Digital Evidence
Computer Crime:
1950s-1960s: computer crime in its infancy
1973: Equity Funding Insurance Company
IBM704 mainframe (“Big Iron”)
Advance (fictitious) sales entries (1964)
“always thinking ahead”: fictitious policies
This facilitated more crime involving paper documents
Documents were easier to copy and produce
And change
And counterfeit
80% of all crimes involved document evidence
Law enforcement was slow to react to digital evidence
Through the 70s/80s, forensic computer experts were mostly hobbyists who worked for law enforcement
Data storage was the first area to be noticed:
1984: FBI launched the Magnetic Media Program
Represents the dawning of understanding that documentation was no longer on paper
Methods for tracking hackers were developed in the private sector
The watershed moment occurred in 1986 when Cliff Stoll, a UNIX administrator at Lawrence Berkeley National Laboratory, tried to figure out a $0.75 accounting error
He found a hacker selling data to the KGB
Digital Forensics:
Cyber crime: Any criminal act dealing with computers or digital devices
Computer crime: Illegal act of which knowledge of computer technology is essential for the perpetration, investigation or prosecution
Digital forensics: The application of science and technology to the identification, recovery, transportation, and storage of digital evidence
Problem:
Jurisdiction: the area where the crime had been committed and any area over which or through which the suspect passed going to or leaving the scene of the crime
Law
Many laws have only been passed since the 1980s
These were enacted at the federal and state level
Crimes were decided in both criminal and civil court
Crime Scene differences:
Criminal law: Federal and state
Many of these at the state and federal levels have been passed to deal with and allow the prosecution of cyber crime
Children’s Online Protection Act
Identity Theft and Assumption Deterrence Act
Computer Fraud and Abuse Act
Wire Fraud Act
National Information Infrastructure Protection Act
Other crimes similar to previously encountered ones (copyright infringement, software ownership, drugs and narcotics, privacy) are being handled as before
New crimes: unauthorized access, exceeding authorized access, child pornography, fraud, viruses, sabotage, terrorism, embezzlement, espionage; all of these, as virtual crimes, needed new laws
In the 90s and 2000s there was a boom in digital forensics due to child pornography and the wars in Afghanistan and Iraq
First, the wars
U.S. troops often ended up capturing the laptops and phones of enemy insurgents and had to extract useful intelligence from them
Sexual Exploitation Act of 1977, made it a crime knowingly to use a minor under 16 years old in obscene depictions of sexually explicit conduct
Images and videos had to be traded in person or via the mail
Communication between pedophiles was through contacts or via advertisement
Now enter Tim Berners-Lee. A scientist at CERN
In April of 1993 he created the world wide web
People could now communicate and trade images anonymously
As law enforcement became better the criminals did too
Steganography was born
Hiding images in images
Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disk) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.
Steganography sometimes is used when encryption is not permitted
For example, a pixel’s code contains information on position and color
Early steganography programs would replace the last digit (the least significant bit) of each pixel
These alterations would be collected by the decoder to reconstruct the hidden image
Now there are thousands of images on a PC
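The least-significant-bit replacement described above, as an added example that is not from the lecture notes: it hides a short payload in a constructed grayscale cover, shows that no pixel moves by more than one value (why the eye cannot see it), and shows the examiner-side extraction and a simple bit-plane check. The cover, payload and function names are constructed for this illustration.

```python
# Added example, not from the lecture notes: LSB steganography on a
# constructed 8-bit grayscale cover, plus what an examiner does with it.
# Constructed cover: a 64x64 gradient whose pixel values are all even,
# so its least-significant-bit (LSB) plane starts out entirely zero.
COVER = bytes((i * 2) % 256 for i in range(64 * 64))
SECRET = b"meet at noon"  # constructed sample payload


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of successive pixels, after a 16-bit length."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # only the last bit changes
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Examiner side: read the length, then that many bytes, from the LSB plane."""
    def read_bytes(start: int, count: int) -> bytes:
        result = bytearray()
        for n in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + (n * 8) + i] & 1)
            result.append(value)
        return bytes(result)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)  # the length header occupies the first 16 pixels


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference; 1 out of 255 is invisible to the eye."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_ones_ratio(pixels: bytes, count: int) -> float:
    """Share of 1-bits in the LSB plane of the first `count` pixels.
    On this flat-LSB cover the ratio jumps from 0 to about 0.5 where data
    was written; real covers need proper statistical tests (not shown)."""
    return sum(p & 1 for p in pixels[:count]) / count
```

The bit-plane ratio only works here because the constructed cover has a flat LSB plane; on photographs an examiner relies on dedicated steganalysis tools rather than this check.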
Software exists to scan each to determine if it is the image of a child
In the current era: Digital evidence goes beyond image location
Emails, data, location, search history all have valuable information to give
Investigation Process
Collection: In which digital evidence is acquired. This often involves seizing physical assets, like computers, phones, or hard drives; care must be taken to ensure that no data is damaged or lost. Storage media may be copied or imaged at this stage in order to keep the original in a pristine state for reference
Collection adds a new problem to digital evidence that was not a part of traditional physical evidence
Evidence can be compromised remotely
So now, items must be air gapped or sealed from EM, or powered down
Examination: In which various methods are used to identify and extract data. This step can be divided into preparation, extraction and identification. Important decisions to make at this stage:
Whether to deal with a system that’s live (power up a seized laptop) or dead (connecting a seized hard drive to a lab computer). Identification means determining whether individual pieces of data are relevant to the case at hand. Particularly when warrants are involved, the information examiners are allowed to learn may be limited
Analysis: In which the data that’s been gathered is used to prove (or disprove) the case being built by examiners. For each relevant data item, examiners will answer the basic questions about it (who created it? who edited it? how was it created? when did this all happen?) and attempt to determine how it relates to the case
Reporting: In which the data and analysis are synthesized into a format that can be understood by laypeople. Being able to create such reports is an absolutely critical skill for anyone interested in digital forensics
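The imaging step of the collection phase, as an added example that is not from the lecture notes: it copies a constructed in-memory “drive” block by block, records a SHA-256 acquisition hash, proves the copy matches and the original is untouched, and shows that a single flipped bit in the copy fails verification. Real acquisitions use a hardware write blocker and an imaging tool; only the verification logic is reproduced here, and all names and data are constructed.

```python
# Added example, not from the lecture notes: acquiring a bit-for-bit image
# of a seized medium and proving, by hash, that the copy matches and the
# original was left pristine. Real acquisitions use a hardware write
# blocker and an imaging tool; this reproduces only the verification logic.
import hashlib
import io

# Constructed stand-in for a seized 8 KiB drive.
DRIVE = bytes((i * 7) % 256 for i in range(8192))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_device(src, block_size: int = 512):
    """Read src sequentially in fixed blocks (as dd does), hashing while
    copying. src is only read, never written. Returns (image, hash)."""
    digest = hashlib.sha256()
    image = io.BytesIO()
    while True:
        block = src.read(block_size)
        if not block:
            break
        digest.update(block)
        image.write(block)
    return image.getvalue(), digest.hexdigest()


def acquire(raw_device: bytes):
    """Image an in-memory device and return (image, acquisition hash)."""
    return image_device(io.BytesIO(raw_device))


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Independently re-hash the stored copy; any mismatch (a flipped bit,
    a truncated file) means the examiner may not rely on it."""
    return sha256_hex(image) == acquisition_hash


def original_untouched(hash_before: str, device: bytes) -> bool:
    """Re-hash the original after the acquisition; it must still match."""
    return sha256_hex(device) == hash_before


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit of a copy, to show how little it takes to fail verification."""
    out = bytearray(image)
    out[offset] ^= 0x01
    return bytes(out)
```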
Social media and location metadata are another complication
4th Amendment: remember our discussions
Katz v. United States stated that “the fourth amendment protects people, not places”. The result is that the fourth amendment continues to be deeply tied to physical places
Electronic Communications Privacy Act of 1986 was enacted by the United States Congress to extend restrictions on government wiretaps of telephone calls to include transmission of electronic data by computer, and added new provisions prohibiting access to stored electronic communications
The Stored Communications Act added so-called pen/trap provisions that permit the tracing of telephone communications
Crime scene differences:
Physical scene
We have been looking at crimes where there is an actual crime scene
The location of the homicide, burglary, sexual assault, etc
Investigators have tangible evidence to collect, handle, test, and evaluate to tie an actual suspect to the scene
Virtual scene:
New since the use of computers and digital technology
The evidence can be found on a device, in the cloud, or spread out among different devices in different locations; however, the same need for control of the evidence remains
Yellow crime scene tape just isn’t going to be used for containment
Now, computer systems are the evidence. Imaging, storage and protection are different
Search warrants:
Can be scene specific (as with normal crime scenes)
Same need for probable cause (why search?)
Same need for speed (prevent destruction and/ or loss of evidence)
Handling of the device to be seized (image or take with)
Are multiple warrants needed for different scenes?
The investigation:
If laws are broken
Identify suspects
Identify witnesses
Locate the suspect
Identify the type of system used and its location
Security on the system
Passwords
Probable cause
Put together the team of investigators
Obtain the search warrant
Where is the device?
Disable possible “traps” which could destroy evidence
Prevent any other contamination of the device or evidence
Execute the plan for the raid
Security and control
All items in the warrant and linked to the primary device
Servers, wireless networks
Videotaping
Sketching
Handheld devices
Documents
Digital Forensics:
Competency in digital forensics requires:
An in-depth understanding of computer hardware and software
computer networks
Forensic science
Applicable local, state, and national laws
The ability to communicate in both verbal and written forms
Technology changes quickly:
Technologies become obsolete
New technologies are created
Significant effect upon the practice of digital forensics
A “moving” target: practitioners need to constantly update their knowledge and skills
Digital Evidence:
Digital evidence is information stored or transmitted in binary form that may be relied on in court
Evidence is difficult to detect; it may be hidden through steganography and encryption
Anonymity for perpetrators
Multijurisdictional issues
Where can you find Digital Evidence?
Computer hard drive
mobile phone
Social media
CD
Flash card in a digital camera
Video game
GPS receiver
That leads to social media forensics
Aside from the well established brands such as Facebook, LinkedIn, Twitter, Instagram, and Youtube, there are over 200 social networking sites, all active, full of all kinds of people, from introverts who only desire a small digital presence to social predators and people with oversharing tendencies
Facebook alone has over 1 billion users that post over 350 million photos each day. Social networks have a great impact on society, including providing entertainment, generating information, facilitating communication, and influence. All this while also generating lots and lots of evidence
Some are obvious: from 2009, when Daniel Knight Hyden became the first person prosecuted for his post on Twitter, to more recent cases, such as when a couple was arrested in Ohio after allegedly robbing a bank and posting images with the stolen cash on Facebook
Know the Terms of Service
Usually these agreements require investigators to get permission
Some are public
Prosecution:
Child pornography
Credit card fraud
Suspects’ email or mobile phone files
Might contain critical evidence regarding their intent
Their whereabouts at the time of a crime
Their relationship with other suspects
2005: a floppy disk led investigators to the BTK serial killer (Dennis Rader)
At least 10 victims; he had eluded police capture since 1974