This paper examines the field of digital forensics and the challenges law enforcement faces when investigating electronic crimes. It discusses the wide range of devices that can serve as sources of digital evidence—from personal computers and tablets to telephone systems and access control devices—and explains why electronic evidence is particularly sensitive and prone to alteration. The paper outlines the four core phases of a forensic investigation: collection, examination, analysis, and reporting. It emphasizes proper handling procedures, documentation requirements, and the importance of preserving evidence for court proceedings, including the potential role of forensic examiners as expert witnesses.
The computer age has brought with it a whole new host of problems for law enforcement. According to the research, "the Internet, computer networks, and automated data systems present enormous new opportunity for committing criminal activity" (U.S. Department of Justice, 2013, p. 6). Many electronic devices are becoming facilitators for electronic crime. Hackers and other criminals frequently use computer systems and the Internet to commit crimes against both individuals and larger organizations. Crimes committed digitally include auction fraud, computer intrusion, economic fraud, e-mail harassment, extortion, identity theft, and software piracy, among many others (Protext International, 2003).
Personal consumer products such as desktops, laptops, and tablets can all be used in digital crime. Larger electronic systems in business or enterprise operations can equally be sources of digital crime; towers, modular racks, minicomputers, and mainframes can all be locations where evidence is found (Protext International, 2003). Additionally, access control devices such as smart cards, dongles, and biometric scanners may also contain evidence (Protext International, 2003). Even telephone switching systems, answering machines, and fax machines can contain hidden data that points to evidence of digital crime. As technology advances, so do the crimes committed with it. In order to combat this type of crime, investigators need an entirely new set of skills in the digital realm. Electronic crimes are still crimes, and law enforcement must treat them accordingly. "The law enforcement response to electronic evidence requires that officers, investigators, forensic examiners, and managers all play a role" (U.S. Department of Justice, 2013, p. 16).
Much of the evidence left behind in electronic crime is latent. This means that residual evidence of a crime exists because it was at some point stored or transmitted by a computer or other electronic device. "Electronic evidence is latent evidence in the same sense that fingerprints or DNA evidence are latent. In its natural state, we cannot see what is contained in the physical object that holds the evidence" (U.S. Department of Justice, 2013, p. 17). Special skills and processes are therefore needed to uncover the evidence that remains on a computer's hardware or other electronic device.
New devices and processes are continually being designed to combat digital crime. Research suggests that "cloud computing brings opportunities for network forensics tracing Internet criminals in a distributed environment" (Fu et al., 2010, p. 1). These new developments in cloud computing create new potential for gathering forensic evidence on a scale previously not possible in computer crime investigations.
Electronic evidence is extremely sensitive. It "can be altered, damaged, or destroyed by improper handling or improper examination. For this reason, special precautions should be taken to document, collect, preserve, and examine this type of evidence" (U.S. Department of Justice, 2013, p. 17). Rigorous forensic processes are required in order to collect electronic data that is usable in a court of law. There are four specific phases involved in the forensic investigation of electronic evidence: collection, examination, analysis, and reporting.
Electronic evidence can also be time-sensitive. Certain aspects of the data may erase or eliminate incriminating evidence after a certain amount of time, or after the evidence is overwritten with other data (Protext International, 2003). Even "components such as keyboards, mice, removable storage media, and other items may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved" (National Institute of Justice, 2013). Careful consideration of electronic evidence must therefore be conducted in the same manner as collecting physical evidence at a crime scene.
"Warrants, documentation, and scene procedures"
"Uncovering, documenting, and reporting digital evidence"
Certain types of computer evidence require special attention, packaging, and transportation. "Consideration should be given to protect the data that may be susceptible to damage or alteration from electromagnetic fields (e.g., static electricity, magnets, radio transmitters, etc.)" (Protext International, 2003). During the examination process, all evidence uncovered must be thoroughly documented along with a record of how it was extracted. The examination is completed with a written report that gives other law enforcement investigators insight into what evidence was found on various computers and electronic devices and how it can be used to support theories about particular crimes. All examination notes should be included so they are available for future discovery or for use in a court of law.
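One way to keep the record this paragraph calls for, shown as an added example that is not from the paper or its sources: each handling step is logged with a SHA-256 digest of the evidence and chained to the previous entry, so a later change to either the evidence copy or the notes is detectable. The use of SHA-256 hash chaining, the field names, the item identifier `ITEM-001`, and the sample bytes are assumptions made for illustration.

```python
import hashlib
import json

# The four phases named in the paper; entries outside them are rejected.
PHASES = ("collection", "examination", "analysis", "reporting")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_digest(record: dict) -> str:
    """Digest of every field except the digest itself, in a stable key order."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, phase, item_id, action, evidence: bytes, examiner):
    """Append a handling record bound to the previous record (hash chain)."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase: {phase}")
    record = {
        "seq": len(log),
        "phase": phase,
        "item_id": item_id,            # hypothetical exhibit label
        "action": action,              # how the evidence was handled or extracted
        "examiner": examiner,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["digest"] if log else "0" * 64,
    }
    record["digest"] = record_digest(record)
    log.append(record)
    return record

def verify_log(log):
    """Return the seq of the first altered or out-of-order record, else None."""
    prev = "0" * 64
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev or rec["digest"] != record_digest(rec):
            return i
        prev = rec["digest"]
    return None

def evidence_unchanged(log, item_id, evidence: bytes) -> bool:
    """Compare a working copy against the digest recorded at collection."""
    for rec in log:
        if rec["item_id"] == item_id and rec["phase"] == "collection":
            return rec["evidence_sha256"] == sha256_hex(evidence)
    raise KeyError(item_id)

def build_sample_log():
    image = b"constructed sample disk image bytes"  # constructed, not real evidence
    log = []
    add_entry(log, "collection", "ITEM-001", "imaged removable media", image, "examiner-a")
    add_entry(log, "examination", "ITEM-001", "extracted file listing", image, "examiner-a")
    return log, image
```

A real log would also carry timestamps and be stored separately from the evidence it describes; they are left out here so the digests stay reproducible.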
The investigation concludes with the "packaging and transportation of the evidence" back into the hands of law enforcement (Protext International, 2003). This is technically where the forensic examiner's primary role ends. However, the forensic examiner may also be called into court to testify regarding the validity of the evidence. Research suggests that "an examiner may need to testify about not only the conduct of the examination but also the validity of the procedure and his or her qualifications to conduct the examination" (U.S. Department of Justice, 2013, p. 19). A suspect's legal counsel may attempt to question the validity of the search and evidence collection, and the forensic investigator must then be called upon to support the conclusions derived from the digital evidence.