Digital Forensics for Law Enforcement
Digital evidence is information stored or transmitted in binary form or other formats that may be relied on in court. It can be found on a computer hard drive, a mobile phone, tablet or other piece of computer hardware. Digital evidence is commonly associated with electronic crime also known as e-crime, hacking or credit card theft. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects. In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement agencies are incorporating the collection and analysis of digital evidence, also known as computer forensics, into their infrastructure. Law enforcement agencies are challenged by the need to train officers to collect digital evidence and keep up with rapidly evolving technologies such as computer operating systems.
For law enforcement investigations, the preservation of digital evidence is of the highest importance. If it appears that digital evidence has been changed, it can no longer be trusted in a court of law. To preserve digital evidence, it must be handled properly so that it can be verified that the original data is unchanged. This is generally accomplished through two mechanisms, one administrative and the other technical. First, there is the chain of custody, which documents and verifies each transfer of the digital evidence. Second, the evidence is copied, and a cryptographic hash digest of the original data is created. Recomputing this hash at a later date will show whether or not the data has been tampered with. From there, the copy of the original data is used for the forensic investigation; it can be processed through various data exploitation tools such as Autopsy without changing the original data.
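As an added illustration of the technical mechanism just described (example code written for this page, not taken from the original text or from any forensic tool), the following Python script makes a bit-for-bit raw copy of a constructed sample "drive", records MD5 and SHA-256 digests of both the source and the image, and shows that re-hashing later detects a single changed byte in the working copy. The file names, the sample content and the demo() helper are all constructed for this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read large images in 1 MiB pieces rather than all at once


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} computed over the whole file in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(original, image):
    """Copy the original to a raw image byte for byte and hash both sides.

    Returns an acquisition record: digests of source and image, and whether
    they match. The record is what gets written into the chain-of-custody log.
    """
    source = hash_file(original)
    with open(original, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    copy = hash_file(image)
    return {"source": source, "image": copy, "verified": source == copy}


def verify(path, record):
    """Re-hash a file and compare with the recorded digests; False means change."""
    return hash_file(path) == record["source"]


def demo():
    """Constructed demo: acquire a small sample 'drive', then tamper with the copy."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "seized_drive.bin")  # constructed name
        image = os.path.join(workdir, "seized_drive.dd")      # constructed name
        with open(original, "wb") as f:
            f.write(b"EVIDENCE " * 5000 + bytes(range(256)))  # constructed content
        record = acquire(original, image)
        ok_before = verify(image, record)
        with open(image, "r+b") as f:  # flip one byte in the working copy
            f.seek(10)
            f.write(b"X")
        ok_after = verify(image, record)
        return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```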
Digital evidence can play a critical role in solving crimes and preparing court cases. But often the complexity and sheer volume of evidence found on computers, mobile phones, and other devices can overwhelm investigators from law enforcement agencies. During an investigation of suspected human trafficking, for instance, a computer forensic analyst will typically spend hours reviewing hundreds of videos from seized media. The analyst looks at whether a human is present in a particular image and whether or not illicit activity is present. This process is time-consuming, stressful, and prone to error.
This is just one example of the challenges facing law enforcement agencies when it comes to digital evidence. Departments around the country find themselves unable to keep up with rapidly evolving technologies and the quantity of digital evidence they produce. Many departments have limited budgets and lack proper equipment and training opportunities for officers. The result is often large backlogs in analyzing digital evidence.
Large-capacity media typically seized as evidence in a criminal investigation, such as computer hard drives and external drives, may be 1 terabyte or larger. This is equivalent to about 17,000 hours of recorded audio. Today, media can be acquired forensically at approximately 1.5 gigabytes per minute. The forensically acquired media are stored in a raw image format, which results in a bit-for-bit copy of the data contained in the original media without any additions or deletions, even for the portions of the media that do not contain data. This means that a 1 terabyte hard drive will take approximately 11 hours for forensic acquisition.
With the help of digital forensics tools like the ones you'll learn about in this course, investigators are able to sift through large quantities of data in a very short period of time. These automated tools help investigators pinpoint exactly what they are trying to find, which would be nearly impossible through manual examination. Tools allow complex filters to be established that may use databases of known keywords, such as those used in drug trafficking or terrorism. These filters quickly identify the keywords, file types and location of information that is relevant to an investigation.
These days electronic evidence is proving to be more and more valuable, as criminals leave digital signatures that log their activity, which helps in an investigation. For example, metadata found in photographs can help law enforcement determine the GPS coordinates of a digital picture or video. This information can help law enforcement locate certain individuals who have committed crimes or find missing people.