Understanding Digital Evidence

Many departments are behind the curve in handling digital evidence. There are a number of explanations for this, including the rapid changes and proliferation of digital devices, budgetary limitations, and lack of proper training opportunities.

Performing digital forensics can be an expensive proposition involving licenses, equipment and significant personnel costs. Demonstrating cost effective return on investment is crucial to securing command staff buy in. Funding these efforts can involve a complicated mix of local, state and federal budgets, and this can be particularly challenging for smaller departments. Regional models and other forms of collaboration can help, provided officers know where to turn for help.

Advanced digital evidence training is not yet part of the core curriculum for police academies, yet officers of all levels of experience may have contact with digital evidence that is sufficient to affect the resolution of the case. For example: training can improve the preservation of evidence, such as educating patrol officers on the necessity of a Faraday bag to isolate electronic devices.

Departments face large digital evidence backlogs, limited equipment, and potential turnover of examiners. Contributing to the backlog is the lack of personnel trained in digital evidence extraction. A growing backlog prevents training opportunities since classes would take examiners out of the workplace, and a backlog can undermine requests to replace inadequate, antiquated, or under-funded technology and licenses due to budget constraints of units perceived to be performing slowly.

In short, digital evidence must be planned for and plays a role at each stage in the investigation/prosecution process, which we describe further below.

Violation of the law

In the early days of digital evidence the focus was predominantly on computer crime. However, now nearly every crime has some digital artifact that might be useful for an investigation. As a result, proactive investigation now considers how digital evidence might be exploited for non-computer crimes as well. For example: investigators might consider as a default assumption that data exists in suspect or victim cloud storage accounts exists and, provided that it could be legally obtained, it could provide investigative leads.

Discovery/Accusation

Many computer crimes that get reported may or may not exceed thresholds for investigation and/or prosecution. As victims of such crimes increasingly turn to law enforcement for assistance, adequate processes for responding need to be in place not only to assist the victim, but also to capture digital evidence and information that might otherwise be lost.

Seizure

The Fourth Amendment provides protection against unreasonable search and seizure by governmental authorities. This has been an area of much debate with respect to digital evidence. Most recently, the recent Riley (Riley v. California, No. 13-132) decision highlighted the differences between digital and physical evidence in that a warrant is now required to examine the contents of a cell phone, unlike physical papers which may be on a person. The difference was drawn due to the considerably larger storage potential of a portable electronic device which can contain information on lifestyle, associates, and activities which may be outside of the investigation’s scope.

Riley makes on-scene triage more challenging. When an arrest is made, there is a possibility that a confiscated cell phone could be wiped via a remote command or timed security locks activated resulting in loss of access to data.
Even with a warrant, seizure of digital evidence can be present several challenges. First responding officers to an incident or arrest often do not know how to secure and use digital evidence to preserve chain of custody and later admissibility in court. Occasionally, collecting digital evidence from victim devices – where broad capture of all data on phone – results in capture data that law enforcement “doesn’t want”.

In many cases, considerable jurisdictional challenges exist when the digital evidence required for an investigation does not exist on a physical device at the crime scene, but rather on a server many counties, states, or countries away. Even within the US, ISPs may balk at complying, especially out of fear of incurring liability under the ECPA. International warrants can be complicated by the necessary mutual legal assistance treaty (MLAT) which can incur significant delays for assistance, if any is even provided.

Several trends may further complicate seizure of digital evidence in the future. Developing law suggests that overly broad civil subpoenas may not be sufficient to compel ISPs to provide private information of users as current judicial thinking is tending toward greater restriction on what is included in searches of electronic devices (Murphy and Esworthy, 2012). Moving forward, issues relating to cloud-based information and legal challenges associated with the proper scope for searching portable electronic “microcomputers” may shape the future of digital evidence processing.

Preservation

When prosecution is the goal, chain of custody, discovery, and other issues pertaining to the use of digital evidence in the courtroom are paramount. Documentation requirements include authentication (i.e., how was the evidence produced and by whom?) as well as the chain of custody (has the integrity of the evidence been preserved since its collection?).

