By Dr. Jarrod Sadulski
Faculty Member, Criminal Justice
Seizing digital evidence from cell phones or computers is common in criminal investigations because technology is routinely used in the commission of crime. Human trafficking, drug trafficking, child pornography, stalking, homicides and identity theft are just some of the crimes that commonly involve the use of technology.
Computers typically hold digital evidence in their temporary internet files, cookies and browsing history. Computer hard drives are also a source of evidence. Similarly, cell phones contain evidence in text and call records, browsing data, and photographs stored on the phone.
The Proper Collection of Digital Evidence
For criminal investigators and first responders, it is critically important that digital evidence is properly collected and not lost. Avoiding the loss of such evidence can be challenging because criminals may have systems in place that destroy data if an electronic device is seized by law enforcement. This protection may include anti-forensic techniques that erase data if the proper code is not entered into the device, or remote access tools that destroy data once a smartphone or computer is in police custody.
Avoiding Data Manipulation on Seized Devices
To prevent the loss of valuable digital evidence, one of the first steps officers should take when collecting a computer or cell phone is to avoid data manipulation. For example, if the device is powered off, then it should remain off. If the computer or cell phone is on and something is being displayed on a screen, photographs of the information on that screen should quickly be taken.
To assist forensic investigators later in active investigations, field officers or crime scene technicians should photograph connected devices and their computer cords. Seizing power cables along with the device is also important. The way a device is seized and placed into evidence should be properly documented in a police report.
Protecting Seized Devices from the Remote Destruction of Evidence
Another important step to preserve digital evidence is to prevent the phone or computer from communicating with another electronic device or receiving wireless communications. This tactic is essential in preventing a criminal from remotely destroying evidence.
For instance, a device seized during the collection of evidence could be placed in antistatic packaging that blocks communication to the device, such as a Faraday bag. A Faraday bag prevents signals from being sent from or received by an electronic device, such as a cell phone or laptop computer.
With cell phones, removing the subscriber identification module (SIM) card prevents the device from connecting to a cellular network. It also prevents anyone from remotely accessing information on the phone and destroying digital evidence.
For cell phones, it is best to remove the battery on devices that are already off. For cell phones that are powered on, place the phone in airplane mode.
Preserving Digital Evidence on Stand-Alone Computers
When police officers seize stand-alone computers, such as a household or business desktop computer, there are several steps that can be taken to preserve digital evidence. First responders who seize the computer may move the mouse without pressing any other buttons to photograph what is on the screen. If the computer is running destructive software that deletes information, then the device’s power should immediately be disconnected.
When police officers investigate and collect field evidence involving cell phones and computers, they should not attempt to locate digital evidence without a computer forensic examiner. Otherwise, digital evidence can inadvertently be destroyed. For example, incorrect password attempts may lock up a phone permanently.
To help patrol officers properly collect cell phone and computer evidence in the field, recurrent training should be included in the agency’s annual in-service training. That training will help officers remain current on best practices for collecting digital evidence.