The purpose of this book is to provide you with a clear understanding of digital forensics from its relatively recent emergence as a subdiscipline of forensics to its rapidly growing importance alongside the more established forensic disciplines. This chapter will enable you to gain a clear understanding of the role of digital forensic practitioners and the cybercrime and corporate environments, where they are actively seeking evidence of crimes and civil offences. A small sample of case studies of digital crime scenes will enable you to understand the complexity typical of many cases and the challenges posed to the forensic practitioner.
During the past 10 years or so, there has been a growing interest in digital forensics as a part of tertiary courses and as a career path in law enforcement and corporate investigations. New technologies and forensic processes have developed to meet the growing number of cases relying on digital evidence. However, it has been apparent that the increasing complexity, size, and number of cases is creating problems for practitioners, who also face resource and costing restrictions as well as a shortage of well-trained, experienced personnel. The book will describe these challenges and offer some solutions that have helped me in my practice and research endeavors, and which will hopefully assist and empower current and prospective practitioners to manage problems more effectively in the future.
Inherent security problems associated with personal computers, tied to their popularity in the workplace, have spawned new problems for law enforcement. For example, organizations undertaking criminal investigations or completing internal audits typically encounter the tedious examination of computer records to recover digital evidence. Such examinations urgently require new forensic processes and tools to help practitioners complete their examinations more effectively.
These are exciting times for those practitioners seeking to enhance their important role in assisting the legal fraternity. For those wishing to join the discipline, they will be doing so at a time when practitioners are at a crossroads in terms of changes affecting evidence recovery and management. Banality, complacency, and fatigue are common within the discipline, and the enthusiasm of entering the profession can rapidly dissipate because of the tedium and heavy caseloads, notwithstanding the inherently exciting and important nature of the work. What will be shared with you are new and more effective ways of reducing tedium and time wastage, reinvigorating practitioners, and restoring the excitement of the hunt for evidence, heralded by the gentle winds of change sweeping across the discipline that will eventually turn into a whirlwind if some challenges are left unattended.
The following topics will be covered in the chapter:
An outline of the history and purpose of forensics and, specifically, digital forensics
Definitions of the discipline and its role vis-à-vis more established forensic disciplines
Descriptions of criminal investigations and the rise and nature of cybercrime
An outline of civil investigations and the nature of e-discovery, disputes, and personnel disciplinary investigations
An insight into the role of digital forensic practitioners, the skills and experience required, and the challenges confronting them
A presentation of case studies of noteworthy digital forensic crime scenes to highlight the topic
Forensic evidence is used in courts of law or in legal adjudication, although some purists do not see forensics as a science. The term could be misleading but may be applied to the technologies related to specific sciences rather than the science itself. There are areas of specialization in forensics, such as questioned expert, forensic dentist, civil engineer, auto crash investigator, entomologist, fingerprint expert, and crime scene reconstruction expert.
In 1879, Paris police clerk Alphonse Bertillon introduced a process of documenting crime scenes by photographing corpses and other evidence left behind at the scene. Bertillon's novel photographic records of crime scenes and his precise cataloging and measurement of corpses provided the foundation for the forensic science relating to sudden deaths and homicides. It assisted in the identification of the deceased and provided important information during postmortems to assist in determining the circumstances of the events leading up to the death of the deceased.
Bertillon espoused a radical notion in criminal investigation at the time, positing that science and logic should be used to investigate and solve crime. His scientific work greatly influenced one of his followers, Edmond Locard.
Locard's exchange principle is a fundamental forensic tenet based on the common exchange of physical traces at a crime scene. For example, fingerprints or DNA traces may be left at the scene, or gunpowder residue from a gunshot may spread onto an attacker's clothes. Although circumstantial by nature, these traces help reconstruct what occurred at the crime scene and may identify those present. We will see how this principle also applies to digital forensics throughout the book.
Within the following quotation is found an oft-cited principle: "A criminal action of an individual cannot occur without leaving a mark," or, more succinctly, "Every contact leaves a trace." Inman and Rudin (2001, p. 44) more meaningfully assert that no one can act with the force that the criminal act requires without leaving behind numerous signs of it: either the wrongdoer has left signs at the scene of the crime or, on the other hand, has taken away with him—on his person or clothes—indications of where he has been or what he has done.
Although forensic analysis has developed considerably since the time of Bertillon and Locard, they introduced three core concepts that were major advancements in criminal justice and assist investigators—notably, crime scene documentation, suspect identification, and the discipline of trace analysis.
Unless there is some actual evidence, no hypothesis is of any use and it is as if there had been no crime. Unless a perpetrator may be identified through some valid process and placed at the crime scene via unadulterated evidence, the case cannot ultimately be solved. These principles are foremost in forensics and, of course, apply just as importantly to digital forensic examinations.
