#Article

How to Find Digital Evidence in an Investigation


How to Find Digital Evidence in an Investigation

Knowing where to look is as important as knowing what to look for.

When gathering evidence in an investigation, it’s easy to be overwhelmed by the volume of potential sources of both physical and digital evidence. But while physical evidence is tangible, visible and collectable, simple to collect, categorize and store, digital evidence poses some unique challenges. You can’t see it, you can’t contain it and it can exist in places you never thought possible.

That’s why it’s so important for investigators to be trained in the detection, collection and storage of digital evidence. And a lack of training can explain why so many investigators make mistakes when finding, collecting and storing digital evidence.

And a lack of training can explain why so many investigators make mistakes when finding, collecting and storing digital evidence.

“Some of the biggest mistakes investigators make when handling digital evidence are not properly securing, logging or even considering evidence,” says Adam Wandt, a professor at John Jay College of Criminal Justice and researcher with John Jay College’s Center for Cyber Crime Studies.

Knowing Where to Look

“The first mistake can be not considering digital evidence properly within the chain of custody and bringing it into the investigation in the first place,” says Wandt. “You lock up a suspect, for example, for drug dealing. Today we know to get their phone right away and to analyze their phone. But you might not think to analyze their iPad, for example, not thinking they’re communicating through the iPad,” he says.

Wandt uses the Casey Anthony trial as a classic example of a case in which investigators missed a plethora of digital evidence that could have changed the outcome of the case. While investigators examined all the activity Casey had conducted using Internet Explorer, the native search engine on her Windows computer, they missed the incriminating searches she had conducted using Firefox. “All the things she denied having any knowledge about allegedly was in her browser history the entire time, but not the browser history that was looked at,” says Wandt.

And it’s not just computers and mobile devices that can hold digital evidence. “If you go after a child molester or somebody who’s a pedophile, you may not think that the PlayStation under their TV has all the evidence you need to convict them.” says Wandt. “You can go in there, seize everything, not even look at the PlayStation and walk back out. The defendant gets bailed out 24 hours later and goes home and destroys the PlayStation.”

Evidence in the Cloud

Cloud computing makes things even more complicated, says Abraham Rivera, an investigator, former ED of IT and investigative operations and law enforcement officer for the City of New York, and teacher of digital forensics at John Jay College. There’s a staggering amount of data in the cloud, and knowing where evidence might be stored in such a huge repository is a must for investigators.

The key is to know where to look, and this requires training and experience.

“If you pair your iPhone with your PC using iTunes, for example, aside from having information on your personal computer, you may also have copies of it in the cloud,” says Rivera. The key is to know where to look, and this requires training and experience.

Hidden Storage

Add to this the fact that the subject of an investigation can purposely obscure evidence by hiding it on special devices with hidden memory storage designed to evade detection. “One of my favorite ones that they sell on the market, and it’s about $30, is a USB cable that has a hidden chip inside it,” says Wandt. “Unless you know to plug in the USB cable you’ll never know there’s data one it,” he says.

“They sell these A/C power-packs that you plug into the wall that have hidden cameras in them,” says Wandt. Such a device might contain enough video evidence to convict a sexual predator. The key is for the investigator to know that these storage devices exist and to find them.

“There are so many ways to hide data these days, including in the cloud,” says Wandt. “And unless we know how to get access to this data, record this data and use this data, we’re missing giant chunks.”