Digital evidence and the U.S. Criminal Justice System. Identifying technology and other needs to more effectively acquire and utilize digital evidence.

Abstract
With digital devices becoming ubiquitous, digital evidence is increasingly important to the investigation and prosecution of many types of crimes. This report describes results of a research effort to identify and prioritize criminal justice needs related to digital evidence collection, management, analysis, and use.


RAND Corporation
Sean E. Goodison, Robert C. Davis, and Brian A. Jackson
Key findings
Law enforcement attendees were unanimous in noting the considerable quantity of evidence analyzed by examiners and challenges in obtaining the necessary support, in terms of both funding and staffing.
Both law enforcement and courtroom participants in our workshop noted potential difficulties with prosecutors not understanding elements of digital evidence. Judges, juries, and defense attorneys also have a stake in appropriate use of digital evidence. Of these, defense attorneys appear to be farthest behind the curve, but are likely to catch up quickly.
The discussions of the panel identified 34 different needs that, if filled, could improve the capabilities of the criminal justice system with respect to digital evidence. Nine top-tier needs were identified through the Delphi process as highest priority.
Major shifts in the information technology landscape over the past two decades have made the collection and analysis of digital evidence an increasingly important tool for solving crimes and preparing court cases. As technology has become more portable and powerful, greater amounts of information are created, stored, and accessed. Modern devices can serve as huge repositories of personal information yet be carried in a pocket and accessed with a single hand or even voice command. There is a clear benefit to having ample information to obtain convictions, but law enforcement and other criminal justice partners need to balance the recovery and admissibility of digital evidence with privacy concerns. This work discusses the rise of digital evidence, unique challenges, and the results of a workshop held to prioritize needs in digital evidence processing.
INTRODUCTION
While digital evidence exploitation is a relatively new tool for law enforcement investigations, law enforcement relies extensively on digital evidence for important information about both victims and suspects. Given the potential quantity of digital evidence available, cases where such evidence is lacking are more difficult to develop leads for and to solve. Three recent investigations illustrate the importance of digital evidence for the criminal justice community—one case presents an example of how digital forensics can be central to case closure and prosecution, another case demonstrates how digital evidence missteps can have serious implications, and the final case highlights the challenges for modern investigation when digital evidence is limited or does not exist.

Christian Aguilar
In September 2012, University of Florida freshman Christian Aguilar disappeared after last being seen with his friend, Pedro Bravo, at a local Best Buy (Burch, 2014). Aguilar’s remains were found about three weeks later more than 60 miles west in a shallow grave. Police suspected Bravo had something to do with the disappearance and death; searches found some blood in Bravo’s car, and he was in possession of Aguilar’s backpack. Aguilar and Bravo had attended the same high school, and there was a potential motive in that Bravo had been upset that Aguilar had started a relationship with Bravo’s ex-girlfriend.
However, digital evidence made this circumstantial case far stronger. Digital examiners had access to Bravo’s cell phone and found numerous key pieces of evidence. In the cache for the phone’s Facebook app, examiners found a screenshot of a Siri search made near the time of Aguilar’s disappearance that read, “I need to hide my roommate.” While Bravo’s phone did not have the Siri feature, the record was maintained because he used Facebook to access the option. Analysis of pings, or determining the tower that received a signal from the cell phone, showed that Bravo had headed far to the west after the disappearance. Finally, examiners were able to determine that the flashlight application on the phone had been used for over an hour just after the disappearance. As a result of this evidence, Bravo was brought to trial in August 2014 and convicted of first-degree murder.
Casey Anthony
The murder trial of Casey Anthony in 2011 captured national media attention in the United States. Anthony reported her two-year-old daughter, Caylee, missing in 2008. She claimed Caylee was last seen being dropped off with a babysitter, though she did not report the incident to police until over one month later. The State of Florida arrested Anthony on charges of child neglect, false statements, and obstruction. As the police investigation continued, physical evidence from Anthony’s car suggested potential homicide, which led to a grand jury indicting her on murder charges as well. Months after the indictment, Caylee’s remains were found in a wooded area near her home.
During trial, the state argued that digital evidence would prove Anthony searched for information on various homicide-related issues (methods, techniques, etc.) on the day her daughter was last seen. Most such evidence focused on Internet browser searches. Digital investigators initially used software that later would be found highly inaccurate (Alvarez, 2011). Investigators testified that Anthony’s browser searched 84 times for “chloroform,” a chemical that had been found in her car trunk; however, the software designer later discovered serious faults in the program and subsequently testified that the term was only searched for once. This error likely contributed to the reasonable doubt jurors found when they acquitted Anthony of first-degree murder, especially since the correction occurred during trial.
Interestingly, further evidence came to light in the years after the trial to suggest more digital evidence mistakes that served to further weaken the case. Investigators used tools that only tapped into Microsoft’s Internet Explorer history. While technicians determined the computer was being used through a password-protected account of Anthony’s, thus strongly suggesting it was Anthony and not other family members using the computer, their software missed that Anthony preferred Mozilla’s Firefox browser; as a result, investigators did not have information on more than 98 percent of the browser history records at trial, including a search for “foolproof suffocation” (Pipitone, 2012).
Philip Welsh
Philip Welsh was murdered in his home in Silver Spring, Maryland, in February 2014 (Morse, 2014). He worked as a taxicab dispatcher for many years, and in the workplace he used computers and technology daily. However, he eschewed all digital devices in his private life. Welsh did not own a cell phone or computer, instead relying on landlines, typewriters, and hand-written letters. Even his television was an older, cathode ray tube model. By all accounts, Welsh was perfectly happy without modern technological devices; friends and family would prompt him to try a new device or the Internet, but Welsh preferred nondigital technology.
Welsh did not report for work one day and was found murdered in his home. He lived alone and had no known enemies; in fact, he was well-liked and often left his home open to taxi drivers who needed a place to sleep between shifts. With a limited pool of leads, the lack of digital evidence was even more noticeable. Investigators have no ready way to determine what Welsh’s activities were or whom he met without evidence like text messages, email, and web history. As of this publication, the murder of Philip Welsh remains unsolved, and officials note that this is in considerable part due to the lack of digital evidence.

Abbreviations
CALEA: Communications Assistance for Law Enforcement Act
CCTV: closed-circuit television
ECPA: Electronic Communications Privacy Act
GPS: Global Positioning System
ISP: Internet service provider
IoT: Internet of Things
MLAT: mutual legal assistance treaty
NIJ: National Institute of Justice
NIST: National Institute of Standards and Technology
PERF: Police Executive Research Forum
PPA: Privacy Protection Act
VoIP: Voice over Internet Protocol
The Nature of Digital Evidence
Digital evidence is conceptually the same as any other evidence: it is information leveraged in an attempt to place people and events within time and space to establish causality for criminal incidents. However, digital evidence has a wider scope, can be more personally sensitive, is mobile, and requires different training and tools compared with physical evidence. This section incorporates a general classification system to understand types of digital evidence and techniques for extracting data from digital devices.
Digital evidence is “information and data of value to an investigation that is stored on, received, or transmitted by an electronic device” (National Institute of Justice [NIJ], 2008). While such evidence has existed for decades in limited forms, such as mainframe computers and telephonic systems, the importance of processing digital evidence has increased with the rapid proliferation of personal electronic devices. The 21st century has been partially defined by advances in portable music players, cell phones, and computing devices. The U.S. Supreme Court recently noted that cell phones are not simply communication devices, but rather microcomputers that can serve as a telephone, calendar, diary, and email system; the “element of pervasiveness that characterizes” modern technology (see the discussion of Riley v California later in this section) results in three characteristics central to understanding how digital evidence differs from traditional physical records and evidence: (1) digital evidence has a wider scope, (2) it deals with both physically and personally sensitive information, and (3) it taps into interconnected criminal justice issues that go beyond law enforcement’s typical role in collecting evidence.
Types of Digital Evidence
The wide range of digital devices and extraction processes yields a commensurate potential for recoverable evidence. We briefly note the most common outcomes from digital evidence processing. This listing is not exhaustive but does touch on the major areas of evidence, providing both a picture of the range of ways digital evidence can affect criminal justice and the potential challenges faced by agencies in collecting, analyzing, and utilizing it.
Internet
Some of the first digital evidence used in law enforcement investigations came from communication websites, particularly message boards and chat rooms. These types of sites continue to be a source of information for current investigations, though the proliferation of other Internet and Internet-enabled technologies means that they are now numbered among many potential sources of evidence. Both message boards and chat rooms allow users to read and respond to chains of communication either as an archive or in real time. There are a number of law enforcement challenges in using these sources. The locations and addresses of such sites are not always public knowledge, meaning that initial intelligence work or online searching may be required to find the sites. Users rely on anonymity and potentially encoded or encrypted communications to prevent most readers from understanding the communication and identifying the participants. The worldwide nature of the Internet complicates this, as even a successful identification may yield an individual outside the investigator’s jurisdiction. Still, these sites can provide useful intelligence and indicate linkages between participants.
File-sharing networks are another major source used during investigations. These networks connect users to transfer data files, such as pictures and video. Numerous major file-sharing networks have been shut down or revamped following law enforcement investigations and legal action, particularly in reference to copyright violations and the exchange of other illegal materials. Users can be tracked, and downloaded files can often be linked to specific IP addresses. For example, a music copyright case may be less concerned with a specific music file than it is with the statutory violation of the copyright and with which users participated. However, the content of the transfers can also be relevant to a case, such as in child pornography investigations.
Some Internet technologies have been designed specifically to enable hiding the identity and location of individuals who are accessing or sharing information. For example, the Tor Project provides a high degree of anonymity for Internet users. Developed through funding primarily from the U.S. government, the Tor Project was designed to enable safer Internet access by individuals in countries with considerable censorship or repressive regimes. However, the system is now used worldwide to mask legal and illegal activities through Tor’s “onion” security protocols that encrypt information multiple times over. Some major illegal activities using Tor, such as the Silk Road trading site that featured a wide market of illicit drugs, have been shut down by law enforcement in recent years. These types of sites are part of the Deep Web, which is the area of the Internet not covered through standard search engines like Google or Yahoo.
Computers
There is a wealth of potential digital evidence on a personal computer. Many of these items can be obtained through a manual or logical extraction process. While some of the evidence overlaps with information found online, there are a few notable sources that can be found on a physical device rather than on the Internet.
When browsing the Internet, programs will often maintain temporary Internet files, cookies, and a browsing history. Each of these items can be used in an investigation to determine the user’s web activity. In fact, temporary files and cookies are typically used by websites themselves to track users and store information.
Email and other messages may be found on the physical computer as well. Though most email is held on Internet servers—which themselves can be a target of law enforcement, as seen in recent court cases against Google and Microsoft—some messaging software archives prior messages onto a computer hard drive.
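The browser-history lessons of the Anthony case (count actual visit records rather than trusting a tool's tally, and examine the store of every browser present) can be made concrete. This is an added example, not code from the report; the table and column names are the ones Firefox uses in its places.sqlite history database, but the schema is trimmed to the columns used here and every row of data is constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed in-memory copy of the two Firefox history tables an examiner queries:
# moz_places (one row per URL) and moz_historyvisits (one row per visit), reduced to
# the columns used here. Firefox stores visit_date as microseconds since the Unix epoch.
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT, visit_count INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL,
    visit_date INTEGER NOT NULL, visit_type INTEGER);
"""


def _us(year, month, day, hour, minute) -> int:
    """UTC timestamp in microseconds, the unit of Firefox's visit_date column."""
    dt = datetime(year, month, day, hour, minute, tzinfo=timezone.utc)
    return int(dt.timestamp() * 1_000_000)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; the cached visit_count of place 1 is deliberately wrong."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (1, "https://www.google.com/search?q=chloroform", "chloroform - Google Search", 84),
        (2, "https://en.wikipedia.org/wiki/Chloroform", "Chloroform - Wikipedia", 1),
        (3, "https://example.org/news", "News", 2),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, _us(2008, 6, 16, 14, 52), 1),
        (2, 2, _us(2008, 6, 16, 14, 53), 1),
        (3, 3, _us(2008, 6, 16, 9, 10), 1),
        (4, 3, _us(2008, 6, 17, 9, 12), 1),
    ])
    return conn


def visit_records(conn, term):
    """One row per recorded visit to a URL whose address or title contains `term`."""
    pat = f"%{term.lower()}%"
    rows = conn.execute(
        """SELECT p.url, v.visit_date FROM moz_historyvisits v
           JOIN moz_places p ON p.id = v.place_id
           WHERE lower(p.url) LIKE ? OR lower(p.title) LIKE ?
           ORDER BY v.visit_date""", (pat, pat)).fetchall()
    return [(url, datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc))
            for url, us in rows]


def cached_vs_actual(conn, term):
    """(url, cached visit_count, number of visit rows) for each matching place.
    A mismatch means the cached counter cannot be quoted as the number of searches;
    the visit rows, each with its own timestamp, are the evidence."""
    pat = f"%{term.lower()}%"
    return conn.execute(
        """SELECT p.url, p.visit_count, COUNT(v.id) FROM moz_places p
           LEFT JOIN moz_historyvisits v ON v.place_id = p.id
           WHERE lower(p.url) LIKE ? OR lower(p.title) LIKE ?
           GROUP BY p.id ORDER BY p.id""", (pat, pat)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for url, when in visit_records(db, "chloroform"):
        print(when.isoformat(), url)
    for url, cached, actual in cached_vs_actual(db, "chloroform"):
        flag = "" if cached == actual else "  <-- cached count disagrees with visit rows"
        print(f"{url}: cached={cached} actual={actual}{flag}")
```

The same cross-check applies to every other browser profile found on the machine (Chrome, for instance, keeps its urls and visits tables in a SQLite file named History), which is the coverage gap that left 98 percent of the records unexamined in the Anthony case.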
Portable Electronics
Currently, digital evidence processing from portable electronics such as cell phones is the primary focus of interest to examiners and researchers. Within the past decade, the use and power of such devices has increased drastically, leading to mass-marketed small electronics containing potentially more personal information than any prior combination of electronic and physical sources, all in one portable device.
There should be no surprise that cell phones are the dominant interest within the field of digital evidence. These devices are nearly ubiquitous in our modern society, have undergone a revolution of capabilities during the 21st century, and present new legal challenges such that the U.S. Supreme Court recently ruled that a warrant is required for most searches of cell phones at a scene. According to industry surveys, the number of wireless subscriptions in the United States currently exceeds the total population (336 million subscriptions to 313 million population); this subscription estimate is more than double the count from ten years ago of 159 million (Annual wireless industry survey, 2014). As Chief Justice John Roberts noted in the Riley decision, cell phones are “microcomputers” that serve a large number of critical uses for people. This is one reason why the Court ruled that law enforcement must have a warrant to search cell phones at a scene: unlike a piece of paper or other portable item, the information within a cell phone could be equivalent to large, nonportable items, such as ledgers, diaries, or personal computers. Additionally, cell phones have standard features allowing for photography, Global Positioning System (GPS) location, and text messaging distinct from email or other documents. These features nearly eclipse the fact that a cell phone is also a telephone, which often has a contact list, log of calls made and received, and call duration.
As technology progresses, portable electronics will be central in the Internet of Things (IoT) due to increased connectivity and integration. IoT generally refers to the interconnection of electronic devices to share a greater range of data (e.g., sensory inputs rather than simply manual entry) and provide automation of other tasks associated with electronics (e.g., controlling one’s DVD remotely or making changes to robotic factory lines). Portable electronics would serve as an input and output device, taking in environmental information and time-stamping changes while also providing users control over a wide array of other technological processes. In terms of digital evidence, the advancing power and storage in portable electronics suggest that connection with an IoT would result in far more data than seen currently, which could be both a blessing and a curse for investigations: automation could provide key evidence that may be difficult to alter or destroy, but the quantity of information could possibly overload investigative resources.
The first wave of this interconnected information involves uses of metadata, or detailed information about a particular piece of digital data such as a picture or document. Metadata provides an additional layer of encoded information within the main file. Examples of metadata are time stamps, geospatial information, or even copyright information. Often, the inclusion of metadata is automatic on mobile devices, though there are options to disable encoding. Such data have clear evidentiary value for investigations but can also tap into privacy concerns, given the range of additional information. Additionally, this data can be altered either directly or remotely by a knowledgeable technology consumer; as a result, investigation protocols will need to become more sophisticated as strategies shift focus onto metadata validation.
Extraction Techniques
Though initially created to describe mobile extraction tools (see National Institute of Standards and Technology [NIST], 2013), the hierarchy shown in Figure 1 is also useful to understand the challenges posed by digital evidence extraction generally. Each stage in the figure requires a different skill set and equipment and may yield evidence not obtainable through any other stage. Extraction is not simply scrolling through text messages or copying files from a hard drive, though such activities often represent the first stage of the extraction process.
Manual techniques involve using standard inputs included with or built into the device, such as touch screens or keyboards. This is the most basic level of extraction as it does not require specialized tools, though knowledge of file structure and operating systems will aid considerably in analysis. Manual extraction allows access only to information available through the standard interface. For example, deleted items would not be obtainable through this process, as deleted file clusters cannot be explored through basic point-and-click operations. This level of processing is comparable to sitting at a computer looking for a particular file by exploring file folders with a mouse and keyboard.
Logical extractions incorporate external computer equipment to provide commands through code to the targeted device. Examiners can use a number of different connection tools and software products to communicate with the device through the examiner’s computer, where extracted data would appear. This level of processing is comparable to using a DOS prompt to control a computer rather than a modern operating system. More precise control is available at the coding level, but
Figure 1: Digital Evidence Extraction Scheme (SOURCE: NIST, 2013; RAND RR890-1). The figure stacks five levels, from bottom to top: Manual extraction, Logical extraction, Physical extraction, Chip-off, Micro read.
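The difference between what a manual or logical pass can see and what a physical-level pass can recover (the deleted file clusters mentioned above) is illustrated by the following added example, which is not code from the report. The device image, its 512-byte JSON allocation table, and the two JPEG-shaped files are all constructed for the demonstration; the carving step uses the real JPEG start (FF D8 FF) and end (FF D9) markers, which is how header/footer file carvers locate images in raw storage.

```python
import json

# Constructed raw "device image": a JSON allocation table in the first 512 bytes followed
# by a data region. This layout is made up for the example, not a real file system; it
# models one fact the text relies on: deleting a file removes its table entry, but the
# file's bytes stay in the data region until they are overwritten.
TABLE_SIZE = 512
JPEG_START = b"\xff\xd8\xff"   # SOI marker followed by the first byte of the next marker
JPEG_END = b"\xff\xd9"         # EOI marker


def fake_jpeg(payload: bytes) -> bytes:
    """Build a minimal JPEG-shaped blob: SOI, one APP0 segment carrying payload, EOI."""
    app0 = b"\xff\xe0" + (len(payload) + 2).to_bytes(2, "big") + payload
    return b"\xff\xd8" + app0 + JPEG_END


def build_image(files: dict, deleted: set) -> bytes:
    """Lay the files out back to back; only names not in `deleted` keep a table entry."""
    table, data = [], b""
    for name, blob in files.items():
        if name not in deleted:
            table.append({"name": name, "offset": TABLE_SIZE + len(data), "size": len(blob)})
        data += blob + b"\x00" * 16          # a little slack space between files
    header = json.dumps(table).encode().ljust(TABLE_SIZE, b"\x00")
    return header + data


def logical_listing(image: bytes) -> dict:
    """What a manual or logical pass sees: only files the allocation table still references."""
    table = json.loads(image[:TABLE_SIZE].rstrip(b"\x00").decode())
    return {e["name"]: image[e["offset"]:e["offset"] + e["size"]] for e in table}


def carve_jpegs(image: bytes) -> list:
    """Physical-level recovery: scan the raw bytes for JPEG start/end markers, ignoring
    the table entirely. Like any header/footer carver, this returns a truncated blob if
    the footer byte sequence happens to occur inside a file body, so carved results still
    need validation (for example, by decoding them) before they are relied on."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_START, pos)
        if start < 0:
            return found
        end = image.find(JPEG_END, start + len(JPEG_START))
        if end < 0:
            return found
        found.append(image[start:end + len(JPEG_END)])
        pos = end + len(JPEG_END)


def demo():
    """Two photos are written and one is 'deleted'; compare what each level recovers."""
    files = {"vacation.jpg": fake_jpeg(b"photo-A"), "evidence.jpg": fake_jpeg(b"photo-B")}
    image = build_image(files, deleted={"evidence.jpg"})
    return logical_listing(image), carve_jpegs(image)


if __name__ == "__main__":
    listed, carved = demo()
    print("logical listing sees:", sorted(listed))       # ['vacation.jpg']
    print("carving recovers", len(carved), "JPEG blobs")   # 2
```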

References
From the authors
Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition
Forensic analysis of social networking applications on mobile devices
Human Trafficking Online: The Role of Social Networking Sites and Online Classifieds
The growing need for on-scene triage of mobile devices