The next milestone in forensic science relates to fingerprint evidence. Fingerprints have been used on Chinese legal documents for centuries as a proof of identity and the authenticity of the documents. However, it was not until the end of the nineteenth century that Edward Henry devised a workable classification system and implemented it in India in 1897, publishing his book, Classification and Uses of Fingerprints, in 1900. The following year, Henry's classification was introduced to the London Metropolitan Police; later that year, it was fully functional at the Fingerprint Office at New Scotland Yard, with the first court conviction by fingerprint evidence being obtained in 1902.
However, the reliability of fingerprint evidence has recently been challenged in a number of jurisdictions, with concerns over the lack of valid standards for evaluating whether two prints match. No uniform process exists for determining a sound basis for confirming identification based on fingerprint examinations. Some examiners rely on counting the number of similar ridge characteristics on the prints, but there is no fixed requirement about the number of points of similarity, and this varies significantly in different jurisdictions. Some courts in the USA have gone as far as to state that fingerprint identification is not based on sound forensic science principles. Similar criticism about the lack of standardization and scientific research has been directed at digital forensics, a far newer discipline.
Through recent scientific developments, deoxyribonucleic acid (DNA) is used for determining the inherited characteristics of each person. DNA evidence can be extracted from a range of samples, such as saliva, used postage stamps and envelopes, dental floss, used razors, hair, clothing, and, more recently, fingerprints. This form of evidence has gained much publicity, with DNA samples recovered from a crime scene being compared with a sample from a suspect to establish a reliable and compelling match between the two. DNA evidence was first used to secure a conviction by matching samples recovered from the scene and obtained from the suspect in Oregon in 1987. Since then, it has brought to account many transgressors who might have otherwise remained beyond the reach of the law. It has also been used in "cold cases", proving the innocence of many wrongly convicted persons.
Because of the complexity of DNA evidence, juries were at first hesitant to accept DNA evidence as conclusive. As the discipline evolved, DNA evidence became more readily accepted in court. More recently, courts have been confronted with challenges to DNA evidence. Defense lawyers have claimed that DNA was planted at the scene to implicate the defendant or that the forensic collection or examination of the sample contaminated the evidence, rendering it inadmissible.
The probability of a sound match between the suspect and the crime scene sample has been questioned because of the phenomenon of touch DNA, which consists of genetic markers left behind on many surfaces. It is common for an innocent party's DNA, transferred to the offender's hand through a handshake, to be later inadvertently transferred to the murder weapon. Through this form of contamination, up to 85% of swabs have recovered traces of persons who never handled the weapons in question.
The onus is now squarely placed on the practitioner to determine the relevance of recovered samples and the history of how they got onto the artifacts recovered from the crime scene. It is also incumbent on practitioners to assist in determining the antecedents of recovered DNA to ensure the evidence does not implicate innocent parties. Evidence only tells part of the story. The fact that DNA is found at a location and/or on an implement only tells us that that is where DNA was found. It tells little else. It does not always tell when the person was there, nor does it guarantee that the person was there—only that their DNA was found to be there. It does not tell us what they were doing if it is established that they were in fact present. All too often, evidence is just evidence and we interpret the results to meet our expectations or achieve our desired outcomes. The problems created because of cross-contamination of evidence in the context of digital forensics are discussed in greater detail in Chapter 4, Recovering and Preserving Digital Evidence.
Some order is required when commencing any type of investigation, and forensic science has some key objectives that must be met. Preserving the crime scene is the primary objective because if the evidence is contaminated, lost, or simply not identified and overlooked, then all that follows may be of limited value to the investigators putting together the case evidence.
Recognizing the evidence and identifying where it is located and knowing just where to look can only enhance the outcome of an examination. This requires practitioner skills, knowledge, and experience. Once located, evidence needs to be collated and classified. This brings order to the examination and makes it easier for practitioners to ensure that nothing is overlooked and that the inclusion of recovered artifacts is correctly classified as relevant evidence.
Evidence cannot be viewed in isolation and should be compared with other evidence, and corroborating evidence should be identified. Then it should be described in scientific terms that can highlight the evidence with clarity so that a helpful reconstruction of the events may be presented.
Digital forensics is still in its infancy, and non-standardized processes are common in some civil and criminal investigation agencies. Standards, if they do exist, vary significantly in different jurisdictions. Various digital forensic investigation models are in use, showing slightly different stages in the examination process; however, there is no universal standard model used by practitioners.
Injustices based on faulty or mischievous forensic evidence are not a recent phenomenon. In the United Kingdom, during the past 30 years, for example, some high-profile injustices occurred, including the cases of the Birmingham Six, the Guildford Four, and the Sally Clark case, based on the ineptitude of the expert. Background information on the Clark case may be accessed at http://netk.net.au/UK/SallyClark1.asp.
These and similar cases that resulted in the conviction of innocent persons raised serious questions about the credibility and authority of forensic practitioners and their expert evidence. Forensic issues surrounding the Azaria Chamberlain case at Ayers Rock, more than 30 years ago, had profound implications for the quality of forensic practices here in Australia and had repercussions in other jurisdictions.
