Lecture 10. Investigative Reconstruction and Digital Forensics

Lecture Objectives

  • Introduce fundamentals of investigative reconstruction.

  • Discuss different types of analyses performed by DF investigators.

  • Explain the difference between “direct evidence” and “circumstantial evidence”.

Investigative Reconstruction

  • Reconstruction is the systematic process of bringing together fragmented clues (evidence) to gain a better understanding of what happened between the victim and the offender in relation to a crime.

    • This process is complex due to:

      • Limited amount of evidence left behind.

      • Evidence may be damaged or camouflaged.

      • Crimes are not easy to decipher; reconstructing events from the evidence is like assembling a jigsaw puzzle.

Locard’s Exchange Principle

  • Locard’s Exchange Principle (every contact leaves a trace) applies to DF just as it does to physical forensics: an offender’s actions leave both digital and physical traces.

    Example: E‐mail harassment case.

    • A threatening email sent via Gmail produces evidence in different places.

      • Web browser stores files, links, and other information on the sender’s hard drive with date/time information.

      • Gmail (Google) web server contains access logs, IP addresses, and possibly the original message.

      • The victim’s machine possibly contains the threatening email received.

Modus Operandi (MO)

  • Digital evidence left by an offender at a particular crime scene contains behavioral imprints.

  • A connected series of behavioral imprints can be used to establish an offender’s modus operandi (how the offender operates).

Reconstruction of the Crime

  • Reconstruction of the crime using available evidence is a CRUCIAL STAGE of an investigation, performed throughout to develop leads and determine where additional sources of evidence can be found.

  • The investigator should be careful to remain objective and not be driven by patterns, preconceived theories, stereotypes, or influences.

Uses of Reconstruction

  • Establish the “big picture.”

  • Focus the investigation.

  • Locate concealed evidence.

  • Anticipate actions & assess potential escalation.

  • Link related crimes with the same Modus Operandi.

  • Prioritize investigation of suspects.

  • Guide suspect interview or offender contact.

  • Improve case presentation in court.

Equivocal Forensic Analysis

  • Equivocal forensic analysis is the process of objectively evaluating available evidence, independent of the interpretation of others, to determine its true meaning.

  • From the evidence, the investigator has to identify facts showing that a crime has taken place; these facts are collectively referred to as the corpus delicti (body of the crime).

  • Equivocal forensic analysis should consider (1) other investigators’ reports, (2) crime scene documentation, (3) usage and ownership of devices, (4) original media, (5) suspect & witness statements, (6) network map and logs.

Three Categories of Equivocal Forensic Analysis

  • Temporal: When

  • Relational: Who, What, Where

  • Functional: How

(1) Temporal Analysis

  • Aims to establish the chronological order of events (timeline) involved in a crime (this can be done using line charts, histograms & grids).

  • Useful to:

    • Identify patterns (e.g., recurring events).

    • Identify anomalies (e.g., out of sequence events indicating activities such as log tampering; deviations from regular events).

    • Identify periods of intense activities that deserve closer inspection.

  • Timestamps are essential, and geographic location is equally important due to time zone differences.

  • As crime complexity grows, reconstructing a timeline of events involving different time zones becomes a challenge.

  • The accuracy of timestamps also depends on the BIOS clock (computers) and on synchronisation with the mobile provider (mobile devices).
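As an added example (not part of the original lecture notes), the following Python script applies temporal analysis to constructed records from the three evidence sources of the e-mail harassment case above: it normalises each source’s local timestamps to UTC, merges them into one timeline, flags out-of-sequence entries, and locates bursts of activity. All sources, times and the IP address are invented.

```python
from datetime import datetime, timezone, timedelta

# Constructed records for the e-mail harassment case (sources, times and the IP address
# are invented). Each source logs local time in its own zone, so offsets must be applied first.
RECORDS = [
    # (source, record_no, local_time, utc_offset_hours, description)
    ("sender_browser", 1, "2024-03-01 09:14:30", -5, "visit accounts.google.com (login)"),
    ("sender_browser", 2, "2024-03-01 09:15:00", -5, "visit mail.google.com (compose)"),
    ("gmail_server",   1, "2024-03-01 14:14:55",  0, "login from 203.0.113.7"),
    ("gmail_server",   2, "2024-03-01 14:16:10",  0, "message sent from 203.0.113.7"),
    ("victim_mailbox", 1, "2024-03-01 15:16:20",  1, "threatening message received"),
    # Record 3 carries a time earlier than record 2 of the same source: an
    # out-of-sequence entry of the kind temporal analysis is meant to flag.
    ("sender_browser", 3, "2024-03-01 09:10:00", -5, "visit mail.google.com (inbox)"),
]

def to_utc(local_time, offset_hours):
    """Parse 'YYYY-MM-DD HH:MM:SS' in the given UTC offset; return an aware UTC datetime."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)

def build_timeline(records):
    """Merge all sources into one chronological list of (utc_time, source, record_no, description)."""
    return sorted((to_utc(t, off), src, no, desc) for src, no, t, off, desc in records)

def sequence_anomalies(timeline):
    """Within each source, flag records whose timestamp runs backwards relative to the
    previous record number (clock change, backfilled entries or log tampering)."""
    by_source = {}
    for when, src, no, _ in timeline:
        by_source.setdefault(src, []).append((no, when))
    flagged = []
    for src, entries in by_source.items():
        entries.sort()  # record-number order, i.e. the order in which the source wrote them
        for (_, prev_when), (no, when) in zip(entries, entries[1:]):
            if when < prev_when:
                flagged.append((src, no))
    return flagged

def busy_windows(timeline, window=timedelta(minutes=2), min_events=3):
    """Start times of windows holding at least min_events events: bursts worth closer inspection."""
    times = [e[0] for e in timeline]
    return [s for i, s in enumerate(times)
            if sum(1 for t in times[i:] if t - s <= window) >= min_events]

if __name__ == "__main__":
    for when, src, no, desc in build_timeline(RECORDS):
        print(when.isoformat(), src, no, desc)
```

Running the script prints the merged UTC timeline; `sequence_anomalies` reports the browser record whose time contradicts its record order, and `busy_windows` points at the two minutes around the login and send.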

(2) Relational Analysis

  • Aims to establish the relations/associations between entities (e.g., objects and subjects).

  • Uses two main tools:

    • Scenario diagrams (e.g., a diagram showing the steps performed by an offender through a network to reach a target; it might indicate sources of evidence such as logs, and the relevant people involved).

    • Link analysis (representing connections between people, or between computers or other devices; e.g., a map of social relations may uncover the roles performed by members of a gang and its structure of authority and command).

  • Useful to:

    • Reveal who the players are and their relations, establishing the chain of command or communication network.

    • Clarify what has occurred.

    • Locate potential sources of digital evidence (e.g., firewall, router, intrusion detection logs) which become visible through the relational analysis.

  • Challenges

    • Creating a relational reconstruction works best for a small number of entities.

    • As the number of entities and links increases, it becomes increasingly hard to identify which are the important connections.

    • Some tools provide features to allow the assignment of weights to connections in a relational diagram.
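As an added example (not part of the original lecture notes), this Python script carries out a small relational analysis on constructed link observations: it builds a weighted link graph, ranks entities by their total contacts, prunes weak links so the important connections stand out, and traces a scenario path from a person to a target host together with the logs to collect along it. All entities, contact counts and evidence sources are invented.

```python
from collections import deque

# Constructed observations for a hypothetical case (names, counts and evidence sources invented).
LINKS = [
    # (entity_a, entity_b, number_of_observed_contacts, where_the_link_was_observed)
    ("alice",  "bob",        14, "mail server log"),
    ("alice",  "carol",       2, "mail server log"),
    ("bob",    "dave",        9, "chat export"),
    ("carol",  "dave",        1, "chat export"),
    ("bob",    "erin",        6, "phone records"),
    ("dave",   "vpn-gw",      5, "VPN authentication log"),
    ("vpn-gw", "fileserver",  5, "firewall log"),
    ("erin",   "fileserver",  1, "IDS alert"),
]

def build_graph(links):
    """Undirected weighted link graph: node -> {neighbour: (weight, evidence_source)}."""
    graph = {}
    for a, b, weight, source in links:
        graph.setdefault(a, {})[b] = (weight, source)
        graph.setdefault(b, {})[a] = (weight, source)
    return graph

def rank_entities(graph):
    """Entities ordered by total contact weight, the first candidates for key players."""
    totals = [(node, sum(w for w, _ in nb.values())) for node, nb in graph.items()]
    return sorted(totals, key=lambda item: item[1], reverse=True)

def prune(graph, min_weight):
    """Keep only links of weight >= min_weight so the important connections stand out."""
    return {n: {m: e for m, e in nb.items() if e[0] >= min_weight} for n, nb in graph.items()}

def trace_path(graph, start, goal):
    """Breadth-first shortest chain of links from start to goal (a scenario diagram), or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = [node]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for nxt in graph.get(node, {}):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def evidence_along(graph, path):
    """Evidence sources to collect for each hop of a path, as revealed by the diagram."""
    return [graph[a][b][1] for a, b in zip(path, path[1:])]
```

On the full graph the shortest chain from alice to the file server runs through a single IDS alert, while the pruned graph (weights of 5 or more) shows the better-supported route via the VPN gateway and the logs that route makes visible.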

(3) Functional Analysis

  • Builds on the entities and associations identified by relational analysis (e.g., objects and subjects) and tests the conditions under which the events could have occurred, possibly raising questions about the evidence.

  • The purpose is to consider all possible explanations for a given set of circumstances.

  • Aims to establish how something has happened, given a set of circumstances (based on evidence collected).

  • Useful for 2 main purposes:

    • 1. Brainstorming hypotheses to direct investigations.

    • 2. Checking whether something could have happened in a certain way, i.e., validating the how.

Conclusions on Equivocal Forensic Analysis

  • During this phase, potential patterns of behaviour may begin to emerge and gaps in the evidence may appear.

  • Evidence should start to fit together into a coherent whole, like the pieces of a jigsaw puzzle.

  • The big picture (and the holes in this picture/puzzle) should become more apparent, although it is unlikely the picture will ever become crystal clear.

  • Reconstruction provides a methodology for gaining a better understanding of a crime and focusing an investigation.

    • Investigators must remain objective throughout.

  • The use of reconstruction may point towards an offender or suspected offender.

    • The investigators’ job is to present the facts, not to judge.

    • Statements judging individual suspects compromise an investigator’s objectivity and reputation → therefore, they should be avoided at all costs!

Direct vs. Circumstantial Evidence

  • Direct evidence establishes a fact.

  • Circumstantial evidence suggests a fact.

  • Direct evidence examples:

    • Eyewitness account

    • Confession

    • A direct link between someone and an alleged misconduct.

  • Circumstantial evidence:

    • Indirect evidence that requires inference to imply a fact.

Attribution in Cybercrimes

  • Attribution is the primary issue in most cybercrimes: who was at the computer at that time?

  • Proof will almost always rest on several pieces of circumstantial evidence indicating:

    • 1. Access: Evidence showing the suspect had the physical or digital ability to reach the system, file, or network involved in the incident.

    • 2. Knowledge: Indicators that the suspect possessed the technical skills or information necessary to carry out the activity in question.

    • 3. Opportunity: Proof that the suspect was present or active at the relevant time when the incident occurred.

    • 4. Motive: Circumstantial context suggesting the suspect had a reason or incentive (e.g., revenge, profit, curiosity) to commit the act.

    • 5. State of Mind: Evidence reflecting the suspect’s intent, attitude, or awareness, such as deleted logs, hidden files, or attempts to cover tracks.

  • Variety of sources of circumstantial evidence:

    • Traditional evidence (from old-fashioned detective work) can corroborate digital evidence, e.g.:

      • Suspect and witness interviews

      • Physical evidence

      • Physical surveillance

Let’s not forget

  • Circumstantial evidence and, in particular, a body of digital evidence can indicate that something has happened in a certain way...

  • ... but it can also indicate that something has not happened in a certain way.

  • → Digital forensic investigators need to keep an open mind in order to find and report on all relevant evidence either way.

Conclusion

  • It is important to distinguish direct from circumstantial evidence to understand the value of the evidence collected.

  • Direct evidence has higher value compared to circumstantial evidence.

    • Therefore, in the absence of direct evidence, investigators have to collect enough circumstantial evidence to make a strong case.