Obtaining digital evidence that will stand up in court requires basic rules to be meticulously observed
Television programmes such as CSI and Spooks have changed forensic science from a relatively obscure subject, of interest only to the police and scientists, to a topic for discussion by anyone and everyone. As most homes now have at least one computer and one mobile phone, people are interested in the recovery of information that has been deleted from these devices. But does the television portrayal of quick fixes and flashy results accurately show what happens in real life? Well no, no more than the inspirational solutions of Hercule Poirot or any of the many other fictional detectives we see on our television screens.
There are no free lunches in forensics. Modern forensics relies on methodical investigation and stringent procedures to ensure that accurate, repeatable results are achieved every time. This is especially true of computer forensics where, from the moment a computer is seized until the report is submitted, accurate documentation and objectivity are essential to ensure the integrity of the results. The job of a computer forensic expert is to find out whether the accused person did, or just as importantly did not, commit a criminal act.
With computers becoming ubiquitous in modern homes and businesses, criminals have wasted no time in embracing them along with mobile phones and PDAs for their nefarious activities. Crimes including fraud, theft, indecent images or threatening emails can all be perpetrated electronically, and all will leave electronic fingerprints.
Whether it is law enforcement or a corporate investigation, the first stages of seizing digital evidence correctly are vital. If at this early stage the data are altered or corrupted in any way, the integrity of further evidence is compromised. It is important before a police search that the warrant is correct. On their website Kent Police state that if a search includes digital devices, the warrant should contain the phrase “computer based electronic devices, peripherals, magnetic or optical media”. Corporate seizures should always follow company policy or seek expert advice on how to proceed with an investigation.
Don’t even look
Electronic evidence is subject to the same laws that apply to documentary evidence, namely that it is the responsibility of the prosecution to demonstrate to a court that the evidence produced has not changed since it was first taken into the possession of the police. ACPO have documented four main principles that, if adhered to, will ensure the integrity of the evidence (see panel).
It is vital, whether in law enforcement or a corporate investigation, to avoid the temptation to “just have a quick look”. If the computer to be seized is turned on, the officer in charge has to take care not to destroy vital evidence. Photographs of the screen should be taken along with notes of active programs. This will show what the user was doing when they were last at the device. The device should then be unplugged rather than shut down. The shutdown process alters files and it is not unknown for suspects to have software that will erase their activities on shutdown. Whatever decision is taken at this stage, principle 3 should be carefully adhered to. Document every move!
It is particularly tempting when mobile phones are seized to have a look at the information stored on the handset. Most people today feel confident enough to turn on a mobile phone and browse through the handset. However, as long as the handset is connected to a network it is able to receive texts and calls. Mobile phones only have limited capacity to store texts or calls, and once capacity is reached they simply overwrite the old lists with new information. Criminals have become wise to this and often bombard their mobile number with calls and texts in the hope that the phone has been left on or turned on, causing incriminating evidence to be overwritten.
Let the fun begin
The item is bagged, sealed and tagged at the scene. This is the start of the digital device’s life as an exhibit, where its every move will be documented. The exhibit label will have details about where the item was seized and by whom. From this, documentation will show who removed it and why it was removed. The chain of evidence is vital to ensure the integrity of the evidence. If holes are present in the chain of evidence, the integrity of the evidence will inevitably be compromised.
The analysis stage is where the fun begins. Remember that documentation is everything. The object of the exercise is to extract the evidence in a way that is repeatable by another examiner, while maintaining the integrity of the original exhibit.
Make a hash of it
So, there it is… the suspect device bagged and tagged in front of you. It is important to photograph the exhibit to demonstrate that the evidence bag and seals are intact at the time of examination. Let’s look at what happens if the exhibit is a computer. Once the exhibit is taken out of the evidence bag, a visual inspection of it should be done to establish the computer’s capabilities – e.g. can it connect to the internet? – and to ensure that there are no hidden disks/flash drives or passwords inside the device.
The hard drive is removed, photographed and imaged. The imaging process creates an exact copy of the suspect hard drive along with a hash of the image. A hash is essentially the drive’s digital fingerprint and is created by passing the entire contents of the image through a cryptographic hash function. If a single file is changed thereafter, the hash will be computed differently and will not match the original, demonstrating that something has changed. It is essential to create the hash before any analysis takes place, so that it can later be demonstrated that the integrity of the evidence has been maintained.
Individual files should also have hashes created, demonstrating once again that principle 1 is being adhered to. When this is backed up with documentation, a strong case can be presented. Once the image has been successfully created, the original exhibit can be returned to safe storage.
The image of the hard drive is then at the mercy of the examiner’s skill. Using powerful software tools he can examine it and extract any existing evidence. You’ve guessed it – document again! This time to satisfy principle 3. Once on the trail of the user it is certainly true that evidence leads to further evidence. The examiner builds up a picture of the user’s digital movements and motives, and that picture guides the search for further corroborative evidence.
Sift through the trash
Many people believe that once a file is deleted it has gone from the computer. However, all that has been removed is the entry that tells the file system where the file sits on the disk. The file’s contents, on the other hand, are still where they were until they are overwritten. Recovering these deleted files is often very useful to a case. Each file type, for example images or Word documents, has specific signatures at the beginning and end of the file. By searching for these signatures it is possible to retrieve the deleted file and, depending on the file system, its created and modified times as well, all very useful to the court.
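The two steps described above, hashing the image before and after examination and carving deleted files out of it by their header and footer signatures, can be illustrated together. The following is an added example, not code from the article or from Integrity Forensic Services; the disk image, the embedded files and the function names are all constructed for the illustration.

```python
import hashlib

# Constructed sample "disk image": filler bytes with a JPEG and a PNG embedded
# and no directory entries pointing at them, as with deleted files. Not case data.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xae\x42\x60\x82"
IMAGE = b"\x00" * 64 + JPEG + b"\x00" * 32 + PNG + b"\x00" * 16

# Header and footer signatures for the two file types carved here.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

def sha256(data: bytes) -> str:
    """Digital fingerprint of a byte string (the hash recorded in the case notes)."""
    return hashlib.sha256(data).hexdigest()

def carve(image: bytes):
    """Recover files by header/footer signature: list of (type, offset, bytes)."""
    found = []
    for ftype, (head, tail) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(head, start)
            if h == -1:
                break
            t = image.find(tail, h + len(head))
            if t == -1:
                break  # header with no footer: truncated or overwritten, not carved
            end = t + len(tail)
            found.append((ftype, h, image[h:end]))
            start = end
    return sorted(found, key=lambda f: f[1])

def examine(image: bytes):
    """Hash the image first, carve, hash each recovered file, then re-verify the image."""
    image_hash = sha256(image)
    files = [(ftype, off, len(data), sha256(data)) for ftype, off, data in carve(image)]
    # Re-hashing after analysis shows the image itself was not altered (principle 1).
    if sha256(image) != image_hash:
        raise RuntimeError("image changed during examination")
    return image_hash, files
```

Any single-byte change to the image after acquisition produces a different hash, which is what the comparison against the recorded value exposes.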
Internet usage can also provide valuable information. Websites visited by the user are saved in the user’s browser history. These sites along with their search activities make it possible to build up a picture of the user. For example, are they looking for encrypting software or disk-erasing software? Are they searching for indecent images of children or abusive sex sites? Or are they simply looking for a holiday in the Mediterranean? This area of investigation can certainly provide the examiner with answers to their hypotheses.
During the investigation the investigator can be faced with other variables. For example, what do you do if you’re investigating a financial fraud case and happen upon some indecent images of children? The correct procedure is to suspend the examination and contact the officer in charge (OIC) of the case. The OIC can then advise on how he/she wants to proceed in regard to presenting new charges to the suspect.
You certainly should be flexible during the investigation and expect the unexpected. The aim is to get evidence that can stand up in a court of law or tribunal. If the ACPO guidelines are adhered to in either case, you are well on the way to achieving this goal. Although the technologies are changing at a rapid pace, the fundamentals of seizure, chain of custody and documentation will always remain. It’s the only way of ensuring that the evidence has a chance of standing up in court.
Martin Bennett, MSc, BSc, MBCS, Integrity Forensic Services Ltd, Glasgow, t: 0845 867 2945, f: 0845 867 2972, www.integrityforensics.co.uk
THE FOUR ACPO PRINCIPLES
The Association of Chief Police Officers (ACPO) has formulated these principles to ensure the integrity of seized electronic evidence:
(1) No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
(2) In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
(3) An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
(4) The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.