Digital evidence is progressively being used in legal proceedings and has been subject to scrutiny by the courts. This places an onerous burden on digital forensic practitioners to endeavor to present reliable evidence and sound analyses of their findings, which may also be useful to establish and test precedents for future court rulings. The dramatic increase in desktop computing and proliferation of cyber-based crime that exploits network systems has resulted in the need for enhanced information security management. It also requires practitioners to untangle the mess and try to bring to account the transgressors. Unrelenting attacks against computing devices and network servers are increasing and serve as the medium from which to exploit a wide range of victims, often based in another country. Computers and networks, however, are rich in information of evidentiary value that can assist practitioners in reconstructing transgressions.
Digital forensics emerged in response to the escalation of crimes committed by the use of computer systems as either an object of a crime, an instrument used to commit a crime, or a repository of evidence related to a crime. The requirements of investigating and examining digital evidence while at the same time ensuring that the integrity of original evidence remains unaltered were quickly identified as important functions.
In the 1980s, it became apparent that, similar to other developments such as DNA evidence and advances in molecular analysis, a new discipline was emerging: digital forensics. As computers became affordable, relatively easy to use, and interconnected through local and wide area networks, computer crime emerged in tandem with the wonders offered by cyberspace.
Traditional laws became outdated, even by legal standards. Questions were raised, for example, as to how the theft of a computer device might be compared with the theft of intangible information copied from a computer and used without lawful authority. The information may remain on the computer although it has been copied without the owner's permission, yet the thief assumes permanent, albeit shared, ownership of the information.
Theft traditionally has a key element of transportability facilitating the permanent removal of tangible property. The file is there and then it is not, yet it is an intangible object stored on a computer. The copying process may well leave the original file information on the device, but it has been stolen from the point of view of its owner. Is copying theft or misuse of a computer? It is certainly a breach of privacy in most cases, and while there is a perception by an owner that their privacy has been breached, how does one claim so when the information is simply copied but yet to be disseminated? Does stalking a person in the street equate to stalking them online? The original legislation was intended to cover the former, and this raised serious questions as to whether established laws could be used to encompass new computer-based crimes.
Electronic and digital information is held or stored on devices and can be abused through such unauthorized activities. Computer crimes are a cyber version of well-established physical-world crimes. Extortion and threats are not new, but the use of computers to deliver the payload is. There was a call for new legislation to redefine computer-related crime, and largely, these recently introduced laws appear to serve the community well. However, confusion reigns in many jurisdictions as to the meaning of digital information tendered in court, and there is an imprudent tendency among some practitioners and members of the legal fraternity to accept it at face value.
Digital forensics has yet to come of age according to many observers and practitioners and does require a scientific and impartial approach to analyzing digital information, sometimes in isolation if no other evidence is available. The evidence may be required in criminal or civil proceedings as well as in administrative and disciplinary cases. Courts and legal adjudicators expect that in line with more established forensic disciplines, scientific processes and tools will be used to preserve and assist in evidence analysis.
The stages of a digital forensic examination are geared toward the recovery and protection of evidence and a scientific approach to analyzing and interpreting the evidence, validating the evidence, and providing clear and precise forensic reports. Chapter 4, Recovering and Preserving Digital Evidence, and Chapter 6, Selecting and Analyzing Digital Evidence, describe these stages of digital forensic examination.
Digital forensics is a relatively new phenomenon. Computers have been around for many decades and required a small number of staff to input data for processing and then receive the output in hardcopy form. They were regarded as secure information repositories as so few had the expertise and understanding to use the devices. Security was simply not a problem, and computer printouts were readily accepted by courts without issue. However, the advent of cheaper and easier-to-use desktop machines, combined with network systems, changed the security landscape of computing.
During the 1970s, computers were readily available only to large organizations, government departments, and, particularly, defense and intelligence communities using mainframe computers. What forensic activities surrounded these computers is not clear and is shrouded in secrecy.
The origins of digital forensics in the public domain emerged later and may be traced back to as early as 1984, when the FBI laboratory and other law enforcement agencies began developing programs to examine computer evidence. Andrew Rosen wrote the first purpose-built digital forensic tool, Desktop Mountie, for the Canadian police, which he followed up with versions of Expert Witness, EnCase, and SMART. The rapid and almost worldwide acquisition of relatively cheap and easy-to-use desktop computers for personal and work use quickly attracted the attention of transgressors keen to exploit the new technology.
In response to mounting attacks on computers and networks, private organizations and governments began to develop and implement computer security policies and countermeasures. Digital forensics emerged in response to victims of cyberattacks and exploitation realizing that some structure was needed to deal with an escalating problem. Eventually, some established forensic processes emerged in the late eighties, but much of the research and development of digital forensic tools and software was vendor-driven or produced by enthusiastic law enforcement officers with some basic computer knowledge.
Some of the first government agencies with an overt and publicly visible requirement of carrying out forensics on external systems relating to criminal offences were taxation and revenue-collection agencies. It soon became apparent to those struggling to recover digital evidence that a level of specialist knowledge was needed to investigate this new technology.
