According to the Digital Universe study report,6 the amount of digital data produced by
humans and machines (e.g., IoT devices) will exceed 44 zettabytes by the year 2020
(1 zettabyte = 1 billion terabytes). People access the Internet on a daily basis to
socialize, send e-mails, and browse the Web; most of these activities produce traces that
remain on the user's computing devices for years. Most computer users are not tech savvy;
they may think that deleting a file erases it completely and forever from the hard drive,
but this is wrong. Deleting a file normally removes only the file-system entry that points
to it, and a quick format rewrites only the file-system structures, so the data itself can
often be recovered even after the drive has been formatted. Tools exist that wipe disk
space to make it unrecoverable (discussed in Chapter 9), but even these can leave traces,
which allows computer forensic investigators to obtain essential evidence that helps them
solve criminal cases and prevent further ones.

Computer forensics involves acquiring digital evidence, sometimes known as
electronically stored information (ESI), in a systematic way from a computer hard drive,
a mobile phone, a tablet or PDA, or other storage media (such as CDs/DVDs and USB thumb
drives), among other places; this ESI is to be used in court during trials.
Digital Evidence Types
We can differentiate between two main types of digital artifacts according to who has
created them: user-created data and machine/network-created data.

User-created data

User-created data includes anything created by a user (human) using a digital device.
It includes the following and more:
1. Text files (e.g., MS Office documents, IM chat logs, bookmarks), spreadsheets,
databases, and any other text stored in digital format,
2. Audio and video files,
3. Digital images,
4. Webcam recordings (digital photos and videos),
5. Address book and calendar entries,
6. Hidden and encrypted files (including zipped folders) created by the computer user,
7. Previous backups (including both cloud storage backups and offline backups such as
CDs/DVDs and tapes),
8. Account details (username, picture, password),
9. E-mail messages and attachments (both online and client e-mails),
10. Web pages, social media accounts, cloud storage, and any other online accounts
created by the user.
Files created by a computer user also carry metadata. The metadata may be entered on
purpose by the user (e.g., author name and e-mail address) or generated automatically by
the software that created the file (e.g., the GPS coordinates, camera model, and
resolution recorded in a photo). As stressed in Chapter 2, metadata should be investigated
thoroughly during any investigation, as it may contain substantial evidence about the case
at hand.
Just for note: In Windows OS, you can view a file's metadata by right-clicking it and
selecting "Properties." However, keep in mind that opening a file under Windows can
change system-generated metadata about it, such as the last access timestamp (whether a
volume records last access depends on the system configuration; the command
fsutil behavior query disablelastaccess shows the setting). Work on a forensic copy or
through a write blocker, and record any such change in the investigation notes.
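The following script is an added example, not code from the chapter: it builds a minimal .docx in memory with constructed metadata (the author names, title and timestamps are invented), reads back the user-supplied fields from docProps/core.xml without opening the document in Word, records the file-system timestamps of the examined copy, and hashes the copy at the start and end of the examination so the report can show it was not altered. All file names and paths are assumptions for the demonstration.

```python
import hashlib
import io
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Office Open XML container. Real .docx files
# carry more parts, but docProps/core.xml is where Word keeps the user-facing
# metadata (author, last modified by, creation/modification timestamps).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Quarterly plan</dc:title>
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>accounts-pc\\admin</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2019-03-01T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2019-03-04T17:42:10Z</dcterms:modified>
</cp:coreProperties>
"""

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def build_sample_docx() -> bytes:
    """Return the bytes of a constructed .docx carrying the metadata above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Parse docProps/core.xml straight from the container (no Office needed)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "title": text("dc:title"),
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def examine(path: str) -> dict:
    """Hash the copy on arrival, examine it, then hash again for the report."""
    with open(path, "rb") as f:
        data = f.read()
    acquisition_hash = sha256_hex(data)
    props = extract_core_properties(data)
    st = os.stat(path)          # timestamps of the examiner's copy, not the original
    with open(path, "rb") as f:
        verification_hash = sha256_hex(f.read())
    return {
        "sha256": acquisition_hash,
        "content_unchanged": acquisition_hash == verification_hash,
        "core": props,
        "fs_mtime": st.st_mtime,
        "fs_atime": st.st_atime,
    }


def demo() -> dict:
    """Write the constructed document to a temporary directory and examine it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "plan.docx")   # assumed file name
        with open(path, "wb") as f:
            f.write(build_sample_docx())
        return examine(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the file-system timestamps reported here belong to the examiner's working copy; the timestamps that matter for the case come from the original volume image, and only the embedded core.xml values travel with the file.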
Machine/network-created data

Machine/network-created data includes any data that is generated automatically by a
digital device. It includes the following and more:
1. Computer logs; under Windows OS these include the Application, Security, Setup,
System, and Forwarded Events logs and the Applications and Services Logs,
2. Router logs and third-party service-provider logs (e.g., Internet service providers
(ISPs) commonly retain records of their subscribers' web browsing),
3. Configuration files and audit trails,
4. Browser data (browsing history, cookies, download history),
5. Instant messenger history and contact lists (Skype, WhatsApp),
6. GPS tracking history (from devices with GPS capability),
7. Device Internet Protocol (IP) and MAC addresses, in addition to the IP addresses
associated with the LAN and its broadcast address,
8. Application history (e.g., recently opened files in MS Office),
9. Restore points on Windows machines,
10. Temporary files,
11. E-mail header information,
12. Registry hive files in Windows OS,
13. System files (both hidden and ordinary),
14. Printer spooler files,
15. Hidden partitions and slack space (which can also contain hidden user data),
16. Bad clusters,
17. Paging and hibernation files,
18. Memory dump files,
19. Virtual machines,
20. Surveillance video recordings.
We can summarize "digital evidence" as any kind of file, data, or metadata that exists in
digital (binary) format and could be used during a trial.
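E-mail header information (item 11 of the list above) is one of the few machine-created artifacts that can be examined with nothing but the standard library. The script below is an added example, not part of the chapter: it parses a constructed message (host names, addresses and IDs are invented, using documentation IP ranges), walks the Received headers in transmission order to reconstruct the path the message took, computes the delay at each relay, and applies three common spoofing indicators: a From domain that differs from the Return-Path, an originating host without reverse DNS, and a Message-ID domain that does not belong to the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. Host names and IP addresses are invented
# (documentation ranges) and refer to no real system.
RAW_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Received: from mx1.corp.example.com (mx1.corp.example.com [198.51.100.7])
\tby inbox.corp.example.com with ESMTP id 7Qx2; Mon, 4 Mar 2019 17:40:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25])
\tby mx1.corp.example.com with ESMTPS id 3Fa9; Mon, 4 Mar 2019 17:39:55 +0000
Received: from user-laptop (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA id 91Kd; Mon, 4 Mar 2019 17:39:40 +0000
Message-ID: <a1b2c3@relay.example.net>
From: "Finance Director" <director@corp.example.com>
To: accounts@corp.example.com
Subject: Urgent wire transfer
Date: Mon, 4 Mar 2019 17:39:38 +0000

Please process the attached invoice today.
"""

# "from <helo> (<rdns> [<ip>]) by <host> ...; <date>" is the usual relay format.
# Real Received headers vary a lot; anything that does not match is kept raw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)


def parse_received(value: str) -> dict:
    """Unfold one Received header and pull out the relay fields."""
    flat = " ".join(value.split())
    m = RECEIVED_RE.search(flat)
    if not m:
        return {"raw": flat}
    hop = m.groupdict()
    hop["date"] = parsedate_to_datetime(hop["date"])
    return hop


def trace_path(raw: str) -> list:
    """Return hops in transmission order (originating host first) with per-hop delay."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()   # each relay prepends its header, so the last one is the first hop
    for prev, cur in zip(hops, hops[1:]):
        if "date" in prev and "date" in cur:
            cur["delay_s"] = (cur["date"] - prev["date"]).total_seconds()
    return hops


def spoof_indicators(raw: str) -> list:
    """Cheap consistency checks between the visible From line and the transport data."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower()
    if from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    hops = trace_path(raw)
    if hops and hops[0].get("rdns") in ("unknown", None):
        findings.append(f"originating host {hops[0].get('ip')} has no reverse DNS")
    mid_domain = msg.get("Message-ID", "").strip("<>").rsplit("@", 1)[-1].lower()
    if mid_domain and not mid_domain.endswith(from_domain):
        findings.append(f"Message-ID domain {mid_domain} does not match From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for hop in trace_path(RAW_MESSAGE):
        print(hop.get("ip"), "->", hop.get("by"), "delay", hop.get("delay_s"))
    for finding in spoof_indicators(RAW_MESSAGE):
        print("indicator:", finding)
```

Only the Received header added by your own mail server can be trusted; everything below it was supplied by the sender's side and can be forged, so the reconstructed path is a lead to corroborate with the relay operators' logs, not proof on its own.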
Locations of Electronic Evidence
Digital evidence is commonly found on hard drives; however, with the continual
advance of computing technology, digital evidence is now present in almost every
digital-aware device. The following list shows most of the devices that should be
investigated for digital evidence:
1. Servers and RAID arrays
2. Network devices such as hubs, switches, modems, routers, and wireless access points
3. Internet-enabled devices used in home automation (e.g., air conditioners and smart
refrigerators)
4. IoT devices
5. DVRs and surveillance systems
6. MP3 players
7. GPS devices
8. Game consoles (Xbox, PlayStation, etc.)
9. Digital cameras
10. Smart cards
11. Digital voice recorders
12. External hard drives
13. Flash/thumb drives
14. Fax machines (e.g., incoming and outgoing fax numbers)
15. Copiers (e.g., recently copied documents)
16. Fixed-line and cordless telephones (e.g., calls made, received, and answered, voice
messages, and favorite numbers)
17. Answering machines
18. Backup tapes
Just for note: There are different sources of digital evidence, and each one requires a
different method/tool to acquire it. The focus of this book is on acquiring digital
evidence from computers running Windows OS, in addition to thumb drives and external
hard drives.
Challenge of Acquiring Digital Evidence
Criminals use different means to frustrate digital forensic examiners by destroying or
hiding evidence of their activities; in addition, the seizure of digital devices is
subject to different laws across states and countries. The following are the main
obstacles examiners face when obtaining digital evidence:
1. A computer locked with a password, access card, or dongle.
2. Digital steganography techniques that conceal incriminating data in images, videos,
audio files, file systems, and in plain sight (e.g., within an MS Word document).
3. Encryption techniques that obscure data, making it unreadable without the password
or key.
4. Full disk encryption (FDE) covering the system partition (e.g., BitLocker drive
encryption).
5. Strong passwords protecting the system or volume; cracking them is very time
consuming and expensive.
6. Renaming files and changing their extensions (e.g., changing DOCX to DLL, a
well-known Windows system file type). Because the file's content is unchanged, this is
caught by comparing the file's leading bytes (its signature) with the type its extension
claims.
7. Attempts to destroy evidence by wiping the hard drive securely using various
software tools and techniques.
8. Clearing the web browser history on exit and disabling system/application logging
where available.
9. Physically damaged digital media; for example, deleted files cannot be retrieved from
a failed HDD until it has been repaired.
10. The sensitivity of digital evidence: if it is not handled carefully it may be
destroyed. Heat, cold, moisture, magnetic fields, and even just dropping the device can
destroy the media.
11. The ease with which digital evidence is altered; for instance, if a computer is ON,
leave it ON and acquire its volatile memory (if possible), but if the computer is OFF,
leave it OFF to avoid changing any data.
12. Laws governing the collection of digital evidence and device seizure, which differ
from one state to another (and from one country to another). Cybercrime crosses borders
easily through the Internet, making the lack of cyberlaw standardization a major issue
in this domain.
13. The issue of data ownership; for example, if investigators seize a USB thumb drive
belonging to a suspect but the data on it is fully encrypted and password protected, the
suspect can deny owning the drive, making decryption very difficult without the correct
password or key file.
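As an added example (not the chapter's own material), the script below performs the file-signature check that defeats item 6 of the list: it identifies a file from its leading bytes rather than its name, tells Office Open XML documents apart from plain ZIP archives by the parts inside the container, and flags files whose extension does not belong to the detected format. The sample files are constructed in memory from genuine format signatures; the file names are invented.

```python
import io
import os
import zipfile

# Magic numbers of common formats. OOXML documents (DOCX/XLSX/PPTX) are ZIP
# containers, so they share the ZIP signature and are told apart afterwards.
SIGNATURES = [
    (b"PK\x03\x04", "zip-container"),
    (b"MZ", "pe-executable"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound"),
    (b"Rar!\x1a\x07", "rar"),
]

# Extensions that legitimately carry each detected format.
KIND_EXTENSIONS = {
    "zip-container": {"zip", "jar", "apk"},
    "docx": {"docx", "docm", "dotx"},
    "xlsx": {"xlsx", "xlsm"},
    "pptx": {"pptx", "pptm"},
    "pe-executable": {"exe", "dll", "sys", "scr", "ocx"},
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
    "ole2-compound": {"doc", "xls", "ppt", "msg"},
    "rar": {"rar"},
}


def refine_zip(data: bytes) -> str:
    """Distinguish Office Open XML documents from a plain ZIP by their parts."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip-container"   # truncated or damaged archive: keep the generic kind
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "zip-container"


def identify(data: bytes):
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return refine_zip(data) if kind == "zip-container" else kind
    return None


def check_file(name: str, data: bytes):
    """Return (detected_kind, mismatch). Unknown formats are never flagged."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    kind = identify(data)
    if kind is None:
        return None, False
    return kind, ext not in KIND_EXTENSIONS[kind]


def scan(files):
    """files: iterable of (name, bytes). Returns [(name, detected_kind)] for mismatches."""
    report = []
    for name, data in files:
        kind, mismatch = check_file(name, data)
        if mismatch:
            report.append((name, kind))
    return report


def make_docx_bytes() -> bytes:
    """Constructed minimal .docx: a ZIP with a word/ part inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample files; only the leading bytes matter for the check.
SAMPLE_FILES = [
    ("report.dll", make_docx_bytes()),                     # DOCX renamed to hide among DLLs
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),  # genuine JPEG header
    ("tool.exe", b"MZ\x90\x00" + b"\x00" * 60),            # genuine executable header
    ("invoice.pdf.txt", b"MZ\x90\x00" + b"\x00" * 60),     # executable disguised as text
    ("readme.txt", b"plain text has no signature"),        # unknown: left for manual review
]

if __name__ == "__main__":
    for name, kind in scan(SAMPLE_FILES):
        print(f"{name}: extension does not match detected format {kind}")
```

The two-byte MZ signature is deliberately weak: production tools corroborate it by following the offset stored at 0x3C to the PE header, and they carry thousands of signatures rather than the handful shown here. The logic, however, is the same: trust the bytes, not the name.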
The techniques mentioned briefly here to frustrate computer investigators are described
in some detail in Chapter 9; however, keep in mind that most criminals are not tech savvy
and will not employ advanced methods to cover their tracks. Even those who do use privacy
techniques to hide their files and activities on the computer mostly fail to implement
them 100% correctly, which leaves a door open for examiners to break in and acquire
valuable information from the suspect's computing device.
Who Should Collect Digital Evidence?
Digital evidence should be examined only by trained professionals who have the
expertise and knowledge to handle sensitive data without destroying it during the
investigation. Such investigators should have the following general skills.
• Analytical thinking: the ability to make correlations between different events and
facts when investigating a crime.
• Solid IT background: broad knowledge of different IT technologies, hardware devices,
operating systems, and applications. This does not mean that an investigator must know
how each technology works in detail, but he or she should have a general understanding
of how each one operates.
• Hacking skills: to solve a crime, you should think like a hacker. Knowing attack
techniques and cybersecurity concepts is essential to a successful investigation.
• Communication and organizational skills: an investigator needs documentation skills
to organize findings and present them to other members of the team and to attorneys
and judges.
• Understanding of the legal issues concerning digital crime investigations.
• Excellent command of the technical skills of digital forensics, such as data recovery,
data acquisition, and writing technical reports.
• Online searching skills and the ability to gather information from publicly available
sources (i.e., OSINT).
Sometimes, a digital forensics professional plays the role of expert witness in a court
of law. What differentiates an expert witness from a nonexpert, or conventional, witness?
The typical witness testifies to what he or she saw or heard, while the expert witness is
given the opportunity to offer an opinion to the court. Judges and juries are not always
familiar with the technical details of digital crimes, so an expert witness should help
them assimilate and understand those details.
An expert witness does not have to hold an advanced academic degree to testify; however,
he or she needs to show proven technical ability that clearly demonstrates full
understanding of the subject of the testimony. To make expert witness testimony effective
in court, the expert should be able to convey complicated technical details in a form
that nontechnical people such as judges and jury members can easily assimilate. People
who work in the teaching field, and authors, often play this role very well.