Digital Evidence & Forensics

“Digital evidence is widely regarded by judges, juries and law enforcement as valuable, accurate and impartial” (Kessler (2009)).

Locard’s Exchange Principle (1910) states that “every exchange leaves a trace” and is a founding statement of forensic science, digital or otherwise. Forensic evidence used to secure a criminal conviction has become commonplace in the last twenty years or so, and the science has developed processes over many years to guarantee that its findings are accurate. As a result, those responsible for international law enforcement and for rulings in courts (judges, juries and legal professionals) recognise the evidence as trustworthy.

With the advent of cybercrime, Locard’s principle remains true in the majority of cases involving technology: most computer-based operations leave a trace, be it the recording of an email’s source and server route, the ability to recover deleted data (even if seemingly irrecoverable) from a hard disk, or the ability to trace user actions across global networks; the possibilities are endless.

Forensic processes in the digital world are similar to those in traditional forensic science (such as chemistry, fingerprinting, DNA testing, record auditing, dental records, medical procedures, physics and firearms ballistics) in that, in terms of data, they must identify, collect, preserve, examine, analyse and report (Kessler (2009)); without this process there is no framework for acceptance of the science by those who seek to rely upon it. Without reliability, integrity and veracity, those not involved in the science itself are highly unlikely to accept it as a trustworthy source of evidence. This need for acceptance is even more crucial given that the legal process must accept the evidence produced by these procedures, and a court can rule inadmissible anything that has not been collected in a legally approved way.

Digital forensic processes differ from traditional forensic processes. Traditional forensic methods are largely ones of comparison, whereas digital methods are usually about finding new information. For example, DNA has existed for millions of years and, having obtained a forensic DNA sample, it can be compared against a database of (or a suspect’s) DNA to check for a match; looking for evidence of stolen credit card data or child pornography on a PC, however, has no basis of comparison. In addition, digital forensics is a relatively new science based on ever-changing technology and techniques, requiring that the computing professionals responsible consistently evolve their processes and tools, whereas traditional forensics need only concentrate on the science aspect, i.e. the makeup of DNA doesn’t change, only the science used to analyse it. It is therefore extremely difficult to have a formally fixed and legally approved set of tools and processes in digital forensics, and “digital evidence has proven more difficult to analyze than physical evidence” (Allen (2005)).

A court-approved method of evidence gathering cannot change quickly enough to allow the computing professional to keep pace with changing technology, so certain characteristics of the forensic process have largely been adopted into the digital science while enough flexibility is allowed to maintain the ability to provide meaningful evidence. This flexibility can, however, cause issues of interpretation and misrepresentation in legal terms, so formalised processes are still emerging and will inevitably change as technology changes. Many people outside the computing profession are not sufficiently up to date with the techniques that can be used to falsify digital evidence: logs, dates, emails and any other data bar imaging (which is considered to be the only digital forensic science, according to Kessler (2009)) can be manipulated to present distorted evidence without tight process controls and independent analysis.

In the UK, seizure of evidence is governed by the Police and Criminal Evidence Act (1984), which was amended to include electronic and computerised information in 2003. The Act provides that digital evidence may be seized if the person conducting the search, who must be an official law enforcement officer (police, customs, etc.) acting under proper authority (suspicion or, for the avoidance of doubt, a search warrant issued by a court), has “reasonable grounds for believing that the item has been obtained in consequence of the commission of an offence and that it is necessary to seize the item in order to prevent it being concealed, lost, damaged, altered or destroyed”. In terms of computer data, if it is to be used in evidence then an exact copy of the system state must be taken, allowing independent analysis to produce materially similar reports and so preserve the legality of any professional opinions offered in legal cases. The digital investigation itself is an onerous task and requires considerable skill in determining which processes within the system may allow or prevent useful evidence gathering, especially where sophisticated software techniques can be used to hide, change or destroy incriminating evidence.

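
The “exact copy” and “independent analysis” requirements above rest on being able to prove that a working copy of an image is bit-for-bit the one acquired. The following Python is an added illustration, not part of the original essay or any forensic tool: it hashes an acquired image in chunks, records the digests alongside who acquired it and from where, and lets a second examiner verify a copy (and detect a single altered byte) before analysis. The image bytes, examiner and source names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image. A real acquisition would
# read the write-blocked source device block by block instead.
ORIGINAL_IMAGE = bytes(range(256)) * 64  # 16 KiB of constructed sample data


def hash_image(data: bytes, chunk_size: int = 4096) -> dict:
    """Hash the image in chunks, as an imaging tool must for a large disk.
    Two independent digests are recorded so that a weakness later found in
    one algorithm does not by itself undermine the integrity record."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": len(data)}


def acquisition_record(data: bytes, examiner: str, source: str) -> dict:
    """Build the record that travels with the image: who took it, from where,
    when (UTC), and the digests an independent examiner can recompute."""
    return {
        "examiner": examiner,
        "source": source,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        **hash_image(data),
    }


def verify_copy(copy: bytes, record: dict) -> bool:
    """Before any analysis, confirm the working copy matches the acquired
    image on size and on both digests; any mismatch means the copy is not
    the evidence that was seized."""
    current = hash_image(copy)
    return all(current[key] == record[key] for key in ("md5", "sha256", "size"))


if __name__ == "__main__":
    record = acquisition_record(ORIGINAL_IMAGE, "Examiner A (constructed)", "constructed-source")
    print(json.dumps(record, indent=2))
    print("working copy verifies:", verify_copy(bytes(ORIGINAL_IMAGE), record))
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[100] ^= 0x01  # flip one bit to simulate a manipulated copy
    print("tampered copy verifies:", verify_copy(bytes(tampered), record))
```
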
In conclusion, despite the widespread acceptance of the importance and value of digital evidence, the forensic processes needed to guarantee reliability, integrity and veracity, as required by law, have not been fully developed and approved, nor can they be in such a fast-changing environment. Tools and processes are constantly being developed to support this framework of reliance; however, as with traditional forensic techniques, many years of development and use will be needed before we have a fully working system.

References

Adams, A. & McCrindle, R. (2008) Pandora’s Box: Social & Professional Issues of the Information Age. University of Reading: Wiley.

Allen, W. (2005) Computer Forensics. Florida Institute of Technology published by The IEEE Computer Society. Available via University of Liverpool Online Library (Accessed 17 Mar 2010).

Carrier, B.D. (2006) Basic digital forensic investigation concepts [Online]. Available at http://www.digital-evidence.org/di_basics.html (Accessed 17 Mar 2010).

Kessler, G. (2009) The Acceptability, Usefulness, and Challenges of Digital Forensic Evidence [Online]. Available at http://electronics.wesrch.com/paper_details/pdf/EL11TZ7OSJAIK/challenges_of_digital_forensic_evidence (Accessed 17 Mar 2010).

Office of Public Sector Information (Part of the National Archives) (1984) The Police and Criminal Evidence Act 1984 [Online]. Available at http://www.opsi.gov.uk/RevisedStatutes/Acts/ukpga/1984/cukpga_19840060_en_4#pt2-pb3-l1g19 (Accessed 17 Mar 2010).

Rowlingson, R. (2004) International Journal of Digital Evidence: A Ten Step Process for Forensic Readiness [Online]. Available via University of Liverpool Online Library (Accessed 17 Mar 2010).