* Cell Phones (CDR Records)
* Trucking GPS Systems
* Desktop and laptop hard drives
* External hard drives
* USB drives
* Cloud data storage
* Memory cards
* Car black boxes (EDR)
* Cell Tower GPS Location Social Media Accounts
* Medical Record Systems
* Medical Billing Systems
* Accounting Record Systems
* Email Accounts
* Digital File Storage Systems
* File Metadata
* Printer/Fax Machine Data
How Do We Get The Evidence
Evidence acquisition should be performed to ensure that it will withstand legal proceedings. Key criteria for handling such evidence are outlined below:
* Digital evidence must be handled in a way to preserve the original state of the data as closely as possible. Often, just looking at the data, e.g. an email or image, can alter information about that evidence on the storage device. Digital evidence specialists have the means to carefully extract data in such a way that does not alter the data.
* Careful attention and specific procedures are required if the physical state of the data storage device is damaged or compromised in any way.
* Special circumstances may be necessary for active situations. For example, a virus reformatting a hard drive will need to be shut down immediately to preserve data.
* All artifacts, physical and/or digital should be collected, retained and transferred using a standardized policy with a log including information such as time, date, who collected the data, and locations it has been transferred to, and who has analyzed the data.
* Data access and storage should be limited to authorized individuals only.
Evidence Analysis
Digital evidence can be contaminated or altered by merely accessing the data or opening a file. Analysts will create a “copy” or “image” of the data storage device and use this image in their research and analysis. This image is a true copy of the original storage media. This preserves the original data on the device and allows the specialist to view, search, and report on the imaged "original" information without modifying the files. There are additional issues that affect the ability to analyze the data:
* If the data on the storage media is encrypted in any way, the decryption of the data becomes a critical bottleneck in the process. Specialized technology used in digital forensics can overcome some encryption. Passwords can sometimes be required as part of the data acquisition process and included in the legal documentation.
* The forensics investigator can often times recover deleted files, and this information is often critical to a case. This is not always possible, depending on how the data was stored and on how the device on which it was stored is used.
* Data stored about a file is called metadata and can include very useful information. For example, the date the file was created, users that created or accessed the file, or what date and time was the file last accessed and more. Metadata analysis is only useful if the data was acquired and accessed in a specific way that does not alter either the file nor its metadata.
What We Can Do With Digital Forensics?
Data that is used regularly, such as email, texting, internet browsers and other traditional files, contains more data than the actual content of the email or text. Metadata provides interesting information such as when it was sent, to whom, from what IP address. Phone book or address book apps can contain much more than a name and a phone number or address. All this information can prove very useful in many investigations.
Cell phone digital forensics can be useful in auto accidents and commercial trucking accidents. Distracted driving cases involving the use of a cell phone for talking, texting, or even shopping on the device while driving, can be proven with careful analysis of the cell phone activity. Analysts can determine what was happening on a cell phone during the time leading up to and at the time of the accident.
Cell tower data can be analyzed to determine where a cell phone has traveled or was located when an incident occurred. This can be useful information in many cases including distracted driving, divorce proceedings, and many others.
Cloud storage and social media sites can be evaluated to determine culpability regarding cyberbullying, stalking, intimidation of a witness, or libel. Cloud research should not be overlooked as it can also contain data similar to a cell phone or hard drive, and is often a good source of artifacts when researching a case.
Social media and other posting activities can be examined in cases involving child custody, infidelity, divorce, insurance fraud, and many others. This information can be found in many data storage devices including cell phones, computers, cloud storage, as well as online social media websites.
Partnering with a Digital Forensic Firm
Technical devices are integral in our everyday lives and becoming increasingly involved in almost every aspect of our daily interactions with our world. It is now critical for a law firm to have a digital forensics partner on their team. Selection of a firm that can help you find the information and interpret the data is essential. When selecting a firm, please consider these important points:
* Forensic work can range from being very sophisticated, e.g deleted file recovery or encrypted files, to simple analysis of call records with texts and calls. Law firms need to have a digital forensics partner that possesses the experience and knowledge to do both simple and complicated investigations.
* A digital forensics firm may request a retainer payment model for services. This usually includes an initial payment to “retain” the forensics firm, and additional payments until an agreed upon number of hours are reached. This may be useful to law firms that have either a complicated case, or many cases requiring digital investigations.
* Many firms can recover the files, and provide a report with key evidence, but not help you understand the data or explain it to a judge or jury. Be sure to select a firm has experienced experts that can also interpret the data, explain it to all parties, and testify in court for you. As the technology in our hands, cars, trucks, homes and world continue to become increasingly integrated in our lives, digital forensics will become more critical. Law firms that develop a relationship with digital forensics firms and create a strategy to include electronic evidence in their work will be better poised to rise to a higher level of client service and success.