Unfortunately for the digital forensic practitioner, no specific forensic tools existed in the eighties, which resulted in developers designing their own suites of forensic utilities based on MS-DOS. Many of these forensic software applications have been refined and updated, and persist in use to this day. Data-protection and recovery utility suites of that time that still exist include:
Central Point Software
In 1990, there were 100,000 registered users of Mace Utilities, and Norton's Utilities became one of the most popular utility suites available.
Initially, the only method of preserving evidence available to the forensic examiner was to take a logical backup of files from the evidence disk on magnetic tape. It was hoped that this process would be able to preserve vital file attributes and metadata and then be capable of restoring these files to another disk. This would then allow the practitioner to examine the recovered data manually using command-line file-management software such as these:
Executive Systems, Inc.
Norton Commander (NC)
Appropriate file-viewing software, including the sector imaging method
The size of computer datasets at the time was in the megabyte range, but still sufficiently large to make the process of evidence retrieval a tedious and time-consuming task. There was a call for some forensic standards, guidelines, and definitions to assist digital forensics practitioners as well as an urgent call to revise existing legislation to ensure that newly forming cybercrimes were correctly defined. Sound legislation was overdue to recognize and be effective against old crimes now in a new format.
In the mid-eighties, concerns were raised about the lack of understanding among various legal practitioners and lawmakers, who were failing to address the problems brought about by the increasing reliance on digital evidence in legal proceedings. This was a worldwide phenomenon caused by the dramatic upsurge in computer use and the advent of new devices, including digital mobile phones. Consequently, a coordinated approach was mooted in the USA to assist forensics and legal practitioners in overcoming difficulties encountered with tendering digital evidence.
By the turn of the century, the US and the European Union established a research corpus that would apply scientific processes to find solutions to forensic challenges driven by practitioner needs. Researchers at the time raised concerns about widespread misunderstanding as to the true nature of digital evidence. More worrying to them was the inefficiency and ineffectiveness of some forensic processes used in its recovery, analysis, and subsequent use in legal proceedings.
It was recognized that digital forensic examinations commenced with seeking answers about the identity of suspected transgressors, notably, establishing some digital link between the binary data and the suspect. Although mere possession of a digital computer was generally considered sufficient to link a transgressor to all the data the device contained, concerns were being raised as to the soundness of such assumptions. Would the assumption be valid in the future because of extensive computer networking? Would the data itself be capable of providing clues to the motive of a transgression?
In 1999, digital forensics designer Andrew Rosen appeared for the defense in Clarkson versus Clarkson (Circuit Court for Roanoke County, Virginia: case 3CH 01.00099), where it was eventually determined that the defendant's wife had placed child pornography on his computer and then tried to incriminate him so she could exit the marriage, maintain custody of the children, and marry her new lover. This case caused Rosen to be considered a "traitor" by law enforcement/prosecution-focused practitioners, who were evidently more interested in winning the case than seeking a just outcome.
This set the scene for a dangerous precedent, encouraging some practitioners to assume that the owner and chief user of a computer was the most likely transgressor. In my experience, in the handling of defense cases in criminal trials, the sound identification of other users, who are also potential suspects, has often been paid lip service to. This suggests suspect-driven and not evidence-led examinations, which is hardly an unbiased and scientific approach. This contradicts the concept that the practitioner is the "servant of the court". The nature and special properties of digital evidence are presented in Chapter 3, The Nature and Special Properties of Digital Evidence.
The years from 1999 to 2007 were considered the golden age for digital forensics, when the practitioner could see into the past through the recovery of deleted files and into the criminal mind through the recovery of e-mails and messages, thus enabling practitioners to freeze time and witness transgressions. Digital forensics was once a niche science that primarily supported criminal investigations. Nowadays, digital forensics is routinely incorporated in popular crime shows and novels. The dramatization of digital forensics and considerable exaggeration as to the technical prowess of practitioners and forensic tools is what is described as the Crime Scene Investigation (CSI) syndrome.
In 1984, the FBI had established the Computer Analysis and Response Team (CART) to provide digital forensic support, but it did not become operational until 1991.
Research groups have since been formed to discuss computer forensic science as a discipline, including the need for a standardized approach to examinations. In the USA, these include the following:
Scientific Working Group on Digital Evidence (SWGDE)
Technical Working Group on Digital Evidence (TWGDE)
National Institute of Justice (NIJ)
By 2005, digital forensics still lacked standardization and process, and was understandably heavily oriented toward Windows and, to a lesser extent, standard Linux systems. Even in 2010, while the basic phases involved in digital forensics examinations were well documented, a standardized or widely accepted formal digital forensic model was still considered by some researchers as being in its infancy. To those observers, it was clearly not in the same league as other physical forensic standards such as blood analysis.
