Posted: September 17th, 2017

S3-72 Digital Evidence and Computer Crime, Ch. 4

Cite the reference provided as per APA guidelines.

Check for errors

Provide a 275-word discussion to Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 2e.

Provided below.

Eoghan Casey and Gary Palmer

…the law and the scientific knowledge to which it refers often serve different purposes.
Concerned with ordering men’s conduct in accordance with certain standards, values,
and societal goals, the legal system is a prescriptive and normative one dealing with the
“ought to be”. Much scientific knowledge, on the other hand, is purely descriptive; its
“laws” seek not to control or judge the phenomenon of the real world, but to describe and
explain them in neutral terms.
(Korn 1966)
The goal of any investigation is to uncover and present the truth. Although
this chapter will deal primarily with truth in the form of digital evidence, this
goal is the same for all forms of investigation whether it be in pursuit of
a murderer in the physical world or trying to track a computer intruder
online. As noted in the Introduction, when evidence is presented as truth of
an allegation it can impact on whether people are deprived of their liberties,
and potentially whether they live or die. This is reason enough to use trusted
methodology and technology to ensure that the processing, analysis, and
reporting of evidence are reliable and objective. This chapter describes such
a methodology, based on the scientific method, to help investigators uncover
truths to serve justice. This methodology is designed to assist in the development
of case management tools, Standard Operating Procedures (SOPs),
and final investigative reports. This methodology has grown out of experiences
and discussions in the field, and is believed to be complete and
sufficient in scope. However, every investigation is unique and can bring
unforeseeable challenges, so this methodology should not be viewed as an
end-point but rather as a framework or foundation upon which to build.
The investigative process is part of a larger methodology most often
associated with courts of law shown in Figure 4.1. The process of determining
if wrongdoing has occurred and if punitive measures are warranted is complex
and goes beyond investigative steps normally referred to as “forensic.”
Chapter 4
Digital Evidence and Computer Crime Second Edition Copyright © 2004 Elsevier Ltd
ISBN: 0-12-163104-4 All rights of reproduction in any form reserved Copyright 2004 Elsevier, Inc. All rights reserved.
Licensed to University of Phoenix.
By forensic we mean a characteristic of evidence that satisfies its suitability
for admission as fact and its ability to persuade based upon proof (or high
statistical confidence).
The simplified methodology depicted in Figure 4.1 is provided to help
investigators see the placement of their activities relative to other necessary
events. The investigative process begins with an accusation and progresses
through evidence handling to a clear and precise explanation of facts and
techniques in expert testimony. This linear representation is useful for
structuring procedures and a final report that describes each step of an
investigation to decision makers. In practice, investigations can be non-linear,
such as performing some basic analysis in the collection stage, or returning to
the collection step when analysis leads to additional evidence. Before delving
into this investigative methodology in detail, there are some fundamental
concepts that must be understood.
Trained, experienced investigators will begin by asking themselves a series
of questions aimed at deciding if a crime or infraction has actually occurred.
The answer to these questions will help determine whether or not a full
investigation will proceed or if valuable and limited investigative resources
are better applied to other matters. For instance, when log files indicate
that an employee misused a machine but he adamantly denies it, a digital
investigator should carefully examine the logs for signs of error. Similarly,
when a large amount of data are missing on a computer and an intruder is
suspected, digital investigators should determine if the damage is more
consistent with disk corruption than an intrusion. In one case, a suicide note
on a computer raised concern because it had a creation date after the victim’s
death. It transpired that the computer clock was incorrect and the note
was actually written before the suicide.

Figure 4.1: Overview of case/incident resolution process. (Labels in the
figure: Accusation; Seizure; Law enforcement; Case presentation; Expert
testimony; Cross examination; Closing arguments; of law.)
When these questions are answered affirmatively, the focus shifts toward
determining what happened, where, when, how, who was involved, and why.
The process by which digital evidence is uncovered and applied to these
issues is composed of several steps each employing strict protocols, proven
methods, and, in some cases, trusted tools. More importantly, the success of
this process depends heavily on the experience and skill of the investigators,
evidence examiners and crime scene technicians who must collaborate to
piece the evidence together and develop a convincing account of the offense.
The effectiveness of the investigative process depends upon high levels of
objectivity applied at all stages. Some cases and the nature of the evidence
uncovered (digital or otherwise) will take investigators and forensic examiners
to emotional limits, testing their resolve. Computer security professionals
in the private sector often have to investigate long-time coworkers
and cases in all sectors can involve brutal abuse of innocent victims,
inciting distraught individuals and communities to strike out at the first
available suspect. A good investigator can remain objective in the most
trying situations.
The very traits that make a good investigator or forensic examiner may
lead us to depend on experience in place of individual case-related facts,
resulting in unfounded conclusions. Individuals with inquiring minds and
an enthusiasm for apprehending offenders begin to form theories about
what may have occurred the moment they learn about an alleged crime, even
before examining available evidence. Even experienced investigators
are prone to forming such preconceived theories because they are inclined
to approach a case in the same way as they have approached past cases,
knowing that their previous work was upheld.
Hans Gross, one of this century’s preeminent criminologists, put it best in
the following quotation:
Nothing can be known if nothing has happened; and yet, while still awaiting the
discovery of the criminal, while yet only on the way to the locality of the crime, one
comes unconsciously to formulate a theory doubtless not quite void of foundation but
having only a superficial connection with the reality; you have already heard a similar
story, perhaps you have formerly seen an analogous case; you have had an idea for a
long time that things would turn out in such and such a way. This is enough; the details
of the case are no longer studied with entire freedom of mind. Or a chance suggestion
thrown out by another, a countenance which strikes one, a thousand other fortuitous
incidents, above all losing sight of the association of ideas end in a preconceived
theory, which neither rests on juridical reasoning nor is justified by actual facts.
(Gross 1924, pp. 10–12)
As experience increases and methods employed are verified, the accuracy
of these “predictions” may improve. Conjecture based upon experience has
its place in effective triage but should not be relied upon to the exclusion of
rigorous investigative measures. The investigative process demands that each
case be viewed as unique with its own set of circumstances and exhibits.
Letting the evidence speak for itself is particularly important when offenders
take steps to misdirect investigators by staging a crime scene or concealing
The main risk of developing full hypotheses before closely examining
available evidence is that investigators will impose their preconceptions
during evidence collection and analysis, potentially missing or misinterpreting
a critical clue simply because it does not match their notion of what
occurred. For instance, when recovering a deleted file named “_orn1yr5.gif”
depicting a naked baby, an investigator might impose a first letter of the file
that indicates “porn1yr5.gif” rather than “born1yr5.gif”. Instead, if the
original file name is not recoverable, a neutral character such as “_” should be
used to indicate that the first letter is unknown.
This caveat also applies to the scientific method from which the investigative
process borrows heavily. At the foundation of both is the tenet that no
observation or analysis is free from the possibility of error. Simply trying to
validate an assertion increases the chance of error – the tendency is for the
analysis to be skewed in favor of the hypothesis. Conversely, by developing
many theories, an investigator is owned by none and by seeking evidence to
disprove each hypothesis, the likelihood of objective analysis increases
(Popper 1959). Therefore, the most effective way to counteract preconceived
theories is to employ a methodology that compels us to find flaws in our
theories, a practice known as falsification.
As an example, as an investigation progresses a prime suspect may emerge.
Although it is an investigator’s duty to champion the truth, investigators must
resist the urge to formally assert that an individual is guilty. A common
misdeed is to use a verification methodology, focusing on a likely suspect and
trying to fit the evidence around that individual. When a prime suspect has
been identified and a theory of the offense has been formed, experienced
investigators will try to prove themselves wrong. Implicating an individual is
not the job of investigators – this is for the courts to decide and unlike
scientific truth, legal truth is negotiable.
For instance, in common law countries, the standard of proof for criminal
prosecutions is beyond a reasonable doubt and for civil disputes it is the balance
of probabilities. Legal truth is influenced by ideas like fairness and justice, and
the outcome may not conform to the scientific truth. A court may convict an
individual even if the case is weak or some evidence suggests innocence.
Generally, in the prosecutorial environment, scientific truth is subordinate to
legal truth and investigators must accept the ruling of the court. Similarly,
investigators must generally accept an attorney’s decision not to take a case.
However, in some instances, investigators will face an ethical dilemma if they
feel that a miscarriage of justice has occurred. An investigator may be
motivated to disclose information to the media or assist in a follow-up
investigation but such choices must be made with great care because a repeated
tendency to disagree with the outcome of an investigation will ruin an
investigator’s credibility and even expose him/her to legal action.
Most forensic scientists accept the reality that while truthful evidence derived from
scientific testing is useful for establishing justice, justice may nevertheless be negotiated.
In these negotiations, and in the just resolution of conflict under the law, truthful
evidence may be subordinated to issues of fairness, and truthful evidence may be
manipulated by forces beyond the ability of the forensic scientist to control or
perhaps even to appreciate fully. (Thornton 1997)
Galileo Galilei’s experiences provide us with an illustrative example of the
power of the scientific method in discovering the truth and the cost of ignoring
the reality that scientific truth may be subordinated to other truths. By
observing the motion of stellar objects, Galileo gathered evidence to support
Copernicus’s theory that the Earth revolved around the Sun. Although
Galileo was correct and was widely respected as a scientist and mathematician,
he was unable to dislodge the heliocentric conception of the Solar system that
had persisted since Aristotle proposed it in the fourth century B.C. It seemed
absurd to claim that the Earth was in motion when anyone could look at
the ground and see that it was still. Also, the most vehement opponents of the
idea felt that it contradicted certain passages in the Holy Scripture and
thus threatened the already wavering authority of the Catholic Church
(Sobel 1999).
The issue came to a head in 1616 when Pope Paul V appointed a panel of
theologians to decide the matter. Despite its widespread acceptance and
Galileo’s efforts to present supporting evidence, the panel concluded that
certain aspects of Copernican astronomy were heretical. In essence, scientific
truth was subordinated to a religious truth. Although Galileo was instructed
not to present his opinions about the Solar system as fact, he was not specifically
named as a heretic, one of the most grave crimes of the time. Almost
twenty years later, by claiming that he had abandoned his belief in the
Copernican model as instructed but wanted to demonstrate to the world
that he and the Church fully understood all of the scientific arguments,
Galileo obtained permission to publish his observations and theories
in Dialogue of Galileo Galilei. However, the Dialogue quickly generated outrage
and, in 1633, the book was banned and the 70-year-old Galileo was
imprisoned for heresy and compelled to formally renounce his belief that
the Earth rotated around the Sun.
There are a few valuable lessons here. The employment of a rigorous
investigative process may uncover unpopular or even unbelievable truths
subject to rejection unless properly and clearly conveyed to the intended
audience. Investigators may be faced with a difficult choice – renounce
the truth or face the consequences of holding an unpopular belief. It is the
duty of investigators to unwaveringly assert the truth even in the face of
This account of Galileo is not intended to suggest that science is infallible.
The fact is that science is still advancing and previous theories are
being replaced by better ones. For instance, DNA analysis has largely
replaced blood typing in forensic serology, and although the technique of
blood typing was valid, it was not conclusive enough to support some of the
convictions based upon evidence derived from that analysis alone. This
weakness can be shown in dramatic fashion by the existence and success of
the Innocence Project,1 which is using results of DNA analysis to overturn
wrongful convictions based on less than conclusive ABO Blood Typing and
enzyme testing.
While preparing for the final step of the investigative process (the decision
or verdict) it is important to keep in mind that discrepancies between scientific
and legal truth may arise out of lack of understanding on the part of the
decision makers. This is different from scientific peer review, where reviewers
are qualified to understand and comment on relevant facts and methods
with credibility. When technical evidence supporting a scientific truth is
presented to a set of reviewers who are not familiar with the methods used,
misunderstandings and misconceptions may result. To minimize the risk of
such misunderstandings, the investigative process and the evidence uncovered
to support prosecution must be presented clearly to the court. A clear
presentation of findings is also necessary when the investigative process is
applied to support decision makers who are in charge of civilian and military
network operations. However, investigators may find this situation easier
since decision makers in these domains often have some familiarity with
methods and tools employed in forensic investigations for computer and
network defense.
One of the main goals in an investigation is to attribute the crime to its
perpetrator by uncovering compelling links between the offender, victim, and
crime scene. Witnesses may identify a suspect but evidence of an individual’s
involvement is usually more compelling and reliable. According to Locard’s
Exchange Principle, anyone, or anything, entering a crime scene takes something
of the scene with them, and leaves something of themselves behind
when they leave. In the physical world, an offender might inadvertently leave
fingerprints or hair at the scene and take a fiber from the scene. For instance,
in a homicide case the offender may attempt to misdirect investigators by
creating a suicide note on the victim’s computer, and in the process leave
fingerprints on the keyboard. With one such piece of evidence, investigators
can demonstrate the strong possibility that the offender was at the crime
scene. With two pieces of evidence the link between the offender and crime
scene becomes stronger and easier to demonstrate (Figure 4.2).
This type of exchange produces evidence belonging in one of two general
categories: (i) evidence with attributes that fit in the group called class
characteristics, and (ii) exhibits with attributes that fall in the category called
individual characteristics. As detailed in Chapter 9, class characteristics are
common traits in similar items whereas individual characteristics are more
unique and can be linked to a specific person or activity with greater certainty.
Consider the physical world example from Chapter 1 of a shoe print left under
a window at a crime scene. Forensic analysis of those impressions might only
reveal the make and model of the shoe, placing it in the class of all shoes with
the same make and model. Therefore, if a suspect were found to be in possession
of a pair with the same manufacturer and model, a tenuous circumstantial
link can be made between the suspect and the wrongdoing. If forensic analysis
uncovers detailed wear patterns in the shoe prints and finds identical wear
of the suspect’s soles, a much stronger link is possible. The margin of error has
just been significantly reduced by the discovery of an individual characteristic
making the link much less circumstantial and harder to refute.
In the digital realm, we move into a more virtual and less tangible space.
The very notion of individual identity is almost at odds with the philosophy
of openness and anonymity associated with many communities using the
Internet. However, similar exchanges of evidence occur in the digital realm,
such as data from an offender’s computer recorded by a server or data
from servers stored on the offender’s computer. Such links have been used
to demonstrate that a specific individual was involved. When all of this
evidentiary material does not conclusively link a suspect with the computer,
the evidence is still individual relative to the computer.
Browsing the Web provides another example of Locard’s Exchange
Principle in the digital realm. If an individual sends a threatening message
via a Web-based e-mail service such as Hotmail, his/her browser stores files,
links, and other information on the hard disk along with date–time related
information. Investigators can find an abundance of information relating
to the sent message on the offender’s hard drive including the original
message. Additionally, investigators can find related information on the
Web server used to send the message including access logs, e-mail logs,
IP addresses, browser version, and possibly the entire message in the Sent
mail folder of the offender’s e-mail account.

Figure 4.2: Locard’s Exchange Principle. (Labels in the figure: Crime scene;
Physical evidence.)
Akin to categories of evidence in the “traditional” forensic sense, digital
equipment and their attributes can be categorized into class and individual
groups. Scanners, printers, and all-in-one office devices may exhibit or leave
discernible artifacts that lead to common class characteristics allowing the
identification of an Epson, Canon, or Lexmark device. The more conclusive
individual characteristics are more rare but not impossible to identify
through detailed analysis. Unique marks on a digitized photograph might
be used to demonstrate that the suspect’s scanner or digital camera was
involved. Similarly, a specific floppy drive may make unique magnetic impressions
on a floppy disk, helping establish a link between a given floppy disk
and the suspect’s computer.
These are examples of the more desirable category of evidence because of
their strong association with an individual source. Generally, however, the
amount of work required to ascertain this level of information is significant
and may be for naught, especially if a proven method for its recovery has not
been researched and accepted in the community and used to establish
precedent in the courts. This risk coupled with the fact that the objects of
analysis change in design and complexity at such a rapid pace, makes it
difficult to remain current.
Class characteristics can enable investigators to determine that an Apache
Web server was used, a particular e-mail encapsulation scheme (e.g. MIME)
was employed, or that a certain manufacturer’s network interface card was the
source. Categorization of characteristics from various types of digital components
has yet to be approached in any formal way but the value of this type of
information cannot be underestimated. Class characteristics can be used
collectively to determine a probability of involvement and the preponderance
of this type of evidence can be a factor in reaching conclusions about guilt or
The value of class physical evidence lies in its ability to provide corroboration of events
with data that are, as nearly as possible, free of human error and bias. It is the thread
that binds together other investigative findings that are more dependent on human
judgements and, therefore, more prone to human failings. (Saferstein 1998)
To better appreciate the utility of Locard’s Exchange Principle, class
characteristics, and individual characteristics in the digital realm, consider a
computer intrusion. When an intruder gains unauthorized access to a UNIX
system from his/her personal computer using a stolen Internet dial-up
account, and uploads various tools to the UNIX machine via FTP (file
transfer protocol), the tools are now located on both the Windows and
UNIX systems. Certain characteristics of these tools will be the same on both
systems, including some of the date–time stamps and MD5 hash values
(described in Chapter 9).

Preview (Chapter 9): Interestingly, the MD5 computation is an example of a
derived attribute that can be useful as a class or individual characteristic
depending on its application. For instance, the MD5 value of a common
component of the Windows 2000 operating system (e.g. kernel32.dll) places a
file in a group of all other similar components on all Windows 2000
installations but does not indicate that the file came from a specific
machine. On the other hand, when the MD5 value is computed for data that
are or seem to be unique, such as an image containing child pornography or
suspect steganographic data, the hash value becomes an individual
characteristic due to the very low probability that any other data (other
than an exact copy) will compute to the same hash value. Therefore, MD5
values are more trustworthy than filenames or file sizes in the comparison
of data.
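The distinction the text draws, a hash value acting as a class characteristic for a common system component but as an individual characteristic for unique content, can be put into working form. The following Python is an added example, not code from the book: its reference-hash set and its seized files are constructed byte strings, and the function names are assumptions. It uses MD5 because the text does; a present-day examination records SHA-256 alongside it, since MD5 collisions can be produced deliberately.

```python
"""A hash value as a class or an individual characteristic.

Added example; not code from Casey's book. The reference-hash set below is
constructed for illustration (a real examination would use a published
known-file reference set) and the seized files are constructed byte strings.
MD5 is used because the text discusses it; modern practice records SHA-256 as
well, since MD5 collisions can be manufactured deliberately.
"""
import hashlib


def md5_hex(data: bytes) -> str:
    """The derived attribute: MD5 digest of the content, as a hex string."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for operating-system components such as kernel32.dll:
# every installation of the same build ships identical bytes, so their hashes
# describe a class of files, not a particular machine.
REFERENCE_COMPONENTS = {
    "kernel32.dll": b"constructed stand-in for kernel32.dll, build 2195",
    "ntdll.dll": b"constructed stand-in for ntdll.dll, build 2195",
}
REFERENCE_HASHES = {md5_hex(content): name for name, content in REFERENCE_COMPONENTS.items()}


def classify(name: str, data: bytes) -> dict:
    """Decide whether the digest of a seized file acts as a class or an
    individual characteristic, following the distinction drawn in the text."""
    digest = md5_hex(data)
    known_as = REFERENCE_HASHES.get(digest)
    if known_as is not None:
        return {"name": name, "md5": digest, "kind": "class",
                "note": f"identical to reference component {known_as}; no link to a specific machine"}
    return {"name": name, "md5": digest, "kind": "individual",
            "note": "not in the reference set; digest identifies this content (or an exact copy)"}


def same_content(a: bytes, b: bytes) -> bool:
    """Comparison by digest: true only for byte-identical data."""
    return md5_hex(a) == md5_hex(b)


def same_name_and_size(name_a: str, a: bytes, name_b: str, b: bytes) -> bool:
    """The weaker comparison the text warns about: agreement of filename and
    size says nothing about whether the contents are the same."""
    return name_a == name_b and len(a) == len(b)


if __name__ == "__main__":
    seized = {  # constructed seized files
        "kernel32.dll": REFERENCE_COMPONENTS["kernel32.dll"],   # exact copy of a class file
        "image12.jpg": b"constructed bytes of a unique picture",  # unique content
        "readme.txt": b"this file has been edited",
        "readme.old": b"this file has been edited",               # renamed exact copy
    }
    for name, data in seized.items():
        print(classify(name, data))
    print(same_content(seized["readme.txt"], seized["readme.old"]))  # True despite different names
    print(same_name_and_size("a.txt", b"version one", "a.txt", b"version two"))  # True despite different contents
```

The last two calls show both directions of the text's claim: a renamed exact copy is still recognised by its digest, while two files that agree in name and size but differ in content pass the weaker comparison and fail the digest comparison.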
The Windows application used to connect to the UNIX system (e.g. Telnet,
SecureCRT, SSH) may have a record of the target IP address/hostname.
Directory listings from the UNIX system may be found on the intruder’s
hard drive if they were swapped to the disk while being displayed on screen
by Telnet, SecureCRT, SSH, or another program as shown in Figure 4.3. The
stolen account and password is probably stored somewhere on the intruder’s
system, possibly in a sniffer log or in a list of stolen accounts from various
systems. The FTP client used (e.g. WS_FTP) may create a log of the transfer
of tools to the server.
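The swapped-out directory listing that Figure 4.3 locates with an EnCase grep pattern can be carved the same way from any raw byte buffer. The following Python script is an added example, not code from the book or from EnCase; the swap-file fragment it scans is constructed, and the full nine-character permission pattern, the field layout of an `ls -l` line and the helper names are assumptions built on the pattern quoted for Figure 4.3.

```python
"""Carve remnants of a UNIX 'ls -l' listing out of an unstructured byte buffer.

Added example; not code from Casey's book or from EnCase. It applies the
permission-string pattern quoted for Figure 4.3 ("[d-][rwx-][rwx-][rwx-]...")
as a regular expression over a constructed fragment of a Windows swap file.
"""
import re

# Constructed sample: a swap-file fragment in which a terminal program's screen
# buffer (showing a remote 'ls -l') was paged out, surrounded by binary noise.
SWAP_FRAGMENT = (
    b"\x00\x11\x22garbage\xff\xfe"
    b"drwxr-xr-x   2 johnh    users        4096 Nov 12 19:50 tools\r\n"
    b"-rwxr-xr-x   1 johnh    users      780800 Nov 12 19:53 image12.jpg\r\n"
    b"-rw-r--r--   1 johnh    users        1024 Nov 12 19:53 sniff.log\r\n"
    b"\x00\x00more noise\x7f"
    b"-rw-------   1 root     root          512 Jan  1 00:00 .rhosts\n"
)

# One 'ls -l' line: type+permission string (the Figure 4.3 pattern, extended to
# all nine permission characters), link count, owner, group, size, a
# three-field date, then the name up to the end of the line.
LS_LINE = re.compile(
    rb"(?P<mode>[d-][rwx-]{9})\s+"
    rb"(?P<links>\d+)\s+"
    rb"(?P<owner>[\w.-]+)\s+"
    rb"(?P<group>[\w.-]+)\s+"
    rb"(?P<size>\d+)\s+"
    rb"(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]{4,5})\s+"
    rb"(?P<name>[^\r\n\x00]+)"
)


def carve_listing(buf: bytes) -> list:
    """Return every listing entry found in buf, with its byte offset."""
    entries = []
    for m in LS_LINE.finditer(buf):
        entries.append({
            "offset": m.start(),
            "mode": m["mode"].decode(),
            "owner": m["owner"].decode(),
            "group": m["group"].decode(),
            "size": int(m["size"]),
            "date": m["date"].decode(),
            "name": m["name"].decode(errors="replace"),
        })
    return entries


def find_by_size(entries: list, size: int) -> list:
    """Names of carved entries whose size matches a figure from another source
    (for example a file size recorded in a server transfer log)."""
    return [e["name"] for e in entries if e["size"] == size]


if __name__ == "__main__":
    for e in carve_listing(SWAP_FRAGMENT):
        print(f"{e['offset']:6d} {e['mode']} {e['owner']}/{e['group']} "
              f"{e['size']:>8} {e['date']} {e['name']}")
```

Carved entries carry the owner, size and date-time of the remote files, which gives an independent figure to compare against the server's own records; the byte offset records where in the source image each fragment was found so the finding can be reproduced.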
The UNIX system may have login records and FTP transfer logs showing
the connection and file transfers. Additionally, some of the transferred files
may carry characteristics from the source computer (e.g. TAR files contain
user and group information from UNIX systems). These types of digital
evidence transfer can be used to establish the continuity of offense in a
connect-the-dots manner. In the threatening e-mail example above, the
information on the sender’s hard disk along with the date and time it was
created can be compared with data on the server and the message received
by the target to demonstrate the continuity of the offense. To establish
continuity of offense investigators should seek the sources, conduits, and
targets of an offense. Each of these three areas can have multiple sources of
digital evidence and can be used to establish the continuity of offense.
Additional systems may be peripherally involved in an offense (e.g. for
storage, communication, or information retrieval) and may contain related
evidence. For instance, in a computer intrusion investigation, there may be
related digital evidence on intrusion detection systems, NetFlow logs, and
other intermediate systems discussed in later chapters.

Figure 4.3: Remnants of a directory listing from a UNIX system found on a
Windows computer using the grep feature in EnCase to search for the
pattern “[d-][rwx-][rwx-][rwx-]

Figure 4.4: Potential sources of evidence useful for establishing continuity
of offense. (Labels in the figure: File date-time stamps, modem & WS_FTP logs
& ANI records; Logon & transfer logs.)

The more corroborating evidence that investigators can obtain, the
greater weight the evidence will be given in court and the more certainty they
can have in their conclusions. In this way, investigators can develop a
reconstruction of the crime and determine who was involved. The addition
of a mechanism or taxonomy to categorize digital evidence as described
would benefit the investigator by allowing them to present the relative merits
of the evidence and help them maintain the objectivity called for by the
investigative process.
As another example, take a case of downloading child pornography from an
FTP server on the Internet via a dial-up connection as depicted in Figure 4.4.
The date–time stamps of the offending files on the suspect’s personal computer
show when the files were downloaded. Additionally, logs created by the FTP
client may show when each file was downloaded and from where. The following
log entry created by WS_FTP shows an image being downloaded from an FTP
server with IP address on November 12, 1998, at 1953 hours from
a remote directory on the FTP server named “/home/johnh”.
98.11.12 19:53 A C:\download\image12.jpg <-- /home/johnh image12.jpg
Modem logs on the computer may show that the computer was connected to
the Internet at the time in question.
Dial-up server logs at the suspect’s Internet Service Provider (ISP) may show
that a specific IP address was assigned to the suspect’s user account at the time.
The ISP may also have Automatic Number Identification (ANI) logs –
effectively Caller-ID – connecting the suspect’s home telephone number to the
dial-up activity. Routers connecting the suspect’s computer to the Internet may
have associated NetFlow logs containing additional information about the
suspect’s connection to the FTP server.
Logs on the FTP server may confirm that files were downloaded to the
suspect’s IP address at the time in question. For instance, the following FTP
server transfer log entry shows a file with the same name and size as that
found on the suspect’s computer being downloaded to the IP address that
was assigned to the suspect’s account at the time in question.
Nov 12 19:53:23 1998 15 780800 /home/johnh/image12.jpg a _ o r user
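The sources just described, the seized files' date-time stamps, the WS_FTP client log, the ISP's address assignment and the server's transfer log, can be checked against each other mechanically. The following Python is an added example, not code from the book; every record it uses is constructed (the IP addresses are documentation-range placeholders), the WS_FTP field layout is an assumption modelled on the entry in the text, and the xferlog lines follow the standard wu-ftpd layout with the remote-host field filled in.

```python
"""Correlating four sources for one suspected FTP download.

Added example; not code from Casey's book. All records are constructed:
the WS_FTP field layout is modelled on the client log entry reproduced in
the text and is an assumption, the server entries use the standard wu-ftpd
xferlog layout, and the IP addresses are documentation-range placeholders.
"""
from datetime import datetime, timedelta

# Constructed: file system metadata of the offending files on the seized computer.
SEIZED_FILES = {
    r"C:\download\image12.jpg": {"size": 780800, "mtime": datetime(1998, 11, 12, 19, 53, 40)},
    r"C:\download\image13.jpg": {"size": 512000, "mtime": datetime(1998, 11, 12, 23, 10, 0)},
}

# Constructed WS_FTP client log: date time mode local-path arrow server remote-dir remote-name.
WSFTP_LOG = [
    r"98.11.12 19:53 A C:\download\image12.jpg <-- 192.0.2.10 /home/johnh image12.jpg",
    r"98.11.12 19:55 A C:\download\image13.jpg <-- 192.0.2.10 /home/johnh image13.jpg",
]

# Constructed xferlog on the FTP server; the remote host is the client's
# dial-up address, direction 'o' means outgoing from the server (a download).
XFERLOG = [
    "Thu Nov 12 19:53:23 1998 15 198.51.100.7 780800 /home/johnh/image12.jpg a _ o r user ftp 0 * c",
    "Thu Nov 12 19:55:02 1998 11 198.51.100.7 512000 /home/johnh/image13.jpg a _ o r user ftp 0 * c",
]

# Constructed ISP dial-up records: (assigned IP, account, session start, session end).
ISP_SESSIONS = [
    ("198.51.100.7", "account-jdoe", datetime(1998, 11, 12, 19, 40), datetime(1998, 11, 12, 20, 30)),
]


def parse_wsftp(line: str) -> dict:
    date, time, _mode, local, arrow, server, remote_dir, remote_name = line.split()
    return {"when": datetime.strptime(f"{date} {time}", "%y.%m.%d %H:%M"),
            "local": local, "download": arrow == "<--", "server": server,
            "remote_path": f"{remote_dir.rstrip('/')}/{remote_name}"}


def parse_xferlog(line: str) -> dict:
    f = line.split()
    return {"when": datetime.strptime(" ".join(f[1:5]), "%b %d %H:%M:%S %Y"),
            "client": f[6], "size": int(f[7]), "path": f[8],
            "download": f[11] == "o", "user": f[13]}


def correlate(seized, wsftp_lines, xferlog_lines, sessions,
              tolerance=timedelta(minutes=5)) -> list:
    """For each client-log transfer, record which other sources corroborate it
    and note discrepancies instead of silently forcing a match."""
    server = [parse_xferlog(line) for line in xferlog_lines]
    findings = []
    for line in wsftp_lines:
        c = parse_wsftp(line)
        on_disk = seized.get(c["local"])
        srv = next((s for s in server if s["path"] == c["remote_path"]
                    and s["download"] == c["download"]), None)
        f = {"file": c["remote_path"].rsplit("/", 1)[-1],
             "on_disk": on_disk is not None, "server_log": srv is not None,
             "isp_account": None, "issues": []}
        if on_disk and abs(on_disk["mtime"] - c["when"]) > tolerance:
            f["issues"].append("file system timestamp does not fit the client log time")
        if srv:
            if on_disk and on_disk["size"] != srv["size"]:
                f["issues"].append("size differs between seized file and server log")
            if abs(srv["when"] - c["when"]) > tolerance:
                f["issues"].append("client and server clocks disagree beyond tolerance")
            sess = next((s for s in sessions if s[0] == srv["client"]
                         and s[2] <= srv["when"] <= s[3]), None)
            f["isp_account"] = sess[1] if sess else None
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in correlate(SEIZED_FILES, WSFTP_LOG, XFERLOG, ISP_SESSIONS):
        print(finding)
```

Reporting discrepancies rather than forcing a match is the point the chapter makes with the suicide-note clock: in the second constructed record the file system timestamp is hours away from the client log time, which is exactly the kind of detail to be explained (clock error, a later copy, a different file) before the record is relied on.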
In United States v. Hilton, the forensic examiner was asked to justify transport charges
by explaining his conclusion that pornographic images on the suspect’s computer had
been downloaded from the Internet. The examiner explained that the files were
located in a directory named MIRC (the name of an Internet chat client) and that the
date–time stamps of the files coincided with the time periods when the defendant
was connected to the Internet. The court was satisfied with this explanation and
accepted that the files were downloaded from the Internet.
These examples describe suspected offenses and allude to types and
locations of potential evidentiary material. This section also introduced the
established forensic concepts of class and individual characteristics and how
to apply them to digital evidence, helping investigators and prosecutors
assess the suitability and persuasive strength of the evidence. These are
essential elements of any investigation but only represent the highlights of
the structured process detailed in the following sections.
The investigative process, depicted as a sequence of ascending stairs in
Figure 4.5, is structured to encourage a complete, rigorous investigation,
ensure proper evidence handling, and reduce the chance of mistakes created
by preconceived theories and other potential pitfalls. This process applies to
criminal investigations as well as military and corporate inquiries dealing
with policy violations or system compromise.
The categories in Figure 4.5 are intended to be as generic as possible. The
unique methods and tools employed in each category tie the investigative
process to a particular forensic domain. The terms located on the riser
of each step are those more closely associated with the law enforcement
perspective. To the right of each term is a more general descriptor that may
help to express the essence of each step of the process.
Investigators and examiners work together to scale these steps from bottom
to top in a systematic, determined manner in an effort to present a compelling
story after reaching the landing (persuasion/testimony). There they
will pass their hard work on to prosecutors or other decision makers who
scrutinize the findings and decide whether to continue or refocus resources
to solving other matters. In the case of the courts, investigators will present
their findings to the trier-of-fact who will decide if the merits of the evidence
make a strong enough case to proceed to trial. In civilian and military operational
communities, facts are presented to resource managers who will rely on
the confidence and accuracy of the information before taking corrective
action. Often, in this operational environment the mission or business objectives
are of primary concern with possible prosecution left as a secondary
Two items of particular note and special importance stand out in our
depiction. First, Case Management plays a vital role and spans across all the
steps in the process model. It provides stability and enables investigators
effectively to tie all relevant information together, allowing the story to be told
clearly. In many cases the mechanisms used to structure, organize, and record
pertinent details about all events and physical exhibits associated with a
particular investigation is just as important as the information presented.
Second, the term analysis is used rather loosely in many implementations of
the investigative process. Our intent is to attach a more precise definition to
this term so that it can be properly placed within the steps of our model. The
Figure 4.5 Categories of the Investigative Process Model (depicted as a flight of stairs). [Figure not reproduced; labels recovered from it: step terms (law enforcement perspective) – Incident alerts or accusation; Assessment of worth; Incident/Crime scene protocols; Identification or seizure; Organization and search; Validation; Reporting (Detailed record); Persuasion and testimony (Translate and explain). General descriptors – Crime or policy violation; Prioritize – choose; Actions at scene – real/virtual; Recognition and proper packaging; Integrity – modification free; Get it ALL – hidden/deleted; Data about data; Filter – eliminate. Case management spans all steps.]
analysis phase of the investigative process borrows heavily on the long-standing
scientific method, beginning with fact gathering and validation, proceeding to
hypothesis formation and testing, actively seeking evidence that disproves the
hypothesis, and revising conclusions as new evidence emerges.
In general, this model affords investigators and examiners a logical flow of
events that, taken together, seek to provide:
1 Acceptance – the steps and methods have earned professional consensus.
2 Reliability – the methods employed can be proven (trusted) to support findings.
3 Repeatability – the process can be applied by all, independent of time and place.
4 Integrity – the state of evidence is proven (trusted) to be unaltered.
5 Cause and effect – logical connection between suspected individuals, events, and
6 Documentation – recordings essential for testimonial evidence (expert testimony).
All six tenets have a common purpose – to form the most persuasive argument
possible based upon facts, not supposition, and to do so considering
the legal criteria for admissibility.
As noted at the beginning of this chapter, although depicted as a linear
progression of events in Figure 4.5, the stages in this process are often intertwined
and those professionals who participate may find the need to revisit
steps after they were thought to be complete. This “feedback” cannot be avoided
nor should it be. It is often essential to make improvements and enhancements
to methods and tools used in each step. Also, most steps are not only “digital
forensic” in nature – many parts of the process function by applying and
integrating methods and techniques in police science and criminalistics as
aids. Finally, as with most processes, there is a relationship between successive
steps. That relationship can often be described by the input and output
expected at each stage, with products of one step feeding into the steps that
With that said, let us take a closer look at each step along with details of
the processing required in each and the associated inputs and outputs.
Every process has a starting point – a place, event, or for lack of a better
term, a “shot from a starting gun” that signals the race has begun. This step
can be signaled by an alarm from an intrusion detection system, a system
administrator reviewing firewall logs, curious log entries on a server, or
some combination of indicators from multiple security sensors installed on
networks and hosts. This initial step can also be triggered by events in more
traditional law enforcement settings. Citizens reporting possible criminal
activity will lead to investigative personnel being dispatched to a physical
scene. That scene will likely contain exhibits of which some may be
electronic, requiring part of the investigation to take a digital path. The
prevalence of computers makes it increasingly likely that even traditional
crimes will have related information derived from digital sources that
require close scrutiny.
When presented with an accusation or automated incident alert, it is
necessary to consider the source and reliability of the information. An
individual making a harassment complaint because of repeated offensive
messages appearing on her screen might actually be dealing with a computer
worm/virus. An intrusion detection system alert may only indicate an
attempted, unsuccessful intrusion or might be a false alarm. Therefore, it is
necessary to weigh the strengths, weaknesses, and other known nuances
related to the sources and include human factors as well as digital.
In addition to thoroughly assessing an accusation or alert, some initial fact
gathering is usually necessary before launching a full-blown investigation. Even
technically proficient individuals sometimes misidentify normal system activity
as a computer intrusion. Initial interviews and fact checking can correct such
misunderstandings, clarify what happened, and help develop an appropriate
response. To perform this fact gathering and initial assessment, it is usually necessary
to enter a crime scene and scan or very carefully sift through a variety of
data sources looking for items that may contain relevant information.
This is a very delicate stage in an investigation because every action in the
crime scene may alter evidence. Additionally, delving into an investigation
prematurely, without proper authorization or protocols, can undermine the
entire process. Therefore, an effort should be made to perform only the
minimum actions necessary to determine if further investigation is warranted.
Although an individual investigator’s experience or expertise may
assist in forming internal conclusions that may have associated confidence
levels, at this stage few firm, evidence-based conclusions are being drawn
about whether a crime or an offence was actually committed.
Those involved in investigative activities are usually busy with multiple cases or
have competing duties that require their attention. Given that investigative
resources are limited, they must be applied where they are needed most. How
this step in the process is handled varies with the associated investigative
environment. Applied in law enforcement environments, all suspected criminal
activity must be investigated. In civil, business, and military operations,
suspicious activity will be investigated but policy and continuity of operations
often replace legalities as the primary concern. Regardless of environment,
a form of triage is performed at this step in the process. Questions are asked
that try to focus vital resources on the most severe problems or where they are
most effective.
Factors that contribute to the severity of a problem include threats of
physical injury, potential for significant losses, and risk of wider system
compromise or disruption. If a problem can be contained quickly, if there is
little or no damage, and if there are no exacerbating factors, a full investigation
may not be warranted. The output of this step in the investigative process is
a decision that will fit into two basic categories.
■ No further action is required – suspicion proved unwarranted. Available data and
information are sufficient to indicate no wrongdoing. Document decision with
detailed justification, report, and reassign resources.
■ Continue to apply investigative resources based upon the merits of evidence examined
to this point with priority based on initial available information. All incidents
or accusations deserve detailed initial investigation. This category aims to inform
about discernment based on practical as well as legal precedent coupled with the
informed experience of the investigative team.
Expertise from a combination of on-the-job and certified training plays
a tremendous role in effective triage.
When a full investigation is warranted the first challenge is to retain and
document the state and integrity of items (digital or otherwise) at the crime
scene. Protocols, practices, and procedures are employed at this critical
juncture to minimize the chance of errors, oversights, or injuries. Whoever is
responsible for securing a crime scene, whether first responders or digital
evidence examiners, should be trained to follow accepted protocols. These
protocols should address issues such as health and safety (limiting exposure
to hazardous materials such as chemicals in drug labs or potentially infectious
body fluids), what other authorities are informed, and what must be
done to secure the scene.
Preventing people from disturbing a single computer or room is relatively
straightforward but, when networks are involved, a crime scene may include
sources of evidence in several physically distant locations. Assuming investigators
can determine where these locations are, they may not be able to
reach them to isolate and preserve associated evidence. This raises the
issues of evidence collection on a network, which are discussed in Part 3
of this book.
The product or output of this stage is a secure scene where all the contents
are mapped and recorded, with accompanying photographs and basic
diagrams to document important areas and items. The evidence is, in
essence, frozen in place. This pristine environment is the foundation for all
successive steps and provides the “ground truth” for all activities to follow.
Items discovered in this initial phase remain an ever present and unchanging
part of the case ahead. Steps that follow will serve to add items as well as the
attributes of detail, connection, and validation so vital in building event
reconstruction, timelines, and motive.
Importantly, the information gathered during this step regarding the state
of a crime scene is at the highest level. This means that potential elements of
a crime or incident are usually being scrutinized at the macro level. For the
most part, investigators are observing “surface details” of potential evidence
that may be indicative but are rarely conclusive.
Once the scene is secured, potential evidence of an alleged crime or incident
must be seized. Clear procedures and understanding of necessary legal
criteria are essential before activity can proceed successfully. The goal here
for trained and experienced investigators is not to seize everything at a scene
(physical or virtual) but to make informed, reasoned decisions about just
what to seize and be prepared to document and justify the action.
Documentation permeates all steps of the investigative process but is
particularly important in the digital evidence seizure step. It is necessary to
record details about each piece of seized evidence to help establish its
authenticity and initiate chain of custody. For instance, numbering items,
photographing them from various angles, recording serial numbers, and
documenting who handled the evidence helps keep track of where each piece
of evidence came from and where it went after collection. Standard forms and
procedures help in maintaining this documentation, and experienced investigators
and examiners keep detailed notes to help them recall important
details. Any notebook that is used for this purpose should be solidly bound
and have page numbers that will indicate if a page has been removed.
In a traditional investigative context, seizure implies “to confiscate” or “to
take possession of ” material, physical items for detailed scrutiny of the items’
state and character at some later time in a controlled facility by proven,
prescribed means. In the digital realm, unlike most of the traditional forensic
disciplines, the seizure of material items occurs, but all or part of the state
and character of some material evidence may be lost almost immediately
upon seizure by virtue of the volatility of electronic devices and their design.
Many modern computers have large amounts of Random Access Memory
(RAM) where process context information, network state information, and
much more are maintained. Once a system is powered down the immediate
contents of that memory are lost and can never be completely recovered.
So, when dealing with a crime or incidents involving digital evidence, it may
be necessary to perform operations on a system that contains evidence,
especially in network connected environments.
The output of this phase follows clearly from the triage stage. Inventories,
not only of physical electronic components but also attributes of those
components that indicate possible networking between local and remote
devices and other locations should be cataloged. This recognition is vital
because it will allow investigators the opportunity to capture important state
and character information before power down and seizure are accomplished.
Therefore, even if the investigation warrants the seizure of electronic
components, methods and techniques that allow “confiscation” of certain
volatile system and network information, even in part, should be considered.
At this step, properly trained first responders might be instructed to find
and physically seize evidence for later processing by a digital evidence examiner.
Two useful documents outlining effective practices for seizing digital
evidence are mentioned here briefly and details of this process are presented
in later chapters. This information can be adapted to conform to an organization’s
policies and should be used to create memory aids for investigators
and examiners such as procedures, checklists, and forms.
The Good Practices Guide for Computer Based Electronic Evidence, published by
the Association of Chief Police Officers in the United Kingdom (NHCTU
2003), provides a starting point for the discussion of the initial step of digital
evidence handling. This guide is designed to cover the most common types of
computers: electronic organizers and IBM compatible laptops or desktops
with a modem. In addition to practical advice, this guide provides the following
four overarching principles that are useful for anyone handling digital
Principle 1: No action taken by the police or their agents should change data held on
a computer or other media that may subsequently be relied upon in court.
Principle 2: In exceptional circumstances where a person finds it necessary to access
original data held on a target computer that person must be competent to do so and
to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based
evidence should be created and preserved. An independent third party should be
able to examine those processes and achieve the same result.
Principle 4: The officer in charge of the case is responsible for ensuring that the law
and these principles are adhered to. This applies to the possession of and access to
information contained in a computer. They must be satisfied that anyone accessing
the computer, or any use of a copying device, complies with these laws and principles.
The US Department of Justice created a useful guide called Electronic Crime
Scene Investigation: A Guide for First Responders (USDOJ 2001). This guide
discusses various sources of digital evidence, providing photographs to help
first responders recognize them, and describes how they should be handled.
These documents are useful for developing a standard operating procedure
(SOP) that covers simple investigations involving a few computers. An SOP is
necessary to avoid mistakes, ensure that the best available methods are used,
and increase the probability that two forensic examiners will reach the same
conclusions when they examine the evidence.
Keep in mind that digital evidence comes in many forms including audit
trails, application logs, badge reader logs, biometrics data, application
metadata, Internet service provider logs, intrusion detection system reports,
firewall logs, network traffic, and database contents and transaction records
(i.e. Oracle NET8 or 9 logs). Given this variety, identifying and seizing all of
the available digital evidence are challenging tasks. More technically involved
procedures are required to deal with large servers or evidence spread over
a network. Also, situations will arise that are not covered by any procedure.
This is why it is important to develop a solid understanding of forensic
science and to learn to apply general principles creatively. Initial interviews
should be performed to determine who is involved, what people know, what
is not known, and what other information needs to be gathered.
Working from the known inventory of confiscated or seized components
investigators must act to make sure that potentially volatile items remain
unchanged. Another way to put it is that proper actions must be taken to
ensure the integrity of potential evidence, physical and digital. The methods
and tools employed to ensure integrity are key here. Their accuracy and
reliability as well as professional acceptance may be subject to question by
opposing counsel if the case is prosecuted. These same criteria will give
decision makers outside of court the necessary confidence to proceed on
recommendations from their investigators.
To many practitioners in our field this is where digital forensics begins. It
is generally the first stage in the process that employs commonly used tools
of a particular type. The output of this stage is usually a set of duplicate
copies of all sources of digital data. This output provides investigators with
two categories of exhibits. First, the original material is cataloged and stored
in a proper environmentally controlled location, in an unmodified state.
Second, an exact copy of the original material that will be scrutinized as the
investigation continues.
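The preservation step described above yields a duplicate whose integrity must later be proven unaltered. The following added example (not from the book) hashes a source and its copy in fixed-size chunks, compares size and digest, and appends the result to an audit trail in the spirit of ACPO Principle 3; the item numbers, examiner name, JSON-lines trail format and sample files are constructed assumptions.

```python
"""Preservation step: verify that a forensic duplicate matches its source and
record the verification in an audit trail (added example, not from the book).

Assumptions (hypothetical): evidence is a byte-for-byte file copy; the audit
trail is a JSON-lines file; item numbers and examiner names are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images never have to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_duplicate(original: str, duplicate: str, algorithm: str = "sha256") -> dict:
    """Compare source and copy by size and digest; return a record for the audit trail."""
    orig_digest = hash_file(original, algorithm)
    dup_digest = hash_file(duplicate, algorithm)
    orig_size = os.path.getsize(original)
    dup_size = os.path.getsize(duplicate)
    return {
        "original": original,
        "duplicate": duplicate,
        "algorithm": algorithm,
        "original_digest": orig_digest,
        "duplicate_digest": dup_digest,
        "original_size": orig_size,
        "duplicate_size": dup_size,
        # Size alone is not enough: a single flipped byte keeps the size and changes the digest.
        "match": orig_digest == dup_digest and orig_size == dup_size,
    }


def append_audit_entry(trail_path: str, item_number: str, examiner: str,
                       action: str, details: dict) -> dict:
    """Append one audit-trail line: every process applied to the evidence is recorded
    so an independent third party can repeat it (ACPO Principle 3)."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "item": item_number,
        "examiner": examiner,
        "action": action,
        **details,
    }
    with open(trail_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def preserve_and_verify(original: str, duplicate: str, trail_path: str,
                        item_number: str, examiner: str) -> bool:
    """Verify the copy and log the outcome; False means the copy must not be analysed."""
    result = verify_duplicate(original, duplicate)
    append_audit_entry(trail_path, item_number, examiner, "verify-duplicate", result)
    return result["match"]


def demo() -> tuple:
    """Constructed data: a small 'original', one faithful copy and one copy whose
    last byte was altered (same size, different content)."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "item-001-original.bin")
    good_copy = os.path.join(workdir, "item-001-copy.bin")
    bad_copy = os.path.join(workdir, "item-001-tampered.bin")
    trail = os.path.join(workdir, "audit-trail.jsonl")
    payload = bytes(range(256)) * 64  # 16 KiB of constructed content, last byte 0xFF
    for path, data in ((original, payload), (good_copy, payload),
                       (bad_copy, payload[:-1] + b"\x00")):
        with open(path, "wb") as f:
            f.write(data)
    good = preserve_and_verify(original, good_copy, trail, "ITEM-001", "Examiner A")
    bad = preserve_and_verify(original, bad_copy, trail, "ITEM-001", "Examiner A")
    with open(trail, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f]
    return good, bad, entries


if __name__ == "__main__":
    ok, tampered, log = demo()
    print(f"faithful copy verified: {ok}; tampered copy verified: {tampered}; "
          f"audit entries written: {len(log)}")
```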
Prior to performing a full analysis of preserved sources of digital evidence, it
is necessary to extract data that have been deleted, hidden, camouflaged, or
that are otherwise unavailable for viewing using the native operating system
and resident file system. In some instances, it may also be necessary to
reconstitute data fragments to recover an item. Whenever feasible, this
process is performed on copies of original digital evidence from the preservation
step – this may not be possible in the case of embedded systems.
At this step in the process the focus is on the recovery of all unavailable data
whether or not they may be germane to the case or incident. The objective is
to identify, and if possible make visible, all data that can be recognized
as belonging to a particular data type. The output provides the maximum
available content for the investigators and enables them to move to the next
phase of the process. It provides the most complete data timeline and may
provide insight into the motives of an offender if concrete proof of purposeful
obfuscation is found and recorded.
By the start of this phase all the potential digital evidence associated with
a case or incident is available for investigation. Activities designed to gather
data and metadata (data about data) about all objects of interest may now
proceed. This stage in the process is where the actual reasoned scrutiny
begins, where concrete facts begin to take shape that support or falsify
hypotheses built by the investigative team. Working from the preserved,
recovered source material the investigation proceeds to gather descriptive
material about the contents. This gathering will typically proceed with little
or no discretion related to the data content, its context, or interpretation.
Rather, the investigator will look for categories of data that can be harvested
for later analysis – groupings of data with certain class characteristics that,
from experience or training, seem or are known to be related to the major
facts of the case or incident known to this point in the investigation.
For example, an accusation related to child pornography requires visual
digital evidence most likely rendered in a standard computer graphics
format like GIF or JPEG. Therefore, the investigators would likely be looking
for the existence of files exhibiting characteristics from these graphic
formats. That would include surface observables like the object’s file type
(expressed as a three-character alphanumeric designator in MS Windows
based file systems) or more accurately a header and trailer unique to a
specific graphical format. In the case of incidents related to hacking investigators
might focus some attention on the collection of files or objects associated
with particular rootkits or sets of executables, scripts, and interpreted
code that are known to aid crackers in successfully compromising systems as
discussed in Chapter 19.
A familiarity with the technologies and tools used, coupled with an understanding
of the underlying mechanisms and technical principles involved, is
of particular importance in this step. The general output expected here is large,
organized sets of digital data that have the potential to be evidence. It is the
first-layer organizational structure that the investigators and examiners will
start to decompose in steps that follow.
This step involves activities that help eliminate or target specific items in the
collected data as potentially germane to an investigation. This process is
analogous to separating the wheat from the chaff. The decision to eliminate
or retain is made based on external data attributes such as hashing or checksums,
type of data (after type is verified), etc. In addition, material facts associated
with the case or incidents are also brought to bear to help eliminate
data as potential evidence. This phase remains focused primarily on the overall
structure of the object and very likely does not consider content or context
apart from examination of fixed formatted internal data related to
standards (like headers and trailers). The result (output) of the work in this
stage of the investigative process is the smallest set of digital information that
has the highest potential for containing data of probative value. This is the
answer to the question: “Where’s the beef?” The criteria used to eliminate
certain data are very important and might possibly be questioned by judge,
jury, or any other authorized decision maker.
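The harvesting and reduction steps above rest on class characteristics such as a format’s header and trailer (rather than the file extension) and on hashes for eliminating known files. The following added example (not from the book) shows both: it identifies GIF and JPEG objects by signature regardless of extension, flags extension/content mismatches, and eliminates objects whose hash appears in a known set, recording the reason for every elimination; the sample files and the known-hash set are constructed.

```python
"""Harvesting and reduction: recognise graphics objects by header/trailer
rather than extension, then eliminate known files by hash (added example,
not from the book).

Assumptions (hypothetical): the known-file hash set and the sample files are
constructed here; a real examination would use a vetted reference hash set.
"""
import hashlib
import os
import tempfile
from typing import Iterable, List, Optional, Set

# Header (magic) bytes and trailers of two common graphics formats.
SIGNATURES = {
    "jpeg": {"header": (b"\xff\xd8\xff",), "trailer": b"\xff\xd9", "extensions": {".jpg", ".jpeg"}},
    "gif": {"header": (b"GIF87a", b"GIF89a"), "trailer": b";", "extensions": {".gif"}},
}


def identify_type(data: bytes) -> Optional[str]:
    """Return the format whose header and trailer both match, or None."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig["header"]) and data.endswith(sig["trailer"]):
            return name
    return None


def classify_file(path: str) -> dict:
    """Harvest class characteristics of one object: claimed type (extension),
    verified type (signature), whether the two disagree, and a content hash."""
    with open(path, "rb") as f:
        data = f.read()
    ext = os.path.splitext(path)[1].lower()
    detected = identify_type(data)
    claimed = next((n for n, s in SIGNATURES.items() if ext in s["extensions"]), None)
    return {
        "path": path,
        "extension": ext,
        "claimed_type": claimed,
        "detected_type": detected,
        "mismatch": claimed != detected,  # renamed image, or non-image with an image extension
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def harvest(paths: Iterable[str]) -> List[dict]:
    """Harvesting gathers attributes of every object with no judgement about content."""
    return [classify_file(p) for p in paths]


def reduce_set(records: List[dict], known_hashes: Set[str], wanted_types: Set[str]) -> dict:
    """Reduction: drop known files by hash, keep objects whose verified type is of interest.
    Each elimination carries its reason, because the criteria may be questioned later."""
    kept, eliminated = [], []
    for r in records:
        if r["sha256"] in known_hashes:
            eliminated.append((r["path"], "known file (hash match)"))
        elif r["detected_type"] in wanted_types:
            kept.append(r)
        else:
            eliminated.append((r["path"], f"verified type {r['detected_type']!r} not of interest"))
    return {"kept": kept, "eliminated": eliminated}


def demo() -> dict:
    """Constructed sample: a GIF, a JPEG hidden behind a .txt extension, a .jpg that is
    plain text, and a benign file present in the known-hash set."""
    workdir = tempfile.mkdtemp()
    samples = {
        "photo.gif": b"GIF89a" + b"\x00" * 20 + b";",
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9",  # JPEG renamed to hide it
        "holiday.jpg": b"just some text, not an image",                 # mismatch the other way
        "readme.txt": b"standard system documentation",
    }
    paths = []
    for name, content in samples.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(content)
        paths.append(p)
    known = {hashlib.sha256(samples["readme.txt"]).hexdigest()}
    records = harvest(paths)
    result = reduce_set(records, known, wanted_types={"jpeg", "gif"})
    return {
        "kept": [os.path.basename(r["path"]) for r in result["kept"]],
        "eliminated": [(os.path.basename(p), why) for p, why in result["eliminated"]],
        "mismatches": [os.path.basename(r["path"]) for r in records if r["mismatch"]],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```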
To facilitate a thorough analysis, it is advisable to organize the reduced set of
material from the previous step, grouping, tagging, or otherwise placing them
into meaningful units. At this stage it may be advantageous to actually group
certain files physically to accelerate the analysis stage. They may be placed
in groups using folders or separate media storage or in some instances a
database system may be employed to simply point to the cataloged file system
objects for easy, accurate reference without having to use rudimentary search
capability offered by most host operating systems.
The primary purpose of this activity is to make it easier for the investigator
to find and identify data during the analysis step and allow them to reference
these data in a meaningful way in final reports and testimony. This activity
may incorporate different levels of search technology to assist investigators in
locating potential evidence. A searchable index of the data can be created to
enable efficient review of the materials to help identify relevant, irrelevant,
and privileged material. Any tools or technology used in this regard should be
understood fully and the operation should follow as many accepted standards
as exist. The results of this stage are data organization attributes that enable
repeatability and accuracy of analysis activities to follow.
This step involves the detailed scrutiny of data identified by the preceding
activities. The techniques employed here will tend to involve review and study
of specific, internal attributes of the data such as text and narrative meaning
of readable data, or the specific format of binary audio and video data items.
Additionally, class and individual characteristics found in this step are used to
establish links, determine the source of items, and ultimately locate the
offender. Generally, analysis includes these subcategories (including but not
limited to):
■ Assessment (content and context) – Human readable (or viewable) digital data objects
have content or substance that can be perceived. That substance will be scrutinized
to try to determine factors such as means, motivation, opportunity.
■ Experimentation – A very general term but applied here to mean that unorthodox or
previously untried methods and techniques might be called for during investigations.
All proven methodologies began as experiments so this should come as no
surprise especially when applying the scientific method. What remains crucial is
that all experimentation be documented rigorously so that the community, as well
as the courts, have the opportunity to test it. Eventually, experimentation leads to
falsification or general acceptance.
■ Fusion and correlation – These terms are subtly distinct. During the course of the
investigation, data (information) have been collected from many sources (digital
and non-digital). The likelihood is that digital evidence alone will not tell the full
tale. The converse is also true. The data must be fused or brought together to
populate structures needed to tell the full story. An example of Fusion would be
the event timeline associated with a particular case or incident. Each crime or
incident has a chronological component where event or actions fill time slices.
This typically answers the questions where, when, and sometimes how? Time slices
representing all activities will likely be fused from a variety of sources such as digital
data, telephone company records, e-mail transcripts, suspect and witness statements.
Correlation is related but has more to do with reasoned cause and effect. Do the
data relate? Not only does event B follow event A chronologically, but the substance
(e.g. narrative, persons, or background in a digital image) of the events shows with
high probability (sometimes intuition) that they are related contextually.
■ Validation – This is the output or result of the Analysis stage. It is the reasoned
findings that investigators propose to submit to jurists or other decision makers
as “proof positive” for prosecution or acquittal.
A failure to assess digital evidence objectively and to utilize experimentation,
fusion, and correlation to validate it can lead to false conclusions and
personal liability, as demonstrated in the following examples.
Investigators thought they had found the killer of a 54-year-old hotel waitress
Vidalina Semino Door when they obtained a photograph of Jason Liser from an
ATM where the victim’s bank card had been used. Despite the bank manager’s
warning that there could be a discrepancy between the time indicated on the tape
and the actual time, Liser’s photograph was publicized and he was subsequently
arrested but denied any involvement in the murder. A bank statement confirmed
that Liser had been at the ATM earlier that night but that he had used his
girlfriend’s card, not the murder victim’s. Investigators made an experimental
withdrawal from the ATM and found that the time was significantly inaccurate and
that Liser had used the ATM before the murder took place. Eventually, information
relating to the use of the victim’s credit card several days after her death implicated
two other men who were convicted for the murder. Liser sued the District of
Columbia and Jeffrey Smith, the detective responsible for the mistaken arrest, for
false arrest and imprisonment, libel and slander, negligence, and providing false
information to support the arrest. The court dismissed all counts except the
negligence charge. The court felt that Smith should have made a greater effort to
determine how the bank surveillance cameras operated or consulted with someone
experienced with this type of evidence noting, “The fact that the police finally
sought to verify the information – and quickly and readily learned that it was
inaccurate – after Liser’s arrest certainly does not help their cause”. Liser’s lawsuit
against Bank of America for negligence and infliction of emotional distress due to
the inaccuracy in the timing mechanism was dismissed.
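The Liser case turns on an ATM clock that was out of step with real time. The following added example (not from the book, with every timestamp, offset and source name constructed) fuses records from several sources into one timeline after correcting each by its measured clock offset, and shows how the uncorrected camera time places the withdrawal after the incident while the corrected time places it before; a source whose offset was never measured is carried but flagged as unverified.

```python
"""Fusion and correlation: build one timeline from sources whose clocks are not
in step (added example, not from the book). Modelled on the ATM-camera case,
but all times, offsets and source names are constructed.

Assumption: a source's clock error is measured against a reference (as the
investigators did with an experimental withdrawal) before its records are fused.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Source:
    name: str
    # Measured (source clock - true time). None means the offset was never verified.
    offset: Optional[timedelta]


@dataclass
class Event:
    source: Source
    recorded_at: datetime  # as the source's own clock stamped it
    description: str

    @property
    def true_time(self) -> datetime:
        """Correct the stamp by the measured offset; unverified sources are left as stamped."""
        return self.recorded_at - (self.source.offset or timedelta(0))


def fuse_timeline(events: List[Event]) -> List[dict]:
    """Order events by corrected time and carry each source's verification status,
    so the reader of the timeline can see which slices rest on an unchecked clock."""
    rows = []
    for e in sorted(events, key=lambda ev: ev.true_time):
        rows.append({
            "time": e.true_time,
            "source": e.source.name,
            "verified_clock": e.source.offset is not None,
            "description": e.description,
        })
    return rows


def precedes(timeline: List[dict], first: str, second: str) -> Optional[bool]:
    """Did `first` occur before `second` on the fused timeline? None if either is absent."""
    times = {row["description"]: row["time"] for row in timeline}
    if first not in times or second not in times:
        return None
    return times[first] < times[second]


def demo() -> dict:
    """Constructed scenario: the camera clock runs 2 h 15 min fast, so a withdrawal
    stamped after the incident actually happened before it."""
    camera = Source("ATM camera", offset=timedelta(hours=2, minutes=15))
    camera_unverified = Source("ATM camera (as first read)", offset=None)
    bank = Source("bank transaction log", offset=timedelta(0))
    witness = Source("witness statement", offset=timedelta(0))
    stamped = datetime(2003, 5, 1, 23, 40)   # constructed; what the tape showed
    incident = datetime(2003, 5, 1, 22, 30)  # constructed; time of the incident
    photo, report = "suspect photographed at ATM", "incident reported"
    events = [
        Event(camera, stamped, photo),
        Event(bank, datetime(2003, 5, 1, 21, 25), "withdrawal with the suspect's own card"),
        Event(witness, incident, report),
    ]
    # Timeline built before the camera clock was checked against a reference.
    naive = fuse_timeline([Event(camera_unverified, stamped, photo), Event(witness, incident, report)])
    corrected = fuse_timeline(events)
    return {
        "naive_after_incident": precedes(naive, report, photo),
        "corrected_before_incident": precedes(corrected, photo, report),
        "corrected_timeline": corrected,
    }


if __name__ == "__main__":
    out = demo()
    print("uncorrected: photo after incident?", out["naive_after_incident"])
    print("corrected:   photo before incident?", out["corrected_before_incident"])
    for row in out["corrected_timeline"]:
        flag = "" if row["verified_clock"] else " [clock unverified]"
        print(f"{row['time']:%Y-%m-%d %H:%M}  {row['source']}: {row['description']}{flag}")
```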
To provide a transparent view of the investigative process, final reports
should contain important details from each step, including reference to
protocols followed and methods used to seize, document, collect, preserve,
recover, reconstruct, organize, and search key evidence. The majority of the
report generally deals with the analysis leading to each conclusion and
descriptions of the supporting evidence. No conclusion should be written
without a thorough description of the supporting evidence and analysis.
Also, a report can exhibit the investigator or examiner’s objectivity by
describing any alternative theories that were eliminated because they were
contradicted or unsupported by evidence.
In some cases, it is necessary to present the findings outlined in a report and
address related questions before decision makers can reach a conclusion.
A significant amount of effort is required to prepare for questioning and to
convey technical issues in a clear manner. Therefore, this step in the process
includes techniques and methods used to help the analyst and/or domain
expert translate technological and engineering detail into understandable
narrative for discussion with decision makers.
This chapter provided a formalized process to help investigators reach
conclusions that are reliable, repeatable, well documented, as free as
possible from error, and supported by evidence. Heavy reliance on the
scientific method helps overcome preconceived theories, encouraging
investigators to validate their findings by trying to prove themselves wrong,
leading to well-founded conclusions that support expert testimony.
Fundamental concepts such as Locard’s Exchange Principle, class and
individuating characteristics, and establishing continuity of offense were
discussed. The important concepts of case management and analysis were
discussed along with each discrete step in the investigative process. The
ultimate aim of this investigative model is to help investigators and examiners
ascend a sequence of steps that are generally accepted, reliable, and
repeatable, and lead to logical, well documented conclusions of high
integrity. All six tenets have a common purpose – to form the most persuasive
argument possible based upon facts, not supposition, and to do so
considering the legal criteria for admissibility.
The success of each step of the investigative process is dependent on
preparation in the form of policies, protocols, procedures, training, and
experience. Anyone responding to an accusation or incident should already
have policies and protocols to follow and should have the requisite knowledge
and training to follow them. Similarly, anyone processing and analyzing
digital evidence should have standard operating procedures, necessary tools,
and the requisite training to implement them.
Carrier B. and Spafford E. H. (2003) “Getting Physical with the Digital Investigation
Process”, International Journal of Digital Evidence, Volume 2, Issue 2 (Available
online at
Gross H. (1924) Criminal Investigation, London: Sweet & Maxwell
Korn H. (1966) “Law, Fact, and Science in the Courts”, 66 Columbia Law Review 1080,
Popper K. R. (1959) Logic of Scientific Discovery, London: Hutchinson
Saferstein R. (1998) Criminalistics: An Introduction to Forensic Science, Sixth Edition.
Upper Saddle River, NJ: Prentice Hall
Sobel D. (1999) “Galileo’s Daughter: A Drama of Science, Faith, and Love”, London:
Fourth Estate
Thornton J. I. (1997) “The General Assumptions and Rationale of Forensic
Identification”, for David L. Faigman, David H. Kaye, Michael J. Saks, & Joseph
Sanders, Editors, Modern Scientific Evidence: The Law and Science of Expert
Testimony, Volume 2, St. Paul, MN: West Publishing Company
United Kingdom Association of Chief Police Officers (2003) “The Good Practices Guide
for Computer Based Electronic Evidence”, National High-tech Crime Unit (Available
online at Guide v3.0.pdf)
United States Department of Justice (2001) “Electronic Crime Scene Investigation: A
Guide for First Responders”, National Institute of Justice, NCJ 187736 (Available
online at
Liser v. Smith (2003) District Court, District of Columbia, Case Number 00-2325 (Available
online at
United States v. Hilton (1997) District Court, Maine, Case Number 97-78-P-C (Available
online at