Electronic evidence can be collected from a variety of sources. From personal and work computers, storage devices, servers, gaming systems, and the ever popular Internet of Things (IoT) devices, technology often leaves a trail for skilled law enforcement officers to follow.

Frequently seized devices – Laptop and Desktop Computer Systems

This document focuses on the proper collection and preservation of  laptop and desktop computer systems. The information found in this document comes from the Digital Evidence Guide for First Responders developed by the Massachusetts Digital Evidence Consortium.

Gaming Consoles

Devices like the Xbox, PS3 and iPads are now a key focus area for digital forensics investigators.  Accessing content seized on these devices is crucial to many investigations. Today’s gaming consoles can store hundreds of gigabytes of data, connect and browse the internet, transmit live video and audio conversations and much more.  Recognizing these advances and capabilities, Gaming systems have now become a popular platform to commit or assist in criminal activities, and therefore must be considered viable sources of digital evidence.

These devices can present many challenges from a forensic perspective.  A modified X-Box has the potential to be used as a personal computer, file server, web server, and more.  It is imperative for investigators to be able to recognize, acquire, and analyze digital evidence from these types of devices.

 Internet of Things (IoT)

The implementation of the Internet of Thing (Iot) has resulted in the connection of tens of billions of wireless devices and is playing an important role in crime scene investigations.  More than ever before, law enforcement is being trained to look for “digital footprints” on IoT devices that potentially track and record activities.  In recent months, devices such as Fitbits, Amazon Echos’ and other IoT devices have proven to be very beneficial as they can sometimes be helpful in proving or disproving alibis and witness statements.  For instance, in 2015, East Lampeter Police used Fitbit technology to disprove a fabricated sexual assault. The alleged victim claimed her watch was lost in a struggle, but was found undamaged in a hallway of the home.  When investigators downloaded the fitness activity they saw she had been awake and walking around the entire night, not sleeping as she had claimed. Click here for original article.

Individuals are slowly filling their homes with data gathering IoT devices, and it’s imperative law enforcement officers understand the use of this technology and how it can assist in their investigations.

Click here to see an interactive house that provides an example of what law enforcement should consider when collecting evidence.

Click here to view SWGDE’s Technical Notes on Internet of Things (IoT) Devices.

Other commonly seized devices that may store digital evidence

There are many other storage media and technical devices that may process and store digital evidence.  Examples of these devices include media cards (ie. secure digital, SIM card, flash, memory sticks), thumb drives, optical media (ie. CD, DVD, and Blu-ray), digital cameras, MP3 players, iPods, servers, surveillance systems, gaming stations (ie. Xbox, PlayStation, Wii), and GPS devices. Each of these devices is capable of holding significant amount of data that could help your case. And each is handled in a separate way. Seizure of these items should be performed with special care.   Consider working with an experienced digital evidence analyst to collect these items.  The link below provides information on best practices in identifying, seizing these types of devices.

Click here to access this document.

Evidence Triage/Preview

There are certain situations where a live triage/preview is necessary.  This could include but is not limited to: exigent circumstances, encryption, or consent.  During these situations, time and date stamps can be changed and certain items (like deleted files) may not be scene.  These reasons are why a triage/preview shouldn’t take the place of a full examination.

See NW3C’s online course Introduction to Previewing  for training in this area.

Powered-On and Off Systems

The guidelines below are from the Scientific Working Group on Digital Evidence (SWDGE) as it relates to dealing with powered-on and powered-off systems.

Powered-On Systems

The examiner should:

• Examine the computer for any running processes. If it is observed running a destructive process, the examiner should stop the process (by removing the power source) and document any actions taken.
• Capture RAM and other volatile data from the operating system.
• Determine if any of the running processes are related to cloud or off-site storage. When encountered, the examiner should coordinate with the appropriate legal authority to ensure the scope covers the off-site acquisition.
• Document and hibernate any running virtual machines.
• Consider the potential of encryption software installed on the computer or as part of the operating system. If present, appropriate forensic methods should be utilized to capture the unencrypted data before the computer is powered off.
• Save any opened files to trusted media.
• Evaluate the impact of pulling the plug vs. shutting the computer down. This is typically dependent upon the operating system and file system encountered.
• Isolate the computer from any network connectivity.
• Use a triage tool to preview data.

