Digital Evidence and Forensics

This is FREE sample
This text is free, available online and used for guidance and inspiration. Need a 100% unique paper? Order a custom essay.
  • Any subject
  • Within the deadline
  • Without paying in advance
Get custom essay


Law enforcement faces new challenges with new types of digital technologies. They are in a continuous battle with criminals of different applications of digital technologies and so law enforcement is coming up with new forensics tools to systematically search digital devices for evidence that is either hidden or has been deleted for the device. What I hope to accomplish in this paper is to give the reader a better understanding of digital evidence and forensics. What is involved with the collecting and how the digital evidence is processed and who can process the evidence without destroying the evidence?


Nowadays computers and tablets, and cell phones and other electronic devices are used to commit crimes, the increasing science of digital evidence and forensics, law enforcement agencies now use computers to help with fighting crime. Digital evidence is defined as evidence consisting of information stored or transmitted in electronic form. Digital evidence is any information that is stored or transmitted in a binary form that may be relied on in court. Digital evidence can be found on the computer’s hard drive, flash card in a digital camera, cell phone, and tablets, among many other places.

Digital evidence is frequently related to electronic crime, or e-crime, such as credit card fraud or child pornography. Though digital evidence is now used to prosecute all different types of crimes and not just e-crimes (Nelson, Philips, & Steuart, 2016). For example, a suspect e-mail or a mobile device file might contain serious evidence concerning their intent along with their whereabouts at the time the crime was committed and their actual relationship with other suspects.

The history of digital evidence and forensics is relatively new it’s hard to pinpoint when it actually began. However, most experts come to agree that the field of digital evidence and forensics began to grow more than thirty years ago. Digital evidence and forensics began in the United States when law enforcement and military investigators started seeing more and more criminals get technical with their crimes. Management employees that are charged with critical important, confidential and certainty classified information when conducting forensic investigations in response to possible security break not only investigate the possible breach but how to prevent them in the future (Sammons, 2015).

The field of information security is responsible for protecting vital information, assets, and computer forensics, which they focus on hi-tech offenses that start to intertwine. However, prior to analyzing the digital evidence, an image or work copy of the original storage device is created. When collecting data from a suspect device, a copy must be stored on another form of media to keep the original untouched. This prevents the original device from being connected to any networks and keep the evidence as pristine as possible. There needs to be a chain of custody that provides information for the electronic evidence from the beginning to the end by recording it on the evidence log sheet.

If there is more then one device collected all need to be logged on the evidence sheet in chronological order of every person who has had the evidence in their custody (I-long & Yun-Sheng, 2011). Nevertheless, before beginning to collect evidence and creating the chain of custody. Before collecting or touching anything at the crime scene, there should be steps taken to record the location and condition of the computer and other items. A notepad and a digital camera can be a very valuable tool for capturing evidence what was on the device screen when investigators arrived on scene. Digital evidence is information stored or transited in digital form that may be used in court during an investigation.

Understanding Digital Evidence and Forensics

When collecting evidence, the only evidence that can be collected is what is stated in the search warrant. If the search warrant was for all electronic devices this would include computers, gaming systems, cameras, tablets, and cell phones would be collected as evidence. Each of the items would be logged on an Evidence sheet that will remain with the evidence at all time. Making sure that the chain of custody is not broken or compromised. The evidence that can be gathered digitally would include all computer documents, all emails, text and instant messages, images and internet histories are all examples of information that can be gathered from electronic devices and used as evidence in court.

Most mobile devices use an online backup system known as the cloud that helps provide forensic investigators with access to text messages and pictures taken from a specific phone or tablet that has the capabilities of taken pictures. These devices keep up to an average of 1000 or more of text messages sent to and received from the phone gathered. Furthermore, many mobile devices store information about the locations where the device has traveled and what time it was at certain locations. To have a better knowledge of the device, the investigators can access up to the last 200 locations of the mobile device. Just like when someone post pictures to social media like Facebook account it may contain the location information in the photos that were taken.

When a Global Positioning System (GPS) enabled a device that holds file data that displays when and accurately where a photo was taken. By acquisition a subpoena for certain mobile devices accounts, an investigator can gather the amount of history related to a device and the person using it. Who conducts the analysis? “Analysis examines all information available in an effort to separate that data into relevant parts for further study” (Osterburg & Ward, 2014).

The analysis is always conducted by a trained expert in the field of removing digital evidence and they need to be trained in that certain device otherwise they could destroy all the digital evidence on the device. However, not all agencies have digital evidence expert’s on hand, but if they do, the officer maybe only specialized in social media or credit and bank fraud. Some detectives would have the abilities to login onto e-Bay or other auction sites to look for stolen property, but not qualified to search a computer for hidden documents or other digital documents of illegal actives.

Again, if the detective does not know what they’re doing they could destroy all of the digital evidence in the process. There has been a wide amount of interest in the area and learning how and what can be extract, digital evidence from computers or other electronic devices. However, there is more than one path to digital evidence expertise qualifications and certifications. Combination of digital seizure methods has become more common in first responder training.

