Law Enforcement and Digital Evidence

J. Philip Craiger and Jeff Swauger, University of Central Florida

Mark Pollitt, DigitalEvidencePro

Digital Evidence and Digital Forensics

Who Should Read This Chapter?

Challenges to Law Enforcement

Data Obfuscation


What Information Can Be Encrypted?

Breaking Encryption

Automated Tools: Password Crackers

Passwords on Disk

Break Other Accounts


Coping with Steganography

Digital Forensic Tool Validation

Validation Testing Challenges

Validation Testing Approaches

Test Samples

Analysis of Results


Forensic Countermeasures

File Wiping

Trace Evidence in RAM

Trace Evidence in the Swap and Hibernation Files

Trace Evidence in Unallocated Space


Digital Evidence: Growing in Volume and Diversity

Consequences for Law Enforcement

Solutions for Data Reduction

Using Technology to Cope

The Explosion of Diverse Digital Media

A Law Enforcement View of the Future of Digital Evidence


Cross References


Further Reading


One of the by-products of the growth of information technology has been the proliferation of the “computer criminal.” Forensic evidence at a crime scene that once was limited to physical items and attributes (carpet fibers, tool marks), and biological matter (hair, blood, fingerprints) now often includes digital evidence. In 1999, the Scientific Working Group on Digital Evidence ( defined digital evidence as:

Information of probative value stored ...

Get Handbook of Information Security: Information Warfare, Social, Legal, and International Issues and Security Foundations, Volume 2 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.