Digital Evidence

Below we provide an introduction to digital evidence for the investigator, and identify the role of which digital evidence in each stage of the investigation/prosecution process.

Utility of Digital Evidence

Digital evidence is conceptually the same as any other evidence – it is information leveraged in an attempt to place people and events within time and space to establish causality for criminal incidents. Digital evidence can have a role at every step in the lifecycle of the case/incident resolution process including: violation of the law, discovery/accusation, seizure, preservation, examination, analysis, reporting/conversion to admissible evidence, adjudication, and execution of law. Even before the case begins, hiring and training practices will affect the capacity of the criminal justice system to move through these stages when digital evidence is involved.

Receiving Digital Evidence

Mobile devices are being used to document and report emergencies and potential crimes. Many agencies use social media sites to solicit tips from the community, have tip lines for text messages, and some agencies already use Next Generation 911 (NG911). NG911 is an internet Protocol (IP)-based system that allows digital information (e.g., voice, photos, videos, text messages) to flow seamlessly from the public, through the 911 network, then to emergency responders. For example, in the aftermath of the bombings at the 2013 Boston Marathon, law enforcement received approximately 13,000 videos and more than 120,000 photographs. The Vancouver Police Department also received emails with images, videos, and links to social media pages that showed potential evidence of riot suspects following the Stanley Cup Finals in 2011. Law enforcement policies and procedures must have the capability to not only receive this information in a timely fashion, but also to review and store this evidence as well.

Preserving Digital Evidence

Digital evidence preservation and maintenance should, at a minimum, follow agency standards and protocols. All evidence collected should be authenticated, backed-up in multiple locations, and stored in a secure location. Additionally, the chain of custody for digital evidence should be thoroughly documented and limited to only those who require access.

Recovering Digital Evidence (Digital Forensics)

Recovering and analyzing data and material obtained from electronic devices and cloud-based services, also known as digital forensics, can provide significant leads and digital evidence. While digital forensic analysts are responsible for conducting in-depth investigations of devices, first responders also play an important role in ensuring that any devices, and their content, are properly recovered and preserved.

Understanding Digital Evidence

For more information on understanding digital evidence, click here.

Note

Note that some of this content has been reproduced with the permission of the authors of Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Related Needs to More Effectively Acquire and Utilize Digital Evidence, Sean E. Goodison, Robert C. Davis, and Brian A. Jackson, RAND Corporation, (forthcoming).

  • Was this article helpful ?
  • Yes   No

FBI Cyber Shield Alliance

IACP Conference

Contribute Content