This module is a resource for lecturers
Handling of digital evidence
Did you know?
In the private sector, the response to cybersecurity incidents (e.g., a distributed denial of service attack, unauthorized access to systems, or a data breach) includes specific procedures that should be followed to contain the incident, to investigate it, and/or to resolve it (Cyber Security Coalition, 2015). There are two primary ways of handling a cybersecurity incident: recover quickly or gather evidence (Cyber Security Coalition, 2015). The first approach, recover quickly, is not concerned with the preservation and/or collection of data but with the containment of the incident to minimize harm. Because of its primary focus on swift response and recovery, vital evidence could be lost. The second approach monitors the cybersecurity incident and focuses on digital forensic applications in order to gather evidence of and information about the incident. Because of its primary focus on evidence collection, recovery from the cybersecurity incident is delayed. These approaches are not exclusive to the private sector. The approach taken by the private sector varies by organization and the priorities of the organization.
Read more: Cyber Security Coalition, Cyber Security Incident Management Guide, 2015.
Digital evidence is volatile and fragile, and the improper handling of this evidence can alter it. Because of its volatility and fragility, protocols need to be followed to ensure that data is not modified during its handling (i.e., during its access, collection, packaging, transfer, and storage). These protocols delineate the steps to be followed when handling digital evidence. There are four phases involved in the initial handling of digital evidence: identification, collection, acquisition, and preservation (ISO/IEC 27037; see Cybercrime Module 4 on Introduction to Digital Forensics).
Did you know?
There are protocols for collecting volatile evidence. Volatile evidence should be collected based on the order of volatility; that is, the most volatile evidence should be collected first, and the least volatile should be collected last. The Request for Comments (RFC) 3227 document provides the following sample of the order of volatile data (from most to least volatile) for standard systems (Brezinski and Killalea, 2002):
- registers, cache
- routing table, ...[address resolution protocol or ARP] cache, process table, kernel statistics, memory
- temporary file systems
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media
For more information see: Brezinski, D. and T. Killalea. (2002). Guidelines for Evidence Collection and Archiving. Request for Comments: 3227.
In the identification phase, preliminary information is obtained about the cybercrime case prior to collecting digital evidence. This preliminary information is similar to that which is sought during a traditional criminal investigation. The investigator seeks to answer the following questions:
- Who was involved?
- What happened?
- When did the cybercrime occur?
- Where did the cybercrime occur?
- How did the cybercrime occur?
The answers to these questions will provide investigators with guidance on how to proceed with the case. For example, the answer to the question "where did this crime occur?" - that is, within or outside of a country's borders (see Cybercrime Module 3 on Legal Frameworks and Human Rights for information about jurisdictions) - will inform the investigator on how to proceed with the case (e.g., which agencies should be involved and/or contacted).
In the identification phase, cybercrime investigators use many traditional investigative techniques (see: UNODC, Policing: Crime Investigation for a detailed analysis of these techniques), especially with respect to information and evidence gathering. For example, victims, witnesses, and suspects of a cybercrime are interviewed to gather information and evidence of the cybercrime under investigation (for guidance on interviewing suspects and adult and children witnesses and victims, see: UNODC, Anti-Human Trafficking Manual for Criminal Justice Practitioners, Module 9; UNODC, Toolkit to Combat Trafficking in Persons; UN Economic and Social Council (ECOSOC) Resolution 2005/20 Guidelines on Justice in Matters involving Child Victims and Witnesses of Crime; UNODC, Justice in Matters involving Child Victims and Witnesses of Crime; and Boyle and Vullierme, Council of Europe, A brief introduction to investigative interviewing: A practitioner's guide).
Undercover law enforcement investigations have also been conducted to identify, investigate, and prosecute cybercriminals (examples of these investigations are included in Cybercrime Module 12 on Interpersonal Cybercrime and Cybercrime Module 13 on Cyber Organized Crime). Additionally, cybercrime investigators have conducted covert surveillance. This tactic is a "particularly intrusive method for collecting evidence. The use of covert surveillance measures involves a careful balancing of a suspect's right to privacy against the need to investigate serious criminality. Provisions on covert surveillance should fully respect the rights of the suspect. There have been various decisions of international human rights bodies and courts on the permissibility of covert surveillance and the parameters of these measures" (UNODC, 2010, p. 13). Even malware has been used by law enforcement agencies to conduct surveillance in order to gather information about and evidence of cybercrime. For example, US law enforcement agencies are using network investigative techniques (NITs), "specially designed exploits or malware," in their investigations of online child sexual exploitation and abuse (Finklea, 2017, p. 2; see Cybercrime Module 13 on Cyber Organized Crime for more information about these techniques).
Before digital evidence collection begins, the investigator must define the types of evidence sought. Digital evidence can be found on digital devices, such as computers, external hard drives, flash drives, routers, smartphones, tablets, cameras, smart televisions, Internet-enabled home appliances (e.g., refrigerators and washing machines), and gaming consoles (to name a few), as well as in public resources (e.g., social media platforms, websites, and discussion forums) and private resources (e.g., Internet service providers' logs of user activity, communication service providers' business records, and cloud storage providers' records of user activity and content). Many applications, websites, and digital devices utilize cloud storage services. Users' data can thus be stored wholly or in fragments by many different providers on servers in multiple locations (UNODC, 2013; Quick, Martini, and Choo, 2014). Because of this, retrieving data from these providers is challenging (for more information, see Cybercrime Module 7 on International Cooperation against Cybercrime). The evidence sought will depend on the cybercrime under investigation. If the cybercrime under investigation is identity-related fraud, then the digital devices that are seized will be searched for evidence of this crime (e.g., evidence of fraudulent transactions).
With respect to cybercrime, the crime scene is not limited to the physical location of the digital devices used in the commission of the cybercrime and/or that were the target of the cybercrime. The cybercrime crime scene also includes the digital devices that potentially hold digital evidence, and spans multiple digital devices, systems, and servers. The crime scene is secured when a cybercrime is observed, reported, and/or suspected. The first responder (discussed in Cybercrime Module 5 on Cybercrime Investigations) identifies and protects the crime scene from contamination and preserves volatile evidence by isolating the users of all digital devices found at the crime scene (e.g., holding them in a separate room or location) (Casey, 2011; Sammons, 2012; Maras, 2014; Nelson, Phillips, and Steuart, 2015; see "Note" box below). The users must not be given the opportunity to further operate the digital devices. Neither the first responder nor the investigator should seek the assistance of any user during the search and documentation process. The investigator, if different from the first responder, searches the crime scene and identifies the evidence. Before evidence is collected, the crime scene is documented. Documentation is needed throughout the entire investigative process (before, during, and after the evidence has been acquired). This documentation should include detailed information about the digital devices collected, including the operational state of the device - on, off, standby mode - and its physical characteristics, such as make, model, serial number, connections, and any markings or other damage (Casey, 2011; Sammons, 2012; Maras, 2014; Nelson, Phillips, and Steuart, 2015). In addition to written notes, sketches, photographs and/or video recordings of the crime scene and evidence are also needed to document the scene and evidence (Maras, 2014, pp. 230-233).
Collecting volatile data can alter the memory content of digital devices and data within them.
The investigator, or crime scene technician, collects the evidence. The collection procedures vary depending on the type of digital device and the public and private resources where digital evidence resides (e.g., computers, phones, social media, and cloud; for different digital forensics practices pertaining to multimedia, video, and mobile, see the Scientific Working Group on Digital Evidence (SWGDE)). Law enforcement agencies have standard operating procedures that detail the steps to be taken when handling digital evidence on mobile devices, Internet-enabled objects (e.g., watches, fitness trackers, and home appliances), the cloud, and social media platforms (SWGDE Draft Best Practices for Mobile Device Evidence Collection & Preservation, Handling, and Acquisition, 2018; SWGDE Best Practices for the Acquisition of Data from Novel Digital Devices; Cloud Security Alliance, 2013; Police Service of Scotland, 2018). A standard operating procedure (SOP) is designed to assist investigators by including the policies and sequential acts that should be followed to investigate cybercrime in a manner that ensures the admissibility of collected evidence in a court of law, as well as the tools and other resources needed to conduct the investigation (for example, see the following SOPs: Data Security Council of India, 2011; Police Service of Scotland, 2018). Overall, SOPs include the processes to be followed during an investigation.
Unique constraints that could be encountered during the investigation should be identified. For instance, cybercrime investigators could encounter multiple digital devices, operating systems, and complex network configurations, which will require specialized knowledge, variations in collection procedures, and assistance in identifying connections between systems and devices (e.g., a topology of networks). Anti-forensics techniques (discussed in Cybercrime Module 4 on Introduction to Digital Forensics), such as steganography (i.e., the stealthy concealment of data by both hiding content and making it invisible) and encryption (i.e., "physically blocking third-party access to a file, either by using a password or by rendering the file or aspects of the file unusable;" Maras, 2014, p. 204; for more information on encryption, see Cybercrime Module 10 on Privacy and Data Protection), could also be encountered during an investigation (Conlan, Baggili, and Breitinger, 2016). Because of this, the investigator should be prepared for these situations and have the human and technical resources needed to deal with these constraints. The actions taken by the investigator in these cases (e.g., the ability of the investigator to obtain the passwords to those devices and/or decrypt the files), if any, depend on national laws (see the Global Partners Digital interactive map for more information on the encryption laws and policies of countries). Digital forensics tools (discussed in Cybercrime Module 4 on Introduction to Digital Forensics) can assist in this endeavour by, for example, identifying steganography and decrypting files, as well as performing other critical digital forensics tasks. Examples of such tools include Forensic Toolkit (FTK) by AccessData, the Volatility Framework, and X-Ways Forensics.
Along with these resources, a forensic toolkit is needed, which contains the objects needed to document the crime scene, the tools needed to disassemble devices and remove other forms of evidence from the crime scene, and the material needed to label and package evidence (e.g., for smartphones, a Faraday bag, which blocks wireless signals to and from the digital device, and a power bank are needed and used to transport them), among other items (Casey, 2011; Sammons, 2012; Maras, 2014; Nelson, Phillips, and Steuart, 2015).
The actual collection of the evidence involves the preservation of volatile evidence and the powering down of digital devices. The state of operation of the digital devices encountered will dictate the collection procedures. For instance, if a computer is encountered and the device is on, volatile evidence (e.g., temporary files, registers, cache, and network status and connections, to name a few) is preserved before powering down the device and collecting it (Casey, 2011; Sammons, 2012; Maras, 2014; Nelson, Phillips, and Steuart, 2015). If the device is off, then it remains off and is collected (US National Institute of Justice, 2004b; US National Institute of Justice, 2008). There are circumstances where digital devices will not and cannot be collected (e.g., due to the size and/or complexity of the systems and/or their hardware and software configurations, or because these systems provide critical services) (see Cybercrime Module 4 on Introduction to Digital Forensics). In these situations, volatile and non-volatile data are collected through special procedures that require live acquisition (SWGDE Capture of Live Systems, 2014). The type of digital device encountered during an investigation will also dictate the manner in which digital evidence is collected (see, for example, SWGDE Best Practices for Mobile Device Evidence Preservation and Acquisition, 2018; SWGDE Best Practices for the Acquisition of Data from Novel Digital Devices; US National Institute of Justice, 2007a).
Did you know?
Commands can be used to obtain volatile data from live systems. For example, for Windows operating systems the command ipconfig is used to obtain network information, whereas for Unix operating systems, the command ifconfig is used. For both Windows and Unix, the command netstat is used to obtain information about active network connections.
Want to learn more?
- Software Engineering Institute. (2016). Volatile Data Collection. Carnegie Mellon University.
- Amari, Kristine. (2009). Techniques and Tools for Recovering and Analyzing Data from Volatile Memory. SANS Institute InfoSec Reading Room.
- Bolt, Steven and Earl Door. (2007). Methods for Capturing Volatile Data.
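The following script is an added example, not code from the UNODC module or from any of the resources listed above. It runs a fixed list of live-response commands in order of volatility (most volatile first, following the RFC 3227 ordering quoted earlier), saves each output, and records a timestamp and SHA-256 hash for every step so the collection can be documented. The command names (ipconfig/ifconfig, netstat, arp, route, tasklist, ps) are the ones named in the text or their common companions; which of them exist on a given host is an assumption, so a missing command is recorded rather than treated as an error. The output directory name and the sample command in the demonstration are also constructed.

```python
"""Added example: collect volatile data from a live system in order of volatility.

Not code from the UNODC module. Commands run most-volatile first (RFC 3227 order);
every output is written to a file and its SHA-256 and UTC timestamp are kept in a
manifest. Command names are assumptions about what the host provides.
"""
import hashlib
import json
import platform
import shutil
import subprocess
import time
from pathlib import Path

# Ordered from most to least volatile. Each entry is (label, argv); constructed for
# illustration, adapt the argv to the host being examined.
WINDOWS_STEPS = [
    ("network_connections", ["netstat", "-ano"]),
    ("arp_cache", ["arp", "-a"]),
    ("routing_table", ["route", "print"]),
    ("process_list", ["tasklist", "/v"]),
    ("network_config", ["ipconfig", "/all"]),
]
UNIX_STEPS = [
    ("network_connections", ["netstat", "-an"]),
    ("arp_cache", ["arp", "-an"]),
    ("routing_table", ["netstat", "-rn"]),
    ("process_list", ["ps", "aux"]),
    ("network_config", ["ifconfig", "-a"]),   # may be absent on newer Linux hosts
]

def steps_for(system: str):
    """Pick the command list for the operating system name (platform.system())."""
    return WINDOWS_STEPS if system.lower().startswith("win") else UNIX_STEPS

def run_step(label: str, argv: list, out_dir: Path) -> dict:
    """Run one collection command, save its output and return a manifest record."""
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    record = {"label": label, "argv": argv, "started_utc": started}
    if shutil.which(argv[0]) is None:
        record["status"] = "command_not_found"   # document the gap; keep going
        return record
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
    except subprocess.TimeoutExpired:
        record["status"] = "timeout"
        return record
    out_path = out_dir / f"{label}.txt"
    out_path.write_bytes(proc.stdout + proc.stderr)
    record["status"] = "ok"
    record["exit_code"] = proc.returncode
    record["output_file"] = out_path.name
    record["sha256"] = hashlib.sha256(out_path.read_bytes()).hexdigest()
    return record

def collect(out_dir: Path, steps=None) -> list:
    """Run every step in order and write a JSON manifest next to the outputs."""
    out_dir.mkdir(parents=True, exist_ok=True)
    steps = steps if steps is not None else steps_for(platform.system())
    manifest = [run_step(label, argv, out_dir) for label, argv in steps]
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

if __name__ == "__main__":
    for rec in collect(Path("volatile_collection")):
        print(rec["label"], rec["status"], rec.get("sha256", ""))
```

The manifest is the part that matters for the documentation requirement discussed later on this page: it states what was run, when, and what the captured output hashed to at the moment of capture. Running any command on a live machine does alter its memory (see the Note above), so the manifest also serves as a record of exactly which changes the responder introduced.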
In addition to digital devices, other relevant items (e.g., notes and/or notebooks that might include passwords or other information about online credentials, telephones, fax machines, printers, routers, etc.) should be collected as well. The actions taken by the investigator during the collection of evidence should be documented. Each device should be labelled (along with its connecting cables and power cords), packaged, and transported back to a digital forensics laboratory (US National Institute of Justice, 2004b; US National Institute of Justice, 2008). Once the items are transported to the laboratory, they are "inventoried, recorded, and secured in a locked room...away from extreme temperatures, humidity, dust, and other possible contaminants" (Maras, 2014, p. 237).
Different approaches to performing acquisition exist. The approach taken depends on the type of digital device. For example, the procedure for acquiring evidence from a computer hard drive is different from the procedure required to obtain digital evidence from mobile devices, such as smartphones.
Unless live acquisition is performed, evidence is extracted from the seized digital devices at the forensic laboratory (i.e., static acquisition). At the forensics laboratory, digital evidence should be acquired in a manner that preserves the integrity of the evidence (i.e., ensuring that the data is unaltered); that is, in a forensically sound manner (see Cybercrime Module 4 on Introduction to Digital Forensics). To achieve this, the tools and techniques used to acquire digital evidence must prevent alterations to the data or, when this is not possible, at the very least minimize them (SWGDE Best Practices for Computer Forensic Acquisitions, 2018). The tools and techniques used should be valid and reliable (NIST, n.d.; SWGDE Recommended Guidelines for Validation Testing, 2014; US National Institute of Justice, 2007b). The limitations of these tools and techniques should be identified and considered before their use (SWGDE Best Practices for Computer Forensic Acquisitions, 2018). The US National Institute of Standards and Technology maintains a searchable database of digital forensics tools with various functionalities (e.g., cloud forensics tools, among others) (for more information on digital forensics tools, see Cybercrime Module 4 on Introduction to Digital Forensics).
Did you know?
Triage, the "reviewing of the attributes and contents of potential data" sources, may be conducted "prior to acquisition to reduce the amount of data acquired, avoid acquiring irrelevant information, or comply with restrictions on search authority" (SWGDE Focused Collection and Examination of Digital Evidence).
Want to learn more?
For more information about triage, see Cybercrime Module 4 on Introduction to Digital Forensics.
The seized digital devices are considered the primary source of evidence. The digital forensics analyst does not acquire data from the primary source. Instead, a duplicate is made of the contents of that device and the analyst works on the copy. This duplicate copy of the content of the digital device (imaging) is created before a static acquisition is conducted to maintain the integrity of digital evidence (see Cybercrime Module 4 on Introduction to Digital Forensics). To verify whether the duplicate is an exact copy of the original, a cryptographic hash value is calculated for the original and the duplicate; if the two values match, the copy's contents are a mirror image (i.e., duplicate) of the original content (Cybercrime Module 4 on Introduction to Digital Forensics). A write blocker, which is designed to prevent the alteration of data during the copying process (Cybercrime Module 4 on Introduction to Digital Forensics), should be used before extraction whenever possible (SWGDE Best Practices for Computer Forensic Acquisitions, 2018). It is important to note that the acquisition process described above applies mainly to computers. When acquiring data from mobile phones and similar devices, where the memory storage cannot be physically separated from the device to make an image, a different procedure is followed (see, for example, SWGDE Best Practices for Mobile Device Evidence Preservation and Acquisition, 2018; SWGDE Best Practices for Mobile Phone Forensics, 2013).
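The imaging and verification step just described, as an added example that is not part of the module: the source is copied byte for byte while the stream is hashed, and afterwards both the source and the image are hashed again independently and compared with the hash taken during acquisition. An ordinary file (a constructed sample) stands in for a device opened read-only behind a write blocker; the file names and the one-byte corruption used to show a failed verification are constructed.

```python
"""Added example: bit-for-bit copy of a source plus hash verification of the copy.

Not code from the UNODC module. A plain file stands in for the evidence device; in
practice the source would be a device node read through a write blocker.
"""
import hashlib
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images need not fit in memory

def sha256_of(path: Path) -> str:
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def image(source: Path, dest: Path) -> str:
    """Copy source to dest byte for byte, hashing the data as it is read.
    Returns the hash of what was read from the source (the acquisition hash)."""
    h = hashlib.sha256()
    with source.open("rb") as src, dest.open("wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()

def verify(source: Path, dest: Path, acquisition_hash: str) -> dict:
    """Recompute both hashes independently and compare them with the acquisition hash."""
    src_hash = sha256_of(source)
    img_hash = sha256_of(dest)
    return {
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "match": src_hash == img_hash == acquisition_hash,
    }

if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    src = work / "evidence.bin"
    src.write_bytes(bytes(range(256)) * 4096)   # constructed 1 MiB stand-in "device"
    img = work / "evidence.dd"
    acq = image(src, img)
    print(verify(src, img, acq))
    # Flip a single bit in the copy: verification now fails.
    data = bytearray(img.read_bytes())
    data[0] ^= 0x01
    img.write_bytes(data)
    print(verify(src, img, acq)["match"])   # False
```

Three values are compared rather than two on purpose: the acquisition hash proves what was read at the time of imaging, the fresh source hash shows the original was not changed by the process, and the fresh image hash shows the copy is still identical when the analyst starts work. Any single mismatch tells you which of those three statements no longer holds.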
There are two types of extraction performed: physical and logical. Physical extraction involves the search for and acquisition of evidence from the location within a digital device where the evidence resides, such as the hard drive of a computer (Maras, 2014). A physical extraction may be conducted using keyword searches (based on terms provided by the investigator), file carving (i.e., a search "based on the header, footer, and other identifiers"), and by examining unallocated space (i.e., "[s]pace available on a system because it was never used or because the information in it was deleted"; Maras, 2014, p. 36) and partitions, which separate segments of the hard drive from each other (Casey, 2011; Maras, 2014; Nelson, Phillips, and Steuart, 2015). Logical extraction involves the search for and acquisition of evidence from the location where it "resides relative to the file system of a computer operating system, which is used to keep track of the names and locations of files that are stored on a storage medium such as a hard disk" (Maras, 2014, p. 36). The type of logical extraction conducted depends on the digital device, file system, applications on the device, and operating system. A logical extraction involves the acquisition of data from active and deleted files, file systems, unallocated and unused space, and compressed, encrypted, and password-protected data (Nelson, Phillips, and Steuart, 2015; SWGDE Best Practices for Digital Evidence Collection, 2018).
A logical extraction of files may result in a loss of metadata (i.e., data about data) (SWGDE Best Practices for Computer Forensic Acquisitions, 2018).
The entire acquisition process should be documented. This documentation should include detailed information about the digital devices from which evidence was extracted, the hardware and software used to acquire the evidence, the manner in which the evidence was acquired (i.e., how it was obtained), when it was obtained, where it was obtained, why it was obtained, what evidence was obtained, and for what reason it was obtained (Maras, 2014).
Evidence preservation seeks to protect digital evidence from modification. The integrity of digital evidence should be maintained in each phase of the handling of digital evidence (ISO/IEC 27037). First responders, investigators, crime scene technicians, and/or digital forensics experts must demonstrate, wherever possible, that digital evidence was not modified during the identification, collection, and acquisition phases; the ability to do so, of course, depends on the digital device (e.g., computer or mobile phone) and the circumstances encountered by them (e.g., the need to quickly preserve data). To demonstrate this, a chain of custody must be maintained. The chain of custody is "the process by which investigators preserve the crime (or incident) scene and evidence throughout the life cycle of a case. It includes information about who collected the evidence, where and how the evidence was collected, which individuals took possession of the evidence, and when they took possession of it" (Maras, 2014, p. 377; Cybercrime Module 4 on Introduction to Digital Forensics). In the chain of custody, the names, titles, and contact information of the individuals who identified, collected, and acquired the evidence should be documented, as well as any other individuals the evidence was transferred to, details about the evidence that was transferred, the time and date of transfer, and the purpose of the transfer.
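One way to keep the chain-of-custody fields listed in the paragraph above (who, where and how, when, to whom, and why) in a form that can itself be shown not to have been altered, as an added example that is not part of the module or of any cited guideline: each record is linked to the previous one by a hash, so a change to any earlier record breaks every link after it. Hash-chaining the log is an added design choice, not a requirement the module states; the field names, the sample people, and the evidence hash in the demonstration are constructed.

```python
"""Added example: a tamper-evident chain-of-custody log.

Not code from the UNODC module. Each entry holds the custody fields the text lists and
the hash of the evidence item; entries are hash-chained so later edits are detectable.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, field
from typing import List, Optional

GENESIS = "0" * 64   # prev_hash of the first entry

@dataclass
class CustodyEntry:
    item_id: str            # evidence label, e.g. "EX-07 laptop HDD image" (constructed)
    evidence_sha256: str    # hash of the evidence item as acquired
    action: str             # "collected", "transferred", "received", "examined"
    person: str             # name and title of the person acting
    contact: str
    location: str
    method: str             # how it was collected or transferred
    purpose: str
    timestamp_utc: str      # ISO 8601, UTC
    transferred_to: Optional[str] = None
    prev_hash: str = GENESIS
    entry_hash: str = field(default="", compare=False)

def _digest(entry: CustodyEntry) -> str:
    """Hash every field except the entry's own hash, in a canonical JSON form."""
    body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    def __init__(self):
        self.entries: List[CustodyEntry] = []

    def append(self, entry: CustodyEntry) -> CustodyEntry:
        """Link the new entry to the last one and seal it with its own hash."""
        entry.prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS
        entry.entry_hash = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if every link and hash checks out, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or e.entry_hash != _digest(e):
                return i
            prev = e.entry_hash
        return None

def sample_log() -> CustodyLog:
    """Two constructed custody events for one constructed evidence item."""
    log = CustodyLog()
    ev = "ab" * 32   # constructed placeholder for the acquisition hash of the image
    log.append(CustodyEntry("EX-07 HDD image", ev, "collected", "A. Lee, first responder",
                            "a.lee@example.invalid", "Site office, room 3",
                            "Imaged behind write blocker", "Seizure under warrant",
                            "2018-03-10T14:00:00Z"))
    log.append(CustodyEntry("EX-07 HDD image", ev, "transferred", "A. Lee, first responder",
                            "a.lee@example.invalid", "Forensics lab intake",
                            "Hand delivery, sealed bag", "Static acquisition and analysis",
                            "2018-03-10T17:30:00Z", transferred_to="B. Kim, forensic analyst"))
    return log
```

The verification walks the log from the start, so the index it returns is the earliest record that no longer matches what was sealed; everything before it can still be relied on, everything after it is suspect. The log still needs to be stored and backed up somewhere the people in it cannot silently rewrite, because hash chaining detects alteration but does not prevent it.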
Analysis and Reporting
In addition to the handling of digital evidence, the digital forensics process also involves the examination and interpretation of digital evidence (analysis phase), and the communication of the findings of the analysis (reporting phase). During the analysis phase, digital evidence is extracted from the device, data is analysed, and events are reconstructed. Before the analysis of the digital evidence, the digital forensics analyst in the laboratory must be informed of the objectives of the search, and provided with some background knowledge of the case and any other information that was obtained during the investigation that can assist the forensics analyst in this phase (e.g., IP addresses or MAC addresses). Various forms of analysis are performed depending on the type of digital evidence sought, such as network, file system, application, video, image, and media analysis (i.e., analysis of data on storage devices) (Grance, Chevalier, Kent, and Dang, 2005; Carrier, 2005; European Network of Forensic Science Institutes, 2015; SWGDE Best Practices for Image Authentication, 2018; SWGDE Best Practices for Image Content Analysis, 2017; SWGDE Guidelines for Forensic Image Analysis, 2017; SWGDE Best Practices for Data Acquisition from Digital Video Recorders, 2018; SWGDE Best Practices for Digital & Multimedia Evidence Video Acquisition from Cloud Storage, 2018). Files are analysed to determine their origin, when and where the data was created, modified, accessed, downloaded, or uploaded, and the potential connection of these files on storage devices to, for example, remote storage, such as cloud-based storage (Carrier, 2005). The type of digital evidence (e.g., emails, text messages, geolocation, word processing documents, images, videos, and chat logs) sought depends on the cybercrime case.
Generally, there are four types of analyses that can be performed on computers: time-frame analysis; ownership and possession analysis; application and file analysis; and data hiding analysis. Time-frame analysis seeks to create a timeline or time sequence of the actions that led to an event, using time stamps (date and time), or to determine the time and date a user performed some action (US National Institute of Justice, 2004b). This analysis is performed to attribute a crime to a perpetrator or, at the very least, to attribute an act that led to a crime to a particular individual (US National Institute of Justice, 2004b); there are, however, challenges in validating time-frame analysis results (see "Note" box).
Ownership and possession analysis is used to determine the person who created, accessed, and/or modified files on a computer system (US National Institute of Justice, 2004b). For instance, this analysis may reveal an image of child sexual abuse material (i.e., the "representation, by whatever means, of a child engaged in real or simulated explicit sexual activities or representation of the sexual parts of a child for primarily sexual purposes"; Article 2, United Nations Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution, and Child Pornography of 2000) on a suspect's device. This piece of information alone is not enough to prove ownership of child sexual abuse material. Further evidence is needed to prove this, such as exclusive use of the computer where the material was found. Application and file analysis is performed to examine the applications and files on a computer system in order to determine the perpetrator's knowledge of, intent to, and capability to commit cybercrime (for example, the labelling or name of a file may indicate its contents; e.g., the file name can be the cybercrime victim's name) (US National Institute of Justice, 2004b).
Timestamp data can be modified. As such, a conclusion should not be drawn based on this evidence alone. The same holds true for other data. For example, web browser history shows that sites have been accessed and the times at which they were accessed. More evidence is needed to show that the person who accessed these websites was the owner and/or suspected user of the device.
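Time-frame analysis, and the caveat in the Note above that timestamps can be altered, as an added example that is not part of the module: the script builds a single timeline from a few constructed file records, normalises them from a local clock to UTC so that entries from different sources can be ordered together, and flags patterns that cannot be taken at face value and so need corroboration from other evidence: a modification time earlier than the creation time, or a timestamp later than the moment the evidence was acquired. The file paths, times, and time-zone offset are all constructed.

```python
"""Added example: build a timeline from file timestamps and flag inconsistent entries.

Not code from the UNODC module. Records and times are constructed; the checks mark
entries that warrant corroboration, they do not by themselves prove tampering.
"""
from datetime import datetime, timezone, timedelta

# When the image was taken (constructed). Nothing on the device should postdate this.
ACQUIRED_AT = datetime(2018, 3, 10, 14, 0, tzinfo=timezone.utc)

# Constructed records: (path, created, modified, accessed, clock offset from UTC in hours)
RECORDS = [
    ("C:/Users/a/invoice.docx", "2018-03-09 09:15:00", "2018-03-09 09:40:00", "2018-03-09 09:41:00", 1),
    ("C:/Users/a/photo.jpg",    "2018-03-09 12:00:00", "2018-03-08 23:10:00", "2018-03-09 12:00:30", 1),  # modified before created
    ("C:/Users/a/notes.txt",    "2018-03-09 13:05:00", "2019-01-01 00:00:00", "2018-03-09 13:05:00", 1),  # modified after acquisition
]

def to_utc(ts: str, offset_hours: int) -> datetime:
    """Interpret a naive local timestamp with the given offset and convert it to UTC."""
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)

def build_timeline(records, acquired_at: datetime):
    """Return (events sorted by UTC time, list of anomaly descriptions).

    Each event is (utc_time, kind, path) with kind in created/modified/accessed."""
    events, anomalies = [], []
    for path, created, modified, accessed, off in records:
        c, m, a = (to_utc(t, off) for t in (created, modified, accessed))
        events += [(c, "created", path), (m, "modified", path), (a, "accessed", path)]
        if m < c:
            anomalies.append(f"{path}: modified ({m.isoformat()}) earlier than created ({c.isoformat()})")
        for kind, t in (("created", c), ("modified", m), ("accessed", a)):
            if t > acquired_at:
                anomalies.append(f"{path}: {kind} timestamp {t.isoformat()} is after acquisition")
    events.sort()
    return events, anomalies

if __name__ == "__main__":
    timeline, flags = build_timeline(RECORDS, ACQUIRED_AT)
    for when, kind, path in timeline:
        print(when.isoformat(), kind.ljust(8), path)
    print("\nEntries needing corroboration:")
    for f in flags:
        print(" -", f)
```

A "modified before created" pattern is common and innocent for files copied from elsewhere (many file systems keep the source's modification time and give the copy a new creation time), which is exactly why the script reports it as something to corroborate rather than as a finding. The clock-offset column matters because a device set to the wrong time zone, or to the wrong time, shifts every entry by the same amount; the sequence of events survives that shift, but any alignment with external records (server logs, provider records) does not.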
Data hiding analysis can also be performed. As the name implies, data hiding analysis searches for hidden data on a system. Criminals use several data-hiding techniques to conceal their illicit activities and identifying information, such as using encryption (discussed in Cybercrime Module 9 on Cybersecurity and Cybercrime Prevention: Practical Applications and Measures as well as Cybercrime Module 10 on Privacy and Data Protection), password-protecting devices and specific content (e.g., files), changing file extensions, and hiding partitions (US National Institute of Justice, 2004b; Casey, 2011; Maras, 2014; Nelson, Phillips, and Steuart, 2015). During the analysis phase, the investigator needs to address the data-hiding techniques that perpetrators could have used to conceal their identities and activities. Hidden data can reveal "knowledge [of a crime], ownership [of content], or intent [to commit a crime]" (US National Institute of Justice, 2004b, p. 17).
When a file is deleted on a computer, it is placed in the Recycle Bin or Trash. If the Recycle Bin or Trash is emptied (i.e., by the deletion of its content), the files that were deleted are removed from the file allocation table, which records file names and locations on hard drives (Maras, 2014). The space where the file resides is marked as free space (i.e., unallocated space) after it is deleted, but the file still resides in that space (at least until it is fully or partially overwritten by new data) (Maras, 2014).
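Both the deletion behaviour described in the Note above and the file-carving technique mentioned under physical extraction (a search "based on the header, footer, and other identifiers" over unallocated space), as one added example that is not part of the module: a tiny constructed "disk" with a directory table stands in for a file system. Deleting a file drops its table entry and marks its blocks free, but the bytes stay where they were, so a header/footer search over the unallocated blocks recovers the file; writing new data over those blocks is what finally destroys it. The JPEG start and end markers (FF D8 FF and FF D9) are the real ones; the block size, file names, and file contents are constructed.

```python
"""Added example: deleted data surviving in unallocated space, and carving it back.

Not code from the UNODC module. ToyDisk is a constructed stand-in for a file system
with an allocation table; carve_jpegs is a plain header/footer carver.
"""
BLOCK = 64
JPEG_HEADER, JPEG_FOOTER = b"\xff\xd8\xff", b"\xff\xd9"

class ToyDisk:
    def __init__(self, blocks: int):
        self.data = bytearray(blocks * BLOCK)
        self.free = set(range(blocks))
        self.table = {}   # name -> list of block numbers (the "file allocation table")

    def write(self, name: str, content: bytes):
        """Store content in the lowest free blocks and record them in the table."""
        needed = -(-len(content) // BLOCK)          # ceiling division
        blocks = sorted(self.free)[:needed]
        if len(blocks) < needed:
            raise OSError("disk full")
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free.discard(b)
        self.table[name] = blocks

    def delete(self, name: str):
        """Like emptying the Recycle Bin: drop the table entry, free the blocks, keep the bytes."""
        self.free.update(self.table.pop(name))

    def unallocated(self) -> bytes:
        """Concatenate every block the table no longer claims."""
        return b"".join(bytes(self.data[b * BLOCK:(b + 1) * BLOCK]) for b in sorted(self.free))

def carve_jpegs(buf: bytes):
    """Return (start, end) offsets of every header..footer span found in buf."""
    found, pos = [], 0
    while (start := buf.find(JPEG_HEADER, pos)) != -1:
        end = buf.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1:
            break                                    # header without footer: truncated
        found.append((start, end + len(JPEG_FOOTER)))
        pos = end + len(JPEG_FOOTER)
    return found

def demo() -> dict:
    """Write two files, delete one, carve it back, then overwrite it and carve again."""
    disk = ToyDisk(16)
    jpeg = JPEG_HEADER + b"\xe0" + b"\x00" * 150 + JPEG_FOOTER   # constructed stand-in image
    disk.write("notes.txt", b"meeting at 9" * 10)
    disk.write("photo.jpg", jpeg)
    disk.delete("photo.jpg")                         # entry gone, bytes still on disk
    free = disk.unallocated()
    recovered = [free[s:e] for s, e in carve_jpegs(free)]
    disk.write("new.bin", b"\x00" * 10)              # reuses the first free block: header destroyed
    return {
        "deleted_from_table": "photo.jpg" not in disk.table,
        "recovered_intact": recovered == [jpeg],
        "after_overwrite": len(carve_jpegs(disk.unallocated())),
    }

if __name__ == "__main__":
    print(demo())
```

The carver is deliberately simple: it assumes a file is stored contiguously and that the first footer after a header belongs to it. Real carvers have to cope with fragmented files, embedded thumbnails (a JPEG inside a JPEG), and formats whose footer is not unique, which is why carved results are validated by opening them rather than trusted on the strength of the markers alone.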
As the US National Institute of Justice concluded, "[i]n and of themselves, results obtained from any one of these ... [analyses] may not be sufficient to draw a conclusion. When viewed as a whole, however, associations between individual results may provide a more complete picture" (p. 18).
The purpose of these analyses is crime reconstruction (or event reconstruction). Event reconstruction seeks to determine who was responsible for the event, what happened, where the event occurred, when it took place, and how it unfolded, through the identification, collation, and linkage of data (revealing the "big picture" or essence of an event). Event reconstruction can involve temporal analysis (i.e., the determination of the time events occurred and the sequence of these events), relational analysis (i.e., the determination of the individuals involved and what they did, and the associations and relationships between these individuals), and functional analysis (i.e., assessment of the performance and capabilities of the systems and devices involved in events) (Casey, 2010; Casey, 2011; Kao, 2016). Overall, event reconstruction is performed to prove or disprove a working hypothesis concerning the case (i.e., an educated guess concerning the sequence of acts that led to an event) (ENFSI, 2015).
Investigators should be engaged in preliminary reconstructive actions at the identification and collection stages of the investigation. These tasks assist investigators in identifying new potential sources of digital evidence.
Ultimately, event reconstruction for the analysis phase uses imperfect knowledge to draw conclusions about a case based on available evidence and analyses of the evidence. For this reason, it is important for cybercrime investigators and digital forensics analysts to recognize these limitations and avoid biased interpretations of the results of these analyses, such as those that result from confirmation bias, where individuals look for and support results that support their working hypothesis and dismiss results that conflict with their working hypothesis (Kassin, Dror, and Kukucka, 2013; Boddington, 2016).
The results of the analysis are documented in a report. The report should be as clear and precise as possible. Demonstrative material (e.g., figures, graphs, outputs of tools) and supporting documents, such as chain of custody documentation, should be included, along with a detailed explanation of the methods used and steps taken to examine and extract data (US National Institute of Justice, 2004b). The findings should be explained in light of the objectives of the analysis (i.e., the purpose of the investigation and the case under investigation). Information about the limitations of the findings should also be included in the report. The content of the report varies by jurisdiction depending on national policies (wherever present) regarding investigations and digital forensics. To prevent the misinterpretation of digital evidence or the placement of inappropriate weight on it, the report should communicate known errors and uncertainty in the results (European Network of Forensic Science Institutes, 2015, p. 39).