Your case matters. We commit our full resources and attention to a successful result.

Understanding Three Key Types of Electronic Evidence

Electronic evidence has been used in investigations and cases for decades. Whenever a computer, smart phone, tablet or other electronic device is used, chances are some kind of evidence of the transaction can be found somewhere and used to prove what happened, and perhaps who is responsible. In this article, I hope to explain the basics of some of the more commonly used types of electronic evidence: the Internet Protocol Address (IP Address), location data, and deleted files.

IP Address

The Internet Protocol (IP) Address identifies a device connected to a network. When computers communicate with each other over a network, they do so through messages we will call “packets”. Much like an envelope used to send postal mail, these packets contain the data to be sent, the sender’s (IP) address, and the recipient’s (IP) address.

The recipient’s IP address is needed because the internet is actually a series of interconnected networks, and the packets arrive at their destination by being passed off from one network to the next. Each time one network passes the packet to another network, the receiving network looks at the recipient IP address to determine the next destination along the route. When the packet reaches its destination, the receiving device processes the packet and uses the sender’s IP address to, among other things, send responses. Commonly, when connecting to services like a website, a social media app, or a file sharing service, the service will keep a log of all communications – including the sender’s IP address, date and time.

Because the IP address is used to identify which device, of the billions of devices connected to the internet, was used in a communication, it can be powerful evidence in the hands of law enforcement. Moreover, the many networks along the route likely keep their own logs, including the internet service provider, which will keep records establishing which customers had particular IP addresses assigned to them on a particular date and time. A credible allegation of a crime combined with the IP address records, and customer data (which will include the street address) is typically enough in many states for law enforcement to obtain a warrant to search the residence, and almost any device located therein.

There are some weaknesses regarding IP addresses as well. For instance, current residential internet service typically provides one IP address at a time, which is assigned to the “router”, and multiple devices connect through this router. Such a network setup means the IP address allegedly related to a crime may not identify the specific device used, but rather the router to which the device was connected at the time. For this reason, it is important to secure your home routers with strong passwords and encryption schemes (currently WPA2). Not properly securing your device could result in the police showing up at your door if someone accesses your network and commits a crime using your internet service.

Location Data

Like it or not, your smartphone is essentially a location tracker used to talk, text and take pictures.  It is not uncommon for your phone to record location data, and possibly share this data with certain services which can store it and create a history of where you were and when. It is also common for smartphones, when a photo is taken, to store the location at which the photo was taken in the metadata of the image. Naturally, this can be problematic if sharing a picture of your home, for example. For this reason, many social media platforms remove metadata from pictures by default. You should, however, check with the policies of any site to which you wish to post a picture, or remove any such metadata yourself before posting, to make sure you do not accidentally reveal personal information to those who know how to look at it.

While it is possible to disable location services in the phone’s settings, which may also prevent the phone from storing the location in the metadata as described above, law enforcement may still have access the device’s historical location through what are called “network events”. Some mobile service providers, when a phone uses their service, store the location of the device, relative to the cell tower used, at the time of the use. Certain software, which is available to law enforcement, allows this data to be converted into highly accurate maps, which can help provide a path of travel, travel time, etc.

Deleted Files

Files are basically groups of ones and zeros stored on a particular section of a storage device. The computer knows which sections make up which files, and knows to keep those sections protected from being overwritten. When a file is deleted, the computer is essentially told the section now corresponds to nothing, and it should no longer be protected, but the data remains intact until something else is written to those sections. Thus, a recovery attempt immediately after a file was deleted should almost always been successful.

Storage devices do not prioritize reusing deleted sections. Instead, the opposite may be true – meaning the device may tend to favor writing new data to lesser used portions of the device first to maximize the lifespan of the device. If one of the sections making up the deleted file data is later used to store data for another file, but the remaining sections are left untouched, partial file recovery may still be possible. Thus, how long a file is recoverable depends on factors such as the type of storage device, and how often data is written to the device. If a storage device is heavily used, it may take a short time for a deleted file to no longer be recoverable. However, if a storage device is rarely used, the file could be recoverable for years after it is deleted.


Understanding the nature of electronic evidence, how it may be obtained, and how it may be used either in an investigation or in a court of law is important. If you or someone you know is charged with a crime, the attorneys at Larkin Ingrassia & Tepermayster have over fifty years of combined experience in Orange, Dutchess, Ulster, Rockland, Westchester, Sullivan and Putnam Counties, including taking cases to trial, and successfully negotiating favorable resolutions for our clients.