When Enron filed for bankruptcy in December 2001, numerous employees were left unemployed while some executives appeared to gain from the company's downfall. The U.S. Congress launched an investigation after receiving reports of corporate wrongdoing. A significant portion of this investigation relied on computer files as evidence. A specialized team of investigators began combing through the computers of Enron employees using digital forensics.
The goal of digital forensics is to examine, secure, and analyze data stored on computer systems to uncover potential trial evidence. While many traditional crime scene techniques have digital equivalents, there are also distinct factors involved in digital investigations.
For instance, simply accessing a computer file alters it—the system logs the exact time and date the file was accessed. If detectives seize a computer and begin opening files, it's impossible to confirm that nothing was altered in the process. Lawyers may challenge the integrity of the evidence when the case reaches court.
Some argue that relying on digital data as evidence is problematic. If computer information can be easily altered, how can it be trusted as solid proof? While many nations accept digital evidence in court, this could change if such evidence is found unreliable in future trials.
As computers continue to grow in power, the field of digital forensics must adapt. In the early days, a single investigator could sift through files due to limited storage capacity. Today, with hard drives storing gigabytes and even terabytes of data, the task has become overwhelming. Investigators must innovate to search for evidence efficiently without overextending resources.
What are the fundamental concepts of digital forensics? What should investigators search for, and where should they begin? Find out in the next section.
Vincent Liu, an expert in computer security, used to create anti-forensic tools—not to obscure his actions or hinder investigators, but to show that computer data can be unreliable and shouldn't serve as courtroom evidence. Liu argues that digital forensics tools aren't perfect, and relying on digital evidence could lead to mistakes [source: CSO].
Introduction to Computer Forensics
The field of digital forensics is still relatively new. In the early stages of computing, courts treated evidence from computers just like any other form of evidence. However, as computers grew more advanced, courts began to realize that computer evidence could easily be altered, corrupted, or destroyed.
Investigators recognized the need to create specialized tools and methods to examine computers for evidence without tampering with the data. Detectives collaborated with computer scientists to determine the best procedures and tools for retrieving evidence from computers. Over time, these methods formed the foundation of the digital forensics field.
Typically, detectives must obtain a warrant to search a suspect's computer for evidence. The warrant must specify where the search is allowed to take place and what type of evidence the detectives are authorized to look for. In other words, a detective cannot simply execute a warrant and search any area or for anything suspicious. Furthermore, the warrant cannot be overly broad. Judges generally require that detectives be as specific as possible when requesting a warrant.
For this reason, it is crucial for detectives to conduct thorough research on a suspect before applying for a warrant. For example, if a detective obtains a warrant to search a suspect's laptop, but upon arriving at the suspect's residence discovers a desktop PC, the detective is not legally permitted to search the desktop since it was not included in the original warrant.
Every computer investigation is unique in its own way. Some may take just a week to complete, while others might span several months. Here are a few factors that can influence the duration of an investigation:
- The skills and experience of the detectives
- The number of computers being examined
- The volume of data the detectives must sift through (hard drives, CDs, DVDs, and USB drives)
- Whether the suspect tried to conceal or erase data
- The existence of encrypted files or files protected by passwords
What are the steps involved in gathering evidence from a computer? Keep reading to find out.
The plain view doctrine grants investigators the right to seize any evidence that is clearly visible during a search. If, for example, a detective spots evidence of a crime on the screen of the suspect's desktop PC, the detective can use that as evidence against the suspect and proceed to search the PC, even if it was not listed in the original warrant. However, if the PC is turned off, the detective cannot search it and must leave it undisturbed.
Stages of a Digital Forensics Investigation
Judd Robbins, a renowned computer scientist and leading authority in the field of computer forensics, outlines the following steps investigators should take to recover computer evidence:
- Secure the computer system to protect both the equipment and the data. This requires detectives to ensure no unauthorized access is possible, and if the system is connected to the Internet, the connection must be terminated.
- Identify every file on the system, including encrypted, password-protected, hidden, or deleted files that haven’t been overwritten. Investigators should create copies of all the files on the system, whether from the hard drive or other storage devices. Since accessing a file can alter it, working from copies ensures that the original system remains intact and unchanged.
- Recover deleted data with software designed to detect and retrieve it.
- Use tools to uncover hidden files and reveal any concealed data.
- Decrypt and access files that are protected by encryption.
- Examine specialized areas of the computer’s storage, including those that are typically inaccessible. This includes unallocated space on the hard drive, which may contain fragments of files relevant to the investigation.
- Record every action taken during the process. Proper documentation is crucial for proving that the investigation preserved the system’s data without altering or damaging it. Since trials may occur long after an investigation, failing to document the procedure may render the evidence inadmissible. Robbins recommends that the documentation should include a report on the system’s layout, detailing any encryption or hidden files.
- Prepare to provide expert testimony in court on computer forensics. Even after completing an investigation, detectives may need to testify as expert witnesses [source: Robbins].
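To show how the deleted-data recovery and unallocated-space steps above actually work, here is an added Python example (not from Robbins or the original article): a minimal file carver that scans a constructed region of unallocated space for JPEG and PNG header and trailer signatures and cuts out each file it finds, including a fragment whose tail has already been overwritten.

```python
from __future__ import annotations

# Constructed signature table: (header bytes, trailer bytes) for two image formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(unallocated: bytes) -> list[tuple[str, int, bytes]]:
    """Scan raw bytes for known headers and cut each file out up to its trailer.
    Returns (format, offset, data) tuples sorted by offset. The file system's
    directory entries are gone, so only the content signatures are available."""
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = 0
        while (pos := unallocated.find(header, start)) != -1:
            end = unallocated.find(trailer, pos + len(header))
            if end == -1:
                # Header with no trailer: the file's tail was overwritten.
                # Keep the fragment (to the end of the region) for the analyst.
                found.append((kind, pos, unallocated[pos:]))
                break
            end += len(trailer)
            found.append((kind, pos, unallocated[pos:end]))
            start = end
    return sorted(found, key=lambda f: f[1])

# Constructed "unallocated space": zero-filled sectors holding two deleted files
# and a third whose trailer was overwritten. Not data from a real disk.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 16 + b"IEND\xaeB`\x82"
TRUNCATED = b"\xff\xd8\xff\xe0" + b"T" * 8
UNALLOCATED = (b"\x00" * 512 + JPEG + b"\x00" * 100 + PNG
               + b"\x00" * 64 + TRUNCATED + b"\x00" * 40)

def recovered_types() -> list[str]:
    """Formats recovered, in disk order; the last one is the partial JPEG."""
    return [kind for kind, _, _ in carve(UNALLOCATED)]
```

Real carvers add per-format size limits and validate internal structure, because a bare header match on a large drive produces many false positives.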
While each of these steps is critical, the first one is paramount. Without proof that the computer system was secured, any evidence found may be deemed inadmissible. Additionally, the job has grown more complex over time. In the past, an investigation might have involved a PC and a few floppy disks, but today’s systems may involve multiple computers, external drives, thumb drives, peripherals, and even Web servers.
Some criminals have devised methods to complicate the investigation process. They use programs called anti-forensics to make it more difficult for detectives to retrieve data from their systems. Investigators must be aware of these tools and know how to disable them to gain access to the information.
What exactly are anti-forensics, and how do they work? Stay tuned to learn more in the next section.
When a file is deleted, the computer simply moves it to a different directory. Once the recycle bin is emptied, the computer marks the space where the file was stored as available for use. However, the file remains intact until new data overwrites it. With the appropriate software, deleted files can be recovered as long as they haven’t been overwritten yet.
Anti-Forensics
In some cases, if the anti-forensic tactics used are severe enough, investigators might never be able to access the computer system.

Anti-forensics can pose a significant challenge for computer investigators. These tools are intentionally created by programmers to complicate or even prevent data retrieval during an investigation. Simply put, anti-forensics encompasses any method, device, or software that disrupts a computer forensics inquiry.
There are numerous techniques for concealing information. Some programs can manipulate file headers, which are usually invisible to users but crucial for identification by the system. A file's header indicates its type, even if the file's name is changed. For example, renaming an mp3 file to have a .gif extension doesn’t change its true format, as the header still shows it’s an mp3. Certain tools allow modifications to these headers, causing the computer to misidentify the file. Detectives searching for specific file formats could overlook critical evidence because it appears irrelevant due to the altered header information.
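The header-versus-extension check described above, as an added Python example that is not part of the original article: the signature table, file names and byte samples are constructed. It flags the renamed MP3 from the text, accepts an honest PNG, and shows why a rewritten header (the last sample) slips past a signature-based check.

```python
from __future__ import annotations
import os

# Constructed table of leading "magic" bytes: (format, offset, expected bytes).
MAGIC = [
    ("gif", 0, b"GIF8"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpg", 0, b"\xff\xd8\xff"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("mp3", 0, b"ID3"),  # MP3 carrying an ID3v2 tag
]
# Extensions that legitimately share a header (Office documents are zip containers).
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip"}

def identify(data: bytes) -> str | None:
    """Return the format implied by the header bytes, ignoring the file name."""
    for kind, offset, magic in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None

def check_extension(name: str, data: bytes) -> tuple[str, str | None, bool]:
    """Compare the claimed extension with the header-derived type.
    Returns (claimed, actual, mismatch)."""
    claimed = os.path.splitext(name)[1].lstrip(".").lower()
    claimed = ALIASES.get(claimed, claimed)
    actual = identify(data)
    # Unknown header: nothing contradicts the name, so it is not flagged.
    # This is exactly the gap an altered header exploits.
    mismatch = actual is not None and claimed != actual
    return claimed, actual, mismatch

# Constructed samples: an MP3 renamed to .gif (the case from the text), an honest
# PNG, a zip-based document, and a GIF whose header bytes were altered.
SAMPLES = {
    "holiday.gif": b"ID3\x04\x00" + b"\x00" * 20,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "banner.gif": b"XYZ8" + b"\x00" * 16,
}

def flagged() -> list[str]:
    """Names whose extension disagrees with the header."""
    return [n for n, d in SAMPLES.items() if check_extension(n, d)[2]]
```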
Some programs can fragment files into small sections and scatter them across different files. Files often contain unused spaces, known as slack space. With the appropriate software, it’s possible to hide files within this slack space. Recovering and reconstructing the hidden data is an exceptionally difficult task.
It’s also possible to embed one file within another. Executable files – files recognized by computers as programs – can be especially tricky. Tools known as packers are capable of embedding executable files into different file types, while binders can combine multiple executable files into one.
Encryption serves as another method of concealing data. This involves applying a set of complex rules, called an algorithm, to render the data unreadable. For example, an algorithm might transform a readable text file into an incomprehensible string of numbers and symbols. To access the original data, one would need an encryption key, which reverses the process and decodes the symbols into readable text. Without the key, investigators must rely on specialized software to break the encryption. The more advanced the encryption algorithm, the longer it will take to crack it.
Certain anti-forensic tools can manipulate the metadata attached to files. Metadata includes details such as when a file was created or last modified. Ordinarily the operating system maintains this information automatically, but some software lets users rewrite it. For instance, a file's metadata might show a creation date years in the future, or a last-access date centuries in the past. When metadata has been tampered with, it becomes much harder to treat the evidence as reliable.
Some software programs are designed to wipe data if an unauthorized attempt is made to access the system. Developers have studied how computer forensics tools function and created applications aimed at blocking or sabotaging these programs. When forensics experts encounter such threats, they must apply creativity and caution to retrieve the data.
Some individuals utilize anti-forensics to highlight the inherent vulnerability and unreliability of digital evidence. If it's unclear when a file was created, accessed, or even if it ever existed, how can one trust computer evidence in court? While this is a legitimate concern, many countries do accept computer evidence in legal proceedings, though the specific criteria for admissibility differ from one country to the next.
So, what exactly defines the standards of evidence? We'll explore this in the following section.
Standards of Computer Evidence
In the United States, there are detailed guidelines governing the seizure and use of computer evidence. The U.S. Department of Justice publishes a manual titled "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." This document outlines the criteria for when investigators can include computers in a search, what types of information are admissible, how the rules of hearsay apply to digital data, and the procedures for conducting a search.
If investigators determine that the computer is merely functioning as a storage device, they are typically not permitted to seize the hardware itself. This restricts evidence collection to what is found in the field. However, if the investigators believe the hardware is itself evidence, they can seize the hardware and remove it for further investigation. For instance, if the computer is suspected to be stolen, the investigators can confiscate the hardware.
For computer evidence to be admissible in court, the prosecution must authenticate it. This means they need to prove that the data presented as evidence came from the defendant's computer and has not been tampered with.
Although it's widely recognized that altering computer data is both feasible and relatively simple, U.S. courts haven't outright rejected computer evidence. Instead, the courts demand proof or indications of tampering before dismissing such evidence.
Another key factor considered by the courts when dealing with computer evidence is hearsay. Hearsay refers to statements made outside of a courtroom, which are typically inadmissible. However, the courts have ruled that information found on a computer is generally not considered hearsay and can be used as evidence. If the computer records contain statements made by individuals, like those found in e-mail messages, the court must assess their reliability before allowing them to be used as evidence. This evaluation is done on a case-by-case basis.
Computer forensics specialists rely on a variety of fascinating tools and applications during their investigations. Discover more about them in the following section.
One significant challenge faced by computer investigators is that while cybercrimes have no geographical boundaries, legal systems do. What may be illegal in one country could be perfectly acceptable in another. Additionally, there are no universally agreed-upon international guidelines for collecting digital evidence. Some nations are working towards establishing these guidelines. The G8, which includes the United States, Canada, France, Germany, Great Britain, Japan, Italy, and Russia, has outlined six key principles for computer forensics. These principles focus on maintaining the integrity of evidence.
Computer Forensics Tools
Even with a limited budget, no reputable investigator would resort to forcibly opening a computer to uncover evidence.

Many developers have built a range of computer forensics tools. For most police departments, the selection of these tools largely depends on available funding and the technical proficiency of the staff.
Below are several computer forensics tools and programs that facilitate investigations into digital evidence:
- Disk imaging software captures both the structure and contents of a hard drive. It enables investigators not just to copy the data, but to preserve the organization of files and their interrelations.
- Write-blocking tools (both software and hardware) allow for the bit-by-bit duplication of hard drives while ensuring no data on the source is altered. In some cases, investigators must remove the hard drive from the suspect's machine before proceeding with copying.
- Hashing tools generate unique identifiers for hard drives. When comparing an original and a copied drive, if their hash values match, it confirms that the copy is a perfect duplicate.
- File recovery tools help investigators locate and restore data marked for deletion but not yet overwritten. The recovered data may be incomplete, presenting additional challenges for analysis.
- Memory-capture tools preserve the contents of a computer's random access memory (RAM), which is lost once the computer is turned off. Without the appropriate tools, this data cannot be recovered afterwards.
- Analysis software scans the entire hard drive to locate specific files. Searching large volumes of data manually is time-consuming and impractical. Some tools, for instance, examine Internet cookies to gain insight into the suspect's online activities, while others search for targeted content within the system.
- Encryption decoding and password cracking software are critical in bypassing security measures to access protected data.
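The hashing step in the tool list, and the documentation requirement from the Stages section, as one added Python example that is not from the original article: the "drive" is a constructed byte string and the examiner name is a placeholder. It images the source, hashes both sides, writes the record an examiner would keep, and shows that a single flipped bit in the copy is detected when the image is re-verified later.

```python
from __future__ import annotations
import hashlib
from datetime import datetime, timezone

CHUNK = 4096  # hash one block at a time, as an imager reading a real drive would

def sha256_of(data: bytes) -> str:
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()

def acquire(source: bytes, examiner: str) -> tuple[bytes, dict]:
    """Bit-for-bit copy of the source, hashed before and after, plus the entry
    an examiner would add to the case documentation."""
    source_hash = sha256_of(source)
    image = bytes(source)  # bit-for-bit copy
    image_hash = sha256_of(image)
    record = {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(source),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }
    return image, record

def verify(image: bytes, record: dict) -> bool:
    """Re-hash the image later (for example before trial) against the record."""
    return sha256_of(image) == record["image_sha256"]

# Constructed "suspect drive": a few sectors of repeating bytes, not a real disk.
SOURCE = bytes(range(256)) * 40

def demo() -> tuple[bool, bool]:
    """Returns (image verifies unchanged, image verifies after one bit flip)."""
    image, record = acquire(SOURCE, examiner="EXAMINER-PLACEHOLDER")
    ok_now = verify(image, record)
    tampered = bytearray(image)
    tampered[100] ^= 0x01  # one bit changed anywhere breaks the match
    return ok_now, verify(bytes(tampered), record)
```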
These tools can only serve their purpose if investigators adhere to proper procedures. Otherwise, a skilled defense attorney could argue that any evidence obtained during a computer investigation lacks credibility. Some anti-forensics specialists even claim that no computer evidence can ever be fully reliable.
The future of computer evidence in the courts remains uncertain. Anti-forensics experts believe that it's only a matter of time before someone proves in court that it's possible and feasible to manipulate computer data without detection. If that happens, courts may face challenges in justifying the acceptance of computer evidence in legal proceedings.
Cell phones hold a wealth of valuable information. Since a cell phone is essentially a compact computer, several computer forensics companies have developed devices capable of copying all the data stored on a cell phone and generating detailed reports. These tools can retrieve everything from text messages to ringtones.
