Digital Forensics in Criminal Justice
There are several recovery techniques digital forensic practitioners can use when they encounter broken or damaged devices with deleted files (Daniel, 2011). File carving involves searching the raw data from the disk for byte patterns characteristic of known file formats. Because it does not depend on file system metadata, file carving can recover files even when that information is missing. Alternatively, data imaging captures an exact, bit-for-bit copy of the digital media. This process preserves every detail, including unallocated space, where remnants of deleted files may reside. There are also specialized software tools, such as EnCase or FTK, that are designed to recover deleted files. They work by examining the file system on a disk and identifying entries that are marked as deleted but whose data is still present.
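The file-carving technique described above, as an added illustration that is not part of the original essay or any tool it names: a minimal signature-based carver that scans a raw image for a few known header/footer pairs without consulting any file system structures. The signature table is a small subset chosen for the example, and the "disk image" is a constructed byte string with two files embedded in zero-filled sectors.

```python
"""Signature-based file carving over a raw image (added illustration)."""

# Header/footer byte signatures. Assumption for this example: only two
# formats; production carvers carry hundreds of entries and also handle
# formats that lack a fixed footer.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return a list of (file_type, offset, data), ordered by offset.

    For every header occurrence, the matching footer is searched within
    max_size bytes; headers with no footer in range are skipped. No file
    system metadata is consulted, which is the point of carving: it still
    works when directory entries and allocation tables are gone.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            window_end = min(len(image), h + max_size)
            f = image.find(footer, h + len(header), window_end)
            if f == -1:
                # Header without a footer in range: likely a fragment,
                # an embedded thumbnail, or a false positive. Move on.
                start = h + 1
                continue
            end = f + len(footer)
            found.append((ftype, h, image[h:end]))
            start = end
    found.sort(key=lambda t: t[1])
    return found


def build_sample_image() -> bytes:
    """Constructed sample image: a JPEG and a PNG embedded between zero-filled
    sectors, as if the file system had been wiped and only raw sectors remained."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 64 + b"IEND\xaeB`\x82"
    filler = b"\x00" * 512
    return filler + jpeg + filler + png + filler


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype}: offset={offset} size={len(data)} bytes")
```

Two caveats a practitioner would check before trusting carved output: a header match is not proof of a valid file (the carved data should be validated by parsing it), and contiguous header-to-footer carving cannot reassemble files whose clusters were fragmented across the disk.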
Locard's exchange principle is fundamental to forensic science, stating that every contact leaves a trace (Mistek et al., 2018). In digital forensics, this signifies that any interaction with a digital device or network invariably leaves a trace of data or a "mark." Such a mark could take the form of an IP address logged during a web session, a file left on a hard drive, metadata within a document, or even a timestamp on an email. These digital traces serve as invaluable evidence in tracing an individual's activities on their device or the internet and can provide critical evidence in criminal investigations.
Avoiding inadvertent modification of the evidence during forensic examination is of paramount importance (Hassan, 2019). The use of write blockers is a common practice that enables reading a drive without the risk of writing data back to it, thereby preventing accidental changes to the original evidence. Working on duplicates of the original evidence also preserves the integrity of the original while allowing the analysis to be reproduced. In addition, maintaining a clear chain of custody, documenting every individual who has had physical or digital possession of the evidence, is important for accountability and traceability.
Specific devices, like laptops, smartphones, and IoT devices, each leave distinctive digital "marks." A laptop can leave behind artifacts, including browser history, saved passwords, email communications, Wi-Fi connections, USB insertion records, software installation records, and file access logs. Smartphones maintain call logs, text messages, GPS location history, app usage data, browser history, and email data. IoT devices, such as smart home appliances or smartwatches, typically contain user commands, network logs, usage data, and in certain cases, audio or video data (Hassan, 2019).
The digital artifacts collected from these devices can be used by investigators to establish a timeline of events, identify the parties involved, demonstrate intent, or even place a suspect at a crime scene (Daniel, 2011). Browser history or GPS data from a smartphone can reveal the suspect's location at the time of the crime. Email or text messages can disclose communications that might be related to the crime. Network logs from IoT devices can also show user activity at specific times. Therefore, this digital information, when thoroughly and correctly analyzed, can serve as pivotal evidence in proving or disproving the allegations under investigation.
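Building the cross-device timeline mentioned above, as an added example that is not part of the original essay: artifacts from a laptop browser (local time), a phone's GPS log (Unix epoch seconds) and an e-mail header (RFC 2822 date with offset) are normalized to UTC and merged in order. The three records and the UTC-5 offset for the laptop are constructed; the point is that each source stores time differently and events only sort correctly after normalization.

```python
"""Normalizing artifact timestamps into one UTC timeline (added illustration)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def browser_record(local_ts: str, url: str, utc_offset_hours: int):
    """Browser history is typically stored in the machine's local time; the
    offset must come from the laptop's configured time zone (assumed here)."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return (local.astimezone(timezone.utc), "laptop/browser", f"visited {url}")


def gps_record(epoch_seconds: int, lat: float, lon: float):
    """Phone location logs commonly use Unix epoch seconds, which are already UTC."""
    return (datetime.fromtimestamp(epoch_seconds, tz=timezone.utc),
            "phone/gps", f"located at {lat:.4f},{lon:.4f}")


def email_record(date_header: str, subject: str):
    """Mail Date headers carry their own offset, so parse then convert."""
    return (parsedate_to_datetime(date_header).astimezone(timezone.utc),
            "phone/email", f"message: {subject}")


def build_timeline(records):
    """Merge records from all sources into one list ordered by UTC time."""
    return sorted(records, key=lambda r: r[0])


def sample_timeline():
    # Constructed artifacts, deliberately supplied out of order.
    records = [
        browser_record("2023-03-01 21:05:00", "https://example.test/map", -5),
        gps_record(1677722400, 40.7128, -74.0060),
        email_record("Wed, 01 Mar 2023 20:30:00 -0500", "meet tonight?"),
    ]
    return build_timeline(records)


if __name__ == "__main__":
    for when, source, what in sample_timeline():
        print(f"{when.isoformat()}  {source:15} {what}")
```

Clock skew is the usual trap here: if a device's clock was wrong at the time the artifact was written, a corrected offset has to be applied before merging, and the correction itself should be documented alongside the timeline.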
When a digital forensic professional encounters a running or live laptop, the primary action is to follow the procedure known as live forensics or live acquisition. This involves collecting volatile data, which is data that would be lost once the system is powered off. The professional should carefully document everything visible on the screen and any open applications. Subsequently, the volatile data like running processes, network connections, and logged-on users can be captured using appropriate forensic tools. Any incorrect operation can lead to loss of valuable data, so it is necessary to handle this with extreme care (Hassan, 2019).
Live systems can contain a wealth of data not found on powered-off systems. This includes volatile data such as system processes, network connections, login sessions, clipboard contents, and RAM contents, which may hold critical evidence related to recent activities on the device. Furthermore, live systems may have encrypted volumes open and accessible, which would relock and potentially become inaccessible once the system is powered off (Hassan, 2019).
Cloud storage refers to the storage of data on remote servers accessed over the internet ("the cloud"), rather than on local servers or personal computers. These platforms can hold a variety of data types, including files, emails, chat logs, images, and more. Because users often sync their devices with cloud services, there can be a wealth of information that may not be available on the physical device itself (Hassan, 2019).
Preserving cloud data can be challenging because control over the data often lies with the service provider, not the user. However, investigators can make a formal request to the service provider to preserve the user's data, possibly accompanied by a legal order. Many service providers have legal processes in place to deal with such requests. Investigators can also capture cloud data by logging into the account (with appropriate legal authority) and downloading the data (Hassan, 2019).