Forensics and Digital Evidence
Forensics is a discipline that uses standardized techniques to pull apart an event, analyze what happened, and reach a more accurate conclusion than witness testimony alone can provide. For centuries, lacking even rudimentary techniques like fingerprinting or blood type analysis, the legal system relied on confessions and witness testimony. We may turn to Ancient Greece for one of the first recorded examples of a type of forensic inquiry. In the anecdote of Archimedes, the scholar was asked by the King to determine if a crown made for him was pure gold or contained silver. It seems the King had supplied pure gold, but suspected the goldsmith of being dishonest. Archimedes had noticed that the level of the water in the tub rose while he was bathing. He surmised that different objects displace different amounts of water. Using a mathematical calculation, he determined during his famous "Eureka" moment that silver had actually been mixed in, and the goldsmith was punished (Archimedes' Principle, 2004).
As science improved, so did the use of forensic evidence within the Court system. Science, in fact, attempts to find answers and thus, over time, techniques evolve and are tested. These new techniques may be controversial at the time, but once they are subjected to scientific inquiry and go through the process of peer-reviewed journals and testing, they become validated. Fingerprinting, for instance, was at one time considered unusable and inaccurate, and then became the standard technique for crime scene analysis. Similarly, DNA evidence required higher levels of accuracy and reliability and is now a global tool in fighting crime. Each succeeding generation will use the technology that is standard and available to find the best answers within the legal system, particularly those that use a scientific approach to collection, experimentation and dissemination of evidence (Quinche and Margot, 2010).
Particularly when new techniques are involved, it is vital that the standard scientific method, an agreed-upon approach of testing, data collection, replication and dissemination of results, be used. When techniques change, as with the introduction of DNA or digital evidence, forensic science must have a way to compare issues, findings from the scene of the crime, laboratory testing, and robust analysis of the materials to prove to the Courts that detection methods were carried out in such a way that there is evidence "beyond the shadow of a reasonable doubt" to present to the Court. The basic paradigms of "What happened?" "Why did it happen?" "How did it happen?" are thus appropriate for the methodology and the types of questions a forensic specialist addresses when searching for the truth. This is important to forensics as we introduce digital evidence in crime scene management, methodology, and reporting information to the Court. Overall, this consists of: 1) Formulation of a hypothesis, or use of a hypothesis, to explain an event or phenomenon; 2) Use of the hypothesis to predict the existence of other phenomena, or to predict quantitatively the results of new observations; 3) Performance of experimental tests of the predictions by several independent experimenters; 4) Testing of the evidence in peer review and proving its worth (technique or result) to the Court (Young, 2010).
As technologies have changed, so has the type of evidence that is used within a forensics model. In general, digital or electronic evidence is any evidence of probative value that is stored or transmitted in electronic or digital form. This is, however, more complicated than simply replacing paper evidence with digital evidence, since the digital evidence is usually something filmed, photographed, or obtained that may be challenged in a Court of Law. Therefore, before accepting digital evidence, individual Courts tend to determine if it is authentic and relevant, how...
Simply for reasons of convenience in storage, professionalism in tone, and accuracy, Courts have allowed greater use of emails, digital photography, ATM transaction logs, word processing documents, texts or instant message histories, computer memory (backups, printouts, etc.), GPS data and logs, logs from door locks, and digital/video files (Casey, 2010).
Different legal systems have established different rules for digital evidence. In the United States, Courts have applied the Federal Rules of Evidence to electronic evidence in the same way as they have to traditional documentation. New technologies and more secure ways of storage mean that digital evidence tends to be more difficult to modify or destroy if kept in secure locations, yet it is more readily available, can be more expensive, and, with the right tools, more easily duplicated or modified. Because of this, Courts often take extra steps to authenticate the evidence, as well as prove best evidence and privilege. In 2006, for instance, digital evidence was attacked with the notion that it could be modified easily; however, Courts are leaning towards rejecting the tampering argument due to techniques that log file changes, keep certain data secure, and even firewalls that protect documents from being modified at all (Ryan & Shpantzer, 2009).
Digital evidence is not a single entity governed by a single rule. For instance, photography has gone digital, and thus crime scene photos of shoe prints, tire treads, the condition of bodies, etc. are typically accepted without the need for authentication, as long as they have a clear chain of evidence. However, in most areas, a warrant is needed to seize and analyze digital evidence from a crime scene or a suspect's home or office. Then, a second "property" warrant is often needed, and in the same manner a warrant for electronic bank records, phone records, the contents of phone or device memory, etc. Indeed, as society moves even further into the digital world, it becomes even more necessary to follow procedure within legal traditions that set rules and standards for technology as a law enforcement tool, as well as part of contemporary evidence (Ami-Narh & Williams, 2008).
Digital evidence, however, almost always requires additional steps to turn the material into evidence (printing out the material, posting on a computer, etc.). Some argue that this change of format does not qualify for evidentiary procedures, but the Federal Rules of Evidence now state that "if data are stored in a computer . . . any printout or other output readable by sight . . . is an 'original'" (U.S. Government, 2012). Similarly, there are issues surrounding the storage of digital materials and the maintenance of their chain of custody. In this case, there are now international protocols that require a certain series of procedures and techniques to ensure the integrity of the data. Storage must be in a locked area, sometimes with more than one lock, must have levels of security available, must have a means of recording access, and must have a way to legally preserve and protect the evidence for trial. This may include, in some cases, transferring the data from one device to another (e.g. downloading emails or text lists from one device to a USB device for analysis and printing into hardcopy, etc.) (ACPO, 2012).
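An added example (not part of the original essay) of one common way to meet the integrity and access-recording requirements described above: a cryptographic digest shows that a working copy matches the seized original, and a hash-chained access log makes later edits to the record detectable. The choice of SHA-256, the record fields, the names and the file contents are assumptions made for illustration.

```python
import hashlib, json, os, pathlib, shutil, tempfile
GENESIS = "0" * 64  # "previous hash" used by the first log entry

def sha256_file(path, chunk=1 << 20):  # chunked: large images need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, who, action, item_sha256, when):
    """Append an access record that commits to the record before it."""
    entry = {"who": who, "action": action, "item_sha256": item_sha256,
             "when": when, "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)

def log_is_intact(log):
    """False if any record was edited, removed or reordered afterwards."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def transfer(src, dst, log, who, when):
    """Copy evidence to working media; log it only if the copy is bit-identical."""
    original = sha256_file(src)
    shutil.copyfile(src, dst)
    if sha256_file(dst) != original:
        raise ValueError("copy differs from original; not usable as evidence")
    record(log, who, "copied to " + os.path.basename(dst), original, when)
    return original

def demo():
    """Constructed sample: seize a file, make a working copy, then edit the log."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "seized.eml"), os.path.join(d, "working.eml")
        pathlib.Path(src).write_bytes(b"Subject: constructed sample\r\n")
        log = []
        record(log, "Officer A", "seized", sha256_file(src), "2012-03-01T09:00Z")
        digest = transfer(src, dst, log, "Examiner B", "2012-03-02T14:30Z")
        edited = [dict(log[0], who="Officer X")] + log[1:]  # a later edit to a record
        return digest == sha256_file(dst), log_is_intact(log), log_is_intact(edited)
```

The chain only detects changes made after a record was written; the log itself still has to be kept under the access controls the paragraph above describes.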
Finally, as technology influences society, it also affects the criminal element within society. Therefore, it is vital that law enforcement also adapt its techniques for fighting crime. Thus, law enforcement agencies must build electronic forensics into their infrastructure, train officers to collect and maintain digital evidence, and ensure that the appropriate tools are available to investigate, analyze, store, and report digitally-based evidence (National Institute of Justice, 2010).
ACPO. (2012, March). Good Practice Guide for Digital Evidence. Retrieved from datarecoveryspecialists.co.uk: http://www.datarecoveryspecialists.co.uk/cms/ckfinder/userfiles/files/digital-evidence-2012.pdf
Ami-Narh, J., & Williams, P. (2008, May). Digital forensics and the legal system: A dilemma of our times.…