"Most first responders, unless they are going to a scene where they know digital evidence is important, won't have the necessary imaging equipment," Kessler says. "The main thing we emphasize during training is for them to be cognizant about sources of evidence and to seize it rather than acquire the data."
He cites one case in which detectives seized a drug dealer's computer, but did not check the mass of CD jewel cases near his stereo to see if any of them contained data disks. As recently as a few years ago, officers at a crime scene might power on a suspect's computer to see if it contained information relevant to the crime. "We now train them to be aware — and that if they don't know what they're doing, not to touch it," Kessler says.
Recovering 'lost' evidence
Mishandled evidence is not always lost. Following a homicide, a California lieutenant took the department-issued digital camera from the detectives he was supervising. As he handled it, he inadvertently reformatted its memory. Nonetheless, the six images related to the murder were recovered along with more than 100 images indicating personal use by the lieutenant, including a motorcycle trip.
More frequently, witnesses use camera phones — which are becoming increasingly advanced with higher resolutions — to take still images or videos of their friends committing crimes. Often later deleted, this kind of evidence is becoming a factor in more criminal cases.
Actually recovering lost evidence is not complicated; a number of tools exist that require no specialized skills. A non-technical field officer can use them with ease, but it is important for that officer to take time to become familiar with the tools, to practice, and to learn to validate evidence.
"Validation" can be as simple as learning on a device owned at home, while training can be undertaken via software tools' manufacturers — or via the latest podcasts on the subject. Thus non-specialized officers have the ability to identify and acquire valuable evidence without significant consumption of either time or budget.
Still, Mark Menz, vice president of the digital forensic and electronic discovery firm MJ Menz & Associates, says that "the tools used to recover deleted digital images will vary depending on the media the images are stored on, along with the operating system and the file system used by the computer and media from which the files were deleted." (An operating system, such as Windows, controls the computer's hardware. Within operating systems, several levels of file systems exist.)
"Recovery can become even more complicated when the investigator adds the variable of the media — hard disk, floppy disk, flash drive, or optical drive — used to store the images, along with the image file's level of deletion," Menz says. "Examples of the file's level of deletion include that it's located in the Recycle Bin; not in the Recycle Bin but still listed in the directory or Master File Table (MFT); not listed in a directory or MFT; partially overwritten; or deleted and fragmented."
Each level of deletion requires different programs or processes, and in most cases involves hard or floppy disks and the assistance of a computer forensic specialist.
Menz adds, "On various storage media, traditional forensic tools such as FTK Imager [a free tool that requires somewhat of a learning curve to use] can work, but some vendor tools [such as SanDisk RescuePro] actually do a better job at image recovery."
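At the "not listed in a directory or MFT" level Menz describes, recovery falls back on file carving: scanning the raw media for file signatures instead of reading the directory. The Python example below is an added illustration, not part of the original article and not a description of how FTK Imager or RescuePro work internally; the `fake_jpeg` helper and the `CARD` sample are constructed, and the code assumes single-scan JPEG files stored contiguously.

```python
import hashlib
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
HEADER = SOI + b"\xff"          # SOI followed by the first segment marker

def jpeg_end(buf, start):
    """Offset just past the End-Of-Image marker of the JPEG at start, else None."""
    pos = start + 2
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None         # segment chain broken: overwritten or fragmented
        marker = buf[pos + 1]
        (seg_len,) = struct.unpack(">H", buf[pos + 2:pos + 4])
        if seg_len < 2:
            return None
        pos += 2 + seg_len      # skips EXIF blocks, including embedded thumbnails
        if marker == SOS:
            end, nxt = buf.find(EOI, pos), buf.find(HEADER, pos)
            # Compressed data never contains a new header; one before EOI means
            # this file was cut off and another file's data follows.
            if end == -1 or (nxt != -1 and nxt < end):
                return None
            return end + 2
    return None

def carve_jpegs(buf):
    """Return (offset, length, sha256, status) for every JPEG header in buf."""
    found, pos = [], buf.find(HEADER)
    while pos != -1:
        end = jpeg_end(buf, pos)
        if end is None:
            found.append((pos, None, None, "damaged"))
            pos = buf.find(HEADER, pos + 2)
        else:
            data = buf[pos:end]
            found.append((pos, len(data), hashlib.sha256(data).hexdigest(), "intact"))
            pos = buf.find(HEADER, end)
    return found

def fake_jpeg(scan, complete=True):
    """Constructed stand-in with JPEG segment structure (not a viewable photo)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
    return SOI + app0 + sos + scan + (EOI if complete else b"")

# Constructed card image: blank directory area, one whole photo, one cut short.
CARD = (bytes(512) + fake_jpeg(b"\x11" * 40) + bytes(64)
        + fake_jpeg(b"\x22" * 40, complete=False) + fake_jpeg(b"\x33" * 20))

if __name__ == "__main__":
    for hit in carve_jpegs(CARD):
        print(hit)
```

The SHA-256 recorded for each intact file gives the examiner a value to re-check later when validating that the recovered image has not changed; the "damaged" entry corresponds to the partially overwritten and fragmented levels, which need more than signature scanning.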
Most mobile device service providers allow data to be uploaded to private servers. Third-party applications allow the same. As part of the concept of "cloud computing," services like Microsoft Mesh, Google Gspace, Evernote and Zoho allow data to be transferred from mobile device to server, then to the user's desktop — or vice versa.
While it is more common for individuals to do this with cell phones, Evernote's software, for instance, is downloadable directly to a SanDisk U3 Flash drive, and Microsoft Mesh has plans to allow synchronization with digital photo frames and other portable devices.
In these cases, because evidence from these kinds of accounts can be time sensitive, investigators must take care to send a letter of preservation to the company to have it lock the account before the suspect can have evidence deleted.