Some courts are skeptical of digital evidence due to uncertainties about chain of custody and validity of information obtained from devices. Overcoming these challenges requires rigorous documentation of data such as when the evidence was collected and where it was collected from (i.e. type, identity, and ownership of device), who owned the device, and who had access to it; as well as how the evidence was collected (i.e. what tools and procedures were used). Finally, chain of custody involves documenting how the evidence was stored, who has handled the evidence, and who had access.

Examination

Digital evidence requires different training and tools compared to physical evidence. The range of extraction modes that can be required to obtain digital evidence from different sources or types of devices (including those belonging to both suspects and victims) means that its collection and use is truly a multi-faceted challenge, potentially requiring building and maintaining a variety of quite different technical capabilities and expertise.
Manual techniques involve using standard inputs included with or built into the device, such as touch screens or keyboards. Logical extractions incorporate external computer equipment to provide commands through code to the targeted device. Physical techniques refer to reading information from flash memory sources. The most specialized processing options, chip-off and micro read, are highly technical activities and represent advanced digital evidence extraction.

Additional obstacles may need to be overcome even after data is extracted from a device. For example: Apple announced that its new iOS 8 operating system has improved security that prevents Apple from unlocking phones even in response to a request from law enforcement. On phones using the new operating system, photos, messages, email, contacts, call history, and other personal data are under protection of a passcode that Apple is not able to bypass. Google has announced that it will do the same in new Android-based operating systems. The listing and variety of device and products poses challenges as there is no uniform process to obtain information across makes and models, let alone different types of devices.

In addition to physical devices that are seized by law enforcement, digital evidence may need to be collected and examined from networked devices, both single servers and entire constellations of IT systems. These networked devices may or may not be beyond the physical reach of law enforcement. Furthermore examination may involve not only “dead box” disk based forensics, but extend to network traffic and in memory analysis. For example: stealthy malware seeking to evade detection may operate solely in a machine’s memory in order to avoid disk based detection.

Computer – There is a wealth of potential digital evidence on a personal computer. When browsing the internet, programs will often maintain temporary internet files, cookies, and a browsing history. Emails and other messages may be found on the physical computer as well.

Portable electronics – Currently, digital evidence processing from portable electronics such as cell phones is the primary focus of interest to examiners and researchers. There should be no surprise that cell phones are the dominant interest within the field of digital evidence.

Internet – Some of the first digital evidence used in law enforcement investigations came from communication websites, particularly message boards and chats rooms. File sharing networks are another major source used during investigations. Some internet technologies have been designed specifically to enable the hiding of the identity and location of individuals accessing or sharing information. For example, the Tor Project provides a high degree of anonymity for internet users.

In some cases methods and tools for examination from ten years ago are insufficient and incompatible with current technology. This turnover is due to the rapidly changing landscape of personal electronics. Using the most up to date tools can help mitigate challenges to the acceptability of results of digital evidence analysis in court. In contrast, using invalidated tools runs the risk of missing critical information or otherwise jeopardizing an investigation.

Analysis

As digital devices such as computers, cell phones, and GPS devices become ubiquitous, analysis of digital evidence is becoming increasingly important to the investigation and prosecution of many types of crimes as it can reveal information about crimes committed, movement of suspects, and criminal associates.

If departments do not have enough of the right people to process the volume of digital evidence, the result is a large backlog no matter what tools are used. Without the right tools, departments may lack the capability to represent complex data sets in understandable ways for investigation and presentation. Temporal, spatial and network analysis of large troves of digital evidence benefits significantly from software that is explicitly designed to facilitate those specific methodologies.

Exploitation of multimedia data presents another emerging analytical challenge. For example: video evidence – particularly from surveillance cameras – can be as voluminous as mobile device data, if not more so and there are limited tools available to reliably enhance and analyze video.

