From text messages to invisible metadata, digital forensics teams focus on these reliably admissible types of digital evidence
Digital evidence has become vital to law enforcement, with 66% of agency managers considering it more important than DNA. As a result, crime labs are investing in technology and personnel that help them navigate this rapidly evolving space.
Yet even as the technology changes, some things remain the same — certain types of digital evidence with a proven track record of closing cases tend to be what digital forensics experts and legal professionals focus on in the courtroom.
This article highlights the most common categories of digital evidence and the digital evidence analysis techniques that legal professionals use to present airtight cases.
What is digital evidence?
Digital evidence refers to any information stored or transmitted in an electronic format considered admissible as courtroom evidence. However, it is distinct from evidence sources or storage formats, such as a hard drive, smartphone, or optical disc. For example, when police seize a computer, they will uncover several gigabytes of data that bear no relation to the case they are investigating. Therefore, they would only classify the extracted information as digital evidence, even if the physical system remains in storage.
This distinction matters because digital evidence and digital evidence sources are equally important but cannot be named interchangeably. For example, when a judge reviews CCTV footage, they can’t just consider its content; they must also know how the information was recorded and whether digital forensics teams modified or formatted it. They may also need to understand how the recording was obtained or whether specialized equipment is required to present the information at trial. Without this information, the footage might be inadmissible as evidence.
What are the most common types of digital evidence?
1) Digital messages
Some of the most reliable pieces of evidence in legal history consist of written communications between two or more parties. These kinds of communications help investigators gain new insights into a crime, but they also define relationships between suspects, validate statements made under oath, or establish a timeline of events.
While investigators are primarily interested in the content of a digital message, they cannot overlook its source. Our digital age offers an overwhelming array of communication methods that could be submitted as evidence, including:
2) Browser and search history
Given that the average person spends over six hours per day on the internet, browsers can be a valuable source of evidence. Each search and website visit leaves a trail investigators can follow, and browsing history is usually the easiest path.
Of course, more cautious individuals might clear their browsing histories, but there are other ways to gather this information. For example, many websites and platforms — including Google — store each user’s search history data by account. A warrant for this data can reveal a wealth of information that might aid an investigation or act as evidence during a trial.
3) Digital photographs and video footage
Digital images and video are often essential evidence in a criminal trial. This type of digital evidence is also easy to alter, and many people don’t realize they’re doing it. Simply playing the video with the wrong player, compressing the video to share, or converting the files to a playable format can alter their contents. For these reasons, it’s vital for agencies and law firms to follow the correct procedures for acquiring, storing, and presenting evidence.
The most crucial detail is that agencies must retrieve, investigate and submit original, unaltered files as digital evidence. First-party sources, particularly body-worn and dashboard cameras, are invaluable because they are generated and stored under the complete oversight of law enforcement agencies. However, third-party sources — such as CCTV cameras, smartphone camera photographs, and digital video files — must be collected, stored, and analyzed using forensically sound procedures that ensure they can be presented objectively in a courtroom.
Leveraging a public safety grade video investigation tool like Axon Investigate can help investigators maintain the forensic integrity of video throughout the process.
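As an added example (not from the original article and not part of any Axon product), one common way to show that a file is still the original is to record a SHA-256 hash and basic metadata at acquisition and re-check them later. The file names, the `collected_by` value, and the sample bytes below are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large video files are never loaded whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire(path, collected_by):
    """Record the file exactly as received: hash, size and filesystem timestamp."""
    st = os.stat(path)
    return {
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "collected_by": collected_by,
    }

def verify(path, entry):
    """Return the discrepancies between a file and its manifest entry."""
    problems = []
    if os.path.getsize(path) != entry["size_bytes"]:
        problems.append("size changed")
    if sha256_file(path) != entry["sha256"]:
        problems.append("sha256 mismatch")
    return problems

def demo():
    """Constructed sample: bytes standing in for an exported CCTV clip."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "cctv_export.bin")
        working = os.path.join(tmp, "cctv_working_copy.bin")
        data = bytearray(b"constructed sample frame " * 64)
        with open(original, "wb") as fh:
            fh.write(data)
        entry = acquire(original, collected_by="examiner-placeholder")
        data[-1] ^= 0x01  # same length, one bit differs: size check passes, hash does not
        with open(working, "wb") as fh:
            fh.write(data)
        return entry, verify(original, entry), verify(working, entry)

if __name__ == "__main__":
    print(demo())
```

The untouched file verifies cleanly, while the altered copy passes the size check and fails only on the hash, which is why the hash, not the size or timestamp, is the integrity record.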
4) Log files
Most computer software generates activity logs, from operating system processes to video game errors. While these logs are intended for maintenance purposes, they can also confirm the activities of specific individuals or determine where investigators can find additional evidence. The location and contents of each log file can vary depending on the software that generates them, but some common examples used as digital evidence include:
Phone logs: Smartphones store extensive records of day-to-day activities, from call frequency to location data. Phone logs can also verify when a smartphone captured a photo or recorded a video.
IP logs: Every device on the internet has an IP address to authorize incoming and outgoing information. IP logs can verify which devices or users access a given website and where they are physically located.
Transaction logs: Some logs keep track of file changes so administrators can roll back changes to a previous state. These transaction logs are used in servers, databases, and even cloud-based document processors like Google Docs.
Event logs: Computer software and operating systems keep records of every activity to determine the cause of errors or system crashes. They can also confirm whether a human being or a computer process initiated a given event.
Message logs: Most software that lets users communicate with each other, including instant messaging services and video game chat tools, makes copies of conversations for future review.
5) Invisible data
Some types of digital evidence are “invisible,” meaning the information cannot be viewed in normal circumstances and requires specialized tools or techniques to make it as visible as any other record. Invisible data can include hidden files, deleted information, or supplementary data behind a video or image file. Here are some common examples:
Metadata: Each file includes supplementary metadata that provides information about the file itself. For example, a digital photograph might carry metadata such as the file’s creation date, when it was last modified, and any tools used during editing.
Active data: Most apps and computer programs generate temporary files to reference while the software runs. For example, most word processors create short-term backups of documents that can be retrieved if the device shuts down suddenly.
Residual data: When someone deletes information from a hard drive, it is not necessarily gone. In some cases, digital forensics specialists can retrieve or reconstruct information that has not yet been overwritten by new files added to the drive.
Volatile data: When any digital device is active, it stores information in the RAM to avoid wasting time reloading from a hard drive. This data can be retrieved using digital forensics, but only while the device is turned on — once the power is cut, volatile files disappear forever.
Replicant data: Most operating systems generate support files that are invisible to end users, such as backups, web caches, and temporary directories. These files can include copies of visible data files where the originals are lost.
As technology advances, law enforcement agencies and legal professionals must constantly account for new types of digital evidence. Furthermore, for this evidence to be admissible in court, it must be collected, reviewed, and presented using forensically sound tools and procedures.
Axon Evidence, our DEMS for law enforcement agencies, can accomplish each goal while seamlessly transferring digital evidence to attorneys. Meanwhile, Axon Justice Premier offers additional features for legal professionals, such as unlimited transcription, centralized data collection, third-party video conversion, playback support, and more.