Finding and Preserving Online Evidence
Every court conviction requires evidence to be presented, and for evidence to be admissible it must have been preserved properly so that the court can be satisfied no one has altered it.
In many cases, however, internet evidence is inadvertently destroyed, which makes obtaining a conviction on internet forensics alone difficult. Internet evidence is fragile and can easily be ruled inadmissible once its authenticity is called into question.
Sources of digital evidence include personal computers and laptops; mobile phones, especially smartphones, whose GPS and location data can show where a person has been; social media accounts; and digital cameras, whose photos often carry metadata recording when and where they were taken.
Evidence found in an email, on an online forum such as 4chan or Reddit, or on a social media platform is subject to the same duty to preserve relevant and material information as traditional evidence or any other electronically stored information (ESI). The similarities end there. Physical evidence such as fingerprints or trace material is not subject to automatic deletion routines, whereas digital content can be erased by them at any moment, and photo editing software makes altering a digital image far easier than doctoring most physical evidence. These properties create a preservation problem unique to internet evidence.
In a world where anyone with a smartphone can easily doctor internet evidence, it is crucial to be able to prove to the court that the evidence you present is legitimate. How do you do that?
The simplest solution is to impound the device in question immediately, which reduces the chance that files are deleted or edited. Once the device is in custody it should remain off until a trained computer forensics examiner examines it. One caveat: if the device is found powered on, decide before switching it off whether volatile data (running processes, open sessions, unlocked encryption keys) must be captured first, because that data is lost when the power is cut. The examiner prepares chain of custody documentation and uses techniques that establish that the evidence found and duplicated is an exact, verifiable copy of what was originally present.

Next the examiner creates a documented forensic image. For web content, many lawyers use programs such as WebCase or WinHTTrack. Programs of this kind document how the content was captured, recording keystrokes and the geolocation of IP addresses, and can download an entire website so that it can later be saved, opened and shown exactly as it appeared at a given point in time; once that capture is hashed, any later tampering becomes detectable.

It is then imperative to verify that the images created during this process are accurate, using a process known as hash verification. A cryptographic hash function (SHA-256, for example) maps a file of any size to a fixed-length digest, and any change to the file, even a single bit, produces a different digest. The examiner records the digest at the time of acquisition; anyone who later recomputes it and obtains the same value has shown that the copy is byte for byte identical to what was captured. Wikipedia notes that hash verification is used to assure the integrity of transmitted data and is the building block for HMACs, which provide message authentication. Two caveats apply in practice: a matching hash proves the copy has not changed since it was hashed, not that the original was genuine, so the hash must be recorded and witnessed at acquisition; and legacy tools often report MD5, which is no longer collision resistant, so record SHA-256 (or stronger) alongside any MD5 value.
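The following is an added example, not code from the original article or from any of the tools it names. It shows the acquisition-time hashing and later re-verification described above, with a chain of custody record whose fields are bound by an HMAC under a hypothetical examiner-held key (`custody_key`, an assumption of this example) so that edits to the record itself are also caught. The "disk image" it hashes is a constructed 4 KiB sample written to a temporary directory; the functions work unchanged on a real image file.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB chunks so a multi-GB image never has to fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(image_path, examiner, custody_key):
    """Record acquisition hashes plus a chain-of-custody entry.

    `custody_key` is a hypothetical secret held by the examiner (an assumption of
    this example); the HMAC over the record lets a later reviewer detect edits to
    the manifest itself, not only to the image.
    """
    record = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path, "sha256"),
        "md5": hash_file(image_path, "md5"),  # many legacy tools still report MD5; keep both
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    canonical = json.dumps(record, sort_keys=True).encode()
    record["custody_hmac"] = hmac.new(custody_key, canonical, "sha256").hexdigest()
    return record


def verify_image(image_path, manifest, custody_key):
    """Re-hash the image and re-check the manifest; return which checks passed."""
    fields = {k: v for k, v in manifest.items() if k != "custody_hmac"}
    canonical = json.dumps(fields, sort_keys=True).encode()
    expected_mac = hmac.new(custody_key, canonical, "sha256").hexdigest()
    return {
        "manifest_intact": hmac.compare_digest(expected_mac, manifest["custody_hmac"]),
        "sha256_match": hmac.compare_digest(hash_file(image_path, "sha256"), manifest["sha256"]),
        "md5_match": hmac.compare_digest(hash_file(image_path, "md5"), manifest["md5"]),
    }


def demo():
    """Walk through acquisition, verification, and two tampering cases.

    Returns the three verification results so the outcome can be inspected.
    """
    key = b"examiner-custody-key"  # constructed secret for the example only
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "usb_stick.dd")
        # Constructed sample image: 4 KiB of deterministic bytes standing in for a real acquisition.
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 16)

        manifest = make_manifest(image, "J. Examiner", key)
        clean = verify_image(image, manifest, key)

        # Tampering case 1: a single byte of the image is changed after acquisition.
        with open(image, "r+b") as f:
            f.seek(1000)
            f.write(b"\xff")
        image_edited = verify_image(image, manifest, key)

        # Tampering case 2: someone rewrites the custody record to hide who acquired it.
        forged = dict(manifest, acquired_by="Unknown")
        manifest_edited = verify_image(image, forged, key)

    return {"clean": clean, "image_edited": image_edited, "manifest_edited": manifest_edited}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script shows all three checks passing on the untouched image, the two hash checks failing after a one-byte edit while the manifest still verifies, and the manifest check failing once the custody record is altered. In a real workflow the manifest would be printed, signed and witnessed at acquisition, and the HMAC key kept separate from the evidence store; the hashes then speak to integrity since that moment, not to the authenticity of what was on the device before it was seized.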