
Cybercrime and the Significance of Electronic Media Taken from Damaged Devices as Evidence in Crime Investigations

Vernon Fryer • November 15, 2024

Incorporation of digital evidence in crime investigations

In an effort to fight cybercrime and to collect relevant digital evidence for all crimes, law enforcement is incorporating the collection and analysis of digital evidence into their case dockets and investigating departments.

Digital forensics essentially involves a three-step, sequential process:

  1. Seizing the media.
  2. Acquiring the media; that is, creating a forensic image of the media for examination.
  3. Analyzing the forensic image and its metadata rather than the original media. This ensures that the original media are not modified during analysis and helps preserve the probative value of the evidence.

Large-capacity media seized as evidence, such as computer hard drives, cell phones and external drives, may be 1 terabyte (TB) or larger. This is equivalent to about 17,000 hours of compressed recorded audio. Today, media can be acquired forensically at approximately 1.5 gigabytes (GB) per minute.

The forensically acquired media is stored in a RAW image format, which results in a bit-for-bit copy of the data contained in the original media without any additions or deletions, even for the portions of the media that do not contain data.

This means that a 1 TB hard drive will take approximately 11 hours for forensic acquisition. Although this method captures all possible data stored in a piece of digital media, it is time-consuming and creates backlogs.
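As an added illustration of steps 2 and 3 above (this is example code written for this post, not code from the original article or from Risk Diversion), the Python script below performs a RAW, bit-for-bit acquisition of a constructed sample "device" file, hashes the source while reading it and the image after writing it so the copy can be verified, re-hashes the source after analysis to show it was not modified, and applies the 1.5 GB per minute figure quoted above to estimate acquisition time. The file names, the sample contents and the function names are assumptions made for the example; a real acquisition reads the block device through a write blocker with a purpose-built imaging tool, but the verification logic is the same.

```python
"""Added example: RAW acquisition of a constructed sample device with hash verification.

Not code from the original post. Paths, sample contents and function names are
assumptions made for the illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 64 * 1024  # read/write in 64 KiB blocks, as an imaging tool streams a device

# Constructed sample "media": a small used region followed by zero-filled
# unallocated space. A RAW image copies the zero-filled region too.
DEMO_MEDIA = b"CONSTRUCTED SAMPLE: suspect notes\n" + bytes(range(256)) * 16 + b"\x00" * 8192


@dataclass
class AcquisitionRecord:
    source: str          # original media (assumed path)
    image: str           # forensic image written during acquisition
    bytes_copied: int
    source_sha256: str   # hash of the source, computed while reading it
    image_sha256: str    # hash of the image, re-read independently after writing

    @property
    def verified(self) -> bool:
        """The image is a bit-for-bit copy if both hashes agree."""
        return self.source_sha256 == self.image_sha256


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 without loading it all into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_raw_image(source: str, image: str) -> AcquisitionRecord:
    """Copy every byte of `source` into `image` and record hashes of both sides."""
    digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return AcquisitionRecord(source, image, copied, digest.hexdigest(), sha256_of(image))


def source_unchanged(record: AcquisitionRecord) -> bool:
    """Re-hash the original after analysis; a match shows it was not modified."""
    return sha256_of(record.source) == record.source_sha256


def estimate_acquisition_hours(size_bytes: int, rate_gb_per_min: float = 1.5) -> float:
    """Acquisition time at the post's quoted rate (decimal GB, 1 GB = 10**9 bytes)."""
    return size_bytes / (rate_gb_per_min * 10**9) / 60


def demo_acquisition() -> AcquisitionRecord:
    """Write the constructed media to a temp file, image it, then 'analyze' the image."""
    workdir = tempfile.mkdtemp(prefix="acq-demo-")
    source = os.path.join(workdir, "device.bin")   # stands in for the seized media
    image = os.path.join(workdir, "device.raw")    # RAW image examined instead
    with open(source, "wb") as fh:
        fh.write(DEMO_MEDIA)
    record = acquire_raw_image(source, image)
    # Analysis touches only the image; the source is never opened for writing.
    with open(image, "rb") as fh:
        _ = fh.read(len(DEMO_MEDIA))
    return record


if __name__ == "__main__":
    rec = demo_acquisition()
    print(f"copied {rec.bytes_copied} bytes, verified={rec.verified}, "
          f"source unchanged={source_unchanged(rec)}")
    print(f"1 TB at 1.5 GB/min: {estimate_acquisition_hours(10**12):.1f} hours")
```

Running the script reports that the image hash matches the source hash and that the source hash is unchanged after the image was read; the two hash values, together with the byte count, are what an examiner records to show the copy is complete and the original untouched.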

Some new ways of committing crimes involve electronic devices, and in these cases the only evidence is electronic evidence. The very nature of data and information stored in electronic form, unlike traditional records, makes it easier to manipulate.

Several forensic models or Standard Operating Procedures (SOPs) have been created to address various levels of investigative complexity. Risk Diversion has developed various training models which require uniformity during an investigation.

Even within law enforcement, there are instances where evidence is found not to be admissible in a court of law. This highlights the need to develop a thorough process model for digital forensic inquiry. To ensure that search and seizure is conducted in a forensically sound manner, the correct SOP must be followed.

The SOP is crucial so that the process is applicable across investigations. However, it may be insufficient to support novice digital forensic practitioners. Consider flying an airplane, which may appear to involve only three steps: take off, fly and land. An experienced pilot may have no problem completing the task even if unforeseen circumstances arise; novice pilots, however, are more likely to ask additional questions to gather more detailed information about the flight.

Applying the scenario to a digital forensic investigation: if a person is ordered to collect information from a system according to the order of volatility, it is assumed that the person knows the order of volatility and can execute the task without error, so that enough evidence is gathered.

Similarly, a process model should be comprehensive enough to provide insight into the entire investigation process and to support and improve usability for digital forensic practitioners.

Digital forensics deals with the collection of digital evidence from cybercrime scenes and from other crime scenes.

A cybercrime scene is one computer (or more computers) attacking another computer (or more computers) through some means. It is important that material recovered from the crime scene is usable as evidence and is complete in the context of the investigation. There are three types of forensics that refer to computer systems and electronic evidence. Evidence does not have to originate from a computer; it may come from another device we associate with a computer, for example a printer, a router, a tablet, a smart watch or a drone.

  • The first type is traditional digital forensics: the collection of digital evidence from a computer, a disk or any device that includes a computer or is considered capable of creating or processing electronic (digital) data.

  • The second type of digital forensics is cyber-forensics or network forensics. It involves gathering evidence showing that certain digital data has crossed a medium between two points in the network. Evidence of this kind is always collected by drawing conclusions from a device on the path.

For example, we cannot physically see data passing over the Internet. However, a sniffer can be used to record packets of data as they are sent and to obtain an interpretation of those packets. Alternatively, we can compare the sender's and the receiver's records on the two devices believed to have communicated and conclude from those records that the transfer took place. Most often this requires collecting data directly from the hard disk.
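To show what an "interpretation" of a recorded packet looks like in practice, here is an added Python example (written for this post, not code from the original article or from Risk Diversion) that builds a constructed one-packet capture in the classic pcap format and then parses it, recovering the timestamp, the two IPv4 endpoints and the UDP ports. That record is the kind of evidence an investigator uses to show that data crossed between two points in the network. The IP addresses (taken from documentation ranges), MAC addresses, ports and payload are constructed sample values, and the function names are assumptions. The parser also stops cleanly at a truncated record, which matters when a capture was cut short, rather than misreading the remainder.

```python
"""Added example: build a constructed classic-pcap capture and interpret its packets.

Not code from the original post. Addresses, ports and payload are constructed
sample values; the function names are assumptions for the illustration.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution pcap, little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic as seen when the writer was big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class PacketRecord:
    timestamp: float
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    payload_len: int


def build_sample_pcap() -> bytes:
    """Constructed capture: one UDP datagram 192.0.2.10:40000 -> 198.51.100.5:53."""
    payload = b"constructed-sample-payload"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + len(udp), 0x1234, 0, 64, IPPROTO_UDP, 0,
                       socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.5")) + udp
    frame = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
             + struct.pack("!H", ETHERTYPE_IPV4) + ipv4)
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1700000000, 250000, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def decode_frame(timestamp: float, frame: bytes) -> Optional[PacketRecord]:
    """Ethernet -> IPv4 -> TCP/UDP; returns None for frames this example does not interpret."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    transport = ip[ihl:total_len]
    sport = dport = None
    payload_len = len(transport)
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(transport) >= 4:
        sport, dport = struct.unpack("!HH", transport[:4])
        if proto == IPPROTO_UDP:
            hdr_len = 8
        else:                                      # TCP data offset lives in byte 12
            hdr_len = (transport[12] >> 4) * 4 if len(transport) >= 13 else 20
        payload_len = max(0, len(transport) - hdr_len)
    return PacketRecord(timestamp, src, dst, proto, sport, dport, payload_len)


def parse_pcap(data: bytes) -> List[PacketRecord]:
    """Walk the capture's records; stop cleanly if the file is truncated."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:                  # truncated record: do not guess at the rest
            break
        offset += incl_len
        decoded = decode_frame(ts_sec + ts_usec / 1_000_000, frame)
        if decoded:
            records.append(decoded)
    return records


if __name__ == "__main__":
    for rec in parse_pcap(build_sample_pcap()):
        print(f"{rec.timestamp:.6f} {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} "
              f"proto={rec.proto} payload={rec.payload_len} bytes")
```

The output line pairs a timestamp with the two endpoints, which is what allows the capture to be matched against the sender's and receiver's own records, as the paragraph above describes.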

  • The third type is forensic analysis of software, which deals with identifying the author of a piece of software from the code itself.

Digital forensics provides the relevant electronic evidence needed to prove a criminal offense, and the guilt of the perpetrators, before the court.

  • Hardware chip-off involves extracting evidence from devices with damaged hardware components whose data cannot be recovered using normal software methods.

Collecting evidence from damaged electronic media with the chip-off method involves four simple steps.


It is important for computer forensics investigators to understand the vast array of digital devices they may encounter at a crime scene. This knowledge is essential because each device needs to be handled differently, and investigators must maintain and update a collection of power and data cables over time. Moreover, each device is associated with different types of evidence and requires a different methodology for acquiring that evidence.

Finally, the handling of computer hardware in an investigation has legal ramifications. Evidence must be seized and handled in accordance with standard operating procedures that follow the law. Ultimately, the process by which you acquired the evidence is just as important as the evidence itself.


