SUMMARY

Since the invention of the personal computer in 1981, new computer technologies have provided unintended benefits to criminals in the commission of both traditional crimes and computer crimes. Today computers are used in every facet of life to create messages, compute profits, transfer funds, access bank accounts, and browse the Internet for good and bad purposes. Notebook computers provide computer users with the benefits of portability as well as remote access to computer networks. Computer users today have the benefits of super computer speeds and fast Internet communications on a worldwide basis. Computers have increased productivity in business, but they also increase the likelihood of company policy abuses, government security breaches, and criminal activity.

In the past, documentary evidence was primarily limited to paper documents. Copies were made with carbon paper or through the use of a photocopy machine. Most documents today are stored on computer hard disk drives, floppy diskettes, zip disks, and other types of removable computer storage media. This is where potential computer evidence may reside and it is up to the computer forensics specialist to find it using sophisticated computer forensics tools and computer-evidence-processing methodologies. Paper documents are no longer considered the best evidence.

Computer evidence is quite unique when compared with other forms of documentary evidence. Unlike paper documentation, computer evidence is fragile and a copy of a document stored in a computer file is identical to the original. The legal ‘best evidence’ rules change when it comes to the processing of computer evidence. Another unique aspect of computer evidence is the potential for unauthorized copies to be made of important computer files without leaving behind a trace that the copy was made. This situation creates problems concerning the investigation of the theft of trade secrets (client lists, research materials, computer-aided design files, formulas, and proprietary software).

Industrial espionage is alive and well in the cyber age and the computer forensics specialist relies on computer evidence to prove the theft of trade secrets. Sometimes the unauthorized copying of proprietary files can also be documented through the analysis of ambient computer data. The existence of this type of computer evidence is typically not known to the computer user and the element of surprise can provide the computer forensics investigator with the advantage in the interview of suspects in such cases. Because of the unique features associated with computer evidence, special knowledge is required by the computer forensics specialist and the lawyers, who may be relying on the computer evidence to support their position in civil or criminal litigation.

Computer evidence is relied on more and more in criminal and civil litigation actions. It was computer evidence that helped identify the now infamous Blue Dress in the Clinton impeachment hearings. Oliver North got into some of his trouble with the U. S. Congress when erased computer files were recovered as computer evidence. Computer evidence is also used to identify Internet account abuses. In the past, much wasted government and company staff time was attributed to the playing of the Windows Solitaire game on company time. Thanks to the popularity of the Internet, Windows Solitaire has taken a backseat to unauthorized Internet browsing by employees of pornography Web sites. Internet access by employees has also created new problems associated with employees operating side businesses through the unauthorized use of company and government Internet accounts. These types of problems are becoming more frequent as more businesses and government agencies provide employees with Internet accounts. Computer forensics tools and methodologies are used to identify and document computer evidence associated with these types of computer abuses and activities.

Computer evidence is unique in other ways as well. Most individuals think that computer evidence is limited to data stored just in computer files. Most of the relevant computer evidence is found in unusual locations that are usually unknown to the computer users. Computer evidence can exist in many forms. On Microsoft Windows and Windows NT-based computer systems, large quantities of evidence can be found in the Windows swap file. In Windows NT-based computer systems, the files are called Page Files and the file is named PAGEFILE.SYS by the operating system.

Computer evidence can also be found in file slack and in unallocated file space. These unique forms of computer data fall into a category of data called ambient computer data. As much as 50% of the computer hard disk drive may contain such data types in the form of e-mail fragments, word processing fragments, directory tree snapshots, and potentially almost anything that has occurred in past work sessions on the subject computer. Ambient computer data can be a valuable source of computer evidence because of the potentially large volume of data involved and because of the transparent nature of its creation to the computer user.

Timelines of computer usage and file accesses can be valuable sources of computer evidence. The times and dates when files were created, last accessed, and/or modified can make or break a case.

Now let’s look at some of the more common conclusions that computer forensics technology can hope to answer. The following conclusions are not exhaustive, nor is the order significant.

Conclusions Drawn from Types of Computer Forensics Technology

• As previously explained, the term Computer Forensics was coined back in 1991 in the first training session held by the International Association of Computer Specialists (IACIS) in Portland, Oregon. Since then, computer forensics has become a popular topic in computer security circles and in the legal community.

• Like any other forensic science, computer forensics deals with the application of law to a science. In this case, the science involved is computer science and some refer to it as Forensic Computer Science.

• Computer forensics has also been described as the autopsy of a computer hard disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact.

• Computer Forensics deals with the preservation, identification, extraction and documentation of computer evidence. The field is relatively new to the private sector but it has been the mainstay of technology-related investigations and intelligence gathering in law enforcement and military agencies since the mid-1980’s.

• Like any other forensic science, computer forensics involves the use sophisticated technology tools and procedures which must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing.

