Published: 05-03-2019, Remon Verkerk
Computers, smartphones, IP cameras, drones, cars, smart lighting and kettles: what do these objects have in common? They can all contain digital data that could contribute to a fact-finding investigation. This evidence may support the ‘regular’ tactical investigation, but it is often decisive and provides the breakthrough in a case. Proverbially speaking, it is the smoking gun.
That smoking gun is rarely handed over on a silver platter; in practice it looks more like a needle in a haystack. To maximise the chances of finding the digital evidence, it is important to identify and secure potential data carriers as well as possible. Securing is preferably done by having a specially trained forensic specialist make a forensic copy. This specialist takes care of the correct preparation of the evidence while continuously monitoring the integrity of the data, which benefits its usefulness in legal disputes or criminal cases.
The process of handling digital evidence is at its core quite simple:
- Identification of data sources
- Preservation/securing of data
- Processing/analysis of data
- Production of evidence
- Presentation of evidence
However, this seemingly simple process has many pitfalls. In the coming weeks we will reflect on the TOP 3: Missed opportunities!
1. Identification of data sources
As mentioned, we are surrounded by computers of all shapes and sizes, each of which can contribute more or less to the investigation. It is not feasible to collect all this data, so it is necessary to be selective.
When the police see a mobile phone on the table during the search of a suspect’s home, we can assume that it is seized and included in the investigation, provided of course that it may be of some relevance.
It is a different matter when no phone, tablet, laptop or similar device is in plain sight. Too often in such investigations we see too much reliance on the investigators’ own observation, or on taking the suspect at their word when they say they have no such devices. Are we going to settle for that old Nokia the suspect pulls out of a drawer?!
Through digital triage, extracts can be obtained on the spot from the many digital sources, and these can reveal the presence of digital sources that were previously unknown.
Digital triage is the first investigative step of the forensic examination. The digital triage comes in two forms, live triage and post-mortem triage. The primary goal of the live triage is a rapid extraction of an intelligence from the potential sources.
Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions
Vacius Jusas, Darius Birvinskas and Elvar Gahramanov
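One way an on-the-spot triage extract can surface devices nobody has put on the table, as an added example that is not part of the original article: it cross-checks a home router's DHCP leases against the inventory of seized devices. The dnsmasq-style lease format, the function names and all sample values are assumptions made for this illustration.

```python
# Added example. Lease lines, MAC addresses and hostnames are constructed sample data.

SAMPLE_LEASES = """\
1551780000 3c:5a:b4:11:22:33 192.168.1.10 laptop-living-room 01:3c:5a:b4:11:22:33
1551781200 a4:77:33:44:55:66 192.168.1.11 android-phone *
1551782400 da:a1:19:0a:0b:0c 192.168.1.12 * 01:da:a1:19:0a:0b:0c
1551783600 00:17:88:aa:bb:cc 192.168.1.13 smart-light-hub *
garbage line
"""

# MAC addresses of devices already seized (constructed).
SEIZED_MACS = {"3C-5A-B4-11-22-33"}

def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the locally-administered bit is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def parse_leases(text):
    """Parse dnsmasq-style lease lines: expiry, MAC, IP, hostname, client-id."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mac = normalize_mac(fields[1])
        if mac is None:
            continue
        leases.append({"mac": mac, "ip": fields[2],
                       "hostname": None if fields[3] == "*" else fields[3],
                       "randomized": is_locally_administered(mac)})
    return leases

def unaccounted_devices(leases, seized_macs):
    """Return leases whose MAC matches no seized device."""
    seized = {normalize_mac(m) for m in seized_macs}
    return [lease for lease in leases if lease["mac"] not in seized]

if __name__ == "__main__":
    for d in unaccounted_devices(parse_leases(SAMPLE_LEASES), SEIZED_MACS):
        note = "randomized MAC: match on other traits" if d["randomized"] else ""
        print(d["ip"], d["mac"], d["hostname"] or "<no hostname>", note)
```

A lease flagged as randomized will not match the hardware address printed on a device, so such entries need to be tied to a device by other means before they are counted as accounted for.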
If in doubt, it makes sense to secure a little more digital data than seems relevant at first. Collecting it afterwards is not always possible, because devices have been taken away or data has been overwritten.
In summary: increase the likelihood of success of the investigation by identifying as many data sources as possible. A first digital triage provides insight, after which the collection of digital data can be started. Proportionate and, hopefully, including the smoking gun!
