Digital evidence is digital data that may be used as evidence within the criminal justice system. At a crime scene investigators should follow procedures and guidelines in the collection and analysis of digital information and evidence aimed at ensuring the integrity of the evidence. Anything that can store and/or transmit digital data might be of interest to an investigator and may include data not at the physical scene, such as Internet service provider (ISP) logs. For analysis an exact copy of the data should be made. Digital evidence is collected within legislative frameworks, which have been critiqued for not keeping up with the pace of technological change. Some argue the use of such legislation is inconsistent and heavy-handed while others argue there are insufficient laws. There are also concerns regarding covert digital surveillance.
Devices must be handled differently depending on whether they are in an on or off state, and there are further precautions that need to be taken with mobile phones. Devices are normally analyzed with software suites but the use of such suites has been criticized as unscientific. Various data can be found on a personal computer (PC) hard drive including that created by automatic processes, temporary files, deliberately hidden data, deleted data, and Internet activity.
Digital Evidence
The term digital evidence is generally used in reference to digital data (in stored or transmitted forms) that has the potential to be used as evidence within the criminal justice system. It also refers to “data about data” (such as metadata); for example, the last accessed date of an MS Word document (to determine whether that document had been accessed recently). Digital evidence will often be encountered in so-called digital crimes such as unauthorized access and/or impairing of computer systems, the sharing of Internet child sexual abuse imagery, and online mediated frauds, such as phishing and Distributed Denial of Service (DDoS) attacks. However, digital evidence will also be frequently encountered in many other crimes, for example, using mobile phone network service provider data to determine (by cell site analysis) the phone’s approximate location when being used.
Crime Scene Investigation
In an investigation that requires handling of digital evidence, a digital evidence first responder (DEFR) will usually attend a crime scene in order to identify potential sources of digital evidence. Due to the nature of such evidence a DEFR will follow procedures specific to digital investigation, and these procedures are also often relevant to the subsequent analysis of digital information and evidence.
In some jurisdictions, warrants might be required before a DEFR enters a crime scene. Entry plans are also normally formulated, bearing in mind issues such as the disruption to businesses that may be caused by the seizure of equipment.
Once at a scene investigators will be expected to follow guidelines such as those of the U.S. Department of Justice (DOJ) or the Association of Chief Police Officers (ACPO) for England and Wales. The DOJ guidelines require that “[a]ctions taken to secure and collect digital evidence should not affect the integrity of that evidence,” that “[p]ersons conducting an examination of digital evidence should be trained for that purpose,” and that “[a]ctivity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.”
However, on occasion (as in the case of mobile phone analysis for data acquisition of running processes) there may be no alternative but to take actions that may alter the original evidence. Under such circumstances, most DEFRs would be expected to keep a record of their actions and their possible implications.
Locations of Digital Evidence
Anything that can store and/or transmit digital data might be of interest at a crime scene, and this would commonly include PCs, Macs, tablet computers, hard drives, memory cards, Universal Serial Bus (USB) pen drives, optical and magneto-optical disks (CDs, DVDs, dynamic random access memory, Blu-ray), mobile phones, personal digital assistants (PDAs), mobile navigation systems (Satnavs), digital video cameras (including closed-circuit TV), and networks. However, there are less obvious potential sources of digital evidence; for example, a washing machine may store wash time details that might be relevant in a sexual assault investigation. The investigators may need to consider widening their search beyond devices seized at the scene. Routers and modems may be external to the scene, and ISP logs and caches may provide valuable evidence relating to digital communications. This widening of the net may also be necessary due to the increasing popularity of cloud-based storage and applications such as DropBox.
Having identified the sources of evidence to be examined, the next step is to secure a copy of this data in a forensic manner by creating an exact bit-by-bit image of the data. Time needs to be allowed for this lengthy process if business disruption is to be minimized by imaging in situ. The time allowed to hold suspects without charge may also be a consideration. Once an image has been created, investigators often need to be able to show that it is an exact copy of the original data. In order to do this a hash value is calculated using a specific mathematical algorithm for both the original data and the image, and the two values are compared. In addition to disk images, data can be retrieved from the random access memory (RAM) of a computer while it is running. Such volatile data may include passwords entered by the user.
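The hash comparison described above, as an added example that is not code from the essay or from any forensic product. It hashes a constructed in-memory "device" and its image in fixed-size chunks, as an examiner would for a disk far too large to hold in RAM, and shows that both a single flipped bit and a truncated copy are detected. The function names, the byte pattern and the chunk size are this example's own choices.

```python
import hashlib
import io
from typing import BinaryIO

# Constructed "original device" contents for the example (not real evidence):
# 16 KiB of deterministic bytes.
ORIGINAL_DEVICE = bytes(range(256)) * 64

# Read in fixed-size chunks so a large image is never loaded into memory at once.
CHUNK_SIZE = 4096


def hash_stream(stream: BinaryIO, algorithms=("md5", "sha256")) -> dict:
    """Compute several digests over a stream in a single pass.

    Returns {"md5": hex, "sha256": hex, "bytes": total_length}. Recording two
    digests plus the length is common acquisition practice: a collision in
    one algorithm is not a collision in the other.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["bytes"] = total
    return result


def verify_image(original: BinaryIO, image: BinaryIO) -> dict:
    """Compare an acquired image against its source.

    The image is accepted as an exact copy only if the length and every
    digest agree. The returned report is what would go into the
    acquisition notes.
    """
    src = hash_stream(original)
    img = hash_stream(image)
    mismatches = [field for field in src if src[field] != img[field]]
    return {"match": not mismatches, "mismatched_fields": mismatches,
            "source": src, "image": img}


def demo():
    """Run the check over three constructed images: exact, bit-flipped, truncated."""
    good = verify_image(io.BytesIO(ORIGINAL_DEVICE), io.BytesIO(ORIGINAL_DEVICE))

    # A single bit flipped part-way through the copy (e.g. a bad sector read).
    corrupted = bytearray(ORIGINAL_DEVICE)
    corrupted[5000] ^= 0x01
    bad = verify_image(io.BytesIO(ORIGINAL_DEVICE), io.BytesIO(bytes(corrupted)))

    # A copy that stopped one byte early: caught by the length as well as the digests.
    short = verify_image(io.BytesIO(ORIGINAL_DEVICE), io.BytesIO(ORIGINAL_DEVICE[:-1]))
    return good, bad, short


if __name__ == "__main__":
    for label, report in zip(("exact copy", "bit flip", "truncated"), demo()):
        status = "match" if report["match"] else f"MISMATCH in {report['mismatched_fields']}"
        print(f"{label}: {status}")
```

In practice the source is read through a write blocker and the digests of the source are taken at acquisition time; later examinations re-hash only the image and compare with the recorded values.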
Legislation and Investigation
Digital evidence is collected within a legislative framework. Such frameworks struggle to keep up with rapidly changing technology. Problems are also encountered because of the multijurisdictional nature of much cybercrime; for example, if a U.S. resident posts images that infringe United Kingdom (UK) copyright on a Dutch-hosted server, it is difficult to determine where the offense has been committed. The use of legislation is also criticized for being inconsistent; for example, some copyright-infringing Web sites are targeted for prosecution while others are not.
However, others insist that more laws are required to protect individuals, e-commerce, and society. There is also a debate as to who should be providing the regulation; commonly regulation occurs via coregulation that is government regulation along with nongovernmental organizations such as the Internet Watch Foundation. There is also argument regarding how much of the responsibility for avoiding crime in the first place should be placed on individual users and how much should be the purview of organizations and law enforcement.
Digital investigations usually obtain evidence first by covert surveillance of a suspect, then from a communications service provider (CSP), and finally by using search and seizure powers. Law enforcement powers of surveillance and interception of private electronic communications vary by country; for example, in the United States they are governed predominantly by the Electronic Communications Privacy Act of 1986 (ECPA 1986) and in the UK by the Regulation of Investigatory Powers Act 2000 (RIPA). The ECPA 1986 has been criticized for being outdated, drafted as it was some years before the Internet became popular as a place of commerce. RIPA has been criticized as open to abuse by local government requesting surveillance for trivial offenses.
The Crime Scene
At a crime scene devices may be in either the on or off state, and procedural decisions need to be made depending on which situation is encountered. There may be evidential reasons to continue allowing the downloading of indecent images, but equally, investigators might decide to interrupt uploading of such images. In most jurisdictions, if machines are encountered in the off state they will be left off since switching them on may initiate processes aimed at destroying any evidence of nefarious activity. Other steps are also often taken: power cables are removed from the backs of computers, and batteries are removed from laptops to avoid machines waking from sleep.
Likewise, PDAs, smartphones, and mobile phones are all normally left switched off. If they are encountered while on, they should be placed on charge as soon as possible so that they do not power down and potentially require passcodes when powering back up. However, phones should be shielded from mobile networks and Wi-Fi (as should any Wi-Fi-enabled device such as a laptop) so that they remain as far as possible in their original state. Indeed, applications exist that allow a remote user to wipe devices, hence the need to isolate devices as soon as possible. Isolation of devices can be performed in a number of ways but often a phone is placed in a Faraday bag, which does not allow electromagnetic signals to enter. While in the bag, a shielded charging cable (if it is not shielded it may act as an antenna) or other device is used to keep the phone charged. The phone will then be taken to a dedicated Faraday room for analysis.
Digital Forensic Analysis
Normally, once evidential data is collected, a digital forensic analysis is performed (although in practice this overlaps with the acquisition stage). This analysis usually involves one or more software suites such as Guidance Software’s EnCase and AccessData’s Forensic Toolkit.
During an analysis an investigator will form hypotheses about the provenance of the data. Normally, for such hypotheses to be considered scientific they should be supported by reproducible experiments and be falsifiable. Dual-tool validation, the checking of results from one tool by a second, different tool, is often proposed as a good way to provide this. However, this is not beyond critique: it is possible that both tools could arrive at the same wrong result, either by coincidence or because both use the same wrong method. Even if both tools arrive at the same correct result, this is not scientific proof. The scientific approach is not to look repeatedly for confirmation of the hypothesis but to formulate ways in which it could be falsified and then to test for those. Despite its lack of scientific rigor, dual-tool verification does help to corroborate findings, but claims of absolute certainty are usually avoided. Strictly speaking, any results from such tools are probable rather than certain.
When tools provide different answers, corroboration is vital; an example of this arose during the trial of Casey Anthony, who was charged with the murder of Caylee Marie Anthony in Orlando, Florida. Casey Anthony’s Internet browsing history was introduced as evidence, and two Internet history tools produced different findings. Corroboration was performed by the developer of one of the tools through a manual analysis of the raw data.
This acceptance of dual-tool testing highlights the difference between what is deemed acceptable in legal and in scientific circles. Both accept the use of tools, but legal acceptance often derives from past case precedent, whereas scientific acceptance occurs by citing and carefully extending a previously established body of knowledge through hypothesis testing.
In the United States, the Daubert test (dating from the Supreme Court decision in the case of Daubert v. Merrell Dow Pharmaceuticals, 1993) is used by the judiciary to evaluate scientific evidence and expert testimony. The Daubert test requires that the theoretical basis underlying a particular technique must be accepted by the relevant scientific community. But the digital forensic community is still in its infancy, and its output tends not to be rigorously scientifically tested. The validity of forensic tools is often justified by fallacious arguments of the form “This forensic tool is used by law enforcement nationwide, so by common consent it is a valid and reliable tool.” This assertion assumes that because large numbers of people believe something to be true, it is therefore true. Indeed, it has been argued that the popularity of particular tools is not necessarily because they are valid, but because they have particular interfaces and support from their manufacturers. There are also many who choose software based on familiarity rather than efficacy.
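To make the difference between dual-tool corroboration and a falsifiable test concrete, here is an added example; it is not code from the essay, and it does not reproduce the behaviour of EnCase, Forensic Toolkit or the tools used in the Anthony trial. Two hypothetical parsers summarise a constructed, made-up history export in which one URL is recorded several times. `cross_check` does what dual-tool validation does, listing where the two tools disagree, while `validate_against_reference` does what a scientific test does: it compares each tool with ground truth established by reading the raw records by hand, so that a single wrong total falsifies the claim that the tool is correct for this kind of data. The file format, URLs and both tools' behaviours are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of a made-up browser-history export (not any real browser's
# format): one record per line, tab-separated fields
#   unix_time <TAB> url <TAB> visits_recorded_in_this_record
RAW_HISTORY = """\
1300000000\thttp://example.test/news\t1
1300000600\thttp://example.test/news\t2
1300001200\thttp://example.test/search?q=foo\t1
1300001800\thttp://example.test/news\t0
1300002400\thttp://other.test/page\t1
"""

# Ground truth for the constructed data, established independently by reading
# the raw lines by hand (the manual-analysis step). Tools are validated against
# this, not against each other.
REFERENCE = {
    "http://example.test/news": 3,
    "http://example.test/search?q=foo": 1,
    "http://other.test/page": 1,
}


def parse_records(raw: str):
    """Yield (timestamp, url, visits) for every non-empty line of the export."""
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, url, visits = line.split("\t")
        yield int(ts), url, int(visits)


def tool_a(raw: str) -> dict:
    """Hypothetical tool A: total visits per URL is the sum over all its records."""
    totals = defaultdict(int)
    for _, url, visits in parse_records(raw):
        totals[url] += visits
    return dict(totals)


def tool_b(raw: str) -> dict:
    """Hypothetical tool B: keeps only the largest single record per URL.

    This is the deliberately wrong behaviour in the example: it silently
    under-reports any URL whose visits are spread over several records.
    """
    totals = {}
    for _, url, visits in parse_records(raw):
        totals[url] = max(totals.get(url, 0), visits)
    return totals


def cross_check(result_a: dict, result_b: dict) -> list:
    """Dual-tool comparison: every URL on which the two tools disagree.

    Agreement is corroboration only; it does not show that either tool is right.
    """
    urls = set(result_a) | set(result_b)
    return sorted(u for u in urls if result_a.get(u) != result_b.get(u))


def validate_against_reference(result: dict, reference: dict) -> dict:
    """Known-answer test of one tool against independently established truth.

    Any failing URL falsifies the claim that the tool reports visit totals
    correctly for this kind of data; URLs the tool invents count as failures too.
    """
    failures = {u: (result.get(u), expected)
                for u, expected in reference.items() if result.get(u) != expected}
    unexpected = sorted(set(result) - set(reference))
    return {"passed": not failures and not unexpected,
            "failures": failures, "unexpected": unexpected}


def demo() -> dict:
    """Run both tools over the constructed export and report both kinds of check."""
    a, b = tool_a(RAW_HISTORY), tool_b(RAW_HISTORY)
    return {
        "disagreements": cross_check(a, b),
        "tool_a": validate_against_reference(a, REFERENCE),
        "tool_b": validate_against_reference(b, REFERENCE),
    }


if __name__ == "__main__":
    report = demo()
    print("URLs where the tools disagree:", report["disagreements"])
    print("tool A passes known-answer test:", report["tool_a"]["passed"])
    print("tool B passes known-answer test:", report["tool_b"]["passed"], report["tool_b"]["failures"])
```

Note what the cross-check alone would have told the examiner: only that the tools differ on one URL, not which is wrong. Had both tools used the "largest record" method, the cross-check would have reported full agreement and the wrong total would have gone unchallenged; only the reference test exposes it.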
Analysis of PCs
The logical analysis of digital evidence will depend on the requirements of the investigation, but often an analysis will involve a PC’s hard drive. Initially the operating system (OS)—for example, Microsoft Windows 8—is identified, as there are distinct differences between OSs. Most PCs run one form or another of the Microsoft Windows OS; therefore, that is what will be described here (although much of this will be similar for other OSs).
The Windows OS maintains information about the various actions performed on a PC. Windows contains a database known as the registry, which contains a wealth of configuration and other details. For example, it stores an event log, which allows investigators to identify who was apparently logged on to the machine at a particular time. Of course this example highlights one of the problems with digital evidence: it requires other authentication, because in this case it may be that a person logged on to the machine using someone else’s credentials.
Processes may leave behind temporary files, such as the list of files that have been recently accessed, and shortcuts to files, drives, and external media. Such files could be used as evidence when a user denies having accessed certain media or devices. Temporary files may also be created during software installation and may likewise help refute a suspect’s denials. Useful evidence may also be created by OS automatic processes (not as a direct result of user action), and such evidence may reside in locations other than user-created folders. One example of this is the “swap” file, a large text file that the OS writes to when RAM is running low. This file can be searched for potentially useful data such as file fragments.
As well as automatically generated data, users may deliberately hide data by altering it or placing it in a hidden location. A simple form of this is when a suspect changes the extension of an image file to “.doc” so that it appears to be a Word document. A file’s metadata may also be altered so that, for example, it appears to have been created by a different user. File time stamps are often used in evidence to show files were accessed at certain times, but they depend on machine or network clocks that may not be accurate and time stamps can also be altered using software.
Files that a user has deleted may be recoverable from a hard drive because Windows does not actually delete a file when requested to do so. Even after the recycle bin is emptied, files or fragments of them may still remain on a PC. (However, this is sometimes not the case for solid state drives, given the unusual way in which the drives “tidy up” data after it is no longer required.)
Internet activity may leave traces such as Web browsers’ history records, e-mail data, and temporary Internet files (such as graphics from a page visited by a user). Browser privacy modes may reduce the amount of data left by a user but are not infallible.
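An added example, not the essay's own code nor that of any forensic suite, of two of the techniques described in the preceding paragraphs: checking a file's content signature against the extension it was given (the image renamed to “.doc”), and carving JPEG data out of raw bytes by its start and end markers, which is how a deleted but not-yet-overwritten file, or a fragment of one, can be found in unallocated space or in a swap file without any help from the file system. The signature table is a small subset chosen for the example, the “disk” is a constructed byte string, and the function names are this example's own.

```python
# Leading bytes ("magic numbers") that identify a file type regardless of the
# name the user gave the file. Small subset, chosen for the example.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                              # also .docx/.xlsx containers
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "doc",        # legacy OLE2 Office documents
}

# Extensions under which each signature legitimately appears.
COMPATIBLE = {
    "jpg": {"jpg", "jpeg"},
    "png": {"png"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "doc": {"doc", "xls", "ppt", "msg"},
}


def identify(header: bytes):
    """Return the type implied by the first bytes of a file, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, data: bytes):
    """Return (detected_type, claimed_extension) when the content does not match
    the name's extension; None when it matches or the content type is unknown."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data[:16])
    if kind is None or ext in COMPATIBLE[kind]:
        return None
    return (kind, ext)


JPEG_SOI = b"\xFF\xD8\xFF"   # start-of-image marker (plus first byte of the next marker)
JPEG_EOI = b"\xFF\xD9"       # end-of-image marker


def carve_jpegs(raw: bytes, max_size: int = 10_000_000) -> list:
    """Header/trailer carving over raw bytes, ignoring file-system metadata.

    Each hit is {"offset", "status", "size", "data"}; "complete" when a trailer
    follows the header within max_size, "fragment" when only the head survives
    (the tail has been overwritten, as the essay notes can happen).
    """
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end != -1 and end - start <= max_size:
            data = raw[start:end + len(JPEG_EOI)]
            found.append({"offset": start, "status": "complete", "size": len(data), "data": data})
            pos = end + len(JPEG_EOI)
        else:
            data = raw[start:start + max_size]
            found.append({"offset": start, "status": "fragment", "size": len(data), "data": data})
            pos = start + len(JPEG_SOI)
    return found


def build_sample_image() -> bytes:
    """Construct a tiny 'unallocated space' blob for the example: zero filler, one
    complete (deleted) JPEG, some text, then a JPEG whose tail was overwritten."""
    complete = JPEG_SOI + b"\xE0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_EOI   # 53 bytes
    fragment = JPEG_SOI + b"\xE0\x00\x10JFIF\x00" + b"B" * 20               # no EOI
    return (b"\x00" * 64 + complete + b"\x00" * 32 + b"some text"
            + b"\x00" * 16 + fragment + b"\x00" * 8)


if __name__ == "__main__":
    disk = build_sample_image()
    for hit in carve_jpegs(disk):
        print(f"offset {hit['offset']}: {hit['status']} JPEG, {hit['size']} bytes")
    print("holiday.doc ->", extension_mismatch("holiday.doc", carve_jpegs(disk)[0]["data"]))
```

A real carver also validates the internal structure of what it finds (marker segments, lengths) because the two-byte trailer can occur by chance inside unrelated data, and it records the offset of every hit so the finding can be re-checked against the raw image later.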
Mobile Phones
Because of the large number of handsets and mobile OSs, digital forensics for mobile phones is very different from that for PCs. Phones also cannot be imaged in the same way as a PC hard drive. As with PCs, there are guidelines for investigators, such as the National Institute of Standards and Technology’s (NIST) guidelines Cell Phone Forensics. Many aspects of the investigation of mobile phones can be automated using commercial tools such as Paraben’s Device Seizure or Radiotactics’ XRY. However, due to the large number of handsets, sometimes these tools will not cover a particular device, and then investigators will have to document its contents manually. More technically adept investigators may also make use of the Joint Test Action Group (JTAG) interface to a phone’s memory structure, or use a “chip off” procedure, which involves removing chips from phones and reading them directly.