Forensic Science Study Guide: Fire, Documents, and Digital Evidence

Fire and Arson Fundamentals

  • Combustion Basics:
      * Combustion is defined as a chemical reaction between fuel and oxygen that results in the release of energy in the forms of heat and light.
      * Fuel State: It is a critical principle that fuel must be in a vapor (gas) form to support burning; liquids themselves do not burn, only the gases they release.

  • Key Temperature Terms:
      * Flash Point: This refers to the lowest temperature at which a liquid produces sufficient vapor to ignite briefly when exposed to a spark or flame.
      * Ignition Temperature: This is the temperature at which a substance will self-ignite without the presence of an external spark or flame.
      * Memory Aid: Remember that "Flash" requires an external spark, while "Ignition" requires no spark.

  • Fire Behavior Terms:
      * Flammable Range: The specific concentration of vapor in the air that is capable of supporting combustion.
      * Flashover: A phenomenon occurring when the temperature in a room reaches a point where every combustible item in that space ignites simultaneously.
      * Spontaneous Combustion: A fire that starts naturally due to internal heat buildup within a material, requiring no external flame for initiation.

  • Signs of Arson:
      * Investigators look for suspicious indicators, including:
          * The presence of multiple separate starting points for the fire.
          * Unusual burn patterns or trails.
          * Evidence of accelerant containers left at the scene.
          * Streamers: These are irregular burn paths used to lead fire from one area to another.
      * The combination of several of these indicators significantly increases the suspicion of arson.

Evidence Collection and Fire Analysis Tools

  • Urgency in Evidence Collection: Investigators must move rapidly for several specific reasons:
      * Accelerants are highly volatile and evaporate quickly.
      * The scene is susceptible to contamination if left unsecured.
      * Cleanup operations may begin shortly after the fire is extinguished.
      * Evidence materials degrade naturally over time.

  • Fire Analysis Instrumentation:
      * Gas Chromatography (GC): Used to separate substances within a mixture.
      * GC + Mass Spectrometry (GC-MS): This combination represents the most accurate method for identifying specific accelerants used in a fire.

Questioned Documents: Handwriting and Materials

  • Handwriting and Evidence:
      * Reliable handwriting comparisons require multiple known samples, referred to as exemplars.
      * For the most accurate results, these exemplars should be close in chronological time to the writing that is being questioned.

  • Paper Analysis: Evaluated based on physical characteristics including:
      * Color.
      * Thickness.
      * Weight.
      * Watermarks: Specific identifiers built into the paper during manufacturing.

  • Ink Analysis Methods:
      * Thin-Layer Chromatography (TLC): A chemical method used to separate the various components of ink.
      * Microspectrophotometry: A technique used to analyze how ink absorbs and reflects light.

Document Alterations and Specialized Analysis

  • Types of Alterations:
      * Obliteration: This occurs when something has been intentionally covered up or scribbled out to hide the original content.
      * Erasure: The physical removal of writing from the document.
      * Indented Writing: These are the impressions left on the sheets of paper directly underneath the page that was written upon.

  • Light-Based Techniques:
      * Certain inks exhibit fluorescence under specific lighting conditions.
      * Inks can absorb one type of light and emit another, which is a key method for detecting differences between seemingly identical inks.

Printing Devices and Digital Mapping

  • Printers and Machines: Key characteristics used to identify a machine's source include:
      * The printing method used (e.g., laser versus inkjet).
      * The chemical composition of the ink or toner.
      * The type of paper used.
      * The fusing method (how the toner is bonded to the paper).
      * TTI (Trash Toner Image): A unique characteristic that helps forensic scientists identify the specific machine source of a document.

  • Digital Document Concepts:
      * Digitizing: The process of converting a physical image into pixels so it can be stored and processed by a computer.

Computer Forensics: Data and Systems

  • Basic Definitions:
      * Software: The set of instructions or programs that tell a computer how to perform tasks.
      * Motherboard: The primary circuit board that connects all hardware components of the computer.

  • Data Types:
      * Visible Data: Data that is easily accessible to the average computer user.
      * Latent Data: Data that is hidden, deleted, or otherwise not easily accessible through normal means. Investigators prioritize latent data for the evidence it often contains.

  • Locations of Digital Evidence:
      * Unallocated Space: Space on a drive that is not currently assigned to a file.
      * Slack Space: Leftover storage fragments at the end of a file's clusters.
      * Cache: A location for temporary data storage.
      * Internet History: A record of websites visited.
      * Cookies: Files used to track user activity.

Storage Hierarchy and Forensic Imaging

  • Storage Concepts:
      * The primary storage device for a computer is the Hard Disk Drive (HDD).
      * Hard drives are organized into a hierarchy of Tracks, Sectors, and Clusters.

  • Slack Space Types:
      1. RAM slack.
      2. File slack.

  • The Boot Process:
      * The startup of a computer is controlled by ROM (Read-Only Memory).

  • Forensic Imaging:
      * A bit-for-bit copy of a hard drive is made to:
          * Preserve the original evidence.
          * Avoid any alteration of original data during the investigation.
      * The primary goal is to analyze data without changing anything on the original source.

Internet Evidence and Networking

  • Web-Based Evidence:
      * Cookies: Used for tracking user behavior and activity.
      * Cache: Stores temporary web data to speed up page loading.
      * Browsing History: Provides a chronological record of visited sites.
      * Note on Bookmarks/Favorites: These are considered NOT useful as evidence because they do not prove that a user actually visited or engaged with the site.

  • Digital Crimes:
      * Hacking: The unauthorized access to a computer system or network.

  • IP Address Basics:
      * Format: Consists of 4 numbers separated by dots (e.g., 192.168.1.1).
      * Range: Each of the four numbers falls within the range of 0 to 255.
      * Utility: IP addresses can be used to help identify a specific user or device on a network.

Concept Clarifiers and Memory Aids

  • True/False Concept Checklist:
      * Handwriting comparisons require similar timeframes for reliability: TRUE.
      * Paper analysis includes evaluating physical characteristics like weight and color: TRUE.
      * Ink can be analyzed through chemical methods like chromatography: TRUE.
      * A higher number of exemplars leads to better, more accurate conclusions: TRUE.
      * Visible data is data accessible to the user: TRUE.
      * Latent data is hidden from normal view: TRUE.
      * The HDD is the primary storage device: TRUE.

  • Quick Memory Hacks:
      * Gas vs. Liquid: Remember that gas burns, not liquid; fuel must vaporize to ignite.
      * Flash vs. Ignition: Flash requires a spark; Ignition occurs without one.
      * Indented: Think of hidden writing pushed into the layers underneath.
      * Latent: Think of the data "lurking" in hidden places.
      * Cookies: Think of "tracking crumbs" left behind by activity.