Emails, instant messages, emails, transactions, images, and histories can all be obtained from electronic devices. This information can be used as evidence. In addition, mobile devices can access online-based backups systems (also known as the cloud), allowing forensic investigators to view text messages and photos taken from a specific phone. These systems store an average of 1,000-1500 of the last text messages sent and received from a particular phone.
Many mobile devices also store information about where and when the device was last used. Investigators have access to an average of 200 locations that were accessed by mobile devices in order to gain this information. Similar information can be obtained from satellite navigation systems or car-mounted satellite radios.
Photos posted on social media sites like Facebook can contain location information. Photos that are taken using a Global Positioning System-enabled phone can contain location data. This information includes the date and exact location of each photo. Investigators can gather a lot of information about a mobile device and its user by obtaining a subpoena.
Who conducts the analysis?
The National Institute of Justice states that digital evidence should only be reviewed by individuals who have been specifically trained for it. With so many electronic devices available today and how fast they change, it can be difficult for law enforcement to keep up. Many agencies don’t have a digital expert available. If they do, it might be someone who is a specialist in bank fraud or some other niche. Although a detective might be able log on to devices, they may not know how to capture text messages histories from cell phones and may lose evidence if they try. Many take an interest in the area and learn what they can. Still, there is no single path to digital evidence expertise–qualifications and certifications are not standardized across the country. First responder training is increasingly incorporating digital seizure techniques.
Digital media examiners are investigators with the experience, education, and training to use this sensitive evidence. There is no one certification body, and different courses of study can be included in certification programs. These professionals are generally competent in core competencies such as pre-examination procedures, legal issues, media analysis, media assessment, data recovery, specific data analysis, documentation, reporting, and presentation of findings.
Although certification of examiners does not require agencies to have it, they are becoming an increasingly valuable asset. The Digital Forensics Certification Board, which is independent and certifies digital evidence examiners through the National Computer Forensics Academy of the High Tech Crime Institute, and other colleges, offers vendor-neutral certification.
Many states have at minimum one section or laboratory for digital forensics and a range of task forces, including Internet Crimes Against Children and Joint Terrorism Task Forces (JTTF), and Narcotics and Property Crimes. These officers have specialized training that includes search, seizure, and exploitation of digital evidence in their areas of expertise. To ensure that the best security and evidence handling are used, agencies and investigators need to work together. The FBI is able to assist in certain areas.
How digital devices are collected
The scene: Anyone who has lost their cell phone or computer in a storm or moved knows that digitally stored information can be very sensitive and easily stolen. Organizations like NIJ and SWGDE have developed best practices to properly seize computers and devices. Devices can be taken after the scene is secured and the legal authority to seize evidence has been established. If possible, passwords, codes, or PINs should first be obtained from the people involved. Then, any chargers, cables, and peripherals that may be required, as well as manuals and manuals, should also be taken. Different tools and techniques are used to examine thumb drives, cell phones, hard drives, and other similar devices. This is usually done in a specialized lab.
First responders must take extra care when using digital devices, in addition to the normal evidence collection procedures, to avoid exposure to things such as extreme temperatures, static electricity, and moisture.
Seizing Mobile Devices
* If possible, turn off the device immediately and remove any batteries. The phone’s status information, including call logs and cell tower location, can be saved by turning it off. It also prevents any other users from using the phone, which could cause data to change. Remote destruction commands can be used to destroy the device without the investigator’s knowledge if it is left on. The phone may have an auto-return feature that turns on the phone to check for updates. This could compromise data, so it is best to remove the battery.
* If the device is not able to be turned off, it should be placed in Faraday bags or other blocking materials. Antistatic packaging should be used for digital devices, such as cardboard boxes and envelopes or paper bags. Avoid plastic as it can transmit static electricity and allow condensation to build up.
Information from the phone may be deleted in an emergency situation or when life-threatening circumstances arise. However, it is important to document the actions and preserve the data.
* The investigator must specify the type of information that they are seeking when sending digital devices to the laboratory. This could include phone numbers and call history from a cell phone, emails and documents from a computer, or images from a tablet.
First Responders Should Document Any Activity on Stand Alone Computers or Equipment. To protect digital evidence from being altered during collection, they should take a photo and record any information on the screen. To determine whether something is visible on the screen, responders can move the mouse without pressing any buttons or moving the wheel. It is highly recommended that you call a computer forensic specialist if the computer is turned on. This can help to identify criminal connections. To preserve any data on the machine, it is important to immediately disconnect power from a computer that is on and running destructive software.
Because of networking, possible loss of evidence, and potential liabilities to the agency beyond the criminal investigation, office environments can be a difficult place to collect information. For example, if a server that provides service to customers outside of the criminal investigation is taken away, it could be extremely damaging. You should also collect any office equipment that may contain evidence, such as scanners, scanners, security cameras, facsimile machines, pagers, and caller identification units.
As per an agency’s usual digital evidence procedures, computers that are not working may be used as evidence.
What and where is the analysis performed?
Exploiting laboratory data: After the digital evidence has been submitted to the laboratory, a qualified analyst will use the following steps to extract and analyze the data:
1. Prevent cross-contamination before digital evidence can be analyzed, it is necessary to create an image of or a working copy from the original storage device. To preserve the original data, the copy must always be kept on another media when obtaining data from suspect devices. Analysts must store data on “clean” media to avoid contamination and the introduction of data from other sources. For example, if the analyst were to place a copy of the suspect’s device on a CD with information, the information could be analyzed as if it was on the suspect’s device. Digital storage media like thumb drives or data cards can be re-used, but simply erasing and replacing the evidence with new evidence will not suffice. It must be either a new storage unit or, if it is being used, it must have been forensically “wiped” before being used. This will remove all known and unknown content from the media.
2. If possible, isolate wireless devices. This will prevent any connection to networks and preserve evidence as clean as possible. You can open the Faraday bag inside the chamber to access the device, including phone numbers, SIM cards and information from Federal Communications Commission (FCC). The chamber can allow the device to be connected to analysis software. Investigators will usually place the device in a Faraday bag to block reception if the agency doesn’t have an isolation chamber.
3. Install write-blocking Software: This software prevents any data from being changed on the media or device. The analyst will place a block on the working copy to allow data to be viewed, but no changes or additions can be made.
4. Select extraction methods: After the working copy has been created, the analyst will identify the make and model of your device and choose the best extraction software to “parse” the data or view its contents.
5. Submit original media or device for traditional evidence examination: Once the data is removed, the device can be sent back into evidence. The device may contain DNA, trace, fingerprint, or other evidence. However, the digital analyst is able to work without it. Find out more about DNA, trace evidence, and fingerprints
6. Proceed with the investigation: The analyst will then use the chosen software to view the data. Analysts will be able see the contents of the drive and can identify hidden files. They may also be able to restore file organization to allow for the viewing of hidden areas. As long as the files have not been overwritten by new data, deleted files can also be visible. Even partially deleted files may still be valuable.
Not only can files on a computer or another device be used as evidence, but so is any other evidence. To find evidence on the Internet, such as chat rooms, instant messaging, and websites, the analyst might need to look beyond the hardware. The analyst can use the system of Internet addresses and email header information to piece together strings that show activity.