The corpus delicti, or body of the crime, refers to those essential facts that show a crime has taken place. If these basic facts do not exist, it cannot be reliably established that there was indeed a crime. For example, to establish that a computer intrusion has taken place, investigators should look for evidence such as a point of entry, programs left behind by the criminal, destroyed or altered files, and any other indication of unauthorized access to a computer. Even if investigators can establish that a crime has been committed, it may become clear that there is not enough evidence to identify suspects, link suspects to the victim, link suspects to the crime scene, link similar cases to the same perpetrator, and/or disprove or support witness testimony. In extreme situations, there may not even be enough evidence to generate leads sufficient to engine the investigation forward. Such cases are rare, and present the investigator with the prospect of a case growing cold. When this occurs, investigators must bear down and re-investigate each piece of evidence collected until it is an exhausted possibility.
Equivocal refers to anything that can be interpreted in more than one way or where the interpretation is open to question. An equivocal forensic analysis is one in which the conclusions regarding the physical and digital evidence are still open to interpretation.
Before relying on evidence gathered by others, it is imperative to assess its reliability and significance. Witness statements may be inaccurate or contradictory, evidence may have been overlooked or processed incorrectly, or there may be other complexities that only become apparent upon closer inspection. Equivocal forensic analysis is the process of objectively evaluating available evidence, independent of the interpretations of others, to determine its true meaning. The goal is to identify any errors or oversights that may have already been made.
Difficult as it may be, it is critical to examine incoming evidence as objectively as possible, questioning everything and assuming nothing. In many situations, evidence will be presented to an investigator along with an interpretation (e.g. this is the evidence of a computer intrusion or death threat). Investigators should not accept another person's interpretation without question but should instead verify the origins and meanings of the available evidence themselves to develop their own hypotheses and opinions.
From one perspective, an equivocal forensic analysis is necessary for self-preservation. When investigators render opinions in a case, they are staking their reputations on the veracity of these opinions. An investigator who does not base his/her conclusions on sound evidence will have a short career.
From a less selfish perspective, investigators should want to be sure that everything they assert is accurate because it will be used to determine an individual's innocence or guilt and deprive them of their liberty or, in extreme cases, their life.
In essence, an equivocal forensic analysis is somewhat of a repetition of the investigative process detailed in Chapter 4. The reason for this repetition is that several people with varying degrees of expertise may have investigated different aspects of the crime at different times (e.g. first responders, system administrators) and a full analysis of the evidence is required to ensure that prior investigations were complete and sound. If digital evidence was overlooked, altered, processed inadequately, or misunderstood, this may become apparent when viewed by a critical mind in the context of other evidence. A side benefit of an equivocal forensic analysis is that the investigator becomes familiar with the entire body of evidence in a case.
In addition to physical and digital evidence, an equivocal forensic analysis should include information sources such as suspect, victim and witness statements, other investigators' reports, and crime scene documentation. A sample of the information sources that are used at this stage to establish a solid basis of fact is provided here:
known facts and their sources;
suspect, victim and witness statements, including information technology staff with knowledge of the crime or systems involved;
first responder and investigator reports, and interviews with everyone who handled evidence;
crime scene documentation, including photos or video of the crime scene;
original media for re-examination;
network map, network logs, backup tapes;
usage and ownership history of computer systems;
results of Internet searches for related information;
badge/biometric sensors, cameras;
traditional physical evidence;
fingerprints, DNA, fibers, etc.
Basic goals of an equivocal forensic analysis involving a computer should include addressing fundamental issues such as, where the computer came from, who used it in the past, how was it used and what data it contained, and whether a password was required. If a computer was handed down from father to son, transferred from one employee to another, or used by multiple individuals, this can make a difference when attempting to attribute activities. Failure to establish any of these circumstances should seriously reduce the confidence of any theories regarding the corpus delicti and subsequent offender identity. Similarly, in an apparent intrusion investigation, interviews with system administrators may reveal that one of their co-workers was fired recently and threatened to damage the system. Close examination of a network map or statements made by network administrators may reveal another potential source of digital evidence that was previously overlooked.
As the following quotation explains, evidence that is used to reconstruct crimes falls into three categories: relational, functional, and temporal.
