4.1 The Role of Digital Evidence

One of the main goals in an investigation is to attribute the crime to its perpetrator by uncovering compelling links between the offender, victim, and crime scene. Witnesses may identify a suspect but evidence of an individual's involvement is usually more compelling and reliable. According to Locard's Exchange Principle, anyone, or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave. In the physical world, an offender might inadvertently leave fingerprints or hair at the scene and take a fiber from the scene. For instance, in a homicide case the offender may attempt to misdirect investigators by creating a suicide note on the victim's computer, and in the process leave fingerprints on the keyboard. With one such piece of evidence, investigators can demonstrate the strong possibility that the offender was at the crime scene. With two pieces of evidence the link between the offender and crime scene becomes stronger and easier to demonstrate (Figure 4.2).

Figure 4.2: Locard's Exchange Principle.

This type of exchange produces evidence belonging in one of two general categories: (i) evidence with attributes that fit in the group called class characteristics, and (ii) exhibits with attributes that fall in the category called individual characteristics. As detailed in Chapter 9, class characteristics are common traits in similar items whereas individual characteristics are more distinctive and can be linked to a specific person or activity with greater certainty. Consider the physical world example from Chapter 1 of a shoe print left under a window at a crime scene. Forensic analysis of those impressions might only reveal the make and model of the shoe, placing it in the class of all shoes with the same make and model. Therefore, if a suspect were found to be in possession of a pair with the same manufacturer and model, only a tenuous circumstantial link could be made between the suspect and the wrongdoing. If forensic analysis uncovers detailed wear patterns in the shoe prints and finds identical wear on the suspect's soles, a much stronger link is possible. The margin of error has just been significantly reduced by the discovery of an individual characteristic, making the link much less circumstantial and harder to refute.

In the digital realm, we move into a more virtual and less tangible space. The very notion of individual identity is almost at odds with the philosophy of openness and anonymity associated with many communities using the Internet. However, similar exchanges of evidence occur in the digital realm, such as data from an offender's computer recorded by a server or data from servers stored on the offender's computer. Such links have been used to demonstrate that a specific individual was involved. Even when this evidentiary material does not conclusively link a suspect to the computer, it still individualizes the computer itself.

Browsing the Web provides another example of Locard's Exchange Principle in the digital realm. If an individual sends a threatening message via a Web-based e-mail service such as Hotmail, his/her browser stores files, links, and other information on the hard disk along with date-time related information. Investigators can find an abundance of information relating to the sent message on the offender's hard drive including the original message. Additionally, investigators can find related information on the Web server used to send the message including access logs, e-mail logs, IP addresses, browser version, and possibly the entire message in the Sent mail folder of the offender's e-mail account.

Akin to categories of evidence in the "traditional" forensic sense, digital equipment and their attributes can be categorized into class and individual groups. Scanners, printers, and all-in-one office devices may exhibit or leave discernible artifacts that lead to common class characteristics allowing the identification of an Epson, Canon, or Lexmark device. The more conclusive individual characteristics are more rare but not impossible to identify through detailed analysis. Unique marks on a digitized photograph might be used to demonstrate that the suspect's scanner or digital camera was involved. Similarly, a specific floppy drive may make unique magnetic impressions on a floppy disk, helping establish a link between a given floppy disk and the suspect's computer.


Preview (Chapter 9): Interestingly, the MD5 computation is an example of a derived attribute that can be useful as a class or individual characteristic depending on its application. For instance, the MD5 value of a common component of the Windows 2000 operating system (e.g. kernel32.dll) places a file in a group with all other copies of that component on all Windows 2000 installations but does not indicate that the file came from a specific machine. On the other hand, when the MD5 value is computed for data that are or appear to be unique, such as an image containing child pornography or suspected steganographic data, the hash value becomes an individual characteristic because of the very low probability that any other data (other than an exact copy) will produce the same hash value. Therefore, MD5 values are more trustworthy than filenames or file sizes in the comparison of data.


These are examples of the more desirable category of evidence because of their strong association with an individual source. Generally, however, the amount of work required to ascertain this level of information is significant and may be for naught, especially if a proven method for its recovery has not been researched and accepted in the community and used to establish precedent in the courts. This risk, coupled with the fact that the objects of analysis change in design and complexity at such a rapid pace, makes it difficult to remain current.

Class characteristics can enable investigators to determine that an Apache Web server was used, that a particular e-mail encapsulation scheme (e.g. MIME) was employed, or that a certain manufacturer's network interface card was the source. Categorization of characteristics from various types of digital components has yet to be approached in any formal way, but the value of this type of information should not be underestimated. Class characteristics can be used collectively to determine a probability of involvement, and the preponderance of this type of evidence can be a factor in reaching conclusions about guilt or innocence.

The value of class physical evidence lies in its ability to provide corroboration of events with data that are, as nearly as possible, free of human error and bias. It is the thread that binds together other investigative findings that are more dependent on human judgements and, therefore, more prone to human failings. (Saferstein 1998)

To better appreciate the utility of Locard's Exchange Principle, class characteristics, and individual characteristics in the digital realm, consider a computer intrusion. When an intruder gains unauthorized access to a UNIX system from his/her personal computer using a stolen Internet dial-up account, and uploads various tools to the UNIX machine via FTP (file transfer protocol), the tools are now located on both the Windows and UNIX systems. Certain characteristics of these tools will be the same on both systems, including some of the date-time stamps and MD5 hash values (described in Chapter 9).

The Windows application used to connect to the UNIX system (e.g. Telnet, SecureCRT, SSH) may have a record of the target IP address/hostname. Directory listings from the UNIX system may be found on the intruder's hard drive if they were swapped to the disk while being displayed on screen by Telnet, SecureCRT, SSH, or another program, as shown in Figure 4.3. The stolen account and password are probably stored somewhere on the intruder's system, possibly in a sniffer log or in a list of stolen accounts from various systems. The FTP client used (e.g. WS_FTP) may create a log of the transfer of tools to the server.

Figure 4.3: Remnants of a directory listing from a UNIX system found on a Windows computer using the grep feature in EnCase to search for the pattern "[d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-](space)."
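The search in Figure 4.3 can be reproduced outside EnCase: grep a raw image for the permission-string pattern, then keep only hits that parse as a complete `ls -l` line, which discards look-alike byte sequences. This is an added example, not code from the book; the sample buffer is constructed, and the pattern is widened beyond the caption's `[d\-][rwx\-]{9}(space)` to admit symlinks and setuid/setgid/sticky bits.

```python
import re

# Constructed sample: fragments of a UNIX `ls -l` listing surrounded by unrelated bytes,
# standing in for a swap file or unallocated clusters imaged from a Windows disk.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00\x03garbage\xff\xfe"
    b"drwxr-xr-x   2 johnh    users        4096 Nov 12 19:50 tools\n"
    b"-rw-r--r--   1 johnh    users       48320 Nov 12 19:51 sniff.log\n"
    b"-rw-r--r--   1 johnh    users      780800 Nov 12 19:53 image12.jpg\n"
    b"\x00\x00rwx-rwx- not a listing\x00some text dr-xr-xr-x without the rest"
)

# The caption's EnCase pattern is [d\-][rwx\-]{9}(space). This version also admits symlinks
# and setuid/setgid/sticky bits (s, S, t, T) and refuses a hit glued to a preceding letter/digit.
PERM_RE = re.compile(rb"(?<![A-Za-z0-9])[dl-][rwxsStT-]{9}[ .+@]?\s")
# A complete `ls -l` entry: permissions, link count, owner, group, size, date, name.
LINE_RE = re.compile(
    r"^(?P<perms>[dl-][rwxsStT-]{9})[.+@]?\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+[\d:]{4,5})\s+(?P<name>.+)$"
)

def carve_candidates(buf):
    """Return every printable run in buf that begins with a permission string (the raw grep hits)."""
    runs = []
    for m in PERM_RE.finditer(buf):
        end = m.start()
        while end < len(buf) and 0x20 <= buf[end] <= 0x7E:  # stop at the first non-printable byte
            end += 1
        runs.append(buf[m.start():end].decode("ascii"))
    return runs

def parse_entries(runs):
    """Keep only runs that parse as a full listing line; this drops look-alike byte sequences."""
    entries = []
    for text in runs:
        m = LINE_RE.match(text)
        if m:
            d = m.groupdict()
            d["links"], d["size"] = int(d["links"]), int(d["size"])
            entries.append(d)
    return entries

def recover_directory_listing(buf):
    """Two stages, as an examiner would work: grep for the pattern, then validate each hit."""
    return parse_entries(carve_candidates(buf))
```

The recovered owner, size and date fields are what can later be compared against the UNIX system's own file system and transfer logs.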

The UNIX system may have login records and FTP transfer logs showing the connection and file transfers. Additionally, some of the transferred files may carry characteristics from the source computer (e.g. TAR files contain user and group information from UNIX systems). These types of digital evidence transfer can be used to establish the continuity of offense in a connect-the-dots manner. In the threatening e-mail example above, the information on the sender's hard disk, along with the date and time it was created, can be compared with data on the server and the message received by the target to demonstrate the continuity of the offense. To establish continuity of offense, investigators should seek the sources, conduits, and targets of an offense. Each of these three areas can hold multiple sources of digital evidence and can be used to establish the continuity of offense. Additional systems may be peripherally involved in an offense (e.g. for storage, communication, or information retrieval) and may contain related evidence. For instance, in a computer intrusion investigation, there may be related digital evidence on intrusion detection systems, in NetFlow logs, and on other intermediate systems discussed in later chapters.

The more corroborating evidence that investigators can obtain, the greater weight the evidence will be given in court and the more certainty they can have in their conclusions. In this way, investigators can develop a reconstruction of the crime and determine who was involved. The addition of a mechanism or taxonomy to categorize digital evidence as described would benefit the investigator by allowing them to present the relative merits of the evidence and help them maintain the objectivity called for by the investigative process.

As another example, take a case of downloading child pornography from an FTP server on the Internet via a dial-up connection as depicted in Figure 4.4. The date-time stamps of the offending files on the suspect's personal computer show when the files were downloaded. Additionally, logs created by the FTP client may show when each file was downloaded and from where. The following log entry created by WS_FTP shows an image being downloaded from an FTP server with IP address 192.168.1.45 on November 12, 1998, at 1953 hours from a remote directory on the FTP server named "/home/johnh".

Figure 4.4: Potential sources of evidence useful for establishing continuity of offense.

98.11.12 19:53 A C:\download\image12.jpg ,<-- 192.168.1.45 /home/johnh image12.jpg

Modem logs on the computer may show that the computer was connected to the Internet at the time in question.

Dial-up server logs at the suspect's Internet Service Provider (ISP) may show that a specific IP address was assigned to the suspect's user account at the time. The ISP may also have Automatic Number Identification (ANI) logs - effectively Caller-ID - connecting the suspect's home telephone number to the dial-up activity. Routers connecting the suspect's computer to the Internet may have associated NetFlow logs containing additional information about the suspect's connection to the FTP server.

Logs on the FTP server may confirm that files were downloaded to the suspect's IP address at the time in question. For instance, the following FTP server transfer log entry shows a file with the same name and size as that found on the suspect's computer being downloaded to the IP address that was assigned to the suspect's account at the time in question.

Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a _ o r user
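The connect-the-dots correlation described above, written out as an added example (not the book's code): the WS_FTP client line and the xferlog line are the two quoted above; the ISP dial-up assignment record and the size of the file recovered from the suspect's disk are constructed placeholders standing in for the ISP and disk evidence the text describes.

```python
import re
import posixpath
from datetime import datetime, timedelta

# Constructed records modelled on the two log lines quoted in this section.
WSFTP_LINE = r"98.11.12 19:53 A C:\download\image12.jpg ,<-- 192.168.1.45 /home/johnh image12.jpg"
XFERLOG_LINE = "Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a _ o r user"
# Hypothetical ISP dial-up assignment: (account, assigned IP, session start, session end).
ISP_SESSION = ("dialup-account-A", "216.58.30.131",
               datetime(1998, 11, 12, 19, 40), datetime(1998, 11, 12, 20, 15))
LOCAL_FILE_SIZE = 780800  # constructed: size of C:\download\image12.jpg on the suspect's disk

WSFTP_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}) ([AB]) (.+?) ,?(<--|-->) (\S+) (\S+) (\S+)$")

def parse_wsftp(line):
    """WS_FTP client log: local time (minute resolution), ASCII/binary mode, local path,
    direction arrow, server, remote directory and remote file name."""
    m = WSFTP_RE.match(line)
    if not m:
        raise ValueError("not a WS_FTP log line")
    when, mode, local, arrow, server, rdir, rfile = m.groups()
    return {"time": datetime.strptime(when, "%y.%m.%d %H:%M"), "mode": mode, "local": local,
            "download": arrow == "<--", "server": server, "remote": posixpath.join(rdir, rfile)}

def parse_xferlog(line):
    """wu-ftpd style xferlog entry, with the weekday omitted as in the quoted line."""
    t = line.split()
    return {"time": datetime.strptime(" ".join(t[:4]), "%b %d %H:%M:%S %Y"), "secs": int(t[4]),
            "client": t[5], "size": int(t[6]), "path": t[7], "outgoing": t[10] == "o",
            "user": t[12]}

def correlate(client_line, server_line, isp_session, local_size, skew=timedelta(minutes=2)):
    """Connect the dots across source, conduit and target. Returns the list of links that held;
    each is independent corroboration, and an empty list means nothing ties the records together."""
    c, s = parse_wsftp(client_line), parse_xferlog(server_line)
    links = []
    if c["download"] and s["outgoing"] and c["remote"] == s["path"]:
        links.append("same_remote_file")
    if abs(c["time"] - s["time"]) <= skew:  # client log has minute precision; allow clock drift
        links.append("times_agree")
    account, ip, start, end = isp_session
    if s["client"] == ip and start <= s["time"] <= end:
        links.append("server_saw_ip_assigned_to_" + account)
    if s["size"] == local_size:
        links.append("size_matches_local_file")
    return links
```

Each link is reported separately so that the examiner can weigh how many independent sources corroborate the same transfer rather than treating a single match as conclusive.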

CASE EXAMPLE (UNITED STATES v. HILTON 1997):


In United States v. Hilton, the forensic examiner was asked to justify transport charges by explaining his conclusion that pornographic images on the suspect's computer had been downloaded from the Internet. The examiner explained that the files were located in a directory named MIRC (the name of an Internet chat client) and that the date-time stamps of the files coincided with the time periods when the defendant was connected to the Internet. The court was satisfied with this explanation and accepted that the files were downloaded from the Internet.


These examples describe suspected offenses and allude to types and locations of potential evidentiary material. This section also introduced the established forensic concepts of class and individual characteristics and how to apply them to digital evidence, helping investigators and prosecutors assess the suitability and persuasive strength of the evidence. These are essential elements of any investigation but only represent the highlights of the structured process detailed in the following sections.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279