Book excerpt: ‘Criminal Justice Technology in the 21st Century, 4th Ed.’ – Police1

Editor’s note: “Criminal Justice Technology in the 21st Century, 4th Ed.” by Laura J. Moriarty comes just about five years after the COVID-19 pandemic, when technology took a more prominent role in our everyday lives and, more importantly, in the criminal justice system. This is an excerpt from chapter 8, Digital Forensics, which explores the principles, processes, tools and legal considerations involved in digital forensics, including the identification, preservation, analysis and presentation of digital evidence in criminal investigations.
The utilization of digital technology to investigate digital-based crimes has brought forth one of the newest, constantly evolving fields of law enforcement: digital forensics. There are several definitions of digital forensics, including strict policing, scientific, and broad legal code definitions. The policing definition is narrow in focus and identifies digital forensics as “the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable” (McKemmish, 1999). The forensic definition is more scientific in its approach. It defines the concept as the “collection of techniques and tools used to find evidence in a computer” (Caloyannides, 2001), while the legalistic definition is the broadest and defines computer forensics as “the preservation, identification, extraction, documentation, and interpretation of computer data” (Kruse & Heiser, 2002).
One can see the common aspects and unique differences based on the disciplines in which these definitions have been created. Digital forensics draws on both technical skills with computers and digital devices and criminal investigation skills. Further, skilled practitioners require the combination and effective utilization of both of these skill sets within the court system. Law enforcement professionals must not only understand the complexities and appropriate techniques associated with utilizing technology to investigate crimes and collect evidence, but they must also maintain legally acceptable procedures and have a thorough knowledge of the various case law surrounding each investigation. These complexities highlight how digital forensics draws from many disciplines within the criminal justice system. As a result, there must be a fundamental understanding of the various definitions of digital forensics and the primary areas associated with the discipline if one hopes to accurately investigate digital crimes in a judicially appropriate manner.
Along with the primary areas of digital forensics, there are also some uniform activities that all criminal justice professionals should recognize and should do when processing a crime scene with digital evidence. To that end, six principles exist for seizing and handling digital evidence. First, all of the general forensic and procedural principles must be applied when dealing with digital evidence. Second, upon seizing digital evidence, actions taken should not change or alter that evidence. Third, when a person must access original digital evidence, that person should be trained and authorized for the purpose. Fourth, all activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. Fifth, an individual is responsible for all actions taken concerning digital evidence while it is in their possession. Sixth, any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Most law enforcement agencies either have an in-house digital forensic unit or utilize a state or federal digital forensic unit as needed. These units usually focus exclusively on the storage, forensic analysis, and reporting of the processed evidence.
According to most digital forensic experts, there are basic fundamental components that, if followed, increase the likelihood of the digital forensic evidence being legally acceptable. These methods include properly identifying, collecting, and preserving the evidence; maintaining validated lab and examination tools; maintaining a documented chain of custody; conducting a forensically sound examination of the evidence; analyzing and interpreting findings within the scope of the warrant; and documenting and presenting the digital evidence and analysis. Following these methods results in evidence that is handled in a legally appropriate manner and is effective and acceptable in the courtroom (Baryamureeba & Tushabe, 2011).
The identification of technological evidence is the process of identifying what technological evidence is present at a crime scene, what evidentiary material it may contain, and establishing an appropriate plan for removing the evidence from the crime scene while maintaining its authenticity (Casey, 2002). Before collecting evidence at the crime scene, first responders ensure that legal authority exists to seize evidence, the scene is secured and documented, and appropriate personal protective equipment is used (U.S. Department of Justice, 2009). This allows both the lead investigator and the forensic examiner to determine what items to include in a search warrant and to form the most effective plan for the search and seizure of evidence.
Preserving electronic evidence is the key aspect of forensic computing concerning the judicial system. The digital forensic process commences with the seizure of the computer. Generally, this process begins with acquiring a bitstream image of the original evidence storage media, usually hard disk drives, but also includes CDs, DVDs, portable USB drives, smartphones, cell phones, etc. A bitstream image replicates all data versus a “copy” that may only contain current data accessible by the operating system. This bitstream image is made while simultaneously protecting the integrity of the original evidence, thereby preserving the authenticity of the original electronic evidence. Thus, examiners use either hardware write-blocking devices or software write-blocking programs. Write-blocking prevents data from being added, removed, or altered on the original device. Using either a hardware or software write-blocking device, additional software is used to make the bitstream image and to hash the image. Once the original evidence has been imaged and hashed, the original evidence is stored according to operating procedures. It is after the imaging process occurs that the actual examination begins.
During the preservation phase, all processes must be recorded and documented for presentation in court. To be successful in court, the forensic examiner must be able to document the process utilized in the extraction. Accurately conducted and clearly documented preservation of digital evidence allows for the effective prosecution of criminals in the courtroom. However, when the process is not accurately conducted or clearly documented, the evidence becomes more beneficial for the defense to establish doubt about the case.
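As an added illustration of the imaging, hashing and documentation steps described in the two paragraphs above (example code written for this excerpt, not from the book or from any of the tools it names), the following Python script bitstream-copies constructed sample media block by block, hashes the source as it is read and the finished image afterwards, records both hashes in an append-only custody log, and re-verifies the image before examination. The media contents, file names and examiner identifier are constructed for the example; a write-blocker is assumed to protect the real device and is represented here only by opening the source read-only.

```python
import datetime, hashlib, json, os, tempfile
BLOCK = 512  # sector-sized reads: the imager copies every block, allocated or not

def build_sample_disk(path):
    # Constructed sample media (not real disk data): one live file block, then
    # unallocated space that still holds the remnant of a deleted file.
    live = b"LIVE FILE: quarterly report v3".ljust(BLOCK, b"\x00")
    deleted = b"DELETED REMNANT: original draft".ljust(BLOCK, b"\x00")
    with open(path, "wb") as f:
        f.write(live + deleted + b"\x00" * BLOCK)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, custody_log, examiner):
    """Bitstream-copy source to image, hash both, and log the result."""
    src = hashlib.sha256()
    # Source opened read-only; a hardware or software write-blocker enforces
    # this at the device level regardless of what the imaging host does.
    with open(source, "rb") as s, open(image, "wb") as d:
        for block in iter(lambda: s.read(BLOCK), b""):
            src.update(block)  # hash the original as it is read
            d.write(block)
    entry = {"time_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
             "examiner": examiner, "source": source, "image": image,
             "source_sha256": src.hexdigest(), "image_sha256": sha256_file(image)}
    entry["verified"] = entry["source_sha256"] == entry["image_sha256"]
    with open(custody_log, "a") as log:  # append-only record for later review
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_image(image, recorded_sha256):
    """Re-hash an image before examination; False means the copy has changed."""
    return sha256_file(image) == recorded_sha256

def run_demo():
    """Image constructed media, confirm the deleted remnant was captured, then show a one-byte edit is caught."""
    d = tempfile.mkdtemp()
    disk, img, log = (os.path.join(d, n) for n in ("disk.raw", "disk.dd", "custody.jsonl"))
    build_sample_disk(disk)
    rec = acquire_image(disk, img, log, "examiner-1")
    with open(img, "rb") as f: image_bytes = f.read()
    with open(img, "r+b") as f:  # simulate an altered image
        f.seek(BLOCK); f.write(b"X")
    return {"verified": rec["verified"], "image_size": len(image_bytes),
            "remnant_in_image": b"DELETED REMNANT" in image_bytes,
            "tamper_detected": not verify_image(img, rec["image_sha256"])}
```

The remnant check shows why a bitstream image rather than a file-level copy is required: the deleted draft lives in unallocated space that a file copy would never touch.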
Digital evidence is analyzed and interpreted solely on the bitstream image (“Forensic Copy”). After the data have been extracted from the electronic medium, they must be analyzed and presented in an understandable and useable manner for investigation. This component is the most commonly recognized aspect of digital forensics, allowing the forensic examiner to serve as a translator of the electronic data for the criminal investigator. When electronic data is recovered, it must be analyzed and translated into a form meaningful to the investigation.
A variety of software tools allows the forensic examiner to do this. Most examiners use automated forensic software tools. The software most often used falls into two main categories: (1) primary forensic products that image, hash, and analyze, and (2) secondary/supplementary forensic products that perform limited or narrower functions. The most frequently used products are EnCase, Forensic Toolkit (FTK), and ILook, all examples of widely used forensic software tools.
These all-inclusive products create bitstream images, provide hash values, have multiple search and analysis features, and create forensic reports. Each of these “big three” forensic products has a GUI-based interface that allows examiners to manage large volumes of data easily, display all data (deleted files, file slack, and unallocated space), search the data, and generate reports. Each of these products has strengths and weaknesses, and it is best to have various computer forensic tools available.
Other forensic software products also exist for special circumstances and features. For example, E-mail Examiner analyzes e-mails particularly well and allows the examiner to view the data in a “native” format. NetAnalysis processes both the Internet History files and the unallocated areas for Internet and network activity. NavRoad displays HTML and Internet image files offline. Password Recovery Toolkit recovers passwords on protected files and systems. ACDSee displays virtually all graphic files. Finally, Mobile Forensics is useful in retrieving data from most cellphones in the U.S. Many other forensic tools also exist. Ultimately, these tools allow examiners to offer law enforcement professionals more evidence to investigate criminal offenses.
The presentation of the electronic evidence is the final component of the forensic computing process. Law enforcement professionals must be able to present the electronic evidence to succeed in court. The examiner or other appointed law enforcement professional must be able to explain how the evidence is extracted, maintained, analyzed, and utilized in the overall criminal investigation. A key aspect of discovery focuses on the training, the qualifications, and the ability of the forensic examiner and criminal investigator to present the highly technical evidence understandably in the courtroom. The presentation determines the effectiveness of the digital forensics process and its impact on the crime (Casey, 2002).
About the authors
Chapter 8 of “Criminal Justice Technology in the 21st Century” was written by Christine Bryce, Robyn D. McDougle and Jessica Robertson. Order a paper or eBook from Charles C Thomas Publisher, Ltd.
Copyright © 2025 Lexipol. All rights reserved.