Title: First responders actions to cope with volatile digital evidence

Authors: Allan Charles Watt; Jill Slay

Addresses: Centre for Policing, Intelligence and Counter Terrorism, Macquarie University, Building Y3A, Sydney, NSW 2109, Australia ' UNSW Canberra at the Australian Defence Force Academy, P.O. Box 7916, Canberra BC 2610, Australia

Abstract: Everyday law enforcement officers are executing search warrants and encounter digital devices that form part of the evidence. Agencies are now training first responders to handle upper level searches for relevance, prior to seizure. However problems exist, that this may not locate evidence in a cloud, a container or even a virtual machine. This evidence is essentially volatile in that once the device is turned off, connectivity with the cloud will be lost, encrypted containers will close, virtual machines will cease to operate and drive encryption will be invoked. The once accessible data may now become beyond reach of digital forensic staff, when the credentials to access the data are unknown or not available. This paper has focused on scene actions that need to be considered when staff, specifically first responders are confronted with a device, that could contain evidence that could be lost if the device is shut down.

Keywords: computer forensics; digital forensics; anti-forensics; forensic analysis; investigative framework; file concealment; first responders; live forensic analysis; crime scene; search warrants; first responder actions; volatile digital evidence; law enforcement; cloud computing; encrypted containers; virtual machines; drive encryption; cryptography; evidence loss.

DOI: 10.1504/IJESDF.2015.072182

International Journal of Electronic Security and Digital Forensics, 2015 Vol.7 No.4, pp.381 - 399

Received: 14 Nov 2014
Accepted: 07 Jun 2015

Published online: 02 Oct 2015 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article