Digital & Multimedia Evidence in Forensics

Questions and Answers

What is one of the main services provided by the Digital & Multimedia Evidence Section?

• Surveying individuals involved in investigations
• Acquisition of information from digital formats (correct)
• Storing physical evidence
• Setting up court dates

Which sub-discipline is NOT mentioned in the Digital & Multimedia Evidence Section's capabilities?

• Mobile Device Analysis
• Video & Image Analysis
• Computer Device Analysis
• Biometric Analysis (correct)

What is crucial for the timely processing of DME examinations?

• Timely submission and sufficient details about requests (correct)
• Waiting until close to court dates
• Count of the evidence items
• Detailed submission of physical evidence

Where is the Digital & Multimedia Evidence Section located?

At the Central Laboratory in Richmond (C)

What should individuals do if there are significant changes in the investigation?

Notify DME of changes that affect examination prioritization (C)

Which of the following is NOT involved in DME examination services?

Investigation of physical crime scenes (B)

Who should be contacted for inquiries regarding Digital & Multimedia Evidence?

The Digital & Multimedia Evidence Section Supervisor (C)

What is the importance of timely submission of evidence for DME examinations?

It allows for prioritization based on scheduled court dates (C)

What is a technique used to enhance specific details of a person or object in video analysis?

Image deblurring (D)

Which of the following methods reduces the visual speed of a recorded video?

Reduction in playback speed (D)

What should be included in the digital multimedia evidence submission to assist analysis?

Passcodes and any removable storage devices (C)

What is the purpose of applying a date/time filter during the analysis of parsed data?

To focus the analysis on a relevant time frame (A)

Which of the following is a guideline for processing digital evidence?

Protect evidence from extreme temperatures (D)

What is a potential benefit of frame averaging in video analysis?

Improves clarity by reducing noise (A)

What is a necessary step before submitting digital evidence for analysis?

Documenting any present damage (B)

Which of the following items is not required when submitting digital evidence?

Previous owner's contact information (B)

What should a device be placed in to ensure proper protection during evidence packaging?

A shielded enclosure like a Faraday bag (B)

What is one method that allows skipping the shielding step for device packaging?

The device's battery has been removed (C)

What should be included on the DME Submission Supplement form?

Removable storage devices (D)

What can be applied to parsed data unless otherwise directed?

A date/time filter beginning six months prior to the offense date (A)

What material should be used to wrap a device if a Faraday bag is not available?

Aluminum foil multiple times (C)

What indication should be labeled on the storage bag if the battery has been removed?

Battery removed or Airplane Mode enabled (D)

What type of authentication information is important to provide for device analysis?

Required passcodes (D)

How many times should aluminum foil be wrapped around a device for effective protection?

Five times with heavy duty or ten times with standard (A)

Which type of device is included in the category of computer devices?

Laptops (D)

What kind of information can be recovered from digital devices?

Deleted and existing data (A)

Which of the following is a method for acquiring data from devices?

Physical and logical data acquisition (A)

What does Video & Image Analysis primarily focus on?

Scientific examination of videos and images (D)

What type of multimedia files can be analyzed from digital devices?

Video and audio recordings (D)

From what devices can video recordings originate for analysis?

Cellular telephones and body-worn cameras (A)

Which option is NOT a consideration during data acquisition from a device?

User's personal preferences (B)

What are some elements of user activity that can be tracked from digital devices?

Internet browsing and timeline of events (C)

What is the first action to ensure that a device remains usable during the seizure process?

Keep the device powered on and charged (B)

What should be done to shield a device from communication networks?

Put the device into Airplane Mode (C)

When is it crucial to submit the device to the Central laboratory?

As soon as possible after seizure (B)

What specific action should be taken if the device is powered off when seized?

Remove the battery and UICC if applicable (B)

Where can a UICC or flash memory card typically be found in mobile devices?

Internally under the battery or externally along the side (D)

Why is packaging a mobile device at the time of seizure recommended?

To provide multi-layer protection for static dissipation (B)

Which of the following is NOT a recommended action when preparing a device for lab submission?

Use a cardboard box for packaging (B)

What is a potential consequence of removing the UICC from the device?

Future access to the device may be restricted (C)

Flashcards are hidden until you start studying

Study Notes

Digital & Multimedia Evidence

• The Virginia Department of Forensic Science (DFS) Digital & Multimedia Evidence (DME) Section provides examination services for information stored in analog or digital formats.

