What is digital evidence? Explain the types, characteristics and roles of digital evidence.

As a result of rapid growth in technology, there is a practically endless list of types and sources of digital evidence, and each case you are involved in will present different kinds of evidence. So we are going to discuss in depth the types and sources of evidence with respect to digital forensics.

The most important reason to explore the types and sources of digital evidence is that they determine the tool you will use or build to analyze your evidence. For example, analyzing Windows operating system artifacts requires tools that are completely different from those for Linux or macOS. Likewise, tools that extract data from memory differ in their implementation from tools used to analyze hard disk drives.

So let’s start with data types, why they are used, and how you could benefit from them.

Active Data

This type includes all data and files created by the operating system or by applications such as a word processor, web browser, mail client, or scanner: documents, cached files, emails, and images.

Archive and Backup Data

This is all data that is organized and preserved for long-term storage to avoid data loss due to attacks or disasters. Backup data is created by making an identical copy of original files and folders. Almost everyone has a CD; its content is an example of archived or backup data, as is data stored on network storage (a SAN device).

Hidden Data Types

The types of data mentioned so far are apparent and accessible to all users; their opposite is hidden data. During your analysis, hidden data will mostly be more important and essential to examine, especially if the suspect in your case has good computer knowledge.

Hidden data types encompass the following:

  • Metadata
  • Residual data
  • Replicant data

Metadata

Metadata is defined as "data about data": it provides context or additional information about data and files, such as the date of file creation or information about the file structure. It is considered one of the most valuable pieces of evidence because it contains a lot of information about a file, such as the name of the file owner and the last access and modification times. You can use metadata in your analysis to prove that a document was created on the suspect's device, provided that information has not been altered or modified.

Now let me tell you one of the famous stories, that of Dennis Rader, who is known as BTK (Bind, Torture, Kill). The serial killer, Dennis, murdered 10 people within 90 days. Regular investigations revealed nothing, but when Dennis sent the police a floppy disk that contained a letter from him in the form of a Word document, analyzing the document's metadata revealed his identity and led to his arrest.

Residual Data

This is deleted data on the disk. An important point is that even after deletion the data "might" still be there; you just cannot see it in, for example, the directory listing of Windows Explorer. So why did we say "might"? Because if the storage location has been overwritten with new data (for example, a new file), it will be hard to get back to the old data that used to be there. With that said, it is not hard to retrieve residual data; all you need is the right tool. It is important to understand how to deal with this type of data because deleting files is the first thing any suspect might do; after all, he or she wants to hide the incriminating actions, right?
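To show why deleted data "might" still be recoverable, here is an added example (not from the original article) of signature-based file carving, one common recovery technique the article does not name. It scans a raw image for JPEG start and end markers; the 2 KiB "disk" is constructed inline and contains one intact deleted picture and one whose tail was overwritten.

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image plus first byte of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, data) for each SOI..EOI span found in a raw image.

    Works on unallocated space because it ignores the file system entirely.
    Limitation: fragmented files and embedded thumbnails (which carry their
    own EOI) need a smarter carver than this.
    """
    hits = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        # Look for the footer only within max_size bytes of the header.
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            pos = start + 1  # header without footer: overwritten or too large
            continue
        end += len(EOI)
        hits.append((start, image[start:end]))
        pos = end
    return hits

def build_sample_image() -> bytes:
    """Constructed sample: four 512-byte sectors of zeroed space."""
    image = bytearray(512 * 4)
    intact = SOI + b"\xe0" + b"constructed-pixels-A" + EOI
    overwritten = SOI + b"\xe0" + b"tail overwritten"  # footer is gone
    image[512:512 + len(intact)] = intact
    image[1536:1536 + len(overwritten)] = overwritten
    return bytes(image)

if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_image()):
        print(f"recovered {len(data)} bytes at offset {offset}")
```

Only the intact picture is recovered; the second header has no footer left, which is the overwritten case the paragraph above describes.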

Replicant Data

This type of data is generated when a program such as a word processor creates a temporary copy of an opened file. The copy serves as a backup to avoid data loss in case an error occurs and the file is forced to close without saving the changes. Replicant data files may help to discover the last actions the suspect performed, such as the last printed documents. The importance of these files is that they can be retrieved even after the document file itself was deleted. Some examples of residual data include: web cache, temporary directories, data blocks resulting from a move, memory, etc.

Let me tell you another story, that of Edward Ray, who was sentenced for having a picture of a young model in his "temporary internet files" folder. The defense of the suspect was that he typed the wrong website URL, and when he realized what it was he closed it immediately. Having the pictures stored in the temporary internet files supported his claims and exonerated him.

Volatility

The last issue to consider about data types is the volatile nature of data. This is essential to consider before starting a digital forensic investigation because it determines which data you should collect first to avoid losing digital artifacts. These types are:

  • Non-volatile data
  • Volatile data

Non-Volatile Data

All previously mentioned types are considered non-volatile data and can be retrieved even if the computer has been turned off.

Volatile Data

Data that resides in RAM and can be acquired only while the device is running comes under this category. Collecting volatile data is a perilous task because of its changing nature (for example, running your forensic tool will change part of the memory), and if the power is disconnected we will lose all of its data.


What is digital evidence? Explain the characteristics of evidence.

In evidence law, digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.

What are the types of digital evidence?

Digital evidence can be any sort of digital file from an electronic source. This includes email, text messages, instant messages, social media posts, files and documents extracted from hard drives, electronic financial transactions, audio files, and video files.

What are the two types of digital evidence?

Investigators can gather two types of digital evidence:

  • Volatile data: Volatile data is digital information stored in a temporary medium. This data is lost when the device is powered off.
  • Nonvolatile data: Nonvolatile data is digital information stored in permanent mediums, such as hard disks.

What are the characteristics of digital forensics?

Digital forensics is the preservation, identification, extraction, and documentation of computer evidence that can be used in a court of law. The process of digital forensics includes 1) Identification, 2) Preservation, 3) Analysis, 4) Documentation, and 5) Presentation.