Digital Evidence and Legal Proceedings

When it comes to submitting digital evidence for use in a trial, the same levels of care need to be applied as with non-digital evidence.

Crime is a part of human life and, for a crime to be resolved, investigators have to reconstruct the crime scene and analyse the actions of both the suspect and the victim so that any evidence can be identified and used to support any legal proceedings.

As technology has evolved, criminals are now able to use new methods to commit traditional crimes and develop new types of crimes. Crimes committed through the use of technology still require the same principles of investigation, though the scene can now be a virtual environment that must be secured and examined as digital evidence.

Digital evidence is information or data of an evidential value that is stored on or transmitted by a computer or digital device and can be defined as follows:

‘Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi’ (Casey, E., Dunne, R. (2004) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. St. Louis: Academic Press).

A wider array of devices is capable of holding larger amounts of data, and digital evidence can be found on an increasing number of types of storage media, including computer hard drives, mobile phones and removable media such as memory cards.

As an expert witness and Digital Forensic Consultant I am finding that digital evidence is becoming more prevalent within a wider range of both criminal and civil cases, including murder, unlawful images, child care cases, and commercial and employment disputes. These cases can require the examination of evidence to determine whether it has been used to commit or facilitate a crime, as well as to identify supportive material for either side of a legal case.

In order for digital evidence to be admissible in court a number of criteria must be met, including ensuring that the evidence has not been altered and that an auditable trail has been kept of the storage and investigation of the evidential device or media. The key points of the handling and investigation of digital evidence are as follows:

Actions taken to secure and collect digital evidence should not affect the integrity of that evidence;
Persons conducting an examination of digital evidence should be trained for that purpose;
Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.

(U.S. Department of Justice (2004) Forensic Examination of Digital Evidence: A Guide for Law Enforcement, Washington).

The nature of digital devices also makes them particularly susceptible to damage or corruption. The constant demand for devices that are physically smaller yet bigger in capacity means that their components become ever smaller and more delicate; even storing a device in an unsuitable environment can cause the corruption and loss of some or all of the data present.

Therefore, to ensure its integrity, a ‘chain of custody’ relating to the evidence should be established. This usually amounts to a paper trail detailing the whereabouts of all evidential sources during custody, along with the details of the individuals who had access to them, when they had access, and any actions taken with the evidence. This, along with a comparison and review of the digital media itself, should allow an independent examiner to accept that a given item of media has not been corrupted or compromised following seizure.

As the level of understanding of the operation of computers and mobile phones has developed within legal cases, those investigating cases involving digital evidence have a better awareness of the methods of seizure and handling. Previously it was not uncommon to find cases where the digital evidence had been switched on and operated by a ‘curious’ investigating officer to ‘see what was there’.

Thankfully, far greater emphasis is now placed on audit trails and on storing evidence correctly, and such activity by untrained individuals is now rare. Adherence to computer evidence guidelines is crucial to ensuring that the evidence considered is all that was available, rather than basing an examination on flawed evidence that is only partially complete.

As a forensic investigator, I was recently involved in a case that highlights the importance of ensuring the completeness of digital evidence. The case involved an unemployed middle-aged man who lived on his own and kept himself to himself, though he used his computer to talk to other people in chat rooms.

He had been in contact with one of his online friends via a chat room for eight months before they asked him for a favour: to cash a cheque that their elderly mother was unable to cash herself. His expenses were to be covered and he saw no problem with then transferring the money to the mother’s account. Unfortunately, it did not even occur to him that the cheque could be fraudulent until he found himself in a police station being interviewed on suspicion of attempting to cash a fraudulent cheque.

He provided police with his version of events; fortunately, they had also seized his home computer. They examined the computer and found evidence to indicate that the defendant had been in contact with the individual, yet found no evidence to support the origins of the cheque or the story behind it. He was subsequently charged with fraud and was due to appear for trial at Crown Court.

Given the partial evidence identified by the police, the defendant’s solicitors understood the situation well enough to know that a second examination of the computer hard drive should be conducted to determine whether any chat logs could be found on it.

It was only after a careful review of the deleted areas of the hard drive, along with the use of data recovery software, that chat log activity was identified that supported the defendant’s version of events. The log proved that the defendant and his friend had conversed on a number of occasions and also confirmed the origins of the cheque. After months of investigation, and following the identification of this evidence, the case was dropped on the morning of the trial.

Had the computer evidence not been sufficiently protected and secured following seizure, and had the data present been altered in any way, whether by use of the hard drive or by improper handling of it, this relatively small piece of crucial evidence could have been lost and the defendant’s version of events could not have been supported.

During the examination of digital evidence it is standard procedure for the evidence to be connected to a suitable system through write-protecting hardware, so that the original device cannot be written to or otherwise altered.

Due to the volatility of digital evidence it is best practice to take a forensic ‘image’ of the hard drive or storage device: an exact byte-by-byte copy of all data and space present on the device, both live files and deleted information. This forensic image then forms the basis of the investigation and analysis, and the original exhibit can be securely stored.

At the start of the forensic copying process, the device is assigned an acquisition hash value (most commonly an MD5 hash value). Once the evidence has been forensically acquired (imaged, which is similar to copied), the evidence is assigned a verification hash value.

Currently, it is believed that the hash value mechanism indicates that the acquired evidence is a complete and accurate copy of the data contained on the original device and that if the acquisition and verification hash values match then no alteration of the evidence can have taken place.

Various types of hash value exist, including HAVAL, MD5 and SHA. The forensic arena has adopted the MD5 hash as a method of proving that one file is identical to another, or that an item of digital evidence has not been altered since its original acquisition. The MD5 algorithm was developed in 1991 by Professor Ronald L. Rivest.

As the MD5 algorithm is based on a 128-byte data block, it would appear possible that the data on an item of digital media could be manipulated without the MD5 hash value being altered. Given this, I am currently undertaking research to attempt to verify whether an item of digital evidence can be altered without changing its MD5 hash value.

If successful, this would demonstrate a technique by which digital evidence could be altered without any change to its assigned hash value. The result of this research may be that it is possible to alter an item of digital evidence sufficiently to make current hashing techniques unreliable in court.
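The acquisition and verification hashing described above, together with the custody record the DOJ principles call for, as an added example that is not part of the original article or any forensic tool. It hashes with SHA-256 alongside MD5, since relying on a single algorithm is exactly the weakness the preceding paragraphs question; the sample "device" is a constructed byte string and the examiner name is a hypothetical placeholder.

```python
import hashlib
import io
from datetime import datetime, timezone

# MD5 (512-bit blocks, 128-bit digest) is kept as the convention the article
# describes; SHA-256 is added because MD5 collisions are practical.
ALGORITHMS = ("md5", "sha256")

def hash_stream(stream, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} over the whole stream, read in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    stream.seek(0)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquire(device, image, examiner, custody_log):
    """Copy `device` byte for byte into `image`; hash source first, image after."""
    acquisition = hash_stream(device)          # acquisition hash of the original
    device.seek(0)
    for chunk in iter(lambda: device.read(1 << 20), b""):
        image.write(chunk)
    verification = hash_stream(image)          # verification hash of the image
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": "acquire",
             "acquisition": acquisition, "verification": verification,
             "verified": acquisition == verification}
    custody_log.append(entry)                  # one auditable record per action
    return entry

def verify(image, expected):
    """Re-hash an image (e.g. before analysis); return algorithms that mismatch."""
    current = hash_stream(image)
    return [name for name in ALGORITHMS if current[name] != expected[name]]

# Constructed sample "device": a few bytes standing in for a seized drive.
SAMPLE_DEVICE = b"live file\x00deleted chat log fragment" + b"\x00" * 64

def demo():
    """Acquire the sample device, then alter one byte of the image and re-verify."""
    log, img = [], io.BytesIO()
    entry = acquire(io.BytesIO(SAMPLE_DEVICE), img, "examiner-1 (hypothetical)", log)
    tampered = io.BytesIO(img.getvalue()[:-1] + b"\x01")  # alter the final byte
    return entry, verify(tampered, entry["acquisition"])

if __name__ == "__main__":
    entry, mismatches = demo()
    print("image verified:", entry["verified"], "| mismatch after alteration:", mismatches)
```

A single altered byte in unallocated space changes every digest, which is what lets a second examiner confirm the image is still the one that was acquired.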

Online Computer Forensics

Online computer forensics covers a wide area of data investigation and retrieval. It can involve internet crimes, email abuse and trading of intellectual property, to name a few.

Hackers aren’t the only ones committing online crimes these days. Computer forensics analysts are being called on in large numbers to investigate company employees and crime in the workplace.

Many corporations are hiring teams of online computer forensics experts to track employees and their daily habits. It can be minor cases such as internet or email abuse causing wasted hours on the clock, or it can be a more critical crime such as employees selling intellectual property or using it to operate a competing business on the side.

Another area where computer forensics is extremely useful is in investigating criminal cases. There are many people out there participating in illegal online activities, such as child pornography sites and the trading of such information. It’s good that our system puts a high level of importance on bringing these people to justice and shutting down these sites, and digital forensics is what makes it possible to find these people and prosecute them to the fullest extent of the law. These practices are not tolerated, and with the proper input from an online computer forensics expert, people participating in these unlawful practices can be found guilty and put behind bars.

It’s best to gain access to a computer before anyone has a chance to destroy evidence. But even if an individual knows they might be investigated, it is very possible to retrieve information they try to delete. It’s also very easy to monitor their actions through computer or phone spying software.

Cell phones are very common these days, and with this technology comes a new area where computer forensics can be utilized. A lot of illegal activity happens over cell phones. Text messaging, picture messaging and basic phone calls can contain information that is highly relevant when trying to prosecute a person for a cyber crime. Phones these days are basically small computers that can send and receive the same data as most computers. It’s important for computer forensics experts to keep up with this changing technology and be able to handle any scenario thrown their way.

Cell phone spyware is new software that allows anyone to tap into a phone’s calls, messaging and internet usage. With a simple application put onto a phone you can track everything that phone does. This can be good and bad. It’s unsettling to know that anyone can track everything you do on your phone, but from a computer forensics standpoint this is a valuable tool that could possibly bring serious criminals to justice.

Online computer forensics is all about keeping up with the criminals and their practices. As they learn new ways to hack into systems or run email scams, it’s important that digital forensics experts keep up and are able to use their knowledge to solve crimes and keep our internet safe.

Getting Started With Digital Forensics

The increasing number of computer crimes has caused losses of billions of dollars annually. Due to this unhealthy trend, digital forensics has emerged as a fast-growing career field. It is a technical job that provides the satisfaction of working in the criminal justice system without the danger of being a police officer. For those people who are in the midst of deciding their career path, computer forensics is an ideal career for their consideration.

To start involving yourself in this fascinating field, you will likely need a computer forensics degree or a related degree in computer science, criminal justice or engineering. Besides education, it is also a must for you to attend digital forensics training from accredited training institutes. You can take a computer forensics training program either online or offline. To be a professional in digital forensics, you need to make sure that you equip yourself with a broad range of knowledge relating to computer storage devices, operating systems, software applications and programming languages.

While you are pursuing the program, it is suggested that you consider an internship with a computer forensics company. Through an internship, you are able to obtain real-world knowledge in a real working environment. Besides, being an intern helps to open the door for you to enhance the technical and analytical skills which are typically a must for all computer forensics careers. At the same time, your resume will definitely look great when you have job experience in this particular line of work.

After you have obtained the formal education and training, you are ready to decide which agency you would like to work in. There are many job opportunities in law enforcement, the police and military, intelligence agencies, publicly listed corporations and even the Federal Bureau of Investigation. Secure yourself a job and start investigating!