What is Computer and Mobile Phone Forensics?
Computer and mobile phone forensics is the identification, collection, preservation, acquisition, investigation, analysis and reporting of digital devices and data present on them so that any information identified is admissible in court proceedings.
The findings of any examination should be provided in an understandable and clear format and be supported by a technical or expert witness who is able to explain their findings to a variety of people who may be involved in a trial or the final court hearing.
Who Can Use Computer and Mobile Phone Forensics?
Anyone can use a computer or mobile phone forensic investigation service to identify and retrieve data from their device.
Law enforcement use computer and mobile phone forensics in any case where a digital device may be involved. This is conducted to secure and obtain evidence to form the basis of a case or to support other, more fundamental evidence within a Prosecution case.
Evidence present on a mobile phone or computer can also be used by a Defendant in a case to prove their innocence, for example, text messages sent or received on a mobile phone or Internet activity on a computer may show activity and/or intent that differs from the allegations being made by the Prosecution in a case.
A company may use computer and mobile forensic techniques to assess the activities of an employee to determine whether a breach in contract has occurred, for example, to identify browsing inappropriate websites or copying or distributing confidential client information including the examination of deleted emails from a server or workstation.
A private individual may require digital forensic services to identify whether a partner has been communicating with another party.
What Guidelines are there for Digital Forensic Providers?
The ACPO Guidelines set out 4 main principles that must be adhered to when handling digital evidence. They are as follows:
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Why are the 4 Principles of Digital Evidence Necessary?
The 4 principles of digital evidence are required to ensure that any such evidence produced from a computer or a mobile phone and placed before a court as part of legal proceedings is subject to the same rules and laws that apply to any other evidence. They also ensure that the evidence relied upon is no more and no less now than when it was first seized, so that it is an accurate reflection of the ‘crime scene’, and that an independent third party could review the findings and achieve the same result.
If, for example, a computer or mobile phone was switched on whilst in Police custody in an uncontrolled manner, the operating system would automatically alter the data present, including Internet activity and time stamps, and could overwrite live or deleted data, resulting in the loss of potential evidence.
A forensic copy of the computer or mobile phone should be acquired in a manner that does not cause the data present to be altered through the use of a write blocking hardware unit or through software. If starting the device is absolutely necessary, the individual responsible should be sufficiently qualified and experienced to be able to explain the consequences of that alteration.
The Processes Involved in the Examination and Investigation of Computer and Mobile Phone Evidence
In order to adhere to the main principles there are stages that a computer forensic investigation should follow. These stages often vary according to the type of device involved and the type of potential evidence present on it; however, they are summarised in general below.
Seizure and Handling
It is critical to establish and follow strict guidelines and procedures when seizing digital evidence, in the same way as for any other evidence. The seizure should be documented and the evidence secured sufficiently so that it can be uniquely identified and so that no destruction or alteration of the data present can take place.
Normally, the time/date and person responsible for the seizure, as well as the location would be noted contemporaneously.
It is often necessary for a device to be examined onsite, rather than taken away from the user, so that they can continue working with the device if it is essential to their business. In this event, whilst an onsite search is often less thorough than an offsite examination, a decision could be made for a search of the device to be conducted at the scene. Any procedures employed to examine a device onsite should adhere to the same principles to ensure that no alteration or loss of data takes place.
If seizure has taken place then the device can be transported securely to the storage location. The device would be conveyed securely without being subjected to any actions or environments likely to cause damage to it. The device would be booked into the property storage location and any subsequent movement of the device recorded in a log.
In order that an examination of the device can take place, the data present upon it also needs to be secured. This normally involves acquiring, where possible, a physical copy of the data present or, often, a logical copy. The copy of the data would then be used to form the basis of the examination and investigation.
During the acquisition of any data present, a contemporaneous record of actions and activities taken with the device or the hard drive, memory card or SIM card within it should be taken. The serial or unique numbers that can be used to specifically identify it are recorded and even photographed to ensure that it can be proven that the correct device was examined and the correct procedures were employed in obtaining an accurate and complete copy of the content of the device.
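The acquisition and verification step described above, as an added illustration that is not part of the original article: the acquired image is hashed and compared with the source, and the outcome is written to a timestamped audit trail so that an independent examiner can repeat the check (Principle 3). The device file, exhibit reference and examiner name are constructed sample values.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_acquisition(source_path, image_path):
    """A copy is 'verified' only if its hash matches the hash of the source medium."""
    src, img = sha256_file(source_path), sha256_file(image_path)
    return {"source_sha256": src, "image_sha256": img,
            "image_bytes": os.path.getsize(image_path), "verified": src == img}

def append_audit_record(log_path, examiner, exhibit_ref, action, result):
    """Append one contemporaneous entry (JSON lines) to the audit trail."""
    record = {"timestamp_utc": datetime.now(timezone.utc).isoformat(),
              "examiner": examiner, "exhibit": exhibit_ref,
              "action": action, "result": result}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record

def demo(tamper=False):
    """Constructed walk-through: a stand-in 'device' is imaged, hashed and logged."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "device.bin")   # stands in for the seized medium
    image = os.path.join(work, "exhibit01.dd")  # stands in for the acquired image
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 16)         # deterministic sample content
    shutil.copyfile(source, image)
    if tamper:                                  # simulate a copy altered after imaging
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\x00")                    # byte 100 was 0x64, so this is a change
    result = verify_acquisition(source, image)
    return append_audit_record(os.path.join(work, "audit.jsonl"),
                               examiner="A. Examiner (constructed)",
                               exhibit_ref="EXHIBIT-01 (constructed)",
                               action="acquire and verify image", result=result)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```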
The Examination Process
Once an accurate and verified copy of the evidence has been acquired, the investigation and analysis of that digital evidence can take place.
The process of the examination relates specifically to the type of device to be examined, the specific nature of the investigation and the type of evidence that is being sought.
However, the process would include the use of specialist computer or mobile phone forensic software so that all of the live, deleted and hidden data can be included and considered as part of the examination. Additional software may be required to consider certain specific types of data, including through the use of virtual machines to replicate the operating system and the behaviour of it on the device.
It is also important at this stage, where possible, to identify any user-specific activity that could allow the responsible user to be identified, and to test any theories that may be formed during the course of the digital investigation and examination.
Documenting and Reporting
Once the digital evidence has been examined, the findings of the investigation should be documented in a clear and concise format so that it can be considered by the instructing party and, if necessary, by the court.
The report should be completely free of bias and written by an individual sufficiently qualified and experienced to provide the type of report being produced. If the individual is providing a technical report then they should not offer opinion within it. If the individual is considered to hold an expert level of training and/or experience, then the report can include not only factual technical information but also expert opinion based upon the evidence found.
The findings and the reasons for the conclusions should also include detailed information to explain the evidence used and the rationale behind those findings. The report should provide enough material so that an independent third party examiner could identify the same data and consider it at a later date and adhere to the necessary requirements for the court due to hear the evidence (criminal, court martial or civil).
Expert Witness Testimony
Ultimately, it may be necessary for the examiner/expert to provide their examination findings verbally at court.
Initially that is likely to be to legal representatives in a conference to explain the findings and reasoning and to clarify any points that may arise from the report.
Once the final proceedings have begun, if the evidence identified during the examination is significant to the case then it is likely that verbal evidence would be required to explain the processes and procedures undertaken as well as the findings made as a result of the examination.
Depending upon the type of report produced and the acceptance by the court, the evidence given may include expert testimony which can include opinion based upon fact, however, any opinion and findings must be independent of any instruction and limited to assisting the court in the pursuit of truth and fact.
Written by Matthew Jackson BSc (Hons) MCSFS MBCS MEWI – Computer and Mobile Phone Expert Witness for 17 Years
Director, Senior Forensic Consultant and Expert Witness at Athena Forensics