I’ve recently started watching season 3 of FOX’s detective show Lucifer. I’ve always enjoyed the show, despite how improbable it is that the resident forensic scientist appears to specialise in digital forensics, toxicology, ballistics, DNA forensics or whatever the plot requires - though I suppose that’s hardly the most unrealistic thing in a show about the devil solving crimes in Los Angeles.
Something I’ve observed is that whenever a case grinds to a halt in this show (and many other police procedurals), some piece of digital evidence usually comes to light to save the day – whether it’s suddenly-unearthed CCTV footage, or a photo of a number plate, or some incriminating emails or Google searches.
So let’s talk about digital evidence (DE) – what it is, why it’s the 21st century’s new treasure trove for the inquiring investigator, and the legal niceties surrounding it.
What is Digital Evidence (DE)?
Our entire lives are becoming increasingly more digital. We socialise on Facebook, show off on Instagram, argue on Twitter and mess around on Reddit. We do our work on laptops and smartphones, and play games on consoles and desktops. We order things online, we do our banking online, we regularly query the great oracle Google regarding the mysteries of the universe and where the nearest Chinese takeaway place is – that sort of thing.
Is it any wonder, then, that crime is another thing happening in the digital space?
The US National Institute of Justice gives us this definition for digital evidence:
“Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD, and a flash card in a digital camera, among other places.”
I like this definition because it emphasises how many sources of digital evidence there can be, beyond your basic computer and mobile phone. Any device that stores or tracks data in some way is a potential source of evidence – yes, even your FitBit.
How is DE gathered and preserved?
This is where the DFIR (digital forensics and incident response) gentlemen and ladies come in. Gathering and preserving digital evidence is not simply copying and pasting a piece of data and handing it over (we’ll get into the reason for this when we get to the legal issues in Part II). There are accepted and standardised methods for acquiring data for evidential purposes, and special tools to facilitate these processes.
The Scientific Working Group on Digital Evidence (SWGDE) outlines the best practices when conducting an acquisition. The entire document can be found here (the document is at version 3.1 at the time of writing), but the basic idea is:
- Document the scene
- Secure and collect the devices that contain the digital evidence (provided that devices may be removed from the scene)
- Image the devices (i.e. create a bit-stream copy – called a forensic image – of the relevant data, which will be saved to a proprietary format such as .E01). This step is arguably the most critical in any investigation – if the integrity of the evidence is compromised here, the rest of the investigation is going to be a walk in the (Jurassic) park
- Verify the forensic image against the original data (where possible)
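As an added illustration of the imaging and verification steps above (example code written for this post, not SWGDE’s or DFIRLABS’ tooling): the script makes a bit-stream copy of a constructed sample "device", records the acquisition hash, checks the copy against the original, and then shows that flipping a single byte of the image makes verification fail. It writes a raw (dd-style) image rather than a proprietary container such as .E01, and the 2 MiB sample device is constructed in a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a real disk never has to fit in memory


def hash_file(path, algo="sha256"):
    """Stream a file (or block device) through a hash, chunk by chunk."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest):
    """Bit-stream copy of every byte of source into dest; returns the acquisition hash."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(source, image, acquisition_hash):
    """The image is good only if it matches both the original and the hash taken at acquisition."""
    image_hash = hash_file(image)
    return image_hash == acquisition_hash and image_hash == hash_file(source)


def demo():
    # Constructed sample "device": 2 MiB of deterministic bytes standing in for a seized disk.
    tmp = tempfile.mkdtemp()
    dev = os.path.join(tmp, "device.bin")
    img = os.path.join(tmp, "device.raw")
    with open(dev, "wb") as f:
        f.write(bytes(range(256)) * (2 * 1024 * 1024 // 256))
    acq_hash = image_device(dev, img)
    ok_before = verify_image(dev, img, acq_hash)
    # Alter one byte of the image (simulating corruption or tampering after acquisition).
    with open(img, "r+b") as f:
        f.seek(12345)
        original = f.read(1)
        f.seek(12345)
        f.write(bytes([original[0] ^ 0x01]))
    ok_after = verify_image(dev, img, acq_hash)
    return ok_before, ok_after
```

The acquisition hash is what gets written into the examiner’s notes; re-hashing the image later and comparing against it is how integrity is demonstrated long after the original device is gone.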
Since this post is getting a little longer than I anticipated, I’ll be talking about the legal issues surrounding digital evidence in Part II.
Author
Saskia Kuschke is a digital forensics examiner and resident pop-culture reference generator at DFIRLABS.