Digital evidence refers to any data stored or transmitted using a digital device that can be used as evidence in legal proceedings. With the proliferation of computers, smartphones, and other digital technologies, digital evidence is becoming increasingly important in criminal and civil court cases. Let’s explore some common examples of digital evidence and how they may be used.
Email communications can provide critical evidence in both criminal and civil cases. Emails may reveal communications between parties that confirm motives, plans, relationships, or coordination of activities. For example, in a fraud case, incriminating emails may exist between co-conspirators. Or in a divorce case, emails could contain proof of infidelity or hidden financial assets.
Key information investigators look for in emails includes:
- The email content, including any attachments
- Information about the sender, recipients, date/time sent
- The IP address the email originated from
Investigators use email header analysis to determine an email’s authenticity and path through email servers. Tracking email IPs can help link specific computers and locations to actions.
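The header analysis described above can be illustrated with a short added example (not part of the original article). It rebuilds the relay path from a message's `Received` headers and checks that the timestamps move forward; the message, host names, and documentation-range IP addresses are constructed sample data.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (example domains, documentation-range IPs).
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS id abc123;
\tTue, 05 Mar 2024 10:15:09 +0000
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP id def456;
\tTue, 05 Mar 2024 10:15:04 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.com with ESMTPSA id ghi789;
\tTue, 05 Mar 2024 10:14:58 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Quarterly figures
Date: Tue, 05 Mar 2024 10:14:55 +0000

Body text.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_path(raw):
    """Return the relay hops, oldest first, from the Received headers."""
    hops = []
    # Each server prepends its own header, so reverse for chronological order.
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = hdr.rpartition(";")
        sender = re.search(r"from\s+(\S+)", info)
        by = re.search(r"\bby\s+(\S+)", info)
        ip = IP_RE.search(info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None  # header carries no parsable timestamp
        hops.append({"from": sender.group(1) if sender else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None, "time": when})
    return hops

def backward_steps(hops):
    """Indexes of hops stamped earlier than the hop before them."""
    return [i for i in range(1, len(hops))
            if hops[i]["time"] and hops[i - 1]["time"]
            and hops[i]["time"] < hops[i - 1]["time"]]
```

Only the `Received` lines added by servers the recipient's side controls are reliable; lines below them were supplied by the sending side and can be fabricated, which is why a backward timestamp step is a lead to examine rather than proof.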
Text messages, chat logs, and instant messages can all serve as digital evidence. Like emails, the content can reveal incriminating conversations about criminal or unethical activity. The data logs can also trace communications back to specific mobile phones, computers, and IP addresses.
SMS text messages have been frequently used in criminal cases to demonstrate:
- Intent or motive
- Plans or coordination
- Relationships between suspects
Chat applications like WhatsApp, Facebook Messenger, Snapchat, and Telegram contain valuable message histories, though the data is encrypted. Investigators use phone forensics to retrieve the chat logs, which can serve as critical timeline evidence of conversations and activities.
Social Media Posts
Social networks like Facebook, Twitter, and Instagram are a goldmine of potential digital evidence. Posts, images, videos, and profile data can all be used to associate suspects with criminal or unethical acts. Investigators look for:
- Incriminating posts, uploads, and comments
- Timestamped post data to establish timelines
- Location data embedded in posts
- Account connections between suspects
Social media evidence has been used in cases ranging from violent threats to insurance fraud. Even deleted posts can sometimes be recovered through forensic analysis of the networks’ data records.
Digital Photos & Videos
Digital photos and videos found on phones, cameras, computers, or storage media can also provide investigators with visual evidence. Data embedded in image and video files (known as metadata) includes details like:
- Date, time, and location of recording
- Device used
Visual content may directly capture criminal activity, establish relationships between suspects, or contradict alibis. Photo analysis can even reveal location clues based on landmarks, weather patterns, shadows, and perspectives.
Internet & Website Activity
Internet browsing history and activity patterns can offer clues in criminal cases and provide evidence of online behavior. Investigators may look for:
- Visits to criminal or unethical websites
- Searches related to planning illegal acts
- Access to systems or accounts without authorization
Website login information can link suspects to accounts used for illegal purposes. Tracking browsing data may establish intent, especially in cases like cyberstalking, identity theft, or child exploitation.
GPS & Location Data
Location patterns captured by cell phone GPS, navigation systems, vehicle tracking systems, and mobile apps can provide both civil and criminal evidence. This data can:
- Link a suspect to a crime scene
- Verify (or contradict) statements and alibis
- Establish timelines of travel and activity
Historical GPS data is difficult to alter, making location evidence hard to refute. Tower connections for cell phones can also approximately map out locations and movements of suspects.
Computer Files & Network Activity
Digital files stored on computers, servers, flash drives, and cloud accounts may contain a wealth of potential evidence for investigators:
- Stored communications like emails and chats
- Financial records stored in formats like spreadsheets
- Documents revealing criminal plans, motives, or relationships
- System log files tracking access times and usage
Network logs can expose unauthorized system accesses to support cybercrime charges. Recovering deleted files is often possible through forensic analysis. Certain file formats may also include revealing metadata.
Purchase & Financial Records
Financial data stored by retailers, banks, and accounting systems can provide supporting evidence of criminal activity:
- Credit/debit card transactions indicating dates, times, locations of purchases
- Bank account activities showing transfers and payments
- Register and accounting system reports tracking sales and inventory
Investigators can use these records to establish timelines, identify associations between suspects, and look for suspicious transactions indicative of embezzlement, money laundering, or purchase of illicit materials.
With the growth of cloud-based services, vast amounts of potentially incriminating data are stored outside of direct user control. Examples include:
- File synchronization services like Dropbox and Google Drive
- Shared storage platforms like Box and SharePoint
- Cloud email and productivity suites such as Office 365
Investigators can seek court orders to access organization-hosted cloud data. Cloud backups of mobile devices may also yield valuable data otherwise inaccessible.
Voicemail & Phone Records
Cell phone call and text message logs can place suspects in locations to corroborate or contradict alibis. Timestamps help construct timelines of events and communications. Investigators also look at:
- Voicemail messages
- Caller ID information
- Call duration data
Voicemails often directly capture criminal planning, threats, or other incriminating evidence. Phone record analysis can reveal relationships between suspects based on frequency and timing of contact.
Wearable Tech Data
Wearable devices including smart watches, fitness trackers, and smart glasses record data that could offer digital evidence:
- Precise GPS and activity logs from fitness trackers demonstrating locations, routes, timelines
- Voice dictations and searches captured by smart watches and glasses
- Biometric user data like heart rate
This time-stamped, location-tagged data from wearables may contradict claims made by suspects, placing them at crime scenes and tracking related activity.
Organizations often keep records in structured databases that can serve to verify or contradict witness statements:
- Access control systems with ID/badge logging
- User account records
- Inventory systems tracking assets, equipment, etc.
Properly authenticated database reporting can demonstrate unauthorized accesses or inventory discrepancies indicative of criminal activity. Investigators may look for inconsistencies between physical access records and suspect statements.
IoT Smart Home Data
The growing number of IoT “smart home” devices including cameras, sensors, and appliances generates data that can potentially serve as evidence:
- Video footage from smart security cameras
- Activity patterns from sensors and usage logs
- Voice recordings from smart assistants
Investigators can leverage this data to place suspects at home or demonstrate abnormal usage indicative of crimes like drug manufacturing. However, smart home data also raises privacy concerns.
Many vehicles now contain event data recorders and onboard computers logging system statuses and events. This automotive data may provide investigators information on:
- Vehicle speeds
- Sudden starts/stops
- Locations and travel routes
- Airbag deployments
Data from vehicle systems is difficult to manipulate, making it extremely credible for reconstructing traffic collisions or establishing timelines and locations. However, carmakers closely guard access to protect customer privacy.
Digital Audio & Video
Audio and video recordings captured digitally on devices provide some of the most direct evidentiary content for investigators:
- Nanny cam and security camera footage
- Recordings of criminal acts, threats, confessions
- Covert recordings capturing illegal discussions, transactions
The unedited nature and timestamps embedded in audio/video files make them highly credible. Additionally, audio and video contain not just words but also tone and body language clues.
Metadata included within computer-generated documents can reveal information about their origins and history:
- Document authorship information
- File creation timestamps
- Revision history
- Markup and changes
Analyzing metadata can authenticate document origins, establish timelines, and even expose attempts to manipulate or falsify evidence. This is a rich source of subtext clues for investigators.
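As an added illustration of the metadata analysis described above (not part of the original article), the following reads authorship, timestamp, and revision fields from the `docProps/core.xml` part of an Office Open XML document and compares them with the date the document is claimed to have been written. The sample file, names, dates, and the finding labels are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {"author": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "created": "dcterms:created", "modified": "dcterms:modified",
          "revision": "cp:revision"}

def sample_docx():
    """Constructed sample: an OOXML-style zip holding only docProps/core.xml."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    core = (f"<cp:coreProperties {xmlns}>"
            "<dc:creator>A. Author</dc:creator>"
            "<cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>"
            "<cp:revision>7</cp:revision>"
            "<dcterms:created>2024-03-01T09:00:00Z</dcterms:created>"
            "<dcterms:modified>2024-03-04T16:30:00Z</dcterms:modified>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def core_properties(data):
    """Read authorship and timestamp fields from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    meta = {k: root.findtext(path, namespaces=NS) for k, path in FIELDS.items()}
    for k in ("created", "modified"):
        if meta[k]:
            meta[k] = datetime.fromisoformat(meta[k].replace("Z", "+00:00"))
    return meta

def findings(meta, claimed_written):
    """Compare embedded metadata with the date the document is claimed to bear."""
    out = []
    if meta["created"] and meta["created"] > claimed_written:
        out.append("created-after-claimed-date")
    if meta["created"] and meta["modified"] and meta["modified"] < meta["created"]:
        out.append("modified-before-created")
    if meta["author"] != meta["last_modified_by"]:
        out.append("edited-by-other-account")
    return out
```

These fields can be rewritten by anyone holding the file, so a mismatch is a lead to corroborate against file-system timestamps and other records, not a conclusion on its own.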
Suspects accused of computer and cybercrimes often generate extensive content that can serve as evidence:
- Hacking programs and exploit code
- Stolen data archives
- Documents detailing plans, techniques, identities, and motives
Self-documented user content provides investigators detailed insight into technical means, motives, co-conspirators, identities, and online handles used by cybercriminals.
In summary, nearly any user-generated digital content, activity logs, metadata, and contextual data associated with computers, phones, IoT devices and online services can serve as potential evidence for civil and criminal cases. However, accessing and authenticating digital evidence requires specialized forensic skills. Investigators must follow strict evidence handling procedures to prove its credibility in legal proceedings.