In 2008, the International Standard Organization's Joint Technical Committee (ISO/IEC JTC 1) investigated the feasibility of an international standard on digital forensic governance, but to date, there are no ISO/IEC JTC 1 standards that specifically address the issue. There exists, however, an international awareness of problems associated with the variations in the inter-jurisdictional transfer of information relating to legal proceedings (ISO 2009:4).
The digital forensics discipline developed rapidly but to date has very little international standardization regarding processes, procedures, or management, yet it does require governance similar to Information Systems and Information Technology (IS and IT) governance. Recently, some researchers have expressed concern over the intersection between the highly technical digital forensic discipline and the business approach of governance, making digital forensics a highly specialized discipline. There is a feeling of misgiving that few practitioners have sufficient interdisciplinary knowledge of computer, legal, and business aspects. That is perhaps unfair criticism of the majority of practitioners who do remarkable work with limited resources and support.
A conflicting view is that the emergence of organizations such as the High Technology Criminal Investigators Association (HTCIA) and the International Association of Computer Investigative Specialists (IACIS) did lend weight to the forensic process to ensure legal acceptance of digital evidence by ensuring the data is reliable, accurate, verifiable, and complete.
In line with more established forensic disciplines, digital forensics, a comparatively new field, also involves preserving the crime scene in a digital environment. Digital forensics practitioners examine evidence recovered from the complete range of digital devices and networks. This requires some understanding of computer technology, notwithstanding the advent of more automated forensic processes and tools.
Many examinations do not necessarily end in a criminal case and may become part of civil legal action or internal disciplinary procedures. The reverse, of course, is also common, when a civil case can result in criminal prosecution.
Digital forensics falls into three broad categories:
Public investigations: These are state initiated
Private investigations: These are corporate
Individual: These are often in the form of e-discovery
Personnel misconduct investigation requiring digital forensic examinations is an emerging category. Defense and intelligence forensic examinations are considered another category, but they are not covered in this book.
Evidence found on a computer may be presented in a court of law to support accusations of crime or civil action such as:
Murder and acts of violence
Fraud, money laundering, and theft
Involvement with narcotics
Sabotage and record destruction
Pedophilia and cyberstalking
Terrorism and bomb threats
Typically, criminal investigations and prosecutions involve government agencies that work within the framework of criminal law. Law enforcement officers are granted search and seizure powers under relevant criminal laws that enable them to locate and capture devices suspected of being used in crimes or to facilitate them.
Private organizations are not governed by criminal law per se and usually involve litigation disputes and disciplinary investigations involving computers and network systems, which are becoming more frequent. Civil investigations may escalate and become criminal cases. Civil cases rely on civil law, torts, and process, and information may be recovered from the opposing party through civil remedies, notably, "discovery" as well as powers of search and seizure, such as those provided by Anton Piller orders or search orders.
This book looks primarily at digital forensics and, to some extent, civil investigations. However, in my experience, there is no real distinction between criminal and civil examinations when using digital forensics. Each group is looking for the same sort of evidence but arguably to different standards. E-discovery is almost entirely a civil matter as it involves disputes between different organizations, so the concept of evidence is slightly different. I contend that the approach used in the past for e-discovery typically involved a large number of machines, and it can be applied to digital forensics with some refinements as the only way to handle large data volumes. Chapter 5, The Need for Enhanced Forensic Tools, outlines some new software tools capable of processing large datasets, offering some long-overdue support to practitioners working in both environments.
Forensic practitioners not only recover and analyze evidence, but they also present and interpret its meaning to investigators, lawyers, and, ultimately, to the jury. Being a sound analyst is of course a fundamental requirement but practitioners must also be able to communicate with clarity their findings and professional opinion to the layperson. Evidence is blind and cannot speak for itself, so it needs an interpreter to explain what it does or might mean and why it is important to the case, among other things. I spend much time on casework explaining technical matters to the legal teams and juries to ensure that they have a clear understanding of the evidence—a rewarding task when the penny eventually drops!
Under normal circumstances, hearsay evidence is not permitted in courts, and the opinion of witnesses is distinctly prohibited. Expert witnesses and scientific experts, however, may provide opinion based on their extensive practice and research, provided it is restricted to the evidence presented. These privileged witnesses may share with the court any inferences they have made from the evidence they have observed, provided that it is within their sphere of expertise.
Forensic experts are expected to provide information that may help the court form its conclusion, and the expert's subjective opinion may be included. However, it is the court's obligation to form its own opinion or conclusion as to the guilt or innocence of the defendant based on the testimony provided. The forensic practitioner, when acting as a forensic expert, should do no more than provide scientific opinion about the information to help the court form judgmental opinions.
Experts must avoid providing final opinions themselves since sometimes, expert knowledge is not completely certain. Across a range of legal jurisdictions, courts expect forensic practitioners to possess sound understanding of computer technology for their testimony to have any credibility.
