Text, numerals, sound, or images (both moving and still) that are either stored or transmitted in binary form and have potential use as evidence to prove a circumstance or event in a court of law. Binary refers to the electronic code, made up of ones and zeroes, in which all digital information is represented. Each unit of information (a bit) is assigned one of two states, 1 or 0 (that is, on or off). These two digits, used in groups of eight (bytes) in varying sequences, encode, for example, the letters of the alphabet. See also: Criminalistics
At a crime scene, investigators look for clues and motives among many items, including papers and documents such as daily appointment calendars, address books, letters, business records, checkbooks, and notes. Today, investigators are likely to find this information recorded on electronic media. Just like paper records, digital information found on computers, personal organizers, answering machines, and cellular phones represents potentially latent (hidden) evidence that is important in investigations. For example, latent fingerprints are made visible after chemically treating surfaces. Likewise, latent evidence on computers and other digital devices is identified using computer hardware and software. Digital evidence on a cell phone may include an address book with names and telephone numbers, as well as a log of calls received, missed, made, and the times of these calls. On a personal computer, the log of Internet sites visited and e-mail sent and received might be important evidence in an investigation. See also: Data communications; Digital computer; Electronic mail; Internet; Software
Computer forensics has come to mean the identification, preservation, extraction, documentation, and interpretation of digital evidence on computers or other electronic media for evidentiary purposes.
Forensic scientists are trained to consider evidence from both a scientific and legal perspective. When a scene is processed for evidence, several legal principles must be followed. For instance, the potential evidence must be identified, collected, transported, examined, and stored in a manner that does not change it. At the time the evidence is collected, it must be marked to identify who collected it, the date and time of collection, and where it was collected to preserve the chain of custody for acceptance in a court of law.
The law requires that the “best evidence” be used for legal purposes. In the case of a paper document, the original is preferred, although a copy can be used if the original is not available. Digital evidence differs from paper in that an exact, bit-for-bit copy can be made from the original, and the accuracy of that copy can be verified mathematically (see the discussion of hashing below). At a crime scene, the data on hard drives, disks, or other electronic media are therefore copied, and the copy rather than the original is examined, so that the original is never altered. The Scientific Working Group on Digital Evidence (SWGDE) has drafted the following definitions to describe the various attributes of digital evidence. See also: Computer storage technology
Acquisition of digital evidence: the process that begins when information or physical items are collected or stored for examination purposes. Applying the term “evidence” to these items implies that the manner in which they were collected is recognized by the courts; that is, the collection process was appropriate according to the rules of evidence in a given locality. A data object or physical item becomes evidence only when so deemed by a law enforcement official or designee.
Data objects: objects or information associated with physical items. Data objects may occur in different formats without altering the original information. Data objects include logical files, slack space (the unused portion of the last cluster allocated to a file, which may still hold remnants of whatever was stored there earlier), or perhaps a physical sector located on the physical item.
Physical item: an item on which data objects or information are stored or through which data objects are transferred.
Original digital evidence: physical items and the data objects associated with such items at the time of acquisition or seizure.
Duplicate digital evidence: an accurate digital reproduction of all data objects contained on an original physical item.
The original hard drive, sealed and stored in the evidence room, remains the best evidence. The bit-for-bit copy of the suspect's drive taken at the crime scene, once its hash has been verified against the original, is stored alongside it as “the copy.” Duplicates are made from this copy for forensic scientists and law enforcement to work from, with all work done on a dedicated forensic computer that is not connected to the Internet or any other network and is used in a controlled environment. The task for the forensic examiner is to locate documents or phrases that will assist the criminal investigator. For example, if a bomb was sent through the mail using a computer-printed address label, the copy of the suspect's hard drive would be examined for evidence of the address. In this case, the forensic examiner would do a keyword search for the words in the address, across the whole drive rather than only the files the operating system still lists. Forensic tools are software specifically designed for forensic examinations, such as imaging (copying the hard drive) and restoring deleted files. Comprehensive suites of software tools are used for most forensic examinations.
Digital evidence may be obvious to an investigator or hidden. For example, obvious evidence might be a letter stored as a document on a hard drive, while less obvious evidence might be a word or fragment of a word that was deleted from a document but still exists in unallocated or slack space on the hard drive, because deleting a file normally removes only the directory entry that points to its data, not the data itself. Special software tools, some public and others restricted, assist forensic examiners in finding this evidence. There are also forensic tools for determining when data have been deliberately hidden.
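The keyword search described above, and the recovery of deleted fragments from unallocated and slack space, as an added example (not code from the original article or from any forensic tool). It builds a small, constructed 8-sector image in which one label file was deleted and another document was partly overwritten, then searches every byte of the image, in both the 8-bit and the UTF-16LE encoding of the keyword, ignoring what the file system says is still a file. The sector size, the image layout and the allocation map are assumptions made for the example.

```python
import re

SECTOR = 512  # bytes per sector; assumed for the example


def build_sample_image():
    """Constructed 8-sector 'disk image' (sample data, not real evidence).

    Returns (image, allocation): allocation maps each allocated sector to the
    number of bytes the live file actually uses in it; the rest of that
    sector is slack, and sectors absent from the map are unallocated.
    """
    image = bytearray(SECTOR * 8)

    # 1. A shipping label is written to sector 3 and then "deleted": only the
    #    directory entry disappears, the sector itself is never wiped.
    label = b"Ship to: Acme Widgets, 221B Baker Street, London\n"
    image[3 * SECTOR:3 * SECTOR + len(label)] = label

    # 2. A document stored as UTF-16LE (the encoding many Windows editors use)
    #    fills most of sector 5 ...
    old_doc = ("Draft invoice. " * 10
               + "Deliver to Baker Street by Friday.").encode("utf-16-le")
    image[5 * SECTOR:5 * SECTOR + len(old_doc)] = old_doc
    #    ... and is later replaced by a shorter file that reuses the sector.
    #    The tail of the old document survives in the new file's slack space.
    new_doc = b"Expense report: lunch, parking, fuel.\n" * 5
    image[5 * SECTOR:5 * SECTOR + len(new_doc)] = new_doc

    allocation = {5: len(new_doc)}  # sector 3 unallocated, sector 5 live
    return bytes(image), allocation


def classify(offset, allocation):
    """Name the region an offset falls in: allocated, slack, or unallocated."""
    sector, within = divmod(offset, SECTOR)
    used = allocation.get(sector)
    if used is None:
        return "unallocated"
    return "allocated" if within < used else "slack"


def keyword_search(image, keyword, allocation, context=24):
    """Case-insensitive search of the whole image for the keyword in both its
    8-bit and its UTF-16LE form, regardless of file system metadata."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        pattern = re.compile(re.escape(keyword.encode(encoding)), re.IGNORECASE)
        for match in pattern.finditer(image):
            start, end = match.start(), match.end()
            sector = start // SECTOR
            snippet = image[max(0, start - context):end + context]
            hits.append({
                "offset": start,
                "sector": sector,
                "region": classify(start, allocation),
                "encoding": encoding,
                "context": snippet.decode(encoding, errors="replace").strip("\x00"),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    image, allocation = build_sample_image()
    for hit in keyword_search(image, "baker street", allocation):
        print(f"offset {hit['offset']:6d} sector {hit['sector']} "
              f"{hit['region']:11s} {hit['encoding']:9s} {hit['context']!r}")
```

On a real image the allocation map comes from the file system parser rather than being hand-built, and the search would also cover compressed and otherwise encoded forms of the keyword, which is one reason examiners work with a tool suite rather than a single text search. Both hits here are invisible to a search that only opens the files the directory still lists.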
Encryption is one way of actively hiding data. In encryption, data are encoded using an algorithm (mathematical procedure) and a “secret key,” obscuring them from anyone who does not have the key to unscramble them. Once data have been encrypted, they can be read only with the proper key, or else the encryption must be “cracked.” In single-key (symmetric) encryption the same key locks and unlocks the data, much as one key locks and unlocks a house. In double-key (public-key, or asymmetric) encryption there is a pair of keys: any number of people may hold the public key and use it to encrypt, but only the one holder of the matching private key can decrypt. Cracking ranges from a very easy process to one that is computationally infeasible, depending on the strength of the algorithm and the length of the key; in practice the weak point is more often a guessable password protecting the key than the algorithm itself. See also: Algorithm; Cryptography
Hiding data inside text, image, or audio files is called steganography. For example, a text file can be hidden in a digital picture by replacing the least significant bit of each pixel value with one bit of the text, a change too small for the eye to notice. There are statistical analysis techniques to find such data, because embedding disturbs the natural distribution of pixel values in measurable ways, but they take time and effort. Commercial tools are available to detect these types of files.
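An added example of the kind of statistical test mentioned above (not from the original article or from any commercial product): least-significant-bit embedding of a text message into a constructed 8-bit grayscale cover, followed by the pairs-of-values chi-square test that exposes it. The cover data, the 16-bit length header and the 15% bias of the cover's low bits are assumptions of the example, standing in for the uneven pixel statistics of a real photograph.

```python
import random

HEADER_BITS = 16  # payload length prefix, in bits (assumed format)


def make_cover(n=4096, seed=7):
    """Constructed cover 'pixels': an 8-bit grayscale region with values in
    100..131 where odd values are rarer than even ones, so about 15% of the
    least significant bits are 1. Synthetic data, not a real image."""
    rng = random.Random(seed)
    return [100 + 2 * rng.randrange(16) + (1 if rng.random() < 0.15 else 0)
            for _ in range(n)]


def bits_of(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, payload: bytes):
    """Sequential LSB embedding: a 16-bit length header, then the payload."""
    if len(payload) >= 1 << HEADER_BITS or HEADER_BITS + 8 * len(payload) > len(pixels):
        raise ValueError("payload too large for cover")
    header = len(payload).to_bytes(HEADER_BITS // 8, "big")
    out = list(pixels)
    for i, bit in enumerate(bits_of(header + payload)):
        out[i] = (out[i] & ~1) | bit  # overwrite only the low bit
    return out


def extract(pixels):
    """Read the header, then that many bytes, from the low bits."""
    lsbs = [p & 1 for p in pixels]
    length = int("".join(map(str, lsbs[:HEADER_BITS])), 2)
    body = lsbs[HEADER_BITS:HEADER_BITS + 8 * length]
    return bytes(int("".join(map(str, body[i:i + 8])), 2)
                 for i in range(0, len(body), 8))


def lsb_ones_ratio(pixels, n):
    """Fraction of 1s among the low bits of the first n pixels; a natural
    cover is usually far from 0.5, an embedded message pulls it toward 0.5."""
    return sum(p & 1 for p in pixels[:n]) / n


def pov_chi_square(pixels, n):
    """Chi-square statistic on pairs of values (2k, 2k+1) over the first n
    pixels. LSB embedding of roughly balanced bits drives the two counts of
    each pair toward equality, so a low statistic suggests embedding."""
    counts = {}
    for p in pixels[:n]:
        pair = counts.setdefault(p >> 1, [0, 0])
        pair[p & 1] += 1
    return sum((a - b) ** 2 / (a + b) for a, b in counts.values() if a + b)


if __name__ == "__main__":
    cover = make_cover()
    message = b"Ship to: 221B Baker Street, London"
    stego = embed(cover, message)
    n = HEADER_BITS + 8 * len(message)
    print("recovered:", extract(stego))
    print("ones ratio  cover %.2f  stego %.2f" % (lsb_ones_ratio(cover, n), lsb_ones_ratio(stego, n)))
    print("chi-square  cover %.1f  stego %.1f" % (pov_chi_square(cover, n), pov_chi_square(stego, n)))
```

The statistics are computed over the region where the payload sits; in practice the examiner does not know that length and slides the window across the file, looking for a stretch where the chi-square statistic collapses while the rest of the image stays unbalanced. Payloads that are encrypted before embedding are closer to perfectly balanced bits than this ASCII message and are detected the same way.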
A mathematical method known as hashing is used to verify the authenticity of data copied from a hard drive, disk, or file. A hash is a small, fixed-size mathematical summary of a data file or message, computed with a cryptographic hash function such as SHA-256 (older examinations used MD5 or SHA-1). Changing even a single bit in a file changes the value of its hash. If there has been any change in the file during transmission or from tampering, the hash value will change. A hash of the hard drive is computed before it is copied and recorded in the acquisition notes; the hash of the copy is then computed, and the two values must be exactly the same number.
To ensure chain of custody, forensic scientists must sign their name to evidence. In the case of digital evidence, an authentic digital signature or a regular physical signature is required. Creating a digital signature is a simple process for verifying the integrity and originator of a message: the signer calculates the hash value of the message (the message “digest”) and then encrypts the digest with his or her own private key. The encrypted digest is the digital signature. Appending it to the original message qualifies the object as being digitally signed; anyone holding the signer's public key can decrypt the signature, recompute the hash of the message, and confirm that the two match.
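The hash verification of the preceding paragraph and the sign-the-digest construction of this one, as an added example (not from the original article). Hashing uses SHA-256 from the Python standard library. The signature is textbook RSA over two fixed Mersenne primes, an assumption made so that the block runs offline without key generation: because those primes are public the key is not secret, and the block omits the padding a real signature scheme requires, so it illustrates the construction only. The sample image is constructed.

```python
import hashlib

# Toy RSA key from two Mersenne primes (2^127-1 and 2^521-1). Public primes
# mean NO secrecy; this exists only to show "encrypt the digest with the
# private key, decrypt it with the public key". Real signatures use randomly
# generated primes, a padding scheme such as RSASSA-PSS, and a vetted library
# or hardware token, never textbook RSA.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def image_hash(data: bytes) -> str:
    """SHA-256 of an acquired image, as the hex string written in the
    acquisition notes; run on the original before imaging and on the copy
    afterwards."""
    return hashlib.sha256(data).hexdigest()


def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """A duplicate is acceptable only if its hash equals the original's."""
    return image_hash(original) == image_hash(duplicate)


def sign(data: bytes) -> int:
    """Digital signature as the text describes it: hash the data, then
    'encrypt' the digest with the private key (RSA signing is modular
    exponentiation by the private exponent D)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, D, N)


def verify(data: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare it with a fresh
    hash of the data; fails if either the data or the signature changed."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, E, N) == digest


# Constructed stand-in for a small disk image (4 KiB of a repeating pattern).
SAMPLE_IMAGE = bytes(range(256)) * 16

if __name__ == "__main__":
    copy = bytes(SAMPLE_IMAGE)
    print("acquisition hash:", image_hash(SAMPLE_IMAGE))
    print("copy verified:   ", verify_duplicate(SAMPLE_IMAGE, copy))
    signature = sign(SAMPLE_IMAGE)
    print("signature valid: ", verify(SAMPLE_IMAGE, signature))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # flip one bit in the copy
    print("after 1-bit change, copy verified:", verify_duplicate(SAMPLE_IMAGE, bytes(tampered)))
    print("after 1-bit change, signature valid:", verify(bytes(tampered), signature))
```

The hash alone proves that the copy matches the original; the signature additionally ties that hash to a particular examiner, which is what the chain of custody needs. Note that the signature is over the hash of the data, so signing a multi-gigabyte image costs one hash pass plus one small exponentiation.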
As technology changes, the nature and handling of digital evidence will remain a challenge for forensic scientists. The wireless Web will allow for “virtual evidence rooms” where evidence is stored and secured through encryption. The chain of custody will be maintained through digital signatures, and the evidence will be checked out of the virtual evidence room with a time stamp from a digital clock synchronized with the atomic clock run by the National Institute of Standards and Technology (NIST).