20.3 Identifying and Processing Digital Evidence



As computers, digital cameras, and the Internet become more integrated into the average person's life, the role of digital evidence examiners becomes clearly essential. In Europe, investigators are finding an increasing number of mobile phones with digital cameras being used to create and exchange child pornography. The increasing trend of mobile phones being involved in criminal activities is a clear demonstration of how pervasive digital evidence has become. Although digital evidence could be overlooked and mishandled in the past without serious repercussions, overlooking or mishandling this kind of evidence now may amount to malfeasance. It is essential for investigators to identify sources of evidence and process them methodically as detailed throughout this text. Failure to do so allows a defense attorney to attack a case on technical grounds, rather than the actual merits of the evidence itself.

The importance of crime scene protocols and evidence handling procedures in this type of investigation cannot be overstated. The basic precaution of wearing surgical gloves is often neglected, despite the fact that sex offenses often involve potentially infectious body fluids that pose a health risk to first responders and must be processed as evidence. First responders have reported that protective plastic covers they find on some offenders' computer keyboards smell of semen. Without adequate procedures, important digital evidence may be missed, particularly when dealing with offenders who have taken steps to conceal their activities. In several cases, an offender has made a telephone call while in custody to instruct someone to destroy digital evidence. In other cases, suspects have shot at investigators and/or killed themselves when a search warrant was being executed on their homes. Therefore, investigators must take precautions when serving warrants in computer-related offenses just as they would with any other crime.

The role of a computer in the sex offense investigation will determine the types of evidence that exist and where they are located. For instance, when an offender uses a computer to communicate with victims, the Information as Evidence category described in Chapter 2 is applicable and an associated Standard Operating Procedure (SOP) can be implemented to process digital evidence from computers and connected networks. When the home of alleged serial killer John Robinson was searched, for example, five computers were collected as evidence (McClintock 2001). However, when a computer is used to manufacture and disseminate child pornography, the Hardware as Instrumentality, Information as Contraband, and Information as Evidence categories may all be applicable, making it necessary to search for and collect a larger range and amount of evidence, including digital cameras, scanners, removable media, hiding places, and online activities as depicted in Figure 20.1.

Figure 20.1: Possible sources of evidence in a sex offense investigation.

It can be a major undertaking to locate all computers and Internet accounts used by the victim or offender, involving extended searches (e.g. automobile, workplace, storage facilities, properties belonging to parents, and significant others of both victim and offender), interviews (e.g. suspect, victim, family, friends, and co-workers), and analysis of credit card bills, telephone records, and online activities. Also, a search warrant may be needed to obtain a victim's computers if consent is not forthcoming.

When dealing with online sexual offenders, it is particularly important to take advantage of the Internet as a source of evidence. An offender's online communications may reveal other offenders or victims. Logs from various systems on the Internet can provide a more complete picture of the offender's activities, sometimes leading to other sources of digital evidence such as a hidden laptop, computers at work, a public library terminal, or an Internet cafe. Therefore, investigators should call the victim's and offender's Internet Service Providers immediately to explain the situation and should follow up with a preservation letter detailing the information that is needed, to ensure that information is not lost while a search warrant or other court order is obtained.

Searching the Internet for related information can also generate useful leads. Some sex offenders participate in special interest newsgroups (e.g. alt.sex.incest, alt.pedophilia, alt.support.boy-lovers), online discussion boards such as BoyLinks and GirlLove Garden, and organizations like the Danish Pedophile Association and North American Man/Boy Love Association (NAMBLA). Similar support groups exist on IRC (#fathersdaughtersex). Some offenders even participate in victim support groups such as alt.abuse.recovery because of the high concentration of victims of past abuse. It may even be possible to find online witnesses who observed interactions between the offender and victim in areas they frequented. Digital evidence on private networks can also help generate new leads, establish the Continuity of Offense, and corroborate other evidence.