Powered-Off Systems

If the computer is powered off, do not turn on the computer.

• Only personnel trained to preview/triage computers should power on the computer and preview/triage data.
• Disconnect all physical network connectivity.
• Consider the possibility of Wake on Wireless LAN (WoWLAN) and BIOS timed booting sequences.
• Verify the computer system for compatibility with triage tools and software.
• Identify and document evidence, if applicable.
• Export evidence to trusted media.

See NW3C’s training on Introduction to Previewing and Encryption.

For Apple Macintosh computers, see Advanced Digital Forensic Analysis: macOS.

Acquisition and Acquisition Types

Acquisition

• Precautions should be taken to prevent exposure to evidence that may be contaminated with dangerous substances or hazardous materials.
• All items submitted for forensic examination should be inspected for their physical integrity.
• Methods of acquiring evidence should be forensically sound and verifiable; method deviations shall be documented.
• Digital evidence submitted for examination should be maintained in such a way that the integrity of the data is preserved. Additional information on data integrity is discussed in SWGDE Best Practices for Mobile Device Evidence Collection & Preservation Handling and Acquisition.
• Forensic image(s) should be archived to trusted media and maintained consistent with organization policy and applicable laws.
• Any errors encountered during acquisition should be documented.
• Steps should be taken to ensure the integrity of the data acquired; this may include one or more of the following:
• Hash values (e.g., MD5, SHA-1 and SHA-256)
• Stored on read-only media (e.g., CD-R and DVD-R)
• Sealed in tamper-evident packaging

Acquisition Types

• Physical
• Hardware or software write blockers should be used when possible to prevent writing to the original evidence.
• Forensic image(s) should be acquired using hardware or software that is capable of capturing a bit stream image of the original media.
• Logical
• Hardware or software write blockers should be used when possible to prevent writing to the original evidence.
• Forensic image(s) should be acquired using hardware or software that is capable of capturing a “sparse” or logical image of the original media.
• Live
• Live data should be acquired using hardware or software that is capable of capturing a “sparse” or logical image of the original media.
• Live acquisition software should be run from trusted media to prevent unnecessary changes to the live system.
• Live acquisition software should be run at the highest level of privilege available to ensure all possible data is available for acquisition.
• Additional information on live acquisitions is discussed in Introduction to Previewing.
• Targeted File(s)
• Targeted file(s) should be acquired using hardware or software that is capable of capturing a “sparse” or logical image of the original media.
• Examiners should request whether associated artifacts are to be collected relating to the targeted file(s) (e.g., LNK files, Jump lists and associated registry keys).

See NW3C’s on training course for training in this area here and NW3C’s online training for How Computers Work and Store Data.

For Apple Macintosh computers, see Advanced Digital Forensic Analysis: macOS.

Forensic Analysis/Examination

• Examiners should review documentation provided by the requestor to determine the processes necessary to complete the examination.
• Examiners should review the legal authority (e.g., consent to search by owner, search warrant or other legal authority).
• Conducting an examination on the original evidence media should be avoided if possible. Examinations should be conducted on forensic copies or images.
• Appropriate controls and standards should be used during the examination procedure.
• Examination of the media should be completed logically and systematically consistent with organizational policy.

See NW3C’s Intermediate Digital Forensic Analysis: Automated Forensic Tools for understanding File Systems and how to conduct a forensic exam on a piece a media.  For an in-depth, deep dive into Window artifacts,  see Advanced Digital Forensic Analysis: Windows.

For Apple Macintosh computers, see Advanced Digital Forensic Analysis: macOS.

 Popular Acquisition Tool Vendors