Chapter 9: Applying Forensic Science to Computers


Overview

Like a detective, the archaeologist searches for clues in order to discover and reconstruct something that happened. Like the detective, the archaeologist finds no clues too small or insignificant. And like the detective, the archaeologist must usually work with fragmentary and often confusing information. Finally, the detective and the archaeologist have as their goal the completion of a report, based on a study of their clues, that not only tells what happened but proves it.

(Meighan 1966)

Digital evidence examination is analogous to diamond cutting. By removing the unnecessary rough material, the clear crystal beneath is revealed. The diamond is then carved and polished to enable others to appreciate its facets. Similarly, digital evidence examiners extract valuable bits from large masses of data and present them in ways that decision makers can comprehend. Flaws in the underlying material or the way it is processed reduce the value of the final product.[1]

Stretching the analogy, digging rough diamonds from the earth requires one set of skills, whereas a diamond cutter requires another set of skills entirely. A jeweler who examines gems closely to assess their worth and combines them to create a larger piece requires yet another set of skills. Digital investigators often perform all of the requisite tasks, from collecting, documenting, and preserving digital evidence to extracting useful data and combining them to create an increasingly clear picture of the crime as a whole. Digital investigators need a methodology to help them perform all of these tasks properly, find the scientific truth, and ultimately have the evidence admitted in court.

This is where forensic science is useful, offering carefully tested methods for processing and analyzing evidence and reaching conclusions that are reproducible and free from distortion or bias. Concepts from forensic science can also help digital investigators take advantage of digital evidence in ways that would otherwise not be possible. For example, scientific techniques such as comparing features of digital evidence with exemplars can be used to discern minor details that would escape the naked eye.

This chapter applies the methodologies covered in Chapter 4 (Investigative Process) and Chapter 5 (Investigative Reconstruction) to single, non-networked computers. These methodologies incorporate principles and techniques from forensic science, including comparison, classification, individualization, and evaluation of source. Each stage of the process is detailed in the following sections.

  • Authorization and Preparation.

  • Identification.

  • Documentation, Collection (Seizure), and Preservation.

  • Examination and Analysis.

  • Reconstruction.

  • Reporting Results.

These stages serve the ultimate goals of discovering the truth (based upon proof or high statistical confidence) and presenting evidence in a way that helps decision makers reach a verdict.

[1] Digital evidence examination is also analogous to an autopsy in that some skill is required to operate on the system and determine what occurred.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
