Top 3 Mistakes Made On Scene with Digital Evidence
Digital devices have become so ubiquitous that virtually every crime scene now includes one or more pieces of digital evidence in the form of a mobile phone, laptop, desktop, tablet or other device. Performing a proper forensic analysis on this type of evidence can take time, but it’s often decisions and actions taken during the initial evidence collection that can make or break the case. In our experience as an outsourced digital crime lab for local, state and federal law enforcement, these are the three biggest mistakes we see made on scene.
1) Failure to Isolate a Seized Mobile Device From Cellular or Wireless Networks
Of course, the purpose of seizing a device is to analyze and investigate the information it contains, but having physical control of a digital device doesn’t mean you automatically control access to the data on that device. If a mobile device can connect to a cellular or wireless network, the evidence it contains is automatically at risk.
Mobile devices are constantly syncing with cloud-based services that store photos, contacts, emails and other documents. While convenient for most uses, these background processes can corrupt or destroy digital evidence.
The greater risk to the evidence is that the device’s owner, or anyone with the right password, can remotely wipe or lock the device. This capability is a standard option on most mobile phones and many computers, and it doesn’t require much technical knowledge to execute.
There are rare instances where you want a seized device to operate as normal for a brief time, but if you seize a device to have it forensically examined, you’ll want to isolate it from cellular, wireless and Bluetooth connectivity as soon as possible. The options for doing this will depend on the status of the device and the details of the case.
If the device is on and accessible, you can simply turn off access to any remote connection by putting the device in airplane mode and turning off wireless and Bluetooth capability.
If the device is on but not accessible, you have two options. First, you can power the phone down and/or remove its battery. This can alter data on the device, so be careful. The second, and best, option is to physically shield the device from receiving RF signals using a Faraday bag or box.
The way to be sure that you make the right choice is to plan ahead. You should expect every seizure to include at least one digital device, and the more options you consider ahead of time, the better prepared you’ll be, and the safer your evidence will be.
2) Powering On a Computer
When a computer is seized, it can be very tempting to turn it on to look for obvious evidence. In some cases of terrorism or other immediate threat, powering on a computer may be necessary. However, so many background processes run when a computer powers up that it’s almost always a mistake from the perspective of proper digital evidence handling.
Just think of your own computer. When you log on in the morning, your computer will connect to a network, run a virus check, check for software updates, sync with a cloud-based server, etc. It’s difficult to stop all these things from happening. Even if these processes don’t impact the specific evidence that’s important to a case, the mere fact that the computer is connected to the Internet means that the information is at risk of being remotely deleted or modified.
If a seized computer is off, and you don’t need it on immediately, don’t turn it on.
Digital forensic examiners have special equipment that allows them to access a computer’s storage devices without actually turning the computer on. Some departments have mobile or “field” versions of this equipment in order to conduct an on-scene analysis without corrupting the evidence. If you’re planning a seizure and you’ll need immediate access to the information on a computer or hard drive, plan accordingly to protect the digital evidence.
3) Failure to Identify and Label All Digital Evidence and Derivative Media
The final mistake that we often see relates to improperly identifying and labeling all pieces of digital evidence and their derivative media.
It’s common to seize a desktop computer and think of it as a single device. It’s a computer, right? Wrong. From a digital forensics perspective, every component of that computer that can store data is a separate piece of digital evidence that requires the same level of labeling and chain of custody documentation.
For example, a computer may have 2 internal hard drives and a flash drive connected via USB port. Each of these pieces of media has its own serial number and must be tracked in relation to the seized computer.
Even mobile phones can have multiple storage media, such as expandable storage, in addition to their SIM cards.
When you seize a computer or other digital device, be aware that it may technically be multiple devices from a forensics perspective, and ensure that each device and its derivative media is properly recorded and secured. The DA will thank you later.
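One way to check an on-scene inventory against the rule above is sketched here as an added example; it is not part of the original article or any Flashback Data tooling. The item kinds, tag scheme and the rule that a seized device with no itemized media gets flagged for a second look are assumptions, and the sample records are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Item kinds that hold data themselves versus devices that contain such media.
MEDIA = {"hard_drive", "flash_drive", "memory_card", "sim_card"}
CONTAINERS = {"computer", "mobile_phone"}

@dataclass(frozen=True)
class Item:
    tag: str                      # evidence tag written on the label
    kind: str
    serial: Optional[str]         # serial number read off the item
    parent: Optional[str] = None  # tag of the seized device it came from

def custody_gaps(items):
    """Return a list of labeling problems in an on-scene inventory."""
    by_tag = {i.tag: i for i in items}
    gaps = []
    for tag, n in Counter(i.tag for i in items).items():
        if n > 1:
            gaps.append(f"{tag}: evidence tag used {n} times")
    serials = Counter(i.serial for i in items if i.serial)
    for i in items:
        if i.kind in MEDIA and not i.serial:
            gaps.append(f"{i.tag}: {i.kind} has no serial number recorded")
        if i.serial and serials[i.serial] > 1:
            gaps.append(f"{i.tag}: serial {i.serial} appears on more than one item")
        if i.parent and i.parent not in by_tag:
            gaps.append(f"{i.tag}: parent {i.parent} is not in the inventory")
    with_media = {i.parent for i in items if i.kind in MEDIA and i.parent}
    for i in items:
        if i.kind in CONTAINERS and i.tag not in with_media:
            gaps.append(f"{i.tag}: {i.kind} logged with no storage media itemized")
    return gaps

# Constructed sample inventory (all tags and serials are made up).
SAMPLE = [
    Item("E1", "computer", "CASE-SN-0001"),
    Item("E1-A", "hard_drive", "HDD-SN-1111", parent="E1"),
    Item("E1-B", "hard_drive", None, parent="E1"),          # serial not recorded
    Item("E1-C", "flash_drive", "USB-SN-3333", parent="E1"),
    Item("E2", "mobile_phone", "PHONE-SN-0002"),            # SIM / card not itemized
    Item("E3", "sim_card", "SIM-SN-4444", parent="E9"),     # parent tag not logged
]

if __name__ == "__main__":
    for gap in custody_gaps(SAMPLE):
        print(gap)
```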
If you’re planning a significant seizure of digital evidence and want the assistance of a private, accredited digital crime lab to ensure the evidence is seized, processed and examined quickly and efficiently, contact Flashback Data.