First responders actions to cope with volatile digital evidence

Allan Charles Watt*, Jill Slay

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

2 Citations (Scopus)


Everyday law enforcement officers are executing search warrants and encounter digital devices that form part of the evidence. Agencies are now training first responders to handle upper level searches for relevance, prior to seizure. However problems exist, that this may not locate evidence in a cloud, a container or even a virtual machine. This evidence is essentially volatile in that once the device is turned off, connectivity with the cloud will be lost, encrypted containers will close, virtual machines will cease to operate and drive encryption will be invoked. The once accessible data may now become beyond reach of digital forensic staff, when the credentials to access the data are unknown or not available. This paper has focused on scene actions that need to be considered when staff, specifically first responders are confronted with a device, that could contain evidence that could be lost if the device is shut down.

Original languageEnglish
Pages (from-to)381-399
Number of pages19
JournalInternational Journal of Electronic Security and Digital Forensics
Issue number4
Publication statusPublished - 2015


  • Anti-forensics
  • Computer forensics
  • Crime scene
  • Digital forensics
  • File concealment
  • First responder
  • Forensic analysis
  • Investigative framework
  • Live forensic analysis
  • Search warrant


Dive into the research topics of 'First responders actions to cope with volatile digital evidence'. Together they form a unique fingerprint.

Cite this