An interesting snippet from the United States Secret Service on how to recognize digital evidence:
Computers and digital media are increasingly involved in unlawful activities.
The computer may be contraband, fruits of the crime, a tool of the offense,
or a storage container holding evidence of the offense. Investigation
of any criminal activity may produce electronic evidence. Computers and
related evidence range from the mainframe computer to the pocket-sized personal data
assistant to the floppy diskette, CD or the smallest electronic
chip device. Images, audio, text and other data on these media are easily
altered or destroyed. It is imperative that law enforcement officers recognize,
protect, seize and search such devices in accordance with applicable statutes,
policies and best practices and guidelines.
Answers to the following questions will better determine the role of
the computer in the crime:
- Is the computer contraband of fruits of a crime?
For example, was the computer software or hardware stolen?
- Is the computer system a tool of the offense?
For example, was the system actively used by the defendant to commit
the offense? Were fake IDs or other counterfeit documents prepared using
the computer, scanner, and color printer?
- Is the computer system only incidental to the offense, i.e., being
used to store evidence of the offense?
For example, is a drug dealer maintaining his trafficking records in
- Is the computer system both instrumental to the offense and a storage
device for evidence?
For example did the computer hacker use her computer to attack other
systems and also use it to store stolen credit card information?
Once the computer's role is understood, the following essential questions should be answered:
- Is there probable cause to seize hardware?
- Is there probable cause to seize software?
- Is there probable cause to seize data?
- Where will this search be conducted?
- For example, is it practical to search the computer system on
site or must the examination be conducted at a field office or lab?
- If law enforcement officers remove the system from the premises
to conduct the search, must they return the computer system, or
copies of the seized date, to its owner/user before trial?
- Considering the incredible storage capacities of computers, how
will experts search this data in an efficient, timely manner?
Source: US Secret Service
Copyright © by Computer Forensics World All Right Reserved.