The United Kingdom's Civil Procedure Rules (1998) require compliance by all expert witnesses, and Part 35 stipulates that the expert (practitioner) has an overriding duty to help the court and maintain strict impartiality and not to support the engaging party. The rules stipulate that:
The facts used in the expert's report must be true
The expert's opinions must be reasonable and based on current experience of the problem in question
When there is a range of reasonable opinion, the expert is obligated to consider the extent of that range in the report and to acknowledge any matters that might adversely affect the validity of the opinion provided
The expert is obligated to indicate the sources of all the information provided and not to include or exclude anything that has been suggested by others (particularly the instructing lawyers) without forming an independent view
The expert must make it clear that the opinions expressed represent the practitioner's true and complete professional opinion
In 2008, the Council for the Regulation of Forensic Practitioners reiterated these stipulations and added further conditions expected of practitioners (Carroll and Notley 2005):
They must disclose all material they have had access to
They must express their range of opinion on the matter in question
They must explain why they prefer their view to a different view
They must provide the evidence on which their opinion is based
They must not give evidence outside their field of expertise
The United Kingdom's guidance booklet for experts, Disclosure: Experts' Evidence, Case Management and Unused Material, published in 2010 by the Crown Prosecution Service, emphasized the need for practitioners to ensure that due regard be given to any information that points away from, as well as toward, the defendant. The booklet stresses that practitioners must not give expert opinion beyond their area of expertise. The booklet also addresses the independence of the practitioner as well as reiterating the requirement to examine and share exculpatory evidence with the court and other parties.
Case prosecutors in the USA are required to disclose materials in their possession to the defense based on the Brady Rule (Brady versus Maryland, 1963). Under the Brady Rule, the prosecutor is required to disclose any evidence to the defense, including any evidence favorable to the accused (exculpatory evidence), notably "evidence that goes toward negating a defendant's guilt, that would reduce a defendant's potential sentence, or evidence going to the credibility of a witness."
If it were shown that the prosecution failed to disclose such exculpatory evidence under this rule, and prejudice ensued as a result, the evidence would be rejected and suppressed by the court, irrespective of whether the prosecution knew the evidence was in its possession or whether the withholding of the evidence was intentional or inadvertent. However, the defendant would have to prove that the undisclosed evidence was material and show that there was a reasonable prospect that there would be a difference in the outcome of the trial if the prosecutor had shared the evidence.
This is something the digital forensic practitioner must constantly be aware of and comply with during case examination and evidence presentation. Known factors detrimental to the disclosure of digital evidence include the knowledge of exculpatory evidence that would challenge the evidence of an inculpatory or incriminating nature. Practitioners may be employed by the prosecution or defense, but ultimately, they have an overriding duty to the courts to present all relevant facts for or against their clients. It may be a poor legal strategy to disclose information that hurts your own case, but the courts do expect an open and honest exchange of evidence between the parties involved.
Experts must resist common pressure from courts to provide opinion on the probability of guilt or innocence and persist with the contention that their statements of opinion cannot substitute for the opinions of the courts. It is common knowledge that jurors tend to be influenced by practitioners who exude confidence but whose testimony is sometimes biased and mistaken.
There is compelling reasoning to support an evidence-led approach to forensics and investigation. A suspect-led approach is judgmental and often biased to the detriment of those being investigated. Experienced investigators will let the evidence lead and will not let a preoccupation with likely suspects cloud the impartiality of an investigation and affect their judgement unreasonably. The same stratagem must apply to forensic examiners. If for no other reason than to identify the weaknesses in a case, the examiner should always adopt this approach. If the analysis is flawed and reckless, it hardly serves the cause of justice. Kaptein (2009, p. 3) attributes the following statement to United States Supreme Court Associate Justice A. Scalia in the Herrera versus Collins case (506 US 390, 1993): "Mere factual innocence is no reason not to carry out a death sentence properly reached."
However, the late Judge Scalia has been somewhat misquoted here, and I urge you to find more about the meaning behind the statement attributed to him, as is provided at the following website:
On commencement of an examination, practitioners are usually confronted with determining the type of acquisition processes required, then locating the data required to complete the examination, and, most importantly, selecting the appropriate evidence analysis process. Careful planning of the examination is not always supported by existing processes and certainly not for practitioners faced with unfamiliar case types or unusually complex, large-scale cases. In such circumstances, practitioners need to be provided with the correct balance of case background information to assist them with filtering voluminous case information, which may otherwise prove overwhelming.
The examination of larger datasets may make it difficult to characterize the evidence of a crime and clearly define the scope and goals in the absence of tools, standards, or structured support processes. Regrettably, current forensics tools often fail to provide adequate investigatory support to practitioners and may be described as first generation without incorporating any decision support to aid the practitioner.
As early as 2001, the Digital Forensics Research Workshop (DFRWS) observed that practitioners were struggling to understand the daily challenges and dilemmas they faced, notably, missing or unconsidered steps in the investigative approach compared to proven investigative processes existing in more traditional forensic disciplines. The rapid pace of technological advancement together with the changeability of software applications and hardware have in effect compounded the challenges practitioners face.
