The U.S. Department of Justice defines digital evidence as information and data stored on, received, or transmitted by an electronic device and determined to be of value to an investigation. Digital evidence can be latent, time-sensitive, easily changed, damaged, or destroyed, and can traverse jurisdictional borders (National Institute of Justice, 2008). As with any evidence, to be useful in proving or disproving criminal actions, the evidence and how it is obtained and analyzed must be reliable. Therefore, the processes used to obtain, handle, and analyze digital evidence should conform to accepted practices and utilize industry-recognized and accepted tools. Additionally, persons responsible for identifying, collecting, transporting, storing, and analyzing digital evidence must be knowledgeable and properly trained in this field and must have a good understanding of the legal requirements for search and seizure of electronic evidence.
Digital evidence is found on a variety of electronic devices, many of which are used daily in almost all societies and enable people to interact with each other both near and far. These forms of instant communication and e-mail provide a means for criminals to communicate with each other as well as with their victims (U.S. Department of Homeland Security & U.S. Secret Service, 2007). When such devices are used in the planning and commission of a crime, the digital evidence stored on computers, network servers, storage devices and media, digital cameras, and other such digital devices can be valuable in solving crimes. Digital forensic investigators must also be cognizant that additional digital evidence may exist away from the scene, such as on network servers used by email providers or social media sites or stored in online storage
For digital evidence to be useful in solving crimes, it must be relevant and its reliability must be maintained throughout the process of search, seizure, examination, and analysis. First and foremost, the search and seizure of any evidence must be conducted using legal means, by either executing a search warrant or by one of the exceptions to a search warrant (National Institute of Justice, 2008). Once it is determined or suspected that digital evidence is involved in the commission of a crime, it is paramount that the scene is controlled and any digital devices and electronic storage media at the scene are secured to prevent potential damage, corruption, or destruction of any digital evidence. The scene should be fully documented to create an official record of the scene for later use by investigators and to aid in reconnecting any computers or devices seized. Care should be taken when documenting the scene to ensure that running computers are not powered down and that no evidence is moved until the entire scene is documented. Once the scene has been documented by sketch, photograph, or video, any devices to be seized should be either powered off or left with power on, according to departmental or agency procedures. This will best ensure any digital evidence contained on these devices is left intact and not damaged, corrupted, or destroyed by improperly powering off a device.
Any electronic device seized should be properly labeled and packaged before transport to preserve any digital evidence. If it is determined that computers in a powered-on state should be powered down, then power must be removed by unplugging the power connector at the back of the computer's power supply or by removing the battery on laptop computers. Packaging must include using the proper materials, such as cardboard boxes, paper bags, and anti-static bags, to prevent the creation of static electricity or the buildup of humidity and moisture that could damage sensitive electronic components. Devices such as cell phones should be left in a powered-on state if found that way and should be transported in specialized packaging that prevents the reception of any signals (National Institute of Justice, 2008). A complete inventory of all items seized must be completed and each item must be entered on a chain of custody form. Personnel should also take care to preserve any traditional evidence that may exist on these devices, such as fingerprints or body fluids (National Institute of Justice, 2008).
Once seized items have been properly packaged and transported, only persons trained and qualified in digital forensics procedures should conduct examinations and analysis of digital evidence. Any time evidence is transferred to another person, the release and receipt of the evidence must be annotated on a chain of custody log. Additionally, forensic tools used to discover and recover any digital evidence should be court-approved or recognized by the forensic community, and any examination or analysis of digital evidence must be performed on a copy of the original digital image (National Institute of Justice, 2007).
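The following added example (not taken from the cited guides) shows one way to keep the custody log and the working copy checkable: each release/receipt entry is hash-chained to the previous one and carries the image's SHA-256, so an edited entry, a missing entry, or a copy that differs from the acquired image is detected. The function names, field names, and the use of SHA-256 hash chaining are assumptions made for illustration, and the sample image and transfers are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_digest value for the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_digest"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_transfer(log, item_id, released_by, received_by, timestamp, evidence_sha256):
    """Append one release/receipt entry, chained to the previous entry."""
    entry = {"item_id": item_id, "released_by": released_by,
             "received_by": received_by, "timestamp": timestamp,
             "evidence_sha256": evidence_sha256,
             "prev_digest": log[-1]["entry_digest"] if log else GENESIS}
    entry["entry_digest"] = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log, acquisition_sha256):
    """Return a list of problems; an empty list means the record is consistent."""
    problems, prev, holder = [], GENESIS, None
    for i, e in enumerate(log):
        if _digest(e) != e["entry_digest"]:
            problems.append(f"entry {i}: altered after it was written")
        if e["prev_digest"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        if holder is not None and e["released_by"] != holder:
            problems.append(f"entry {i}: released by {e['released_by']}, last receipt was {holder}")
        if e["evidence_sha256"] != acquisition_sha256:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        prev, holder = e["entry_digest"], e["received_by"]
    return problems

def build_demo_log():
    """Constructed sample: a stand-in image and two custody transfers."""
    image = b"constructed stand-in for an acquired disk image"
    acq = sha256_hex(image)
    log = []
    add_transfer(log, "ITEM-001", "Officer A", "Evidence Custodian", "2024-01-05T10:00Z", acq)
    add_transfer(log, "ITEM-001", "Evidence Custodian", "Examiner B", "2024-01-06T09:00Z", acq)
    return image, acq, log

if __name__ == "__main__":
    image, acq, log = build_demo_log()
    working_copy = bytes(image)  # the examiner works on a copy, never the original
    print("copy verified:", sha256_hex(working_copy) == acq)
    print("log problems:", verify_log(log, acq))
```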
Electronic devices, especially those used to communicate with others, are in widespread use, and crimes are often committed with them. Digital evidence is not limited to cyber or computer crimes. Digital evidence can exist in a variety of instances where criminals, and sometimes victims, communicate using computers, social media, and cellular phones, as well as when someone simply posts a criminal act on social media. The volume of digital evidence can be overwhelming in some cases; however, for evidence to be useful, it must be relevant, admissible, and reliable. To ensure digital evidence meets these requirements, agencies and departments must ensure that persons collecting, handling, transporting, and analyzing digital evidence follow department or agency procedures, are properly trained, and use industry- and court-accepted procedures and tools.
National Institute of Justice. (2007, January). Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. Retrieved from National Criminal Justice Reference Service: https://www.ncjrs.gov/pdffiles1/nij/211314.pdf
National Institute of Justice. (2008, April). Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. Retrieved February 13, 2017, from National Institute of Justice: https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
U.S. Department of Homeland Security & U.S. Secret Service. (2007). Best Practices for Seizing Electronic Evidence v.3: A Pocket Guide for First Responders. Washington D.C., USA.