Preface
There is a tremendous knowledge gap in our legal system today when it comes to matters involving digital evidence. In our years of experience in working with attorneys as digital forensics experts, common questions arise again and again: What do I ask for? Is the evidence relevant? What does this item in the forensic report mean? What should I ask the other expert? What should I ask you? Can you explain that to a jury?
While computers and digital devices work on the binary system of simple on or off or yes or no, digital evidence cannot be interpreted in such a simplistic manner. One of the greatest mistakes that can be made is to look at any digital evidence in isolation without properly considering all of the processes, inputs, and outputs that can impact the interpretation. If the only answer to a piece of digital evidence were, “It’s there or it isn’t,” there would be little need for experts in the field to do any more than act as data recovery technicians. No bit of digital evidence is truly isolated in such an absolute fashion; it requires that the evidence be interpreted in light of all of the processes, inputs, and quirks of the various computer operating systems and software, as well as the interaction of people with the machines.
In many cases, this knowledge gap has put attorneys in the position of not knowing that digital evidence could make a difference in their cases, or has even caused a tendency to avoid dealing with digital evidence altogether.
This book is our contribution to filling that knowledge gap so that people who are in the legal system can have a better chance to understand the evidence that is involved and presented in cases and in courts.

Intended Audience

This book is intended for anyone who works with digital evidence in legal matters. While it was specifically written for attorneys and judges, this book can benefit law students, digital forensics students, and criminal justice students as well. Also, anyone who is responsible for managing the IT department for corporations and law firms can use this book to gain an understanding of the many issues to be considered when dealing with digital evidence.
And for those in management, and human resources, this book can provide an overview of the types of evidence that can be present on employees’ computers, and how and why computer and cell phone evidence should be preserved in case of future litigation.

Organization of this Book

This book consists of four main sections, which are as follows:
• Section I: Overview of Digital Forensics
• Section II: Experts
• Section III: Motions and Discovery
• Section IV: Common Types of Digital Evidence

Section I: Overview of Digital Forensics

Chapter 1: Digital evidence is everywhere and permeates every aspect of the average citizen’s life. No matter what you are doing these days, a digital footprint is probably being created that contains some type of digital evidence that can be recovered. Sending an e-mail, writing a document, taking a picture with your digital camera, surfing the web—all of these activities create digital evidence. This chapter will give an overview of what digital evidence is, how it is created, and where it is stored.
Chapter 2: In this chapter, we discuss a short history of personal computers, computer forensics, and the basic tenets of digital forensics. Digital forensics includes the acquisition, preservation, analysis, and presentation of electronic evidence, no matter where it may come from. This chapter gives a brief overview of the four areas of digital forensics and explains the importance of each.
Chapter 3: Originally the field of digital forensics only included computers, primarily personal computers. Over the last 20 years or so, as computers have become connected through small local networks and ultimately through the largest network of them all, the Internet, the term computer forensics has become too limited to encompass the entire field. In this chapter we provide an overview of the various subdisciplines in digital forensics.
Chapter 4: Digital forensics is a relatively new field compared to traditional forensic sciences. Digital forensics began as computer forensics in the early 1990s and has expanded with the introduction of new technology such as cellular phones, digital cameras, global positioning devices, and the explosive growth of Internet usage. With that comes the issue of whether or not there are established best practices and who is following them. What best practices should digital forensics examiners be following, why, and what are they really doing?
Chapter 5: In the realm of digital forensics, there are a variety of tools in use today. There are tools for acquiring digital evidence and tools for analyzing digital evidence. There are three types of digital forensics software in use today: commercial tools, open source (free) tools, and tools developed for and available only to law enforcement agencies. In this chapter we take a look at the different types of tools and who uses them. We will also review the requirements for a tool to be “forensically sound.”
Chapter 6: Digital forensics evidence is used in many ways in legal matters not only as part of civil and criminal trials, but also during the pre-trial and post-trial phases. Sometimes a forensic examination can result in charges being dropped, sentences being reduced, and civil matters being settled, all without ever going to trial. The other side of the coin is that the result of a forensic examination may help a defendant to understand that going to court is too risky versus taking a plea bargain. In this chapter we will look at how some of these roles are played out through case examples and example trial questions.

