Digital Evidence

Free essays 0 Comments




Permissions/authoritiesto conduct the search

Inthe United States v. Jacobsen(1984) 466 U.S. 109, 113, the Courtruled that the Fourth Amendment is completely irrelevant to a searchor seizure, even an irrational one, conducted by a private individualas long as they are not a government’s agent or acting with theinvolvement or knowledge of a government official.

Asthe InfoSec Specialist, I am simply an employee of Makestuff Companyand in no way connected with the government or working on behalf ofthe government. Moreover, I am acting out of my own discretion, andno government official is aware of the search. Consequently, I do notrequire any legal permissions/authorities to conduct the search.

Potentialitems of digital evidence

Thumbdrive- If Mr. Got Yourprop had inserted the thumb drive into hiscomputer he might have copied computer files containing vitalproprietary information the source code for Project X included. Hemight have also copied the company’s client lists, it`s marketingstrategies, contracts with clients and suppliers as well as an arrayof other sensitive data important to the company. The thumb is to bephotographed, put it an anti-static evidence bag, the bag sealed withevidence tape and labeled.

Voicerecorder- The audio voice recorder and its intended or actual use, aswell as its functions and capabilities and any recorded information,is potential evidence. Mr. Got Yourprop might have recordedconversations between Mr. Got Yourprop and his potential newemployer. The audio voice recorder should be put in an anti-staticevidence bag, the bag sealed with evidence tape and labeled.

Harddisk- potential evidence in the two external hard drives includes thecompany’s database, image files, emails, financial records,internet browsing history, pictures as well as event logs which areall valuable in the investigation. They should be put in ananti-static evidence bag, the bag sealed with evidence tape andlabeled.

Potentialitems of non-digital evidence

Notepad-The notepad may contain notes related to the investigation. It mightalso contain DNA and fingerprint evidence which is essential intelling who has used the notepad and if the notes contained thereinare pertinent to the investigation. The notepad should bephotographed, and its position described and then put in an evidencebag which should then be sealed and labeled.

Thesticky notes-The position of the three sticky notes is to bephotographed. They may contain notes related to the investigation.They might also contain DNA and fingerprint evidence which isessential to telling who used the sticky and if the notes containedtherein are important to the investigation. The sticky notes shouldbe photographed, and its position described and then put in anevidence bag which should then be sealed and labeled.

Folder-Thereis a folder on the computer and it is also evidence thoughnon-digital. It might contain the hardcopies of files printed fromthe computer. It might also contain other proprietary informationsuch as schematics and blueprints, client’s list, financialstatements, contracts with suppliers and clients or any othersensitive information related to the company. The folder should bephotographed and its position described and then put in an evidencebag which should then be sealed and labeled.


Thethumb drive- the description should include the location of the thumbdrive in relation to the computer, the capacity of the thumb drive.

Thevoice recorder- should have given the position of the recorder andindicate whether it was on/off

Harddisk drives-should have included the position of the hard drive andwhether it had been connected or not, also the capacity of the harddrives if indicated (Sun, 2005).


Thefirst step in collecting digital evidence is securing the scene inorder to make sure that no evidence is taken from the scene. Next isidentifying, seizing, taking note and securing any digital evidenceat the scene. In this case, the digital evidence includes a laptop, athumb drive, two hard disks, a PC with monitor, a mouse, keyboard andexternal speakers (Casey, 2004).

Standalone desktop computer. The first rule of preserving evidence is thatthe computer should not be used to search for evidence. Next, aphotograph of the scene is taken and in this a photograph of thescreen. Any live data is to be collected starting with the RAM image,all logged on users and any running processes. Any form of hard diskencryption is to be recorded by collecting a logical image of thehard disk using dd.exe. Next, the power cord is to be unplugged fromthe back of the tower and all the cords labeled in a diagram.Afterward, the devices model and serial numbers are to be documentedand then disconnect all the cords and devices from the computer. Theresponder should then check for Host Protected Area (HPA) and thenimage the hard drives. All the computer components should then bepackaged using anti-static evidence bags. It is important to notethat only paper bags and envelopes, cardboard boxes, and antistaticcontainers should be used to package any digital evidence. Under nocircumstances should plastic materials be used to collect digitalevidence for the reason that plastic can produce or transmit staticelectricity in addition to allowing moisture and condensation tobuild up, and this may damage or wipe out any evidence of them. Moreover, all digital evidence should be packaged in such a way thatit prevents it from bending, denting, or else distorted. All digitalevidence should then be kept away from radio transmitters, magnets orany other potentially damaging factors. Steps used in the seizureshould then be documented.


Thelaptop should be checked if it is on by moving the mouse cursor todetermine if it is on. A picture of the laptop is to be taken, andant wire and devices connected to the laptop labeled. A picture ofthe labeled wires and connected device is to be taken. The laptop isto be switched off if on, the charger disconnected and the batteryremoved. If the laptop has a functioning CD Rom, a tape should beplaced over it and if a retracted note of whether it is empty or not.A tape is to be placed over the power button and the make, model, andserial numbers recorded. It should then put in an anti-static bag andlabeled.

Thumbdrive, audio voice recorder and hard drives

Theyshould be placed in different anti-static bags which should then besealed and labeled. Care should be taken to ensure that they are notexposed to magnetic fields as this could potentially wipe out anyevidence contained therein (Singer, 2016).


Casey,E. (2004). Digitalevidence and computer crime.London: Academic Press.

FindLaw`sUnited States Supreme Court case and opinions..(2016). Findlaw.Retrieved 22 March 2016, from

Singer,R. (2016). Review of: Crime Scene Investigation Procedural Guide. JForensic Sci,61(1),290-290.

Sun,B. (2005). Research and Protection of the CollectingSystem. JournalOf Computer Research And Development,42(8),1422.