Chapter 4: The computer as evidence
Computers have been used to locate digital evidence for decades. Methodologies have been developed to seize, extract, analyse and present digital evidence and courts have become accustomed to seeing this form of evidence. To assist in the capture and analysis of the wide range of computer-generated evidence, forensic tools such as EnCase[1], Forensic Tool Kit (FTK)[2], and Cellebrite[3] have entered the market and developed as new generations of Operating Systems and technology have evolved.
The time taken to conduct such an investigation is dependent on the size of the drive(s) of the target device (computer) and how deep an analysis is required. The digital examiner can greatly contribute to the progress of your investigation; however, they need direction as to what you are looking for. For example, if they are looking for a single image, the examination stage may be very quick. If they are seeking evidence of computer hacking or complex fraud, this examination may take several days or more.
Computers are everywhere and we are familiar with desktops, laptops and mobile devices. These have large storage capacity, which is increasing exponentially every year, and the way cybercriminals are using these devices is also expanding exponentially. Cloud services connected through the computer contain vast amounts of additional storage, and the evidence you suspected was held in the device may actually be stored within a cloud service accessed through that device. Your digital evidence across a wide range of devices is now stored in these cloud computing services, and the digital investigator needs to be able to operate in this environment as effectively as they do with any other digital device located within a home or office.
Cloud services include well-known offerings such as Microsoft 365, which contains a suite of workplace applications such as Word and Excel, and data storage services such as Dropbox. Apple, Google and Amazon are other major corporations offering cloud storage services. Businesses and individuals purchase cloud services ranging from the use of pre-supplied applications and storage through to larger organisations that rent large volumes of empty storage and customise it to their specific computing requirements.
A computer is often a tool of the trade of a criminal, whether that is a stalking offence, identity theft, trading criminal products and services or the commission of any offence involving misleading documentation/communication. It is also often used to research the steps involved in the commission of a physical crime or the many offences involving social media. The computer can capture evidence that the person of interest may be unaware of, including search inquiries, log files and web browsing history.
Digital forensic examinations
The art of conducting digital forensic examinations has become a specialist position entrusted to investigators who have developed their expertise through intensive training courses, including courses dedicated to a single forensic tool or a range of them. They have undertaken extensive courses of study and learnt from the professionals how to conduct their duties to the highest possible standard, how and where to locate their digital evidence, and how to present it in a manner that is understandable to those who do not have their level of technical knowledge or skills. Courts expect to see this form of evidence captured, processed, stored and presented in a manner which they can rely upon as an accurate representation of the evidence, which is ultimately stored on devices as 0s and 1s.
At the completion of a digital forensic examination, detectives receive reports from their examiners which provide leads and evidence of the offence under investigation. However, often despite the best efforts of the examiner, the reports are complex as they serve many audiences as well as the investigator, such as the courts, lawyers, and other technical witnesses. The technical report is evidence in its own right and has to be specific as to its findings and relevance, meaning the digital examiner has to be very precise in their statements and use the appropriate technical language as required. This does not always make easy reading for non-technical audiences.
The detective is expected to be able to understand the report and assimilate it into their investigation. As digital forensic technology uses different terminology than that known to many detectives and civilian investigators, this chapter seeks to introduce to the reader the many forms of evidence that may be obtained from a computer, identify what it means and highlight its potential relevance to the investigation. The many forms of digital evidence will increase as technology evolves and the investigator will benefit from having a detailed conversation with the digital examiners as to what evidence the computer examination can produce before the forensic investigation process commences. With this information, the detective can have a greater understanding of the evidence that may be obtained from a computer and be more precise in what they can ask their forensic investigator to look for in their formal request. The terminology in this chapter is intended to be read and understood by a non-technical audience.
Seizing digital evidence requires more care than most physical items. This is due to the volatile nature of the data operating and stored within a device or network. Obtaining the support of digital forensic experts at the scene alleviates the investigator from the immediate complexity of seizing this evidence and ensures best practice is used. The detective may concentrate on other areas of practice at the scene including speaking to complainants, witnesses, or suspects, obtaining reports from the search team and overseeing team safety, safe in the knowledge the complex technical evidence capture is being conducted by the team expert.
However, not all scenes will have the luxury of having experts in digital evidence available and the investigator will be required to identify digital evidence and seize it in a forensically sound manner as explained later in this chapter.
Other digital devices
Scenes may contain many variations of computers including the familiar-looking desktop computers and laptops, but smaller variations of computers exist such as the Raspberry Pi and the Apple Mac Pro. It is worth being aware that computers come in many shapes and forms. Digital storage devices such as USB drives and external hard drives can also be spread throughout crime scenes. In some instances, CDs and DVDs may be found containing digital evidence, especially when detectives are searching for evidence of serious crimes such as possession of Child Exploitation Material (CEM). Initial consideration may be that these forms of data storage are old and no longer used by suspects. However, images of CEM downloaded and stored ten years ago on a CD are as much an offence as those downloaded today and stored on a modern data storage device.
At a scene, it is worth conducting an audit of the technology present and gaining an understanding of what each item does, why it is present, what it records and how it may advance your investigation. Identifying all the connected devices within a smart home may be challenging, however, reviewing the list of devices connected through the Wi-Fi modem/router provides a good starting point. This is discussed in Chapter 11.
Individual jurisdictions have their own rules on what the courts require and the manner in which evidence is seized, preserved, examined, and presented in court. It is the investigators’ responsibility to understand these rules and laws and ensure they are adhered to. The investigator is also required to ensure they keep up to date on the changes to laws and requirements of the courts in the jurisdictions they operate within.
As digital devices are collected, they are to be treated as any other form of evidence, with the understanding that this form of evidence may be highly volatile and subject to remote interference by the device owner or an accomplice. Computers present their own inherent threats to the detectives’ investigation, as evidence can be easily lost and/or damaged. Digital evidence is easily tainted, and remote access to a connected device where evidence resides is a high-risk environment in which evidence can be damaged or destroyed. Remote access to the computer is a hazard: suspects or their associates can log onto the accounts/device of the suspect and delete data whilst the detective is standing next to the device. Also, shutting down a device at the scene for seizure and later analysis deletes potentially valuable evidence such as passwords located in the device’s memory. Obtaining advice from a digital forensics expert prior to the seizure of such evidence is an investment in your investigation.
Suspects wearing smart devices within the scene or when encountered will need to be identified early in the scene search or interview with the technology seized and preserved. Chapter 8 discusses wearable technology and provides examples of the digital evidence of technological devices people can wear as clothing or accessories, as well as implanted into the body such as under the skin within the palm of the hand. There will be obvious logistical difficulty involving the seizure of implantable devices.
Computer Operating Systems (OS) vary by manufacturer and device (for example, desktop, laptop, mobile, server), with industry leaders such as Google, Apple and Microsoft regularly updating their OS. Consequently, there are many versions of these popular operating systems on the market, many of them dating back several versions. Another popular OS is Ubuntu, which has a very loyal following of Linux users.
What does a detective/investigator need to know about a computer device?
The following section provides a series of considerations a detective or civilian investigator needs to think about before seizing digital evidence from a scene. Many of these considerations are standard to any form of evidence and will be familiar to the experienced investigator, but they are listed here for general knowledge.
Initial evidence possession actions
- Accurately record where the computer was located and who seized it. This is a principle of any exhibit located for an investigation.
- Photograph the device in the location it was found prior to seizing it as an exhibit. This shows exactly where the evidence was found in the scene, as well as providing a valuable memory prompt when attending court several years later.
- Photograph any physical damage to the device such as a cracked screen. This prevents claims damage to the device was caused by the investigation team.
- Do you have lawful access to seize and examine it? Search warrant/court order/consent?
- Ensure the chain of custody has been preserved. All persons having possession of the exhibit from the time of seizure are to record these details in their investigation notebook. A receipt detailing the item(s) seized is to be issued so the property owner knows exactly what was taken.
- Identify who the owner and user(s) of the device are. These may be different people. Even if you can prove a device contains valuable evidence, you must also prove who was using the device at the time of the alleged offence, as there may have been several persons present when the defining act(s) were committed, or several persons with access to the device username and password. One way of identifying a user is to examine the activity within the registry of the user, which is discussed later in this chapter.
- Obtain passwords or other access mechanisms to the device. These may be provided by consent of the device owner, a court direction or by locating schedules of passwords that may be located within the search area. Suspects sometimes leave notes with passwords hidden close to the device they use.
- Place a unique investigation exhibit number on the device such as by an evidence sticker or similar. This should match the number on the master schedule as well as the property receipt.
- Provide a property receipt to the device owner or person in possession accurately describing the exhibit(s) being seized and the state it is in such as whether there is any damage to the device when seized. As mentioned, the receipt should also contain the reference number which links to the number placed on the device. For example, if a Dell laptop was in the suspect’s home office, a sticker or computer-generated tag will provide an exhibit number, and this will be the same number as on the property receipt provided to the suspect.
- Record unique identifiers such as model and serial numbers. Sometimes these are generic devices and identifiers cannot be located, so an alternative is to record unique features on the device such as stickers, unique markings etc. This helps when there are multiple devices seized of the same brand and model, such as a drug dealer having four mobile phones from the same manufacturer.
- Record any activity within the device that can be easily seen such as windows open and what was on the screen at the time of seizing the device. Also, note whether the machine was powered off when seized using the device’s shutdown procedure or if the power was removed, crashing the device. Taking a photograph of the windows or tabs open when the computer is seized is a valuable investigation resource, especially when the images contain evidence of the offending such as viewing CEM or the user being on a criminal website.
- Record devices attached to the computer such as printers or external storage devices. Also, look for removable storage devices such as SD cards which should be recorded on the exhibit schedule and property receipt.
- Remove the device from a network or other remote access to prevent damage to the device and/or evidence within it. This may include the removal of a SIM card or placing the device into flight mode or similar depending on the device. Mobile devices may be accessible by a suspect where evidence can be destroyed remotely. Removing the SIM card and network access is necessary, and another option is to place the device in a Faraday bag which is specifically designed to prevent any connection to a network. When there are no other options, wrapping a mobile device in aluminium foil is effective.
- Consider the safety of the device and those who are in possession of it. This may be physical safety as well as safety to the investigation. For example, a computer may be seized, however, the suspect has remotely turned the microphone or webcam on meaning they can hear and/or see every discussion the investigation team is undertaking in real-time. Should the team discuss their investigation strategy to locate the suspect next to this device, the suspect will know these plans well in advance. Also, should someone on the investigation team make an inappropriate comment about the suspect, this may be used as evidence in court with the defence lawyer arguing the investigator had prejudicial beliefs about the suspect early in the investigation.
- Is there an Uninterruptible Power Supply (UPS) present? A UPS means that when the power cord is disconnected from the device, it continues to operate as normal because it has an alternative source of electricity. This may be a particular problem for the investigator who tries to turn a computer off by removing the power cord because they fear there is software installed to delete evidence.
- The examiner should confirm their skills are appropriate for the type of examination that is required. For example, an examiner may be an expert at the examination of laptops and desktop computers but have minimal experience or qualifications in the examination of mobile devices or the capture of data over a network. Specialist training in tools such as Wireshark is required for the capture of data travelling over a network.
- Agree on a course of action to be taken should sensitive material be located such as protected legal communication or pornographic images unrelated to the matter under investigation.
- Also, agree on a course of action should commercially sensitive data be found on a device under examination. This includes the action to be taken should a device contain cryptocurrencies, which should be treated in the same way as seizing cash.
- Explain details of images, documents or recordings which may be evidence of an offence. That is, what exactly are you looking for on the device? Metadata is data within the recording, image or document which records valuable details such as the time the document/recording/image was created, who the user creating it was, and who has had access to it.
- Discuss the possibility of them attending the scene to secure volatile digital evidence such as that in the memory of a device which will be lost when the device is powered down.
- Explain any suspicions that potential evidence has been destroyed on a device. This generally requires the skill of a trained expert.
- Identify the devices they are to attend to. This is the same regardless of whether they are to attend to a complainant, witnesses, or suspect’s address. The devices should have identifiers that can link the device under examination to the property receipt issued to the property owner. For example, the digital examiner is to examine items 3, 17 and 25 of the exhibits seized with a description provided of each to corroborate the item numbers.
- Identify time constraints such as time available at the scene, date the examination report is required for court, whether the exhibit needs to be returned to the owner etc.
- Prepare a schedule of keywords, phrases and images for the digital examiner to use for their examination.
- Prepare a summary of the investigation so they have an understanding of what the case is about. Include details of the offences you are investigating. With this information, the examiner may be able to provide advice regarding the types of evidence they can recover from a device they were unaware of.
- Seek advice from the digital examiner on what suggestions they can make regarding locating evidence. Asking them for their advice on the examination of the device allows them to use their professional experience from previous examinations on such devices and similar investigations and they may provide valuable suggestions as to locations of evidence and its meaning. Examiners will have experience from the many investigations they have undertaken, and they bring their experience from the examinations of many different devices to your investigation.
- Write a detailed explanation of what evidence you are looking for.
Seizing digital evidence
- Use the skills of a specialist digital examiner where possible.
- If a device is turned on, remove it from the network by removing the SIM card, placing the device in flight mode or equivalent, turning off Wi-Fi or other access such as Bluetooth, or placing it into a Faraday bag or equivalent to prevent network access. A Faraday bag is designed to stop any form of communication to/from the device to any form of network. An alternative to a Faraday bag is a clean metal tin with the device placed inside, the lid placed on, and the entire tin covered in aluminium foil. Removing the device from the network reduces the capacity for the offender or their associates to remotely access the device and delete any incriminating data.
- If a computer is on, consider the value of having the digital forensic examiner conduct an examination at the location to obtain data in the memory as well as ensure continual access to the device. Where possible and feasible, this would be advantageous in obtaining as complete a copy of evidence as possible. However, in reality, this is not always possible, and the device needs to be removed from the scene. If this is the case, shut it down by using the shutdown process or an emergency procedure such as pressing the power off button or removing the power source. A laptop may be secured without having to shut the device down if the circumstances allow. Consider the possibility of having the digital examiner undertake an initial examination of the device’s memory prior to being shut down where feasible.
- Secure cords and cables attached to the device, especially those used to power it. There are numerous versions of technology in crime scenes, and digital examiners may not have the power or connection cords to them all, especially when a device is old or originated from a foreign country. If there are manuals, seize these if you think they will be of assistance to the digital examiner.
- If a device is turned off, do not turn it on.
- If there is any concern that the suspect may have specialist software that deletes evidence unless a specific pre-formatted shutdown procedure is followed, cut power to the device when seizing it. Even in this instance, beware of the computer that has an Uninterruptible Power Source (UPS) such as an attached battery, which allows the device to continue running even when the power cord is removed. Whilst this action will permanently eliminate the evidence in the device’s memory, the investigator must work within the presented environment to the best of their ability.
- Any changes to the device during the seizure should be documented at the time. This includes documenting when the device was disconnected from Wi-Fi, any memory acquisition that took place while the device was still turned on and the time and manner in which the device was turned off. As all changes will leave a trace on the device, the goal is to be able to explain and attribute these specific actions involved in the device seizure to the digital examiner so that the integrity of the evidence can be maintained.
Other considerations regarding seized computers
- Gain a basic understanding of the device, what its function is, the data it generates and where that data is stored.
- Identify whether it is attached to a network or has cellular connectivity.
- Obtain access details such as passwords or other access mechanisms.
- Proprietary Operating Systems: Large organisations may develop their own Operating System (OS) to suit their needs, and these are proprietary to the organisation. These may present a challenge to the digital forensic examiner who will be required to liaise with the developers of the proprietary OS to understand how the system was developed and operates and to identify the key locations where evidence may be resident. They may need to obtain a copy of the proprietary OS to assist with viewing the evidence in their forensic examination.
- Whose device is it? It may not be the property of the person in possession when seized. This is common when devices are seized in corporate environments and the organisation has a Bring Your Own Device (BYOD) policy. BYOD involves a person using their personal computer device on the corporate network.
- Who has had access to it? Many people may use a specific device such as a desktop computer in a corporate environment. Passwords may also be shared.
- Why was it seized? What is the relevance of the device to the investigation? A complainant may direct the investigation team to the subject device, or in the event of a search of a suspect’s home, they may have to search for it and confirm which device is relevant to their investigation.
A goal is to have the evidence as it was when the suspect or device owner last operated it. There should be no changes to the device and/or its operating system. This is where the role of the digital examiner is of immense value as they have the training to ensure there are no changes to the device system files which could potentially contaminate the evidence. If there are any changes such as the shutting down of the device through the formal shutdown procedures, file changes can be easily explained.
There will be instances where the computer to be seized cannot be removed from its location such as the server of a business that is making a complaint. Alternatively, the computer may be a critical part of the functioning of the network and its removal would harm the operation of the business. In a perfect world, the server would be fully imaged, and the image taken for examination, however in reality, this is often not practical as the storage and memory within a server are often beyond the realistic storage capability of the investigation team and the time taken for a full forensic image is prohibitive.
Where can evidence be found on a computer?
Computers contain potentially large volumes of evidence that can support and advance an investigation. This section provides directions as to the evidence that may be located on a computer and how it can be incorporated into an investigation. The lists are not static as new OS are developed and features are added and removed. Also, investigations are varied, and other locations of evidence may be identified and relevant in that instance. However, it is useful to have a starting point of understanding the many examples of evidence a computer device may provide and include the potential of this evidence in your investigation plan.
Operating System
The Operating System (OS) is the basis of a computer system in which applications operate. Common operating systems for computers include the Microsoft Windows range and the Apple Mac OS. Ubuntu is also a very popular Linux OS. Loading of the OS is one of the first activities a computer undertakes when it is powered on, and applications are installed once the OS is loaded and operational.
The OS is important to the examination of the device, as although evidence such as photos and documents may be installed well after the OS is operating, the OS will provide valuable information about the activity involving these documents and images as well as details on the operation of the device.
Digital evidence that the digital examiner can locate for you from the OS includes:
- Date and time on the device which can be the default times, user configured or synchronised through the internet.
- Details on the OS including version numbers. This can help identify a unique device on a network.
- Time zone the OS is configured as. This can be a default setting, user-configured or synchronised through the internet.
- When an OS was installed. This may be useful to the investigator when there has been a suspected OS reinstall to delete evidence.
- A Windows OS formatted with the New Technology File System (NTFS) will include a Master File Table (MFT) which contains a record of each file and folder that has ever been present on the device, listed in the order in which they were created on the device. This can help an investigator identify the date and time files were created on the device and identify the presence of files that have since been deleted.
Application details
Applications are computer programs that provide functionality to the OS. A common application is the Microsoft Office suite of programs such as Word and Excel. Other examples of applications include databases, email and accounting packages.
Examples of evidence that can be obtained from an application include:
- Applications installed on the device including version numbers.
- Applications that have been deleted from the device.
- Applications open at the time of seizure.
- Applications that load on OS start up.
- Autocomplete data. Valuable information including email addresses, passwords and credit card details may be identified.
- Calendar entries.
- Clipboard data where the user has cut/copied data within a document or spreadsheet can also be recovered.
- Databases on the device and deleted.
- Date and time applications on the OS were installed.
- Date and time applications on the OS were uninstalled.
- Emails on the device and deleted.
- Images on the device and deleted.
- Keywords and numbers as identified by the investigator to the examiner. This may include words unique to the investigation that may be located in documents as well as numbers such as bank accounts, phone numbers and credit cards.
- Memos such as Notepad or Stickies (Apple notes which sit on the device desktop).
- Most recently used applications and files they accessed.
- Number of times applications have been used and by which user profile.
- Spreadsheets on the device and deleted.
- Videos on the device and deleted.
- Voice messages including recordings.
- Who installed the applications?
- When applications have been accessed.
- Word documents on the device and deleted.
Device logs
A computer log is a record of an activity on a computer. The OS creates many logs which may be of benefit to the investigator. Computer logs are considered to be one of the most important sources of evidence on digital devices, as they record the essential activities on the system.[4]
Within a Windows device, event logs capture and record activities within the device as generated by the user, applications, or the OS. They are useful as they can be used to reconstruct an event.[5]
These record significant events, and are stored under the following headings on a Windows device:
- Application logs: Records events as generated by the activity of applications.
- Forwarded events: Events collected from remote computers on the network.
- Security logs: Records security-related events identified by the Windows system.
- Setup logs: Contains events relating to the setup of applications.
- System logs: Records events logged by the Windows system components.[6]
As events occur, they generate a unique number which is an event code. The code describes an event that has happened, such as event code 4720 identifying a new user account created on the device. Event codes provide a valuable understanding of events as they occur.
Another example of valuable log data is when a USB or external device is attached, information about that device is stored including its unique identifier, where available. To the investigator, this is valuable information as it provides a link from the device to a uniquely identifiable external storage device where a copy of valuable Intellectual Property may be stored. An examiner may identify from the OS the external device identifier such as a serial number and see whether that device has been attached to the OS.
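The two artefacts just described can be collected together from a running device during the on-scene triage the chapter recommends before shutdown. The script below is an added example, not part of the chapter or any forensic product; it assumes an elevated PowerShell prompt on the seized Windows machine, and the case number and the suspected drive serial are placeholders.

```powershell
# Added example (not from the chapter): live-response triage of two Windows
# log artefacts - Security event 4720 (a user account was created) and the
# USBSTOR registry keys that record every USB storage device the OS has seen.
# Assumptions: run from an elevated PowerShell prompt (reading the Security
# log requires administrator rights); $CaseId and $KnownSerial are placeholders.

$CaseId      = 'CASE-PLACEHOLDER'      # exhibit/case reference from the property receipt
$KnownSerial = 'SERIAL-PLACEHOLDER'    # serial of a suspected external drive, if known
$OutDir      = Join-Path $env:TEMP "$CaseId-triage"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Record the examiner's own actions first, so every change made to the live
# device during seizure can later be attributed and explained.
$Notes = Join-Path $OutDir 'examiner_actions.txt'
"$(Get-Date -Format o) triage started on $env:COMPUTERNAME by $env:USERDOMAIN\$env:USERNAME" |
    Out-File -FilePath $Notes -Append

# 1. Event code 4720: a new user account was created.
#    SubjectUserName is the account that did the creating,
#    TargetUserName is the account that was created.
$Created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            RecordId    = $_.RecordId
            CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            NewAccount  = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
        }
    }
$Created | Export-Csv -Path (Join-Path $OutDir 'event_4720_accounts_created.csv') -NoTypeInformation
"$(Get-Date -Format o) exported $(@($Created).Count) event 4720 records" | Out-File -FilePath $Notes -Append

# 2. USB storage history. Under USBSTOR each subkey names a device model and
#    each of its subkeys is a device instance. Windows builds the instance key
#    from the device's reported serial number followed by '&0'; when a device
#    reports no serial, Windows generates an ID whose second character is '&'.
#    The serial extraction below is a heuristic based on that convention.
$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$Usb = Get-ChildItem -Path $UsbStor -ErrorAction SilentlyContinue | ForEach-Object {
    $model = $_.PSChildName
    Get-ChildItem -Path $_.PSPath | ForEach-Object {
        $instance = $_.PSChildName
        $props    = Get-ItemProperty -Path $_.PSPath
        $serial   = if ($instance.Length -gt 1 -and $instance[1] -eq '&') {
                        '<no serial reported>'
                    } else {
                        ($instance -split '&')[0]
                    }
        [pscustomobject]@{
            Model        = $model
            InstanceId   = $instance
            Serial       = $serial
            FriendlyName = $props.FriendlyName
        }
    }
}
$Usb | Export-Csv -Path (Join-Path $OutDir 'usbstor_devices.csv') -NoTypeInformation
"$(Get-Date -Format o) exported $(@($Usb).Count) USBSTOR device entries" | Out-File -FilePath $Notes -Append

# 3. Link check: has the suspected external drive ever been attached to this OS?
$Match = $Usb | Where-Object { $_.Serial -eq $KnownSerial }
if ($Match) {
    Write-Output "Known device serial $KnownSerial HAS been enumerated on $($env:COMPUTERNAME):"
    $Match | Format-Table -AutoSize
} else {
    Write-Output "Known device serial $KnownSerial was not found under USBSTOR on $($env:COMPUTERNAME)."
}
"$(Get-Date -Format o) triage finished; output written to $OutDir" | Out-File -FilePath $Notes -Append
```

The CSV files and the action log are written to a folder under the examiner's temporary directory so they can be copied off and referenced in the examination report alongside the exhibit number.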
Documents and spreadsheets
Documents and spreadsheets are common sources of evidence in the investigation of financial crimes. Corporate investigations conduct a comprehensive analysis of documents. Documents may also apply to other investigations such as identity theft and the creation of fraudulent identities. Understanding the evidence that may reside within documents and financial records is the cornerstone of many of these forms of investigation.
Several of the items listed in the schedule were mentioned in the previous section “Application details”, however, as they are highly relevant to this section, they are included for completeness.
Examples of evidence that may be found within a document or spreadsheet include:
- Content of document/spreadsheet.
- Date and time the document or spreadsheet was created.
- Details of who the application, such as Microsoft Word/Excel, is registered to (company/individual/fake name).
- Details of who has last modified a document and when.
- Details of an image being modified by a program such as Photoshop.
- File and folder size.
- Folder name. This is a unique name generated by the user unless they have copied a folder completely from another source. If the folder name bears no relation to what is in it, it indicates an intention to hide the folder’s contents.
- Location sourced including recycle bin.
- The number of times it has been accessed. Regularity of access shows the level of interest a person may have in an image or document.
- Previous versions of a document (Not always available).
- Whether a document or image has had its extension changed. This tactic is used to hide data potentially damaging to the device owner.
-
Relevant questions:
- Has the file or folder been renamed? A file name change can be seen as evidence of knowledge of the file and its contents.
- How many times has it been accessed and by whom?
- Was it a user-generated document/spreadsheet or downloaded?
- When was it last accessed?
- When was it last saved?
- When was the document/spreadsheet last printed?
- Who created the document or spreadsheet?
- Who has viewed the document/spreadsheet?
- Was the document/spreadsheet created on the device or copied from another location?
- Were temporary files created when the application was in use?
Emails
One of the interesting things about email communication is that it provides information about the writer as well as their relationship with the recipient. Emails can be rich in metadata and are useful for linking a person to the originating computer at a specific time.
Emails may be found on a computer in a local mail client, in a mailbox hosted by a cloud computing service such as Microsoft 365, or in free web-based services such as Gmail, Yahoo or Hotmail.
The information that can be obtained from an email includes:
- Attachments to the communication.
- An understanding of the relationship between the sender and the receiver.
- An understanding of the motivations of the sender and the receiver.
- Dates of communication.
- The email trail showing how a conversation has progressed, with the dates and times of each message. Gaps between receipt and reply may indicate how important the communication was to the parties, which can be confirmed from the message contents.
- Whether the sender address displayed to the reader matches what the mail servers recorded, i.e. whether it has been spoofed (within the email header).
- Links to other events.
- Links to other people.
- Links to other sites of relevance to the communication.
- The account details of a web-based email account such as Outlook or Gmail, which may reveal other email accounts or phone numbers used for account recovery, opening new lines of investigation.
- Message contents that may provide evidence of the matter under investigation or of the motivations of the parties to the communication.
- Message subject.
- Others copied into the communication and their email addresses.
- Receiver email address.
- The route an email has travelled, with time stamps added by each mail server it passed through (within the email header).
- Sender email address.
- The sender's Internet Protocol address (within the email header). For web-based services this is often the address of the provider's server rather than of the sender's own connection.
- Signature blocks, which may provide extra information such as phone numbers.
- The email address itself, which can be used to locate online accounts linked to the subject. This is discussed in the chapter on open-source evidence.
- The time zone the sender's mail client was set to, taken from the offset in the Date header (within the email header).
- The application used to send the email, for example Outlook, and its version number, where the client records it (within the email header).
- Uncommonly used words that may link to an individual.
- User names or nicknames used in the communication.
- Words repeatedly misspelt, which may help to identify the writer.
The metadata available from web-based email services varies with the provider. Some include the sending client's address in the headers while others record only their own servers, so examination of an email from one service may yield excellent header evidence while the same examination of a competing service yields almost none. Headers added by servers under the sender's control can be forged; only the Received lines added by servers you trust, such as the recipient's own, should be relied upon without corroboration.
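To show what the header items above look like in practice, here is an added example (not part of the original chapter and not the code of any forensic product). It reads a constructed message, reconstructs the route from its Received lines in transit order, picks out the connecting IP address each server recorded, the Date header's time zone offset and the X-Mailer value, and flags Return-Path or Reply-To addresses whose domain differs from the From domain. Every host, address and time in SAMPLE_EMAIL is invented (the IP addresses are from the documentation ranges), and the checks are ones an examiner would run by hand, not a standard.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message for illustration only (documentation IP
# ranges, invented hosts). Received headers are read bottom-up: the
# last one was added first, by the server nearest the sender.
SAMPLE_EMAIL = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.5])
    by mail.recipient.example (Postfix) with ESMTPS id ABC123
    for <bob@recipient.example>; Tue, 5 Mar 2024 10:15:42 +0000
Received: from [192.0.2.44] (unknown [198.51.100.7])
    by mx.example.org (Postfix) with ESMTPSA id XYZ789;
    Tue, 5 Mar 2024 21:15:01 +1100
Return-Path: <bounce@other.example>
From: "Alex" <alex@example.org>
Reply-To: recovery@mailbox.example
To: bob@recipient.example
Subject: Invoice
Date: Tue, 5 Mar 2024 21:14:55 +1100
Message-ID: <1234@example.org>
X-Mailer: ExampleMailer 3.1

Please see the attached invoice.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def parse_received(msg):
    """Return the hops in transit order (sender side first)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())          # unfold the header
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        # The bracketed address written by the receiving server (the last
        # one in the 'from' clause) is the peer it actually talked to;
        # anything before it is what the sender claimed about itself.
        ips = IPV4_RE.findall(m.group("from"))
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ip": ips[-1] if ips else None,
            "time": parsedate_to_datetime(m.group("date")),
        })
    return hops


def analyse(raw_bytes):
    """Summarise routing, sender environment and header inconsistencies."""
    msg = email.message_from_bytes(raw_bytes)
    hops = parse_received(msg)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1]
    for header in ("Return-Path", "Reply-To"):
        other = parseaddr(msg.get(header, ""))[1]
        if other and _domain(other) != _domain(from_addr):
            findings.append(f"{header} domain {_domain(other)} differs "
                            f"from From domain {_domain(from_addr)}")

    for earlier, later in zip(hops, hops[1:]):
        if later["time"] < earlier["time"]:
            findings.append(f"Received timestamps go backwards between "
                            f"{earlier['by']} and {later['by']} "
                            "(clock skew or a forged header)")

    sent = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "date_tz": sent.strftime("%z") if sent else None,   # sender's client offset
        "mailer": msg.get("X-Mailer"),
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds()
        if len(hops) > 1 else None,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL)
    for hop in result["hops"]:
        print(f"{hop['time'].isoformat()}  {str(hop['ip']):<15} -> {hop['by']}")
    print("origin IP:", result["origin_ip"], "| sender TZ:", result["date_tz"],
          "| mailer:", result["mailer"])
    for finding in result["findings"]:
        print("finding:", finding)
```

The first hop's connecting address (198.51.100.7 in the sample) is what the sender's own mail server saw, while the bracketed 192.0.2.44 before it is merely what the client announced about itself. For a webmail service that first hop is usually the provider's own infrastructure, which is why the chapter warns that the sender's IP may not be available.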
Files and folders
Folders are where documents or images are stored. The name of a folder or file may be indicative of the contents, or it may be an innocuous name aimed at diverting the attention of anyone viewing it.
Files and folders are generally created by the user but can be imported from an external source which can indicate that they are of importance to the device owner or user account.
Evidence that may be obtained from folders and files includes:
- Dates, times and number of views of folders and files. This can show the significance of a file or folder to the user, or support a claim that a file was downloaded accidentally using a service such as a Peer-to-Peer network and deleted once the user found it contained unlawful content such as Child Exploitation Material (CEM).
- Details of files and folders which have been copied from the computer, including the device to which they have been transferred.
- Encrypted folders.
- Files downloaded from online sources. These can show a specific decision by the account user.
- File extensions changed in an attempt to deceive investigators. Forensic tools detect this by comparing each file's signature (the first few bytes of its content) with its extension and flagging mismatches.
- Files and/or folders transferred to or from an external device.
- Files that were opened remotely.
- Folder names which have been created by a user. These may be valuable when people who are in possession of CEM create folders and sub-folders detailing their particular interests.
- Hidden directories and files. These may show the intent of a user to hide incriminating evidence or a level of technical knowledge.
- Recently opened files, aka "Most Recently Used". These may be used to show the recent activity of a user, including whether folders or files subject to an investigation have recently been viewed.
- Users who have access to files/folders. On a domestic device the option to share documents may be open to other people on the network, which complicates attribution, particularly on an open and shared network such as a public library's.
- Temporary files created when a file is in use.
Images
Images recovered from a computer can provide interesting information. The metadata stored within an image, known as Exchangeable Image File Format (EXIF) data, can record the camera or phone make and model, its serial number, the date and time of capture, exposure settings such as shutter speed, the GPS location where the photo was taken and other camera settings.
This information can link an image found on a computer to the camera/phone that took the photo. EXIF data is easily edited or stripped, however, so its absence does not show that an image was not taken by a particular device, and its presence should be corroborated with other evidence.
The serial number, where recorded, can also be used to search online for other images whose metadata shows they were taken by the same camera/phone.
- Folder names may identify interests through the folders the images are stored in, including the names given to them.
- Images stored on disk and resident in memory, including thumbnail caches.
- Metadata of camera make, model and serial number.
- Sorting of images within a folder, including creating sub-folders. Particularly with images, users may create sub-folders based on criteria that make sense to them. Viewers of CEM often like to collect a series of images of a child or categorise images under criteria such as age, gender, location etc. This shows deliberate action by the user and undermines the defence of having no knowledge that the images were on the computer.
- File system timestamps may also provide evidence of when the sub-folders were created and when the images were moved into them.
Also:
- When images were accessed and how often.
- When images were downloaded.
- Whether the images were altered by applications such as Photoshop (editing software often writes its own entry into the image metadata).
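The following added example (not part of the original chapter, and not the code of any forensic product) parses the TIFF-structured EXIF block that sits inside a JPEG's APP1 segment: it walks IFD0 and the Exif and GPS sub-directories, decodes the make, model, body serial number and capture time, and converts the GPS degrees/minutes/seconds rationals to decimal coordinates. Because the chapter has no sample image, the block also includes a small builder that constructs a synthetic EXIF block with an invented camera, serial number and location; those values are assumptions for the demonstration only.

```python
import struct

ASCII, LONG, RATIONAL = 2, 4, 5          # TIFF/EXIF field types used here
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8769: "ExifIFDPointer", 0x8825: "GPSIFDPointer"}
EXIF_TAGS = {0x9003: "DateTimeOriginal", 0xA431: "BodySerialNumber"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def _read_ifd(blob, e, offset, names, into):
    """Decode one Image File Directory into the dict `into`."""
    count, = struct.unpack_from(e + "H", blob, offset)
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", blob, pos)
        size = n * TYPE_SIZE.get(typ, 1)
        if size <= 4:                        # value stored inline
            raw = blob[pos + 8:pos + 8 + size]
        else:                                # value stored at an offset
            ptr, = struct.unpack_from(e + "I", blob, pos + 8)
            raw = blob[ptr:ptr + size]
        if typ == ASCII:
            value = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == LONG:
            value = struct.unpack(e + "I", raw)[0]
        elif typ == RATIONAL:
            parts = struct.unpack(e + "%dI" % (2 * n), raw)
            value = tuple(parts[j] / parts[j + 1] for j in range(0, 2 * n, 2))
        else:
            value = raw
        into[names.get(tag, "0x%04X" % tag)] = value


def parse_exif(tiff):
    """Parse a TIFF-structured EXIF block (IFD0 plus Exif and GPS sub-IFDs)."""
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]      # byte order marker
    magic, ifd0 = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("not a TIFF header")
    tags = {}
    _read_ifd(tiff, e, ifd0, IFD0_TAGS, tags)
    if "ExifIFDPointer" in tags:
        _read_ifd(tiff, e, tags.pop("ExifIFDPointer"), EXIF_TAGS, tags)
    if "GPSIFDPointer" in tags:
        _read_ifd(tiff, e, tags.pop("GPSIFDPointer"), GPS_TAGS, tags)
    return tags


def exif_from_jpeg(data):
    """In a JPEG the TIFF block follows the 'Exif\\0\\0' marker in APP1."""
    idx = data.find(b"Exif\0\0")
    return None if idx < 0 else data[idx + 6:]


def gps_location(tags):
    """Convert degrees/minutes/seconds rationals to signed decimal degrees."""
    if "GPSLatitude" not in tags or "GPSLongitude" not in tags:
        return None

    def dec(dms, ref):
        d = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -d if ref in ("S", "W") else d

    return (dec(tags["GPSLatitude"], tags.get("GPSLatitudeRef", "N")),
            dec(tags["GPSLongitude"], tags.get("GPSLongitudeRef", "E")))


# ---- builder for a constructed sample (so the example runs offline) ----
def _ifd_size(entries):
    return 2 + 12 * len(entries) + 4 + sum(len(p) for _, _, p in entries if len(p) > 4)


def _build_ifd(entries, offset):
    out, data = struct.pack("<H", len(entries)), b""
    data_start = offset + 2 + 12 * len(entries) + 4
    for tag, typ, payload in entries:
        n = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            out += struct.pack("<HHI", tag, typ, n) + payload.ljust(4, b"\0")
        else:
            out += struct.pack("<HHII", tag, typ, n, data_start + len(data))
            data += payload
    return out + struct.pack("<I", 0) + data


def _rationals(pairs):
    return struct.pack("<%dI" % (2 * len(pairs)), *sum(pairs, ()))


def build_sample_exif():
    """Constructed EXIF block: invented camera, serial and coordinates."""
    exif = [(0x9003, ASCII, b"2024:03:05 21:10:00\0"), (0xA431, ASCII, b"SN123456\0")]
    gps = [(0x0001, ASCII, b"S\0"), (0x0002, RATIONAL, _rationals([(33, 1), (52, 1), (1234, 100)])),
           (0x0003, ASCII, b"E\0"), (0x0004, RATIONAL, _rationals([(151, 1), (12, 1), (4567, 100)]))]
    ifd0 = [(0x010F, ASCII, b"ExampleCam\0"), (0x0110, ASCII, b"X-100\0"),
            (0x8769, LONG, b"\0\0\0\0"), (0x8825, LONG, b"\0\0\0\0")]
    exif_off = 8 + _ifd_size(ifd0)            # IFD0 starts at offset 8
    gps_off = exif_off + _ifd_size(exif)
    ifd0[2] = (0x8769, LONG, struct.pack("<I", exif_off))
    ifd0[3] = (0x8825, LONG, struct.pack("<I", gps_off))
    return (b"II" + struct.pack("<HI", 42, 8) + _build_ifd(ifd0, 8)
            + _build_ifd(exif, exif_off) + _build_ifd(gps, gps_off))


if __name__ == "__main__":
    tags = parse_exif(build_sample_exif())
    print(tags)
    print("location:", gps_location(tags))
```

The body serial number and the capture time are the fields that tie an image to a specific device and moment; the make and model alone identify only a product line. All of these fields are writable by ordinary software, which is why the chapter's point that the metadata should be corroborated matters.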
Internet history and usage
A person’s internet history provides insight into the person they are and can be relevant to the investigation team as they research facets of a crime.
A person’s internet history may produce evidence including:
- Access to cloud computing accounts. These may locate new sources of evidence.
- Bookmarks.
- Browser configuration details (Can indicate a level of technical sophistication).
- Browser extensions available from online stores.
- Browser history.
- Cookies.
- Details relating to online chat accounts.
- How the user reached a specific website for example by typing the URL, clicking a bookmark, via a specific search engine or link.
- Links to Peer-to-Peer accounts which show a user’s interests including their account search history.
- Links to online email or storage accounts.
- Maps history.
- Number of times a specific site has been visited including dates and times.
- Passwords stored in web browsers.
- Peer-to-peer applications.
- Searches conducted including phrases used. May be valuable in revealing subjects of interest to the user.
- Thumbnail images and web cache downloaded from the websites visited.
- Web sites subscribed to, including passwords, may be stored within the browser settings.
- Web history.
- When a site was visited and how many times.
- Whether an image was accidentally downloaded or viewed.
Network
A computer device may be connected to many networks throughout its life.
The evidence available includes:
- Connected devices such as printers and external storage devices, and their identifiers. External devices may contain further sources of evidence.
- Wi-Fi profiles for the wireless networks the device has joined are normally retained (unless the user has deleted them), so the device will reconnect automatically when it is in range. This information can show where the device and user have recently been.
- For a network device such as a router, the Internet Protocol addresses of the devices that have connected to it (local and remote) and details of those devices.
- Network configuration.
- Network shares that the device has connected to and assigned a drive letter. This information is called mapped drives.
- Whether documents on the device are shared with other devices on the network.
- A list of the accounts logged on at the time of seizure/examination. This can include sessions from the location as well as remote sessions.
- Unique network connection identifiers called Media Access Control (MAC) addresses. A separate MAC address exists for each Ethernet (blue cable), wireless and Bluetooth adapter. Note that modern operating systems can present a randomised MAC address to wireless networks, so the address recorded by a router may not be the adapter's hardware address.
Recycle bin
This is where documents, files, folders etc. are placed to be disposed of by the OS. Metadata can show when the item was placed into the recycle bin and where it was resident on the device before being placed into the recycle bin. On Windows, each user account has its own recycle bin folder under $Recycle.Bin, named by the account's security identifier (SID), and each deleted item is held as a pair of files: an $I file holding the original path, size and deletion time, and an $R file holding the content.
A benefit of examining the recycle bin is that suspects sometimes do not understand that the recycle bin does not usually clear its contents automatically, so documents, images etc. that they thought had been disposed of may still be easily found. The recycle bin also provides a small insight into the thoughts of the user when they have tried to dispose of data.
The recycle bin can show:
- When an image was downloaded and immediately deleted, which may support a claim that the download was accidental.
- Deleted documents and spreadsheets.
- When each item was deleted and, from the SID of the folder it sits in, under which user account.
- Whether items were restored after deletion. A restored item no longer appears in the bin, so its presence at its original path must then be checked.
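As an added example (not part of the original chapter), the following parses the $I metadata records that Windows writes into each user's $Recycle.Bin folder and builds a deletion timeline attributed to the account's SID. The records, SIDs, paths and times in SAMPLE_BIN are constructed for the demonstration; on a real system the keys would be the relative paths of the $I files beneath $Recycle.Bin.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_record(data: bytes) -> dict:
    """Decode a $I<random> metadata record from $Recycle.Bin.
    Layout: u64 version, u64 original size, u64 deletion FILETIME, then
    the original path (v2: u32 char count + UTF-16LE; v1: fixed 520 bytes)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:                       # Windows 10 and later
        nchars, = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    elif version == 1:                     # Vista to 8.1
        raw = data[24:24 + 520]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le").split("\0", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_i_record(path: str, size: int, deleted_at: datetime) -> bytes:
    """Build a v2 record (used here only to construct sample data)."""
    name = path.encode("utf-16-le") + b"\0\0"
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at),
                       len(name) // 2) + name


def timeline(recycle_bin: dict) -> list:
    """recycle_bin maps '<SID>/$Ixxxxxx.ext' to the record bytes, as they
    would be read from C:\\$Recycle.Bin. Returns entries oldest first,
    attributed to the account (SID) whose bin they were found in."""
    entries = []
    for key, data in recycle_bin.items():
        sid, _, entry = key.partition("/")
        rec = parse_i_record(data)
        # The content of the deleted file sits in the matching $R file.
        rec.update({"sid": sid, "entry": entry, "content_file": "$R" + entry[2:]})
        entries.append(rec)
    return sorted(entries, key=lambda r: r["deleted_at"])


_UTC = timezone.utc
# Constructed sample: two users' bins with invented SIDs, paths and times.
SAMPLE_BIN = {
    "S-1-5-21-1111-2222-3333-1001/$IQX4K2P.docx": build_i_record(
        r"C:\Users\alex\Documents\invoice.docx", 24576,
        datetime(2024, 3, 5, 10, 20, 15, tzinfo=_UTC)),
    "S-1-5-21-1111-2222-3333-1001/$IB7N1ZC.jpg": build_i_record(
        r"C:\Users\alex\Downloads\IMG_0042.jpg", 3145728,
        datetime(2024, 3, 5, 10, 21, 2, tzinfo=_UTC)),
    "S-1-5-21-1111-2222-3333-1002/$IM0D9HT.xlsx": build_i_record(
        r"C:\Users\guest\Desktop\accounts.xlsx", 51200,
        datetime(2024, 3, 4, 17, 5, 44, tzinfo=_UTC)),
}


if __name__ == "__main__":
    for r in timeline(SAMPLE_BIN):
        print(r["deleted_at"].isoformat(), r["sid"], r["original_path"],
              "(content in", r["content_file"] + ")")
```

The SID attributes a deletion to a user account, not to a person; who was at the keyboard still has to be established from logon records and other artefacts.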
Registry
Within the OS is the registry, which provides a detailed level of evidence. The registry is the database in which the OS and applications store their configuration, including per-user settings. Each user account has its own registry hive (on Windows, the NTUSER.DAT file in the user's profile), created the first time that account logs on, whether the account is local or a domain account administered by the network administrator. This may provide direction to the activity of a specific user who shares a device, such as in an office where desk space and computer devices are shared amongst users, because each user's hive records only that user's activity.
The registry stores data about users, devices attached to the OS and peripherals such as printers. It is not a log of all activity, but many actions leave traces in it (recently used files, typed addresses, attached devices). You will notice some of the evidence mentioned is similar to that described for OS evidence; however, evidence at this level is more specific to an individual user, especially on a device that is shared amongst multiple users, each of whom has an individual account.
Examples of data that the registry may store include:
- Administrator privileges allocated to which user.
- Applications installed.
- Autorun programs. What loads automatically on the device start-up.
- Date and time settings.
- Devices installed.
- Files accessed.
- External hardware, such as USBs or hard drives that have been attached to the device.
- Information on the web browser and its history of use.
- Internet home page.
- Internet search history.
- Most Recently Used files.
- Network connections and settings.
- Networks the device has been connected to.
- Password hashes (for local accounts, in the SAM hive) and occasionally passwords stored in plain text by poorly written software. Web browser passwords are not held in the registry; they sit in the browser's own profile files, typically protected with a key tied to the user's logon (DPAPI on Windows) or the browser's own key store.
- Ports open.
- Persistence entries (Run keys, services, scheduled tasks) that may reveal malicious software (malware) installed on the device.
- Records of users logging into and off the OS.
- Schedule of registered users.
- System configuration including applications installed under the user’s profile.
- Typed web addresses.
- Unique name of the computer.
- Unique user account avatar.
- User profiles including the individual names and when each profile was created.
- The version of the Operating System.
- Wireless networks that the device has been attached to.
- Files and folders that have been accessed from external devices while connected to the computer such as a USB or hard drive.
- Recently opened files from Windows Explorer.
- Files and applications recently run from the “Run” bar.
- Recently opened files and folders.
- Records of Remote Desktop Protocol (RDP) usage.
This information provides the investigator with unique knowledge about the activities and profile of a specific user and how this user operates through their individual accounts, as they have a unique identifier that is linked to their activity.
Slack space
Strictly, slack space is the unused tail of the last cluster allocated to a file; unallocated space is the part of the drive the file system currently regards as free and available for new applications, documents etc. Both can hold remnants of earlier data, and investigators often refer to them together, but it is unallocated space that holds the bulk of deleted material.
When a file is deleted, the OS normally marks its clusters as free without overwriting them, so the content remains recoverable from unallocated space until those clusters are reused. Specific applications such as CCleaner[7] or BleachBit[8] offer options to overwrite free space, after which the data is gone.
These areas are an excellent location to find valuable evidence such as deleted images, movies, documents, spreadsheets etc., as many people do not understand this evidence can be recovered. Computer logs that have been deleted by an attacker may also be resident in this space. It is a worthwhile investment in time and resources to request that your digital examiner carve the unallocated and slack space to see what evidence resides there.
As well as locating the evidence, it is also valuable in showing the intent of a person's attempt to delete what may be considered incriminating evidence.
As this chapter shows, computers have the potential to contain valuable evidence. Experienced criminals will be aware of this and attempt to reduce the potential for this data to be used against them and will regularly clear evidence such as internet history and event logs. Some may change file extensions such as changing an image from the extension .jpeg to .docx in the hope that the investigator looking for suspect images will not look at that file. Experienced digital investigators will be aware of these methodologies and have their own methodologies to identify such evidence. To the investigator this is valuable evidence as it shows a specific attempt by the suspect criminal to hide compromising evidence.
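The extension swap described here and in the "Files and folders" list earlier in the chapter is caught by signature analysis, which every mainstream forensic suite performs. The following is an added example (not part of the original chapter and not any product's code) of the principle: it compares the first bytes of each file in a directory tree with what the extension claims and reports the mismatches. The signature table covers a handful of common formats only, and the files it scans are constructed in a temporary directory for the demonstration.

```python
import tempfile
from pathlib import Path

# File signatures ("magic bytes") for a handful of common formats.
# These are the public, well known values; real forensic tools carry
# hundreds of them.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip container",      # also docx/xlsx/pptx
    b"MZ": "windows executable",
}

# What each extension claims the file is, in the same vocabulary.
EXTENSION_CLAIMS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip container", ".docx": "zip container",
    ".xlsx": "zip container", ".pptx": "zip container",
    ".exe": "windows executable", ".dll": "windows executable",
}


def identify(header: bytes):
    """Return the format implied by the first bytes, or None if unknown."""
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def check_file(path: Path) -> dict:
    with open(path, "rb") as fh:
        header = fh.read(16)
    actual = identify(header)
    claimed = EXTENSION_CLAIMS.get(path.suffix.lower())
    # Only call it a mismatch when both sides are known; an unknown
    # signature (plain text, an unusual format) is not evidence of anything.
    return {
        "name": path.name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and claimed is not None and actual != claimed,
    }


def scan(root) -> list:
    """Walk a directory tree and return the files whose signature
    contradicts their extension, sorted by name."""
    results = [check_file(p) for p in Path(root).rglob("*") if p.is_file()]
    return sorted((r for r in results if r["mismatch"]), key=lambda r: r["name"])


def build_sample_tree(root) -> None:
    """Constructed sample files (headers only, padded) for the demo."""
    root = Path(root)
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\0" * 28)         # genuine Office container
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe1" + b"\0" * 28)     # genuine JPEG
    (root / "holiday.docx").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 28)  # JPEG renamed to .docx
    (root / "tool.png").write_bytes(b"MZ" + b"\0" * 30)                    # executable renamed to .png
    (root / "notes.txt").write_bytes(b"plain text, no signature")          # unknown type, not flagged


def demo() -> list:
    """Build the sample tree in a temporary directory and return the
    names of the files whose extension misrepresents their content."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return [r["name"] for r in scan(root)]


if __name__ == "__main__":
    for name in demo():
        print("extension/signature mismatch:", name)
```

The same check is what the `file` utility and libmagic perform with a much larger table; the point for the investigator is that a renamed file is flagged by its content, not its name, and that a flagged file is itself evidence of an attempt to hide it.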
System data including memory
Analysis of the system data and memory includes the examination of volatile data that resides in the device's memory and is lost when the device is powered off.
Examples of data the system and memory may store include:
- Commands issued by an attacker, which will be of value when investigating a data intrusion event.
- Deleted files.
- Error codes that show problems with the system or applications.
- Log files.
- Malicious software resident on the device, including malware that exists only in memory and never touches the disk.
- A partitioned section of the drive, which may be hidden, where material relating to the offending is stored.
- Passwords in plain text, if recovered from memory before the device is shut down.
- Running processes, which can lead to the identification of malware on the device, its location and when it was installed.
- When a user has logged on and off.
- People who have remote access, including currently active network connections.
As we can see, the computer can present a large volume of factual material to the investigator. It can also present a timeline of activity to show what was happening on the device at a specific time and what the user was doing. For example, a person may deny sending a malicious email from a web-based account at a specific time, however, an examination of the OS timeline shows that they were logged onto the web service when the subject email was sent, and they had their personal online banking open in another window. This helps solve a key question an investigator needs to prove in court which is “Who was using the device at the time a specific event under investigation took place”.
Preparing for challenges
As discussed, digital evidence is everywhere and can assist your investigation. This chapter has raised considerations that may affect the collection of digital evidence. This section provides several potential problems that may require a plan.
1: Completeness of evidence[9]
Device storage grows rapidly, and storage limitations seen as acceptable today will be exponentially larger in 12 months. Imaging a complete copy of a storage device may take more time than the investigation team has available, especially when a device needs to be imaged at a specific location.
In this instance, a portion of the device may be imaged after discussions to identify where the evidence is likely to be found. This is not always the best option when seeking completeness of the evidence, but allowances need to be applied for the individual circumstances and environment an investigator may find themselves. A complainant company system administrator may be able to direct the digital examiner exactly to where the evidence is resident meaning a complete image may not be required.
Another factor may be a complainant organisation that has been the victim of a crime may not want the investigation team to have copies of valuable corporate data including Intellectual Property, email communication, personnel records etc.
Computer servers may be shared amongst a multitude of clients. This is particularly so with cloud computing services. Imaging a shared tenancy server will not be practical or legally allowed in many circumstances.
Document the reasons why a complete image was not taken so that justification can be provided should you be asked in court why it was not. A lawyer for the other party may argue that the evidence that would have proved their client's innocence was not collected or was deliberately excluded. Detailed notes will record the circumstances that existed at the time of evidence capture and the discussions that led to the decisions made.
2: Live forensics[10]
This involves capturing digital evidence from a device that is still powered on and operating, or from a network while it is in use.
Live forensics can involve capturing data as it travels over a network, or from the memory of a device on a network. When a network is under attack from an external attacker, a highly skilled incident responder may capture the attack as it occurs live over the network, thus obtaining evidence of the attacker's methodology, skill set and objectives.
Capturing the contents of a device's memory provides the opportunity to obtain passwords and encryption keys that will be lost when the device is shut down. This is a particularly valuable consideration when you are at a scene with physical access to a suspect's computer which is turned on and unlocked, or for which the password can be obtained. If the computer uses full-disk encryption, the contents of the drive may be unreadable once it is powered off, so the decision whether to shut it down should be made with this in mind.
Computers may run a virtual instance which will be lost when the device is powered off. There will be only one opportunity to obtain this data, and that is at the time of seizing the device, before the virtual server or instance is turned off.
3: Volatility[11]
Volatility refers to data being lost when a device is powered down, a virtual machine is closed or evidence such as computer logs being overwritten. When devices have a small storage capacity, the data can be overwritten quickly depending upon device operator usage.
4: Logical versus physical acquisition[12]
A logical acquisition copies the files and folders as the file system presents them, without unallocated or slack space. It is used where a complete image is not possible or not permitted, for example because of a complainant's direction to protect certain information, because the volume is encrypted and can only be read while it is mounted, or because the data sits in a cloud service.
A physical acquisition is a bit-by-bit image of the storage device, including unallocated and slack space, and is the more complete standard of digital evidence. Whichever is taken, the image should be hashed (for example with SHA-256) at acquisition so that its integrity can be demonstrated later.
5: Speed of technology evolution[13]
Technology changes rapidly with OS being regularly updated or replaced. New devices such as Internet of Things devices store little evidence on the physical device, as they use cloud computing services to store the operational data the investigation team requires.
The digital examiner needs to keep up with the many emerging technologies, their file systems and how to obtain digital evidence.
6: Cloud computing services[14]
There are different structures for Cloud Service Providers (CSP) and the ability to access evidence. These are discussed in the Cybercrime Investigators Manual.
Several considerations include the ability to access the remote storage service, the level of access to computer logs which are often under the sole control of the CSP, the legality of viewing and downloading contents of a cloud account resident within a separate legal jurisdiction as well as the large contents of data which are stored in cloud accounts.
Obtaining digital evidence involves using forensic tools that may not be able to fully access the evidence sought. The tools may also not be known or accepted by the courts.
Key Takeaways
- The computer is a valuable source of evidence, and there are many locations of evidence that can provide details on the activities of a user. Much of that activity is recorded in some manner, and the investigator attempting to confirm an act and the intention of a suspect may find the computer a valuable place to search for evidence.
- Computers contain volatile evidence that needs to be treated with a greater level of care than a physical item that is less easily damaged. Whilst working at the scene, the investigator may face the dilemma of shutting down a device and seizing it as evidence or attempting to obtain evidence that is stored in its memory. This dilemma may be made more complicated by having no digital forensic experts available and a limited amount of time in which to complete the search.
- As well as locating volumes of evidence, the lack of evidence may also be of investigatory value once a device has been examined. A person who has cleaned evidence, including deleting computer logs, shows a level of technical skill as well as intent to hide potentially incriminating evidence.
Scenario
The computer plays a role in the investigation after the offence has been committed. Sledge uses the fingerprint of the recently deceased Alex to gain access to the device and immediately changes the access password so he can have access to the device at his convenience.
Evidence to support this activity can be located on the device including at the following locations:
- Security Event logs and Event ID 4624 show the time the device was logged onto using Alex's account. This can be compared with the time of Alex's death as identified from his smartwatch. The comparison is only as good as the two clocks: record the clock and time zone settings of both the computer and the watch, and whether each synchronises to a time source, rather than assuming they agree.
- Security Event logs and Event ID 4723 (an attempt was made to change an account's password, logged when the password is changed from within the account) or 4724 (an attempt was made to reset an account's password by another principal), depending on how Sledge changed it.
- Security Event logs and Event ID 4800, which records the workstation being locked (4801 records it being unlocked). These events are written only if the "Other Logon/Logoff Events" audit subcategory is enabled on the device. These three actions will occur within a short period of time and, with no other activity occurring, will provide evidence that the sole purpose of logging onto the device was to change the password.
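As an added example (not part of the original chapter), the following takes Security log records exported as one JSON object per line, a shape similar to what EVTX-to-JSON export tools produce, and searches for a logon (4624) followed within a short window by a password change (4723) or reset (4724) and then a lock (4800) for the same account, counting any other events for that account in between. It also computes the offset from a reference time taken from another device, standing in for the smartwatch record. The events, field names (EventID, TimeCreated, TargetUserName, SubjectUserName), account names and times are constructed for the demonstration; a real export's field names depend on the tool. Check the device's audit policy (auditpol /get /category:*) before drawing any conclusion from the absence of an event.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (one JSON object per line). Times carry
# their UTC offset so they can be compared with a clock on another device.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TimeCreated": "2024-03-05T08:30:00+11:00", "TargetUserName": "alex", "LogonType": 2}
{"EventID": 4647, "TimeCreated": "2024-03-05T17:45:10+11:00", "TargetUserName": "alex"}
{"EventID": 4624, "TimeCreated": "2024-03-05T21:18:02+11:00", "TargetUserName": "alex", "LogonType": 2}
{"EventID": 4723, "TimeCreated": "2024-03-05T21:19:40+11:00", "TargetUserName": "alex", "SubjectUserName": "alex"}
{"EventID": 4800, "TimeCreated": "2024-03-05T21:20:05+11:00", "TargetUserName": "alex"}
{"EventID": 4624, "TimeCreated": "2024-03-06T09:02:11+11:00", "TargetUserName": "alex", "LogonType": 2}
"""

PASSWORD_EVENTS = {4723: "password change by the account",
                   4724: "password reset by another principal"}


def load_events(text: str) -> list:
    """Parse line-delimited JSON records and sort them by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["time"] = datetime.fromisoformat(ev["TimeCreated"])
    return sorted(events, key=lambda ev: ev["time"])


def logon_then_password_change(events, account, window=timedelta(minutes=10)) -> list:
    """Find logon (4624) -> password change/reset -> workstation lock (4800)
    sequences for `account` inside `window`, and count any other events
    for the account that fall between the logon and the lock."""
    mine = [ev for ev in events
            if ev.get("TargetUserName", "").lower() == account.lower()]
    hits = []
    for i, logon in enumerate(mine):
        if logon["EventID"] != 4624:
            continue
        later = [ev for ev in mine[i + 1:] if ev["time"] - logon["time"] <= window]
        change = next((ev for ev in later if ev["EventID"] in PASSWORD_EVENTS), None)
        if change is None:
            continue
        lock = next((ev for ev in later
                     if ev["EventID"] == 4800 and ev["time"] > change["time"]), None)
        end = lock["time"] if lock else later[-1]["time"]
        others = [ev for ev in later
                  if ev is not change and ev is not lock and ev["time"] <= end]
        hits.append({
            "logon": logon["time"],
            "password_change": change["time"],
            "change_kind": PASSWORD_EVENTS[change["EventID"]],
            "changed_by": change.get("SubjectUserName"),
            "lock": lock["time"] if lock else None,
            "other_events": len(others),
        })
    return hits


def minutes_after(reference_iso: str, when: datetime) -> float:
    """Minutes between a reference time from another device (e.g. a
    smartwatch record) and an event on the computer; both must carry
    explicit UTC offsets for the comparison to be meaningful."""
    return (when - datetime.fromisoformat(reference_iso)).total_seconds() / 60


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    reference = "2024-03-05T21:05:30+11:00"      # constructed watch time
    for hit in logon_then_password_change(events, "alex"):
        print("logon", hit["logon"].isoformat(), "->", hit["change_kind"],
              "at", hit["password_change"].isoformat(), "-> locked", hit["lock"],
              "| other events in between:", hit["other_events"],
              "| %.1f min after reference" % minutes_after(reference, hit["logon"]))
```

In the sample the earlier logon that day and the next morning's logon are not reported, because neither is followed by a password event inside the window; only the evening sequence is, and it contains no other activity, which is the pattern the chapter describes.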
Sledge next used Alex’s computer at Sledge’s home address when he logged the device onto his home computer network for the first time.
Evidence identified can include the following:
- Alex's computer will retain a saved wireless profile for Sledge's home network, containing the Service Set Identifier (SSID) Sledge chose when naming that network. This will show that Alex's computer has been connected to Sledge's home network.
- The saved profile may also hold the password to Sledge's home network, which can be recovered in clear text from the device.
- The Media Access Control (MAC) address of Alex's computer will be recorded in Sledge's home modem/router, providing a further layer of evidence that the computer has been connected to Sledge's home network. Check whether the computer was using a randomised address for that network, as modern operating systems can, before matching the router's record against the adapter's hardware address.
- The computer will have been given a dynamically assigned Internet Protocol address by Sledge's home network, typically from a private range such as 192.168.x.x, recorded in the router's DHCP lease table for as long as the lease persists.
- Alex's computer will also retain the SSID of Alex's own home network, showing it has been connected to Alex's home network.
This evidence provides links to the home networks of Alex and Sledge showing the computer has been connected to both networks.
Sledge viewed the private accounts of Alex which were logged on at the time of Alex’s death. This includes Alex’s Facebook account as well as a cloud storage account.
Sources of evidence of this activity include:
- List of applications running at the specific time including a choice of web browsers such as Safari, Chrome and Firefox.
- Auto-complete details which may contain an account identifier and/or password.
- Passwords stored in the web browser.
- Date and time the application was operated.
- Most Recently Used applications.
- Shortcut (LNK) files, jump lists and the Office recent-files list can record the opening of a Word document and its being saved onto Sledge's USB drive. This document contains the new passwords to the accounts Sledge created.
- Web history showing the date and time of connection to the Facebook and cloud storage account.
- Identifier of the USB device Sledge connected to Alex’s computer to store the cloud computer storage folders and files.
Sledge makes comments on Alex's Facebook page to make it look like he is still alive. Evidence of this activity will need to be obtained from Facebook by subpoena or equivalent legal process.
Evidence of activity on the cloud computing account will need to originate from the cloud computing service. The computer can show the connection time; however, the best evidence as to the transfer of content data will come from the cloud computing service's logs as well as from the USB device in Sledge's possession.
Evidence includes:
- Connection to Facebook.
- Time and length of connection.
- Connection to the cloud computing account.
- Event log details showing a download of data from the cloud computing account to the USB device.
Although the computer does not provide direct evidence of the crime, it does provide a physical link between the home address of Alex and Sledge. Logs will show it was in Alex’s home at the time of his death, and shortly afterwards was at Sledge’s home address.
The change of the cloud computing account password also shows possession of the device, and the connection activity is recorded on Alex's computer while it was connected to Sledge's home router.
Sledge also obtains copies of documents from Alex’s cloud account, and these will be located on the computers of Alex/Sledge as well as other possible external device backups. The cloud accounts will show access times and activities within the cloud environment. The investigator will need to identify the process of obtaining this data from the Cloud Service Provider.
Upon gaining access to Alex’s mobile device, Sledge transferred funds from Alex’s account to his own. The connection to the bank account will be evident on Alex’s mobile device, as is the separate evidence of the bank transfer into Sledge’s account. The timing of the connection can be identified to be post-death of Alex.
Documentary records obtained from Alex’s home by Sledge will become evidence at Sledge’s residence. There may be traces of blood on the documents as well as DNA from both Alex and Sledge.
[1] Open Text (n.d.). OpenText EnCase Forensic. Open Text Corporation. https://www.opentext.com/products/encase-forensic
[2] Exterro (2024). FTK Forensic Toolkit. Exterro. https://www.exterro.com/digital-forensics-software/forensic-toolkit
[3] Cellebrite (n.d.). Accelerate justice with Cellebrite. Cellebrite. https://cellebrite.com/en/home/
[4] Studiawan, H., Sohel, F., & Payne, C. (2019). A survey on forensic investigation of operating system logs. Digital Investigation, 29, 1–20. https://doi.org/10.1016/j.diin.2019.02.005
[5] Ibid.
[6] Wireshark (n.d.). The world's most popular network protocol analyzer. Wireshark Foundation. https://www.wireshark.org/
[7] CCleaner (2005–2024). Clean up, speed up, and fix your PC with CCleaner. Piriform Software Ltd. https://www.ccleaner.com/
[8] BleachBit (2008–2023). Clean your system and free disk space. Andrew Ziem. https://www.bleachbit.org/ Content licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 licence.
[9] Jones, A., & Vidalis, S. (2019). Rethinking digital forensics. Annals of Emerging Technologies in Computing, 3(2), 41–53. https://doi.org/10.33166/aetic.2019.02.005
[10] Ibid.
[11] Ibid.
[12] Ibid.
[13] Ibid.
[14] Ibid.
Glossary
- Child Exploitation Material (CEM): Indecent images of children and other persons. Often pornographic and may include images of other forms of abuse.
- Wireless (Wi-Fi): A network protocol that allows devices to connect to a network without physical connectivity such as cables.
- Operating System (OS): Manages the hardware and software of a device. You will be familiar with OS such as Windows, macOS and Linux.
- Uninterruptible Power Supply (UPS): A backup power source attached to a device or system. It operates when the main source of power is interrupted, leading to an immediate transfer to the alternate power source.
- Exchangeable Image File Format (EXIF): Standard for storing information about images in digital photography such as camera make and model, date and time of image capture and, depending upon configuration, GPS location data.
- Media Access Control (MAC) address: A unique communication identifier for your connected device. For example, a laptop will have unique identifiers for ethernet (the physical blue cable), and wireless and Bluetooth connections.
- Malicious software (malware): Software that is designed to do harm to your device or network. Examples include viruses, worms and ransomware.
- Remote Desktop Protocol (RDP): Ability to remotely connect to a device. This is a Microsoft product that allows devices to remotely connect.
- Cloud Service Provider (CSP): Provides a range of cloud services to clients. These services may range from storage, e.g. Dropbox, to a wide range of services from organisations such as Microsoft, Apple, Amazon Web Services and Google.
- Service Set Identifier (SSID): Unique identifier for a network. Your home network has an SSID and this can be the default setting when the modem/router was installed, or you may provide a unique name such as "Family".