As technology becomes more prevalent in society, the introduction of electronic data and information as evidence has become more commonplace. Electronic evidence is useful not only in computer-related offenses such as hacking but also in regular crimes. Data extracted from electronic devices, computer networks and cloud services can help investigators determine the events that took place surrounding a crime. This can include user accounts, dates and times, location data, messages and other forms of media. All of this can be entered into an investigation to help investigators and legal authorities determine what legal action should be taken.
One of the most important aspects of using electronic evidence in a court setting is verifying the authenticity and integrity of the data. Without this it may not be possible to prove in a legal sense who committed a certain act. In a criminal case the legal precedent requires a preponderance of evidence in order to convict someone of a crime. If this evidence has lost its integrity due to improper handling practices during the digital forensics process, then it will likely not be admissible in court. If this happens, criminals who committed crimes may not be convicted and, even worse, individuals who are innocent may be convicted of crimes they did not commit (Yarnall, 2020).
In order for electronic evidence to be admissible in a legal setting, it must first be presented in a way that proves its integrity. To do this, it is commonplace for investigators to make copies of the original data to preserve the evidence. This is done with digital forensics software tools such as FTK Imager, which will create a disk image of a drive for later analysis. During this imaging process the investigator can choose to compute a hash value of the original data that will be used to verify its integrity. The hash can later be recomputed and compared against the value that was first created in order to digitally verify that the data has not been altered in any way.
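
The record-then-recompute check described above, as an added example that is not part of the original text or of any forensic tool. The function names, the record fields, the choice of SHA-1 and SHA-256, the placeholder case and examiner values, and the sample image are all assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory

def hash_image(path, algorithms=("sha1", "sha256")):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquisition_record(path, case_id, examiner):
    """Values to write into the case notes at imaging time (fields are assumed)."""
    return {"case_id": case_id, "examiner": examiner,
            "size": os.path.getsize(path), "hashes": hash_image(path)}

def verify_image(path, record):
    """Recompute and compare; an empty list means the copy matches the record."""
    mismatches = []
    if os.path.getsize(path) != record["size"]:
        mismatches.append("size")
    current = hash_image(path, tuple(record["hashes"]))
    for name, expected in record["hashes"].items():
        if current[name] != expected:
            mismatches.append(name)
    return mismatches

def demo():
    """Constructed sample: image a file, copy it, then alter one byte of the copy."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.dd")
        with open(original, "wb") as f:
            f.write(b"constructed sample sector data " * 100000)
        record = acquisition_record(original, "CASE-PLACEHOLDER", "examiner-placeholder")
        copy = shutil.copyfile(original, os.path.join(d, "working_copy.dd"))
        intact = verify_image(copy, record)
        with open(copy, "r+b") as f:
            f.seek(CHUNK + 5)
            f.write(b"\x00")  # overwrite a single byte; file size is unchanged
        altered = verify_image(copy, record)
    return intact, altered

if __name__ == "__main__":
    print(demo())
```

The size field alone would not catch the change made in `demo()`, which is why the digests are what the record relies on.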
Additionally, investigators must be able to prove what is known as user attribution. This is where evidence is produced that proves the suspect in question was in fact the one using an electronic device during a specific crime or event. This can be done with metadata such as user accounts, media access control (MAC) addresses, internet protocol (IP) addresses and other data that can link an individual to a particular device or action. From here, extensive analysis must be conducted to connect the physical evidence with the electronic evidence and make a compelling case against the suspect (U.S. Department of Justice, 2011).