Most evidence is collected with the thought that it will be used for identification purposes, or its ownership property. Fingerprints, DNA, bullets, casing, drugs, fibers, and safe insulation are examples of evidence used for establishing source or ownership. These are the types of evidence that are brought to the laboratory for analysis to establish the identification of the object and/or its source. The same evidence at the crime scene may be the evidence used for reconstruction. We use the evidence to sequence events, determine locations and paths, establish direction or establish time and/or duration of the action. Some of the clues that are utilized in these determinations are relational, that is, where an object is in relation to the other objects or to the crime; functional, the way something works or how it was used or temporal, things based on the passage of time. (Chisum, in Turvey 2002)
Even within the limitations already discussed, digital evidence is a rich and often unexplored source of information. It can establish action, position, origin, associations, function, sequence, and more enabling an investigator to create an incredibly detailed picture of events surrounding a crime. Log files are a particularly rich source of behavioral evidence because they record so many actions. Piecing together the information from various log files, it is often possible to determine what an individual did or was trying to achieve with a high degree of detail.
Temporal aspects of evidence, or when events occurred, are obviously important. Since computers often note the time of specific events, such as the time a file was created or the time a person logged on using a private password, digital evidence can be very useful for reconstructing the sequence of events. Less obviously, the position of digital evidence in relation to other objects can be very informative. For instance, the geographic location of computers in relation to suspects and victims, or the locations of files or programs on a computer can be important. Determining where a computer intruder hides files can help reconstruct a crime and can help investigators of similar crimes discover similar hiding places.
Missing items are also important but the presence must be inferred from other events. For example, if there is evidence that a certain program was used but the program cannot be found, it can be inferred that the program was removed after use. This could have significant implications in the context of a crime, since covering behavior is very revealing about criminals, as is what they want to hide. The functionality of a piece of digital evidence can shed light on what happened. Of course, knowing what a program does is crucial for reconstruction, but if a computer program has options that determine what it does, then the options that are selected to commit a crime are also very telling, potentially revealing skill level, intent, and concealment behavior.
Individual pieces of digital data might not be useful on their own, but patterns may emerge when they are combined. If a victim checks e-mail at a specific time or frequents a particular area on the Internet, a disruption in this pattern could be an indication of an unusual event. An offender might only strike on weekends, at a certain location, or in a unique way. With this in mind, there are three forms of reconstruction that should be performed when analyzing evidence to develop a clearer picture of the crime and see gaps or discrepancies (Figure 5.1):
Temporal (when): helps identify sequences and patterns in time of events;
Relational (who, what, where): components of crime, their positions and interactions;
Functional (how): What was possible and impossible.
Figure 5.1: Conceptual view of timeline and relational reconstructions.
Creating a chronological list of events can help an investigator gain insight into what happened and the people involved in a crime. Such a timeline of events can help an investigator identify patterns and anomalies, shedding light on a crime and leading to other sources of evidence. For instance, a computer log file with a large gap or entries that are out of sequence may be an indication that the log was tampered with.
There are other approaches to analyzing temporal information and identifying patterns. Creating a histogram of times can reveal a period of high activity that deserves closer inspection. Arranging times in a grid with days on the horizontal axis and hours on the vertical axis can highlight repeated patterns and deviations from those regular events. Examples of these and other temporal analysis techniques are provided in Chapter 9 and subsequent chapters.
Determining where an object or person was in relation to other objects or people is very useful when investigating crimes involving networked computers. In large computer fraud cases, thousands of people and computers can be involved, making it difficult to keep track of the many relationships between objects. Creating a diagram depicting the associations between the people and computers can clarify what had occurred. Similarly, when dealing with large telephone call records or network traffic logs, creating a diagram of connections can reveal patterns as discussed in Chapter 15.
Take a simple computer intrusion scenario for example. Suppose a computer intruder obtained unauthorized access to a computer behind an organization's firewall and then broke into their accounting system. However, to obtain access to the accounting system, the intruder had to know a password that is only available to a few employees. A simple relational reconstruction of the computers and individuals involved is provided in Figure 5.2. This diagram can also be useful for locating potential sources of digital evidence such as firewall, intrusion detection, and router error logs. Firewall and intrusion detection system logs show that the intruder initially scanned the network for vulnerabilities. Although the firewall and intrusion detection system do not contain any other relevant data, network traffic logs show the intruder targeting one system on the network. Deleted log files recovered from that system confirm that the intruder gained unauthorized access using a method designed to bypass the intrusion detection system. Network traffic logs also show connections between the compromised machine and the accounting server.
