9.2 Identification



Identification of digital evidence is a two-fold process. First, digital investigators have to recognize the hardware (e.g. computers, floppy disks, network cables) that contains digital information. Second, digital investigators must be able to distinguish between irrelevant information and the digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator. During a search, manuals and boxes related to hardware and software can give hints of what hardware, software, and Internet services might be installed/used.

9.2.1 Identifying Hardware

There are many computerized products that can hold digital evidence, such as telephones, handheld devices, laptops, desktops, larger servers, mainframes, routers, firewalls, and other network devices. There are also many forms of storage media, including compact disks, floppy disks, magnetic tapes, high capacity flip, Zip and Jaz disks, memory sticks, and USB storage devices (Figure 9.1).

Figure 9.1: A selection of storage media and computerized devices.

In addition, wires, cables, and the air can carry digital evidence that, with the proper tools, can be picked out of the ether and stored for future examination.

Exposure to different kinds of computing environments is essential to develop expertise in dealing with digital evidence. Local organizations (especially local Computer Science departments and Internet Service Providers) may provide a tour of their facilities. Visits can be made to local computer stores, university computer labs, and Internet cafes. Whenever possible, ask people about their systems. Most system administrators are delighted to talk about their networks if asked. Also, many computer manufacturers and suppliers have Web sites with detailed pictures and functional specifications of their products. Digital investigators can use this information to become more familiar with a variety of hardware.

Before approaching a crime scene, try to determine which types of hardware might be encountered, since different equipment and expertise are required for terabytes of storage versus miniature systems.

Examples of various computer systems with photographs are available in USDOJ (2001). This guide also provides useful checklists of digital evidence to look for in certain types of investigations, including online auction fraud, child exploitation/abuse, computer intrusion, death investigation, domestic violence, economic fraud, e-mail threats/harassment/stalking, extortion, gambling, identity theft, narcotics, prostitution, software piracy, and telecommunications fraud.

9.2.2 Identifying Digital Evidence

Different crimes result in different types of digital evidence. For example, cyber-stalkers often use e-mail to harass their victims, computer crackers sometimes inadvertently leave evidence of their activities in log files, and child pornographers sometimes have digitized images stored on their computers. Additionally, operating systems and computer programs store digital evidence in a variety of places. Therefore, the ability to identify evidence depends on a digital investigator's familiarity with the type of crime that was committed and the operating system(s) and computer program(s) that are involved.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
