Challenges to Attaining the Full Potential of Digital Evidence

Challenges to Attaining the Full Potential of Digital Evidence

July 12th, 2017

By Lynnette Reese, Editor-in-Chief, Embedded Systems Engineering

Digital forensics is a white hat operation that is underfunded.

A smartphone is a portable multicore computer, packed with sensors, and the hub of our digital lives. Digital evidence has a broader scope than we are used to, coming from a single physical device. As such, digital evidence corroborates physical evidence that otherwise might have been only circumstantial. Conceptually, digital and physical evidence aren’t that different. Evidence is defined as information that’s used to determine events and people in a framework of time and place so that a cause can be established for illegal events.[i] The information found in a cell phone is not trivial; it can be equivalent to non-portable items such as diaries, ledgers, and personal computers.

Figure 1: Digital extraction methods require specialized tools and expertise.

Can a cell phone tip evidence against a suspect? A murder in 2012 provided digital evidence to prosecute a suspect where the physical evidence in the case was not enough, as it was only circumstantial. In September 2012, a college freshman disappeared. He was last seen with an old high school friend at an electronics store. The freshman’s remains were found 3 weeks after, and 60 miles west of, the last time he was seen. Circumstantial evidence found in the high school friend’s car included some of the victim’s blood and his backpack. The suspect’s cell phone held several pieces of evidence, however. The phone’s Facebook app cache held a screenshot of an incriminating search because the suspect had used Facebook for access. After the victim disappeared, ping analysis to cell towers showed that the suspect travelled west for a long distance, and that the phone’s flashlight app was used for about an hour that same night.  Law enforcement used several levels of extraction.

Budgets Playing Catch Up
Digital extraction starts with manual techniques such as using the touch screen to look through messages. (See Figure 1.) Logical extraction tools involve external computer equipment whose commands are executed on the target device, much like a host-target embedded development setup. Physical extraction involves more sophisticated tools that can excise deleted information from memory (e.g., a flash drive). Chip-off and micro-read techniques at the top of the pyramid involve physically removing memory chips from the device to read them, requiring expertise on how to communicate with the chip directly and the ability to emulate the device’s communication process.[ii]

Digital forensics is impressive from a Hollywood perspective, but in reality, budgets for training and equipment lag far behind. As more devices come online with the Internet of Things, additional funding and training are needed at every level of the criminal justice system so that digital evidence can make the best impact possible to deterring crime.

Lynnette Reese is Editor-in-Chief, Embedded Intel Solutions and Embedded Systems Engineering, and has been working in various roles as an electrical engineer for over two decades. She is interested in open source software and hardware, the maker movement, and in increasing the number of women working in STEM so she has a greater chance of talking about something other than football at the water cooler.

[i] Goodison, S., Davis, R., & Jackson, B. (2015, March 24). Digital Evidence and the U.S. Criminal Justice System. Retrieved July 5, 2017, from