Sources of Evidence
By definition, digital forensic evidence is found in computing and other electronic devices. Evidence can be found in a wide variety of places, including on storage devices, in the memory of a running computer, or somewhere on a network. By far the most stable sources of digital forensic evidence are persistent storage devices, such as hard drives, solid state drives, memory cards, and other media designed to keep data for long periods of time. These evidence sources are less fragile than memory or network information because they are non-volatile, meaning that they retain data even if power is lost. In contrast, information stored in volatile locations, such as a computer’s Random Access Memory (RAM), is typically lost whenever the computer is turned off.
Building a forensic case on evidence found in non-volatile storage is much easier than trying to build one from artifacts that readily disappear. For starters, evidence found in persistent storage is much easier to acquire. Such evidence can readily be acquired without spoliation, that is, without making changes to the evidence during the acquisition process that could make it inadmissible in court. Furthermore, evidence that can be retrieved more than once is more difficult for the opposing party to refute, since the device can be reexamined and shown to contain the same information. In contrast, an opposing party can easily raise questions about the collection methods, accuracy, and veracity of evidence obtained from strictly volatile storage. In such cases, courts might rule the evidence inadmissible, or if not, the inability to reproduce the same findings could be a basis for raising reasonable doubt.