In the course of an investigation time is of the essence and triage has been recognized as an effective means of getting useful information early without waiting for in depth analysis of the entire target system. Scant attention has been given to developing robust capabilities in this area, though some recent attempts have promise. Triage tools could lower the minimum skill threshold for some parts of the analysis of digital evidence and consequently reduce the workload and backlog of the digital evidence lab. Nevertheless, in order to effectively operationalize triage and optimize the use of scarce resources, a systematic method of prioritizing a work queue is required.

Reporting

The role of law enforcement does not end with an arrest or clearance. Police must give evidence to prosecutors and effectively communicate both the significance of and process to obtain digital evidence to all parties, including a jury.

There are significant challenges in the investigative process, up to and including the handoff of evidence to the prosecution that must be addressed to successfully use digital evidence in prosecutions. This can range from inexperience of patrol officers and detectives in preserving and collecting digital evidence, to lack of familiarity of court officials about the nature of digital evidence. Typically issues with evidence in general and with digital evidence in particular include hearsay, admissibility and obligation to the defense.

Testimony given by witnesses based on conversations held outside the courtroom are considered “hearsay.” Some digital evidence falls under the heading of such hearsay statements. A common exception to the hearsay rule is the business records exception.

The Frye test (Frye v. United States, 54 App. D.C. 46, 293 F. 1013 (1923)) allowed scientific evidence to be admitted if the science upon which it rested was generally accepted by the scientific community. More recently, the Frye test has been replaced in federal courts by the Daubert test (Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993)). Daubert uses five criteria to determine the admissibility of scientific evidence: whether the technique has been tested; whether it has undergone peer review; whether there is a known error rate; the existence and maintenance of standards controlling its operation; and (like Frye) whether the technique is generally accepted by the scientific community. The work of NIST is, for this purpose, very important. The field of digital evidence – both the devices to be exploited and the tools to exploit them – change rapidly. NIST testing provides the basis for asserting that the data gathered and analyzed by new tools is scientifically valid.

Finally, obligations to the defense require that defense attorneys receive a duplicate copy of digital information or access to view it and that exculpatory evidence be brought to the attention of the defense.

Adjudication

The management of digital evidence as it is prepared and presented in the courtroom taps into interconnected criminal justice issues that go beyond law enforcement’s typical role in collecting evidence. For example: upstream requests from prosecutors to law enforcement can incur expenditure of significant processing resources to produce outputs that are difficult and or unlikely to be reviewed in their entirety at trial.

Information disconnects can emerge between the prosecution and the defense. One reason the defense may be behind is because they receive evidence through discovery weeks after the prosecutors do and therefore have even less time to sift through the amount of information. While defense attorneys can challenge how the records were acquired and chain of custody issues, especially in the context of the cloud, most are ineffective at pushing back against digital evidence presented by the prosecution. However, this balance may shift as the technology improves and if it does defense attorneys will eventually obtain a parity of digital evidence knowledge, which will result in more successful challenges.

Execution of the Law

Judgment at trial in some ways represents the close of the law enforcement process that began with the violation of a law and ends with the execution of a law. Judges, juries, and defense attorneys clearly have a stake in digital evidence processing. Objections to digital evidence are rarely sustained, provided that the evidence meets the Daubert standard. Juries often find the presentation of digital evidence compelling. Yet, variation remains in the familiarity with digital evidence across different areas of the criminal justice system (e.g. Lack of knowledge about digital evidence on the part of judges can complicate appropriate use in court) or echelons of command within law enforcement (e.g. senior leadership may not immediately recognize the benefit of digital evidence capabilities).

However, consensus is easier to find when successful processing of digital evidence directly results in more cases solved and more successfully prosecutions on the basis of that evidence. The current trend is an increasing number of positive outcomes, and positive feedback that results from showcasing these efforts.

Additional Resources

Examples of software tools to be used for computer and network forensics can be found here:
• NIST: http://toolcatalog.nist.gov/populated_taxonomy/index.php

Note

Note that some of this content has been reproduced with the permission of the authors of Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Related Needs to More Effectively Acquire and Utilize Digital Evidence, Sean E. Goodison, Robert C. Davis, and Brian A. Jackson, RAND Corporation, (forthcoming).

IACP Conference