13-05-2011, 12:50 PM
[attachment=13760]
[attachment=13761]
[attachment=13762]
[attachment=13763]
[attachment=13764]
1. INTRODUCTION
Digital forensics (sometimes Digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term was originally used as a synonym for computer forensics but has expanded to cover other devices capable of storing digital data. The discipline evolved in a haphazard manner during the 1990s and it was not until the early 2000s that national policies were created.
Investigations often take one of three forms; forensic analysis (where evidence is recovered to support or oppose a hypothesis before a criminal court), eDiscovery (a form of discovery related to civil litigation) or intrusion investigation (which is a specialist investigation into the nature and extent of an unauthorized network intrusion). The science of digital forensics is divided into several sub-branches; computer forensics, network forensics, database forensics and mobile device forensics.
As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to specific suspects, confirm alibis(An alibi is a type of defense found in legal proceedings by demonstrating that the defendant was not in the place where an alleged offence was committed.) or statements, determine intent, identify sources (for example, in copyright cases) or authenticate documents. Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions) often involving complex time-lines or hypothesis.
2. HISTORY
Prior to the 1980s crimes involving computers were dealt with using existing laws. The first computer crimes were recognized in the 1978 Florida Computer Crimes Act which included legislation against the unauthorized modification or deletion of data on a computer system. Over the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking, and online predators) and child pornography. It was not until the 1980s that federal laws began to incorporate computer crime. Canada was the first country to pass legislation in 1983. This was followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to their crimes acts in 1989 and the British Computer Abuse Act in 1990. More recently, concern over cyber warfare and cyber terrorism has become an important issue. A February 2010 report by the U.S. Joint Forces Command concluded:
Through cyberspace, enemies will target industry, academia, government, as well as the military in the air, land, maritime, and space domains. In much the same way that airpower transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce and communication.
In response to the growth in computer crime during the 1980s and 1990s law enforcement agencies began to establish specialized investigative groups, usually at the national level. Throughout the 1990s there was high demand for the these resources, leading to the creation of regional and even local units. During this period the science of digital forensics grew out of ad-hoc tools and techniques developed by practitioners. This is in contrast to other forensics disciplines, developed from work by the scientific community. The rapid development of the discipline resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime: Investigating Cases Involving Computers", K Rosenblatt writes:
Seizing, preserving, and analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed by specially trained experts the task of collecting and analyzing computer evidence is often assigned to patrol officers and detectives
In 2002, in response to this need, the Scientific Working Group on Digital Evidence (SWGDE) published its "Best practices for Computer Forensics". A subsequent 2005 ISO standard (ISO 17025 General requirements for the competence of testing and calibration laboratories) was published and commercial companies began to offer certification and training programs.
2.1 Investigative Tools
During the 1980s very few specialized digital forensic tools existed and investigators often performed live analysis on media, examining computers from within the operating system using existing sysadmin tools to extract evidence. In the early 1990s a number of tools (such as Safe Back and DIBS) were created to allow investigations to take place without the risk of altering data. As demand for digital evidence grew more advanced commercial tools (Encase, FTK, etc.) were developed.
More recently the same progression of tool development has occurred for mobile devices; initially investigators accessed data directly on the device, these were soon replaced with specialist tools (such as XRY or Radio Tactics Aceso).
3. USES
The main use of digital forensics is to recover evidence of a crime. However the diverse range of data held in digital devices can help with other areas of investigation.
3.1 Attribution
Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.
3.2 Alibis and Statements
Information provided by those involved can be cross checked with digital evidence. For example, during the investigation into the Soham murders, the offenders alibi was disproven when mobile phone records of the person he claimed to be with showed she was out of town at the time.
3.3 Intent
As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term mens rea). For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing How to kill people.
3.4 Evaluation of Source
File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Global Unique Identifer into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.
3.5 Document Authentication
Related to "Evaluation of Source", meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the created date of a file). Document authentication relates to detecting and identifying falsification of such details.
4. DIGITAL EVIDENCE
Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.
The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files.
Fig 4.1: Occurrence Of Digital Evidence
Many courts in the United States have applied the Federal Rules of Evidence to digital evidence in a similar way to traditional documents, although some have noted important differences. For example, that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. In December 2006, strict new rules were enacted within the Federal Rules of Civil Procedure requiring the preservation and disclosure of electronically stored evidence. Digital evidence is often attacked for its authenticity due to the ease with which it can be modified, although courts are beginning to reject this argument without proof of tampering.
4.1 Admissibility
Digital evidence is often ruled inadmissible by courts because it was obtained without authorization. In most jurisdictions a warrant is required to seize and investigate digital devices. In a digital investigation this can present problems where, for example, evidence of other crimes are identified while investigating another. During a 1999 investigation into online harassment by Keith Schroeder investigators found pornographic images of children on his computer. A second warrant had to be obtained before the evidence could be used to charge Schroeder.
