Digital Evidence and Computer Crime, Second Edition
9.8 Summary
This chapter presents concepts from forensic science and computer science that can be used to process and analyze digital evidence stored on a computer. The forensic science concepts described in this chapter apply to any investigation and are applied to specific operating systems and computer networks in later chapters. Although this chapter focuses on information, it also offers suggestions for dealing with hardware as contraband, fruits of crime, instrumentality, and evidence.
Computer technology evolves rapidly, but its fundamental components and operations are relatively static. At power-on the central processing unit begins executing the basic input/output system (BIOS) firmware, which performs a power-on self test and then loads an operating system from disk. The process of collecting, documenting, and preserving evidence is equally stable, which makes it possible to develop standard operating procedures (SOPs) that guard against gross mistakes.
CASE EXAMPLE
A system administrator of a large organization was the key suspect in a homicide. The suspect claimed that he was at work at the time, so the police asked his employer to help them verify his alibi. Coincidentally, this organization occasionally trains law enforcement personnel to investigate computer crimes and was eager to help. The organization worked with police to assemble an investigative team that seized the employee's computers, both from his home and his office, as well as backup tapes of a server the employee administered. All of the evidence was placed in a room to which only members of the team had access. These initial stages were reasonably well documented, but the reconstruction process was a disaster. The investigators made so many omissions and mistakes that one computer expert, after reading the investigators' logs, suggested that the fundamental mistake was that the investigators had locked all of the smart people out of the room. The investigators in this case were either unaware of their lack of knowledge or unwilling to admit it.
This case demonstrates how critical it is for digital investigators to realize their limitations and seek help when necessary. As a result of the investigators' omissions and mistakes, the suspect's alibi could not be corroborated. Digital evidence to support the suspect's alibi was found later but not by the investigators. If the investigators had sought expert assistance to deal with the large amount of digital evidence they might have quickly confirmed the suspect's alibi rather than putting him through years of investigation and leaving the murderer to go free.
Given the variety of systems and situations, it is difficult to create procedures that anticipate all eventualities. Additionally, writing down exactly how something should be done limits the individual's ability to make intelligent decisions and gives attorneys opportunity to criticize such intelligent decisions because they were not part of a SOP. Therefore, an SOP should contain general descriptions of important steps and should be used as a memory aid rather than a rigid guide.
Digital investigators must be capable of going beyond procedures, applying the concepts presented in this chapter to new situations. Comparing items to discern class characteristics or to determine where they originated is a fundamental task in forensic analysis. On their own, class characteristics may not be particularly illuminating, but in combination they can help direct an investigation, eliminate suspects, or break a working theory. Evaluation of source often requires extensive searching of the surroundings, examination of similar objects, and comparative research. Evaluating the source of digital evidence is particularly important when trying to prove that an individual manufactured child pornography, created a computer virus, or stole a piece of intellectual property. In the case of child pornography, class characteristics can indicate that one image was created on the defendant's digital camera while another image was a photograph that was digitized using his neighbor's flatbed scanner.
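The camera-versus-scanner distinction above is typically made from class characteristics embedded in the image file itself, such as the Make, Model and Software tags in a JPEG's Exif metadata. The following is an added example, not code from the book: a small Exif/TIFF reader that walks JPEG segments to IFD0, extracts those tags, and compares them against reference characteristics recorded for candidate devices. The device names, tag values and sample images are constructed for the example (the builder exists only to fabricate test input offline). A match is a class characteristic, not an individual one: Exif tags are trivially edited, so an apparent match narrows the field and must be corroborated by surrounding evidence, as the summary says.

```python
import struct

# TIFF/Exif tags that carry source-device class characteristics (TIFF 6.0 / Exif 2.x).
TAG_MAKE, TAG_MODEL, TAG_SOFTWARE = 0x010F, 0x0110, 0x0131
TAG_NAMES = {TAG_MAKE: "Make", TAG_MODEL: "Model", TAG_SOFTWARE: "Software"}
ASCII = 2  # TIFF field type 2: NUL-terminated 8-bit ASCII


def build_exif_jpeg(fields, big_endian=False):
    """Fabricate a minimal JPEG (SOI + APP1 Exif + EOI) carrying the given ASCII tags.
    Constructed test input only; real examinations read the file from the evidence image."""
    bo = ">" if big_endian else "<"
    entries = sorted(fields.items())
    ifd_start = 8                                # IFD0 immediately follows the 8-byte TIFF header
    ifd_len = 2 + 12 * len(entries) + 4          # count + entries + next-IFD pointer
    data_off = ifd_start + ifd_len               # out-of-line values start here
    ifd = struct.pack(bo + "H", len(entries))
    blob = b""
    for tag, text in entries:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                      # short values are stored inline in the entry
            ifd += struct.pack(bo + "HHI", tag, ASCII, len(value)) + value.ljust(4, b"\x00")
        else:                                    # longer values are referenced by TIFF-relative offset
            ifd += struct.pack(bo + "HHII", tag, ASCII, len(value), data_off + len(blob))
            blob += value
    ifd += struct.pack(bo + "I", 0)              # no next IFD
    tiff = (b"MM" if big_endian else b"II") + struct.pack(bo + "HI", 42, ifd_start) + ifd + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk JPEG marker segments to the APP1 Exif block and return its IFD0 tags of interest."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):               # EOI or start-of-scan: no further metadata segments
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload[:6] == b"Exif\x00\x00":
            return _parse_tiff(payload[6:])
        pos += 2 + seg_len
    return {}


def _parse_tiff(tiff):
    order = tiff[:2]
    if order == b"II":
        bo = "<"
    elif order == b"MM":
        bo = ">"
    else:
        raise ValueError("bad TIFF byte-order mark %r" % order)
    magic, ifd_off = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(bo + "H", tiff[ifd_off:ifd_off + 2])[0]
    found = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, ftype, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        if tag not in TAG_NAMES or ftype != ASCII:
            continue
        if n <= 4:
            raw = tiff[e + 8:e + 12]             # inline value
        else:
            off = struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]              # offset relative to the TIFF header
        found[TAG_NAMES[tag]] = raw[:n].split(b"\x00", 1)[0].decode("ascii", "replace")
    return found


# Reference class characteristics for the two candidate source devices (constructed names/values).
DEVICES = {
    "defendant's camera": {"Make": "ExampleCam", "Model": "EC-200"},
    "neighbor's scanner": {"Software": "ExampleScan 3.1"},
}


def match_source(tags):
    """Return every reference device whose known characteristics all appear in the image's tags."""
    return sorted(name for name, sig in DEVICES.items()
                  if all(tags.get(k) == v for k, v in sig.items()))


# Constructed sample images: one camera-tagged (little-endian TIFF), one scanner-tagged (big-endian).
CAMERA_IMAGE = build_exif_jpeg({TAG_MAKE: "ExampleCam", TAG_MODEL: "EC-200"})
SCANNER_IMAGE = build_exif_jpeg({TAG_SOFTWARE: "ExampleScan 3.1"}, big_endian=True)

if __name__ == "__main__":
    for label, img in (("image A", CAMERA_IMAGE), ("image B", SCANNER_IMAGE)):
        tags = parse_exif(img)
        print(label, tags, "->", match_source(tags) or ["no reference match"])
```

The reader handles both TIFF byte orders and both inline and out-of-line tag values, which is where hand-rolled Exif tools usually break; an image with no matching reference device is reported as such rather than forced onto the nearest candidate.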
Performing temporal, functional, and relational analyses of digital evidence is necessary to recreate a complete picture of a crime. Combining the results of such analyses into a full investigative reconstruction can help investigators understand the crime and the offender, as detailed in Chapter 5. As the final stage, reporting is one of the most important activities and should be given the time and attention it deserves. Without a clearly written report, decision makers struggle to understand the results of a digital evidence examination, which impairs their ability to reach a verdict based on the truth.
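Temporal analysis, the first of the three analyses named above, is where the alibi in the case example would have been tested: events from several systems must be placed on one timeline before anyone can say whether the suspect was at his desk. The following is an added example, not code from the book, showing the two corrections that examinations most often get wrong: timestamps recorded in local time with no zone information, and a system clock that was found to be running fast. All sources, zone offsets, skews and log records are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class Event(NamedTuple):
    when: datetime      # normalised to UTC with clock skew removed
    source: str
    what: str


# Hypothetical per-source clock facts established during the examination:
# the zone a source recorded in (None = the timestamp carries its own offset) and
# how far its clock was found to be AHEAD of a trusted reference (subtracted below).
CLOCKS = {
    "proxy":       {"zone": timezone.utc,                  "skew": timedelta(0)},
    "workstation": {"zone": timezone(timedelta(hours=-5)), "skew": timedelta(minutes=5)},  # FAT: local time, 5 min fast
    "mailserver":  {"zone": None,                          "skew": timedelta(0)},
}


def normalise(source, raw, what):
    """Parse a source's native ISO-8601 timestamp and return a UTC Event, undoing known clock skew."""
    clock = CLOCKS[source]
    ts = datetime.fromisoformat(raw)
    if ts.tzinfo is None:
        if clock["zone"] is None:
            raise ValueError(f"{source}: {raw!r} has no zone and none is recorded for the source")
        ts = ts.replace(tzinfo=clock["zone"])   # zone-less local time: attach the device's zone
    return Event(ts.astimezone(timezone.utc) - clock["skew"], source, what)


def build_timeline(records):
    """Merge (source, raw_timestamp, description) records from all sources into one UTC timeline."""
    return sorted(normalise(*r) for r in records)


def events_between(timeline, start, end, source=None):
    """Events in [start, end] (aware UTC datetimes), optionally restricted to one source."""
    return [e for e in timeline
            if start <= e.when <= end and (source is None or e.source == source)]


# Constructed sample records, each in its source's native format.
RECORDS = [
    ("proxy",       "2001-03-14T02:05:11+00:00", "GET intranet home page from suspect's workstation"),
    ("workstation", "2001-03-13T21:10:00",       "report.doc last-modified (FAT, local time)"),
    ("mailserver",  "2001-03-13T20:58:30-05:00", "message sent from suspect's account"),
    ("proxy",       "2001-03-14T03:40:02+00:00", "workstation proxy session idle timeout"),
]

TIMELINE = build_timeline(RECORDS)

if __name__ == "__main__":
    for e in TIMELINE:
        print(e.when.isoformat(), e.source.ljust(12), e.what)
    window = (datetime(2001, 3, 14, 2, 0, tzinfo=timezone.utc),
              datetime(2001, 3, 14, 2, 15, tzinfo=timezone.utc))
    print("workstation activity in alibi window:",
          [e.what for e in events_between(TIMELINE, *window, source="workstation")])
```

Note that the workstation's 21:10 local file time lands at 02:05:00 UTC, eleven seconds before the proxy entry, only after both the zone and the five-minute skew are applied; taken at face value the two records would appear more than five hours apart. Clock facts like those in CLOCKS should be measured and documented during acquisition, since they cannot be recovered from the timestamps themselves.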