Section II: Experts

Chapter 7: When digital evidence is part of a case, it can be dangerous to proceed without an expert. Experts worth their salt are needed to help you get the evidence, find the information you need, and then analyze that information to find data that is useful to your case. Experts can act as an equalizer, and this is especially true when the opposing side has an expert themselves. To proceed in a case where the other side has an expert and you do not can lead to undesirable results in litigation. A qualified digital forensics expert can guide you through the intricacies of digital evidence in a way that makes sense in your case. This chapter will explain why you need to employ an expert when you are dealing with electronic evidence and why employing an expert is a time-sensitive task.
Chapter 8: With the ready access to computer technology and the explosion of people who support that technology, a gap has formed between those that know and those that do not. Because computer and digital technology has grown so rapidly in just a matter of a few years and become an integral part of our society, we have a technology generation gap. Those who were not raised with computers tend to be left behind in the understanding of how these devices work. The problem is that people who know something about computers appear to know more than they actually do. The ability to fix your computer, help you get hooked up to the Internet, or even restore your crashed computer has no bearing on forensically examining a computer. In this chapter we explain the differences between digital forensics experts and computer experts.
Chapter 9: This chapter covers how to go about locating and prequalifying an expert. Also included are recommended selection criteria as well as an explanation of the currently available certifications and what they mean. Additionally, we will give you the information you need to avoid getting burned by an expert with a “reputation.”
Chapter 10: Depending on the type of service you need in a particular case, an expert should be expected to assist you with all of the steps regarding digital evidence. Many attorneys and commercial clients are dealing with digital evidence for the very first time, and there is a significant knowledge gap as to the handling of cases involving digital evidence. It is the expert’s role to bridge this gap by assisting the attorney in identifying and obtaining evidence through discovery, reviewing expert reports and providing an assessment of the case, making sure that any evidence is properly collected and handled in a forensically sound manner, educating the attorney about the specific evidence in the case, and assisting the attorney with trial preparation. This chapter will explain what this process looks like and how it should proceed.
Chapter 11: Digital forensics experts are products of their background, education, and experience. For this reason, different types of examiners take different approaches to the same problems. This can result in a wide disparity in the quality and efficacy of the results of their work in a case. These differences show themselves not only in the examiners’ approach to an examination of the actual evidence but their approach to the entire case.
Chapter 12: An expert must be technically proficient in digital forensics—this is a given. However, the other skills needed to see a case to the end are often overlooked. In this chapter we will explain the challenges an attorney will face in employing and using a digital forensics expert, as well as how to spot problems early before you put the expert on the stand.
Chapter 13: Qualifying an examiner as an expert in court appears to be a very straightforward process on the surface. However, making sure you know what the minimum qualifications should be for a computer forensics expert or other type of digital forensics expert is important for two reasons: One, can the examiner you have engaged qualify as an expert? And two, does the expert on the other side have the necessary qualifications to testify as an expert? It happens too often that someone will try to pass themselves off as a forensics expert when in fact they have no training or experience in the field. Persons with computer experience alone, no matter how extensive, are not forensic experts and should not be allowed to qualify as such.

