Digital Evidence

What is Digital-Evidence?

According to the National Institute of Justice, digital-evidence is information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination.


  • Is latent, like fingerprints or DNA evidence.
  • Crosses jurisdictional borders quickly and easily
  • Is easily altered, damaged, or destroyed.
  • Can be time sensitive.
  • It is important to remember that digital-evidence may also contain physical evidence such as DNA, fingerprints, or serology. As such, physical evidence should be preserved for appropriate examination.

    The Critical Role of First Responders in Collecting Digital-Evidence

    As technology advances, so have the knowledge and duties required of law enforcement officers at a crime scene. The scope of evidence to be searched for and collected at a crime scene now includes digital-evidence such as cell phones and computer networking devices. Some of these devices might be hidden in ceilings or other locations that are not immediately evident.

    At the same time, forensics experts face an ever-expanding backlog of digital-evidence due to the increased use of computers. Training and preparing first responders to perform preliminary investigations could help reduce the digital-evidence backlog and help law enforcement make significant headway into solving a range of crimes, including:

  • Computer Threats
  • Missing Person Cases
  • Fraud Cases
  • Theft
  • Onsite analysis by first responders would speed up initial investigative tasks, reducing the workload of digital forensics experts and allowing them to focus on more in-depth digital-evidence analysis.

    The Critical Role of First Responders in Collecting Digital-Evidence

    In the early days of digital-evidence collection and analysis, law enforcement officers would confiscate a computer, and then create an exact duplicate of the original evidentiary media — called an image — onto another device. Analysis of the device's image would then be conducted in a controlled setting.

    However, some data cannot be recovered once the device is shut down, so law enforcement has moved away from "grab-and-go" tactics. The emphasis is now on capturing as much data as possible at crime scenes while devices are still running.

    When dealing with digital evidence, first responders should still observe general forensic and procedural principles, including:

  • Evidence should not be changed while it is being collected, secured and transported.
  • Digital evidence should be examined only by those trained specifically for that purpose.
  • Everything done during the seizure, transportation and storage of digital evidence should be fully documented, preserved and available for review.

  • Types of Images Captured by Digital-Evidence Investigative Tools

    Digital-evidence investigative tools capture two types of images:

    1. Physical images: Images of passwords stored in memory, whole disk encryption keys, information stored by Windows and other user-related information that may not be stored once volatile memory is flushed upon reboot or shutdown. Physical images hold up better in court as evidence.

    2.Logical images: Information that could be easily viewed by any user, including a list of running processes and programs, screen captures (to document open windows) and graphic files or documents that may be relevant to an open investigation.

    Handling Digital-Evidence at the Scene

    Precautions should be taken in the collection, preservation, and transportation of digital-evidence. First responders may follow the steps listed below to guide their handling of digital-evidence at an electronic crime scene:

  • Recognize, identify, seize, and secure all digital-evidence at the scene.
  • Document the entire scene and the specific location of the evidence found.
  • Collect, label, and preserve the digital evidence.
  • Package and transport digital evidence in a secure manner.
  • Before collecting evidence at a crime scene, first responders should ensure that.

  • Legal authority exists to seize evidence.
  • The scene has been secured and documented.
  • Appropriate personal protective equipment is used.
  • First responders without the proper training and skills should not attempt to explore the contents of or to recover information from a computer or other electronic device other than to record what is visible on the display screen. Do not press any keys or click the mouse.

    (Information provided courtesy of the U.S. Department of Justice).

    Recommended Digital Evidence Reading

    Digital Evidence and Computer Crime by Eoghan Casey

    Digital evidence - evidence that is stored on or transmitted by computers - can play a major role in a wide range of crimes, including homicide, rape, abduction, child abuse, solicitation of minors, child pornography, stalking, harassment, fraud, theft, drug trafficking, computer intrusions, espionage, and terrorism.

    Though an increasing number of criminals are using computers and computer networks, few investigators are well-versed in the evidentiary, technical, and legal issues related to digital evidence. As a result, digital evidence is often overlooked, collected incorrectly, and analyzed ineffectively. The aim of this hands-on resource is to educate students and professionals in the law enforcement, forensic science, computer security, and legal communities about digital evidence and computer crime.

    This work explains how computers and networks function, how they can be involved in crimes, and how they can be used as a source of evidence. As well as gaining a practical understanding of how computers and networks function and how they can be used as evidence of a crime, readers will learn about relevant legal issues and will be introduced to deductive criminal profiling, a systematic approach to focusing an investigation and understanding criminal motivations. Readers will receive access to the author's accompanying Web site which contains simulated cases that integrate many of the topics covered in the text. Frequently updated, these cases teaching individuals about:

  • Components of computer networks
  • Use of computer networks in an investigation
  • Abuse of computer networks
  • Privacy and security issues on computer networks
  • The law as it applies to computer networks
  • In addition, Digital Evidence and Computer Crime provides a thorough explanation of how computers and networks function, how they can be involved in crimes, and how they can be used as a source of evidence. It offers readers information about relevant legal issues, features coverage of the abuse of computer networks and privacy and security issues on computer networks and comes with free unlimited access to author's Web site which includes numerous and frequently updated case examples.

    See following link for full details.

    Digital Evidence and Computer Crime, Second Edition

    UK Visitors Click Here

    Back To Top of Page

    Go Back To The Main Computer Forensics Page

    Go From Digital Evidence Back To The Home Page

    Enjoy this page? Please pay it forward. Here's how...

    Would you prefer to share this page with others by linking to it?

    1. Click on the HTML link code below.
    2. Copy and paste it, adding a note of your own, into your blog, a Web page, forums, a blog comment, your Facebook account, or anywhere that someone would find this page valuable.