The procedural inadequacies of digital forensics, in which practitioners were required to collect unprecedentedly large volumes of data in support of investigations, were further hampered by non-standardized analytical procedures and protocols lacking standard terminology. It was apparent then, and remains so to this day, that there was a need for forensic tools to be more carefully crafted to analysis processes. This would then meet the needs of the practitioner by providing more friendly user interfaces to address the problem of training and enhancing practitioner experience.
Better forensics processes were identified early on by researchers as urgently in need of being tested and put through trials in order to overcome the deficiencies in existing practitioner skill levels. Many researchers predicted this would inevitably become increasingly problematic. Their prediction was evidently well founded, as this now appears to be the norm.
Chapter 5, The Need for Enhanced Forensic Tools, emphasizes the redundancy of conventional forensic imaging and the indexing of increasingly larger datasets, and introduces new forensic processes and tools.
Expert witnesses are often challenged by the opposing legal team and their expert, and this is particularly true in cases where digital evidence is being tendered. US courts are especially sensitive to expert testimony relating to digital evidence, and the much-publicized legal case in 1993 between Daubert and Merrell Dow Pharmaceuticals set a precedent for forensic practitioners and the processes and tools they used to recover evidence. The ruling has set a standard of expectation by US courts based on case law where the initial ruling held sway. The Daubert Standard, which replaced earlier case law, requires practitioners to establish their personal expert qualifications and necessitates them validating the reliability and accuracy of the forensic processes and tools they use in recovering evidence.
Digital forensics tools are typically produced to obtain the "lowest-hanging fruit." In other words, they tend to encourage practitioners to look for the evidence that is easiest to identify and recover. Often, these tools do not have the capability to look for or even recognize other less obvious evidence. This issue is described in more detail in Chapter 5, The Need for Enhanced Forensic Tools.
Forensics software certification to confirm forensic soundness is not widely and formally tested. Vendor hype and practitioner willingness to accept untested, open source, and non-validated tools have created a miasma that the legal fraternity should, but cannot usually, see through. Researchers have advocated a structure to measure whether digital evidence meets specific criteria to address the need, applicability, and admissibility of digital forensics practitioners in a given situation, such as the one in the United States based on the Frye test, now replaced by the Daubert Standard.
Forensic practitioners are often confronted with the inefficacy of conventional security processes embedded in computers and networks designed to preserve documents and network functionality; they aren't specifically designed to enhance digital evidence recovery. However, these processes can help in the identification of potential evidence and event reconstruction.
A common difficulty encountered by practitioners is a requirement for them to provide expert testimony to verify whether, for example, network systems provide and have maintained a sound protection of the stored data. Vendor hype used to secure the sale of a network system is not always reflected in them providing reassurance as to the accuracy and completeness of the data stores. Vendors often do not provide sufficient information about the software and networks' ability to protect the integrity of data. Consequently, practitioners are unable to validate the devices to the extent that they could survive legal challenge.
Because of the great number of inherent, technical complexities, it is often impractical for practitioners to determine fully the reliability of computer devices or network systems and provide assurances to the court about the soundness of the processes involved. An ordered process would be helpful for practitioners to ensure that no parts of the examination process were overlooked or were repetitive, thereby ensuring efficacious examinations through time saving and completeness.
During examinations, the practitioner may revisit portions of the evidence to determine its validity, which may require new lines of investigation and further verification of other evidence as circumstances dictate. It is often a tedious process, and frequently, an inordinate amount of time and resources is required to collect and analyze digital evidence. The sheer volume of the cases and the time required for investigation can negate the efficacy of practitioners to reconstruct and provide an accurate interpretation of the evidence.
However, from a pragmatic perspective, the amount of time and effort involved in the digital forensic process should pass the acceptable "reasonableness test", meaning that all possible effort shouldn't be put into finding all conceivable trace evidence and then seizing and analyzing it. This is becoming especially challenging for practitioners as the volume of data to be analyzed becomes enormous and crosses over many networks. In my casework, it is evident that in practice, a gap exists between what is theoretically possible and what is necessary to complete an examination. While in theory there may be a desire to complete analysis of every byte of data, there is rarely any justification in doing so.
Digital forensics, also known as cyber forensics and computer forensics, is generally considered to consist of three roles in one: that of a cyber analyst familiar with the working of computer devices and networks, a detective with knowledge of investigating crime, and a lawyer with a sound understanding of the law and court procedures.
There is a growing cottage industry of self-claimed cyber forensic experts as well as a tendency for mediocrity in the industry. Self-qualified "experts" bamboozle the legal system and are not always challenged, and the truth of their evidence is seldom sought. However, there are basic standards of practitioner professionalism and experience required by computer and information security bodies, the courts, governments, and corporations.
Forensic practitioners involved in the examination of digital crime scenes must assume command of the situation and identify all relevant digital evidence, which must be collated and compiled into a professional report for presentation to the lawyers and ultimately the courts. It is most important that to satisfy a court of law, a digital forensic examination must be legally well founded as well as convincing in the everyday sense. The practitioner must use sound and well-established processes for recovering data from computer storage media and processes that validate its accuracy and reliability.
