Digital forensics
Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early '80s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Investigations can fall into one of four categories. The most common is forensic analysis, in which evidence is recovered to support or refute a hypothesis before a criminal court; closely related is intelligence gathering, in which material is intended to identify other suspects or crimes. eDiscovery is a form of discovery related to civil litigation, and intrusion investigation is a specialist investigation into the nature and extent of an unauthorized network intrusion. The technical aspect of an investigation is divided into several sub-branches: computer forensics, network forensics, database forensics and mobile device forensics.

The digital forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence for the benefit of courts or an employer. As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright cases), or authenticate documents. Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions), often involving complex time-lines or hypotheses.

History

Prior to the 1980s crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking, and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer offences. Canada was the first country to pass legislation in 1983. This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Abuse Act in 1990.

1980s–1990s: Growth of the field

The growth in computer crime during the 1980s and 1990s caused law enforcement agencies to begin establishing specialized groups, usually at the national level, to handle the technical aspects of investigations. For example, in 1984 the FBI launched a Computer Analysis and Response Team and the following year a computer crime department was set up within the British Metropolitan Police fraud squad. As well as being law enforcement professionals, many of the early members of these groups were also computer hobbyists and became responsible for the field's initial research and direction.

One of the first practical (or at least publicised) examples of digital forensics was Cliff Stoll's pursuit of hacker Markus Hess in 1986. Stoll, whose investigation made use of computer and network forensic techniques, was not a specialised examiner. Many of the earliest forensic examinations followed the same profile.

Throughout the 1990s there was high demand for these new, and basic, investigative resources. The strain on central units led to the creation of regional, and even local, level groups to help handle the load. For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide a national infrastructure for computer crime, with personnel located both centrally in London and with the various regional police forces (the unit was folded into the Serious Organised Crime Agency (SOCA) in 2006).

During this period the science of digital forensics grew from the ad-hoc tools and techniques developed by these hobbyist practitioners. This is in contrast to other forensics disciplines which developed from work by the scientific community. It was not until 1992 that the term "computer forensics" was used in academic literature (although prior to this it had been in informal use); a paper by Collier and Spaul attempted to justify this new discipline to the forensic science world. This swift development resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K Rosenblatt wrote:

2000s: Developing standards

Since 2000, in response to the need for standardization, various bodies and agencies have published guidelines for digital forensics. The Scientific Working Group on Digital Evidence (SWGDE) produced a 2002 paper, "Best practices for Computer Forensics"; this was followed, in 2005, by the publication of an ISO standard (ISO 17025, General requirements for the competence of testing and calibration laboratories). A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with the aim of reconciling national computer crime laws, investigative techniques and international co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South Africa, UK and other European nations) and ratified by 16.

The issue of training also received attention. Commercial companies (often forensic software developers) began to offer certification programs and digital forensic analysis was included as a topic at the UK specialist investigator training facility, Centrex.

Since the late 1990s mobile devices have become more widely available, advancing beyond simple communication devices, and have been found to be rich forms of information, even for crime not traditionally associated with digital forensics. Despite this, digital analysis of phones has lagged behind traditional computer media, largely due to problems over the proprietary nature of devices.

Focus has also shifted onto internet crime, particularly the risk of cyber warfare and cyberterrorism. A February 2010 report by the United States Joint Forces Command concluded:

The field of digital forensics still faces unresolved issues. A 2009 paper, "Digital Forensic Research: The Good, the Bad and the Unaddressed", by Peterson and Shenoi identified a bias towards Windows operating systems in digital forensics research. In 2010 Simson Garfinkel identified issues facing digital investigations in the future, including the increasing size of digital media, the wide availability of encryption to consumers, a growing variety of operating systems and file formats, an increasing number of individuals owning multiple devices, and legal limitations on investigators. The paper also identified continued training issues, as well as the prohibitively high cost of entering the field.

Development of forensic tools

During the 1980s very few specialised digital forensic tools existed, and consequently investigators often performed live analysis on media, examining computers from within the operating system using existing sysadmin tools to extract evidence. This practice carried the risk of modifying data on the disk, either inadvertently or otherwise, which led to claims of evidence tampering. A number of tools were created during the early 1990s to address the problem.

The need for such software was first recognised in 1989 at the Federal Law Enforcement Training Center, resulting in the creation of IMDUMP (by Michael White) and in 1990, SafeBack (developed by Sydex). Similar software was developed in other countries; DIBS (a hardware and software solution) was released commercially in the UK in 1991, and Rob McKemmish released Fixed Disk Image free to Australian law enforcement. These tools allowed examiners to create an exact copy of a piece of digital media to work on, leaving the original disk intact for verification. By the end of the '90s, as demand for digital evidence grew, more advanced commercial tools such as EnCase and FTK were developed, allowing analysts to examine copies of media without using any live forensics.

More recently the same progression of tool development has occurred for mobile devices; initially investigators accessed data directly on the device, but soon specialist tools such as XRY or Radio Tactics Aceso appeared.

Forensic process

A digital forensic investigation commonly consists of 3 stages: acquisition or imaging of exhibits, analysis, and reporting. Acquisition involves creating an exact sector level duplicate (or "forensic duplicate") of the media, often using a write blocking device to prevent modification of the original. Both acquired image and original media are hashed (using SHA-1 or MD5) and the values compared to verify the copy is accurate.
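The hash comparison described above, as an added example that is not part of the original article: the original media and the acquired image are each digested in a single streaming pass and the copy is accepted only if every digest matches. The byte string standing in for the media is constructed for the example, and SHA-256 is included alongside the MD5 and SHA-1 named in the text because collisions for those two are practical and examiners now record a stronger digest as well.

```python
import hashlib
from typing import Dict, Iterable, Iterator, Tuple

# MD5 and SHA-1 are the algorithms the text names; SHA-256 is added because
# collisions for the older two are practical, so labs record a stronger digest too.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # hash a mebibyte at a time so a large image is never loaded whole


def chunks(data: bytes, size: int = CHUNK) -> Iterator[bytes]:
    """Yield fixed-size slices of an in-memory byte string (stands in for reading a block device)."""
    for off in range(0, len(data), size):
        yield data[off:off + size]


def hash_stream(blocks: Iterable[bytes], algorithms=ALGORITHMS) -> Dict[str, str]:
    """Run every algorithm over one pass of the media and return hex digests keyed by name."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original: bytes, image: bytes) -> Tuple[bool, Dict[str, str], Dict[str, str]]:
    """Hash the original media and the acquired image; the copy is accepted only if every digest matches."""
    source = hash_stream(chunks(original))
    copy = hash_stream(chunks(image))
    return all(source[a] == copy[a] for a in source), source, copy


# Constructed sample media: six 512-byte "sectors" of repeating content (not real evidence).
ORIGINAL_MEDIA = b"SECTOR-DATA-" * 256

if __name__ == "__main__":
    ok, src, img = verify_image(ORIGINAL_MEDIA, bytes(ORIGINAL_MEDIA))
    print("exact duplicate accepted:", ok, src["sha1"])
    damaged = bytearray(ORIGINAL_MEDIA)
    damaged[1000] ^= 0x01  # a single flipped bit is enough to reject the duplicate
    print("bit-flipped duplicate accepted:", verify_image(ORIGINAL_MEDIA, bytes(damaged))[0])
```

Hashing all algorithms in one pass matters in practice: reading a multi-terabyte exhibit once through a write blocker is slow, and re-reading it for each digest doubles or triples the acquisition time.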

During the analysis phase investigators recover evidence material using a number of different methodologies and tools. In 2002 an article in the International Journal of Digital Evidence referred to this step as "an in-depth systematic search of evidence related to the suspected crime". In 2006, forensics researcher Brian Carrier described an "intuitive procedure" in which obvious evidence is first identified and then "exhaustive searches are conducted to start filling in the holes".

The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as unallocated and slack space), recovering deleted files and extraction of registry information (for example to list user accounts, or attached USB devices).
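A keyword search of the kind described above, as an added example that is not from the original article: the raw image is scanned byte by byte, ignoring file-system structure, so hits in file slack and unallocated space are reported as well as those inside live files. The four-sector image and the allocation map format (one `(cluster_start, cluster_end, file_end)` triple per live file) are constructed for the example; a real tool would derive the map from the file system's own metadata.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
# Hypothetical allocation map: (cluster_start, cluster_end, file_end) per live file,
# all in byte offsets. A real tool derives this from the file system's metadata.
AllocMap = List[Tuple[int, int, int]]


@dataclass
class Hit:
    keyword: str
    offset: int
    encoding: str
    region: str  # "allocated", "slack" or "unallocated"


def classify(offset: int, allocated: AllocMap) -> str:
    """Bytes inside a live file's clusters but past its logical end are file slack;
    bytes outside every allocated cluster are unallocated space."""
    for start, end, file_end in allocated:
        if start <= offset < end:
            return "allocated" if offset < file_end else "slack"
    return "unallocated"


def keyword_search(image: bytes, keywords: List[str], allocated: AllocMap) -> List[Hit]:
    """Scan the raw image for each keyword as ASCII and as UTF-16LE (the encoding many
    Windows artefacts use), ignoring file-system structure so deleted and slack content is found."""
    hits: List[Hit] = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                hits.append(Hit(kw, m.start(), enc, classify(m.start(), allocated)))
    return sorted(hits, key=lambda h: h.offset)


def build_sample_image() -> Tuple[bytes, AllocMap]:
    """Constructed four-sector image: one live file in sectors 0-1, residue of an older
    file in its slack, and a deleted UTF-16LE string in the unallocated sectors 2-3."""
    img = bytearray(4 * SECTOR)
    live = b"Meeting with ACME on Friday"
    img[0:len(live)] = live
    residue = b"old ACME contract"
    img[600:600 + len(residue)] = residue
    deleted = "acme".encode("utf-16-le")
    img[1500:1500 + len(deleted)] = deleted
    return bytes(img), [(0, 2 * SECTOR, len(live))]


if __name__ == "__main__":
    image, alloc = build_sample_image()
    for h in keyword_search(image, ["acme"], alloc):
        print(f"{h.keyword!r} at offset {h.offset:6d} ({h.encoding}, {h.region})")
```

The region label is what turns a raw offset into something an examiner can act on: a hit in slack or unallocated space belongs to data the file system no longer presents, and the finding is reported with that caveat rather than attributed to the live file that happens to own the cluster.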

The evidence recovered is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialised staff. When an investigation is complete the data is presented, usually in the form of a written report, in layperson's terms.

Forms and uses

Investigations can take one of four forms. Firstly, as a forensic examination, traditionally associated with criminal law, where evidence is collected to support or oppose a hypothesis. Like other areas of forensics this is often part of a wider investigation spanning a number of disciplines. A related form is "intelligence gathering": functionally identical to a forensic examination, except that the digital evidence is intended to be used as intelligence to (for example) locate, identify or halt other crimes. As a result, intelligence gathering is sometimes held to a less strict forensic standard.

In civil litigation or corporate matters the process is referred to as electronic discovery (or eDiscovery). The forensic procedure is similar to that used in criminal investigations but with different legal requirements and limitations. Finally, intrusion investigation is a specialist examination into the nature and extent of an unauthorized network intrusion. Intrusion analysis is usually performed as a damage limitation exercise after an attack, both to establish the extent of any intrusion and to try to identify the attacker. Such attacks were commonly conducted over phone lines during the 1980s, but in the modern era are usually propagated over the internet.

The main use of digital forensics is to recover objective evidence of a criminal activity (termed actus reus in legal parlance). However, the diverse range of data held in digital devices can help with other areas of investigation.

Attribution
Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.

Alibis and statements
Information provided by those involved can be cross-checked with digital evidence. For example, during the investigation into the Soham murders, the offender's alibi was disproven when mobile phone records of the person he claimed to be with showed she was out of town at the time.

Intent
As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term mens rea). For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing How to kill people.

Evaluation of source
File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Globally Unique Identifier (GUID) into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.

Document authentication
Related to "Evaluation of Source", meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication relates to detecting and identifying falsification of such details.
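The detection side of document authentication, as an added example not taken from the original article: a forged date produced by changing the computer clock is rarely consistent with everything else, so each rule below compares a file's timestamps against something the forger does not control, namely the ordering of the file's own fields and the time at which the examiner imaged the media. The `FileRecord` type, paths and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class FileRecord:
    """Constructed stand-in for a file-system entry's timestamps (all UTC)."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def check_timestamps(rec: FileRecord, acquired_at: datetime) -> List[str]:
    """Return descriptions of timestamp anomalies for one file."""
    issues: List[str] = []
    if rec.modified < rec.created:
        # Copying a file keeps its modification time but assigns a new creation time, so this
        # pattern points to a file brought in from elsewhere, or to a clock that was rolled back.
        issues.append("modified before created (copied from elsewhere, or clock rolled back)")
    if rec.accessed < rec.created:
        issues.append("accessed before created")
    for name in ("created", "modified", "accessed"):
        if getattr(rec, name) > acquired_at:
            # No genuine timestamp can post-date the moment the media was imaged.
            issues.append(f"{name} is later than acquisition time (clock set forward)")
    return issues


def audit(records: List[FileRecord], acquired_at: datetime) -> Dict[str, List[str]]:
    """Run the checks over a set of records and keep only the files with findings."""
    findings = {r.path: check_timestamps(r, acquired_at) for r in records}
    return {path: f for path, f in findings.items() if f}


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed records: one ordinary file and one whose dates were set under a changed clock.
ACQUIRED = ts("2010-02-01T09:00:00")
SAMPLE = [
    FileRecord("C:/Users/x/notes.txt",
               ts("2010-01-05T10:00:00"), ts("2010-01-06T10:00:00"), ts("2010-01-07T10:00:00")),
    FileRecord("C:/Users/x/contract.doc",
               ts("2010-03-10T10:00:00"), ts("2010-01-01T10:00:00"), ts("2010-03-10T10:00:00")),
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE, ACQUIRED).items():
        print(path, "->", "; ".join(findings))
```

These rules only flag candidates; a modified-before-created pattern is also produced by an ordinary copy from another volume, so the finding is a lead to corroborate against other sources (file-system journals, log entries, embedded application metadata) rather than a conclusion on its own.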

Limitations

One major limitation to a forensic investigation is the use of encryption; this disrupts initial examination where pertinent evidence might be located using keywords. Laws to compel individuals to disclose encryption keys are still relatively new and controversial.

Legal considerations

The examination of digital media is covered by national and international legislation. For civil investigations, in particular, laws may restrict the abilities of analysts to undertake examinations. Restrictions against network monitoring, or reading of personal communications, often exist. During criminal investigation, national laws restrict how much information can be seized. For example, in the United Kingdom seizure of evidence by law enforcement is governed by the Police and Criminal Evidence Act 1984 (PACE). The "International Organization on Computer Evidence" (IOCE) is one agency that works to establish compatible international standards for the seizure of evidence.

In the UK the same laws covering computer crime can also affect forensic investigators. The Computer Misuse Act 1990 legislates against unauthorised access to computer material; this is a particular concern for civil investigators, who have more limitations than law enforcement.

An individual's right to privacy is one area of digital forensics which is still largely undecided by courts. The US Electronic Communications Privacy Act (ECPA) places limitations on the ability of law enforcement or civil investigators to intercept and access evidence. The act makes a distinction between stored communication (e.g. email archives) and transmitted communication (such as VoIP). The latter, being considered more of a privacy invasion, is harder to obtain a warrant for. The ECPA also affects the ability of companies to investigate the computers and communications of their employees; the extent to which a company can perform such monitoring is still under debate.

Article 5 of the European Convention on Human Rights asserts similar privacy limitations to the ECPA and limits the processing and sharing of personal data both within the EU and with external countries. The ability of UK law enforcement to conduct digital forensics investigations is legislated by the Regulation of Investigatory Powers Act 2000.

Digital evidence

When used in a court of law digital evidence falls under the same legal guidelines as other forms of evidence; courts do not usually require more stringent guidelines. In the United States the Federal Rules of Evidence are used to evaluate the admissibility of digital evidence; the United Kingdom's PACE and Civil Evidence Acts have similar guidelines, and many other countries have their own laws. US federal laws restrict seizures to items with only obvious evidential value. This is acknowledged as not always being possible to establish with digital media prior to an examination.

Laws dealing with digital evidence are concerned with two issues: integrity and authenticity. Integrity is ensuring that the act of seizing and acquiring digital media does not modify the evidence (either the original or the copy). Authenticity refers to the ability to confirm the integrity of information; for example, that the imaged media matches the original evidence. The ease with which digital media can be modified means that documenting the chain of custody from the crime scene, through analysis and, ultimately, to the court (a form of audit trail) is important to establish the authenticity of evidence.
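One way to make the custody audit trail described above tamper-evident, as an added example that is not from the original article and not a description of any agency's procedure: each custody entry records the exhibit's digest and the hash of the previous entry, and is itself sealed with a hash, so any later edit to an entry breaks the re-computation of its seal or the back-link of the entry after it. The `CustodyLog` class, the actor names and the evidence digest are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # back-link of the first entry


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str       # ISO-8601, as recorded by the person taking custody
    actor: str
    action: str          # e.g. "seized", "imaged", "transferred", "analysed"
    evidence_hash: str   # digest of the exhibit or image as verified at this step
    prev_entry_hash: str
    entry_hash: str = ""


def seal(entry: CustodyEntry) -> str:
    """SHA-256 over every field except the seal itself, serialised canonically."""
    body = asdict(entry)
    body.pop("entry_hash")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def append(self, timestamp: str, actor: str, action: str, evidence_hash: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(len(self.entries), timestamp, actor, action, evidence_hash, prev)
        entry.entry_hash = seal(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if every entry re-seals to its recorded hash and links to its
        predecessor, otherwise the sequence number of the first entry that fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_entry_hash != prev or seal(e) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def evidence_unchanged(self) -> bool:
        """Authenticity check: every custodian recorded the same digest for the exhibit."""
        return len({e.evidence_hash for e in self.entries}) <= 1

    def head(self) -> str:
        """Hash of the latest entry; writing it into the report pins the whole chain."""
        return self.entries[-1].entry_hash if self.entries else GENESIS


def build_sample_log() -> CustodyLog:
    """Constructed custody history for one exhibit (names and digest are placeholders)."""
    log = CustodyLog()
    digest = "ab" * 32
    log.append("2011-03-01T09:00:00Z", "Officer A", "seized", digest)
    log.append("2011-03-01T11:30:00Z", "Examiner B", "imaged", digest)
    log.append("2011-03-02T08:15:00Z", "Examiner C", "analysed", digest)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None, "head:", log.head())
    log.entries[1].actor = "Someone else"  # an after-the-fact edit to the record
    print("first failing entry:", log.verify())
```

A hash chain alone does not stop someone who holds the whole log from re-sealing every entry after an edit; its value comes from recording the head hash somewhere independent of the log (the written report, a signed lab register), so that the chain presented in court can be checked against a value fixed earlier.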

Attorneys have argued that because digital evidence can theoretically be altered, it undermines the reliability of the evidence. US judges are beginning to reject this theory; in the case US v. Bonallo the court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness". In the United Kingdom guidelines such as those issued by ACPO (the Association of Chief Police Officers) are followed to help document the authenticity and integrity of evidence.

Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon factual evidence and their own expert knowledge. In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as:

The sub-branches of digital forensics may each have their own specific guidelines for the conduct of investigations and the handling of evidence. For example, mobile phones may be required to be placed in a Faraday shield during seizure or acquisition to prevent further radio traffic to the device. In the UK forensic examination of computers in criminal matters is subject to ACPO guidelines.

Investigative tools

The admissibility of digital evidence relies on the tools used to extract it. In the US, forensic tools are subjected to the Daubert standard, where the judge is responsible for ensuring that the processes and software used were acceptable. In a 2003 paper Brian Carrier argued that the Daubert guidelines required the code of forensic tools to be published and peer reviewed. He concluded that "open source tools may more clearly and comprehensively meet the guideline requirements than would closed source tools".

Branches

Digital forensics includes several sub-branches relating to the investigation of various types of devices, media or artefacts.

Computer forensics

The goal of computer forensics is to explain the current state of a digital artifact, such as a computer system, storage medium or electronic document. The discipline usually covers computers, embedded systems (digital devices with rudimentary computing power and onboard memory) and static memory (such as USB pen drives).

Computer forensics can deal with a broad range of information, from logs (such as internet history) through to the actual files on the drive. In 2007 prosecutors used a spreadsheet recovered from the computer of Joseph E. Duncan III to show premeditation and secure the death penalty. Sharon Lopatka's killer was identified in 2006 after email messages from him detailing torture and death fantasies were found on her computer.

Mobile device forensics

Mobile device forensics is a sub-branch of digital forensics relating to the recovery of digital evidence or data from a mobile device. It differs from computer forensics in that a mobile device will have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms. Investigations usually focus on simple data such as call data and communications (SMS/email) rather than in-depth recovery of deleted data. SMS data from a mobile device investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher.

Mobile devices are also useful for providing location information, either from inbuilt GPS/location tracking or via cell site logs, which track the devices within their range. Such information was used to track down the kidnappers of Thomas Onofri in 2006.

Network forensics

Network forensics is concerned with the monitoring and analysis of computer network traffic, both local and WAN/internet, for the purposes of information gathering, evidence collection, or intrusion detection. Traffic is usually intercepted at the packet level, and either stored for later analysis or filtered in real time. Unlike other areas of digital forensics, network data is often volatile and rarely logged, making the discipline often reactionary.
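Packet-level interception in practice means reading capture files (or a live stream in the same record format) and deciding, record by record, what to keep. The following Python is an added example, not code from the article: it is a minimal reader for the classic libpcap file format with a keep-or-drop filter, and the two frames it parses are constructed in memory (addresses from documentation ranges, placeholder ports and timestamps), so nothing is captured from a real interface.

```python
"""Minimal pcap reader with a keep-or-drop filter.

Added example, not from the article. The two packets below are constructed
(addresses, ports and timestamps are placeholders) and the file is built in
memory, so nothing touches a network interface.
"""
import struct
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
# Magic number as read little-endian -> (struct byte order, timestamp ticks per second).
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}


@dataclass
class PacketRecord:
    ts: float             # capture time, seconds since the epoch
    src: str
    dst: str
    proto: int            # IPv4 protocol number
    sport: Optional[int]  # None when the transport layer carries no ports
    dport: Optional[int]
    length: int           # original frame length on the wire


def parse_pcap(data: bytes) -> Iterator[PacketRecord]:
    """Yield one record per IPv4 frame in a classic (non-pcapng) capture."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a pcap file (unknown magic number)")
    order, ticks = MAGICS[magic]
    _, _, _, _, _, linktype = struct.unpack(order + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated capture: record extends past end of file")
        offset += incl_len
        rec = _decode_frame(frame, ts_sec + ts_frac / ticks, orig_len)
        if rec is not None:
            yield rec


def _decode_frame(frame: bytes, ts: float, orig_len: int) -> Optional[PacketRecord]:
    # 14-byte Ethernet header plus a 20-byte minimum IPv4 header; skip anything else (ARP, IPv6, ...).
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return PacketRecord(ts, src, dst, proto, sport, dport, orig_len)


def filter_records(records, predicate: Callable[[PacketRecord], bool]) -> List[PacketRecord]:
    """Keep only records matching a predicate: the point at which a live
    pipeline retains traffic of interest and drops the rest."""
    return [r for r in records if predicate(r)]


# --- constructed sample capture ---------------------------------------------
def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_sample_pcap(order: str = "<") -> bytes:
    """Two constructed frames: a TCP SYN to port 80 and a UDP datagram to port 53."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    eth = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    udp = struct.pack("!HHHH", 40001, 53, 8 + 12, 0) + b"\x00" * 12
    frames = [eth + _ipv4("10.0.0.5", "192.0.2.10", PROTO_TCP, tcp),
              eth + _ipv4("10.0.0.5", "10.0.0.1", PROTO_UDP, udp)]
    for i, f in enumerate(frames):
        out += struct.pack(order + "IIII", 1_700_000_000 + i, 500_000, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for rec in filter_records(parse_pcap(build_sample_pcap()), lambda r: r.proto == PROTO_UDP):
        print(rec)
```

The reader checks the magic number because pcap files written on different hosts may be little- or big-endian and may carry microsecond or nanosecond timestamps; a tool that assumes one layout silently misreads the other, and a truncated record is reported rather than skipped so the examiner knows the capture is incomplete.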

In 2000 the FBI lured computer hackers Aleksey Ivanov and Gorshkov to the United States for a fake job interview. By monitoring network traffic from the pair's computers, the FBI identified passwords allowing them to collect evidence directly from Russian-based computers.

Database forensics

Database forensics is a branch of digital forensics relating to the forensic study of databases and their metadata. Investigations use database contents, log files and in-RAM data to build a timeline or recover relevant information.
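Building a timeline from a database means merging events from its transaction log with the modification times found in the table rows themselves, and the two sources can then be checked against each other. The Python below is an added example, not from the article: the log lines and rows are constructed, and the one-line log format is a simplified hypothetical one (real engines each have their own log format and need their own parsers). Replaying the log and comparing the result with the current rows flags rows the log does not account for.

```python
"""Timeline and consistency check from a database transaction log and table rows.

Added example, not from the article. The log lines and rows are constructed,
and the one-line log format is a simplified hypothetical one; real engines
each have their own log format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed transaction log: timestamp, transaction id, operation, table, key=value fields.
LOG_LINES = [
    "2024-03-01T09:00:01Z txid=101 INSERT accounts id=7 balance=100",
    "2024-03-01T09:05:12Z txid=102 UPDATE accounts id=7 balance=250",
    "2024-03-01T09:07:40Z txid=103 INSERT accounts id=9 balance=10",
    "2024-03-01T09:08:02Z txid=104 DELETE accounts id=9",
]

# Constructed current contents of the same table, as read from its data files.
TABLE_ROWS = [
    {"id": 7, "balance": 900, "updated_at": "2024-03-01T09:30:00Z"},
    {"id": 8, "balance": 50, "updated_at": "2024-02-28T17:00:00Z"},
]


@dataclass(order=True)
class Event:
    ts: datetime
    source: str        # which artefact the event came from: "txlog" or "table"
    description: str


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log_line(line: str) -> Tuple[datetime, str, str, str, Dict[str, str]]:
    ts, txid, op, table, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return parse_ts(ts), txid.split("=", 1)[1], op, table, fields


def build_timeline(log_lines: Iterable[str], rows: Iterable[dict], table: str) -> List[Event]:
    """Merge log entries and row modification times into one ordered timeline."""
    events = []
    for line in log_lines:
        ts, txid, op, tbl, fields = parse_log_line(line)
        events.append(Event(ts, "txlog", f"tx {txid}: {op} {tbl} {fields}"))
    for row in rows:
        events.append(Event(parse_ts(row["updated_at"]), "table",
                            f"{table} id={row['id']} now balance={row['balance']}"))
    return sorted(events)


def replay_log(log_lines: Iterable[str], table: str) -> Dict[int, Dict[str, str]]:
    """Reconstruct the table state that the log alone accounts for."""
    state: Dict[int, Dict[str, str]] = {}
    for line in log_lines:
        _, _, op, tbl, fields = parse_log_line(line)
        if tbl != table:
            continue
        key = int(fields["id"])
        if op == "INSERT":
            state[key] = dict(fields)
        elif op == "UPDATE":
            state.setdefault(key, {}).update(fields)
        elif op == "DELETE":
            state.pop(key, None)
    return state


def find_unlogged_changes(log_lines: Iterable[str], rows: Iterable[dict], table: str) -> List[Tuple[int, str]]:
    """Rows whose current contents the log does not explain: no log record for
    the row, a value differing from the replayed state, or a replayed row that
    is missing. These point at changes made outside the logged path or at gaps
    in the log, both of which the examiner must account for."""
    expected = replay_log(log_lines, table)
    rows = list(rows)
    findings = []
    for row in rows:
        key = row["id"]
        if key not in expected:
            findings.append((key, "present in table but absent from replayed log"))
        elif str(row["balance"]) != expected[key].get("balance"):
            findings.append((key, f"log replays balance={expected[key].get('balance')}, table holds {row['balance']}"))
    for key in expected.keys() - {r["id"] for r in rows}:
        findings.append((key, "log replays a live row that the table lacks"))
    return sorted(findings)


if __name__ == "__main__":
    for ev in build_timeline(LOG_LINES, TABLE_ROWS, "accounts"):
        print(ev.ts.isoformat(), ev.source, ev.description)
    for key, reason in find_unlogged_changes(LOG_LINES, TABLE_ROWS, "accounts"):
        print("row", key, ":", reason)
```

Row modification times are kept as their own events rather than folded into the log entries, so a row whose `updated_at` falls after the last logged transaction for it stands out on the timeline as well as in the consistency report.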

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.