Digital & Multimedia Evidence in Forensics

Questions and Answers

What is one of the main services provided by the Digital & Multimedia Evidence Section?

Surveying individuals involved in investigations

Acquisition of information from digital formats (correct)

Storing physical evidence

Setting up court dates

Which sub-discipline is NOT mentioned in the Digital & Multimedia Evidence Section's capabilities?

Mobile Device Analysis

Video & Image Analysis

Computer Device Analysis

Biometric Analysis (correct)

What is crucial for the timely processing of DME examinations?

Timely submission and sufficient details about requests (correct)

Waiting until close to court dates

Count of the evidence items

Detailed submission of physical evidence

Where is the Digital & Multimedia Evidence Section located?

At the Central Laboratory in Richmond

What should individuals do if there are significant changes in the investigation?

Notify DME of changes that affect examination prioritization

Which of the following is NOT involved in DME examination services?

Investigation of physical crime scenes

Who should be contacted for inquiries regarding Digital & Multimedia Evidence?

The Digital & Multimedia Evidence Section Supervisor

What is the importance of timely submission of evidence for DME examinations?

It allows for prioritization based on scheduled court dates

What is a technique used to enhance specific details of a person or object in video analysis?

Image deblurring

Which of the following methods reduces the visual speed of a recorded video?

Reduction in playback speed

What should be included in the digital multimedia evidence submission to assist analysis?

Passcodes and any removable storage devices

What is the purpose of applying a date/time filter during the analysis of parsed data?

To focus the analysis on a relevant time frame

Which of the following is a guideline for processing digital evidence?

Protect evidence from extreme temperatures

What is a potential benefit of frame averaging in video analysis?

Improves clarity by reducing noise

What is a necessary step before submitting digital evidence for analysis?

Documenting any present damage

Which of the following items is not required when submitting digital evidence?

Previous owner's contact information

What should a device be placed in to ensure proper protection during evidence packaging?

A shielded enclosure like a Faraday bag

What is one method that allows skipping the shielding step for device packaging?

The device's battery has been removed

What should be included on the DME Submission Supplement form?

Removable storage devices

What can be applied to parsed data unless otherwise directed?

A date/time filter beginning six months prior to the offense date

What material should be used to wrap a device if a Faraday bag is not available?

Aluminum foil multiple times

What indication should be labeled on the storage bag if the battery has been removed?

Battery removed or Airplane Mode enabled

What type of authentication information is important to provide for device analysis?

Required passcodes

How many times should aluminum foil be wrapped around a device for effective protection?

Five times with heavy duty or ten times with standard

Which type of device is included in the category of computer devices?

Laptops

What kind of information can be recovered from digital devices?

Deleted and existing data

Which of the following is a method for acquiring data from devices?

Physical and logical data acquisition

What does Video & Image Analysis primarily focus on?

Scientific examination of videos and images

What type of multimedia files can be analyzed from digital devices?

Video and audio recordings

From what devices can video recordings originate for analysis?

Cellular telephones and body-worn cameras

Which option is NOT a consideration during data acquisition from a device?

User's personal preferences

What are some elements of user activity that can be tracked from digital devices?

Internet browsing and timeline of events

What is the first action to ensure that a device remains usable during the seizure process?

Keep the device powered on and charged

What should be done to shield a device from communication networks?

Put the device into Airplane Mode

When is it crucial to submit the device to the Central laboratory?

As soon as possible after seizure

What specific action should be taken if the device is powered off when seized?

Remove the battery and UICC if applicable

Where can a UICC or flash memory card typically be found in mobile devices?

Internally under the battery or externally along the side

Why is packaging a mobile device at the time of seizure recommended?

To provide multi-layer protection for static dissipation

Which of the following is NOT a recommended action when preparing a device for lab submission?

Use a cardboard box for packaging

What is a potential consequence of removing the UICC from the device?

Future access to the device may be restricted

Study Notes

Digital & Multimedia Evidence

• The Virginia Department of Forensic Science (DFS) Digital & Multimedia Evidence (DME) Section provides examination services for information stored in analog or digital formats.

• The DME Section is divided into three sub-disciplines:

  • Computer Device Analysis
  • Mobile Device Analysis
  • Video & Image Analysis

• The DME Section has capabilities that include preservation, repair, acquisition, processing/identification, analysis/verification, clarification, and reporting.

