Digital Evidence FAQ
What should I document during the acquisition of video evidence from a digital video recorder (DVR)?
- Type of DVR (e.g. stand alone, hybrid, networked, server based, personal computer)
- Make, model, and serial number
- Account username(s) and password(s)
- Number of cameras capable of recording and number of cameras connected
- System time and date and actual time and date
- System settings:
  - Image quality (e.g. high, medium, low)
  - Frames per second
  - Recorded image/frame size (e.g. 320 x 240)
  - Alarm or motion trigger settings for cameras
  - System logs
- Whether the cameras have infrared (IR) capabilities
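The checklist above pairs the DVR's system time with the actual time and also records the frames-per-second setting; together they let an examiner state the real-world time of any recorded event or frame. The following script is an added example and is not part of the FAQ or the Department's own tooling: the DVR readings and event list are constructed sample values, and `clock_offset`, `real_time`, `frame_real_time` and `correct_events` are helper names chosen here. It assumes both clocks were documented in the same time zone, so naive datetimes are used.

```python
"""Translate DVR timestamps to real time from the documented clock difference.

Added example (not from the Virginia DFS FAQ). The DVR system time, actual time,
frame rate and event list below are constructed sample values.
"""
from datetime import datetime, timedelta


def clock_offset(system_time: datetime, actual_time: datetime) -> timedelta:
    """Return actual minus system time. Positive means the DVR clock runs slow,
    so the offset must be ADDED to every DVR timestamp to obtain real time."""
    return actual_time - system_time


def real_time(dvr_time: datetime, offset: timedelta) -> datetime:
    """Real-world time of something the DVR stamped as dvr_time."""
    return dvr_time + offset


def frame_real_time(clip_start_dvr: datetime, frame_index: int, fps: float,
                    offset: timedelta) -> datetime:
    """Real-world time of frame N (0-based) in a clip that the DVR stamped as
    starting at clip_start_dvr and recorded at the documented frame rate."""
    if fps <= 0:
        raise ValueError("frames per second must be positive")
    elapsed = timedelta(seconds=frame_index / fps)
    return real_time(clip_start_dvr + elapsed, offset)


def correct_events(events, offset: timedelta):
    """Apply the offset to a list of (label, dvr_timestamp) pairs."""
    return [(label, real_time(t, offset)) for label, t in events]


# Constructed sample: the DVR displayed 14:02:10 when the documented actual
# time was 14:05:40, i.e. the DVR clock is 3 minutes 30 seconds slow.
DVR_SYSTEM_TIME = datetime(2023, 5, 1, 14, 2, 10)
ACTUAL_TIME = datetime(2023, 5, 1, 14, 5, 40)

# Constructed sample events as indexed by the DVR (DVR clock, not real time).
SAMPLE_EVENTS = [
    ("motion alarm, camera 3", datetime(2023, 5, 1, 13, 50, 0)),
    ("door contact, camera 1", datetime(2023, 5, 1, 13, 58, 45)),
]

if __name__ == "__main__":
    off = clock_offset(DVR_SYSTEM_TIME, ACTUAL_TIME)
    drift = "slow" if off > timedelta(0) else "fast"
    print(f"DVR clock offset: {off} (DVR clock is {drift})")
    for label, t in correct_events(SAMPLE_EVENTS, off):
        print(f"{label}: real time {t}")
    # Frame 150 of a 30 fps clip starting at the first event is 5 s in.
    print("frame 150 real time:",
          frame_real_time(SAMPLE_EVENTS[0][1], 150, 30, off))
```

The offset is recorded once at acquisition and carried through the report, so every corrected time can be traced back to the two documented readings rather than to an examiner's estimate; if the DVR is later found to drift, a second reading at a different time lets the same calculation be redone as a rate rather than a constant.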
How should mobile devices be handled to prevent loss of evidence (data)?
- Mobile devices should be isolated from communication networks at the time of seizure in order to prevent the transmission and destruction of data on the device, as well as to maintain the device in its most vulnerable security state. This can be accomplished in one of the following ways:
A. If the device is seized powered on:
  - Determine if any security measures (e.g. Secure Startup, PIN, password, pattern-lock, encryption) are enabled;
  - If unsecured or the passcode is known:
    - Enable the device's "Airplane Mode" – a setting available on many mobile devices that suspends the device's signal transmitting/receiving functions;
    - Disable any other communication settings (e.g. Wi-Fi, Bluetooth, etc.) that are not automatically disabled by enabling Airplane Mode;
    - If applicable, remove its battery and Universal Integrated Circuit Card (UICC) (aka Subscriber Identity Module [SIM] card);
    - Power down the device via its interface or by long-pressing its power button and, if applicable, remove its battery;
    - Depending on enabled security measures, this process may prevent future access to the device.
  - Secured Apple and Android devices with an unknown passcode require specific handling in order to maximize the amount of data available for extraction and the speed of passcode identification. The following evidence handling guidelines should be followed:
    - Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO POWER OFF OR REBOOT;
    - Shield the device from communication networks by putting the device into "Airplane Mode" and placing it in a shielded enclosure;
    - If neither option is available, remove* the UICC from the device;
      *Removing the UICC from a device that is powered on may result in the device being placed into a more secure state;
    - Submit the device to the Central laboratory as soon as possible.
B. If the device is seized powered off:
  - If applicable, remove its battery and UICC.
  - For applicable mobile devices, it is important to determine if the device (handset) contains a UICC or flash memory card such as a micro Secure Digital (microSD) card:
    - Either card can be located internally, typically under the battery, or externally along the side of the device;
    - These storage devices should be indicated on the RFLE as additional items of evidence, typically as sub-items to the handset.
  - Also, if the device is reliant on a UICC to authenticate the device to a service provider's network(s), removal may be an additional shielding measure.
The Virginia Department of Forensic Science recommends mobile devices be packaged at the time of seizure and prior to lab submission as follows:
- Place in an anti-static bag (e.g. paper envelope)
- Wrap in aluminum foil (5 times with heavy duty or 10 times with standard thickness)
  - This step can be skipped if the device's battery has been removed or Airplane Mode has been enabled (confirming cellular/data, Wi-Fi, and Bluetooth are disabled)
- Place in a >3 mil thick shielded enclosure (e.g., "Faraday" bag)
  - This step can be skipped if the device's battery has been removed or Airplane Mode has been enabled (confirming cellular/data, Wi-Fi, and Bluetooth are disabled)
- Place in an outer storage bag (container) and seal
  - If applicable, label that the battery has been removed or Airplane Mode has been enabled (confirming cellular/data, Wi-Fi, and Bluetooth are disabled)
Packing kits may be available from a third-party vendor for purchase.
Can you acquire digital evidence (e.g. device backups, video recordings, etc.) stored on cloud-based platforms?
- No, the Digital & Multimedia Evidence section cannot acquire data from a cloud-based storage platform. However, we can provide technical support in identifying and requesting cloud-based sources of evidence.
What format should I acquire and submit video recordings in?
- The Digital & Multimedia Evidence Section recommends acquiring and submitting video recordings in both the recording device's native (proprietary) file format AND an open file format (e.g. .avi). This will allow the examiner to determine which recording is the best candidate for the requested examination.
Can you analyze a device protected by a security measure?
- The DME Section maintains capabilities for bypassing security measures on a multitude of devices. Please contact the DME Section for guidance specific to the device.
Can you recover deleted text messages from a mobile phone?
- The ability to recover deleted text messages depends on the make and model of the mobile phone, the length of time that has passed since the messages were deleted, the number of new text messages that have been sent or received since the messages were deleted, whether the deleted messages have been overwritten, and whether the phone has been reset or restored.
Please contact the Digital & Multimedia Evidence section for additional information.
Can you determine location information from a mobile device?
- Depending on the device's capabilities and settings, Global Positioning System (GPS) coordinates and available/connected WiFi access point identifiers may be present. This information can be extracted and interpreted to determine locations the device was near.
Please contact the Digital & Multimedia Evidence section for additional information.
Can you determine what Internet resources a user has accessed?
- Most web browsers and web-based applications record a user’s activity, logging what Internet resources were accessed. Even when a user attempts to delete this information, the browsing activity can often be recovered. If the data hasn’t been overwritten, the exact time, resource and content of the activity may be available.
Please contact the Digital & Multimedia Evidence section for additional information.
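As an illustration of the browser activity logs the answer above refers to, the following script is an added example and is not part of the FAQ or the Department's own tooling. It assumes a Chromium-style history database: Chromium-based browsers keep a SQLite file named "History" whose `urls` and `visits` tables store visit times as microseconds since 1601-01-01 UTC (the WebKit epoch). The schema below is a trimmed version of that layout, the rows are constructed sample data, and `webkit_to_datetime`, `build_sample_db` and `list_visits` are helper names chosen here, so the script runs offline against an in-memory database.

```python
"""Read browsing activity from a Chromium-style history database.

Added example (not from the Virginia DFS FAQ). The schema is a trimmed model of
the Chromium "History" SQLite layout and every row is constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium timestamps count microseconds from this epoch, not from 1970.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(micros):
    """Convert a WebKit/Chromium timestamp to an aware UTC datetime.
    Returns None for 0/NULL, which the browser uses for 'no recorded time'."""
    if not micros:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


# Trimmed model of the real tables (assumption: only the columns used here).
SCHEMA = """
CREATE TABLE urls (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER, last_visit_time INTEGER);
CREATE TABLE visits (
    id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER);
"""

# Constructed sample rows. 13323355200000000 us after 1601-01-01 is
# 2023-03-15 12:00:00 UTC; the second visit is 5 min 30 s later and was
# reached from the first (from_visit = 1), i.e. the first page is its referrer.
SAMPLE_URLS = [
    (1, "https://example.com/", "Example Domain", 1, 13323355200000000),
    (2, "https://example.org/report.pdf", "Quarterly report", 1, 13323355530000000),
    (3, "https://example.net/", "Never visited entry", 0, 0),
]
SAMPLE_VISITS = [
    (1, 1, 13323355200000000, 0),
    (2, 2, 13323355530000000, 1),
]


def build_sample_db():
    """Create the in-memory sample database (stand-in for a seized History file)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", SAMPLE_URLS)
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", SAMPLE_VISITS)
    conn.commit()
    return conn


def list_visits(conn):
    """Return (utc_time, url, title, referrer_url) in chronological order.
    The referrer is resolved by following visits.from_visit back to its URL;
    entries in urls with no visit rows (e.g. visit_count 0) do not appear."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, r.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits fv ON fv.id = v.from_visit
        LEFT JOIN urls r ON r.id = fv.url
        ORDER BY v.visit_time
    """).fetchall()
    return [(webkit_to_datetime(t), url, title, ref) for t, url, title, ref in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for when, url, title, ref in list_visits(db):
        print(f"{when.isoformat()}  {url}  ({title})  referrer={ref}")
```

Reporting the time as an aware UTC value is deliberate: the raw integer is meaningless on its own, and converting it with the wrong epoch (1970 instead of 1601) or the wrong unit (seconds instead of microseconds) silently shifts every visit by centuries. Deleted rows are not reached through SQL at all; recovering them from freed pages or the write-ahead log is the separate carving step the answer above alludes to.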