Digital devices like iPods, cameras, voice recorders, flash drives, and memory cards have become so commonplace that it is easy for first responders to assume they're unassociated with criminal activity. How can an iPod hold images, or a digital camera documents?
Yet convictions have been secured based on evidence contained in these devices. Thus officers and investigators must take care, when entering a crime scene, to seize any and all digital devices as evidence.
Focus on the suspect — not the device
New storage and entertainment devices are constantly released to the mass market. Files can be stored on anything that a computer sees as a "drive." It may be tempting to leave a digital camera at a crime scene because the investigator sees nothing on the screen. In fact, however, the documents contained on its SD card may not be viewable on its screen, or may have been deleted but are easily recoverable. Most cameras are made to only recognize files with a certain extension: .png, .jpg (images), and so forth — not .doc or .xls (Microsoft Word documents, Excel spreadsheets). In fact, many laptops now contain an SD slot that makes it easy to transfer the files from hard drive to card, which can expedite the media card review.
In one case, investigators searching a parolee's home saw pictures of his gang affiliations on the walls, which made enough of a parole-violation case for an arrest. Meanwhile, the digital camera on his dresser didn't immediately reveal additional photo evidence.
It was seized though. Later they recovered files that had been deleted from the memory card, which included not only the images on the walls, but also additional images of the suspect with his gang associates and tattoos. Together with the date and time stamps that showed the documents had been created since the suspect's parole, the images were enough to make a solid case against him.
Even "expected" digital data — an MP3 file stored on an iPod or other digital player — can be evidence. In the case of a murdered California Highway Patrol officer, the suspect, a rapper, had made a song detailing everything he had done to the officer. The only difference was the officer's agency.
The point then is not to think about which devices to seize, or even which kinds of evidence (video, e-mail, documents, etc.) to look for. The key word is "anything:" any kind of device, any kind of evidence.
Evidence at the scene
It's possible to preview digital devices on-scene while executing a search warrant. Lt. Chuck Cohen, commander of the Indiana State Police Special Investigations and Criminal Intelligence Section, says this is valuable to investigators in terms of time. "A remote lab's turnaround time is too long for someone who may be at risk," he explains. "Recovering images from a camera during interviews of a suspect, witness or victim can make a real difference."
How to accomplish this? Cohen says an investigator's laptop with an external USB media reader — a cell phone-sized box that plugs into the laptop's USB ports — can be used. To prevent evidence alteration, the investigator can write-protect the laptop's USB ports using Windows functionality.
It's possible to mount the external media as a virtual folder, just as one would any other Windows folder, enabling the investigator to pull and review even deleted files. "The imaging software looks at all the sectors on a flash drive, which contain data until it's overwritten," Cohen says.
On-scene evidence previews can also help investigators learn which specific devices to search for. A preview of a suspect's hard drive, or interrogation of the wireless router, can show whether an external device such as a thumb drive was connected to the computer — and when.
However, Gary Kessler, associate professor of digital investigation management at Champlain College and a member of the Vermont Internet Crimes Against Children Task Force, cautions that whether an investigator can or should perform this kind of function in the field depends on training and equipment.