Computer forensics: characteristics and preservation of digital evidence
In San Diego County, California, forensic experts examined a laptop computer for evidence of notes used in the robbery of several local banks; a university professor later pleaded guilty to bank robbery charges and received 9 years in prison, even though the laptop contained no saved notes. (1) In another case, a Navy enlisted man faced a dishonorable discharge and time in the brig for possession of child pornography after the discovery of floppy disks in a backpack he inadvertently left on a dock at muster. These cases, and many more handled by computer forensic examiners every day, have convicted scores of criminals who committed their crimes with, or stored information pertaining to them on, computers and other digital devices. (2) Such criminal acts now transcend traditional business crimes.
Criminals commit few crimes today without involving a computing device of some type. This puts a strain on computer forensic examiners who have the training, skills, and abilities to properly handle digital evidence. Law enforcement agencies take different avenues of addressing this increasing load of computer evidence that requires examination to close cases. Many train a few of their law enforcement officers. Some train professional support technicians. Increasingly, agencies send their work to local or regional computer forensic laboratories. Regardless, an understanding of the proper evidentiary foundations for admission of computer-related evidence proves necessary for the courts to have confidence in the material ultimately presented.
Uniqueness of Computer Digital Evidence
In 1948, well-known mathematician Dr. Claude Shannon outlined mathematical formulas that reduced communication processes to binary code and calculated ways to send them through communications lines. (3) Since then, computers and other digital computing devices have used encoding methods based on the binary numbering system.
Computers allow criminals to remain relatively anonymous and to invade the privacy and confidentiality of individuals and companies in ways not possible prior to the advent of the computer age. "Evidence of these crimes is neither physical nor human, but, if it exists, is little more than electronic impulses and programming codes." (4) This evidence can take the form of data digitally stored as text files, graphics files, sounds, motion pictures, databases, temporary files, erased files, and ambient computer data dumped on the storage device by the operating system or application program. If someone opened a digital storage device, they would see no letters, numbers, or pictures on it. Therefore, "understanding how a computer stores data is basic to understanding how sensitive that data is to inadvertent contamination and how important a chain of custody becomes when testifying to the 'originality' of the evidence." (5)
Storage of Data
"Digital electronics involves circuits and systems in which there are only two possible states. The states are represented by two different voltage levels: a high or a low level. The two-state number system (base 2) is called binary, and its two digits are 0 and 1. A binary digit is called a bit." (6) Because reading strings of zeros and ones severely limits the number of people capable of reading a digital device, and to accommodate letters, punctuation, and special characters, another numbering system came into use: hexadecimal, or base 16. (7) Hexadecimal numbers express the binary values stored on a device. At a minimum, a truly readable alphanumeric code must represent 10 decimal digits and 26 letters, or 36 items. However, the inclusion of punctuation, symbols, and computer control codes requires a seven-bit code (2 x 2 x 2 x 2 x 2 x 2 x 2) yielding 128 combinations, or 2^7 = 128. The complete expression of binary information encompasses eight bits, with one sign bit and seven magnitude bits, (8) giving 256 possible combinations. This eight-bit binary number represents one byte. Of the alphanumeric codes, the American Standard Code for Information Interchange (ASCII) serves as the most widely used.
Although more complicated, hexadecimal numbering provides a way to input data into the computer that makes sense to the average person. After entry, the computer writes data to, and reads data from, digital media by a "read-write" head controlled by the microprocessor. For example, a computer may store data as minute magnetized regions along a track of a floppy disk. Other storage devices store data in a different fashion, but all read the binary data as a zero or a one.
Computer evidence has both a physical component (the storage media) and a nonphysical component (electronic impulses and magnetic orientation). By its nature, digital evidence proves susceptible to alteration, either inadvertently or purposely. "It is a product of the data stored, the application used to create and store it, and the computer system that directs these activities." (9)
Preservation of Computer Forensic Evidence
Computer forensic science encompasses four key elements: identification, preservation, analysis, and presentation. (10) Manual handling, processing, and authenticity issues serve as the basis of the preservation aspect. Safeguards and methodologies used by computer forensic examiners must ensure the preservation of digital evidence to withstand judicial scrutiny should the matter go to trial. (11) In this regard, computer forensic examiners seek to use copies of images of original digital media for their investigations. This premise finds its basis in protecting original digital evidence from accidental damage or unintentional alteration, leaving it in the best possible state for authentication purposes. (12)
When duplicating evidence, the original needs forensically sound handling from its initial seizure until its final disposition. This requires a chain of custody to assure proper handling by qualified individuals. Also, the duplication must produce an accurate reproduction of the original. Failure to authenticate the duplicate image or copy may invalidate any results produced. The duplication process requires the examiner to protect the original from accidental alteration and to use methods and applications that assure the duplicate image will produce output that would match output from the original. Agency standard operating procedures and policy manuals delineate methods of handling and duplicating. Failure to adhere to agency policies and procedures will cause the courts to question the accuracy and reliability of the data, the examination process, and the examiner's "intellectual rigor."
For the admissibility of the evidence, courts require proof of its authenticity. Two recent U.S. Supreme Court cases, Daubert v. Merrell Dow Pharmaceuticals, Inc. (1993) and Kumho Tire Co. v. Carmichael (1997), have brought the standards of forensic science and expert testimony concerning admissibility of evidence into focus. The major factor that underlies the authenticity of duplicate evidence is data set validation.
The process of validating digital data sets proves straightforward. Forensic examiners use an algorithm (13) to create a hexadecimal numeric value representing the data set. For example, in an MD5 (14) one-way hash (15) sum, a 16-character hexadecimal value is produced by the algorithm where there are 2^128 possible values. This equates to approximately 340 billion billion billion billion probable unique numbers. Theoretically, two different data sets could produce identical values, but, practically, they cannot. By comparison, in cases where DNA results have identified a subject, probability tables exclude or include an individual using probabilities of one to several billion and stand accepted by courts as unique to an individual, or to a very small population of individuals. The likelihood of two identical values arising from an MD5 algorithm proves infinitely smaller. With known and tested computer forensic tools and hash algorithms, there exists a means to duplicate and authenticate digital evidence. The duplicate's authenticity can be equated to the original.
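The duplication and validation steps described in the two passages above, worked as an added example (not code from the original article): a constructed byte string stands in for an acquired image, digests are recorded at acquisition, a byte-for-byte copy is verified against them, and a single flipped bit in the copy is shown to break verification. The example also records SHA-256 alongside MD5, a practice later examiners adopted once MD5 collisions were demonstrated; the file names and the sample image are assumptions.

```python
import hashlib
import io
import os
import tempfile

# Constructed stand-in for the contents of a seized storage device (not a real image).
SAMPLE_IMAGE = bytes(range(256)) * 64 + b"unallocated slack\x00" * 8


def hash_stream(fileobj, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file-like object in chunks so multi-gigabyte images never sit in RAM.
    Returns {algorithm: hexdigest}; an MD5 digest is 128 bits, printed as 32 hex characters."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_duplicate(original_path, duplicate_path):
    """Authenticate a duplicate: every digest of the copy must equal the digest of the
    original. Returns (match, original_digests, duplicate_digests) for the case notes."""
    orig, dup = hash_file(original_path), hash_file(duplicate_path)
    return all(orig[a] == dup[a] for a in orig), orig, dup


def demo_verify():
    """Write the sample image, make a byte-for-byte copy and verify it, then flip one
    bit in the copy and verify again. Returns (match_before, match_after)."""
    with tempfile.TemporaryDirectory() as d:
        orig_path, copy_path = os.path.join(d, "orig.dd"), os.path.join(d, "copy.dd")
        with open(orig_path, "wb") as f:
            f.write(SAMPLE_IMAGE)
        with open(copy_path, "wb") as f:
            f.write(SAMPLE_IMAGE)
        match_before, _, _ = verify_duplicate(orig_path, copy_path)
        # Simulate inadvertent contamination: a single flipped bit in the copy.
        tampered = bytearray(SAMPLE_IMAGE)
        tampered[100] ^= 0x01
        with open(copy_path, "wb") as f:
            f.write(tampered)
        match_after, _, _ = verify_duplicate(orig_path, copy_path)
        return match_before, match_after


if __name__ == "__main__":
    print("copy verified, then tampered copy verified:", demo_verify())
```

Any one-bit change anywhere in the image produces an entirely different digest, which is why the digests recorded at acquisition, kept with the chain-of-custody record, let a later examiner show the copy still matches the original.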
Federal Rules of Evidence--Original Evidence
The Federal Rules of Evidence (16) (FRE) cover duplicate digital evidence and its authentication. For admissibility in court, the evidence should possess a chain of custody to show that no inadvertent or purposeful contamination occurred. Preserving evidence to ensure its integrity proves important to the courts' consideration of its originality.