Lecture 3 (Tuesday, January 18, 2011)


Evidence, broadly defined, is anything used to establish a fact. The basis of any case or incident response is obtaining the facts surrounding the matter in question. Even in most "computer cases" most of the facts are probably established using non-digital evidence. This is no less true of the majority of cases that aren't "computer cases" and/or (at least at first glance) don't appear to touch the computer or digital worlds. Even with all of the technology present in today's world, good old-fashioned human eye-witness testimony remains among the most compelling evidence in many cases.

Having said that, in this class, we aren't going to worry about those cases where digital evidence cannot be of help or isn't particularly compelling. We are, instead, going to concern ourselves with understanding what can be demonstrated, those areas where it is being exploited, and those areas where it remains a rich, but unexplored resource.

The Lifetime of Evidence and the Chain of Custody

Evidence might be used from seconds to decades after it was first encountered. Footprints might allow investigators to follow a "hot trail", and medical or digital evidence might be re-examined decades later, for example to address "cold cases" or injustices. It is imperative that the evidence remain protected from the moment it is collected through the time it is disposed of by the legal system, if ever.

In order to protect the trustworthiness of evidence, the legal system places significant emphasis on the chain of custody. The chain of custody is the set of persons responsible for maintaining the integrity of the evidence over time, combined with the procedures and safeguards that they employed, and the documentation that evidences the state of the evidence at each point in time.

If, at any time, from collection through trial, the chain of custody is broken, it represents a significant barrier to the evidence's trustworthiness. During the period of time in which the evidence is not demonstrated to have been protected, it could have been altered by a party with motivations other than a fair trial. We are fortunate in information forensics, because most of our evidence is stable, unlike medical evidence, which might require special care, such as refrigeration, to protect its state.

The chain of custody is not necessarily important in corporate incident response for internal reasons. But, it can become critically important if internally collected evidence needs to be offered to a judicial process.

The Lifetime of Evidence and the Chain of Custody: Thinking About Digital Information

But, we are not without our special concerns. Our evidence is more opaque than many other types. And, accessing the evidence may require the slicing and dicing of the host device. For example, we might need to repair failed devices, enhance weak magnetic information, or perform other evidence-altering procedures. Alteration of the device that hosts information is usually done only when essential, often needs special permission from the court, and typically requires careful documentation and photography of the device's original state.

Similarly, a change in the data hosted by a hard drive, USB disk, or CD-RW doesn't cause a change in the way the device looks to the naked eye. This is very different, for example, from cross-outs and white-out on paper records. As a result, we rely on hash values to ensure that the hosted information being used as evidence at any point in a trial is the same as the evidence originally seized. If a hash value changes, it is a bad thing, because it is usually not possible to determine, with certainty, what or how much has changed. All of the evidence covered by the original hash may well be spoiled.
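As an added illustration (not part of these notes) of the two ideas above, the chain-of-custody record and the hash check on seized data, here is a small Python custody log that re-hashes an evidence image at every sign-in and sign-out and ties any mismatch to a custodian and a time. It goes one step beyond the notes by also hashing the image in fixed-size pieces, so that when the whole-image hash no longer matches, the affected blocks can at least be located. The evidence number, names and the 16 KiB "disk image" are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # piece size for block-level hashes (chosen for this example)


def hash_image(data: bytes) -> str:
    """Whole-image SHA-256: the single value recorded on the evidence tag."""
    return hashlib.sha256(data).hexdigest()


def piecewise_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-256 of each fixed-size block; the final block may be short."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


class CustodyLog:
    """Append-only chain-of-custody record for one evidence image.

    Every handover re-hashes the image and compares it with the hash taken
    at acquisition, so a break in integrity is tied to a custodian and time.
    """

    def __init__(self, evidence_id: str, acquired_by: str, image: bytes):
        self.evidence_id = evidence_id
        self.acquisition_hash = hash_image(image)
        self.acquisition_pieces = piecewise_hashes(image)
        self.entries = []
        self._record(acquired_by, "acquired", self.acquisition_hash, True)

    def _record(self, who, action, digest, intact):
        self.entries.append({
            "who": who, "action": action, "sha256": digest, "intact": intact,
            "when": datetime.now(timezone.utc).isoformat(),
        })

    def checkpoint(self, who: str, action: str, image: bytes) -> bool:
        """Log a sign-in/sign-out; return False if the image no longer matches."""
        digest = hash_image(image)
        intact = digest == self.acquisition_hash
        self._record(who, action, digest, intact)
        return intact

    def changed_blocks(self, image: bytes) -> list:
        """Indices of blocks whose piece hash differs from the acquisition copy."""
        now = piecewise_hashes(image)
        count = max(len(now), len(self.acquisition_pieces))
        return [i for i in range(count)
                if i >= len(now) or i >= len(self.acquisition_pieces)
                or now[i] != self.acquisition_pieces[i]]


def demo():
    """Constructed walk-through: a clean lab sign-in, then a tampered copy at trial."""
    image = bytes(range(256)) * 64                       # constructed 16 KiB "disk image"
    log = CustodyLog("EV-0001", "Det. Example", image)   # placeholder identifiers
    ok_at_lab = log.checkpoint("Lab tech", "signed in at lab", image)
    tampered = bytearray(image)
    tampered[5000] ^= 0xFF                               # one byte flipped inside block 1
    ok_at_trial = log.checkpoint("Clerk", "produced at trial", bytes(tampered))
    return ok_at_lab, ok_at_trial, log.changed_blocks(bytes(tampered))


if __name__ == "__main__":
    print(demo())  # (True, False, [1])
```

The whole-image hash alone only says that something changed; the piece hashes narrow it to block 1, which is what a lab would want to know before deciding how much of the image is spoiled.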

Protocols For Collecting Evidence

Over the years, police and other first responders have established processes for collecting and securing evidence to protect its integrity for later analysis and/or presentation in court. The written rules expressing this process are known as the protocols. The details of the protocol vary with the type of evidence; for example, the collection of some types of evidence might require prompt refrigeration. The collection of medical evidence, e.g. a "rape kit", is very different from the collection of fingerprints, which is different from the collection of other types of evidence, such as spent cartridge casings or stained clothing.

But, in any case, the protocols are designed to achieve three goals. The first is to protect the evidence. The second is to provide a way to teach people to collect evidence and to ensure that "lessons learned" are not forgotten. And the third is to provide a well-understood, established, credible, familiar standard of care that ensures the quality of evidence and reduces the need to examine every detail of the process freshly for each piece introduced.

Who Collects Digital Evidence?

In criminal cases, the evidence is most often collected by the prosecution. The police begin investigating the case on their own schedule and perform searches and seizures on their own schedule. The defense does not usually begin, in earnest, until well after the arrest. And, because the criminal legal process is often slow, it might be years before the defendant is close to trial and truly mustering a rigorous defense. This isn't good. But, it is the way it often happens.

Having said that, sometimes the defense does collect evidence that the prosecution missed, didn't know existed, or didn't consider relevant. Depending on the circumstances, establishing the trustworthiness of this evidence is often challenging and may require significant corroboration or expert analysis. This is precisely because the chain of custody of the evidence isn't usually well protected while in defense custody.

In civil cases there may be very little seizure. Instead, through the judicial process, each side will be asked to produce evidence demanded by the other side. This is a slow process and often requires the involvement of a judge to determine how to balance the interests, e.g. the probative value of the requested evidence against the expense of acquiring it, the risk of exposing trade secrets, etc. Even though the trial is public, certain information might be protected from public disclosure, such as to protect the financial, medical or educational records of third parties, to prevent the release of trade secrets, etc.

Corporate incident response is in many ways like a criminal investigation. Evidence is collected by responders. But, unlike criminal cases, corporations can punish uncooperative employees.

What is Seized?

What is seized? The short answer is anything that is reasonably believed to be relevant. While it is unlikely that the analysis of a PC stored in the trunk of a car will turn up additional evidence of speeding, for many crimes this is not the case. Emails, TXT messages, chat logs, GPS information in phones, Web records, call/contact histories and records, etc., may all provide evidence of a wide variety of computer and non-computer crimes.

In all honesty, I'd like to see more electronic evidence seized for a wider variety of crimes. How much of your life is proximal to electronic devices? How could they not be relevant?

Safety and Separation

Before any evidence is collected, the scene has to be secured. The very first part is making it safe. This generally involves, among other things, getting everyone out of the way. This protects the investigators and the evidence.

Often the persons at the scene are identified and questioned. They can often be useful witnesses (or suspects). Information they can provide about electronic equipment, media, documentation, accounts, usage patterns, users, and passwords might be of particular value.

How to Collect Evidence: Usual Physical Precautions

Before evidence is collected, it is usually photographed in place. Close-ups are taken, as well as photos that show the big picture. Sketches are often made in order to note distances. Sketches are additionally important when the physical constraints prevent photographs, for perspective over a large scene, and as a backup for the photos.

Evidence is then bagged and tagged with an evidence number to identify it throughout the rest of the judicial process. In addition to the evidence number, the tag contains a summary of almost every other aspect of the case and the evidence, e.g. case number, suspect, who collected it, what it is, where it was found, who the victim was, etc.

Evidence containers are often sealed with tamper-evident tape that can't be removed without tearing. Evidence bags may have tamper-evident features. Fragile evidence is then repackaged in protective packaging, e.g. a foam-filled box, etc.

Evidence is transported from the scene to a police evidence facility. There it is signed for and cataloged. Detectives, experts, and others can sign it in and out of this facility, as necessary. The documentation began at the scene with the figures, photography, and tags, and continues throughout the whole process.

"Loose" Digital Media

Our worlds are littered with digital media. I don't know how many USB "thumb drives" and old CDs are in my desk, never mind camera cards, CDs I've burned, DVDs, external hard drives, etc. In general, if there is reason to seize a computer or records, there is reason to seize these.

Loose digital media should almost -never- be examined at the crime scene. This could alter what is stored. Examination should happen in a controlled situation in a lab. So, basically this stuff gets boxed and shipped like any other physical evidence.

Although most digital media is very stable, there are some risks. Magnetic media can be affected by magnetic fields from magnets or electrical devices, some types of CDs can be damaged by sunlight, and electronics can be static "zapped". And, any type of media can be damaged by physical shock or stress. Since precautions are fast, easy, and inexpensive, any media should be packaged to protect it from sunlight and physical damage. All but CDs should be protected in anti-static bags. And, any magnetic media should be stored in "Faraday bags or boxes" that shield from magnetism.

Cell phones, Smart Phones, PDAs, etc

Cellphones are a pain for investigators. There are two big, novel fears. The first is that the devices will become locked and require a PIN to unlock. Oddly enough, defendants don't usually want to offer the PIN to law enforcement and often seem to have trouble recalling it after the stress of a search, seizure, arrest, etc. Many phones only lock and require a PIN when turned off or after losing power -- but some do it after a time-out period. Sometimes the phones can be "cracked" without the PIN -- but this is actually somewhat rare. The phone's owner might not want to answer, but it can't hurt to ask, "Does the phone have a PIN? What is it?" The same is true of anyone else at the scene who might know.

The other risk is that, while the phone is in evidence, it could receive calls or TXT messages that overwrite messages in its own logs. This could happen by chance -- or because the defendant or a collaborator calls the phone all night to destroy evidence.

My belief is that the best practice here is to keep the phone powered up, but isolated from radio communication. In theory putting the phone into "Airplane mode" is good enough -- but I'd rather not mess around at the scene. Instead, I recommend providing a source of back-up power, for example, from a AA-battery powered device, and then immediately bagging the phone in a protective "faraday bag", like the one I showed in class.

I like that bag, because it is easy to see through, so that the phone can be confirmed to have no signal. One thing I don't like about it is that it has no positive closure. I use plastic zip-ties, zipping the wire for the power device outside of the bag, so the batteries can be changed or a power adapter connected to the wire. But, this could serve as an antenna. So, I double bag around it, just in case. The signal monitor usually takes a second or a few to "catch up" and report no signal.

I hate to admit this, but I've heard of investigators who were overwhelmed by the amount of evidence using metal-lined snack food bags from vending machines to protect phones. What to say? In a pinch...

Also, I recommend photographing whatever is on the screen at the time it is seized, just in case it doesn't come up again. This might provide critical information, such as the last few calls, whether or not there are any voicemails or TXT messages, or the service provider from whom records can be requested.

Networked Equipment

In most cases, we don't move anything until -everything- has been photographed and documented. But, we want to disable network connectivity as quickly as possible to prevent evidence from being destroyed remotely. As a result, if a router is found, it should immediately be photographed and then the connection to the network should immediately be disconnected.

The same is true of any network cable attached to any electronic device. Photograph the connection to the network port or router and then disconnect exactly one end.

If the investigator can confidently disable the wireless connection on a device, such as by a switch or keypress that controls exactly the wireless connection, by the removal of a wireless interface card, or by disconnecting a tethered cellphone, this should be considered, but only after photographing the device, including a close-up of the wireless status light, if present. If there is any apparent change, e.g. a message on screen, a light goes off, the tethered phone says "disconnected", etc., this, too, should be photographed.

The disabling of each and every wireless device is often not necessary, because disconnecting the home's/business's access point often, though not always, suffices. The devices might be using, or switch to, a different nearby access point. Or, a device might be using mobile broadband, e.g. a 3G or 4G "mobile phone data" card, or be tethered to a cellphone.


Most present protocols call for the screen of a running computer to be photographed, then the system powered down. Next they call for detailed photos of the area, including all cables. After that, each cable should be labeled, then each end of each cable. Next, notes and diagrams should be made indicating which ends of which cables go to which ports. This includes power cables.

It is imperative that it is known which cables connect where. This information might later be used to determine how devices were powered up or down based on surge suppressors, connected or disconnected, etc. It might also be used to identify how devices were labeled within the computer's file system.

In general, after power down and labelling, protruding attached media should be disconnected for safe transportation, e.g. external hard drives, USB drives, etc. But, internal media can be left for examination at the lab. If it is visible or can easily be made visible, its presence should be noted in documentation, e.g. "Disk in top drive", and figures. But, there is no reason to poke and prod at the scene. It can be difficult, for example, to eject mounted volumes from running systems or to eject CD-ROM drives from unpowered systems. There are more controlled places to do this than at the scene.

All ports (power and data), disk drives, etc, are taped over with evidence tape. This secures whatever might be in the drive for the lab, and ensures that no port is used to alter the evidence. In short, it protects the system from spoilage.

Emerging forensics tools allow for the acquisition of copies of the core memory of a computer. This memory can later be examined to do things such as reconstruct the system's desktop, identify who was logged in and what applications were running, what data was loaded into those applications, and which encryption keys were in use to access media. Core forensics can, for example, prove to be of tremendous value in the event that the media is encrypted and those with the keys are unable or unwilling to provide them.

The flip side is that encrypted media remains rare in most cases, leaving systems powered up for longer exposes them to risk for longer, and there is no telling if the computer will react as expected to a core imaging tool, or if it might be, for example, programmed to eat itself in the event a FireWire or USB device is inserted. It is also the case that tools to analyze core remain somewhat underpowered. Nonetheless, I'd like to recommend that it be given serious consideration, especially in the event of sophisticated suspects, such as might be found in financial crimes and some pornography cases. In these cases, encryption might be more of a risk than special programming to destroy evidence.

Why do I make this recommendation? Check this out: The first prosecution based on memory analysis


Laptops should largely be handled as desktops, with three additional considerations. The first is that they usually have internal batteries. The second is that they usually have integrated wireless connectivity, e.g. Bluetooth and Wi-Fi. And the third is that they are more likely to be found in a hibernated pseudo-off state.

Laptops should never be opened in order to photograph the screens. This risks turning on a hibernated or powered-down device, altering its state. But, if the screen is visible, it should be photographed as with a desktop.

Most protocols call for the laptop battery to be removed, if possible. And, if not possible, for the system to be "hard powered down", if it isn't already, by pressing and holding the power button for 30 or more seconds. The reason that cellphones are kept powered up, and laptops are kept powered down, is that, as we'll learn, PINs are normally a much bigger hurdle on cellphones than on computers.

But, it is worth noting that laptop-sized "Faraday bags" exist. They can protect a laptop from network interference, just as they do for cellphones. In some cases, these can be considered in place of powering down the system. This might, for example, be the case if there is a substantial risk that the disk is encrypted. But, they are essential if, in any case, the system isn't certain to have been powered down.

When using RF bags to protect laptops, careful attention needs to be paid to keeping the system powered and also to preventing the system from powering itself down. In these cases, it might be necessary to change power settings. Documentation. Documentation. Documentation.

Servers in a Business Setting

Business settings are very complicated. Seizures in business settings may cause disruptions to many unrelated people. It may also be very hard to identify the correct equipment. Many business environments have infrastructure services, e.g. email servers, network storage, and firewall logs, that contain much more information than the user's endpoint.

Seizures in business settings often require the help and cooperation of the business's IT professionals and may require investigators with very specialized IT skills. The IT department representatives are often, but not always, trustable. Sometimes they can be actors or protective of their colleagues or employers. This is a ticklish dance. The class got to hear a few bits of a case I worked on where a prosecution was compromised by a "cooperating" IT employee who later turned out to be a suspect.

Anything with Communication

Anything that has the possibility of communication should be managed as appropriate. For example, wireless tablets should be managed as laptops or cellphones. GPS devices often have communications ability, etc. And, don't forget about DVD players and TiVos, etc. If these devices can be accessed remotely, they can be spoiled. And, they might well have information worth a look.

Anything with Storage

Cameras. GPSs. Game systems. DVD players. Etc. Etc. Etc. All of these systems are computers. They have storage, sometimes internal and sometimes on media cards. They might contain information about a person's activities. They might also have been hacked to serve a different purpose. They, too, should be protected and seized, as appropriate.

Passwords and PINs

As we've noted, passwords and PINs can be anywhere between show-stoppers and inconveniences or no-ops. Login passwords on computers are often not at all problematic. Many account passwords can be broken with some effort. Cellphone PINs and encrypted disks can be show-stoppers.

If there is anyone around who might know about the existence of accounts or passwords, they should be asked. They might or might not provide the information, but what's to lose?

Manuals, Notes, Papers

Manuals, notes, and papers anywhere near electronics or media to be seized are also often seized. Nearby paper often contains passwords. Manuals may later help in understanding software. Paper is often inside of other paper. So, if there is a stack of related manuals, they will often all be seized, rather than trying to sort the wheat from the chaff at the scene. Books are often searched for loose paper.

Warning to all Readers

These are unrefined notes. They are not published documents. They are not citable. They should not be relied upon for forensics practice. They do not define any legal process or strategy, standard of care, evidentiary standard, or process for conducting investigations or analysis. Instead, they are designed for, and serve, a single purpose, to help students to jog their memory of classroom discussions and assist them in thinking critically about the issues presented. The author is certainly not an attorney and is absolutely not giving any legal advice.