CASE EXAMPLE (CONNECTICUT 1998):


Yale geology professor Anthony Lasaga admitted to possessing tens of thousands of images of children engaging in sexual acts with adults, animals, and other children. Many of these images were downloaded from the Internet (e.g. Supernews.com) onto a computer in the geology department and then viewed on Lasaga's desktop computer. A system administrator in the geology department came across the child pornography on the server in the course of his work. The system administrator observed Lasaga accessing the materials on the server from his desktop and reported the incident to law enforcement. Given the severity of the crime and the involvement of several systems, it was necessary to secure and search the entire geology building and network for related evidence.

Because of his success in attributing the illegal activities to Lasaga, the system administrator was accused by the defense of acting as an agent of law enforcement. Although the system administrator was ultimately exonerated of any wrongdoing, his employers did not provide legal support and he was compelled to hire an attorney to defend himself against the accusations. Notably, Lasaga also admitted to creating a videocassette of a young boy engaging in sexual acts. The tape involved a 13-year-old boy whom Lasaga met through a New Haven child-mentoring program. The tape was shot on the Yale campus, one in the professor's geology classroom and the other in the Saybrook master's house (Diskant 2002).


Log files and other remnants of a victim's network activities should also be examined. The importance of this information is most evident when offenders instruct victims to wipe their hard drive before coming to a meeting. In such cases, the Internet and telephone networks may be the only available source of digital evidence that can lead investigators to the offender and missing victim. However, even when useful digital evidence is found on the victim's computer, the Internet and other networks can provide corroborating evidence and may even help develop new leads.

One challenge occasionally arising during the investigation of a sex offense is that digital evidence was not preserved properly or at all. Victims sometimes destroy key evidence because they are embarrassed by it; corporate security professionals might copy data from important systems or logs, ignorant of proper evidence handling concepts; or poorly trained police officers may overlook important items. A related problem is that supporting documentation may be inadequate for forensic purposes. In such situations, investigators and examiners should work together to determine if evidence was overlooked and to gather details about the context, origin, and chain of possession of the evidence. Without basic background details (e.g. where a computer came from, what was on it originally, how it was used, who used it, whether access to the computer was restricted, who had access to it), it may not be possible to authenticate digital evidence on the system.

A further challenge is that some online sexual offenders use various concealment techniques to make it more difficult for investigators to identify them and find evidence. Some offenders physically hide removable media and other incriminating evidence in their homes, at work, and in rented storage space. For instance, when investigators searched the home of New York Law School professor Edward Samuels, they found evidence hidden in a crawl space in the ceiling. When Moscow police searched the apartment of notorious child pornographer Vsevolod Solntsev-Elbe, they found innocuous-looking, shrink-wrapped videos in boxes for National Geographic nature films, with pictures of rhinos, giraffes, and pandas on the covers. The beginning of each tape contained a clip from nature documentaries but the remainder of the tape contained child pornography (Reuters 2002).

Increasingly, online sex offenders are using encryption, steganography, and other methods of digitally concealing evidence. The following message from one offender who was not apprehended provides insight into the concealment techniques that criminals use on the Internet.

I use a proxy but not an anon proxy: it works like this: I have an account in one jurisdiction but use their proxy in their branch office of another jurisdiction to connect with the main server. Of course my server logs my accesses as well as the servers I access logging the accessing server. But who is the person doing the accessing. Let's look through the millions of hits going through the main server of the big company I subscribe to and spend ages trying to link my account to the access which is made hugely difficult when a person accesses a foreign server. The law in which my account is based is different to the law where I reside using the proxy ... Then having downloaded images of the seven wonders of the world, I back up to an external file, BC Wipe, Window Wash and Evidence Eliminate, activex, cookies and java disabled and Encase given a run to see if anything was left. (Anonymous)

Given the potential for concealment in this type of case, it is important to examine all digital evidence carefully rather than simply searching for obvious items such as images that are not hidden. The analysis guidelines in Chapter 24 provide a methodology for performing a thorough examination.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
