This module is a resource for lecturers

Digital evidence

Digital forensics "is underpinned by [forensic principles, such as Edmond] Locard's exchange principle" (Albert and Venter, 2017, p. 24), which holds that "objects and surfaces that come into contact will transfer material from one to another" (Maras and Miranda, 2014, pp. 2-3). In the field of digital forensics, digital traces are left behind as the result of individuals' use of information and communication technology (ICT) (Albert and Venter, 2017). Particularly, a person utilizing ICT can leave a digital footprint, which refers to the data left behind by ICT users that can reveal information about them, including age, gender, race, ethnicity, nationality, sexual orientation, thoughts, preferences, habits, hobbies, medical history and concerns, psychological disorders, employment status, affiliations, relationships, geolocation, routines, and other activities. This digital footprint can be active or passive. An active digital footprint is created by data provided by the user, such as personal information, videos, images, and comments posted on apps, websites, bulletin boards, social media, and other online forums. A passive digital footprint is data that is obtained and unintentionally left behind by the users of the Internet and digital technology (e.g., Internet browsing history). Data that are part of active and passive digital footprints can be used as evidence of a crime, including cybercrime (i.e., digital evidence). This data can also be used to prove or disprove a matter being asserted; refute or support the testimony of a victim, witness, or suspect; and/or implicate or exculpate a suspect of a crime.

Data is stored on digital devices (e.g., computers, smartphones, tablets, phones, printers, smartTVs, and any other devices that have digital memory capacity), external storage devices (e.g. external hard drives and USB flash drives), network components and devices (e.g., routers), servers, and the cloud (where data is stored "at multiple data centres in different geographic locations"; UNODC, 2013, p. xxv). The type of data that could be obtained is content (i.e., words in written communications or spoken words in audio files; e.g., videos, the text of emails, text messages, instant messages, and social media content) and non-content data or metadata (i.e., data about the content; e.g., identity and location of users and transactional data, such as information about senders and receivers of telecommunications and electronic communications).

Data obtained online and/or extracted from digital devices can provide a wealth of information about users and events. For instance, gaming consoles, which operate like personal computers, store personal information about users of the devices (e.g., names and email addresses), financial information (e.g., credit card data), Internet browsing history (e.g., websites visited), images, and videos, among other data. Gaming console data has been used in cases of child sexual exploitation and online child sexual abuse material (Read et al., 2016; Conrad, Dorn, and Craiger, 2010) (these cybercrimes are further explored in Module 12 on Interpersonal Cybercrime). Another digital device that collects a significant amount of data about its users is the Amazon Echo (with Alexa voice service). The data collected by this device could provide valuable information about users/owners, such as their interests, preferences, queries, purchases, and other activities, as well as their location (e.g., whether or not at home, by reviewing timestamp and audio recordings of interactions with Alexa). Evidence from an Amazon Echo was sought in a murder case in the United States. While the charges against the suspect were ultimately dropped, this case brought home the lesson that data collected by new digital technologies will inevitably be introduced as evidence in a court of law (Maras and Wandt, 2018).

Data can be obtained and used for intelligence purposes (for more information, see UNODC (2011), Criminal Intelligence Manual for Analysts) and/or can be introduced as digital evidence in a court of law. With respect to the latter, digital evidence can serve as direct evidence by "establish[ing] a fact" or circumstantial evidence by"infer[ing] the truth of a given fact" (Maras, 2014, pp. 40-41). Consider the following hypothetical incident: a racist tweet was posted from a Twitter account (Account A). The direct evidence is that Account A was used to post the racist tweet. The circumstantial evidence is that the account holder posted the tweet. To prove that the account holder posted the tweet, further corroborating evidence is required (as Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics shows, identifying the perpetrators of cybercrime is no easy task).

Before a digital device can be introduced in court as direct or circumstantial evidence it must be authenticated (i.e., it must be shown that the evidence is what it purports to be). To illustrate authentication practices, consider the following general categories of digital evidence: content generated by one or more persons (e.g., text, email or instant messages, and word processing documents, such as Microsoft Word); content generated by a computer or digital device without user input (e.g., data logs), which is considered as a form of real evidence in, for example, the United Kingdom (see Regina (O) v. Coventry Magistrates Court, 2004); and content generated by a combination of both (e.g., spreadsheets from programmes such as Microsoft Excel, which include user input data and calculations made by the software). User-generated content can be admitted if it is trustworthy and reliable (i.e., it can be attributed to a person). Device-generated content can be admitted if it can be shown to function properly at the time the data was produced, and if it can be shown that when data was generated security mechanisms were present to prevent the alteration of data. When content is both generated by a device and user, the trustworthiness and reliability of each needs to be established.

When compared to traditional evidence (e.g., paper documents, weapons, controlled substances, etc.), digital evidence poses unique authentication challenges because of the volume of available data, its velocity (i.e., the speed with which it is created and transferred), its volatility (i.e., it can quickly disappear by being overwritten or deleted), and its fragility (i.e., it can easily be manipulated, altered or damaged). While some countries have implemented rules of evidence with authentication requirements that specifically pertain to digital evidence, others have similar authentication requirements for traditional evidence and digital evidence. In France, for example, both paper-based and electronic documents must be authenticated by verifying the identity of the creator of the documents and the integrity of the documents (Bazin, 2008). The latter refers not only to its accuracy, but also its ability to maintain its accuracy (i.e., consistency) over time. What is more, in an effort to treat non-digital and digital evidence the same, Singapore amended its rules of evidence with the Singapore Evidence (Amendment) Act of 2012 to ensure the same authentication practices for non-digital and digital evidence.

In addition to determining the authenticity of digital evidence, many countries also examine whether the evidence represents the best evidence (i.e., the original piece of evidence or an accurate duplicate of the original), and/or can be admitted under hearsay (i.e., out of court statements) exceptions (Biasiottie et al., 2018; Kasper and Laurits, 2016; Alba, 2014; Duranti and Rogers, 2012; Goode, 2009). Cases in point are Tanzania (Evidence Act of 1967, Written Laws (Miscellaneous Amendments) Act of 2007, and Electronic Transactions Act of 2015); Belize (Electronic Evidence Act of 2011); Indonesia (Law No. 11 of 2008 Concerning Electronic Information and Transactions, and Government Regulation No. 82 of 2012); Malaysia (Evidence Act 1950); India (Information Technology Act of 2000); and Singapore (Evidence (Amendment) Act 2012), to name a few.

Furthermore, assessments of the authenticity of digital evidence also involve an examination of the processes, methods, and tools used to collect, acquire, preserve, and analyse digital evidence to ensure that the data was not modified in any way. These processes, methods, and tools are explored in the next sections of this Module.

Next: Digital forensics
Back to top