I am often asked by tertiary students wishing to enter the profession what skills and experience are required to get a head start. Well, saying you like reading books really does not mean you are suited to being a librarian and have all the considerable skills that librarianship entails. So it is with any profession. It really is important to pursue in life what really interests you rather than a passing fancy. What forensic team leaders look for in someone entering the profession without any forensic experience is a real desire to engage with the discipline. An interest in information technology through work or study and holding an information technology tertiary qualification or a BSc in ICT would certainly stand a prospective candidate in good stead.
For a law enforcement officer seeking to specialize in a forensic discipline, they would be expected to have the investigative skills and case experience; an understanding of the law would obviously be advantageous. As such, they would have much to bring to the role if they could also demonstrate some proficiency in and knowledge of computer systems.
It must be stressed that a forensic examiner and an investigator are interchangeable roles and they are often combined roles. Many practitioners will undertake forensic training courses and forensic tool competency training. Others will also publish blogs and even journal papers reflecting their research and involvement in important forensic matters.
Undergraduate courses, typically a three-year course of study, usually include some digital forensics but are predominantly oriented toward computer science and information security. Postgraduate diplomas and certificates based on theory and practical casework offer an effective entrée to the profession. They are cheaper, shorter in duration, and can be offered to graduates and those in law enforcement and investigation professions possessing the basic skills required to gain a position. The procurement of these certifications, provided they are based on sound theory and practical components, is highly recommended. Masters courses in digital forensics are another option but costlier and longer in duration.
I am currently preparing a four-unit graduate certificate course in digital forensics that includes e-discovery and multimedia forensics and can be completed online using virtual crime simulations. The certificate can be a foundation for a graduate diploma and masters in digital forensics. The offering is directed at law enforcement officers and Information and Communications Technology (ICT) graduates wishing to join the discipline and seek some basic theoretical and practical qualifications.
Some of my ablest students entered the profession lacking in field experience, but from the outset, their keen interest in digital forensics, competency in IT studies, and sound results in the experiential forensic training they completed made up for it to some extent. It gave them a solid foundation and cemented their interest in the discipline.
The following examples highlight a small sample of previous cases that rely on digital evidence. Chapter 3, The Nature and Special Properties of Digital Evidence, will describe digital evidence in more detail.
In 2003, Caffrey was acquitted of an offence: the unauthorized modification of computer material by sending data from his computer that shut down the Port of Houston computer servers. This was one of a few cases where a malware defense was accepted by the court without any proof of it controlling the computer. You can find details here:
School teacher Julie Amero had serious charges of the possession of indecent images, which were seen by her students; she was dismissed, thereby avoiding a lengthy jail sentence. The police examination was shown to be faulty, and malware on Amero's computer was thought responsible for the downloading of the indecent files. Refer to these links for details:
A similar case was dismissed when the defendant was able to obtain confirmation from a practitioner that malware was probably responsible for the presence of the indecent files. You will find details here:
Carroll, R. and R. G. Notley. 2005. "Negligence of medical experts." British Medical Journal 330: 1024-1027.
Inman, K. and N. Rudin. 2001. "Principles and Practice of Criminalistics: The Profession of Forensic Science." CRC Press.
Kaptein, H. 2009. "Rigid anarchic principles of evidence and proof: Anomist panaceas against legal pathologies of proceduralism." In Legal Evidence and Proof: Statistics, Stories, Logic, edited by H. Kaptein, H. Prakken, and B. Verheij, 1-3. Ashgate Publishing.
This chapter outlined the nature of forensics, provided a potted history of the development of digital forensics, and defined its purpose in light of more established forensic disciplines. An outline was presented of its value in public and private investigations and the rise and nature of cybercrime. The role of digital forensic practitioners, the skills and experience required, and the challenges they face were provided along with some case studies of digital forensic crime scenes to highlight the topic. The chapter provided not only a brief insight into the challenges the discipline faces but also some solutions to better manage them through enhanced forensic processes and tools that are emerging. Finally, the chapter endeavored to share some basic ideas for those of you considering becoming a practitioner, which you will hopefully find insightful and constructive.
Digital evidence was presented in this chapter and will be described in detail in Chapter 3, The Nature and Special Properties of Digital Evidence. Understanding the qualities of digital evidence, and indeed its vagaries, is essential groundwork for practitioners. Digital evidence can provide a rich treasure chest of clues about a transgression. A clue may be considered a mistake by another name, and finding and interpreting them is what really adds to the excitement of a forensic examination. Analyzing digital evidence can be rewarding, disappointing, and often a frustrating process, but a greater understanding is always gained.
Chapter 2, Hardware and Software Environments, will outline the basic workings of computer hardware and operating systems and applications typically installed on them. It will describe how these environments are used to create, store, and transfer electronic data. An insight will be provided into the workings of computers and storage devices and the location of datasets where digital evidence may be located. This sets the scene for introducing digital evidence and the analytical approach to digital forensics.