Practical Digital Forensics - Richard Boddington - E-Book


Richard Boddington

Description

Get started with the art and science of digital forensics with this practical, hands-on guide!

About This Book

  • Champion the skills of digital forensics by understanding the nature of recovering and preserving digital information which is essential for legal or disciplinary proceedings
  • Explore new and promising forensic processes and tools based on 'disruptive technology' to regain control of caseloads.
  • Richard Boddington, with 10+ years of digital forensics experience, demonstrates real-life scenarios with a pragmatic approach

Who This Book Is For

This book is for anyone who wants to get into the field of digital forensics. Prior knowledge of programming languages (any) will be of great help, but not a compulsory prerequisite.

What You Will Learn

  • Gain familiarity with a range of different digital devices and operating and application systems that store digital evidence.
  • Appreciate and understand the function and capability of forensic processes and tools to locate and recover digital evidence.
  • Develop an understanding of the critical importance of recovering digital evidence in pristine condition and ensuring its safe handling from seizure to tendering it in evidence in court.
  • Recognise the attributes of digital evidence and where it may be hidden or is commonly located on a range of digital devices.
  • Understand the importance and challenge of digital evidence analysis and how it can assist investigations and court cases.
  • Explore emerging technologies and processes that empower forensic practitioners and other stakeholders to harness digital evidence more effectively.

In Detail

Digital forensics is a methodology that draws on various tools, techniques, and programming languages. This book will get you started with digital forensics and then move on to preparing an investigation plan and a toolkit for the investigation.

In this book you will explore new and promising forensic processes and tools based on 'disruptive technology' that offer experienced and budding practitioners the means to regain control of their caseloads. During the course of the book, you will get to know the technical side of digital forensics and the various tools that are needed to perform it. The book begins with a quick insight into the nature of digital evidence, where it is located, and how it can be recovered and forensically examined to assist investigators. It then takes you through a series of chapters that look at the nature and circumstances of digital forensic examinations and explain the processes of evidence recovery and preservation from a range of digital devices, including mobile phones and other media. A range of case studies and simulations will allow you to apply the theory you have learned to real-life situations.

By the end of this book you will have gained a sound insight into digital forensics and its key components.

Style and approach

The book takes the reader through a series of chapters that look at the nature and circumstances of digital forensic examinations and explains the processes of evidence recovery and preservation from a range of digital devices, including mobile phones, and other media. The mystery of digital forensics is swept aside and the reader will gain a quick insight into the nature of digital evidence, where it is located and how it can be recovered and forensically examined to assist investigators.


Page count: 497

Year of publication: 2016




Table of Contents

Practical Digital Forensics
Credits
About the Author
Acknowledgment
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. The Role of Digital Forensics and Its Environment
Understanding the history and purpose of forensics – specifically, digital forensics
The origin of forensics
Locard's exchange principle
The evolution of fingerprint evidence
DNA evidence
The basic stages of forensic examination
Defining digital forensics and its role
Definitions of digital forensics
Looking at the history of digital forensics
The early days
A paucity of reliable digital forensic tools
The legal fraternity's difficulty understanding digital evidence
More recent developments in digital forensics
Studying criminal investigations and cybercrime
Outlining civil investigations and the nature of e-discovery
The role of digital forensic practitioners and the challenges they face
The unique privilege of providing expert evidence and opinion
Issues faced by practitioners due to inadequate forensics processes
Inferior forensics tools confronting practitioners
The inadequate protection of digital information confronting practitioners
The tedium of forensic analysis
Qualities of the digital forensic practitioner
Determining practitioner prerequisites
Case studies
The Aaron Caffrey case – United Kingdom, 2003
The Julie Amero case – Connecticut, 2007
The Michael Fiola case – Massachusetts, 2008
References
Summary
2. Hardware and Software Environments
Describing computers and the nature of digital information
Magnetic hard drives and tapes
Optical media storage devices
Random-access memory (RAM)
Solid-state drive (SSD) storage devices
Network-stored data
The cloud
Operating systems
Connecting the software application to the operating system
Connecting the software application to the operating system and a device
Describing filesystems that contain evidence
The filesystem category
The filename category
The metadata category
The content category
Locating evidence in filesystems
Determining the means of transgression
Determining opportunity to transgress
Determining the motive to transgress
Deciding where to look for possible evidence
Indexing and searching for files
Unallocated data analysis
Explaining password security, encryption, and hidden files
User access to computer devices
Understanding the importance of information confidentiality
Understanding the importance of information integrity
Understanding the importance of information availability
User access security controls
Encrypted devices and files
Case study – linking the evidence to the user
References
Summary
3. The Nature and Special Properties of Digital Evidence
Defining digital evidence
The use of digital evidence
The special characteristics of digital evidence
The circumstantial nature of digital evidence
File metadata and correlation with other evidence
The technical complexities of digital evidence
The malleability of digital evidence
Metadata should not be taken at face value
Recovering files from unallocated space (data carving)
Date and time problems
Determining the value and admissibility of digital evidence
Explaining the evidentiary weight of digital evidence
Understanding the admissibility of digital evidence
Defining the lawful acquisition of digital evidence
Emphasizing the importance of relevance in terms of digital evidence
Outlining the reliability of digital evidence
The importance of the reliability of forensic tools and processes
Evaluating computer/network evidence preservation
Corroborating digital evidence
Case study – linking the evidence to the user
References
Summary
4. Recovering and Preserving Digital Evidence
Understanding the chain of custody
Describing the physical acquisition and safekeeping of digital evidence
Explaining the chain of custody of digital evidence
Outlining the seizure and initial inspection of digital devices
Recovering digital evidence through forensic imaging processes
Dead analysis evidence recovery
Write-blocking hardware
Write-blocking software
Enhancing data preservation during recovery
Recovering remnants of deleted memory
Acquiring digital evidence through live recovery processes
The benefits of live recovery
The challenges of live recovery
The benefits of volatile memory recovery
Isolating the device from external exploits
Outlining the efficacy of existing forensic tools and the emergence of enhanced processes and tools
Standards for digital forensic tools
The reliability of forensic imaging tools to recover and protect digital evidence
Case studies – linking the evidence to the user
References
Summary
5. The Need for Enhanced Forensic Tools
Digital forensics laboratories
The purpose of digital forensics laboratories
Acceptance of, consensus on, and uptake of digital forensics standards
Best practices for digital forensics laboratories
The physical security of digital forensic laboratories
Network and electronic requirements of digital forensic laboratories
Dilemmas presently confronting digital forensics laboratories
Emerging problems confronting practitioners because of increasingly large and widely dispersed datasets
Debunking the myth of forensic imaging
Dilemmas presently confronting digital forensics practitioners
Processes and forensic tools to assist practitioners to deal more effectively with these challenges
E-discovery evidence recovery and preservation
Enhanced digital evidence recovery and preservation
The benefits of enhanced recovery tools in criminal investigations
Empowering non-specialist law enforcement personnel and other stakeholders to become more effective first respondents at digital crime scenes
The challenges facing non-forensic law enforcement agents
Enhancing law enforcement agents as first respondents
The challenges facing IT administrators, legal teams, forensic auditors, and other first respondents
Enhancing IT administrators, legal team members, and other personnel as first respondents
Case study – illustrating the challenges of interrogating large datasets
The setting of the crime
The investigation
The practitioner's brief
The available evidence
The data extraction process
The outcome of the recovery and examination
Conclusion
References
Summary
6. Selecting and Analyzing Digital Evidence
Structured processes to locate and select digital evidence
Locating digital evidence
Search processes
Searching desktops and laptops
Selecting digital evidence
Seeking the truth
More effective forensic tools
Categorizing files
Eliminating superfluous files
Deconstructing files
Searching for files
The Event Analysis tool
The Cloud Analysis tool
The Lead Analysis tool
Analyzing e-mail datasets
Detecting scanned images
Volume Shadow Copy analysis tools
Timelines and other analysis tools
Case study – illustrating the recovery of deleted evidence held in volume shadows
Summary
7. Windows and Other Operating Systems as Sources of Evidence
The Windows Registry and system files and logs as resources of digital evidence
Seeking useful leads within the Registry
Mapping devices through the Registry
Detecting USB removable storage
User activity
Reviewing Most Recently Used and Jump List activity
Detecting wireless connectivity
Observing Windows Event Viewer logs
Recovery of hidden data from a VSS
Examining prefetch files
Pagefiles
Hibernation and sleep files
Detecting steganography
Apple and other operating system structures
Examining Apple operating systems
The Linux operating system
Remote access and malware threats
Remote access
Detecting malware attacks and other exploits
The prevalence of anti-forensics processes and tools
Case study – corroborating evidence using Windows Registry
References
Summary
8. Examining Browsers, E-mails, Messaging Systems, and Mobile Phones
Locating evidence from Internet browsing
Typical web-browsing behavior
Recovering browsing artifacts from slack and unallocated space
Private browsing
Messaging systems
Examining Skype and chat room artifacts
The invisible Internet
E-mail analysis and the processing of large e-mail databases
Recovering e-mails from desktop and laptop computers
Recovering and analyzing e-mails from larger datasets
Searching for scanned files
The growing challenge of evidence recovery from mobile phones and handheld devices
Extracting data from mobile devices
Managing evidence contamination
Concealing illegal activities
Extracting mobile data from the cloud
Analyzing GPS devices and other handheld devices
Case study – mobile phone evidence in a bomb hoax
Summary
9. Validating the Evidence
The nature and problem of unsound digital evidence
Challenges explaining the complexity of digital evidence
The immaturity of the forensic subdiscipline
The ineffective security integrity of computers and networks
Evidence contamination
Impartiality in selecting evidence
Meaning is only clear in context
Faulty case management and evidence validation
The structured and balanced analysis of digital evidence
Developing hypotheses
Modeling arguments
The Toulmin model of argumentation
Formalizing the validation of digital evidence
The perceived benefits of a formalized validation process
Rationale for selection
The conceptual framework of the model
The validation process
Applying Bayesian reasoning to the analysis of validation
The comparative simplicity of the analysis of legal admissibility
More complex components requiring scientific measurement
Determining prior probability
Setting post probabilities
Checking whether the remote access application was running at the time of the transgression
Present limitations and scoping
The presentation of digital evidence
Preparing digital forensics reports
Court appearances
Ethical issues confronting digital forensics practitioners
Case study – presumed unauthorized use of intellectual property
The background to the case
The forensic recovery
The forensic examination
Linking the suspect to the device and the device to the server
Analyzing the downloaded files
Connected storage devices
The illicit copying of data
The outcome
Summary
10. Empowering Practitioners and Other Stakeholders
The evolving nature of digital evidence vis-à-vis the role of the practitioner
Solutions to the challenges posed by new hardware and software
More efficacious evidence recovery and preservation
Challenges posed by communication media and the cloud
Mobile phone evidence recovery
The cloud - convenient for users but problematic for practitioners
The need for effective evidence processing and validation
Contingency planning
References
Summary
Index

Practical Digital Forensics


Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: May 2016

Production reference: 1200516

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78588-710-9

www.packtpub.com

Credits

Author

Richard Boddington

Reviewer

Colin J. Armstrong

Commissioning Editor

Veena Pagare

Acquisition Editor

Divya Poojari

Content Development Editor

Sanjeet Rao

Technical Editor

Vishal K. Mewada

Copy Editor

Madhusudan Uchil

Project Coordinator

Judie Jose

Proofreader

Safis Editing

Indexer

Hemangini Bari

Graphics

Jason Monteiro

Production Coordinator

Aparna Bhagat

Cover Work

Aparna Bhagat

About the Author

Richard Boddington commenced general policing with the London Metropolitan Police in 1968 and joined the Royal Hong Kong Police in 1971, later serving as a chief inspector in the Special Branch. In 1980, Richard moved to Australia and worked as a desk officer and case officer with the Australian Security Intelligence Organization. He later worked in several federal and state government agencies, including the Western Australia Department of Treasury and Finance, as a senior intelligence officer.

In 2008, he commenced developing and coordinating information security and digital forensics undergraduate and postgraduate courses at Murdoch University, where he was responsible for the creation of a digital forensic and information security degree offering. He provided a unique online virtual digital forensics unit for postgraduate students at the University of Western Australia in 2014.

Between 1991 and 2015, Richard was a security analyst and digital forensic practitioner, providing independent consultancy services for legal practitioners and organizations requiring independent digital forensic examinations and reports. This included analyzing case evidence in criminal and civil cases heard at Magistrate, District and Commonwealth Courts. His work included the compilation of digital forensic reports and testifying as an expert witness on complex technical matters to assist the jury in understanding digital evidence presented during trial.

Recent forensic examinations undertaken by him include analyzing digital evidence recovered from computers, mobile phones, and other digital devices and then preparing expert testimony relating to a broad range of criminal and civil cases, including:

  • Child pornography and child exploitation
  • Cyberstalking
  • Aggravated burglary and false imprisonment
  • Analysis of CCTV video digital evidence of assault and rape cases
  • Alleged homicide, suicide, and other crimes of violence
  • Bomb threats
  • Family law disputes and Australian Vietnamese Relief Organization (AVRO) breaches
  • Workers' compensation disputes
  • Suspected forgery or manipulation of digital video and mobile phone evidence
  • Industrial espionage and sabotage and intellectual property theft

Since 2015, Richard has continued his digital forensics examinations on behalf of TSW Analytical Pty Ltd in Western Australia, where he now heads the Digital Forensics and Data Recovery Team.

He is also the General Manager for Research and Training at eReveal Technologies Pty Ltd (TSW Global Company) and is responsible for designing and coordinating online digital forensics, multimedia forensics, and e-discovery training courses for a broad range of organizations.

Richard is presently developing an online digital forensics and e-discovery academic postgraduate course for the evolving Institute for Applied Forensic Science, associated with TSW Analytical, as part of broader postgraduate forensic course offerings in Australasia and overseas.

In 2010, Richard authored two digital forensics chapters in Digital Business Security Development: Management Technologies. He has also written a number of journal articles on the validation of digital evidence, his ongoing research area.

In 2015, he authored an online video cast series, Emerging Forensic Tools for Locating and Analyzing Digital Evidence, on behalf of IGI Global Video Lecture E-Access Videos (http://www.igi-global.com/video/emerging-forensic-tools-locating-analyzing/134946).

Acknowledgment

I would like to acknowledge the constant love, support, and faith shown to me from my beautiful wife, Meiling, and our close family unit, which has helped me throughout my research and writing of the book, which I now dedicate to them.

The inspiration, technical brilliance, and forensic expertise of Jim Baker of Xtremeforensics and my colleague-at-arms, Dr. Richard Adams, have been the driving force behind my renewed dedication to digital forensics that has resulted in the writing of this book. James McCutcheon's leading work in testing forensic image containers was inspirational and I am pleased to share some of his grossly unrecognized research along with Dr. Adams' work on the ADAMS model. I hope some small but important mention of their work in this book goes some way to publicizing their research. I hope it will encourage other like-minded practitioners to get involved in some really helpful and needed research for the discipline.

Dr. Colin Armstrong's help in the technical review of the book has always been positive and encouraging and helped me reach my final goal, and I thank Colin for his time and constructive feedback to the publishers.

Finally, I am grateful for the support and encouragement from the academics and forensic practitioners and technicians at TSW, who had implicit faith in my forensic experience and provided me with a supportive environment in which to complete the book.

About the Reviewer

Colin J. Armstrong has extensive business experience in communications and information technology, information systems and services, security, and forensic science education, spanning the aviation, transport, hotel and catering, tertiary education, and charitable industries. His experience derives not only from industry roles but also from studies leading to bachelor's, master's, and doctoral degrees, participation in the Australian Standards Expert Committee, membership of various professional industry bodies, board memberships, and company directorships.

www.PacktPub.com

eBooks, discount offers, and more

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

  • Fully searchable across every book published by Packt
  • Copy and paste, print, and bookmark content
  • On demand and accessible via a web browser

Preface

This book will provide you with a clear understanding of digital forensics, from its relatively recent emergence as a sub-discipline of forensics to its rapidly growing importance alongside the more established forensic disciplines. It will enable you to gain a clear understanding of the role of digital forensics practitioners and their vital work in cybercrime and corporate environments, where they recover evidence of criminal offences and civil transgressions. Examples of real case studies of digital crime scenes will help you understand the complexity typical of many cases and the challenges digital evidence analysis poses to practitioners.

During the past 10 years or so, there has been a growing interest in digital forensics as part of tertiary courses and as a career path in law enforcement and corporate investigations. New technologies and forensic processes have developed to meet the growing number of cases relying on digital evidence. However, it has been apparent that the increasing complexity, size, and number of cases is creating problems for practitioners, who also face resource and costing restrictions and a shortage of well-trained and experienced personnel. The book will describe these challenges and offer some solutions, which hopefully will assist and empower current and prospective practitioners to manage problems more effectively in the future.

These are truly exciting and challenging times for practitioners seeking to enhance their skills and experience in recovering evidence and assisting the legal fraternity in making sense of their important findings. For those wishing to enter the discipline, they do so at a time when banality, complacency, and fatigue are disappointingly quite common. The enthusiasm of entering the profession can rapidly dissipate because of tedium and heavy caseloads, notwithstanding the inherently exciting and important nature of the work. Presented in this book are new and more effective ways to reduce tedium and time wastage, reinvigorate practitioners, and restore the excitement of the hunt for evidence heralded by fresh winds of change.

What this book covers

Chapter 1, The Role of Digital Forensics and Its Environment, describes the digital forensics environment—an emerging discipline within the broader field of forensic science. It outlines the main digital forensics environments of criminal and civil law cases and describes the role of digital forensics practitioners.

Chapter 2, Hardware and Software Environments, presents the basic working of computer hardware, operating systems, and application software and describes the nature of recovered digital evidence. A basic introduction to filesystems and files commonly recovered during forensics examination is given as well as an insight into file encryption and password protection.

Chapter 3, The Nature and Special Properties of Digital Evidence, describes the special characteristics of digital evidence, including the nature of files, file metadata, and timestamps, which form an essential part in the reconstruction of suspected offences. The complex nature of digital evidence is introduced, and the expectations of the courts as to its admissibility in legal hearings are explained.

Chapter 4, Recovering and Preserving Digital Evidence, explains the importance of preserving digital evidence in accordance with legal conventions. It describes forensic recovery processes and tools used to acquire digital evidence without undue contamination under different forensic conditions.

Chapter 5, The Need for Enhanced Forensic Tools, emphasizes the redundancy of conventional forensic imaging and the indexing of increasingly larger datasets and introduces new forensic processes and tools to assist in sounder evidence recovery and better use of resources. The chapter introduces the disruptive technology now challenging established digital forensic responses and the overreliance on forensic specialists, who are themselves becoming swamped with heavier caseloads and larger, more disparate datasets.

Chapter 6, Selecting and Analyzing Digital Evidence, introduces the structure of digital forensic examinations of digital information through the iterative and interactive stages of selecting and analyzing digital evidence that may be used in legal proceedings. The chapter introduces the stages of digital evidence selection and analysis in line with acceptable forensic standards.

Chapter 7, Windows and Other Operating Systems as Sources of Evidence, provides you with an understanding of the complexity and nature of information processed on computers that assist forensic examinations. The chapter looks at the structure of typical Windows, Apple, and other operating systems to facilitate the recreation of key events relating to the presence of recovered digital evidence. It touches on malware attacks and the problems encountered with anti-forensics tactics used by transgressors.

Chapter 8, Examining Browsers, E-mails, Messaging Systems, and Mobile Phones, looks at Internet browsers, e-mail and messaging systems, mobile phones and other handheld devices, and the processes of locating and recovering digital evidence relating to records of personal communications such as e-mails, browsing records, and mobile phone data. The value of extracting and examining communications between persons of interest stored on computers and mobile phones is described.

Chapter 9, Validating the Evidence, emphasizes the importance of validating digital evidence to ensure that as thorough as possible an examination of the evidence is undertaken to test its authenticity, relevance, and reliability. Some common pitfalls that diminish the admissibility of digital evidence, as well as its evidentiary weight or value, are discussed, as is the need for open-minded and unbiased testing and checking of evidence to be a routine matter. The presentation of digital evidence and the role of the forensic expert are outlined in the chapter.

Chapter 10, Empowering Practitioners and Other Stakeholders, provides a summary of the book and reflects on the changes presently occurring within the discipline. It offers some new processes and tools that enhance the work of practitioners and reduce the time spent on each case as well as untangling the complexity of analyzing large datasets.

What you need for this book

No software is required for the book.

Who this book is for

This book is for anyone who wants to get into the field of digital forensics. Prior knowledge of programming languages may be helpful but is not a compulsory prerequisite. This is a helpful guide for readers contemplating becoming a digital forensic practitioner and others wishing to understand the nature of recovering and preserving digital information that may be required for legal or disciplinary proceedings. The book will appeal to a range of readers requiring a fundamental understanding of this rapidly evolving discipline, including:

  • Police, law enforcement, and government investigative bodies
  • Corporate investigators
  • Banking, business, and forensic auditors
  • Security managers and investigators
  • IT security professionals
  • Taxation compliance investigators
  • Defense and intelligence personnel
  • The legal fraternity and criminologists

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "MS Word document, a file denoted by the .docx extension."

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "The exact view of the file is shown in the following screenshot, which displays the Properties sheet."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail <[email protected]>, and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/PracticalDigitalForensics_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at <[email protected]>, and we will do our best to address the problem.

Chapter 1. The Role of Digital Forensics and Its Environment

The purpose of this book is to provide you with a clear understanding of digital forensics from its relatively recent emergence as a subdiscipline of forensics to its rapidly growing importance alongside the more established forensic disciplines. This chapter will enable you to gain a clear understanding of the role of digital forensic practitioners and the cybercrime and corporate environments, where they are actively seeking evidence of crimes and civil offences. A small sample of case studies of digital crime scenes will enable you to understand the complexity typical of many cases and the challenges posed to the forensic practitioner.

During the past 10 years or so, there has been a growing interest in digital forensics as a part of tertiary courses and as a career path in law enforcement and corporate investigations. New technologies and forensic processes have developed to meet the growing number of cases relying on digital evidence. However, it has been apparent that the increasing complexity, size, and number of cases are creating problems for practitioners, who also face resource and costing restrictions as well as a shortage of well-trained, experienced personnel. The book will describe these challenges and offer some solutions that have helped me in my practice and research endeavors, and which will hopefully assist and empower current and prospective practitioners to manage problems more effectively in the future.

Inherent security problems associated with personal computers, tied to their popularity in the workplace, have spawned new problems for law enforcement. For example, organizations undertaking criminal investigations or completing internal audits typically encounter the tedious examination of computer records to recover digital evidence. Such examinations urgently require new forensic processes and tools to help practitioners complete their examinations more effectively.

These are exciting times for those practitioners seeking to enhance their important role in assisting the legal fraternity. Those wishing to join the discipline will be doing so at a time when practitioners are at a crossroads in terms of changes affecting evidence recovery and management. Banality, complacency, and fatigue are common within the discipline, and the enthusiasm of entering the profession can rapidly dissipate because of the tedium and heavy caseloads, notwithstanding the inherently exciting and important nature of the work. What will be shared with you are new and more effective ways of reducing tedium and time wastage, reinvigorating practitioners, and restoring the excitement of the hunt for evidence, heralded by the gentle winds of change sweeping across the discipline that will eventually turn into a whirlwind if some challenges are left unattended.

The following topics will be covered in the chapter:

  * An outline of the history and purpose of forensics and, specifically, digital forensics
  * Definitions of the discipline and its role vis-à-vis more established forensic disciplines
  * Descriptions of criminal investigations and the rise and nature of cybercrime
  * An outline of civil investigations and the nature of e-discovery, disputes, and personnel disciplinary investigations
  * An insight into the role of digital forensic practitioners, the skills and experience required, and the challenges confronting them
  * A presentation of case studies of noteworthy digital forensic crime scenes to highlight the topic

Understanding the history and purpose of forensics – specifically, digital forensics

Forensic evidence is used in courts of law or in legal adjudication, although some purists do not see forensics as a science. The term could be misleading but may be applied to the technologies related to specific sciences rather than the science itself. There are areas of specialization in forensics, such as questioned document expert, forensic dentist, civil engineer, auto crash investigator, entomologist, fingerprint expert, and crime scene reconstruction expert.

The origin of forensics

In 1879, Paris police clerk Alphonse Bertillon introduced a process of documenting crime scenes by photographing corpses and other evidence left behind at the scene. Bertillon's novel photographic records of crime scenes and his precise cataloging and measurement of corpses provided the foundation for the forensic science relating to sudden deaths and homicides. It assisted in the identification of the deceased and provided important information during postmortems to assist in determining the circumstances of the events leading up to the death of the deceased.

Bertillon espoused a radical notion in criminal investigation at the time, positing that science and logic should be used to investigate and solve crime. His scientific work greatly influenced one of his followers, Edmond Locard.

Locard's exchange principle

Locard's exchange principle is a fundamental forensic tenet based on the common exchange of physical traces at a crime scene. For example, fingerprints or DNA traces may be left at the scene, or gunpowder residue from a gunshot may spread onto an attacker's clothes. Although circumstantial by nature, these traces help reconstruct what occurred at the crime scene and may identify those present. We will see how this principle also applies to digital forensics throughout the book.

Within the following quotation is found an oft-cited principle: "A criminal action of an individual cannot occur without leaving a mark," or, more succinctly, "Every contact leaves a trace." Inman and Rudin (2001, p. 44) more meaningfully assert that no one can act with the force that the criminal act requires without leaving behind numerous signs of it: either the wrongdoer has left signs at the scene of the crime or, on the other hand, has taken away with him—on his person or clothes—indications of where he has been or what he has done.

Although forensic analysis has developed considerably since the time of Bertillon and Locard, they introduced three core concepts that were major advancements in criminal justice and assist investigators—notably, crime scene documentation, suspect identification, and the discipline of trace analysis.

Unless there is some actual evidence, no hypothesis is of any use and it is as if there had been no crime. Unless a perpetrator may be identified through some valid process and placed at the crime scene via unadulterated evidence, the case cannot ultimately be solved. These principles are foremost in forensics and, of course, apply just as importantly to digital forensic examinations.

The evolution of fingerprint evidence

The next milestone in forensic science relates to fingerprint evidence. Fingerprints have been used on Chinese legal documents for centuries as a proof of identity and the authenticity of the documents. However, it was not until the end of the nineteenth century that Edward Henry devised a workable classification system and implemented it in India in 1897, publishing his book, Classification and Uses of Fingerprints, in 1900. The following year, Henry's classification was introduced to the London Metropolitan Police; later that year, it was fully functional at the Fingerprint Office at New Scotland Yard, with the first court conviction by fingerprint evidence being obtained in 1902.

However, the reliability of fingerprint evidence has recently been challenged in a number of jurisdictions, with concerns over the lack of valid standards for evaluating whether two prints match. No uniform process exists for determining a sound basis for confirming identification based on fingerprint examinations. Some examiners rely on counting the number of similar ridge characteristics on the prints, but there is no fixed requirement about the number of points of similarity, and this varies significantly in different jurisdictions. Some courts in the USA have gone as far as to state that fingerprint identification is not based on sound forensic science principles. Similar criticism about the lack of standardization and scientific research has been directed at digital forensics, a far newer discipline.

DNA evidence

Through recent scientific developments, deoxyribonucleic acid (DNA) is used to determine the inherited characteristics of each person. DNA evidence can be extracted from a range of samples, such as saliva, used postage stamps and envelopes, dental floss, used razors, hair, clothing, and, more recently, fingerprints. This form of evidence has gained much publicity, with DNA samples recovered from a crime scene being compared with a sample from a suspect to establish a reliable and compelling match between the two. DNA evidence was first used to secure a conviction by matching samples recovered from the scene and obtained from the suspect in Florida in 1987. Since then, it has brought to account many transgressors who might otherwise have remained beyond the reach of the law. It has also been used in "cold cases", proving the innocence of many wrongly convicted persons.

Because of the complexity of DNA evidence, juries were at first hesitant to accept DNA evidence as conclusive. As the discipline evolved, DNA evidence became more readily accepted in court. More recently, courts have been confronted with challenges to DNA evidence. Defense lawyers have claimed that DNA was planted at the scene to implicate the defendant or that the forensic collection or examination of the sample contaminated the evidence, rendering it inadmissible.

The probability of a sound match between the suspect and the crime scene sample has been questioned by the phenomenon of touch DNA: genetic material left behind on many surfaces by ordinary contact. An innocent party's DNA can be transferred to the offender's hand through a handshake and from there, inadvertently, onto the murder weapon. Through this form of secondary transfer, up to 85% of swabs have recovered traces of persons who never handled the weapons in question.

The onus is now squarely placed on the practitioner to determine the relevance of recovered samples and the history of how they got onto the artifacts recovered from the crime scene. It is also incumbent on practitioners to assist in determining the antecedents of recovered DNA to ensure the evidence does not implicate innocent parties. Evidence only tells part of the story. The fact that DNA is found at a location and/or on an implement only tells us that that is where DNA was found. It tells little else. It does not always tell when the person was there, nor does it guarantee that the person was there; only that their DNA was found to be there. It does not tell us what they were doing if it is established that they were in fact present. All too often, evidence is just evidence and we interpret the results to meet our expectations or achieve our desired outcomes. The problems created by cross-contamination of evidence in the context of digital forensics are discussed in greater detail in Chapter 4, Recovering and Preserving Digital Evidence.

The basic stages of forensic examination

Some order is required when commencing any type of investigation, and forensic science has some key objectives that must be met. Preserving the crime scene is the primary objective because if the evidence is contaminated, lost, or simply not identified and overlooked, then all that follows may be of limited value to the investigators putting together the case evidence.

Recognizing the evidence and identifying where it is located and knowing just where to look can only enhance the outcome of an examination. This requires practitioner skills, knowledge, and experience. Once located, evidence needs to be collated and classified. This brings order to the examination and makes it easier for practitioners to ensure that nothing is overlooked and that the inclusion of recovered artifacts is correctly classified as relevant evidence.

Evidence cannot be viewed in isolation and should be compared with other evidence, and corroborating evidence should be identified. Then it should be described in scientific terms that can highlight the evidence with clarity so that a helpful reconstruction of the events may be presented.

Digital forensics is still in its infancy, and non-standardized processes are common in some civil and criminal investigation agencies. Standards, if they do exist, vary significantly in different jurisdictions. Various digital forensic investigation models are in use, showing slightly different stages in the examination process; however, there is no universal standard model used by practitioners.

Injustices based on faulty or mischievous forensic evidence are not a recent phenomenon. In the United Kingdom, during the past 30 years, for example, some high-profile injustices occurred, including the cases of the Birmingham Six, the Guildford Four, and the Sally Clark case, based on the ineptitude of the expert. Background information on the Clark case may be accessed at http://netk.net.au/UK/SallyClark1.asp.

These and similar cases that resulted in the conviction of innocent persons cast serious questions on the credibility and authority of forensic practitioners and their expert evidence. Forensic issues surrounding the Azaria Chamberlain case at Ayers Rock, more than 30 years ago, had profound implications on the quality of forensic practices here in Australia and had repercussions in other jurisdictions.

Defining digital forensics and its role

Digital evidence is progressively being used in legal proceedings and has been subject to scrutiny by the courts. This places an onerous burden on digital forensic practitioners to endeavor to present reliable evidence and sound analyses of their findings, which may also be useful to establish and test precedents for future court rulings. The dramatic increase in desktop computing and proliferation of cyber-based crime that exploits network systems has resulted in the need for enhanced information security management. It also requires practitioners to untangle the mess and try to bring to account the transgressors. Unrelenting attacks against computing devices and network servers are increasing and serve as the medium from which to exploit a wide range of victims, often based in another country. Computers and networks, however, are rich in information of evidentiary value that can assist practitioners in reconstructing transgressions.

Digital forensics emerged in response to the escalation of crimes committed by the use of computer systems as either an object of a crime, an instrument used to commit a crime, or a repository of evidence related to a crime. The requirements of investigating and examining digital evidence while at the same time ensuring that the integrity of original evidence remains unaltered were quickly identified as important functions.

Definitions of digital forensics

In the 1980s, it became apparent that similar to other developments such as DNA evidence and advances in molecular analysis, a new discipline was emerging: digital forensics. As computers became affordable, relatively easy to use, and were interconnected through local and wide area networks, computer crime emerged in tandem with the wonders offered by cyberspace.

Traditional laws became outdated, even by legal standards. Questions were raised, for example, as to how the theft of a computer device might be compared with the theft of intangible information copied from a computer and used without lawful authority. The information may remain on the computer although it has been copied without the owner's permission, yet the thief assumes permanent, albeit shared, ownership of the information.

Theft traditionally has a key element of transportability facilitating the permanent removal of tangible property. The file is there and then it is not, yet it is an intangible object stored on a computer. The copying process may well leave the original file information on the device, but it has been stolen from the point of view of its owner. Is copying theft or misuse of a computer? It is certainly a breach of privacy in most cases, and while there is a perception by an owner that their privacy has been breached, how does one claim so when the information is simply copied but yet to be disseminated? Does stalking a person in the street equate to stalking them online? The original legislation was intended to cover the former, and this raised serious questions as to whether established laws could be used to encompass new computer-based crimes.

Electronic and digital information is held or stored on devices and can be abused through such unauthorized activities. Computer crimes are a cyber version of well-established physical-world crimes. Extortion and threats are not new, but the use of computers to deliver the payload is. There was a call for new legislation to redefine computer-related crime, and largely, these recently introduced laws appear to serve the community well. However, confusion reigns in many jurisdictions as to the meaning of digital information tendered in court and an imprudent tendency of some practitioners and members of the legal fraternity to accept it at face value.

Digital forensics has yet to come of age according to many observers and practitioners and does require a scientific and impartial approach to analyzing digital information, sometimes in isolation if no other evidence is available. The evidence may be required in criminal or civil proceedings as well as in administrative and disciplinary cases. Courts and legal adjudicators expect that in line with more established forensic disciplines, scientific processes and tools will be used to preserve and assist in evidence analysis.

The stages of a digital forensic examination are geared toward the recovery and protection of evidence and a scientific approach to analyzing and interpreting the evidence, validating the evidence, and providing clear and precise forensic reports. Chapter 4, Recovering and Preserving Digital Evidence, and Chapter 6, Selecting and Analyzing Digital Evidence, describe these stages of digital forensic examination.

Looking at the history of digital forensics

Digital forensics is a relatively new phenomenon. Computers have been around for many decades and required a small number of staff to input data for processing and then receive the output in hardcopy form. They were regarded as secure information repositories as so few had the expertise and understanding to use the devices. Security was simply not a problem, and computer printouts were readily accepted by courts without issue. However, the advent of cheaper and easier-to-use desktop machines, combined with network systems, changed the security landscape of computing.

The early days

During the 1970s, computers were not readily available to all but large organizations, government departments, and, particularly, defense and intelligence communities using mainframe computers. What forensic activities surrounded these computers is not clear and is shrouded in secrecy.

The origins of digital forensics in the public domain emerged later and may be traced back to as early as 1984, when the FBI laboratory and other law enforcement agencies began developing programs to examine computer evidence. Andrew Rosen wrote the first purpose-built digital forensic tool, Desktop Mountie, for the Canadian police, which he followed up with versions of Expert Witness, Encase, and SMART. The rapid and almost worldwide acquisition of relatively cheap and easy-to-use desktop computers for personal and work use quickly attracted the attention of transgressors keen to exploit the new technology.

In response to mounting attacks on computers and networks, private organizations and governments began to develop and implement computer security policies and countermeasures. Digital forensics emerged in response to victims of cyberattacks and exploitation realizing that some structure was needed to deal with an escalating problem. Eventually, some established forensic processes emerged in the late eighties, but much of the research and development of digital forensic tools and software was vendor-driven or produced by enthusiastic law enforcement officers with some basic computer knowledge.

Some of the first government agencies with an overt and publicly visible requirement of carrying out forensics on external systems relating to criminal offences were taxation and revenue-collection agencies. It soon became apparent to those struggling to recover digital evidence that a level of specialist knowledge was needed to investigate this new technology.

A paucity of reliable digital forensic tools

Unfortunately for the digital forensic practitioner, no specific forensic tools existed in the eighties, which resulted in developers designing their own suites of forensic utilities based on MS-DOS. Many of these forensic software applications have been refined and updated, and persist in use to this day. Data-protection and recovery utility suites of that time that still exist include:

  * Norton's Utilities
  * Central Point Software PC Tools
  * Mace Utilities

Note

In 1990, there were 100,000 registered users of Mace Utilities, and Norton's Utilities became one of the most popular utility suites available.

Initially, the only method of preserving evidence available to the forensic examiner was to take a logical backup of files from the evidence disk on magnetic tape. It was hoped that this process would be able to preserve vital file attributes and metadata and then be capable of restoring these files to another disk. This would then allow the practitioner to examine the recovered data manually using command-line file-management software such as these:

  * Executive Systems, Inc. XTree Gold
  * Norton Commander (NC)
  * Appropriate file-viewing software, including the sector imaging method
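The stages described earlier (preserve first, then locate, classify, and validate) and the hope expressed above that a logical backup would preserve file attributes and metadata both come down to one check a practitioner wants to run: record what the original looked like before anything is copied, then measure what the copy actually kept. The following Python script is an added example, not code from the book or from any of the tools listed above. It builds a manifest of SHA-256 hashes and filesystem metadata for a source directory, copies a file two different ways, and reports which recorded attributes survived each copy. The directory layout, the filename letter.docx, its contents, and its backdated modification time of 2000-01-01 are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record a hash and the filesystem metadata of every regular file under root.
    This must be done on the source: ctime in particular cannot be set by any
    copying tool, so it survives only if it is written down here."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "atime_ns": st.st_atime_ns,
                "ctime_ns": st.st_ctime_ns,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return manifest


def verify_copy(src_manifest: dict, dst_root: Path) -> dict:
    """Compare a logical copy against the source manifest.
    For each file, report whether the content hash, size, mtime and mode still
    match the source; a file missing from the copy reports present=False."""
    report = {}
    for rel, rec in src_manifest.items():
        p = dst_root / rel
        if not p.is_file():
            report[rel] = {"present": False}
            continue
        st = p.stat()
        report[rel] = {
            "present": True,
            "sha256": sha256_file(p) == rec["sha256"],
            "size": st.st_size == rec["size"],
            "mtime": st.st_mtime_ns == rec["mtime_ns"],
            "mode": stat.S_IMODE(st.st_mode) == rec["mode"],
        }
    return report


def demo() -> tuple:
    """Constructed scenario (not real evidence): one file copied two ways.
    Returns (report for a content-only copy, report for a metadata-preserving copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence"
        src.mkdir()
        doc = src / "letter.docx"  # hypothetical filename
        doc.write_bytes(b"constructed sample content for the demonstration\n")
        # Backdate the source so that a timestamp reset by the copy is visible.
        backdated = 946684800  # 2000-01-01T00:00:00Z, an assumed last-modified time
        os.utime(doc, (backdated, backdated))
        manifest = build_manifest(src)

        naive = Path(tmp) / "copy_naive"
        naive.mkdir()
        shutil.copyfile(doc, naive / doc.name)  # copies bytes only; mtime is now

        careful = Path(tmp) / "copy_careful"
        careful.mkdir()
        shutil.copy2(doc, careful / doc.name)  # copies bytes, mode and timestamps

        return verify_copy(manifest, naive), verify_copy(manifest, careful)


if __name__ == "__main__":
    for label, report in zip(("content-only copy", "copy2"), demo()):
        print(label, report["letter.docx"])
```

Run it directly to print the two reports. The content-only copy keeps the hash but acquires a fresh modification time, while shutil.copy2 carries mode and timestamps across; neither can restore the original ctime, which is why the manifest is taken from the source before anything is copied, and why a tape-to-disk restore of the kind described above needs such a record to be checked against.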

The size of computer datasets at the time was in the megabyte range, but still sufficiently large to make the process of evidence retrieval a tedious and time-consuming task. There was a call for some forensic standards, guidelines, and definitions to assist digital forensics practitioners as well as an urgent call to revise existing legislation to ensure that newly forming cybercrimes were correctly defined. Sound legislation was overdue to recognize and be effective against old crimes now in a new format.

The legal fraternity's difficulty understanding digital evidence

In the mid-eighties, concerns were raised about the lack of understanding among various legal practitioners and lawmakers for failing to address the problems brought about by the increasing reliance on digital evidence in legal proceedings. This was a worldwide phenomenon caused by the dramatic upsurge in computer use and the advent of new devices, including digital mobile phones. Consequently, a coordinated approach to assist forensics and legal practitioners was mooted in the USA to assist them in overcoming difficulties encountered with tendering digital evidence.

By the turn of the century, the US and the European Union established a research corpus that would apply scientific processes to find solutions to forensic challenges driven by practitioner needs. Researchers at the time raised concerns about widespread misunderstanding as to the true nature of digital evidence. More worrying to them was the inefficiency and ineffectiveness of some forensic processes used in its recovery, analysis, and subsequent use in legal proceedings.

It was recognized that digital forensic examinations commenced with seeking answers about the identity of suspected transgressors, notably, establishing some digital link between the binary data and the suspect. Although mere possession of a digital computer was generally considered sufficient to link a transgressor to all the data the device contained, concerns were being raised as to the soundness of such assumptions. Would the assumption be valid in the future because of extensive computer networking? Would the data itself be capable of providing clues to the motive of a transgression?

In 1999, digital forensics designer Andrew Rosen appeared for the defense in Clarkson versus Clarkson (Circuit Court for Roanoke County, Virginia: case 3CH 01.00099), where it was eventually determined that the defendant's wife had placed child pornography on his computer and then tried to incriminate him so she could exit the marriage, maintain custody of the children, and marry her new lover. This case caused Rosen to be considered a "traitor" by law enforcement/prosecution-focused practitioners, who were evidently more interested in winning the case than seeking a just outcome.

This set the scene for a dangerous precedent, encouraging some practitioners to assume that the owner and chief user of a computer was the most likely transgressor. In my experience, in the handling of defense cases in criminal trials, the sound identification of other users, who are also potential suspects, has often been paid lip service to. This suggests suspect-driven and not evidence-led examinations, which is hardly an unbiased and scientific approach. This contradicts the concept that the practitioner is the "servant of the court". The nature and special properties of digital evidence are presented in Chapter 3, The Nature and Special Properties of Digital Evidence.

More recent developments in digital forensics

The years from 1999 to 2007 were considered the golden age for digital forensics, when the practitioner could see into the past through the recovery of deleted files and into the criminal mind through the recovery of e-mails and messages, thus enabling practitioners to freeze time and witness transgressions. Digital forensics was once a niche science that primarily supported criminal investigations. Nowadays, digital forensics is routinely incorporated in popular crime shows and novels. The dramatization of digital forensics and considerable exaggeration as to the technical prowess of practitioners and forensic tools is what is described as the Crime Scene Investigation (CSI) syndrome.

Note

In 1984, the FBI had established the Computer Analysis and Response Team (CART) to provide digital forensic support, but it did not become operational until 1991.

Research groups have since been formed to discuss computer forensic science as a discipline, including the need for a standardized approach to examinations. In the USA, these include the following:

  * Scientific Working Group on Digital Evidence (SWGDE)
  * Technical Working Group on Digital Evidence (TWGDE)
  * National Institute of Justice (NIJ)

By 2005, digital forensics still lacked standardization and process, and was understandably heavily oriented toward Windows and, to a lesser extent, standard Linux systems. Even in 2010, while the basic phases involved in digital forensics examinations were well documented, a standardized or widely accepted formal digital forensic model was still considered by some researchers as being in its infancy. To those observers, it was clearly not in the same league as other physical forensic standards such as blood analysis.

In 2008, the International Organization for Standardization's Joint Technical Committee (ISO/IEC JTC 1) investigated the feasibility of an international standard on digital forensic governance, but to date, there are no ISO/IEC JTC 1 standards that specifically address the issue. There exists, however, an international awareness of problems associated with the variations in the inter-jurisdictional transfer of information relating to legal proceedings (ISO 2009:4).

The digital forensics discipline developed rapidly but to date has very little international standardization regarding processes, procedures, or management, yet it does require governance similar to Information Systems and Information Technology (IS and IT) governance. Recently, some researchers have expressed concern over the intersection between the highly technical digital forensic discipline and the business approach of governance, making digital forensics a highly specialized discipline. There is a feeling of misgiving that few practitioners have sufficient interdisciplinary knowledge of computer, legal, and business aspects. That is perhaps unfair criticism of the majority of practitioners who do remarkable work with limited resources and support.

A conflicting view is that the emergence of organizations such as the High Technology Crime Investigation Association (HTCIA) and the International Association of Computer Investigative Specialists (IACIS) did lend weight to the forensic process to ensure legal acceptance of digital evidence by ensuring the data is reliable, accurate, verifiable, and complete.

Studying criminal investigations and cybercrime

In line with more established forensic disciplines, digital forensics, a comparatively new field, also involves preserving the crime scene in a digital environment. Digital forensics practitioners examine evidence recovered from the complete range of digital devices and networks. This requires some understanding of computer technology, notwithstanding the advent of more automated forensic processes and tools.

Note

Many examinations do not necessarily end in a criminal case and may become part of civil legal action or internal disciplinary procedures. The reverse, of course, is also common, when a civil case can result in criminal prosecution.

Digital forensics falls into three broad categories:

  * Public investigations: these are state initiated
  * Private investigations: these are corporate
  * Individual: these are often in the form of e-discovery

Personnel misconduct investigations requiring digital forensic examinations are an emerging category. Defense and intelligence forensic examinations are considered another category, but they are not covered in this book.

Evidence found on a computer may be presented in a court of law to support accusations of crime or civil action such as:

  * Murder and acts of violence
  * Fraud, money laundering, and theft
  * Extortion
  * Involvement with narcotics
  * Sabotage and record destruction
  * Pedophilia and cyberstalking
  * Terrorism and bomb threats
  * Family violence

Typically, criminal investigations and prosecutions involve government agencies that work within the framework of criminal law. Law enforcement officers are granted search and seizure powers under relevant criminal laws that enable them to locate and capture devices suspected of being used in crimes or to facilitate them.

Outlining civil investigations and the nature of e-discovery

Private investigations are not governed by criminal law per se; they usually arise from litigation disputes and disciplinary investigations involving computers and network systems, which are becoming more frequent. Civil investigations may escalate and become criminal cases. Civil cases rely on civil law, torts, and process, and information may be recovered from the opposing party through civil remedies, notably "discovery", as well as through powers of search and seizure such as those provided by Anton Piller orders or search orders.

This book looks primarily at digital forensics in criminal investigations and, to some extent, civil investigations. However, in my experience, there is no real distinction between criminal and civil examinations when using digital forensics. Each group is looking for the same sort of evidence, but arguably to different standards. E-discovery is almost entirely a civil matter, as it involves disputes between different organizations, so the concept of evidence is slightly different. I contend that the approach traditionally used in e-discovery, which typically involved a large number of machines, can be applied to digital forensics with some refinements, as it is the only practical way to handle large data volumes. Chapter 5, The Need for Enhanced Forensic Tools, outlines some new software tools capable of processing large datasets, offering some long-overdue support to practitioners working in both environments.

The role of digital forensic practitioners and the challenges they face

Forensic practitioners not only recover and analyze evidence, but they also present and interpret its meaning to investigators, lawyers, and, ultimately, to the jury. Being a sound analyst is of course a fundamental requirement but practitioners must also be able to communicate with clarity their findings and professional opinion to the layperson. Evidence is blind and cannot speak for itself, so it needs an interpreter to explain what it does or might mean and why it is important to the case, among other things. I spend much time on casework explaining technical matters to the legal teams and juries to ensure that they have a clear understanding of the evidence—a rewarding task when the penny eventually drops!

The unique privilege of providing expert evidence and opinion

Under normal circumstances, hearsay evidence is not permitted in courts, and the opinion of witnesses is distinctly prohibited. Expert witnesses and scientific experts, however, may provide opinion based on their extensive practice and research, provided it is restricted to the evidence presented. These privileged witnesses may share with the court any inferences they have made from the evidence they have observed, provided that it is within their sphere of expertise.

Forensic experts are expected to provide information that may help the court form its conclusion, and the expert's subjective opinion may be included. However, it is the court's obligation to form its own opinion or conclusion as to the guilt or innocence of the defendant based on the testimony provided. The forensic practitioner, when acting as a forensic expert, should do no more than provide scientific opinion about the information to help the court form judgmental opinions.

Experts must avoid providing final opinions themselves, since expert knowledge is sometimes not completely certain. Across a range of legal jurisdictions, courts expect forensic practitioners to possess a sound understanding of computer technology for their testimony to have any credibility.

The United Kingdom's Civil Procedure Rules (1998) require compliance by all expert witnesses, and Part 35 stipulates that the expert (practitioner) has an overriding duty to help the court and to maintain strict impartiality, not supporting the engaging party. The rules stipulate that:

* The facts used in the expert's report must be true
* The expert's opinions must be reasonable and based on current experience of the problem in question
* When there is a range of reasonable opinion, the expert is obligated to consider the extent of that range in the report and to acknowledge any matters that might adversely affect the validity of the opinion provided
* The expert is obligated to indicate the sources of all the information provided and not to include or exclude anything that has been suggested by others (particularly the instructing lawyers) without forming an independent view
* The expert must make it clear that the opinions expressed represent the practitioner's true and complete professional opinion

In 2008, the Council for the Registration of Forensic Practitioners reiterated these stipulations and added further conditions expected of practitioners (Carroll and Notley 2005):

* They must disclose all material they have had access to
* They must express their range of opinion on the matter in question
* They must explain why they prefer their view to a different view
* They must provide the evidence on which their opinion is based
* They must not give evidence outside their field of expertise

The United Kingdom's guidance booklet for experts, Disclosure: Experts' Evidence, Case Management and Unused Material, published in 2010 by the Crown Prosecution Service, emphasized the need for practitioners to ensure that due regard be given to any information that points away from, as well as toward, the defendant. The booklet stresses that practitioners must not give expert opinion beyond their area of expertise. The booklet also addresses the independence of the practitioner as well as reiterating the requirement to examine and share exculpatory evidence with the court and other parties.

Case prosecutors in the USA are required to disclose materials in their possession to the defense based on the Brady Rule (Brady versus Maryland, 1963). Under the Brady Rule, the prosecutor is required to disclose any evidence to the defense, including any evidence favorable to the accused (exculpatory evidence), notably "evidence that goes toward negating a defendant's guilt, that would reduce a defendant's potential sentence, or evidence going to the credibility of a witness."