digital forensics

The Major Differences Between Digital Forensics and eDiscovery

Almost every litigation now involves some sort of digital evidence, whether it’s a criminal case, IP theft or even family law. Depending on the unique details of the case, there are two different ways that digital evidence can be obtained, analyzed and used – eDiscovery and digital forensics. Electronic discovery will be used in almost every case. Digital forensics is used when you need to dig deeper into the digital evidence.

Electronic Discovery

Electronic discovery or eDiscovery generally collects active data. Active data is classified as information and data that is easily available through file storage and program managers utilized by a business or individual.

When collecting data through electronic discovery, the data usually goes to the legal counsel who then performs his or her own review on the data. The professionals collecting this data are simply transferring information and do not discuss the intent of the user or business. They also do not provide legal advice. Electronic discovery is useful when the only information needed involves easily accessible files such as email, calendars, documents, and databases.

If some of the information required by eDiscovery has been deleted or if there is a suspicion that it has been tampered with or altered in some way, then you’ll need to engage the assistance of a digital forensics expert.

Digital Forensics

A forensic analysis of data is needed when the litigation requires a deeper look at the information on a digital device, especially if there is a suspicion that digital evidence has been deleted or altered in some way.

A digital forensics examiner uses specialized tools and interfaces to analyze both the visible and “invisible” data on a specific piece of digital media. The “invisible” data includes things like deleted or edited files, old emails, deleted browsing or social media history, etc. In some cases these old files may not be recoverable, but a digital forensic expert may be able to demonstrate that certain files were actually deleted by a specific user at a specific time and may also uncover programs that are frequently used to encrypt, hide or delete data that a user wants to keep secret.

Common examples of data that can only be retrieved through digital forensics are:

  • Evidence that a user accessed or copied specific files from a computer network via their desktop computer. This is useful in IP theft cases.
  • Copies of files/emails that have been deleted or files/emails that used to be part of a backup process. These files are often used in family law cases.
  • Evidence of wiping software used to permanently delete large amounts of data. This information is often useful in criminal cases and some family law cases.
  • Location or activity data from a mobile device – can be used in almost any type of court case.

Digital forensic experts are brought in to produce more than data for a case. They analyze that data in hopes of finding evidence that can be used for a client. Typically, they partner with a legal team to determine what type of data they are seeking before the forensic examination takes place. Digital forensic experts are often active throughout a case and can be called on in legal proceedings to defend their claims about the information.

Maintaining Data Integrity

Regardless of what method of data collection is used, it is important that the data remains protected. When collecting data through electronic discovery, large amounts of information are transferred from the original source. Copies of the relevant files should be made to ensure that no changes are being made to the original files.

Maintaining data integrity requires more specialized tools and processes in the world of digital forensics. By definition, you’re focusing on data that is not easy to find and is often controlled by background processes on a computer. Digital forensics experts use tools to ensure that information is accessed safely. They also create what is called a “verified forensic image” of a specific device or piece of media. Unlike a standard file copy, a forensic image is a bit-for-bit copy of all of the contents of a drive, even the data that is hidden from users. Maintaining a verified forensic image is a critical component of a professional forensic exam that can hold up in court.
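As an added illustration (not code from the original post or from Flashback Data), the sketch below shows what “verified” usually means in practice: the source is hashed while it is copied block by block, the finished image is hashed again, and the recorded hash is re-checked later so that even a one-bit change is detected. The choice of SHA-256, the file names and the small constructed file standing in for a seized drive are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never has to fit in memory


def sha256_of(path):
    """Hash every byte of a file (or raw device node) in order."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Copy source to image block by block and return an acquisition record.

    The source hash is computed from the bytes as they are read; the image
    hash is computed by re-reading what was actually written to disk.
    """
    source_digest = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_digest.update(block)
            dst.write(block)
            total += len(block)
    source_hash = source_digest.hexdigest()
    image_hash = sha256_of(image_path)
    return {
        "bytes_copied": total,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def reverify(image_path, record):
    """Later check: does the image still match the hash recorded at acquisition?"""
    return sha256_of(image_path) == record["source_sha256"]


def demo():
    """Run the workflow on a constructed sample standing in for a seized drive."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence_source.bin")  # hypothetical name
    image = os.path.join(workdir, "evidence_image.dd")     # hypothetical name

    # Constructed content: visible data, empty space, then leftover bytes of a
    # "deleted" file that an ordinary file copy would never pick up.
    with open(source, "wb") as fh:
        fh.write(b"ACTIVE FILE DATA" + b"\x00" * 4096 + b"remnant of deleted file")

    record = acquire_image(source, image)
    intact = reverify(image, record)

    # Simulate accidental or deliberate alteration: flip a single bit.
    with open(image, "r+b") as fh:
        fh.seek(100)
        original = fh.read(1)
        fh.seek(100)
        fh.write(bytes([original[0] ^ 0x01]))

    after_change = reverify(image, record)
    return record, intact, after_change


if __name__ == "__main__":
    record, intact, after_change = demo()
    print("acquisition record:", record)
    print("image matches record before change:", intact)
    print("image matches record after one-bit change:", after_change)
```

In a real acquisition the source would be read through a write blocker with a dedicated imaging tool; the hash comparison is the part this example demonstrates.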

When to Consider Digital Forensics

The use of digital forensics in IP theft, family law and criminal cases is increasing rapidly. As digital devices become a constant fixture in our lives, any investigation of a person or entity’s activities must include an investigation of their digital footprint.

Courts are less willing to grant blanket access to all the data associated with a person or company and require details of the specific information that will support a specific case.

If you expect your case to be contentious or you suspect that data has been altered or deleted, it helps to bring in a digital forensics expert as soon as possible. They can help preserve data from the start and find deleted data or evidence of deleted data to help make your case.

The experts at Flashback Data have helped hundreds of law firms in the areas of IP theft, family law and criminal defense. Our digital crime lab is accredited under the same program as the FBI and state labs and we offer fast turnaround time to support the needs of your case. Contact us for more information or

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.

UPDATED 7/16/18; ORIGINALLY POSTED 6/30/17


Choosing The Right Private Digital Crime Lab

The 6-18 month backlog at most RCFLs and state digital crime labs is forcing law enforcement and DA’s to consider alternatives to handle their growing need to analyze digital evidence. Private digital crime labs offer a compelling alternative to the RCFL or state lab with the ability to recover evidence from a wider range of devices and to deliver much faster turnaround times.

If you’re considering working with a private lab, here are a few suggestions to help you make the right choice for your department.

1) Lab Accreditations

Before you hire a private lab, you will obviously need to believe that they’re experts in the field of digital forensics. However, the question you should be asking is not whether YOU believe they’re experts but whether a COURT would believe they’re experts in the face of an adversarial cross-examination.

The most objective way to determine if a digital crime lab has institutional expertise is to look for 3rd party accreditations like those used by the FBI and state crime labs. The most well known of these accrediting bodies is the ASCLD/LAB International. This type of accreditation verifies that the lab follows procedures that produce accurate, consistent and reproducible findings. If you’re going to hire a private crime lab, you should consider such an accreditation as a minimum requirement.

2) Concise, Readable Reports

Expertise is obviously important, especially if a case goes to trial, but the ability to communicate a set of forensic findings clearly and concisely is almost more important. After all, not every case goes to trial, but every case with digital evidence will have a forensic findings report. If a lab’s typical findings report can’t be easily understood by officers, detectives and attorneys then it has little value. Ask to see a few sample reports from prospective labs to see how clear and concise they actually are.

3) Budget Predictability and Flexibility

Cost is obviously a primary concern when hiring an outside lab. Rather than focusing on the hard dollar costs or an hourly rate, think about how you can structure an agreement that can give you a mix of predictability and flexibility. You’d like to fix the costs (predictability) and still have the ability to handle any of the wide range of digital devices your officers may encounter (flexibility). Some labs package their services in predefined “units” based on common device types so you can purchase a block of “units” and then use them in whatever combination you need.

4) Litigation Support

A final consideration is a lab’s ability to provide expert testimony via deposition or in court as necessary. While you may need this type of support only on occasion, it’s important to understand how well a lab can support and defend their analysis. Ask potential lab partners about their experience testifying in court and their availability to do so. You’ll also want to ask about the specific certifications that the examiners maintain. The accreditation of a lab is important to ensure consistency but if an examiner has to take the stand, you’ll also want to know that he or she has sufficient individual credentials as well.

If you’re considering hiring a private digital crime lab to support your department, contact Flashback Data. We work with law enforcement and DA’s around the country and are accredited under the same program as the FBI and state crime labs. We provide digital forensics services from pre-seizure planning through litigation, and offer a range of convenient packages that give you predictable costs and flexible service options.


Most Popular Digital Forensics Posts

We’ve assembled the 5 Digital Forensics posts that have been most popular with our readers in the law enforcement community. Check them out.

1.   3 Words Never To Use in a Courtroom

2.   Top 3 Mistakes Made On Scene with Digital Evidence

3.   Forensic Options for Locked or Broken Mobile Devices

4.   Securing Digital Evidence in a Water Emergency

5.   Forensics on Digital Images: Worth More Than 1,000 Words

If you or your team want help training officers on dealing with digital evidence on scene or you need help with forensic analysis of digital evidence, contact Flashback Data.

We help law enforcement and DA’s around the country with digital forensics analysis and are the first private digital crime lab accredited under the same program as the FBI and state labs.


Most Popular On-Scene Digital Forensics Tips

Digital devices present unique challenges to officers who may need to secure evidence from those devices. Decisions made by officers during the first few moments on scene can have far-reaching effects on the department’s ability to secure that evidence and eventually make a case.

Don’t miss our most popular on-scene tips to help officers protect and secure digital evidence.

1. Top 3 Mistakes Made On Scene with Digital Evidence

2. Securing Digital Evidence in a Water Emergency

3. On-Scene Tips for Securing Computers for Forensic Analysis

 


Hidden Costs of an Internal Digital Forensics Lab

Many of our law enforcement clients currently have or have had their own internal digital crime lab. At some point, each of these departments built their own lab, but have moved away from that decision over time.

Here are the top 4 things these customers have told us about the hidden costs of running your own digital crime lab.

1) It takes longer than expected to develop in-house expertise.

Departments that choose to staff their lab with an existing sworn officer instead of an experienced civilian forensic examiner tell us that they underestimated how long it takes to develop digital forensics expertise.

The minimal training for a new examiner involves classes on basic forensic analysis and mobile device forensics. These classes are typically several weeks each and require travel.  In addition, new examiners need hands-on practice and need time to get familiar with new equipment.  Altogether, it can be six months before a new examiner is able to perform his or her first real forensic exam.

It takes another 12 months of regular work for that new examiner to be at the level of a “junior” examiner in the civilian world. Our clients tell us that during that 18 months, they’re still sending their most important and complex cases to the RCFL or a private lab.

2) Keeping your infrastructure up-to-date is surprisingly expensive.

An in-house digital forensics lab requires some up-front investment in equipment and software in order to properly track, manage, analyze and report on digital evidence. The costs associated with these up-front investments can easily run into the tens of thousands of dollars, but are predictable.

What is less predictable is the cost of keeping that equipment and software up to date. A digital crime lab must stay abreast of and be able to forensically analyze virtually every new device and operating system that comes along. It may be ok to skip a few upgrade cycles for your personal computer or mobile device, but your forensic analysis software and equipment has to stay as close to the cutting edge as possible.

3) It’s expensive to keep your expertise current

In addition to keeping your equipment and software up to date, you’ll also need to keep your examiners trained on the most up-to-date developments in digital forensics. In order to maintain an IACIS certification (which is highly recommended), your examiner will need to have 60 hours of continuing education every three years.

Even without this requirement, you would want your examiner to get at least that much training regularly to stay abreast of new technologies and forensic techniques.

4) The role of Digital Forensic Examiner doesn’t fit well into a typical law enforcement career path, and turnover is higher than expected.

Finally, our clients tell us that their department’s promotion and compensation systems aren’t set up to include the job of digital forensic examiner. Becoming a forensic examiner might sound like an attractive option to a career officer at first: move off the street and into the office, get lots of new training, and make at least as much as you did before.

However, options for promotion and raises can be minimal for a digital forensics examiner. We’ve talked to examiners who love their job, but simply can’t continue to forgo the promotions and raises associated with a more traditional law enforcement career path. The challenges of ramping up a new examiner and keeping that examiner well-trained are compounded when you have high turnover among your examiners.

If your department is struggling to maintain an effective in-house crime lab or if you want to explore the potential of working with an accredited, private digital crime lab, contact Flashback Data today.

We work with law enforcement and DA’s around the country and provide faster turnaround than your local RCFL or state crime lab.


Paying for a Private Digital Forensics Lab

Private computer forensics labs offer a great alternative to a local RCFL, state lab or even an in-house lab. They provide cutting-edge expertise, fast turnaround times (days or weeks instead of months or years) and can often deliver service that is more customized to the specific needs of each case. The question, of course, is how much does a private lab cost and how do you pay for it?

What is the Cost?

No matter the details or complexity of your case, you want the same deliverable – a concise forensic analysis that can stand up in court. The general cost of a digital forensic analysis can range from a few hundred to a few thousand dollars depending on the complexity of the case and the number of devices involved. Generally, simple cases that involve a single mobile device can cost a few hundred dollars. More complex cases with multiple devices and device types that require an examiner to testify in court can cost several thousand dollars.

Package Options

If you’re looking for a private lab that is more than an occasional, one-off solution, you may opt for a package option. Some digital forensics labs offer casework packages that let you choose a fixed annual price for a pre-defined quantity of work.  Rather than buying hours, you’re buying case “units” based on common device types. For example, a simple mobile device acquisition may be 1 unit and a damaged mobile device that requires a chip-off or JTAG process may be 3 units.

This approach lets you select an annual budget amount that your department can afford and still have the flexibility to pursue cases that include a wide range of device types.

Justifying the Expense

Finding money for a private digital crime lab can be difficult. As with most expenses, the question is not what the actual cost is but how that cost compares with your next best alternative. Flashback Data serves as the outsourced digital forensics lab for law enforcement agencies across the country.  The two most common ways that our customers justify their partnership with us are:

  • It’s cheaper than maintaining an in-house lab. Lots of departments that choose to build an in-house lab underestimate the ongoing costs associated with keeping their examiners trained and their equipment and software up-to-date, not to mention the headache of actually managing a lab. A private digital forensics lab can offer cutting edge expertise, equipment and results at a more affordable cost than an in-house lab.
  • Save money on overtime. If you’re paying officers overtime to maintain surveillance during a critical investigation, waiting 6 months to analyze a seized mobile device costs your department real money. Many of our law enforcement customers rely on our rapid turnaround time to finish cases faster and save unnecessary overtime.

If you’re considering using a private digital forensics lab, contact Flashback Data today. We can be your own private forensics lab or can help with one-off cases as needed. We’re proud to be the first private digital forensics lab accredited under the same program as the FBI and state crime labs.


On Scene Tips: Securing Computers for Forensic Analysis

Choices you make in securing digital evidence on scene can make or break your department’s ability to recover evidence and make a case. In the past, we’ve covered common mistakes made on scene  and offered advice for water emergencies. Today we share best practices for securing a computer, especially one that is powered ON and potentially encrypted.

In a previous post, we talked about ways to secure mobile devices and computers that are powered OFF. We encourage you to read that entire post, but if you seize a computer that is OFF, don’t turn it ON. Just bag it, tag it and send it to the digital crime lab for analysis.

If A Computer is ON and Accessible

If the computer is ON and accessible, the traditional way to secure the evidence is to unplug the device from its power source. This prevents any unexpected changes to data that may occur during a “normal shutdown”. However, the increasing use of data encryption is forcing first responders to change that protocol slightly. If the computer is ON and accessible, you’ll need to perform a few cursory checks for encryption before you do anything else.

If a hard drive is encrypted, the data on that drive is effectively inaccessible to a forensic examiner (or anyone) without the appropriate password. So if you come across a computer that is ON, accessible and encrypted, you have a unique opportunity to access the data on that drive that will be lost if you simply pull the plug and process it like other devices. If you believe that the device is encrypted, you should immediately seek the help of a trained forensic examiner, who may perform a field analysis of the device.

Determining If The Data Is Encrypted

Detecting full disk encryption on a computer that is ON may be as easy as identifying the operating system and its version, and knowing whether that version supports a full disk or full volume encryption scheme such as Windows BitLocker. BitLocker is available on most modern versions of Windows and is enabled by default on certain clean installs of Windows 8.1 Pro and higher.

To check for Windows BitLocker, you’ll need to view a list of the computer’s hard drives or volumes. From the START menu, click on COMPUTER or FILE EXPLORER. From there you should see a list of the storage media connected to the computer. A BitLocked drive will have a closed LOCK through the icon. (see the image below)


BitLocker Enabled on Windows 10

Close attention should also be given to the volume names at this point. The presence of a volume name that contains the word “CRYPT”, “VAULT”, “LOCKED” or similar phrase should serve as a clue that volume level encryption may be present.

If BitLocker can be ruled out, then a minimally intrusive look for other encryption tools should be undertaken.

STEP 1 – Check the Desktop: Perform a close visual inspection of all desktop icons. Note any programs with names like PGP, VeraCrypt, TrueCrypt, BestCrypt or FreeOTFE.

STEP 2 – Check the System Tray: Visually inspect the systray area (usually in the lower right of the screen) to check for icons associated with FreeOTFE.

STEP 3 – Check the Program List: Review the list of program files for applications capable of providing encryption. You can see this list from START > PROGRAMS (or All Programs) or in the PROGRAM FILES folder in FILE EXPLORER. Look for names including PGP, VeraCrypt, TrueCrypt, BestCrypt, Jetico, Kremlin, Protector, Shredder, and anything containing the word Encrypt or Crypt.

Any of these programs or icons indicates the presence of an encrypted drive or volume. Photograph these icons and immediately seek the assistance of a trained examiner.

If you complete this triage and do not detect any suspicious items, then disk encryption is likely not present, and you can proceed accordingly.

If you need help with a planned seizure or with forensic data analysis, contact Flashback Data today. We work with law enforcement and DA’s around the country and provide faster turnaround than your local RCFL or state crime lab.

Securing Digital Evidence in a Water Emergency

Water and electrical devices do not mix, especially if the device contains valuable data. When you’re on scene in a water emergency, the decisions you make in handling potential digital evidence can have huge impacts down the line in your department’s ability to recover evidence and use it to make a case. We’d like to share a few on-scene tips to help protect digital evidence that may be damaged by water.

How Water Damages Electronic Devices

Before we talk about what to do with a device in water, it helps to understand the two most common ways that water actually damages electronic devices.

Electrical Damage

Water is rarely pure water. It contains dissolved electrolytes, such as sodium chloride (table salt). Pure water is a very poor conductor of electricity, but when it contains ions (sodium and chloride), it can act as a good conductor of electricity. So, if this ion-filled water commonly known as tap, coastal, lake, river, or sewage water comes into contact with any electronic device in an ON state, it is going to make connections in places where there should be no connections. This can result in a large current, which in turn, damages the circuit.

Corrosion

Corrosion is another problem when water is involved with electronic devices. Corrosion happens when you have long-term exposure to water. The electrical connections within electronic devices are made of metal. When that metal comes into contact with water, it starts corroding and converting to another non-conducting compound. The additional ions that water contains can speed up this process of corrosion. If the metal connection between two parts of a circuit is sufficiently corroded, the connection is broken and the electronic device stops working.

What To Do On Scene

The decisions you make on scene in a water emergency can have significant impacts on your department’s ability to recover and analyze digital evidence for future use. We recommend the following steps to help protect the integrity of digital evidence in a water emergency:

1) Assume The Device Was Powered On

Technically, it matters whether a device is in the ON state or OFF state when disaster strikes. If the device is in its OFF state, it is very possible that it will start working as long as you dry and clean it up sufficiently before turning it on, as the dried water can no longer make any undesired connections. This can be done using rice, solvent, or other methods that will absorb or displace the water content without leaving anything to interfere with the circuit.

Unfortunately, when most disasters or accidents strike, devices found are in an unknown state. It is unknown if the device was originally in the OFF or ON state. The most conservative approach from a data recovery perspective is to assume the device was ON and has short-circuited.

2) If It’s Dry, Keep It Dry

This may sound obvious, but even a well-intentioned effort to wipe down a device with a damp cloth can do permanent damage. If a digital device has dried after a flood, storm or fire, it’s best to keep it dry. Simply get the device as it is to your digital crime lab and make sure they know it may have water damage. If there are contaminants on or inside the media, an accredited crime lab will follow specific protocols when recovering data to address any potential contaminants.

3) If It’s Wet, Keep it Wet

If the device is still wet, DON’T TRY TO DRY IT! Trying to dry a wet electronic device on scene is usually done with the best of intentions, but it’s a mistake from a data recovery perspective. As noted above, it’s not the actual water that does the damage, but the ions and contaminants in the water. If you try to dry the device you may be ensuring that those ions stay in places they shouldn’t be. The most conservative approach is to package the media with a wet towel and immediately send it to the digital crime lab.

4) If It’s Submerged, Keep It Submerged (In Distilled Water)

In a flood emergency, you may find digital devices that are completely submerged. In this situation, don’t try to dry the device. Instead, place the device in a bucket of distilled water and get it to a digital crime lab. Remember that it’s the extra ions from things like salt or other contaminants in the water that damage the device, not the water itself. Distilled water is, by definition, pure water that doesn’t contain the additional ions that can do damage.

It sounds counterintuitive to bring water to a flooded crime scene, but if you need to secure digital evidence during a flood emergency, a few gallons of distilled water could help you make the case.

If you need help recovering digital evidence that may have water damage, contact Flashback Data. We’ve worked with devices damaged by hurricanes, floods, fires and sabotage. We are the first private crime lab accredited under the same specifications as the FBI and state labs. We can help you prepare, recover, analyze and use digital evidence especially in unique and time-sensitive cases.


3 Questions to Ask When Hiring a Private Digital Crime Lab

The 6 to 18 month backlog to process digital evidence at almost every state crime lab and RCFL is forcing law enforcement agencies to consider alternatives, especially for high-profile and time-sensitive cases. Private labs and digital forensics services are available to help, but law enforcement needs to be aware of the differences in working with a public lab and a private lab or expert. Here are the three most important questions to ask a private digital forensics lab or service before you hire them:

1) What accreditation does your lab maintain?

The same third-party organizations that offer accreditation to state and federal crime labs are also available to private labs. This isn’t a question you ever have to ask a state lab, but it’s a “must” before working with any private lab. Maintaining accreditation through a third party organization, such as ASCLD/LAB-International, ensures that the lab follows specified policies and procedures, validates tools, and keeps its team trained and competent within their field of expertise. Is it possible to get a great forensic analysis from a lab that isn’t accredited? Of course it is, but an accreditation makes the evidence much more bullet proof in court.

2) Can I review a sample, redacted findings report?

This is another question you would rarely ask a state lab. They typically have such a high volume of cases that their reports are standardized and can be somewhat limited. With a more manageable case load, private labs are able to conduct more in-depth investigations and provide more detailed explanations of their findings within a report. Always ask for a redacted lab report to review in order to get a sense of the quality of reporting. Of course, quality does not just mean more detail. The report should be clear, concise and easy for a case agent and district attorney to understand. Forensic examiners at private labs frequently testify in court, so it’s also important to ask for the CV of the examiner who will work on your evidence.

3) How much will it cost?

OK, you probably won’t forget to ask this one, but it’s the biggest difficulty of dealing with a private lab. While public labs aren’t free, their cost has already been included in your department’s budget, regardless of how long their backlog is. You’re going to have to fight for some budget authority, even if the payoff is easy to justify with something like reduced surveillance overtime. You should ask the private lab if they have options that can be structured like a budget line item. Many labs have “case work packages” where you pay a fixed amount for a budget year that can be applied to specific cases as needed. The flexibility and fast turnaround times available with private digital forensics labs like Flashback Data offer huge benefits to law enforcement agencies. It’s important to know how and when to engage a private lab in a way that will get your case completed quickly and ensure that any evidence can stand up in court.

If you’re interested in getting the help of a private digital crime lab for better, faster forensic investigation contact Flashback Data.


Top 3 Mistakes Made On Scene with Digital Evidence

Digital devices have become so ubiquitous that virtually every crime scene now includes one or more pieces of digital evidence in the form of a mobile phone, laptop, desktop, tablet or another device. Performing a proper forensic analysis on this type of evidence can take time, but it’s often decisions and actions taken during the initial evidence collection that can make or break the case. In our experience as an outsourced digital crime lab for local, state and federal law enforcement, these are the three biggest mistakes we see made on scene.

1) Failure to Isolate a Seized Mobile Device From Cellular or Wireless Networks

Of course, the purpose of seizing a device is to analyze and investigate the information it contains, but having physical control of a digital device doesn’t mean you automatically control access to the data on that device. If a mobile device can connect to a cellular or wireless network, the evidence it contains is automatically at risk.

Mobile devices are constantly syncing with cloud-based services that store photos, contacts, emails and other documents. While convenient for most uses, these background processes can corrupt or destroy digital evidence.

The greater risk to the evidence is that the device’s owner, or anyone with the right password, can remotely wipe or lock the device. This capability is a standard option on most mobile phones and many computers, and it doesn’t require much technical knowledge to execute.

There are rare instances where you want a seized device to operate as normal for a brief time, but if you seize a device to have it forensically examined, you’ll want to isolate it from cellular, wireless and Bluetooth connectivity as soon as possible. The options for doing this will depend on the status of the device and the details of the case.

If the device is on and accessible, you can simply turn off access to any remote connection by putting the device in airplane mode and turning off wireless and Bluetooth capability.

If the device is on but not accessible, you have two options. First, you can power the phone down and/or remove its battery. This can alter data on the device, so be careful. The second, and best, option is to physically shield the device from receiving RF signals using a Faraday bag or box.

The way to be sure that you make the right choice is to plan ahead. You should expect every seizure to include at least one digital device, and the more options you consider ahead of time, the better prepared you’ll be, and the safer your evidence will be.

2) Powering On a Computer

When a computer is seized, it can be very tempting to turn it on to look for obvious evidence. In some cases of terrorism or other immediate threat, powering on a computer may be necessary. However, so many background processes run when a computer powers up that it’s almost always a mistake from the perspective of proper digital evidence handling.

Just think of your own computer. When you log on in the morning, your computer will connect to a network, run a virus check, check for software updates, sync with a cloud-based server, etc. It’s difficult to stop all these things from happening. Even if these processes don’t impact the specific evidence that’s important to a case, the mere fact that the computer is connected to the Internet means that the information is at risk of being remotely deleted or modified.

If a seized computer is off, and you don’t need it on immediately, don’t turn it on.

Digital forensic examiners have special equipment that allows them to access a computer’s storage devices without actually turning the computer on. Some departments have mobile or “field” versions of this equipment in order to conduct an on-scene analysis without corrupting the evidence. If you’re planning a seizure and you’ll need immediate access to the information on a computer or hard drive, plan accordingly to protect the digital evidence.

3) Failure to Identify and Label All Digital Evidence and Derivative Media

The final mistake that we often see relates to improperly identifying and labeling all pieces of digital evidence and their derivative media.

It’s common to seize a desktop computer and think of it as a single device. It’s a computer, right? Wrong. From a digital forensics perspective, every component of that computer that can store data is a separate piece of digital evidence that requires the same level of labeling and chain of custody documentation.

For example, a computer may have 2 internal hard drives and a flash drive connected via USB port. Each of these pieces of media has its own serial number and must be tracked in relation to the seized computer.

Even a mobile phone can have multiple storage media, such as expandable storage, in addition to its SIM card.

When you seize a computer or other digital device, be aware that it may technically be multiple devices from a forensics perspective, and ensure that each device and its derivative media is properly recorded and secured. The DA will thank you later.
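The labeling rule in this section, as an added example (not from the original article or from Flashback Data): a Python check over an on-scene inventory that treats every storage medium as its own evidence item tied to the device it was seized with. The tag scheme, field names, serial numbers and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Item:
    tag: str                      # evidence tag assigned on scene (constructed scheme)
    kind: str                     # what the item is
    serial: str                   # serial number read from the item's label
    parent: Optional[str] = None  # tag of the seized device it was found in or on
    custody: list = field(default_factory=list)  # (time, holder, action) entries

def audit(items):
    """Return (tag, problem) findings for an on-scene evidence inventory."""
    findings, tags, serials = [], {i.tag for i in items}, {}
    for i in items:
        if not i.serial.strip():
            findings.append((i.tag, "no serial number recorded"))
        elif i.serial in serials:
            findings.append((i.tag, "same serial as " + serials[i.serial]))
        else:
            serials[i.serial] = i.tag
        if i.parent is not None and i.parent not in tags:
            findings.append((i.tag, "parent " + i.parent + " not in inventory"))
        if not i.custody:
            findings.append((i.tag, "no chain-of-custody entry"))
    return findings

def media_of(items, tag):
    """Tags of every storage medium tracked against one seized device."""
    return [i.tag for i in items if i.parent == tag]

SEIZED = ("2024-01-01T10:00", "Officer A", "seized")  # constructed custody entry

# Constructed inventory: the desktop from the text plus a phone, with deliberate defects.
INVENTORY = [
    Item("E-001", "desktop computer", "PC-1111", None, [SEIZED]),
    Item("E-001-A", "internal hard drive", "HD-2222", "E-001", [SEIZED]),
    Item("E-001-B", "internal hard drive", "HD-3333", "E-001", [SEIZED]),
    Item("E-001-C", "USB flash drive", "FD-4444", "E-001", []),  # never logged
    Item("E-002", "mobile phone", "PH-5555", None, [SEIZED]),
    Item("E-002-A", "SIM card", "SM-6666", "E-002", [SEIZED]),
    Item("E-002-B", "expandable storage card", "", "E-002", [SEIZED]),  # no serial
    Item("E-003-A", "external drive", "HD-2222", "E-003", [SEIZED]),  # orphan, reused serial
]

if __name__ == "__main__":
    for tag, problem in audit(INVENTORY):
        print(tag, "-", problem)
```

Running the audit before leaving the scene surfaces the flash drive with no custody entry, the storage card with no serial, and the drive whose parent device was never tagged.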

If you’re planning a significant seizure of digital evidence and want the assistance of a private, accredited digital crime lab to ensure the evidence is seized, processed and examined quickly and efficiently, contact Flashback Data.