Electronically Stored Information in digital forensics: looking beyond the usual suspects
15th August 2014
Computers and the Internet have brought about a massive change in the way we live our lives. We are living in the ‘digital age’, in which many of the everyday tasks we perform can be traced back to some type of Electronically Stored Information (ESI) that is constantly being recorded on disparate systems. The challenge to digital forensics experts like CYFOR is to apply well-tested digital forensic techniques to a rapidly changing world.
Think of the routine you followed today. You would most likely have used email and text messaging and logged into various websites and platforms, but what about the other interactions you have had with modern amenities? Did you have to swipe a key card to gain access to your hotel room, office or gym? How about that coffee shop rewards card or digital wallet on your smartphone? Our day-to-day activities use applications which write to databases or log files, leaving behind digital footprints that could be relevant to a digital forensics investigation.
Digital evidence usual suspects
For most lawyers and digital forensics practitioners the term ‘digital evidence’ brings to mind the “usual suspects”, including emails and office documents stored on servers, personal computers and laptops. However, ESI can be even more ubiquitous, intermingled and atypical, with data from our private and public activities being increasingly interconnected and stored on electronic media.
Types of digital evidence
Over and above the “usual suspects”, CYFOR’s digital forensics investigators can reconstruct the activities of an individual by examining the following types of digital evidence:
• Social networking and blog posts
• Key card and time clock entries
• Telephone records
• Mobile phone network (cell site) analysis
• SMS text messages
• Audio recordings
• VoIP conversations
• Images taken on devices with or without GPS information
• Word processing and spreadsheet files
• Smartphone transactions
• Copy machine access codes
• Website activity and histories
• CCTV and security camera footage
• And more
Not every matter, therefore, hinges upon finding the decisive email or damning text message, but in this day and age most matters tend to include some type of ESI that can be identified through the use of digital forensic tools (CYFOR’s main computer analysis tools are EnCase and Forensic Toolkit). Therefore, even electronic storage systems apart from the “usual suspects”, and ones that predate the social media era, must be properly preserved and maintained.
The challenge – different but the same
In this day and age, the limits and possibilities of finding electronically stored information that may hold relevant evidence are constantly growing. Regardless of where we find the digital evidence, the rules remain the same – reasonable steps must be taken to identify, preserve, collect and process the forensic image.
DISCLAIMER: The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.