Not all evidence rests in the traces of blood and DNA. Not all evidence even rests at the crime scene. Digital forensics is the process by which digital information — information transmitted and stored in binary, often on hard drives, mobile phones, and virtually any sort of electronic device — is collected. Digital forensics can provide critical information on the whereabouts of a suspect at the time of a crime, an alibi, and even a person’s association with other suspects.
The advancement of technology has placed personal information at a much higher risk than before. With information increasingly stored electronically and new unauthorized ways to access data, information has become increasingly vulnerable. Furthermore, data can often be manipulated without leaving many traces. Computer forensics can help retrieve lost data and data deleted intentionally or unintentionally, and can also analyze existing data to solve crimes. Computer forensics often serves as the only form of evidence available for the prosecution of cyber crimes. Other crimes that “make use of electronic data storage” and would benefit from computer forensics include check fraud (amounting to almost 20 billion annually in America alone), health care fraud (costing around 100 billion annually in America), and threats to national security.
Various kinds of forensic tools exist, and they are used by private companies as well as law enforcement at every level. Within a company, forensic tracking may be used to prevent corporate data theft, compliance violations, and employee misconduct, such as information being sold without permission (Veriato). Computer screen activity, including any videos played, may be recorded, while website, email, chat, and network activity may be further monitored. Keystroke logging is often used by malware to gain access to an individual’s personal accounts and passwords, but it can also be used by corporations to track all logins made by an employee on their computer. When used by law enforcement, keystroke logging and monitoring of Internet activity may provide incriminating evidence against a suspect.
The Massachusetts Digital Evidence Consortium lists digital forensics crime scenes as including “locations within the jurisdiction, like homes, where computers and other digital devices are located,” “offices and business networks,” and “third-party providers like internet or cellular service providers.” If the evidence is held by a third-party provider, its collection “may be subject to the provisions of federal and state statutes pertaining to law enforcement access to records and communications held by these providers” (IACP). Thus, the legal standards for collecting digital evidence vary with the situation. When handling the evidence, investigators may question witnesses and suspects about any encryption applications they use and ask for complete access (usernames and passwords) to various accounts. Most importantly, guidelines for handling digital evidence underscore that if a device is found powered on at the crime scene, it should not be turned off, so that law enforcement can take the time to gather all available security “unlock” information and isolate the device from any networks.
When the crime scene still involves some level of physical evidence, such as a mobile phone or laptop, biological forensic evidence still takes precedence. Fingerprints and DNA evidence may be gathered and may help with gaining access to the data on the device. Standard biological sample collection and preservation procedures are followed. Only after the necessary samples have been collected might law enforcement proceed to physically disassemble the device.
Law enforcement uses software and hardware tools to analyze digital evidence. Hardware tools are “designed primarily for storage device investigations,” with an emphasis on keeping “suspect devices unaltered to preserve the integrity of evidence” (DHS). A forensic disk controller is a type of hard disk controller that gives “read-only” access to a computer’s contents, preventing the data from being altered accidentally. Hard-drive duplicators are devices that allow all data from one or more devices to be copied quickly onto a new hard drive. Password recovery devices are also used to gain access to password-protected data, using techniques such as “dictionary attacks,” which try a list of words and phrases commonly used by businesses and individuals (along with common variations of those words) against the security system.
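As an added example that is not part of the original article or the sources it cites, the duplication-and-integrity step described above in Python: the source is opened read-only, copied block by block into an image file, and both sides are hashed so the copy can be re-verified later. The file names are constructed placeholders and the “drive” is a temporary file of random bytes.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read


def sha256_file(path):
    """Hash a file in fixed-size blocks; large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path):
    """Copy the source block by block into an image file, hashing the source as it
    is read and the finished image afterwards. The source is opened read-only, the
    same guarantee a hardware write blocker enforces; the matching hash pair is the
    integrity record kept with the image."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    image_sha = sha256_file(image_path)
    return {"source_sha256": src_hash.hexdigest(),
            "image_sha256": image_sha,
            "verified": src_hash.hexdigest() == image_sha}


def verify_image(image_path, recorded_sha256):
    """Re-check an image against the hash recorded at acquisition time."""
    return sha256_file(image_path) == recorded_sha256


def demo():
    """Constructed stand-in for a seized drive: a temp file of random bytes.
    Returns (verified at acquisition, intact on re-check, intact after a 1-bit edit)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_drive.bin")
        img = os.path.join(d, "suspect_drive.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))
        report = image_device(src, img)
        intact_before = verify_image(img, report["image_sha256"])
        with open(img, "r+b") as f:  # flip one bit: simulated tampering/corruption
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))
        intact_after = verify_image(img, report["image_sha256"])
        return report["verified"], intact_before, intact_after
```

The final re-check fails after a single bit is changed, which is exactly why the acquisition hash is recorded alongside the image.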
Open-source software applications allow their code to be viewed, distributed, and modified for any purpose, which may reduce costs for law enforcement when adapting an application to their needs. Forensic software plays a huge role in recovering deleted evidence, as computer operating systems (such as Windows) record all activity relating to files, which software can retrieve and then analyze. GPS devices and phone logs allow a person’s location at several points in time to be investigated and a potential timeline to be developed. The metadata of pictures and videos can also store information on where and when they were taken. Other applications specifically watch for security breaches of a trusted network. However, the biggest digital analysis challenge faced by law enforcement is decrypting encrypted data: to transform the data back, “large computational resources and skills are required” (DHS).
Computer forensics led law enforcement to the infamous “BTK” Killer, who committed a string of murders between 1974 and 1991. After the case had gone cold for years, the BTK Killer himself sent various pieces of evidence connecting him to the crimes to law enforcement and the media in an effort to taunt them. Despite DNA evidence collected from a victim and blurry security camera footage, the most crucial piece of evidence came from a floppy disk he mailed to a local TV station, the contents of which he did not believe could be traced. However, metadata embedded in a deleted document contained the words “Christ Lutheran Church” and “attributed the last edits made to someone named Dennis.” After discerning that the church had a leader named Dennis Rader, police were able to locate his home and found further incriminating evidence, including a match between his car and the car seen in other camera footage. Rader was finally arrested 30 years after the first case had been opened.
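The metadata clue above, as an added Python example that is not part of the original article: reading the author, last-editor, timestamp and company fields from a Word document's metadata parts without opening the document body. It assumes the modern .docx ZIP container (the 2005 file was an older Word format), and the sample document and its field values are constructed, modelled on the case.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two metadata parts inside a .docx ZIP container.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def read_document_metadata(docx_bytes):
    """Pull authorship fields out of docProps/core.xml and docProps/app.xml.
    The document body is never parsed; only the metadata parts are read."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = (ET.fromstring(z.read("docProps/app.xml"))
               if "docProps/app.xml" in z.namelist() else None)

    def text(root, path):
        node = root.find(path, NS) if root is not None else None
        return node.text if node is not None else None

    return {
        "creator": text(core, "dc:creator"),
        "last_modified_by": text(core, "cp:lastModifiedBy"),
        "created": text(core, "dcterms:created"),
        "modified": text(core, "dcterms:modified"),
        "company": text(app, "ep:Company"),
    }


def build_sample_docx():
    """Constructed sample: a minimal .docx-shaped ZIP holding only the two metadata
    parts, filled with values modelled on the BTK clue described in the text."""
    core = (b'<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            b'<dc:creator>Office PC</dc:creator>'
            b'<cp:lastModifiedBy>Dennis</cp:lastModifiedBy>'
            b'<dcterms:created>2005-01-10T09:00:00Z</dcterms:created>'
            b'<dcterms:modified>2005-02-01T17:42:00Z</dcterms:modified>'
            b'</cp:coreProperties>'
            % (NS["cp"].encode(), NS["dc"].encode(), NS["dcterms"].encode()))
    app = (b'<Properties xmlns="%s"><Company>Christ Lutheran Church</Company>'
           b'</Properties>' % NS["ep"].encode())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```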
Sources:
https://www.nu.edu/blog/whats-digital-forensics/
https://nij.ojp.gov/digital-evidence-and-forensics
https://studycorgi.com/significance-of-computer-forensics-to-law-enforcement/
https://veriato.com/blog/computer-forensic-tools-providing-the-evidence-you-need/