4 min read

Interesting cases

• Data collected from a smartwatch worn by a 57-year old Australian murder victim led to the arrest of her daughter-in-law. (Details)
• Data recorded in Apple’s Health App led to the conviction of a murder suspect. The data showed that the suspect was climbing stairs and this was correlated to him dragging his victim down a riverbank and climbing back up. (Details)
• US law enforcement used Fitbit data to charge a man with the murder of his wife. (Details)
• Amazon Echo data is being used in a US murder trial. (Details)
• A 59-year old American was indicted for arson and insurance fraud based on evidence from his pacemaker (artificial heart implant). (Details)
• According to the European Commission, more than half of all investigations today involve a cross-border request to access electronic evidence. Electronic evidence is needed in around 85% of criminal investigations.

---

What is digital evidence?

Digital / electronic evidence refers to various types of data in electronic form that are relevant in investigating and prosecuting criminal offences.

ISO/IEC STANDARD 27037 defines digital evidence as information or data, stored or transmitted in binary form that may be relied on as evidence.

Digital Evidence is found in most cyber and conventional cases today — adultery, arson, copyright infringement, cyberbullying & stalking, data theft, fraud, malware, matrimony scams, money laundering, murder, online banking & shopping scams, piracy, web attacks and more.

More than half of all investigations today involve a cross-border request to access electronic evidence. Electronic evidence is needed in around 85% of criminal investigations… (European Commission)”

The most important standards for the identification, collection, acquisition, and preservation of potential digital evidence include:

1. ISO/IEC standards 27037, 27042, 27043 and 27050.
2. ACPO Good Practice Guide for Digital Evidence.
3. European Union on Global Action on Cybercrime (GLACY) Digital Forensics Guide.
4. Scientific Working Group on Digital Evidence (SWGDE) Best Practices, Manuals, and Standard Operating Procedures.

---

---

Sources of digital evidence

The primary sources of digital evidence are:

1. Computer networks

These include Access Control lists, Address Resolution Protocol (ARP) cache records, Encrypted traffic, IP addresses, Media Access Control (MAC) addresses, Routing tables, Network Address Translation data, Network configurations, connections & devices, Service Set Identifiers (SSID), Wifi logs. Also relevant is data from Firewalls, Intrusion detection systems, Network Forensic Analysis Tools and Network monitoring software, Packet sniffers and protocol analyzers, Remote access logs, Routers, and Security Event Management Software.

2. Cellular & Internet service providers

These include Access data (date and time of subscriber’s use, the log-in to and log-off from the service, the IP address allocated by the service provider), Content data (stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data), Subscriber data (subscriber’s name, date of birth, postal address, billing, and payment data, telephone number, email address), and Transactional data (the source and destination of a message, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression).

3. Emails

Evidence from emails includes headers, IP addresses, and login details. Popular email providers include Gmail, Outlook, and Yahoo.

4. Google

Considering the vast amount of information collected by Google, it deserves a special category. Google evidence includes data from Google Bookmarks, Calendar, Cloud Print, Dashboard, Drive, Group, History, Keep, Location reporting & history, Maps, Sites, and YouTube.

5. Internet browsers & artifacts

Popular browsers include Chrome, Firefox, and Safari. The sources of digital evidence include bookmarks, cached data, cookies, dark web browsing data, favorites, browser extensions, history, peer-to-peer file exchange logs, and stored passwords.

6. IoT & smart devices

These include Drones, Smart speakers (Amazon Echo, Google Home), Smart cars, Smart Medical Devices, and Smartwatches.

7. Laptops & Desktops

On Windows, Mac, and Linux laptops, the common sources of digital evidence are Application data, Application files, Backup data, Basic Input Output System (BIOS), Compressed files, Configuration files, Data files, Deleted files, Documents, Dump files, Encrypted archives, files & volumes, File modification, access and creation times, Firmware information, Free space, Hidden files, Host Protected Area, Login sessions, Metadata, Multimedia files (movies, digital photographs, graphic image files, streaming data, flash), Open files, Operating system registers & time, Print scan & fax jobs, Printer spooler files, Random Access Memory (RAM), Running processes, Slack space, Swap files, System files, and Temporary files.

Specific to Windows computers are Alternate data streams, Hibernation files, Page files, Picture thumbnail data, and PST files.

8. Mobile app providers

These include Cloud Storage, Deleted messages, Emails, GPS locations, Internet searches, Media files, Messages, Passwords, Photos, and Videos.

9. Servers

These include Domain Name (DNS) servers, Database servers, Dynamic Host Configuration Protocol (DHCP) servers, Email servers, File Transfer Protocol (FTP) servers, and Web servers.

10. Smartphones & tablets

These include Account numbers, Apps, Audio, Browser & Internet artifacts (bookmarks, cached data, cookies, favorites, browser extensions, history, stored passwords), Calendar items, Call logs & register, Chat and instant messaging records, Cloud Storage, Connected devices, Contacts, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), Location information including recently used cell phone towers, Malware, Maps, Notes & memos, Passwords, Photos, Purchased media, SIM Cards, Stored files Stored voicemail, and Videos.

11. Social media platforms

The popular social media platforms include Facebook, Instagram, LinkedIn, Pinterest, Snapchat, Tumblr, Twitter, and WeChat.

12. Storage media

These include Flash Storage, Floppy Discs and Legacy Media, Hard Disk Drives, Magnetic Tape Digital Storage, Optical Discs, Solid State Drives, and USB drives.

13. Other sources of digital evidence

These include Bitcoin & crypto-currency wallets, Closed-circuit television cameras (CCTV), Credit card & other payment details, Datacenters, Digital Cameras, Gaming Consoles, GPS coordinates & geo-tags, Online Gaming Platforms, Physical access registers for buildings and facilities (e.g., radio frequency identification logs), Postage tracking numbers, Private Branch Exchange (PBX), Registered ownership and software registration information, Screen names, Security Systems, Synchronised data, and Virtual machines / cloud servers.

---

---