1.2 Increasing Awareness of Digital Evidence


By now it is well known that attorneys and police are encountering progressively more digital evidence in their work. Less obviously, computer security professionals and military decision makers are concerned with digital evidence. An increasing number of organizations are faced with the necessity of collecting evidence on their networks in response to incidents such as computer intrusions, fraud, intellectual property theft, child pornography, stalking, sexual harassment, and even violent crimes.

More organizations are considering legal remedies when criminals target them and are giving more attention to handling digital evidence in a way that will hold up in court. Also, by processing digital evidence properly, organizations are protecting themselves against liabilities such as invasion of privacy and unfair dismissal claims. As a result, there are rising expectations that computer security professionals have training and knowledge related to digital evidence handling.

Sidebar: System administrators who find child pornography on computers in their workplace are in a perilous position. Simply deleting the contraband material and not reporting the problem may be viewed as criminally negligent. A system administrator who did not muster his employer's support before calling the police to report child pornography placed on a server by another employee was disavowed by his employer, had to hire his own lawyer, testify in his own time, and ultimately find a new job. Well-meaning attempts to investigate child pornography complaints have resulted in system administrators being prosecuted for downloading and possessing illegal materials themselves. Therefore, in addition to being technically prepared for such incidents, it is important for organizations and system administrators to have clear policies and procedures for responding to these problems.

End of sidebar.

In addition to handling evidence properly, corporations and military operations need to respond to and recover from incidents rapidly to minimize the losses caused by an incident. Many computer security professionals deal with hundreds of petty crimes each month, and there is neither the time nor the resources to open a full investigation for each incident. Therefore, computer security professionals attempt to limit the damage and close each investigation as quickly as possible. There are three significant drawbacks to this approach. First, each unreported incident robs attorneys and law enforcement personnel of an opportunity to learn about the basics of computer-related crime; instead, they are only involved when the stakes are high and the cases are complicated. Second, computer security professionals develop loose evidence processing habits that can make it more difficult for law enforcement personnel and attorneys to prosecute an offender. Third, this approach results in underreporting of criminal activity, deflating the statistics that are used to allocate corporate and government spending on combating computer-related crime.

Balancing thoroughness with haste is a demanding challenge. Tools that are designed for detecting malicious activity on computer networks are rarely designed with evidence collection in mind. Some organizations are attempting to address this disparity by retrofitting their existing systems to address authentication issues that arise in court. Other organizations are implementing additional systems specifically designed to secure digital evidence, popularly called Network Forensic Analysis Tools (NFATs). Both approaches have shortcomings that will be addressed gradually as software designers become more familiar with issues relating to digital evidence.

Government agencies are also interested in using digital evidence to detect terrorist activities and prevent future attacks. As a result, data mining technologies that were previously used to detect and investigate criminal activity that occurred in the past are now being adapted to identify suspicious, but not necessarily criminal, activities. Understandably, the possibility of the government freely sifting through every citizen's personal data for anything that looks suspicious is a privacy advocate's worst nightmare. There is certainly a risk that these pre-crime systems will do more harm than the problems they aim to address.

Ultimately, these systems will not achieve their intended goal because of inadequate training data sets, inaccurate data, high numbers of false positives, and information overload. With detailed knowledge of only several thousand known terrorists and ignoring the fact that terrorists regularly change their behavior to evade detection, it is statistically impossible to develop data mining methods that can reliably distinguish between normal and suspicious activity. The resulting inaccurate data mining methods would result in false positives that could ruin the lives of thousands, perhaps millions, of innocent individuals. Considering the amount of junk mail that is incorrectly addressed to Mr Eogliam Casey, Mr Bogan Caseui, and Ms Eileen Casey, it is likely that erroneous data in the underlying databases will increase the number of false positives in data mining. Even if data mining stumbled upon one actual terrorist, this lead would probably be lost among the false positives and bureaucracy created by the data mining process. Let us just hope that careless efforts to utilize these powerful data mining technologies do not cause too much damage and inhibit our ability to use them to investigate crimes.
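The false-positive argument above is a base-rate calculation, and it is worth seeing the arithmetic carried through. The following is an added illustration, not code or figures from the book: the population size (300 million records), the number of true positives (3,000, standing in for "several thousand known terrorists"), and the detector's 99% true-positive rate and 1% false-positive rate are all constructed assumptions. The functions compute how many innocent people a detector with those rates flags for every real hit, and how small the false-positive rate would have to be before a flagged case is more likely right than wrong.

```python
"""Base-rate arithmetic for a mass-screening detector (added illustration).

All numbers below are constructed assumptions for the example, not data
from the book or from any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    true_positives: float
    false_positives: float
    false_negatives: float
    precision: float              # P(actually positive | flagged)
    flagged_per_true_hit: float   # records flagged for every real positive found


def screen(population: int, positives: int, tpr: float, fpr: float) -> ScreeningOutcome:
    """Expected outcome of running a detector with the given true-positive
    rate (tpr) and false-positive rate (fpr) over a population that contains
    `positives` real cases."""
    if not 0 <= positives <= population:
        raise ValueError("positives must lie within the population")
    for name, rate in (("tpr", tpr), ("fpr", fpr)):
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{name} must be a probability between 0 and 1")
    negatives = population - positives
    tp = positives * tpr          # real cases the detector catches
    fp = negatives * fpr          # innocent records it flags anyway
    fn = positives - tp           # real cases it misses
    flagged = tp + fp
    precision = tp / flagged if flagged else 0.0
    per_hit = flagged / tp if tp else float("inf")
    return ScreeningOutcome(tp, fp, fn, precision, per_hit)


def fpr_for_precision(population: int, positives: int, tpr: float,
                      target_precision: float) -> float:
    """False-positive rate the detector would need so that a flagged record is
    correct with probability `target_precision`.  Solves
    precision = TP / (TP + FP) for the allowed FP, then divides by negatives."""
    if not 0.0 < target_precision <= 1.0:
        raise ValueError("target_precision must be in (0, 1]")
    negatives = population - positives
    tp = positives * tpr
    fp_allowed = tp * (1.0 - target_precision) / target_precision
    return fp_allowed / negatives if negatives else 0.0


if __name__ == "__main__":
    # Constructed scenario (assumption): 300 million records, 3,000 real cases,
    # a detector that catches 99% of them and wrongly flags 1% of everyone else.
    POPULATION, POSITIVES, TPR = 300_000_000, 3_000, 0.99
    print(f"{'FPR':>8} {'flagged':>12} {'innocent':>12} {'precision':>10} {'flagged/hit':>12}")
    for fpr in (0.01, 0.001, 0.0001, 0.00001):
        out = screen(POPULATION, POSITIVES, TPR, fpr)
        print(f"{fpr:>8.5f} {out.true_positives + out.false_positives:>12.0f} "
              f"{out.false_positives:>12.0f} {out.precision:>10.5f} "
              f"{out.flagged_per_true_hit:>12.1f}")
    needed = fpr_for_precision(POPULATION, POSITIVES, TPR, 0.5)
    print(f"\nFPR needed before a flag is more likely right than wrong: {needed:.2e}")
```

With the constructed 1% false-positive rate, roughly three million innocent records are flagged for fewer than three thousand real hits, so about one flag in a thousand is correct; reaching even 50% precision would require a false-positive rate near one in a hundred thousand, which is far beyond what a detector trained on a few thousand examples of a changing behaviour can deliver. Erroneous entries in the underlying databases push the effective false-positive rate up, not down, so they only widen the gap.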

Keep in mind that criminals are also concerned with digital evidence and will attempt to manipulate computer systems to avoid apprehension. Therefore, digital investigators cannot simply rely on what is written in this book to process digital evidence and must extend the lessons to new situations. With this in mind, in addition to presenting specific techniques and examples, this text provides general concepts and methodologies that can be applied to new situations with some thought and research on the part of the reader.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