Section III: Motions and Discovery

Chapter 14: With the ubiquitous nature of digital evidence, it may seem as if finding and recovering digital evidence is a simple task. It is not. There are legal and technical barriers to obtaining digital evidence that must be overcome in every instance involving electronic data. Depending on the type and location of the evidence, if one can even make that determination, there are legal hurdles to cross before you can obtain that evidence, whether it is protected in some way by the Stored Communications Act (SCA), Electronic Communications Privacy Act (ECPA), HIPAA, Fourth Amendment protections against unlawful search and seizure, or expectations of privacy in the workplace.
Chapter 15: We will show how to analyze initial discovery documents to determine what digital evidence should be available to be discovered, as well as the language needed to get everything that is relevant for examination by an expert. We will also show you what to ask in order to get evidence that was collected but not examined or copied due to technical limitations of law enforcement agencies. We will also cover some not-so-obvious items that are helpful to get during the discovery process.
Chapter 16: Methods for getting the evidence in civil cases are different than those in criminal cases because civil cases are governed by different rules. In this chapter we briefly discuss the rules governing civil discovery. We also begin laying out the process for determining what to ask for and where it might be and take a walk-through approach of the method by using a case scenario. Also included are simple examples of civil discovery orders for electronic evidence.
Chapter 17: In this chapter we cover the language needed to get discovery of computer and storage media. We include here examples of language you can use for simple discovery orders, restraining orders, and a consent to search form. These are only examples and should be modified to suit your individual case.
Chapter 18: Whenever you must deal with video evidence, in any format, you will want to attempt to have the evidence properly preserved by specifying early on that the evidence is not to be viewed on the original media. Taking immediate steps to issue a preservation order for the evidence and specifying that the evidence is to be properly handled, preserved, and copied are critical elements in having evidence that can be used in litigation.
Chapter 19: In order to have the best results possible in any enhancement or forensics work performed against an audio recording, it needs to be treated with care during the processes of collection, preservation, and copying. Also, simply getting a copy of the recording without specifying the output format and copy process may not be the best option, as there are numerous factors with audio recordings that can cause deterioration in the audio quality.
Chapter 20: Social media evidence is a factor in more and more cases, both civil and criminal. Getting this type of evidence poses a challenge both from the standpoint of properly asking for the evidence but also in the ability to get the evidence due to both technical and legal barriers. In this chapter we will look at some of the methods for crafting subpoenas to obtain social media evidence from service providers.
Chapter 21: Cases involving contraband, specifically child pornography, require that you follow specific rules to make sure that you get what you need in the case and also can get access to the evidence to be examined by a digital forensics examiner. In this chapter we will discuss how to go about handling discovery in a child pornography case.
Chapter 22: In this chapter we will look at various types of record requests and include the technical language for those requests. We have included links to web sites where you can locate the custodian of records for nearly all of the Internet service providers. We show you how to find the custodian of records for a web address by following a step-by-step process you can perform using your Internet-connected computer, and we also show how to obtain subscriber information for web-based e-mail accounts.
Chapter 23: Evidence in cases involving Global Positioning Systems (GPS) can be a vital factor. Gathering that evidence can be a challenge as the data or evidence being sought can reside in several places: on physical devices, at third-party service providers, and as backups or data downloads. In this chapter we will look at where the data might be found and the motion language to use to make sure you get all of the evidence for analysis by your GPS expert.
Chapter 24: Call detail records are used in many criminal cases to attempt to determine where a subject was from the cell tower location information. Getting the right records can make a difference in being able to properly analyze and interpret this type of evidence. This chapter covers what to ask for and how to ask for it to make sure you get everything possible.
Chapter 25: Anyone who deals with indigent clients knows that requesting funding is a basic part of getting an expert engaged. In this chapter we provide some sample language for an Ex Parte Order for Expert Funds as well as some information regarding dealing with extraordinary expense requests by covering some of the questions that a judge may want clarified in a case where you may need to engage a nonlocal expert, and the answers to those questions.

