Have you looked everywhere for digital evidence?

Building a good case means gathering as much relevant evidence as possible to build a full picture of the situation.

There are several obvious places to look for evidence: a computer’s hard drive; a flash drive; a SIM card from a mobile phone, for example. But looking down the back of the proverbial sofa can reveal a whole heap of potential evidence you may not have thought of.

Here at CCL-Forensics, we like to be helpful – and we also love a good list. So here, for your delectation, are five places you may not have looked…

  1. Location-based services

SatNav devices are not the only way to stop yourself from getting lost these days. Quite apart from the traditional paper map, most mobile devices now contain built-in GPS which works with applications to provide location-specific data to the user.

A few examples: weather apps showing the local forecast need a GPS fix in order to deliver the correct data; social networking apps such as Facebook and foursquare also use GPS to place the user and their online friends in various locations; and a significant number of devices run GPS in the background without the user even noticing.

All this can leave valuable forensic traces on the device. It’s worth considering whether this data is relevant to your case, and if the geographical location of the person attributed to the phone is important. If so, this data should be requested as part of a handset examination. When combined with, for example, ANPR hits or cell site analysis it could strengthen your case.

  1. Geo-tagged images

Following on from location-based services, it’s now possible to tag photographs and other files with a code from a GPS signal to show where the device was when the file was created.

It’s not just mobile digital devices that do this, either; many digital cameras now use GPS signals to geo-tag their photographs.

This metadata can be used to associate individuals or locations featured in photos with a set of geographic coordinates. It’s potentially valuable data that could go unnoticed using “traditional” forensic tools.

  1. SatNav in your hand

Dedicated SatNav devices are well known among digital forensics investigators, but SatNav apps are becoming increasingly common on mobile devices, with smartphones beginning to replace windscreen-mounted devices. (There are a couple of interesting articles on this subject.)

There is an additional evidential opportunity available on the phones themselves, as there is the potential for them to contain records of directions, searches and other SatNav-based activity. If geographic location is relevant to your case, this opportunity should not be underestimated.

Search terms which coincide with significant locations in your investigation can, for example, show that the user had a specific interest in that location. GPS fixes, where recorded and retrieved, may show that the device had moved to or from that location.

  1. Instant messaging

Instant messaging facilities are now a major part of many computer and phone social media applications – not to mention newer tablet technology.

Using smartphones for instant messaging allows suspected criminals to communicate without details being recorded in text message history or on the billing records. Many tariffs now include data as well as airtime, making IM a much more accessible medium – and it can also be used over WiFi.

Most smartphones will have an inbuilt IM app, or will allow users to download one. Chats are conducted via the internet – but there is the potential to leave a forensic trace behind on the device itself.

This won’t be detailed in a standard examination report containing calls, texts and contact lists – but it’s worth considering whether this type of communication is relevant to your case.

A recent example of how instant messaging can be used extremely effectively in crime is last August’s riots. The BlackBerry Messenger (BBM) service is free and secure, and was used extensively to organise disturbances in the capital, and then throughout the UK. There are plenty of articles documenting how the system works, and how it worked during the riots.

It’s pretty obvious that recovering “fleeting” instant messages can be vital evidence in criminal cases – for the prosecution and for the defence.

  1. Organiser

How much of your life is on your mobile phone? With the widespread rejection of antique items such as paper diaries, smartphone organisers contain a huge amount of information about people’s appointments and movements.

They’re available on computers, smartphones and other mobile devices, and are often synced with other apps via online sites such as Google or Hotmail. It’s not just a diary, either; notes apps and programs are the modern equivalent of scribbling a note on a post-it, and can add a valuable extra dimension to evidence.

The data contained therein can provide a great evidential opportunity, complementing data found elsewhere on the suspect’s device(s).

There are 20 places you could try looking, in all – so stay tuned over the next couple of weeks.


Suspected computer misuse – would you know what to do?

46% of large companies have had staff lose or leak confidential data*

People live a large part of their lives through their computers and mobile phones, and these devices can be seen as an extension to the minds of employees – so it stands to reason that the evidence they contain can be pivotal in internal investigations, disciplinaries and tribunals.

A quarter of frauds suffered by business during 2010-2011 were digital crimes

Computer misuse is almost inevitable, no matter how robust your IT security, policies and procedures. When employees have round-the-clock access to company computer systems and smartphones, there will always be those who will misuse equipment or take liberties with sensitive data to which they have legitimate access.

Whatever the scenario, no matter how small, the initial response is crucial to avoid potential legal problems.

What can you do?

No matter how effective your policies and procedures, and IT security, there will always be risks. CCL-Forensics has put together a one-day course providing delegates with techniques to understand and implement best-practice in dealing with digital evidence.


  • Computer misuse – why I might need a forensic response
  • Contemporaneous notes – how and why
  • Handling digital evidence – chain of custody
  • Locating the data (evidence)
  • Seizing digital devices – theory and practice
  • Forensic data imaging – the theory
  • Forensic data imaging – practical
    • PC
    • Laptop
    • Flash drive
  • Getting data from a network
  • Home directories
    • Email
    • Custom content image
    • Storing digital evidence

When, where and how to book

Date: February 23

Price: £195 + VAT per delegate

Location: Stratford-upon-Avon

For more information and to book online, please visit our website, email info@ccl-forensics.com or call 01789 261200.