A certified digital media examiner are investigators who have the education, training, and experience to properly exploit sensitive evidence. “These professionals have shown essential proficiencies in pre-examination measures and legal issues, media assessment and analysis, data recovery, specific analysis of recovered data, documentation and reporting, and presentation of findings (Nelson, Philips, & Steuart, 2016).’ Most agencies do not require certification of examiners but are a very valuable asset.

How are digital devices collected? First, the scene needs to be secured, then and legal authority to seize the evidence has to be confirmed, all devices are then collected. Along with gathering evidence any and all passwords, codes, or PINs should be gathered, and if possible, the charger associated with the devices, cables, peripherals, and manuals should be collected as well. Flash drives, cell phones, hard drives, are examined using different tools and techniques, and this is often performed in a specialized laboratory.

Values of Digital Evidence

The benefits of digital evidence are the ability to reduce or even eliminate sampling risk, this happens to be the largest benefit of forensic accountants over the outside examiners. The evaluation of related types of data from different systems or sources to show a more complete picture. The ability to easily trend applicable data over periods of time; variations in trending lines can be examined further for false positives and potential risk factors (Collie, 2018). Digital evidence may be found on computers or other electronic devices directly associated with the offense committed. For example, law enforcement may be investigating a child molestation complaint.

When the investigator inspects the suspect’s computer, he finds multiple pictures that appear to show the suspect molesting a number of children (Casey, 2010). Then another piece of digital evidence like a flash card from digital camera pictures are found to have the suspect possession has the flash card contains pictures of the stolen vehicles. The Internet has been around since the 1990s, the use of social media has only been around since 2003. Users can add their own content to any social media site that will allow it.

Sites like Facebook are not static, individuals continually changing what they have added commentary, photos, and videos. ‘Social media is a form an electronic communication: websites and applications that enable users to create and share content or to participate in social networking” (Casey, 2010). “Digital media is any digitized content such as text, photographs, audio and video that has been encoded and easily transmitted over computer networks. Digital media can be created, viewed, distributed, altered and preserved on electronic devices. Digital evidence is any probative information stored or transmitted in digital form over the Internet or computer networks” (Nelson, Philips, & Steuart, 2016).

How is digital evidence processed? After all, the evidence has been logged on the evidence sheet and a copy of the files and applications on the computer are done. The next step is the specialist will use selected software to view data. They will be able to see all the files on the drive, and they can see if any areas are hidden and could be able to restore organization of files allowing the hidden areas to be viewed. All deleted files are also visible as long as they have not been overwritten by new data (Nelson, Philips, & Steuart, 2016).

Also, partially deleted files can be of great value as well. Files on computer and other devices are not the only evidence that can be gathered. Sometimes the expert may have to work beyond the hardware to find evidence that resides on the Internet which includes social media, chat rooms, instant messaging, and other networks of information (Angus, 2008). Benefits of electronic devices such as computers and cell phones are that most people use a cloud to back up their information that’s on their computers or other devices.

The cloud is a network of computers each of which serves a different function. When you save or access data to and from the cloud you do so over the internet rather via a computer hard-drive. The allows people to enjoy greater freedom and flexibility when it comes to accessing data and services and has been proven invaluable for both individuals and businesses. The cloud also allows the user to easily recover data if it is lost. The cloud also provides automatic software updates and provides greater security levels. The clouds allow you to access your data anywhere if you are on the go like meeting, classrooms, the places are endless.

Why and When is Digital Evidence examined? Digital evidence is examined after a crime has been committed. First, every lab has a Standard operating procedure (SOP). Standard operating procedures are vital in any lab to be run successfully. There is also a Scientific working group on digital evidence (SWGDE) which creates a number of standards for digital forensics.

The SWGDE has a model standard operation procedure for computer forensics document defines examination requirements, process structures and documentation (Scientific Working Group on Digital Evidence, 2018). According to this document, there are four steps of examination, visual inspection, forensic duplication, media examination, and evidence return. Visual inspection is the purpose of the inspection is to determine the type of evidence, the condition, and the relevant information to perform the test. Often done when the evidence is a first seizure at the crime scene.

For example, if a computer is seized at the scene you want to document if the computer was on and running. Forensic Duplication is the process of duplicating the media before examination of the computer. It is always important to have a forensic copy and not work off the original. Media examination is the actual forensic testing of the application by media which is the hard drive, Ram, Sim card or something else that hold digital data. The evidence is then returned to the secured location. “Digital evidence comes into play in any serious criminal investigation such as murder, rape, stalking, car-jacking, burglary, child abuse, or exploitation, counterfeiting, extortion, gambling, piracy, property crimes and terrorism” (Maecella & Guillossou, 2012).

Pre-and Post-crime information is most applicable for example if the criminal was using online programs like Google maps or street view to case a property before a crime or posting stolen items on craigslist or communicating via text message with accomplices to plan a crime or threaten a person (Maecella & Guillossou, 2012). Rules of Evidence is for practical purposes the rules of evidence are rules of exclusion.