Section IV: Common Types of Digital Evidence

Chapter 26: Hash values play an important role in digital forensics, especially in verifying that a forensic image of digital evidence is exactly the same as the original; a digital fingerprint, if you will. When asked on the witness stand, any examiner should be able to show that he or she took the proper steps to verify the evidence collected, using hash values to verify the forensic copy against the original evidence.
But to ignore the benefit of hash values in a case beyond simply verifying evidence does them a great disservice. If a particular file is of interest in your case, hash values can be used to find that file buried just about anywhere in a computer, even if the name of the file has been changed. Hash values can be used to link one device to another, such as a USB thumb drive to a computer, which can be particularly useful in cases that involve data theft or the distribution of contraband. Likewise, hash values can be used to help prove that something does not exist on a computer or other digital device. A good examiner knows the importance of hash values and how to use them. In this chapter we will highlight some of the more common uses of hash values and how you can put them to work in a case, and we will share some examples of how we have used them ourselves.
Chapter 27: Metadata can be a veritable gold mine of useful information in a case. The prefix meta in English is used to express the idea that some information is about its own category. Hence the meaning of metadata is “data about data,” just as metacognition means “knowing about knowing.” While this might seem somewhat cryptic, when you get down to the nuts and bolts, metadata is not hard to understand. Metadata is found inside a file, kind of behind the scenes where an ordinary computer user will not see it. It stores useful information that the operating system uses to make a computer user’s experience easier and more enjoyable. The information stored within metadata can be used to build timelines, establish alibis, and so much more. In the hands of a skilled digital forensics expert, metadata can shed light on a particular issue in a case, or be the turning point altogether. In our experience as examiners, we have seen tiny snippets of metadata change how entire sequences of events were interpreted.
Chapter 28: When you open a folder like your My Pictures folder, you can view the files in a thumbnail format, like a bunch of small pictures. These small pictures or thumbnails are stored in a special file called a thumbnail cache database. These thumbnail databases can be read using special software and used as evidence in both civil and criminal cases.
Thumbnail caches are used in a wide variety of cases, mostly to attempt to establish whether or not an image file existed on the computer at some point in the past, even if that purpose is to corroborate some other piece of digital evidence.
Chapter 29: One of the foundations of digital forensics is data recovery. Luckily for digital forensics examiners, truly deleting data on digital devices, especially computers, is quite hard to do. This chapter explains the ins and outs of how a computer works when it deletes data, and the different ways it does so. Usually in digital forensics, it is not a matter of whether data still exists or is really gone. The black and white are thin lines bordering the chasm of grey when it comes to deleted data. Usually it is just a matter of to what degree the data has actually been deleted. This chapter will explain the different levels of deletion, such as the Recycle Bin and unallocated space, and how this data is recovered and used.
Chapter 30: Computer time stamps play a role in many cases, both civil and criminal. Computer time artifacts are undoubtedly one of the most important forms of digital evidence. They play a critical role when establishing a timeline for a body of evidence for any case where time is important. If the case involves an alibi, computer time artifacts can be used as part of a body of evidence to negate or validate the alibi claims. If the case involves data theft, computer time artifacts can be used to help determine when the alleged theft occurred.
The purpose of this chapter is to familiarize you with the complexity of interpreting the date and time stamps recorded by computer operating systems and applications. To completely cover the subject of computer time stamps would require an entire technical book.
Chapter 31: As you surf the Internet, the web browser you are using saves information to your computer in temporary storage. This process of saving web pages and documents in temporary storage is called Internet browser caching or web caching. The purpose of web caching is to improve the experience of the computer user as he or she browses the Internet. In this chapter we cover what web caching is and how it is used as evidence.
Chapter 32: A shortcut or link file is a pointer to a file in a different location, which is called the target file. Link files are used liberally by the Windows operating system, and they can be created in numerous ways. A user can create a link file intentionally, for example, by placing a shortcut on the desktop, or they can also be created by Windows, without the user’s knowledge. The overall purpose of a link file is to enhance the user’s experience as he or she navigates a computer. A link file can help you find documents you recently opened or quickly open a program on a computer via an icon placed on the Windows desktop. Digital forensic examiners certainly appreciate the convenience link files lend to the experience of using a computer, but they appreciate much more the trail of digital bread crumbs that link files leave sprinkled about. Link files can be used in a case in many ways, such as helping establish timelines, proving or disproving the existence of a file on a computer, and showing the transfer of a file from one device to another.
