
Chapter 2: The role of digital evidence in an investigation

It can be safely stated that digital evidence can play a part in the investigation of any criminal or civil offence should the investigator’s mind be adept enough to consider what technology is doing around us. As this book discusses, technology is everywhere, collecting and storing data and, in many cases, profiling us, including our personality DNA.

There is little escaping technology in our environments. Attending a friend’s home, you may find a home assistant activated, the sort of technology you declared would never be in your home because of the perceived intrusive nature of the product. A friend or colleague uploading the contacts of their phone to a new social media provider may upload your personal details such as phone number, email address and name even though you do not have an account with that social media provider. This creates a shadow profile of you even though you have not signed up to the platform.

Social media giants also place cookies on your computer from websites you visit. These cookies monitor your online activity and report it back to the social media provider, even if you do not have an account with them.

Technology is now wearable and, in some cases, able to be inserted into the palm of a hand where data can be stored and used. Police officers arresting suspects will need to acquire the current personal identifiers such as photographs, fingerprints and DNA, and record physical characteristics of their suspects as well as distinguishing features such as tattoos. In the very near future, they will need to consider whether the person in their custody has a computer chip storing potential digital evidence inside the palm of their hand.

Digital evidence will tell you a lot of information your witnesses cannot or will not tell. It can corroborate a version of events as told by a witness or show that the information provided is inaccurate or is a lie. Sometimes witnesses are themselves unclear of times/dates, places, or order of events, and analysis of technical evidence can provide this information in chronological order. Witnesses will generally attempt to be helpful, but some will lie or not mention valuable information for reasons that make sense to them.

Digital evidence may take your investigation into areas you were not aware of when commencing the investigation. For example, more than one investigation interrogating the digital evidence of a suspected fraud has uncovered other frauds or offences the complainant and police were unaware of.[1]

Also, criminals are members of the general community and many of them will have the same level of technical expertise as the rest of that community, meaning some will be technically astute and others will not. Few will understand the detailed examination the digital forensic examiner is able to undertake and its potential to capture various forms of data showing they were at a specific location at a specific time when they said they were not.

As we will discuss in the chapters on smart homes, offices, buildings, vehicles and cities, massive amounts of data are being recorded daily about our movements, mostly without our express knowledge. Even if we are aware, it is so common today to move through cities, public transport, shopping centres and so on that we do not even consider this. People will generally not refuse to go to a shopping centre because there are security cameras present.

The wide collection and storage of data today is considerable; however, it is just the current step in what comes next. The modern investigator will be grateful for the amount of evidence that is available to them that their predecessors did not have. In forthcoming years investigators will incrementally have much more to work with. Autonomous vehicles, home robots and medical devices inserted into the brain to assist medical conditions may contain evidence of an offence by a person who is the victim, witness or offender. Imagine a circumstance where a person has a chip inserted into the brain to assist with damaged memory storage and they witness a homicide. Can that chip be downloaded to visually present what the witness saw? Only time and technology will tell.

Digital evidence available to the investigator is now so widespread that the question in court may be ‘Why was it not collected?’ rather than ‘Did you collect it?’ If a person is being accused and prosecuted for an offence and there is digital evidence available to assist in proving their innocence or guilt, then it is the responsibility of the investigator to obtain and analyse it to the benefit of whomever the evidence directs.

Technology will be valuable when an event occurs and there is no person present, or the subject is deceased, incapacitated or cannot immediately be located. It is also valuable when a witness or suspect is lying. Technology can also be used to initiate memory recall or assist the investigator in their line of questioning.

There are many questions the digital evidence can answer, and we will examine examples of these throughout the remainder of this chapter. The following list can be easily applied to any investigation from a homicide to the theft of Intellectual Property. The questions are formulated in the manner of what may be asked in a formal personal record of an interview with a suspect, witness or victim.

As each question is posed, we will identify the digital evidence that may be able to corroborate the answers provided.

These are examples only, but what needs to be noted is that each question asked requires an answer, and not a Yes/No reply. 

  1. Where do you live?
  2. Who else lives at this address?
  3. Where were you at the specific time?
  4. What were you doing?
  5. Who were you with?
  6. Were you active or stationary?
  7. Where did you travel from?
  8. How long were you there?
  9. Where did you go next?
  10. What did you purchase?
  11. What did you say?
  12. What did they say?
  13. What are your sources of income?
  14. What methods of communication do you use?
  15. What locations are important to you?
  16. What vehicles are you linked to?

From the technological side of the investigation, the following questions can be answered by the technology itself.

  1. What happened?
  2. Where did it happen?
  3. When did it happen?
  4. Who was involved?
  5. How many people were present?
  6. How long did the event last?
  7. Why did the event happen?
  8. What happened after the event?
  9. What were the consequences of the event?
  10. Was anything introduced or removed from the scene?
  11. What were the effects of the event?

You will note there are a lot of similarities between the two lists. Technology can be a stand-alone source of evidence or corroborative to the evidence provided by a person.

Types of corroborative technology

The technology involved in supporting an interview can be wide-ranging. To commence this section, we include a few examples of digital evidence that may be relevant to support your line of questioning. Further and more detailed examples will be included throughout this book.

Examples of corroborative technology:

  • Apple iPhone Significant locations.
  • Digital cameras.
  • Digital devices located within the premises.
  • Digital door lock permissions.
  • Digital records such as driver’s licence.
  • Financial documents located through a phone.
  • GPS coordinates.
  • Home assistant communication records.
  • Homeownership records.
  • Identify persons linked to a home assistant.
  • Mobile phone.
  • Online communication through applications.
  • Online websites linked to individual devices.
  • Social media connections.
  • Wearables such as fitness trackers.
  • Wi-Fi connection records identifying Media Access Control (MAC) identifiers linked to individuals.

There are many questions that digital evidence can answer. The following list can be easily applied to any investigation from a homicide to the theft of Intellectual Property. The questions are formulated in the manner of what may be asked in a ‘formal personal record of interview’, however in this chapter, we will use technology to answer the questions rather than focus on the person being interviewed who may be a suspect, witness or victim.

Where do you live?

This is a basic question delivered at the commencement of any interview. It confirms the identity of the interviewee and where they can be located. Most people provide this information without difficulty, but not always, and it is helpful to be able to independently confirm this information should the need arise.

Who else lives at this address?

This may be a useful question when working out who has access to a digital device such as a computer or premises which is subject to investigation. It may also be useful when determining who was present at a location to access data recorded by Internet of Things (IoT) sensors.

Where were you at the specific time?

This question is to place a specific person, at a specific location, at a specific time. Identifying where a key person of interest was at the times of relevance can corroborate their statement, negate it or place them in the scene at the crucial time.

What were you doing?

Again, this can be used to identify the truthfulness of the statement of an individual. For example, a person says they were sleeping at 1:00 a.m., but the technology in their home, or on their person, does not corroborate this statement: it shows that they had an elevated heart rate, and their GPS indicates they were at a different location.

Who were you with?

This question can be used to corroborate the statement of another person, showing where they were at the crucial time of the investigation. It can also identify further witnesses.

Technology can be used to assess the truthfulness of their statement as well as cross-reference GPS locations of other people who were allegedly with the witness at a specific time. If several witnesses all say they were at a specific location at a specific time, and the GPS on each of their mobile devices corroborates this, then generally, that component of their statements is verified by the technological devices.
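The cross-referencing described above can be sketched in code. This is an added example, not material from the book: it checks each device's recorded fixes against one claimed place and time. The tuple layout, device labels, coordinates, 15-minute window and 150 m radius are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))

def assess_claim(fixes, device, place, when,
                 window=timedelta(minutes=15), radius_m=150.0):
    """Compare one device's fixes around `when` with the claimed `place` (lat, lon).

    A fix is (device, timestamp, lat, lon). The verdict describes the device,
    not the person: who carried it must be established separately.
    """
    near_time = [f for f in fixes if f[0] == device and abs(f[1] - when) <= window]
    if not near_time:
        return "no_data"  # no records: neither supports nor refutes the statement
    inside = [haversine_m(f[2], f[3], *place) <= radius_m for f in near_time]
    if all(inside):
        return "corroborated"
    return "mixed" if any(inside) else "contradicted"

def assess_group(fixes, devices, place, when):
    """Apply the same claimed place and time to every device in the group."""
    return {d: assess_claim(fixes, d, place, when) for d in devices}

def utc(hour, minute):
    # All sources are normalised to UTC before comparison (constructed date).
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)

# Constructed sample data: four devices, one claimed venue at 21:00 UTC.
VENUE = (-27.4700, 153.0250)
FIXES = [
    ("phone-A", utc(20, 55), -27.4701, 153.0251),  # metres from the venue
    ("phone-A", utc(21, 5), -27.4699, 153.0249),
    ("phone-B", utc(20, 58), -27.5200, 153.0250),  # about 5.5 km away
    ("phone-B", utc(21, 10), -27.5205, 153.0300),
    ("phone-C", utc(18, 0), -27.4700, 153.0250),   # only fix is three hours early
    ("phone-D", utc(20, 50), -27.4700, 153.0250),  # at the venue, then
    ("phone-D", utc(21, 12), -27.4900, 153.0250),  # about 2.2 km away
]
DEVICES = ["phone-A", "phone-B", "phone-C", "phone-D"]

if __name__ == "__main__":
    for device, verdict in assess_group(FIXES, DEVICES, VENUE, utc(21, 0)).items():
        print(device, verdict)
```

A "mixed" or "no_data" result is a prompt for further questions, not a finding against the witness.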

Were you active or stationary?

Health apps on mobile devices capture a significant volume of data about the activity of an individual. This includes heart rate and motion. Fitness trackers also record a lot of relevant information about the activity of individuals.

Where did you travel from?

Again, GPS location data can be used to corroborate or negate the statement. If they are lying about their location, why are they lying and what else are they lying about? Digital surveillance cameras are also valuable should this line of evidence be available.

How long were you there?

GPS is not the only way to establish that a person was at a specific location; social media check-ins also show this information. People check in when they arrive at a location or post timestamped photos onto social media, such as being at an event or restaurant. Phones record locations significant to the device owner, including GPS location, date, time of arrival and time of departure.

Where did you go next?

The behaviour of a person after the event of interest may be of interest to the investigator. After a burglary, did they go to a regular contact to dispose of the property? In this case, the investigator has a whole new investigation to conduct. GPS data on a mobile device or linked to a website will be very beneficial here.

Also, in the event of suspected homicide as in the case study, GPS location data can show where the body was disposed of. Cars capture volumes of information and show the manner of driving as well as the locations attended.

What did you purchase?

Banking records and receipts are traditional methods of showing a person’s income and expenditure. Technology can produce banking records in real-time through mobile banking, especially phone apps. Digital receipts emailed to a user also place a person at a specific location at a specific time and link to a bank account.

What was said?

Home assistant devices may capture and store conversations if activated by the wake word. Sometimes, people record sensitive conversations on their mobile devices for reasons that make sense to them.

What are your sources of income?

Again, banking records show sources of income. Mobile devices also show sources of irregular or criminal income through chat conversations, images shared or photos.

People also go on social media and post images of a lifestyle which is far in excess of their income. People enjoying a high-value lifestyle on a limited income are advertising they have irregular incomes or have won a lottery, had success gambling, have a wealthy benefactor, or benefited from an inheritance. If these legitimate sources of income do not apply, look closely for irregular income such as drug dealing in encrypted chat apps. Virtual currency inquiries linked to an individual are also important sources of evidence.

What methods of communication do you use?

This can be corroborated through examination of their mobile devices. Look at the battery usage to see which apps are the most commonly used. Also, look for the app that is attended to most frequently. If a person says they hardly ever use WhatsApp, yet their battery shows they use it continually, they are lying, and the investigator will understand the suspect is attempting to draw their attention away from the app that contains potentially the most damaging evidence against them.

What locations are important to you?

Apple Significant Locations records the locations people attend most often. Helpfully, it also records the dates and times they attend these locations. This is a very valuable tool for the investigator, as people who attempt to downplay their association with a specific address may be caught by the evidence from the Significant Locations entries.

What vehicles are you linked to?

The mobile phone links to a vehicle and leaves a multitude of evidence behind as discussed in Chapter 8 “Motor Vehicles”. The vehicle stores this data, including all the other vehicles a specific mobile device has been connected to.

The home modem/router may be linked to the vehicle where updates to the vehicle are downloaded.

Scene questions that can be solved by technology

In this section, we will look at what technology can tell us about what happened in a scene or location outside of conducting interviews. You will see a similarity to technology which has just been discussed involving a witness, so when information is repeated, it is done so for completeness.

What happened?

Internet of Things (IoT) devices can capture exact details of activity within a scene. Chapter 10 “Internet of Things (IoT)” provides descriptions of many IoT devices that may be located within an address and the data/evidence that their sensors can collect.

Written accounts in emails, chat, and online communications can also provide descriptions of activity within a scene or crime. People often talk about their criminal behaviour on secure apps, believing they are operating within a safe environment.

A modem/router can collect data on the Media Access Control (MAC) address of devices within a location, regardless of whether the devices make a successful connection. Examination of the modem/router can provide the MAC addresses of the devices present, indicating how many people were within the location at the relevant time, and unique identifiers as to who they are. Further examination of this point will be discussed in Chapter 10 “Internet of Things (IoT)”.
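The following sketch shows how modem/router records could be reduced to a set of devices seen during a time window. It is an added example, not material from the book: the log line format and the sample lines are constructed, and real devices log in vendor-specific formats. It also separates addresses with the locally administered bit set, which modern phones commonly use for randomised MAC addresses, so the device count is an indication of how many people were present rather than a head count.

```python
import re
from datetime import datetime, timezone

# Assumed (constructed) line format: "<UTC timestamp> <probe|assoc> <mac> ..."
LINE = re.compile(r"^(\S+) (probe|assoc) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (typical of randomised MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def devices_in_window(lines, start, end):
    """Return {mac: record} for every device seen between start and end inclusive."""
    seen = {}
    for line in lines:
        match = LINE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        ts = parse_ts(match.group(1))
        if not (start <= ts <= end):
            continue
        mac = match.group(3).lower()
        rec = seen.setdefault(mac, {
            "first": ts, "last": ts, "associated": False,
            "randomised": is_locally_administered(mac),
        })
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        # "assoc" means the device joined the network; "probe" means it was only heard.
        rec["associated"] = rec["associated"] or match.group(2).lower() == "assoc"
    return seen

def summarise(seen):
    """Split devices into stable hardware addresses and likely randomised ones."""
    return {
        "stable": sorted(m for m, r in seen.items() if not r["randomised"]),
        "randomised": sorted(m for m, r in seen.items() if r["randomised"]),
    }

# Constructed sample log; the addresses do not belong to real devices.
SAMPLE_LOG = """\
2024-03-01T20:10:00Z assoc 00:1a:2b:10:20:30 rssi=-40
2024-03-01T21:01:05Z assoc 00:1a:2b:10:20:30 rssi=-41
2024-03-01T21:02:11Z probe 10:2c:3d:aa:bb:cc rssi=-63
2024-03-01T21:03:40Z probe da:a1:19:01:02:03 rssi=-70
2024-03-01T21:20:00Z probe 10:2c:3d:aa:bb:cc rssi=-60
2024-03-01T21:25:00Z probe 00:1A:2B:10:20:30 rssi=-45
corrupted entry
2024-03-01T22:30:00Z probe 00:11:22:33:44:55 rssi=-80
""".splitlines()
WINDOW = (parse_ts("2024-03-01T21:00:00Z"), parse_ts("2024-03-01T22:00:00Z"))

if __name__ == "__main__":
    found = devices_in_window(SAMPLE_LOG, *WINDOW)
    print(len(found), "devices seen:", summarise(found))
```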

Where did it happen?

As previously explained, GPS is a premier source of evidence in locating where events occurred. IoT devices again can identify a specific crime scene, and motor vehicles record post-offence behaviour where the vehicle was not an original component of the crime. The mobile phone and associated applications will be valuable evidence here.

When did it happen?

Wearable IoT devices as well as smart locations can provide volumes of evidence as can mobile devices and associated applications.

Sometimes, criminals talk about their criminal activities on online sites. Monitoring these open-source sites may provide valuable information.

Who was involved?

Technology can place people in scenes, or work towards eliminating them as being potential witnesses/suspects.

How many people were present?

IoT devices can capture how many people were in a scene when the event occurred. They may not be able to identify all of them but can tell investigators, for example, that there were five individuals at the scene during the crucial time. This means investigators have a definitive number to work with when attempting to identify who these five people were as well as corroborate this number against what people say in their statements.

How long did the event last?

IoT can capture how long an event lasted via the sensors in the room.

Why did the event happen?

Devices such as the home assistant may collect evidence of the beginning or parts of the event under investigation. This will depend heavily on the circumstances as well as the manner in which the home assistant was directed to start recording.

What happened after the event?

Post-event behaviour of a suspect can help identify an offender. CCTV cameras may record complete incidents or part of an event such as a suspect leaving a scene. Fitness trackers monitor post-offence behaviour of suspects such as elevated heart rates. Wearable technology may record violent offences involving the wearer.

What were the consequences of the event?

Closely related to what happened after an event, identifying consequences is valuable evidence to provide to a court or corroborate witness interviews. The prime examples are CCTV videos and mobile phone applications; however, fitness trackers and similar health/activity-related applications may record data such as the last moments of a person’s life.

Was anything introduced or removed from the scene?

Evidence removed or introduced to a crime scene may involve an attempt by the offender to cover the activity or mislead investigators. Modem/routers collect the MAC address of activated wireless devices. CCTV cameras record physical activity, including the introduction or removal of objects. An examination of the objects being introduced or removed will identify objects of specific interest to the offender.

IoT devices record activity such as lights being turned on, doors opened and locked, and vehicles leaving a location.

Summary

As time progresses, technology merges into our lives. In many instances, the fully connected individual will be able to do little in their lives which is not recorded and permanently stored by technology.

The investigator will evolve with the adaption of technology into the lives of the community, and an astute investigator who understands the technology in our environment will incorporate it into the investigation to corroborate the statements of witnesses or suspects or speak for a victim when they are unable to do so themselves.

Key Takeaways

Digital Evidence Key Takeaways

  • The digital examiner is a valuable person within your investigation team. They have the knowledge and skills to locate digital evidence. They also know how to obtain evidence to assist your investigation which you may not know even exists.
  • Digital evidence exists in many locations apart from the standard computer. Data is created and stored in digital devices and may be able to be accessed and potentially used in an investigation, depending upon the knowledge and ability of the investigator.
  • The interview with witnesses and suspects can be enhanced because the digital evidence tells its own story. It may corroborate a person’s version of events, refute it or fill in the gaps that witnesses may not recall.

  1. Edwards, G. (2019). Cybercrime Investigators Handbook. Wiley, New Jersey, USA.

Licence


Digital Evidence Manual Copyright © 2024 by Graeme Edwards is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
