Areas Digital Forensic Investigators Find Evidence

The purpose of this document is to provide a basic understanding of computer forensics by identifying five areas in computers and computer applications where a forensic investigator can look for digital evidence. It also covers three types of criminal investigations that can utilize the services of computer forensic investigators and describes how each of them can benefit from computer forensics. This document is intended for anybody looking to gain a basic knowledge or understanding of computer forensics and criminal investigations.

With as much technology as is in use today, there may come a time when criminal investigative services are required to collect data as evidence for criminal prosecution. They may choose to use computer forensic investigators to gather that evidence. To be proficient at their job, forensic investigators need to know where they can find the evidence they are looking for, and that evidence is sought for the purpose of criminal investigation. There are different types of criminal investigations, and each can benefit from forensic investigators in different ways.

When digital investigators are looking for evidence, there are different areas where they can look. Among the simplest and most obvious places to look are floppy diskettes, CD-ROMs, DVD-ROMs, thumb drives, and any other type of removable media (Strickland, 2009). By examining storage media, criminal investigators can get an idea of what type of data is being stored or loaded onto the system. This can prove useful in the event that third-party applications are being used to circumvent investigations. By finding an application on a removable storage device, investigators can gather information that may be useful for returning a system to the condition it was in when the crime was being committed. It is also possible that storage devices can provide clues or evidence against the suspects being investigated.

System storage devices are another place to look for digital evidence. System hard drives can store massive amounts of data that can be used as evidence; however, finding the evidence on these mass storage devices may take longer depending on how many different types of applications were used, whether anti-forensic software tools were used, and whether encryption software was used. System and application log files, as well as browser history and cache files, e-mails, digital photographs, and global positioning system logs, can hold important pieces of data that identify how the system was being used, what it was being used for, and what types of crimes were being committed, and they can also tell an investigator about some of the software applications that were being used on the system (Kennedy, 2006). When forensic investigators search a hard drive, they may have to use third-party software to search through metadata that identifies what types of files reside on the system. Metadata is information that the computer uses not only to identify what type of file is on the computer, but also to track which files link to other files. Additional forensic tools may need to be used on a system storage device to look for evidence that is embedded within applications or even hidden. System storage devices can hold critical evidence; however, depending on what software was used on the system, recovering that evidence can take long periods of time.
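The file-type identification described above can be shown with a short script. This is an added example, not code from the original document: it identifies files by their leading signature bytes and lists those whose extension disagrees with the content. The signature table is a small subset of well-known values, and the sample files and their names are constructed for the demonstration.

```python
from pathlib import Path
import tempfile

# Well-known leading signatures ("magic bytes") mapped to a type label.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/pptx
]
# Extensions considered consistent with each detected type.
EXPECTED_EXT = {
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},
}

def detect_type(path):
    """Return the type label for the file's leading bytes, or None."""
    with open(path, "rb") as fh:  # read-only: evidence is never modified
        head = fh.read(16)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return None

def find_mismatches(root):
    """Return sorted (file name, detected type) pairs whose extension
    does not match the content found under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        label = detect_type(path)
        if label and path.suffix.lower() not in EXPECTED_EXT[label]:
            hits.append((path.name, label))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and report the mismatches."""
    samples = {  # constructed sample data, not real evidence
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # JPEG content
        "report.docx": b"PK\x03\x04" + b"\x00" * 12,
        "system.dll": b"%PDF-1.4\n",                      # PDF content
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return find_mismatches(root)
```

Run against a mounted read-only copy of an image, `find_mismatches` gives a short list of files worth a closer look before deeper analysis.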

Computer memory is a place where forensic investigators can find chunks of data that were stored while the system was being used. As systems use more and more random access memory (RAM), this type of memory is used to store data for faster access during the system’s operation. Since RAM stores information while the system is in use, it is clearly a good location to find evidence. However, the information stored in RAM is unlikely to be readable by humans, so forensic applications will most likely be needed to find the critical evidence.
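A basic form of what such forensic applications do with a memory image is to pull readable text out of the surrounding binary data. The following added example (not from the original document) recovers ASCII and UTF-16LE strings from raw bytes and picks out URLs and e-mail addresses; the minimum length, the search pattern and the sample buffer are assumptions constructed for the demonstration.

```python
import re

MIN_LEN = 6  # assumed threshold: shorter runs are mostly noise

# Runs of printable characters, as single bytes and as UTF-16LE pairs.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def extract_strings(image):
    """Return sorted (offset, encoding, text) for each printable run."""
    found = []
    for m in ASCII_RE.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)

def find_artifacts(image):
    """Return (offset of containing string, encoding, value) for each
    URL or e-mail address found in the recovered strings."""
    pattern = re.compile(r"https?://\S+|[\w.+-]+@[\w-]+\.[\w.-]+")
    hits = []
    for offset, enc, text in extract_strings(image):
        for m in pattern.finditer(text):
            hits.append((offset, enc, m.group()))
    return hits

def build_sample():
    """Constructed stand-in for a memory image: text between binary filler."""
    return (
        b"\x00\x13\xff\x8a" * 8
        + b"GET http://example.test/inbox HTTP/1.1"
        + b"\x00\x01\x02\xfe" * 5
        + "user@example.test".encode("utf-16le")
        + b"\xff\xfe\x90\x00" * 4
    )
```

The offsets let an examiner go back to the exact location in the image and inspect the surrounding bytes.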

Documentation that has been printed out from a computer system is considered original documentation and is permissible as digital evidence. Under the best evidence rule, many judges allow digital printouts to be used as evidence. Digital printouts are considered original forms of work, as they are unique to the printer that was used when the crime was committed. Some printers are even sophisticated enough to have built-in memory, and that memory may contain digital evidence for forensic investigators.

There are many different types of criminal investigations; however, some that can greatly benefit from digital forensics are investigations involving sex crimes, hate crimes, theft, narcotics, wrongful accusation, and even kidnapping. For crimes that involve sex, including sex with minors, chat application log files can often hold much evidence against the accused. For a crime of theft, a spreadsheet that holds information such as items, serial numbers, locations, and other details can prove to be a great asset. Crimes that involve narcotics can benefit from chat log information, but e-mail traffic is more likely to prove a greater asset as evidence. No matter which criminal investigation is being conducted, it can greatly benefit from the use of digital forensics.

In conclusion, there are many types of criminal investigations that can benefit from the use of forensic investigators. Many of these investigations involve sex crimes, narcotics, hate crimes, wrongful accusation, and kidnapping. When digital forensic investigators are used to gather digital evidence for a criminal case, some of the locations where evidence can be found include printouts, removable storage devices, internal storage devices, application logs, browser history files, browser cache files, e-mail, random access memory, and possibly even printer memory. No matter what type of criminal offense was committed, as long as a computer was utilized to commit the crime, the investigation can benefit from digital investigators gathering evidence to prove the crime was committed.

1. Strickland, Jonathan (2009). How Computer Forensics Works. Retrieved March 29, 2009, from Howstuffworks “How Computer Forensics Works” Web site:
2. Kennedy, Ian (2006, August). Looking for foul play – digital forensics Part 2. Retrieved March 29, 2009, from Looking for foul play – digital forensics Part 2 Web site:
