Computer Cops
Michael R. Anderson in Fraud International - Sunday, June 15, 2003
The use of computers in society has increased at an exponential rate in the past 20 years. Considering our reliance on computers and the amount of information they store, it is not surprising that the use of digital evidence in civil and criminal proceedings has also increased.
However, court actions like the OJ Simpson murder trial have called public attention to potential weaknesses in cases that rely upon technology as evidence. In the past, expert testimony tied to technology was accepted without question by courts, juries and defense attorneys. But, because of the public’s increased familiarity with computers, technical evidence processing techniques and methodologies are now coming under greater scrutiny.
Forensic computer expert witnesses are now frequently required to defend their findings. Therefore, it is vital that computer evidence processing be done properly. An essential part of any evidence processing is documentation, so that the steps taken can be recalled and the results duplicated. Without the ability to reconstruct accurately what has been done, crucial evidence may be subject to question.
More importantly, the qualifications of the expert witness can become an issue if evidence processing is done haphazardly. Avoid shortcuts. Adequate funding for computer hardware, storage media and software should not be an obstacle for law enforcement computer evidence processing. In the past, computer crime cases rarely went to trial in the United States. Such cases typically resulted in negotiated guilty pleas because computer evidence had been thought to be irrefutable. Previously, defense attorneys did not understand computer evidence and therefore questioned neither it nor the qualifications of expert witnesses. But now many computer cases go to trial and the potential exists for computer evidence to be subjected to close legal scrutiny by defense counsel, courts and even juries.
Computer evidence may be extremely complex and it is the job of the forensic computer specialist to make it seem simple. Typically United States juries consist of individuals who represent a cross section of the population. It is doubtful a jury will consist of 12 computer experts. Complex computer issues need to be conveyed to the court in clear, easily understood terms. Often testimony will be given months, even years, after the evidence was processed. Good documentation, tied to sound, consistent processing methods, acts as a memory refresher for the computer specialist and can make the difference between success and failure.
Time and date settings
The time and date stamps automatically recorded for files can be important in cases involving computer evidence. However, the accuracy of these stamps is directly tied to the accuracy of the time and date stored in the CMOS chip of the computer. Consequently, documenting the accuracy of these settings on a seized computer is important. Without such information, it will be impossible to validate the accuracy of the times and dates associated with files. The current time and date should be compared with the information stored in the computer. The current time can be obtained from http://greenwichmeantime.com. File dates and times are particularly important in documenting backdating of computer files.
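As an added example (not part of the article), the following Python records the skew between the seized machine's CMOS clock and the reference clock noted at seizure, corrects the catalogued file timestamps by that skew, and flags stamps that cannot be right. The file paths, times and seizure time are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

def clock_skew(reference_utc, system_utc):
    """Skew of the seized machine's clock at seizure; positive means it ran fast."""
    return system_utc - reference_utc

@dataclass
class FileRecord:
    path: str
    created: datetime
    modified: datetime

def normalize(records, skew):
    """Map timestamps recorded by the seized machine onto true time."""
    return [FileRecord(r.path, r.created - skew, r.modified - skew) for r in records]

def backdating_candidates(records, seizure_utc):
    """Flag stamps that cannot be right: later than the seizure, or modified
    before created. A plain file copy can also yield the latter on Windows,
    so each hit is a lead to verify against other evidence, not proof."""
    flagged = []
    for r in records:
        reasons = []
        if r.modified < r.created:
            reasons.append("modified before created")
        if max(r.created, r.modified) > seizure_utc:
            reasons.append("stamp after seizure")
        if reasons:
            flagged.append((r.path, reasons))
    return flagged

# Constructed sample: reference clock and CMOS clock noted at seizure (30 min fast),
# then three catalogued files with the stamps the seized machine recorded.
SEIZURE_UTC = utc(2003, 6, 15, 10, 0)
SKEW = clock_skew(SEIZURE_UTC, utc(2003, 6, 15, 10, 30))
SAMPLE_FILES = [
    FileRecord(r"C:\DOCS\LEDGER.XLS", utc(2003, 5, 1, 9, 0), utc(2003, 5, 10, 12, 0)),
    FileRecord(r"C:\DOCS\MEMO.DOC", utc(2003, 5, 20, 15, 0), utc(2003, 5, 18, 9, 0)),
    FileRecord(r"C:\DOCS\NOTES.TXT", utc(2003, 6, 15, 10, 50), utc(2003, 6, 15, 10, 50)),
]
NORMALIZED = normalize(SAMPLE_FILES, SKEW)
FLAGGED = backdating_candidates(NORMALIZED, SEIZURE_UTC)
```

The documented skew and the software version used to apply it belong in the report alongside the corrected catalog, so the correction can be reproduced later.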
Hard disk partitions
The potential for hidden or missing data exists when computer hard drives are involved. Document the make, model and size of all hard disk drives of seized computers by making a physical examination of the drive. Investigators commonly use programs such as DOS FDISK or PartInfo to document the number and size of partitions. It is important that hidden partitions and data are found and documented.
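An added example, not from the article: parsing a DOS-style MBR partition table to list its entries, flag partition types in the "hidden" range, and compute the sectors that no partition covers, which is where missing data would be looked for and which a partition-size listing alone does not reveal. The 512-byte MBR and the drive size are constructed sample values.

```python
import struct

SECTOR = 512
# The four 16-byte partition entries start at offset 446 of the MBR.
ENTRY_OFFSET, ENTRY_SIZE, ENTRY_COUNT = 446, 16, 4
# Type ids that DOS-era tools treat as hidden variants of FAT/NTFS volumes.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def parse_mbr(mbr):
    """Return sorted (lba_start, sector_count, type_id) for each used entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(ENTRY_COUNT):
        off = ENTRY_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        _status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0 and count != 0:
            parts.append((lba, count, ptype))
    return sorted(parts)

def hidden_partitions(parts):
    return [p for p in parts if p[2] in HIDDEN_TYPES]

def unallocated_ranges(parts, total_sectors):
    """Inclusive sector ranges covered by no partition; sector 0 is the MBR."""
    gaps, cursor = [], 1
    for lba, count, _ in parts:
        if lba > cursor:
            gaps.append((cursor, lba - 1))
        cursor = max(cursor, lba + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def build_entry(status, ptype, lba, count):
    return struct.pack("<B3xB3xII", status, ptype, lba, count)

# Constructed sample MBR for an 8192-sector drive: a bootable NTFS partition
# and a hidden FAT32 partition (type 0x1C), leaving gaps before, between and after.
TOTAL_SECTORS = 8192
SAMPLE_MBR = bytearray(SECTOR)
SAMPLE_MBR[ENTRY_OFFSET:ENTRY_OFFSET + 16] = build_entry(0x80, 0x07, 63, 2048)
SAMPLE_MBR[ENTRY_OFFSET + 16:ENTRY_OFFSET + 32] = build_entry(0x00, 0x1C, 4096, 1024)
SAMPLE_MBR[510:512] = b"\x55\xaa"
```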
Operating system version
A seized computer may rely upon one or more operating systems (OS), and they should be documented. On DOS and Windows-based computers the OS can be determined by examining the boot sector of each partition. It can also be determined by using a program like Norton Utilities. Document the findings and the software and versions used.
Data and OS integrity
The accuracy of data found will be directly tied to the integrity of the OS, directory and data storage areas. Document the results of running a program like DOS ScanDisk or CHKDSK. If errors are found, document them and, at the discretion of the computer specialist, correct or repair them. Again, corrective action should be recorded and the version of the software used retained and stored with the documentation.
Computer virus evaluation
It is crucial that computer viruses are not introduced into seized computers by the computer specialist. All processing software should be scanned by a certified virus scanning utility. Ideally, two virus scanning utilities should be used and scan results recorded. Seized computer hard disk drives and floppy disks should also be scanned and viruses documented. Viruses should be removed. Infected programs and word processing files can be stored within compressed files, such as zip files. Some virus scanning programs automatically search inside zip files, others do not.
File catalog
A careful investigator will record the files stored on the computer hard disk drive and on floppy disks. The date and time information from these files can be a valuable lead, particularly if cross-referenced with other seized computers from the same location.
Software licensing
Too often, law enforcement agencies are underfunded for buying computers and software. This means law enforcement computer specialists are forced to use software they did not purchase. If this is discovered by a defense lawyer, through legal discovery or during trial, the case can be lost. Worse yet, the reputation and credibility of the law enforcement computer specialists can be tarnished forever. Essential software tools for computer evidence processing are relatively inexpensive, and some software companies support law enforcement agencies with free and discounted forensic software. It is vital that investigators’ software is licensed, and this should be documented in the report. Often, all it takes is registering the software immediately after purchase. But if this step is overlooked, a smart defense lawyer may contact the software publishers involved and verify that you are an unlicensed user of their software.
Upgrading software
With advances in computer technology moving quickly, forensic evidence software packages are upgraded regularly. Investigators must retain the exact version and copy of the software used in processing computer evidence. It may be necessary to duplicate the results of evidence processing and, without the exact version of software originally used, the task may be impossible. If results cannot be duplicated, it may raise doubts about the accuracy of the processing. Furthermore, it is then difficult to rebut claims by a defense lawyer that the evidence was tampered with by the police or another agency. Source files, text search files, output files and forensic software should be archived on the same storage device until after trial. Ideally these items should be retained until all possibilities of appeal have been exhausted.