Sources of Digital Evidence

Evidence kept on computers and other electronic devices plays a significant role in a growing number of client affairs. Computer forensics examiners, as well as other experts, need to capture this kind of information quickly and comprehensively.

Emails, instant and text messages, documents, images, transactions, and Internet or browser histories are good examples of information that is collected from electronic devices and used successfully as evidence. For instance, mobile devices such as smartphones that use online backup systems give forensic examiners and experts access to instant and text messages and to photos taken with a specific handset. The majority of mobile devices keep information about the places where the device has been and the exact time when it was there. Investigators usually access an average of 200 cell locations previously accessed by the mobile device to get this information. Satellite radios in cars and satellite navigation systems offer the same information. Pictures posted to social media sites also contain location information and can be used as electronic evidence. Pictures taken with a Global Positioning System (GPS)-enabled device carry file data that indicates the time and place where the picture was captured.

In cases involving financial assets, forensic examination of computers and phones discloses any attempts made to conceal assets via offshore or online bank accounts or any additional hidden investment accounts. Some business owners may keep a duplicate set of books secretly on a thumb drive, so electronic evidence may be found on thumb drives, which can be used to hide this kind of evidence. Recovery of deleted information is another important source of electronic evidence for a computer forensics examiner. Examiners copy the unallocated space on the hard drive, where information related to the deleted files resides. They then use specialized software that enables the recovery of deleted files, even after they have been emptied from the recycle bin, unless the files have been overwritten, in which case they are impossible to recover. In some instances, these files may be only partially overwritten, so that only some parts of the deleted file can be recovered.
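The recovery step described above can be illustrated with simplified signature-based carving over a copy of unallocated space. This is an added example, not part of the original essay: carving by JPEG header and footer is an assumed technique (the essay names no specific tool or method), and the buffer, offsets and function names are constructed for illustration.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(unallocated: bytes):
    """Return (offset, data, status) for each JPEG header found.

    status is "complete" when a footer follows the header before the next
    header, and "partial" when the tail was overwritten first. Simplified:
    real carvers also handle embedded thumbnails and fragmentation.
    """
    results, pos = [], 0
    while True:
        start = unallocated.find(JPEG_SOI, pos)
        if start == -1:
            return results
        body = start + len(JPEG_SOI)
        nxt = unallocated.find(JPEG_SOI, body)
        limit = nxt if nxt != -1 else len(unallocated)
        end = unallocated.find(JPEG_EOI, body, limit)
        if end != -1:
            end += len(JPEG_EOI)
            results.append((start, unallocated[start:end], "complete"))
            pos = end
        else:
            # Footer is gone: keep what survives for manual review.
            results.append((start, unallocated[start:limit], "partial"))
            pos = limit


def summarize(hits):
    """Attach a SHA-256 to each carved item so it can be re-verified later."""
    return [(off, status, len(data), hashlib.sha256(data).hexdigest())
            for off, data, status in hits]


def build_sample() -> bytes:
    """Constructed stand-in for a dump of unallocated space."""
    damaged = JPEG_SOI + b"\xe1" + b"PARTIAL-PHOTO"       # tail overwritten
    newer = b"NEWER-DATA-WROTE-HERE"                       # reused sectors
    intact = JPEG_SOI + b"\xe0" + b"INTACT-PHOTO-DATA" + JPEG_EOI
    return b"\x00" * 32 + damaged + newer + intact + b"\x00" * 16


if __name__ == "__main__":
    for row in summarize(carve_jpegs(build_sample())):
        print(row)
```

The "partial" item still contains the newer data that overwrote the tail, which is why partially recovered files need manual review before they are relied on.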

Deleted files are usually overwritten at random by the normal functioning of a computer's operating system, which makes electronic evidence very volatile. The longer the delay between file deletion and recovery, the higher the probability that the file has been overwritten. The interval between deletion and overwriting usually depends on the hard drive size. Smaller hard drives are usually overwritten more than larger ones. Mobile phones and smartphones overwrite data more than personal computers do. As a result, electronic evidence needs to be collected as soon as possible to avoid overwriting of deleted files. Forensic experts must verify the accuracy of the images created during the imaging process to make sure that a precise bit-by-bit copy of the source hard drive has been made. This process is referred to as hash verification. A hash value is usually a unique alphanumeric value calculated by applying mathematical algorithms to the data to be copied.