Chapter 33: Call detail records are coming into play more often in cases every day. The purpose of the call detail records is to attempt to place the cell phone user in a geographical location based on the tower used by the cell phone to send or receive a phone call, text message, or Internet data connection. This kind of evidence is fraught with potential misunderstanding by courts and juries alike and should be treated accordingly. This chapter gives an overview of cellular systems and looks at how the evidence is viewed in many cases.
Chapter 34: E-mail is probably one of the most prolific forms of evidence available today. It seems that everyone has an e-mail account, from children to octogenarians. With the availability of free e-mail accounts that can be set up in a matter of minutes, the number of e-mail accounts exploded in the late 1990s.
This chapter examines e-mail as evidence and how and where it is stored. Also included in this chapter are some case studies of e-mail used as evidence in actual criminal and civil cases.
Chapter 35: The widespread use of social media outlets such as Facebook, Twitter, MySpace, and LinkedIn ultimately means that evidence is continually being created, and is often available right in the public domain. The usage of social media does not require that someone be tethered to a computer anymore. Almost all social media outlets can be accessed using phones, iPads, and other mobile devices. And all of these can leave some type of evidence on a computer, a phone, or at a third-party service provider that can be collected for use in a criminal or civil case.
Chapter 36: There is no “server” needed for peer-to-peer file sharing. Every computer connected to the network is both a server and a workstation. As of this writing, one of the largest of the file-sharing companies, LimeWire, has been ordered to cease operations. However, the file-sharing community is still alive and well thanks to the many other providers of this type of software and services, such as FrostWire, BearShare, BitTorrent, and dozens of others. This chapter covers how the file-sharing system works and how evidence is obtained and used in cases.
Chapter 37: Cell phones can store more data and perform more functions than ever before. Today’s smart phones can perform functionalities that were only possible with a computer a handful of years ago. Ultimately, this increase in complexity means that people tend to use their cell phones for more and more functions. In turn, the more functions someone can perform with a phone, the more data that phone stores, and that makes cell phones a tremendous source of potential evidence in all kinds of cases. This chapter covers the evidence available from cell phones, along with the proper methods for collecting and preserving cell phone evidence.
Chapter 38: Video and image evidence must be handled with great care, and any examinations or enhancements performed must be thoroughly documented. If the evidence is not received in the most viable format and preserved correctly, or if the examiner does not perform the forensic examination properly, it is possible to jeopardize the evidence by creating new evidence through the addition of image artifacts. In this chapter, we look at some of the ways that video and photo evidence is used in cases, and also at how evidence should be properly handled and enhanced. This chapter also shows some of the documentary methods that should be included with any enhancement to show exactly what was done in the enhancement process.
Chapter 39: The sole purpose of database systems is to allow for fast and accurate storage and retrieval of records. Data is the lifeblood of businesses from the smallest home business to global mega-corporations. This chapter explores how data is stored, how it is retrieved, and how it can be a factor in electronic evidence. We will also look at the challenges involved in getting data as evidence and at metadata, or data about the data, and its value as evidence.
Chapter 40: You have probably heard the phrase, “follow the money.” This is true in all kinds of cases, from domestic disputes to Ponzi schemes and murder cases. Since so many people and businesses manage their money electronically today, there is a wealth of potential electronic evidence available residing anywhere from the Internet cache on a computer, to an e-mail attachment, inside an accounting program database, and even on a person’s phone.
Chapter 41: Online gaming today is now the most popular form of gaming in the world. With the advent of high-speed Internet, it became possible for online gaming to really take off as a genre, and today tens of millions of people play games such as World of Warcraft, Everquest 2, The Sims Online, and Second Life. Console gaming units like the Xbox and PlayStation platforms now have online capability so that people can play together online. Where games like this exist, evidence also exists that can be used in investigations and legal actions.
Chapter 42: Global positioning systems, or GPS units, have become commonplace in modern society. As is true with any device that can record and store data, these devices can become a source of evidence in civil and criminal cases. In using GPS data as evidence, it is important to understand what impacts the accuracy of the data these devices produce as well as the potential for errors in analyzing the data. The first part of this chapter provides some background on how global positioning systems work, and how they store data that can become evidence in a case.

Acknowledgments

We want to thank Angelina Ward at Syngress for her encouragement to turn our idea into a book. Also, the assistance of many people at Syngress has been invaluable during the process of writing the book; we thank Heather Scherer who has kept us on track and assisted in the editing of the book, and our technical editors Robert Maxwell and Sue Speilman for making such insightful comments during the writing process that helped us to clarify many points throughout the book.
• Attorney James G. Connell, III for his invaluable insight and assistance in the section on Motions and Orders.
• Our friend and trainer, telecommunications expert Ben Levitan, for his help and critical review of the chapters on cell tower technology and call detail records.
• Attorney Parrish Hayes Daughtry for her encouragement and early review of some critical chapters.