Private and Public Digital Evidence and Forensic Investigation

This article discusses the specific sub-field of digital forensics and the types of crimes that would need digital forensics for an investigation.

Digital Forensics

This sub-field of forensics examines data and information from computer storage media so that it may be used as evidence in a court of law or to answer a specific legal question as needed.

For example, in private investigations, a digital forensics investigator may use digital forensics at the request of a private attorney for a defendant in a public case. Evidence may also be gathered to prove that an employee is using company resources for personal business, such as selling goods online or visiting a site that is against the company's rules and regulations on information technology. In this case, the employee may be subject to disciplinary action by the company, additional personal liability, and perhaps criminal liability.

Evidence may also be gathered to prove that an employee has violated an employment agreement. For example, evidence may be gathered that proves an employee accessed records or other information without authorization. It may also show that one employee has harassed another employee or perhaps stolen company information.

Public investigations, by contrast, require digital forensics only when a crime has been committed. Computers can be used in crimes in one of the following ways:

    • Crimes associated with the prevalence of computers, i.e. copyright violations.
    • Crimes in which the computer is the instrument of the crime.
    • Crimes in which the computer is incidental to another crime, such as using it to store illegal records.
    • Crimes in which the computer is the target, such as crimes that involve stealing information from a computer or denial of service crimes.

Digital Evidence Collection

The collection of digital evidence may involve several prominent roles. These roles may include:

    • Physical Technology Collection: Investigators will collect the physical media. Physical media is any technology that stores data or information, e.g. hard disks, PDAs, flash media and other electronic devices.
    • Physical Media Analysis: Investigators will analyze the physical evidence for fingerprints or other evidence found on the surfaces of the physical technology. This role requires a deep understanding of the technology and may be able to aid the roles of digital evidence collection and digital evidence analysis even when the physical device is severely damaged.
    • Digital Evidence Collection: Investigators will collect the digital data from the physical device. Here, the evidence is the full set of files, folders, and bits stored on the physical media.
    • Digital Evidence Analysis: Investigators will analyze the data collected. Analysis of digital evidence may show hidden information.

Digital Evidence

Digital evidence is the full set of bits, bytes, and blocks retrieved from the technology. It is also any subset of that full set, such as e-mail, log files, text documents, spreadsheets, and other files.

Digital evidence has several unique challenges and questions that must be addressed. The greatest challenge is found in modern computers, which are implemented as multi-user systems with potentially hundreds of users. Since evidence must conclusively show facts in an investigation, it becomes critical to clear up ambiguities about who owns the data, how the data came to be on the system, and who or what originated the data.

Another concern is the legal issues surrounding the collection of evidence from privately owned devices such as cell phones in private investigations, as well as the expectation of privacy for employees using company-provided resources. While no clear answers have emerged, many businesses specify the proper use of their assets and require employees to waive any such rights to privacy on company assets as part of their employment contract.

Furthermore, this issue has recently become more complicated with the onset of free, publicly available encryption technologies. The specific question is whether or not a user retains an expectation of privacy by using encryption on company assets. Clearly, the company has the right to the encrypted version of the data; but does the company have the right to mandate that the employee offer an unencrypted version? Likewise, can a person be ordered by a court of law to give a password to law enforcement to decrypt the digital evidence?

This issue of privacy raises the question of “plain sight” while collecting evidence from digital sources. One may be tempted to argue that no digital bit has ever been seen, so plain sight is not possible and not an issue. Others may argue that a permit to collect any digital evidence stored on a disk or computer device is enough to collect any and all evidence from a computer for any crime.

The plain sight doctrine is best interpreted conservatively, so that any seizure of evidence of one crime revealed during the search for evidence of another crime should then be justified by a permit.