Basics of Computer Investigation and Forensics

  • Identify, specify, or describe computer and network ethical, legal, and privacy issues.

  • Describe the basic process of a computer crime investigation.

The term forensic is an adjective that relates to the use of scientific methods to solve crimes (or more broadly, to decide questions in civil or criminal litigation). Forensic medicine, forensic accounting, and so on thus describe the use of medical or accounting skills to provide evidence for a court case. Computer forensics refers to the use of investigative tools and procedures to collect, preserve, identify, and document evidence pertaining to a criminal offense (or civil lawsuit) that is stored in the form of electronic data.

Computer forensics specialists may also be hired by corporations to uncover evidence of espionage, embezzlement, or theft of trade secrets or by insurance companies to discover evidence of insurance fraud.

The goal of a computer forensics expert, then, is to discover, collect, preserve, and document evidence.

Types of Evidence

Evidence is something that can be used to prove the guilt or innocence of someone accused of a crime, or in a civil case, that can be used to prove or disprove the allegations of damages suffered by the party bringing the lawsuit. There are three basic types of evidence recognized by the courts.

Physical Evidence

Physical evidence is a tangible object that can be used as proof. Examples include a gun that was used to commit a murder, carpet fibers on a suspect's shoes that place him at the scene of the crime, or photographs showing the body at the scene of the crime.

Testimonial Evidence

Testimonial evidence (sometimes mislabelled “testamentary” evidence, a word that properly refers to wills) consists of the sworn testimony of a credible witness. It is direct evidence when the witness saw or heard the crime being committed, and circumstantial when the witness saw or heard something from which a material fact can be inferred (such as observing the suspect leaving the location of the crime immediately after hearing gunshots fired).

Physical evidence, to be admissible in court, usually must be supported by testimonial evidence (the police officer who found the gun testifies as to its discovery, the crime lab technician who analyzed the carpet fibers from the shoes testifies that they match those of the rug at the crime scene, or the crime scene photographer testifies that the pictures are a true representation of what he or she saw at the scene).

Intangible Evidence

Intangible evidence is evidentiary material that doesn't fit into one of the other two categories. Computer data is intangible because it is not a physical object, but is instead a pattern of magnetic, electrical, or optical states that represent a collection of 0s and 1s, which themselves represent words, numbers, pictures, or other data.

Intangible evidence can be represented by a physical object (such as a computer printout), but you must then prove that it is an accurate and complete representation of the intangible data. This may require the testimony of an expert witness (forensics specialist).

Digital evidence can include data stored on hard disks, removable disks (floppy, Zip, Jaz, CD, DVD), tape, memory cards (Compact Flash, SmartMedia, Memory Stick), as well as data stored in handheld organizers (PDAs), mobile phones, fax machines, printers, and any other digital media.

Dealing with Evidence

Because the burden of proof in a criminal case is on the state, and because the level of proof required to convict is so high (beyond a reasonable doubt), every piece of evidence may be crucial. Computer specialists and law enforcement officers must work together to build the case, respecting one another's areas of expertise.

Many cases have been lost because police investigators did not know how to obtain computerized evidence (for instance, police officers may not know that even if files on a hard disk have been deleted, the data may still be there if you know how to recover it). On the other hand, many cases have been lost because computer specialists did not know the laws pertaining to admissibility of evidence and, in the process of examining disks, altered them; the altered evidence was then ruled inadmissible in court.

Evidence Collection

The number one rule in examining a computer for evidence is that the integrity of the original media must be maintained. Never work on the original. Instead, make a bit-for-bit copy (a forensic image) of the media, verify that the copy matches the original (for example, by computing a cryptographic hash of each and comparing them), and do all examination on the copy.

A thorough investigation of a computer for evidence includes

  • Ensuring that during the investigation the computer is protected from damage and from any change to the data, introduction of new data, or virus infection (for example, by attaching the media through a write blocker before imaging it)

  • Examination of all files, including hidden files, password-protected files, encrypted files, swap files, temp files, and “deleted” files that still remain on the disk

  • Examination of any data stored in “unallocated” or other generally inaccessible areas of the disk

  • Examination of apparently innocent files for data hidden using steganography to conceal data inside other data

  • Documentation of every step of the examination, including the software or tools used and the persons involved

When a user “deletes” a file, the data on the disk is normally not erased. The same is true of a quick format: the entries in the tables that the operating system uses to find the files are removed, but the data itself remains until it has been overwritten by new data or destroyed deliberately (by degaussing a magnetic disk with a strong magnet, or by physically destroying the media). Two caveats apply: a full format that writes zeros across the whole disk does overwrite the data, and on solid-state drives the TRIM command may cause freed blocks to be erased soon after deletion, so such media should be imaged as early as possible.
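The two points above (work only on a verified copy of the original, and “deleted” data is still on the disk until overwritten) can be shown together on a constructed mini file system. The code below is an added illustration, not from the original text or any forensic tool: the disk layout (one directory sector of fixed 16-byte entries followed by data sectors), the sample files, and the function names are all assumptions made for the example. Deleting a file clears only its directory entry, and a quick format clears only the directory sector, so carving unallocated sectors on the working copy recovers the content; the SHA-256 of the original is taken before and after to show it was never touched.

```python
import hashlib

# Constructed mini file system (not a real on-disk format): one directory sector
# followed by data sectors. Small sectors keep the image readable.
SECTOR = 64
DIR_SECTOR = 0
ENTRY = 16  # directory entry: 8-byte name, 4-byte start sector, 4-byte length
EMPTY = bytes(ENTRY)


def write_file(image: bytearray, name: str, start: int, data: bytes) -> None:
    """Store data at `start` and record it in the first free directory entry."""
    image[start * SECTOR:start * SECTOR + len(data)] = data
    for off in range(0, SECTOR, ENTRY):
        if image[off:off + ENTRY] == EMPTY:
            image[off:off + ENTRY] = (name.encode().ljust(8, b"\0")
                                      + start.to_bytes(4, "big")
                                      + len(data).to_bytes(4, "big"))
            return
    raise RuntimeError("directory full")


def delete_file(image: bytearray, name: str) -> None:
    """What 'delete' does: clear the directory entry; the data sectors are untouched."""
    for off in range(0, SECTOR, ENTRY):
        if image[off:off + 8].rstrip(b"\0") == name.encode():
            image[off:off + ENTRY] = EMPTY
            return
    raise FileNotFoundError(name)


def quick_format(image: bytearray) -> None:
    """A quick format wipes the directory sector only; data sectors remain."""
    image[0:SECTOR] = bytes(SECTOR)


def directory(image: bytes) -> list:
    """(name, start, length) for every live entry: all a normal OS would show."""
    entries = []
    for off in range(0, SECTOR, ENTRY):
        e = image[off:off + ENTRY]
        if e != EMPTY:
            entries.append((e[:8].rstrip(b"\0").decode(),
                            int.from_bytes(e[8:12], "big"),
                            int.from_bytes(e[12:16], "big")))
    return entries


def unallocated_sectors(image: bytes) -> list:
    """Sectors not claimed by the directory or any live file."""
    used = {DIR_SECTOR}
    for _, start, length in directory(image):
        used.update(range(start, start + (length + SECTOR - 1) // SECTOR))
    return [s for s in range(len(image) // SECTOR) if s not in used]


def carve(image: bytes, keyword: bytes) -> list:
    """Scan unallocated space for a keyword; return (sector, content) hits."""
    hits = []
    for s in unallocated_sectors(image):
        chunk = image[s * SECTOR:(s + 1) * SECTOR]
        if keyword in chunk:
            hits.append((s, bytes(chunk).rstrip(b"\0")))
    return hits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def investigate(original: bytes, keyword: bytes) -> dict:
    """Hash the original, work only on a copy, carve, then re-verify the original."""
    before = sha256(original)
    working = bytearray(original)          # bit-for-bit working copy
    visible = [name for name, _, _ in directory(working)]
    recovered = carve(working, keyword)
    after = sha256(original)               # must still equal `before`
    return {"hash_before": before, "hash_after": after,
            "original_unchanged": before == after,
            "visible_files": visible, "recovered": recovered}


def build_suspect_image() -> bytes:
    """Constructed sample: the suspect wrote two files and deleted the incriminating one."""
    image = bytearray(SECTOR * 8)
    write_file(image, "notes", 1, b"grocery list: milk, eggs")
    write_file(image, "ledger", 2, b"wire 40000 to offshore acct 7731")
    delete_file(image, "ledger")           # entry cleared, sector 2 still holds the data
    return bytes(image)


if __name__ == "__main__":
    result = investigate(build_suspect_image(), b"offshore")
    print("visible files:", result["visible_files"])             # ['notes']
    print("carved from unallocated space:", result["recovered"])
    print("original untouched:", result["original_unchanged"])    # True
```

Passing the original as an immutable `bytes` object is deliberate: every function that writes takes a `bytearray`, so the working copy is the only thing that can change, and the before/after hash in `investigate` is the record you would keep to show that it did.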

NOTE

Offsite Evidence: Investigators should always consider the possibility that electronic evidence may have been stored offsite. If there is a removable storage device (floppy, Zip or Jaz drive, tape drive, CD or DVD burner), important evidence may have been written to removable media. If there is a modem or DSL/cable Internet connection, evidentiary data may have been uploaded to a server at another location.


There are a number of “undelete” utilities and data recovery services that can be used to recover supposedly erased data.

Backup tapes or disks may contain copies of evidence that was thought to have been destroyed.

Email and other data sent over the Internet passes through an Internet service provider (ISP) and copies may still exist on the ISP server(s) of either the sender or recipient, or both. Copies of internal email may be found on the company's mail server.

Chain of Custody

EXAM TIP

Chain of Custody: All transfers of evidence from one person to another should be documented in a custody log, showing the date/time and reason for transfer, and the signatures of the person relinquishing custody and the person taking possession of the evidence.


Evidence generally passes through many hands between the time it is collected by investigators and the time it is presented in court. Because of the possibility of its being changed by someone who handles it, the court requires that a chain of custody be maintained. This is a way of proving where the evidence was and who handled it.

Computerized evidence may be transferred in the form of the entire computer system or media on which the data is stored.
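A custody log is only useful if someone actually checks it. The following added example (not from the original text or any evidence-management product) models the log described above and verifies the properties a court will ask about: that each hand-over starts from the person who last took possession, that the entries are in time order, that both parties signed, and, going one step beyond the text, that a hash of the digital item recorded at every hand-over never changes. The people, dates, disk image, and the `/s/` signature placeholders are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Transfer:
    """One line of the custody log."""
    when: datetime
    from_person: str
    to_person: str
    reason: str
    evidence_sha256: str      # hash of the item as handed over
    released_by_sig: str      # placeholder for the relinquishing party's signature
    received_by_sig: str      # placeholder for the receiving party's signature


def evidence_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_transfer(log: list, when: datetime, from_person: str, to_person: str,
                    reason: str, evidence: bytes) -> None:
    """Both parties hash the item at hand-over and sign; the hash goes in the log."""
    log.append(Transfer(when, from_person, to_person, reason, evidence_hash(evidence),
                        released_by_sig=f"/s/ {from_person}",
                        received_by_sig=f"/s/ {to_person}"))


def verify_chain(log: list, collector: str, expected_sha256: str) -> list:
    """Return every defect that would let opposing counsel attack the chain."""
    problems = []
    holder, last_time = collector, None
    for i, t in enumerate(log):
        if t.from_person != holder:
            problems.append(f"entry {i}: gap in custody ({holder} held it, "
                            f"but {t.from_person} transferred it)")
        if last_time is not None and t.when < last_time:
            problems.append(f"entry {i}: out-of-order timestamp")
        if t.evidence_sha256 != expected_sha256:
            problems.append(f"entry {i}: hash changed while {t.from_person} held it")
        if not (t.released_by_sig and t.received_by_sig):
            problems.append(f"entry {i}: missing signature")
        holder, last_time = t.to_person, t.when
    return problems


# Constructed example data (not from any real case).
DISK_IMAGE = b"\x00" * 4096 + b"constructed forensic image contents" + b"\x00" * 4096
BASE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def good_log() -> list:
    log = []
    record_transfer(log, BASE, "Officer Lee", "Examiner Cruz",
                    "imaging and analysis", DISK_IMAGE)
    record_transfer(log, BASE + timedelta(days=2), "Examiner Cruz", "Clerk Patel",
                    "return to evidence locker", DISK_IMAGE)
    record_transfer(log, BASE + timedelta(days=30), "Clerk Patel", "ADA Romero",
                    "produce at trial", DISK_IMAGE)
    return log


def bad_log() -> list:
    """The examiner mounted the image read-write, and one hand-over was never logged."""
    altered = DISK_IMAGE[:4096] + b"x" + DISK_IMAGE[4097:]   # same length, one byte changed
    log = []
    record_transfer(log, BASE, "Officer Lee", "Examiner Cruz",
                    "imaging and analysis", DISK_IMAGE)
    record_transfer(log, BASE + timedelta(days=2), "Examiner Cruz", "Clerk Patel",
                    "return to evidence locker", altered)
    # The Clerk Patel -> ADA Romero hand-over was never written down.
    record_transfer(log, BASE + timedelta(days=31), "ADA Romero", "Court Clerk",
                    "entered as exhibit", altered)
    return log


if __name__ == "__main__":
    h = evidence_hash(DISK_IMAGE)
    print("good log:", verify_chain(good_log(), "Officer Lee", h) or "no problems")
    for p in verify_chain(bad_log(), "Officer Lee", h):
        print("bad log:", p)
```

The hash recorded at each transfer is what turns a paper log into something checkable: the receiving party can recompute it on the spot, and the verifier can later pin any change to the person who held the item at the time.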

Preservation of Evidence

The original evidence must be preserved with no changes. This is especially important for computer crimes investigators to understand because it is so easy to change electronic data just by accessing it. Simply using the system can destroy the existing evidence stored on it: booting it, opening files, or even listing a directory can update timestamps, write to swap and temporary files, and overwrite unallocated space where deleted data still resides.

Evidence Admissibility

To be used in a trial to prove the case of one side or the other, evidence must be deemed admissible by the judge. The judge rules on admissibility based on the rules of evidence under which the court operates (which may differ somewhat, depending on the jurisdiction; that is, there are federal rules of evidence, state rules of evidence, and so on).

Rules of Evidence

Rules of evidence generally require that evidence be relevant (that is, that it pertain directly to the case in question) and that it be material (that is, that it prove or disprove some fact that is at issue in the case). The rules also govern competency of witnesses, qualifications of expert witnesses (who are allowed to give opinions, unlike other witnesses who may only testify as to facts), hearsay (third-party evidence), requirements for physical evidence (such as whether and when a duplicate of a writing, recording, or photograph can be admitted in place of the original), and how the evidence was obtained.

“Fruits of the Poisonous Tree”

The exclusionary rule holds that evidence obtained illegally is not admissible in court, and the “Fruits of the Poisonous Tree” doctrine extends this to evidence derived from the illegal act. This means that even though the evidence itself shows incontrovertible proof of guilt, if it was obtained in violation of the suspect's Fourth Amendment rights (protection against unreasonable search and seizure), it won't be considered at trial.

Generally, this means that to conduct a search of a computer, you must have one of the following:

  • A search warrant signed by a magistrate and based on an affidavit providing probable cause

  • The consent of the owner of the computer or data (it is best to get this in writing, and it must not be obtained by duress or fraud)

  • Exigent circumstances (emergency circumstances, such as proof that the evidence was about to be destroyed)

It is essential that law enforcement agencies have the proper authority before seizing computers or digital media that may provide evidence, or the case can be lost because the evidence was ruled inadmissible. It is always best to have a search warrant because this provides an impartial judicial determination that probable cause for the search/seizure exists.

Applicable Case and Statutory Law

Rule 41(b)(3) of the U.S. Federal Rules of Criminal Procedure (renumbered as Rule 41(c) when the rules were restyled in 2002) authorizes warrants to seize the instrumentalities of crime; that is, “property designed or intended for use or which is or has been used as a means of committing a criminal offense.” Most states have similarly worded provisions in their codes of criminal procedure.

The U.S. Supreme Court, in Warden v. Hayden, 387 U.S. 294 (1967), held that “mere evidence,” as well as the instrumentalities of crime, fruits of a crime (such as stolen property), and contraband (items that it is illegal to possess), could be seized. The Federal Rule was subsequently amended to authorize seizing “mere evidence.” Thus, it is less important to distinguish whether the computer and its data constitute an instrumentality of the crime or merely provide evidence of it.

REVIEW BREAK

  • The goal of an investigation is to discover, collect, and preserve evidence that will be presented in court at a criminal trial or civil hearing. Evidence includes anything that provides proof of the claims of one of the parties in a court action.

  • Evidence can be physical (tangible objects), testimonial (statements given by witnesses), or intangible (including digital evidence). The nature of the evidence determines how it is collected, how it is preserved, and how it is presented in court.

  • To be admissible in court, evidence must comply with legal requirements that are codified in most jurisdictions as the Rules of Evidence. Evidence obtained illegally (such as in violation of the constitutional rights of the accused) or for which a chain of custody has not been maintained may be deemed inadmissible, in which case it cannot be presented or considered at trial.