• Typically, computer forensic tools exist in the form of computer software.

• Computer forensic specialists guarantee accuracy of evidence processing results through the use of time-tested evidence-processing procedures and through the use of multiple software tools developed by separate and independent developers.

• The use of different tools that have been developed independently to validate results is important to avoid inaccuracies introduced by potential software design flaws and software bugs.

• It is a serious mistake for a computer forensics specialist to put all of their eggs in one basket by using just one tool to preserve, identify, extract, and validate the computer evidence.

• Cross-validation through the use of multiple tools and techniques is standard in all forensic sciences. When this procedure is not used, it creates advantages for defense lawyers who may challenge the accuracy of the software tool used and, thus, the integrity of the results.

• Validation through the use of multiple software tools, computer specialists, and procedures, eliminates the potential for the destruction of forensic evidence.

• The introduction of the personal computer in 1981 and the resulting popularity came with a mixed blessing.

• Society in general benefited but so did criminals who use personal computers in the commission of crimes.

• Today, personal computers are used in every facet of society to create and share messages, compute financial results, transfer funds, purchase stocks, make airline reservations, access bank accounts, and a wealth of worldwide information on essentially any topic.

• Computer forensics is used to identify evidence when personal computers are used in the commission of crimes or in the abuse of company policies.

• Computer forensic tools and procedures are also used to identify computer security weaknesses and the leakage of sensitive computer data.

• In the past, documentary evidence was typically stored on paper and copies were made with carbon paper or photocopy machines.

• Most documents are now stored on computer hard disk drives, floppy diskettes, zip disks, and other forms of removable computer storage media.

• Computer forensics deals with finding, extracting, and documenting this form of ‘electronic’ documentary evidence.

An Agenda for Action in Types of Computer Forensics Technology

The following is a provisional list of actions for some of the principle types of computer forensic technology. The order is not significant; however these are the activities for which the research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these technologies have been mentioned in passing already:

1. Documentary evidence has quickly moved from the printed or typewritten page to computer data stored on floppy diskettes, zip disks, CDs, and computer hard disk drives.

2. A new type of virtual evidence has been created as a result of e-commerce transactions and e-mail communications over the Internet.

3. The sharing of computer files over the Internet, when tied to the commission of a crime, creates a new and novel twist to the rules of evidence and legal jurisdiction.

4. Keep in mind that when criminal activities involve the use of the Internet, venue can be in different cities, counties, states, and/or countries. The evidence needed to prove such computer-related crimes potentially resides on one or more computer hard disk drives in various geographic locations.

5. The computer hard disk drives may also be the property of criminals as well as innocent third parties (Internet Service Providers). Such evidence is commonly referred to as computer evidence, but it is not limited to cases involving computer crimes.

6. Computer crimes are specifically defined by federal and/or state statutes. However, many computer investigations rely on computer evidence that is not connected to a computer crime (traditional crimes that are committed using one or more computers as tools in the commission of a crime).

7. Computer evidence can reside on computer storage media as bytes of data in the form of computer files and ambient data.

8. Ambient data is usually beyond the awareness of most computer users and such data can potentially provide the computer forensics investigator with the element of surprise when computer users are interviewed. For example, a computer user who believes that he or she destroyed the computer evidence may confess when confronted with part or all of the evidence extracted from ambient data sources.

9. Computer investigations rely on evidence stored as data and the timeline of dates and times that files were created, modified, and/or last accessed by the computer user.

10. Timelines of activity can be especially helpful when multiple computers and individuals are involved in the commission of a crime.

11. The computer forensics investigator should always consider timelines of computer usage in all computer-related investigations. The same is true in computer security reviews concerning potential access to sensitive and/or trade secret information stored in the form of computer files.

12. Computer investigations play an important role in cases involving the theft of company trade secrets.

13. More and more, intellectual property lawyers rely on computer evidence and computer investigations in such cases. The same is true concerning criminal litigation involving stock frauds, financial frauds, and embezzlements. Much of the evidence related to these types of crimes will be in computer data form.

14. In the past, documentary evidence used to prove these crimes was exclusively in paper form. However, many computer-related communications and transactions are now conducted without paper documents ever being created.

15. Financial fraud investigators have been forced to change the way they do business.

16. Computer-related investigations can involve the review of Internet log files to determine Internet account abuses in businesses or government agencies.

17. Computer investigations can also involve the analysis of the Windows swap file.

18. Using computer forensics procedures, processes, and tools, the computer forensics specialist can identify passwords, network log-ons, Internet activity, and fragments of e-mail messages that were dumped from computer memory during past Windows work sessions. When such leads are identified, they can be perfected through the use of computer forensics text search programs.

19. Other computer forensics software tools are used to document the computer evidence once it has been preserved, identified, and extracted.