• The DME Section is divided into three sub-disciplines:

  • Computer Device Analysis
  • Mobile Device Analysis
  • Video & Image Analysis

• The DME Section has capabilities that include preservation, repair, acquisition, processing/identification, analysis/verification, clarification, and reporting.

• The DME Section can analyze information from devices including:

  • Computers: servers, desktops, laptops, game systems, magnetic card skimmers, and "Internet of Things" (IoT) devices
  • Mobile Devices: cellular telephones, tablets, and GPS navigation devices
  • Digital Storage Devices: hard disk drives, flash memory, and optical discs

• DME Section has the capability to acquire decrypted physical and logical data from a variety of devices.

Computer and Mobile Device Analysis

• Computer and Mobile Device Analysis involve examining electronically stored information originating from a wide variety of devices.
• Analysis of devices can result in the identification and recovery of a wide variety of information, including:
  • Existing and previously-existing (deleted) data
  • Data decryption and security measure identification or circumvention
  • Electronic communications such as email, chat, text/multimedia messages, call logs, and contacts
  • Multimedia files such as pictures, audio recordings, and video recordings
  • Documents and spreadsheets
  • User activity or usage patterns, such as web-browser activity, location information, device or application usage, file activity, timeline of events, and activity attribution.

Video & Image Analysis

• Video & Image Analysis involves the scientific examination of analog or digital video recordings, and print or digital still images.
• Devices analyzed include:
  • Cellular telephones
  • Hand-held video cameras
  • Body-worn cameras
  • Security/surveillance systems
  • Dashboard cameras
  • Home videos or digital cameras
• Analysis of video recordings or still images can result in:
  • Existing and previously-existing (deleted) recordings and still images
  • Confirmation of correct visual display
  • Clarification (enhancement) of specific details of a person or object
• Clarification techniques include:
  • Image deblurring
  • Magnification (aka Zoom)
  • Frame Averaging
  • Reduction in playback speed
  • Demultiplexing
  • Redaction of sensitive information or material

Collection Guidelines

• Evidence descriptions should be listed on the Request for Laboratory Examination (RFLE).
• The Area of Interest (AOI) (i.e., requested information and/or time frame) being sought should be indicated on the DME Submission Supplement form.

Computer or Digital Storage Devices

• Evidence should be in a rigid container protected from extreme temperature and strong magnetic sources.
• Only submit relevant items to be analyzed.
• Provide this information on the DME Submission Supplement form:
  • The area(s) of interest to be identified/recovered
  • Any removable storage devices
  • Any power cables/adapters/manuals
  • Any required passcodes
  • Any damage present
  • Any access to or modifications made
  • Authorization to utilize potentially destructive processes
• Unless otherwise directed, a date/time filter may be applied to parsed data encompassing a time frame beginning (at most) six (6) months prior to the offense date listed on the RFLE, and ending with the most recent date/time of activity identified within the parsed data.

Mobile Device Analysis

• Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO POWER OFF OR REBOOT
• Shield the device from communication networks by putting the device into Airplane Mode, removing its UICC, and/or placing it in a shielded enclosure.
• Submit the device to the Central laboratory as soon as possible.

Mobile Device Seizure

• Power down the device via its interface or by long-pressing its power button and, if applicable, remove its battery.
• If the device is seized powered off, remove its battery and UICC (if applicable).

UICC and Flash Memory Cards

• It is important to determine if the device contains a UICC or flash memory card such as a microSD card.
• These storage devices should be indicated on the RFLE as additional items of evidence, typically as sub-items to the handset.

Mobile Device Packaging

• Place in an anti-static container (e.g., paper envelope).
• Place in a >3 mil thick shielded enclosure (e.g., "Faraday" bag) or wrap in aluminum foil (5 times with heavy duty or 10 times with standard thickness).
• Place in an outer storage bag (container) and seal
• Packaging kits may be available from a third party vendor for purchase.

Mobile Devices Continued

• Provide this information on the DME Submission Supplement form:
  • The area(s) of interest to be identified/recovered
  • Any removable storage devices
  • Any power cables/adapters
  • Any required passcodes
  • Any damage present
  • Any access to or modifications made
  • Authorization to utilize potentially destructive processes
• Unless otherwise directed, a date/time filter may be applied to parsed data encompassing a time frame beginning (at most) six (6) months prior to the offense date listed on the RFLE, and ending with the most recent date/time of activity identified within the parsed data.