The saga continues… Keep reading for some more ideas as to where you can look for digital evidence.
- Deleted data
Just because data has been deleted from a computer or mobile phone, doesn’t mean it’s gone forever.
When a file is deleted, it may remain on the hard drive. What are actually deleted are the instructions for finding the file – the pathway – not the file itself. Only if the data is overwritten by new files will it become irretrievable.
By analysing a device’s hard drive, investigators can recover a wealth of information that is no longer available to a regular user.
- Bluetooth/WiFi pairings
Although Bluetooth is less popular than it once was, with WiFi access now widely available, it can be a valuable source of potential evidence. Each Bluetooth device has a unique identifier, which is likely to be recorded when it is paired or connected.
Examining a phone’s Bluetooth history could prove vital in proving association between other exhibits in the case – some of which may be attributed to other relevant individuals.
Analysing the unique identifiers of WiFi networks that a phone device was connected to, can be instrumental in proving a particular device was present or even in use at a certain location.
- Cloud computing and sync
Cloud computing – whereby shared resources, software and information are provided to computers and other devices as a utility over a network (typically the internet) – allows users to access software, data management and storage without needing to know the location and other details of the infrastructure.
As the amount of data people and businesses create and use increases, data storage becomes increasingly expensive, so many people and organisations are now choosing to use the cloud to store data, or to make various settings and favourites portable between devices.
This means they can effectively have access to the same data, which can include settings, cookies and preferences, regardless of which device they are using at the time. So, activity may take place on an individual’s computer which is automatically updated on their smartphone via the cloud.
A user’s data and preferences basically follow them around, providing evidential opportunities for digital investigators.
It’s always worth considering that data from a mobile phone may be backed up onto the user’s computer.
Many people use their mobile phones almost as an extra limb (the author is guilty of this particular failing), so it’s a good idea to back up the phone on a regular basis just in case it’s lost, stolen or broken.
The evidence from backup files can be used to link a computer and phone as part of the same case, but there may also be more data on the computer from the phone’s backup than is still stored in the handset itself.
Additionally, many mobile applications (and even operating systems) are configured to sync with computers, leaving a digital trail and data on both devices. Systems such as iTunes and BlackBerry Backup are popular and store a huge amount of data. This can provide a valuable evidential opportunity.
In days of yore, voicemail was stored at the telephone exchange operated by the mobile phone network. Users would call their automated voice mailbox, and listen to messages as part of that call.
Many modern phones are now capable of having those voicemails “pushed” to the handset using an internet connection. They’re then stored on the phone for access anywhere – even if there is no phone signal.
Additionally, many phones have the facility to record voice memos (much like a dictation machine), which again could provide valuable evidence as part of an investigation.
As with any data stored on a digital device, it’s always possible for it to leave a digital trail, which can be recovered using the correct forensic tools and techniques.
The final instalment in this short series of blogs about hidden digital evidence will be posted in a few days. See you then!