Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists:
- Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found, including: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
- Civil litigations can readily make use of personal and business records found on computer systems that bear on: fraud, divorce, discrimination, and harassment cases.
- Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman’s compensation cases.
- Corporations often hire computer forensics specialists to ascertain evidence relating to: sexual harassment, embezzlement, and theft or misappropriation of trade secrets and other internal/confidential information.
- Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
- Individuals sometimes hire computer forensics specialists in support of possible claims of: wrongful termination, sexual harassment, or age discrimination.
But there are concerns and problems with computer forensic evidence. So, let’s examine some of those problems.
Problems of Computer Forensic Evidence
Computer evidence is like any other evidence; it must be:
- Authentic
- Accurate
- Complete
- Convincing to juries
- In conformity with common law and legislative rules (admissible)[vi]
However, there are also special problems:
- Computer data changes moment by moment.
- Computer data is invisible to the human eye; it can only be viewed indirectly after appropriate procedures.
- The process of collecting computer data may change it—in significant ways. The processes of opening a file or printing it out are not always neutral.
- Computer and telecommunications technologies are always changing so that forensic processes can seldom be fixed for very long.[vii]
Forensic Technician
Contrary to what is often thought, in many cases it is possible to produce reliable computer-derived evidence without recourse to specialist tools. The general principles are:
- The scene of crime has to be frozen; that is, the evidence has to be collected as early as possible and without any contamination.
- There must be continuity of evidence, sometimes known as chain of custody; that is, it must be possible to account for all that has happened to the exhibit between its original collection and its appearance in court, preferably unaltered.
- All procedures used in examination should be auditable, that is, a suitably qualified independent expert appointed by the other side in a case should be able to track all the investigations carried out by the prosecution’s experts.[viii]
Good results can be obtained by using the standard disk repair, network testing, and other utilities; however, very full records need to be kept. But for some purposes these may not be enough, for example, where it is hoped to recover previously deleted material or where a logic bomb or virus is suspected. In these circumstances, specialist tools are needed. However, special training is also required. The tools themselves don’t address all of the problems of producing evidence that will stand up in court. Thus, the key features of the forensic technician are:
- Careful methodology of approach, including record keeping
- A sound knowledge of computing, particularly in any specialist areas claimed
- A sound knowledge of the law of evidence
- A sound knowledge of legal procedures
- Access to and skill in the use of appropriate utilities[ix]
Legal Tests
The actual rules vary from legislation to legislation, but one can give a broad outline of what happens in those countries with a common law tradition—the UK, USA, and the so-called old Commonwealth. The law makes distinctions between real evidence, testimonial evidence, and hearsay. Real evidence is that which comes from an inanimate object that can be examined by the court. Testimonial evidence is that which a live witness has seen and upon which he or she can be cross-examined.
The hearsay rule operates to exclude assertions made other than those made by the witness who is testifying as evidence of the truth of what is being asserted. The pure hearsay rule is extremely restrictive and has been extensively modified by various statutory provisions. Thus, there are rules about the proving of documents and business books. Bankers’ books have separate legislation. Some of the rules apply explicitly to computers, but many do not, although they can be (and have been) interpreted to cover many situations in which computers are involved.
For example, in the UK there have been situations where legal rules presumably designed to help the court may, in fact, hinder it. In practice, these issues may be circumvented. For instance, in a criminal case, evidence may be obtained by inadmissible methods. This evidence, however, then points investigators to admissible sources of evidence for the same sets of circumstances. An example of this could occur during a fraud investigation. In other words, computer search methods are often used to identify allegedly fraudulent transactions, but the evidential items eventually presented in court are paper-based invoices, contract notes, dockets, or whatever. In this manner, the prosecution can demonstrate to the jury the deception or breach of the Companies Act or other specific fraudulent act. Again, in civil litigation the parties may decide to jointly accept computer-based evidence (or not to challenge it) and instead concentrate on the more substantive elements in the dispute. A defendant may prefer to have a substantive defense rather than a technical one based on inadmissibility. Or, again, the legal team may not feel sufficiently competent to embark on a technical challenge.
In the United States, many practical problems exist around the actual seizure of computers containing evidence. Law enforcement officers must comply with the Fourth Amendment to the U.S. Constitution.
Subject Matter of Computer Forensics
The subject matter of computer forensics can, thus, not afford solely to concern itself with procedures and methods of handling computers, the hardware from which they are made up and the files they contain. The ultimate aim of forensic investigation is use in legal proceedings. At the same time, an obsession with common law and judicial rules is likely to inhibit many investigations. It might be a mistake for inquiries not to be commenced simply because of fear of possible inadmissibility. Furthermore, as we have already seen, a number of computer-investigatory methods may turn out not to be directly admissible, but may nevertheless be useful in locating noncomputer evidence that is admissible.
One may have to take a somewhat pragmatic view of the precise bounds of the subject matter, but it should still be possible to define its core activities. It might help to explore the way in which forensic science, in general, has developed and then see what expectations one might reasonably have of computer forensics.
Although forensic science had been established long before then, and indeed forms a central feature of many of Conan Doyle’s Sherlock Holmes stories published from 1892 onwards, up until the 1970s each forensic scientist tended to develop his or her own methods and present them ad hoc to juries. Obviously, reliance was placed on descriptions of methods used by others, but for courts, the tests of whether to believe the forensic evidence were the manner of presentation—the supposed eminence of the forensic scientist and the skill of the opposition lawyer (and/or rival expert) who might be called. During the 1970s, a more formal checklist-based approach was introduced. This was partly to bring about standardization as between different laboratories and partly in response to the criticism (in the UK) that arose over such controversial cases as the Birmingham Six. In the UK Home Office Forensic Service, these checklists would be devised by senior staff. Obviously, such checklists are revised in the light of experience—the publication of new specialist research or adverse experience during a trial. An increasing feature of modern practice is quality control, which involves work being checked by an otherwise uninvolved coworker before being offered to external scrutiny. In any event, the broad tests for evidence include:
- Authenticity: Does the material come from where it purports?
- Reliability: Can the substance of the story the material tells be believed, and is it consistent? In the case of computer-derived material, are there reasons for doubting the correct working of the computer?
- Completeness: Is the story that the material purports to tell complete? Are there other stories that the material also tells that might have a bearing on the legal dispute or hearing?
- Freedom from interference and contamination: Are the levels of interference and contamination introduced by the forensic investigation and other post-event handling acceptable?[x]
Any approach to computer forensics would, thus, need to include the elements of:
- Well-defined procedures to address the various tasks
- An anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation
- The possibility for repeat tests to be carried out, if necessary, by experts hired by the other side
- Checklists to support each methodology
- An anticipation of any problems in formal legal tests of admissibility
- The acceptance that any methods now described would almost certainly be subject to later modification[xi]
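The chain-of-custody and auditability principles from the Forensic Technician section, and the authenticity, completeness and contamination tests listed above, can be made concrete as a record that an opposing expert can re-check. The following is an added example written for this edition, not code from the book or from any named tool; it assumes the exhibit is a disk image held as bytes and that handling records are kept in memory, and all names (CustodyLog, CustodyEvent, the handler labels) are constructed for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
@dataclass
class CustodyEvent:
    when: str
    handler: str
    action: str
    exhibit_hash: str     # hash of the exhibit as it stood at this handling step
    prev_event_hash: str  # links this entry to the one before it
    event_hash: str = ""  # hash of this entry, computed with event_hash blank

def entry_hash(ev: CustodyEvent) -> str:
    body = asdict(ev)
    body["event_hash"] = ""
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    """Append-only chain of custody for one exhibit (a disk image held as bytes)."""
    def __init__(self, handler: str, image: bytes):
        self.acquisition_hash = sha256_hex(image)  # fixed when the scene is frozen
        self.events: list[CustodyEvent] = []
        self.record(handler, "acquired image", image)

    def record(self, handler: str, action: str, image_now: bytes) -> CustodyEvent:
        prev = self.events[-1].event_hash if self.events else "genesis"
        ev = CustodyEvent(datetime.now(timezone.utc).isoformat(), handler, action,
                          sha256_hex(image_now), prev)
        ev.event_hash = entry_hash(ev)
        self.events.append(ev)
        return ev

    def audit(self, image_now: bytes) -> list[str]:
        """The check an independent expert runs; returns findings, empty if clean."""
        findings, prev = [], "genesis"
        for i, ev in enumerate(self.events):
            if ev.prev_event_hash != prev:
                findings.append(f"event {i}: chain broken (entry inserted or removed)")
            if entry_hash(ev) != ev.event_hash:
                findings.append(f"event {i}: entry altered after it was written")
            if ev.exhibit_hash != self.acquisition_hash:
                findings.append(f"event {i}: exhibit changed during '{ev.action}'")
            prev = ev.event_hash
        if sha256_hex(image_now) != self.acquisition_hash:
            findings.append("exhibit presented for audit differs from the acquired image")
        return findings
```

Each finding maps to one of the tests above: a changed exhibit hash is a contamination or authenticity failure, a broken link or altered entry is a completeness failure in the custody record itself.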
Divergences from Conventional Forensic Investigation
There will be divergences from the expectations of more traditional areas of forensic investigation. The main reason is the rate of change of computer technology. The devisor of a test for the presence of a prohibited drug, an explosive, fabric fibers, bodily tissues, and the like, can expect that over a period of time, the test may be improved or shown to be defective. But the actual need for the test and most of its essential detail will probably not change. In computers, by contrast, newness and obsolescence are the norm.
For example, a key feature of computer forensics is the examination of data media: New forms and techniques of methods of data storage occur at intervals of less than 5 years (the floppy disk of 10 years ago was in 5.25 in format and held 360k). The current equivalent is 3.5 inches and holds 1.44 MB; and much higher densities are expected soon. A typical hard-disk size on a PC of the same date was 20–30 MB, was in 5.25 inch form and used modified frequency modulation (MFM) controller technology. Today most PCs have hard-disks in excess of 350 MB in 3.5 inch or even 2.5 inch form using integrated development environment (IDE) or run length limited (RLL) technology. On minis and mainframes, data may be held on Redundant Array of Independent (or Inexpensive) Disks (RAID), where individual files may be split and spread over 8 or more separate disk surfaces. Similar changes have taken place in tape technology and the use of erasable programmable read-only memory (EPROMs).
Computer architectures have shown profound change in the same short period. PCs have become much more powerful, the large central mainframe is now a rarity and large companies are now served by a multiplicity of smaller computers that all interact via a complex network.
Computer peripherals keep changing as well. Modems and network routers have become intelligent, and digitizing scanners are fairly common devices. They can be subverted, for example, for forgery.
Wide-area telecoms methods are being used more and more. There are opportunities for both high-tech criminals and forensic investigators. The protocols they use also keep changing.
The foregoing simply lists technological changes. Similar changes have taken place in computer applications; these, in turn, have affected the type of information one might expect to find held on a computer. For example, over the same 10 years, the following changes have taken place:
- The growth of e-mail, both locally within a large organization and worldwide
- The growth of client/server applications
- The software outcome of the more complex hardware architectures
  - The client/server situation (software on)
  - A PC or small local machine interacts with software and data held on other nonlocal machines and large mainframes, in a way that appears to be seamless to the user. One key effect of this is that a computer document often does not exist in some computer equivalent of a filing cabinet; but, rather, is assembled on demand by the activity of one computer drawing information from many others.
  - The evidence of a transaction or event may, therefore, only be provable by the presentation of all the records from all the computers involved, plus an explanation of how the assembly of the report relied on took place.
- The greater use of EDIs and other forms of computer-based orders, bills of lading, payment authorizations, etc. EDIs have very complex structures, with some evidence being held in computers owned by the counter-parties and some by the EDI supplier/regulator.
- Computer graphics: computer-aided design (CAD) methods, particularly those that provide an element of autocompletion or filling-in of basic design ideas
- More extended, easier-to-use databases
- The greater use of computer-controlled procedures (sales, dispatch and emergency services, computer-controlled processes, traffic control, and manufacturing)
- The methods of writing and developing software have also changed. There is much greater use of libraries of procedures and of new computer language models, for example, object-oriented programming environments, along with new, more formal methods of program development; standards and methods of testing have also changed.[xii]
As a result, computer forensic methods may not have the time in which to establish themselves, nor the longevity, that more traditional chemistry and physics-based forensics enjoys. Nevertheless, the usual way in which specific forensic methods become accepted is via publication in a specialist academic journal. For example, a forensic scientist seeking to justify a methodology in court can do so by stating that it is based on a specific published method, which had not up to the point of the hearing been criticized.
Note: The rule of best practice refers to the use of best practice available and known at the time of the giving of evidence.
[vi] Peter Sommer, “Computer Forensics: An Introduction,” Virtual City Associates, PO Box 6447, London N4 4RX, United Kingdom, 2001. Academic URL: http://csrc.lse.ac.uk.
[vii]Ibid.
[viii]Ibid.
[ix]Ibid.
[x]Ibid.
[xi]Ibid.
[xii]Ibid.