
When I'm not writing articles, I do a lot of freelance OSINT work. While the majority of that work involves de-anonymizing predators or tracking missing persons, this realm of OSINT contains a vital, inalienable component: handling digital evidence.
Let me present a scenario. Imagine being part of a civilian-led OSINT group dedicated to hunting threat actors, even predators. You stumble upon a suspicious Facebook post by John Doe, and the more you dig, you discover that John Doe is using code words in relation to Child Sexual Abuse Material (CSAM).
Somewhere in the threads, you find a link to a WhatsApp group where John Doe is the admin. You pivot to WhatsApp and see that his display image is a headshot of a man with the unique username ‘jojodoebro1’. Furthermore, as you’re browsing his profile, you notice his phone number is set to public. This is an OSINT goldmine.
Moreover, the discussions and images being shared in his WhatsApp group confirm your suspicions - John Doe is running a CSAM marketplace.

Now you’re working with numerous data points to research.
- You know he’s a Facebook user.
- You know that the symbol he posted is commonly associated with CSAM.
- You have his WhatsApp username, jojodoebro1.
- You have a possible photo.
- You have a phone number.
- You have confirmation that John Doe is committing a serious crime.
Every step of the way, you’ve been taking screenshots and saving links in a notepad as you expand your investigation, all the way to de-anonymizing the true identity of the threat actor. You compile your findings into a ZIP folder and send it to the police, the FBI, or both.
But something isn’t right, because law enforcement, or NGOs like the National Center for Missing and Exploited Children (NCMEC), aren’t biting. Is it possible you sent them a ZIP folder with a bunch of random files, some of which contain screenshots or images of CSAM (which is illegal), and virtually no metadata at all?

Chain of custody: your invisible shield
Does it seem most of the time that nobody is interested in what you found or what you can prove? Regardless of whether we’re talking about cyberattack attribution, terrorism, or predators, we find ourselves running into invisible red tape, even when the evidence is so crystal clear that a layperson can understand it.
Remember back in grade school, during math class, when our teachers would get so annoyed with us for not showing our work? It didn’t matter if the answer was correct - what mattered was being able to prove how we got the answer.
I will show you how to connect the dots. Regardless of the system, its red tape, or how it operates, if OSINT investigators show their work and the system refuses to acknowledge it, that’s on the system. At the very least, you’ll know you followed procedure to the letter.
Creating a simple entry log
This part is actually easy. All you’re doing is keeping a simple log of investigative events - the who, when, where, and how.
Let me break it down:
- Date & Time: When you discovered the incident
- Who discovered the incident
- What action was taken
- Where the evidence was stored upon collecting it
- Where the incident occurred
- Hash at the point of capture. When evidence is first collected, such as a screenshot or image, a hash is generated using a hashing algorithm like SHA-256, SHA-1, or MD5. This establishes file integrity and protects against tampering.
What counts as evidence?
Let’s say an OSINT investigator locates a Telegram message or group with CSAM trading indicators. Evidence that’s important may include:
- URLs, screenshots, and hashes of the images (without downloading prohibited images). This means hashing your screenshots and any non-prohibited images you found in the Telegram message
- Username(s) of the suspects in question
- Time and date you collected the evidence
- Who collected it and who it was passed to
- Chain of transfer to law enforcement, if it’s applicable
Screenshots
Screenshots can only be admitted under the rules of evidence if they’ve been authenticated by a witness, but with some important caveats to consider. Let’s break it down.
Digital evidence has to be corroborated by other evidence, such as unaltered logs, metadata, emails, testimony, hash verification, or the original link to the post. This means something other than the screenshot itself has to substantiate its authenticity. Metadata is preferred, but not fundamentally needed.

Screenshots can be used to satisfy the legal requirement of probable cause when backed up by something more substantial, since screenshots alone can raise questions about authenticity, as they can be easily manipulated or lack context.
For example, if the content you’ve discovered includes threats, grooming behavior, terrorist communication, or indicators of CSAM, law enforcement can use the screenshots you provided as a basis for subpoenaing service providers, obtaining search warrants, and taking further investigative action.
In practice, screenshots are often used when metadata is unavailable, especially by civilian complainants or in early investigative stages.
Moreover, US courts have ruled that even when metadata isn’t present, they can rely on circumstantial and testimonial evidence to support authenticity (e.g., United States v. Safavian, 435 F. Supp. 2d 36 (D.D.C. 2006)).
Metadata: the digital fingerprint
When it comes to metadata, it is the preferred form of digital evidence for establishing key elements such as chain of custody, time of communication, and origin of data. These factors are exactly what the FBI and other agencies examine when they analyze, prioritize, and initiate an investigation.
This may include, but is not limited to:
- IP addresses
- Log files
- EXIF data
- GPS coordinates
- Timestamps
- Original uploads
- Creation/modification dates
- Original file paths
- Usernames or devices used by the suspect
- Thumbnail cache or embedded previews
- Message IDs
- User IDs or handles
- Post URLs or permalinks
- Account creation date
- Display name patterns
You get the drift.
Everything is important.

Hashes: integrity at capture
Warning: You should never download, store, or hash CSAM yourself, even for investigative purposes. This is a hard line, as it will implicate you in the same crime you are documenting and reporting. Leave this to law enforcement.
This means that if you encounter CSAM, you may screenshot only the context, such as usernames, timestamps, and file names, and never download or open files containing CSAM under any circumstances. You can, however, hash everything else:
- Screenshots
- PDF exports
- Text documents
- Any other file format, in order to establish file integrity.
Example of HashMyFiles Desktop app for Windows
For the material you are allowed to hash, you can use tools such as HashMyFiles, which computes various cryptographic hash values for files on your system. It is useful for verifying file integrity, detecting duplicates, and ensuring that evidence authenticity is rock solid. You can also use the online file hashing tool MD5File, or similar.
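Putting the entry log above and the hash-at-capture step into code, as an added example that is not the article’s own (the file names, the 'analyst_placeholder' handle and the example.invalid URL are constructed): it records the who, when, where and how together with a SHA-256 at capture, then re-hashes before hand-off so any post-capture change is flagged.

```python
# Added example (not the article's code): hash evidence at capture, log who/when/where,
# then re-verify before hand-off. File names and the analyst handle are constructed.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    # Streamed SHA-256; prefer it to MD5/SHA-1, whose collision weaknesses invite disputes.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def log_capture(log: Path, evidence: Path, who: str, action: str, where: str) -> dict:
    # One entry-log record: the who / when / where / how, plus the hash at capture.
    entry = {
        "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "discovered_by": who,
        "action": action,
        "incident_location": where,   # e.g. the post URL or chat the item came from
        "stored_at": str(evidence.resolve()),
        "sha256_at_capture": sha256_file(evidence),
    }
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")   # one JSON object per line, append-only
    return entry

def verify_log(log: Path) -> list:
    # Re-hash every logged file; a mismatch or missing file means it changed after capture.
    results = []
    for line in log.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        path = Path(entry["stored_at"])
        current = sha256_file(path) if path.exists() else None
        results.append({"file": path.name, "intact": current == entry["sha256_at_capture"]})
    return results

def run_demo() -> tuple:
    # Constructed walk-through: log a capture, then alter the file and re-verify.
    with tempfile.TemporaryDirectory() as d:
        log, shot = Path(d) / "custody.jsonl", Path(d) / "screenshot_001.png"
        shot.write_bytes(b"constructed stand-in for a screenshot")
        log_capture(log, shot, "analyst_placeholder", "screenshot of profile", "https://example.invalid/post/1")
        before = verify_log(log)[0]["intact"]
        shot.write_bytes(b"edited after capture")   # simulate post-capture tampering
        after = verify_log(log)[0]["intact"]
    return before, after   # (True, False)
```

Keep the log file itself alongside the evidence in the package you hand over, so the receiving party can re-run the same check.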
Remember, there’s a process and legal procedures law enforcement must follow. The problem is, you never really know how the chips will fall. That is why it is imperative to do everything you can to safeguard your investigation and everyone involved. That way, if there appears to be no action taken, you know you did everything you could.