Digital evidence is a term you will see more and more as cases progress through the criminal justice system. The digital realm has intersected with the physical realm so thoroughly that it is almost impossible to interact with one without leaving evidence in the other. So what does that mean for an investigator? Is physical evidence that much different from digital evidence?
Yes, very much so. Physical evidence is very tangible. What I mean by that is that you can hold it, turn it, look at it, and hand it to another person, and when you receive it back, it is still in the same condition as when it left your control. Some examples of physical evidence include fingerprints, tool marks, shell casings, and bloodstains: almost anything that exists in the physical realm that allows an investigator to determine what occurred. Digital evidence is much more fragile. Static electricity can kill a thumb drive full of digital evidence in a split second. Take precautions as you handle and collect digital evidence to ensure you do not make any unauthorized changes. Some examples of digital evidence are log files, digital images, Internet history, emails, or any digital device that was used during the incident in question.
How do you authenticate the digital evidence? How do you prove that the “copy” the investigator has is a true and accurate representation of what they found within the digital container?
The investigator should use a cryptographic hash function. Two of the more common cryptographic hashing algorithms used are MD5 and SHA-1. MD5 produces a 128-bit hash value and SHA-1 a 160-bit hash value; either value can be considered a digital fingerprint for a specific file. If anyone changes a single bit of the source file, a different hash value results. This makes it very easy to determine whether the file has changed since the investigator recovered it.
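As an added illustration (not the author's code), the script below records MD5, SHA-1 and SHA-256 digests of a constructed evidence file at "collection time", then flips one bit and shows that verification against the recorded digests fails. The file name and contents are constructed sample data; SHA-256 is included alongside the two algorithms named above because MD5 and SHA-1 are no longer collision resistant.

```python
import hashlib
import os
import tempfile

# SHA-256 is added to the two algorithms named in the article; MD5 and
# SHA-1 are still widely recorded but are no longer collision resistant.
ALGORITHMS = ("md5", "sha1", "sha256")

def fingerprint_chunks(chunks, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} computed over an iterable of byte chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def fingerprint(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file in chunks so a large capture need not fit in memory."""
    with open(path, "rb") as fh:
        return fingerprint_chunks(iter(lambda: fh.read(chunk_size), b""), algorithms)

def verify(path, recorded):
    """True only if every digest recorded at collection still matches the file."""
    current = fingerprint(path, algorithms=tuple(recorded))
    return all(current[name] == digest for name, digest in recorded.items())

def flip_one_bit(data, byte_index=0, bit=0):
    """Copy of data with a single bit toggled; simulates a one-bit change."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

def demo(workdir=None):
    """Record digests of a constructed evidence file, change one bit, re-verify."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "evidence.bin")  # constructed sample file
    original = b"constructed sample evidence: access log line 1\n"
    with open(path, "wb") as fh:
        fh.write(original)
    recorded = fingerprint(path)       # digests taken at collection time
    intact = verify(path, recorded)    # True: file unchanged since collection
    with open(path, "wb") as fh:
        fh.write(flip_one_bit(original))
    tampered = verify(path, recorded)  # False: every digest now differs
    return recorded, intact, tampered
```

Record the digests in the evidence log at the moment of collection; re-running `verify` against that record at each later handoff is what lets the examiner demonstrate the copy is unchanged.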
As you can see, it is essential to authenticate all digital evidence before its use in an administrative or judicial proceeding.
If you want to learn more about computer forensics and the usefulness of hash values, please check out my book Learn Digital Forensics available on Amazon.