Figure 5.2: Diagram depicting intruder gaining access to accounting server.
In a cyberstalking case, a link analysis may reveal how the offender is obtaining information about the victim (e.g. by accessing the victim's computer or through a friend). Investigators might use this knowledge to prevent the offender from obtaining additional information to protect the victim, feed the offender false information in an effort to identify him, or simply monitor the connection to gather evidence.
Be warned that, with enough information, anything can appear to be connected. It is possible that the suspect went to school with the victim's brother-in-law but this may be coincidence. Investigators must decide how much weight to give to any relationships that they find. Creating a relational reconstruction works best for a small number of entities. As the number of entities and links increase, it becomes increasingly harder to identify important connections. To address this issue, some software tools have a facility to assign weights to each connection in a relational reconstruction diagram. Additionally, techniques are being developed to perform relational analyses on large amounts of digital evidence using sophisticated computer algorithms.
When reconstructing a crime, it is often useful to consider what conditions were necessary for certain aspects of the crime to be possible. For instance, it is sometimes useful to perform some functional testing of the original hardware to ensure that the system was capable of performing basic actions, such as a floppy drive's ability to write and to read from a given evidentiary diskette.
It is critical to answer any questions on the stand from the defense regarding the capabilities of the system available to the suspect. The defense attorney could inquire how you know the suspected file or picture on the disk or CD you found could even be read or created on the computer. If you have not verified drive operation, especially for external drives, you could leave a hole in your testimony large enough to create that "reasonable doubt" that could lead to a weakening of the case. (Flusche 2001)
Similarly, it is useful to perform functional testing to determine if the suspect's computer was capable of downloading and displaying the graphics files that are presented as incriminating evidence.
Keep in mind that the purpose of functional reconstruction is to consider all possible explanations for a given set of circumstances, not simply to answer the question as asked. For instance, when asked if a defendant's computer could download a group of incriminating files in one minute as indicated by their date-time stamps, an examiner might determine that the modem was too slow to download the files so quickly. However, the examiner should not be satisfied with this answer and should determine how the files were placed on the computer. Further testing and analysis may reveal that the files were copied from a compact disk, which begs the questions, where did that compact disk come from and where can it be found.
If a firewall was configured to block direct access to a server from the Internet, such as the accounting server in Figure 5.2, it was functionally impossible to connect directly from the Internet and, therefore, investigators must determine how the intruder actually gained access to the server. This realization may lead investigators to other sources of evidence such as the internal system that the intruder initially compromised and used to launch an attack against the accounting server.
It may also be necessary to determine how a program or computer was configured to gain a better understanding of a crime or a piece of digital evidence. For instance, if a password was required to access a certain computer or program, this functional detail should be noted. Knowing that an e-mail client was configured to automatically check for new messages every 15 minutes can help investigators differentiate human acts from automated acts. If a program was purposefully created to destroy evidence, this can be used to prove willfulness on the part of the offender to conceal his activities. This is especially the case when dealing with computer intrusions - the tools used to break into a computer deserve close study.
Even in comparatively non-technical cases, determining how a given computer or application functions can shed light on available digital evidence and can help investigators assess the reliability and meaning of the digital evidence. For instance, if an examination of a computer shows that the system time drifts significantly, losing 2 minutes every hour, this should be taken into account when developing the temporal reconstruction in a case.
If the computer has been reconfigured since the crime or a software configuration file is not available, a direct examination might not be possible. However, it might still be possible to make an educated guess based on associated evidence. For instance, if a log file shows that the e-mail client checked for new messages precisely every 15 minutes for an entire day, an educated guess is that it was automated as opposed to manual.
During an equivocal forensic analysis, potential patterns of behavior may begin to emerge and gaps in the evidence may appear. The hope is that evidence will begin to fit together into a coherent whole, like pieces of a jigsaw puzzle combining to form a more complete picture and holes in this picture will become more evident. Realistically, investigators can never get the entire picture of what occurred at a crime. Forensic analysis and reconstruction only includes evidence that was left at a crime scene and is intrinsically limited.