
What is Digital Evidence?
Digital evidence is information stored on, received by, or transmitted by an electronic device. An electronic device can be a PC, laptop, smartphone, or any other device that accomplishes a purpose electronically. Information on these devices can range from log files and Windows registry values to bytes on a hard drive. This post goes over different devices, and the information you can find on them, at a high level.
Computer Systems

A computer system takes many forms, such as a laptop, desktop, minicomputer, or mainframe computer. A system has many components, such as memory, a hard drive, and a keyboard and mouse. A system can hold the following information:
- Photos
- Databases
- Internet browsing history
- Chat logs
- Documents
Storage Devices
There are many different types of storage devices that hold information relevant to forensic examiners. These devices vary in size and how they store and retain data.
Hard Drives (HDD) / Solid-State Drives (SSD)

Hard drives and solid-state drives store information for a longer period of time than memory. These drives are usually found inside a system. A forensic examiner will usually create a bit-by-bit copy of the drive called an image. An image will be analyzed by an examiner to determine what occurred on a system. There will be posts later on to demonstrate the process of creating and analyzing an image.
External hard drive

An external hard drive is similar to a hard drive or solid-state drive but can be moved from one system to another. These drives are used to add storage to a system to store more files. It can be tricky to map what happened on a system if an external hard drive was used on multiple systems. An image can be taken of it similar to a hard drive to be analyzed later by an examiner.
Thumb/USB drive

A thumb drive is similar to an external hard drive in that it is commonly used on multiple systems. Thumb drives usually have less storage than external hard drives, but that is not always the case! Thumb drives have gotten bigger as technology keeps advancing. The Windows registry can show information such as the version and manufacturer of a thumb drive that was plugged into a system. An image of these drives can be taken and analyzed like the others.
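The registry detail mentioned above, as an added example that is not part of the original post: Windows records USB storage devices under the `Enum\USBSTOR` key, and the subkey names encode the vendor, product and revision. The function names and sample key paths below are constructed for illustration.

```python
import re

# Key names under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (ControlSet001 in an
# offline hive) look like: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_RE = re.compile(
    r"^[^&]+&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$",
    re.IGNORECASE,
)

SAMPLE_KEYS = [  # constructed sample paths, not taken from a real system
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230516108371&0",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1a2b3c4d&0",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR",
]


def parse_usbstor_path(path):
    """Return device details from one USBSTOR key path, or None if it names no device."""
    parts = path.strip().strip("\\").split("\\")
    upper = [p.upper() for p in parts]
    if "USBSTOR" not in upper:
        return None
    idx = upper.index("USBSTOR")
    if len(parts) < idx + 3:
        return None  # need both the device key and the instance key below it
    match = DEVICE_RE.match(parts[idx + 1])
    if not match:
        return None
    instance = parts[idx + 2]
    # A '&' as the second character means Windows generated the instance ID because
    # the device reported no serial number, so it does not identify the device.
    generated = len(instance) > 1 and instance[1] == "&"
    serial = instance if generated else instance.rsplit("&", 1)[0]
    return {
        "vendor": match["vendor"].replace("_", " ").strip(),
        "product": match["product"].replace("_", " ").strip(),
        "revision": match["revision"],
        "serial": serial,
        "serial_is_generated": generated,
    }


def list_devices(paths):
    """Parse many key paths and keep only those that describe a device instance."""
    return [d for d in map(parse_usbstor_path, paths) if d]


if __name__ == "__main__":
    for device in list_devices(SAMPLE_KEYS):
        print(device)
```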
Memory/RAM

Memory is temporary (volatile) data that is stored on a computer system. Memory changes instantaneously, which means that different forensic procedures and tools are needed compared to hard drives. Software is run that captures the current state of memory as a snapshot, known as a memory dump. Tools such as Volatility can be used to analyze a memory dump to determine which processes were running when the capture was taken. This information can only be gathered while a system is still powered on, as this data is gone when a system is shut off.
Handheld devices

These devices are portable data storage devices that provide functionality similar to computer systems. The same information can be obtained for an investigation as from a normal computer. Different tools and techniques, such as Cellebrite, will need to be used to capture and analyze an image of a handheld device.
Peripheral devices

Peripheral devices are devices that are connected to a computer system. Keyboards and mice, microphones, and web cameras are all peripheral devices. These devices don’t contain data, but an examiner can find information regarding these devices in an investigation. Which devices were connected to a system, and when, are valuable artifacts.
Network devices
Network devices can hold information from when a system communicates with another system. Routers, modems, and access points are devices that contain a small amount of storage that an examiner can extract. Tools such as NetworkMiner and Wireshark can be put on a system to capture and analyze incoming and outgoing packets.
Other devices

Other electronic devices have data that can be captured and analyzed to help an investigation. These devices include:
- Xbox and PlayStation gaming consoles
- Surveillance equipment
- Video cameras
- DVD and Blu-ray sets
- GPS devices
- iPod and iPad
- Amazon Echo and Dot stereos
Research is still ongoing as to what evidence can be obtained.
