Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series) - page 24



Computers have appeared in the course of litigation for over 25 years. In 1977, there were 291 U.S. federal cases and 246 state cases in which the word computer appeared and which were sufficiently important to be noted in the Lexis database. In the UK, there were only 20. However, as early as 1968, the computer’s existence was considered sufficiently important for special provisions to be made in the English Civil Evidence Act.

The following description is designed to give a summary of the issues rather than attempt to give a complete guide. As far as one can tell, noncontentious cases tend not to be reported, and the arrival of computers in commercial disputes and in criminal cases did not create immediate difficulties. Judges sought to allow computer-based evidence on the basis that it was no different from forms of evidence with which they were already familiar: documents, business books, weighing machines, calculating machines, films, and audio tapes. This is not to say that such cases were without difficulty; however, no completely new principles were required. Quite soon, though, it became apparent that many new situations were arising and that analogies with more traditional evidential material were beginning to break down. Some of these were tackled in legislation, as with the English 1968 Act and the U.S. Federal Rules of Evidence in 1976. But many were addressed in a series of court cases. Not all of the key cases deal directly with computers, but they do have a bearing on them, as they relate to matters that are characteristic of computer-originated evidence. For example, computer-originated evidence, or information that is not immediately readable by a human being, is usually gathered by a mechanical counting or weighing instrument. The calculation could also be performed by a mechanical or electronic device.

The focus of most of this legislation and judicial activity was determining the admissibility of the evidence. The common law and legislative rules are those that have arisen as a result of judicial decisions and specific law. They extend beyond mere guidance. They are rules that a court must follow; the thought behind these rules may have been to impose standards and uniformity in helping a court test authenticity, reliability, and completeness. Nevertheless, they have acquired a status of their own and in some cases prevent a court from making ad hoc common sense decisions about the quality of evidence. The usual effect is that once a judge has declared evidence inadmissible (that is, failing to conform to the rules), the evidence is never put to a jury, for a variety of reasons that will become apparent shortly. It is not wholly possible for someone interested in the practical aspects of computer forensics (that is, the issues of demonstrating authenticity, reliability, completeness, or lack thereof) to separate out the legal tests.

Now let’s look at some of the more common questions that computer forensics can hope to answer. The following conclusions are not exhaustive, nor is the order significant.

Conclusions Drawn from Computer Forensics Situations

  • Documents: To prove authenticity; alternatively, to demonstrate a forgery. This is the direct analogy to proving a print-based document.

  • Reports: Computer generated from human input. This is the situation where a series of original events or transactions are input by human beings, but where, after regular computer processing, a large number of reports, both printed and on-screen, can be generated. Examples would include the order/sales/inventory applications used by many commercial organizations and retail banking.

  • Real evidence: Machine-readable measurements and the like (weighing, counting, or otherwise recording events); the reading of the contents of magnetic stripes, bar codes, and smart cards.

  • Reports generated from machine-readable measurements, and the like: Items that have been counted, weighed, and so on, and the results then processed and collated.

  • Electronic transactions: To prove that a transaction took place, or to demonstrate that a presumption that one had taken place was incorrect. Typical examples would include money transfers, ATM transactions, securities settlement, and EDIs.

  • Conclusions reached by search programs: These are programs that have searched documents, reports, and so on, for names and patterns. Typical users of such programs are auditors and investigators.

  • Event reconstruction: To show a sequence of events or transactions passing through a complex computer system. This is related to the proving of electronic transactions, but with more proactive means of investigation. Event reconstruction is also used to show how a computer installation, or a process dependent on a computer, may have failed. Typical examples include computer contract disputes (when a computer failed to deliver acceptable levels of service and blame must be apportioned), disaster investigations, and failed trade situations in securities dealing systems.

  • Liability in a situation: This is where CAD designs have relied on autocompletion or filling-in by a program (in other respects, a CAD design is a straightforward computer-held document). Liability in a situation is also where a computer program has made a decision (or recommendation) based on the application of rules and formulae; where the legal issue is the quality and reliability of the application program, and the rules with which it has been fed.
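Event reconstruction in practice means reconciling records from several systems whose clocks, timestamp formats and time zones differ, and making every normalising assumption explicit so it can be defended later. The script below is an added example, not from the book: the three log excerpts (an application log with ISO timestamps and a +01:00 offset, a classic syslog-style auth log with no year and no zone, and a firewall CSV with epoch seconds) are constructed, and the host names, addresses and order number in them are invented.

```python
"""Reconstruct a single ordered timeline from several log sources.

Added example (not from the book). The three excerpts below are
constructed sample data with deliberately different timestamp styles,
as met when reconciling an application log, a syslog-style auth log
and a firewall export that all describe the same period.
"""
import re
from datetime import datetime, timezone

# Constructed sample: ISO-8601 timestamps carrying a +01:00 offset.
APP_LOG = """\
2023-03-14T10:02:05+01:00 INFO order=8841 created by user=alice
2023-03-14T10:02:41+01:00 WARN order=8841 amount changed 120.00 -> 12000.00
"""
# Constructed sample: classic syslog, which records neither year nor zone.
AUTH_LOG = """\
Mar 14 09:01:50 host1 sshd[412]: Accepted password for alice from 10.0.0.7
Mar 14 09:03:10 host1 sshd[412]: Disconnected from 10.0.0.7
"""
# Constructed sample: firewall export with Unix epoch seconds (UTC by definition).
FW_LOG = """\
1678784515,10.0.0.7,192.168.1.20,22,ALLOW
1678784595,10.0.0.7,192.168.1.20,22,CLOSE
"""

# Assumptions that must be recorded with the reconstruction: the year the
# syslog host was running in, and the zone its clock was set to.
SYSLOG_YEAR = 2023
SYSLOG_TZ = timezone.utc

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (.*)$")


def parse_app(line):
    """ISO timestamp with offset: convert to UTC, keep the rest as message."""
    ts, msg = line.split(" ", 1)
    return datetime.fromisoformat(ts).astimezone(timezone.utc), msg


def parse_syslog(line, year=SYSLOG_YEAR, tz=SYSLOG_TZ):
    """Syslog lacks year and zone; both are supplied as explicit assumptions."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    mon, day, hms, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=tz).astimezone(timezone.utc), msg


def parse_fw(line):
    """Epoch seconds are already UTC; rebuild a readable message from the fields."""
    epoch, src, dst, port, action = line.strip().split(",")
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return ts, f"{action} {src} -> {dst}:{port}"


def build_timeline(sources):
    """Merge (name, text, parser) triples into one list sorted by UTC time.

    Ties are broken by source name so the ordering is deterministic and
    reproducible by another examiner.
    """
    events = []
    for name, text, parser in sources:
        for line in text.splitlines():
            if line.strip():
                ts, msg = parser(line)
                events.append((ts, name, msg))
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def reconstruct():
    """Timeline for the constructed sample above."""
    return build_timeline([
        ("app", APP_LOG, parse_app),
        ("auth", AUTH_LOG, parse_syslog),
        ("fw", FW_LOG, parse_fw),
    ])


if __name__ == "__main__":
    for ts, src, msg in reconstruct():
        print(f"{ts.isoformat()}  {src:<5} {msg}")
```

Every conversion step (the offset applied to the application log, the year and zone assumed for syslog) is a fact the examiner asserts and must be able to justify; the point of keeping them as named constants is that the reconstruction can be re-run and challenged on those assumptions rather than on the merge itself.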

The following occasions could arise in any of a number of forms of litigation:

  • Civil matters such as:

    • Breach of contract

    • Asset recovery

    • Tort, including negligence

    • Breach of confidence

    • Defamation

    • Breach of securities industry legislation and regulation and/or Companies Acts

    • Employee disputes

    • Copyright and other intellectual property disputes

    • Consumer protection law obligations (and other examples of no-fault liability)

    • Data protection law legislation

  • Criminal matters such as:

    • Theft acts, including deception

    • Criminal Damage

    • Demanding money with menaces

    • Companies law, Securities industry, and banking offenses

    • Criminal offenses concerned with copyright and intellectual property

    • Drug offenses

    • Trading standards offenses

    • Official secrets

    • Computer Misuse Act offenses

    • Pornography offenses

As mentioned earlier, the most likely situations are that computer-based evidence makes a contribution to an investigation or to litigation and is not the whole of it.

An Agenda for Action in Computer Forensics Methods

The following is a provisional list of actions for some of the principal forensic methods. The order is not significant; however, these are the activities for which the research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these methods have been mentioned in passing already:

  1. Safe seizure of computer systems and files, to avoid contamination and/or interference

  2. Safe collection of data and software

  3. Safe and noncontaminating copying of disks and other data media

  4. Reviewing and reporting on data media

  5. Sourcing and reviewing of back-up and archived files

  6. Recovery/reconstruction of deleted files—logical methods

  7. Recovery of material from swap and cache files

  8. Recovery of deleted/damaged files—physical methods

  9. Core-dump: collecting an image of the contents of the active memory of a computer at a particular time

  10. Estimating if files have been used to generate forged output

  11. Reviewing of single computers for proper working during relevant period, including service logs, fault records, and the like

  12. Proving/testing of reports produced by complex client/server applications

  13. Reviewing of complex computer systems and networks for proper working during relevant period, including service logs, fault records, and the like

  14. Review of system/program documentation for: design methods, testing, audit, revisions, and operations management

  15. Reviewing of applications programs for proper working during relevant period, including service logs, fault records, and the like

  16. Identification and examination of audit trails

  17. Identification and review of monitoring logs

  18. Telecoms call path tracing (PTTs or path-tracing telecoms and telecoms utilities companies only)

  19. Reviewing of access control services—quality and resilience of facilities (hardware and software, identification/authentication services)

  20. Reviewing and assessment of access control services—quality of security management

  21. Reviewing and assessment of encryption methods—resilience and implementation

  22. Setting up of proactive monitoring to detect unauthorized or suspect activity within application programs and operating systems, and across local area and wide area networks

  23. Monitoring of e-mail

  24. Use of special alarm or trace programs

  25. Use of honey pots

  26. Interaction with third parties (suppliers, emergency response teams, and law enforcement agencies)

  27. Reviewing and assessment of measuring devices and other sources of real evidence, including service logs, fault records, and the like

  28. Use of routine search programs to examine the contents of a file

  29. Use of purpose-written search programs to examine the contents of a file

  30. Reconciliation of multisource files

  31. Examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties

  32. Event reconstruction

  33. Complex computer intrusion

  34. Complex fraud

  35. System failure

  36. Disaster affecting computer-driven machinery or process

  37. Review of expert or rule-based systems

  38. Reverse compilation of suspect code

  39. Use of computer programs that purport to provide simulations or animations of events: review of accuracy, reliability, and quality
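Two of the items above, the noncontaminating copying of data media (item 3) and the recovery of deleted files by physical methods (item 8), are worth seeing in code because both come down to the same discipline: prove the copy is bit-for-bit identical to the original, then work only on the copy. The script below is an added example, not from the book; the "medium" is a constructed byte string standing in for a disk image, and the copy step is a plain in-memory copy where a real acquisition would read through a write blocker.

```python
"""Verify a bit-for-bit copy of a data medium and carve files from it.

Added example (not from the book). The medium is a constructed byte
string standing in for a disk image. It shows a non-contaminating copy
verified by hashing before and after, and physical-method recovery of a
file that has lost its directory entry, by scanning for file signatures
rather than trusting filesystem metadata.
"""
import hashlib

# Well-known file signatures (header, trailer) used for carving.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_END = b"\xff\xd9"
SIGNATURES = {"png": (PNG_MAGIC, PNG_END), "jpeg": (JPEG_MAGIC, JPEG_END)}


def build_sample_medium():
    """Constructed image: unused space, a PNG, filler, then an orphaned JPEG
    whose directory entry is gone so only its bytes survive in unallocated
    space. Offsets: PNG at 64..109, JPEG at 237..277, total 341 bytes."""
    png = PNG_MAGIC + b"\x00" * 20 + b"IHDR-stub" + PNG_END          # 45 bytes
    jpeg = JPEG_MAGIC + b"\xe0" + b"JFIF" + b"\x11" * 30 + JPEG_END   # 40 bytes
    return b"\x00" * 64 + png + b"\x55" * 128 + jpeg + b"\x00" * 64


def acquire(medium):
    """Copy the medium and return (copy, custody_record).

    The hash is taken before the copy is made and again on the copy; any
    difference means the acquisition cannot be relied on and is aborted.
    """
    before = hashlib.sha256(medium).hexdigest()
    copy = bytes(medium)  # stand-in for a write-blocked, block-level image
    after = hashlib.sha256(copy).hexdigest()
    if before != after:
        raise RuntimeError("image hash mismatch: copy is not evidentially sound")
    return copy, {"sha256": before, "length": len(medium)}


def verify_against_record(image, record):
    """Re-check an image against its custody record (e.g. before each exam)."""
    return (len(image) == record["length"]
            and hashlib.sha256(image).hexdigest() == record["sha256"])


def carve(image, max_len=1 << 20):
    """Return [(kind, start, end)] for every header/trailer-delimited file.

    This ignores the filesystem entirely, so it also recovers files whose
    directory entries were deleted, as long as the data was not overwritten.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_len)
            if end < 0:               # header without trailer: skip it
                pos = start + len(head)
                continue
            end += len(tail)
            found.append((kind, start, end))
            pos = end
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    image, record = acquire(build_sample_medium())
    print("custody record:", record)
    for kind, start, end in carve(image):
        print(f"{kind}: offset {start}..{end} ({end - start} bytes)")
```

The custody record (hash plus length) is what later examiners verify before touching the image, and re-running `verify_against_record` after each examination is how one shows the working copy was not altered. Carving by signature is deliberately blind to directory structure, which is exactly why it belongs under "physical methods" as opposed to the logical recovery of item 6.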