Digital Forensics tools are designed to help security staff, and law enforcement investigators identify, collect, preserve and examine data on computer hard drives that are related to the illegal activity, like cybercrime, e-mail and internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, rational property theft. Gradually these tools are being applied to e-discovery related to civil litigation and regulatory compliance (Sammons, 2015). Forensics tools have a purpose is they abide by a formal evidence processing protocols such as maintaining a chain of custody and avoiding alteration or compromise of evidence and allowing any and all findings to be successfully used in the court of law (Nelson, Philips, & Steuart, 2016).

Documenting and Reporting

Documenting the crime scene is normally done in two steps first sketching and then photographing the scene. An electronic crime scene is no different, the first sketch the scene and then overall photographs of the location should be taken. Close up photographs of any running computer monitor should be taken. “All computer connections to the system unit such as peripherical devices for example keyboard, monitor, speakers, mouse, printer, and any other devices should be photographed. Photographs of systems serial numbers should be taken, if needed” (Osterburg & Ward, 2014).


Preserving Evidence is vital to any criminal investigation, always make a copy of any digital file so the original is preserved for later. When examining digital evidence always be sure to make a copy before you begin the process of examining the applications or file on a computer. When analysis of all digital evidence is should only be done by a trained expert who knows how to remove or get information from the device. A trained expert has the experience and the knowledge of how to get the information without destroying it. Digital evidence is having a huge impact on the fourth amendment. The court’s ultimate question is whether locations where digital evidence may be found, that range from desktop computers to countless other devices are subject to a special rule or whether traditional search and seizure rules is sufficing (Collie, 2018).


  1. Angus, M. (2008). Digital Evidence in Criminal Investigation. Hokaban: Wiley-Blackwell. Retrieved November 9, 2018,
  2. Casey, E. (2010). Handbook of Digital Forensics and Investigation. Retrieved November 5, 2018, from https://doi.org/10.1016/C2009-0-01683-3
  3. Collie, J. (2018, August). Digital forensic evidence—Flaws in the criminal justice system. Forensic Science International, 154-155. Retrieved November 9, 2018, from https://www-sciencedirect-com.ezproxy.liberty.edu/science/article/pii/S0379073818302378
  4. Daniel, L. E., & Lars, D. (2012). Digital Forensics for Legal Professionals. Elsevier. Retrieved November 6, 2018, from https://www-sciencedirect-com.ezproxy.liberty.edu/book/9781597496438/digital-forensics-for-legal-professionals
  5. I-long, l., & Yun-Sheng, Y. (2011). VoIP Digital Evidence Forensics Standard Operating Procedure. International Journal of Research and Reviews in Computer Science, 2(1), 173-179. Retrieved November 4, 2018, from http://ezproxy.liberty.edu/login?url=https://search-proquest-com.ezproxy.liberty.edu/docview/1013807216?accountid=12085
  6. Mabuto, E., & Venter, H. (2013). System-Generated Digital Forensic Evidence in Graphic Design Applications. The Journal of Digital Forensics, Security and Law: JDFSL, 71-86. Retrieved November 5, 2018, from http://exproxy.liberty.edu/login?url=https://search-proquest-com.ezproxy.liberty.edu/docview/1525458314?accountid=12085
  7. Maecella, A. J., & Guillossou, F. (2012, May 1). onlinelibrary-wiley-com.ezproxy.liberty.edu. doi:978-1-118-27366-1
  8. National Institute of Justice. (2016, April 14). Retrieved November 8, 2018, from https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
  9. Nelson, B., Philips, A., & Steuart, C. (2016). Guide to Computer Forensics and Investigations Processing Digital Evidence. Boston: Cengage.
  10. Osterburg, J. W., & Ward, R. H. (2014). Criminal Investigation (7th ed.). Waltham, MA: Elsevier. Saferstein, R. (2016). Forensic Science from the Crime Scene to the Crime Lab (3rd ed.). Mt.Laurel, New Jersey: Pearson.
  11. Sammons, J. (2015). The Basics of Digital Forensics. Retrieved November 05, 2018, from https://www-sciencedirect-com.ezproxy.liberty.edu/science/article: https://www-sciencedirect-com.ezproxy.liberty.edu/science/article/pii/B9780128016350000024

Cite this paper

Digital Evidence and Forensics. (2022, Jan 14). Retrieved from https://samploon.com/digital-evidence-and-forensics/



What are examples of digital evidence?
Digital evidence is any data that can be stored on a digital device. This can include text files, images, videos, and emails.
What are the two types of digital evidence?
There are two types of digital evidence: active and passive. Active digital evidence is data that is currently stored on a device or in transit. Passive digital evidence is data that has already been stored on a device.
What is an example of digital forensics?
Digital forensics is the practice of investigating and analyzing digital devices and data.
What is the difference between forensics and digital forensics?
The main difference between the two disciplines is that forensic science emphasizes physical evidence instead of digital evidence . The forensic science certification is chosen for comparison purposes because forensic science is closely related to digital forensics.
We use cookies to give you the best experience possible. By continuing we’ll assume you’re on board with our cookie policy

Peter is on the line!

Don't settle for a cookie-cutter essay. Receive a tailored piece that meets your specific needs and requirements.

Check it out