Digital Forensic Investigative Tools: Preventing Data Loss When Seizing Electronic Devices of Interest

Important digital evidence such as operating system state, networking information, recent social networking activity, web history and recently accessed, created and modified files can be lost when a device is powered off: data held in memory is erased, and data on encrypted volumes may become inaccessible once the system shuts down.

Investigators need to acquire this type of information, known as volatile or live data, while the device is still running, yet they must still turn devices off to transport them to law enforcement facilities. For this reason, tools are needed to support the acquisition of live data at crime scenes, before shutdown.

Developing Live Data Acquisition Tools

NIJ is funding the development of a tool at WetStone Technologies, Inc., that could be used at crime scenes, prior to shutdown of computer devices, to:

  • Obtain information about the device's hardware and peripherals (such as printers and portable hard drives).
  • Acquire critical details about network configuration and connections, storage, and the contents of the device's memory.
  • Determine the need for a "live image," a replica of the device's contents that would be stored on a secondary storage device.

This new software tool, called the USB Live Acquisition and Triage Tool (US-LATT), resides on a customized USB device that can launch applications. US-LATT automatically captures and stores evidence from suspects' computers.

The tool is also intended to be:

During the process of digital evidence collection, the US-LATT tool logs every change it makes to the computer system or its files, together with the reason for each change. Because live acquisition necessarily alters the running system, this record lets the examiner account for each modification and reduces the risk that the collected evidence is ruled inadmissible in court. However, standards and legal procedures still need to be established for live data acquisition and courtroom admissibility.
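The following is an added illustration, not US-LATT's code or anything published by NIJ or WetStone: a small Python live-triage collector that performs the kind of collection steps listed above (hardware, network and session details written to the examiner's own media) and keeps the kind of action log described in this paragraph, recording what was collected, why, and the SHA-256 of each output. Each log entry also carries the hash of the previous entry, so later edits to the log break the chain. The items collected, the JSON layout and the hash-chained log format are assumptions made for this example; a memory image is out of scope because it needs a dedicated acquisition driver.

```python
"""Constructed example: a live-triage collector with a tamper-evident action log.

Assumptions (not from US-LATT): the collected items, the JSON layout and the
hash-chained log format are illustrative choices made for this example.
"""
import hashlib
import json
import os
import platform
import socket
import sys
import tempfile
import time
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ActionLog:
    """Append-only record of what the tool did, why, and what it produced.

    Each entry includes the SHA-256 of the previous entry, so editing, reordering
    or deleting an entry after the fact breaks the chain (see verify_chain).
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, reason, output_file, output_sha256):
        prev = self.entries[-1]["entry_sha256"] if self.entries else self.GENESIS
        entry = {
            "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "action": action,
            "reason": reason,
            "output_file": output_file,
            "output_sha256": output_sha256,
            "prev_entry_sha256": prev,
        }
        entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry


def verify_chain(entries):
    """Recompute every link; True only if no entry was altered, reordered or dropped."""
    prev = ActionLog.GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        if e.get("prev_entry_sha256") != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e.get("entry_sha256"):
            return False
        prev = e["entry_sha256"]
    return True


# --- collectors: each returns the bytes written to the examiner's media ---

def collect_hardware() -> bytes:
    u = platform.uname()
    info = {"system": u.system, "release": u.release, "version": u.version,
            "machine": u.machine, "processor": u.processor, "cpu_count": os.cpu_count()}
    return json.dumps(info, sort_keys=True, indent=1).encode()


def collect_network() -> bytes:
    info = {"hostname": socket.gethostname()}
    if hasattr(socket, "if_nameindex"):  # not available on every platform/Python build
        try:
            info["interfaces"] = [name for _idx, name in socket.if_nameindex()]
        except OSError as exc:
            info["interfaces_error"] = str(exc)
    return json.dumps(info, sort_keys=True, indent=1).encode()


def collect_session() -> bytes:
    # Running-session context that disappears at shutdown (no memory image here).
    info = {"acquisition_time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "monotonic_clock_s": round(time.monotonic(), 1),
            "user": os.environ.get("USER") or os.environ.get("USERNAME") or "unknown",
            "interpreter": sys.version.split()[0]}
    return json.dumps(info, sort_keys=True, indent=1).encode()


# (name, reason recorded in the log, collector)
COLLECTORS = [
    ("hardware", "identify the device before it is powered off", collect_hardware),
    ("network", "network identity is volatile and lost at shutdown", collect_network),
    ("session", "running-session context is volatile and lost at shutdown", collect_session),
]


def run_triage(out_dir=None):
    """Run every collector; write outputs and the action log to out_dir (examiner's media)."""
    out = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="triage_"))
    out.mkdir(parents=True, exist_ok=True)
    log = ActionLog()
    for name, reason, collector in COLLECTORS:
        data = collector()
        filename = f"{name}.json"
        (out / filename).write_bytes(data)
        log.record(f"collect {name}", reason, filename, sha256_hex(data))
    (out / "action_log.json").write_text(json.dumps(log.entries, indent=1))
    return log.entries, str(out)


def verify_outputs(out_dir, entries):
    """Re-hash each evidence file and compare with the hash recorded when it was written."""
    return all(sha256_hex((Path(out_dir) / e["output_file"]).read_bytes()) == e["output_sha256"]
               for e in entries)


if __name__ == "__main__":
    entries, where = run_triage()
    print(f"{len(entries)} items collected into {where}; chain ok: {verify_chain(entries)}")
```

Run it from removable media and point `run_triage()` at a directory on that media, never at the suspect's disk; `verify_chain` and `verify_outputs` are what the examiner re-runs later to show that neither the log nor the collected files changed after the scene.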

Date Created: November 5, 2010