• The DME Section can analyze information from devices including:

  • Computers: servers, desktops, laptops, game systems, magnetic card skimmers, and "Internet of Things" (IoT) devices
  • Mobile Devices: cellular telephones, tablets, and GPS navigation devices
  • Digital Storage Devices: hard disk drives, flash memory, and optical discs

• DME Section has the capability to acquire decrypted physical and logical data from a variety of devices.

Computer and Mobile Device Analysis

• Computer and Mobile Device Analysis involve examining electronically stored information originating from a wide variety of devices.
• Analysis of devices can result in the identification and recovery of a wide variety of information, including:
  • Existing and previously-existing (deleted) data
  • Data decryption and security measure identification or circumvention
  • Electronic communications such as email, chat, text/multimedia messages, call logs, and contacts
  • Multimedia files such as pictures, audio recordings, and video recordings
  • Documents and spreadsheets
  • User activity or usage patterns, such as web-browser activity, location information, device or application usage, file activity, timeline of events, and activity attribution.

Video & Image Analysis

• Video & Image Analysis involves the scientific examination of analog or digital video recordings, and print or digital still images.
• Devices analyzed include:
  • Cellular telephones
  • Hand-held video cameras
  • Body-worn cameras
  • Security/surveillance systems
  • Dashboard cameras
  • Home videos or digital cameras
• Analysis of video recordings or still images can result in:
  • Existing and previously-existing (deleted) recordings and still images
  • Confirmation of correct visual display
  • Clarification (enhancement) of specific details of a person or object
• Clarification techniques include:
  • Image deblurring
  • Magnification (aka Zoom)
  • Frame Averaging
  • Reduction in playback speed
  • Demultiplexing
  • Redaction of sensitive information or material

Collection Guidelines

• Evidence descriptions should be listed on the Request for Laboratory Examination (RFLE).
• The Area of Interest (AOI) (i.e., requested information and/or time frame) being sought should be indicated on the DME Submission Supplement form.

Computer or Digital Storage Devices

• Evidence should be in a rigid container protected from extreme temperature and strong magnetic sources.
• Only submit relevant items to be analyzed.
• Provide this information on the DME Submission Supplement form:
  • The area(s) of interest to be identified/recovered
  • Any removable storage devices
  • Any power cables/adapters/manuals
  • Any required passcodes
  • Any damage present
  • Any access to or modifications made
  • Authorization to utilize potentially destructive processes
• Unless otherwise directed, a date/time filter may be applied to parsed data encompassing a time frame beginning (at most) six (6) months prior to the offense date listed on the RFLE, and ending with the most recent date/time of activity identified within the parsed data.

Mobile Device Analysis

• Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO POWER OFF OR REBOOT
• Shield the device from communication networks by putting the device into Airplane Mode, removing its UICC, and/or placing it in a shielded enclosure.
• Submit the device to the Central laboratory as soon as possible.

Mobile Device Seizure

• Power down the device via its interface or by long-pressing its power button and, if applicable, remove its battery.
• If the device is seized powered off, remove its battery and UICC (if applicable).

UICC and Flash Memory Cards

• It is important to determine if the device contains a UICC or flash memory card such as a microSD card.
• These storage devices should be indicated on the RFLE as additional items of evidence, typically as sub-items to the handset.

Mobile Device Packaging

• Place in an anti-static container (e.g., paper envelope).
• Place in a >3 mil thick shielded enclosure (e.g., "Faraday" bag) or wrap in aluminum foil (5 times with heavy duty or 10 times with standard thickness).
• Place in an outer storage bag (container) and seal
• Packaging kits may be available from a third party vendor for purchase.

Mobile Devices Continued

• Provide this information on the DME Submission Supplement form:
  • The area(s) of interest to be identified/recovered
  • Any removable storage devices
  • Any power cables/adapters
  • Any required passcodes
  • Any damage present
  • Any access to or modifications made
  • Authorization to utilize potentially destructive processes
• Unless otherwise directed, a date/time filter may be applied to parsed data encompassing a time frame beginning (at most) six (6) months prior to the offense date listed on the RFLE, and ending with the most recent date/time of activity identified within the parsed data.

Description

Explore the crucial role of the Digital & Multimedia Evidence (DME) Section of the Virginia Department of Forensic Science. This quiz covers various sub-disciplines such as Computer Device Analysis, Mobile Device Analysis, and Video & Image Analysis, along with the capabilities involved in analyzing digital information from various devices.