Provide a 275-word discussion to Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet.

Cite the reference provided as per APA guidelines.

Check for errors

Provide a 275-word discussion to Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 2e.

Provided below.

THE INVESTIGATIVE PROCESS

Eoghan Casey and Gary Palmer

…the law and the scientific knowledge to which it refers often serve different purposes. Concerned with ordering men’s conduct in accordance with certain standards, values, and societal goals, the legal system is a prescriptive and normative one dealing with the “ought to be”. Much scientific knowledge, on the other hand, is purely descriptive; its “laws” seek not to control or judge the phenomenon of the real world, but to describe and explain them in neutral terms.

(Korn 1966)

The goal of any investigation is to uncover and present the truth. Although this chapter will deal primarily with truth in the form of digital evidence, this goal is the same for all forms of investigation whether it be in pursuit of a murderer in the physical world or trying to track a computer intruder online. As noted in the Introduction, when evidence is presented as truth of an allegation it can impact on whether people are deprived of their liberties, and potentially whether they live or die. This is reason enough to use trusted methodology and technology to ensure that the processing, analysis, and reporting of evidence are reliable and objective. This chapter describes such a methodology, based on the scientific method, to help investigators uncover truths to serve justice. This methodology is designed to assist in the development of case management tools, Standard Operating Procedures (SOPs), and final investigative reports. This methodology has grown out of experiences and discussions in the field, and is believed to be complete and sufficient in scope. However, every investigation is unique and can bring unforeseeable challenges, so this methodology should not be viewed as an end-point but rather as a framework or foundation upon which to build.

The investigative process is part of a larger methodology most often associated with courts of law shown in Figure 4.1. The process of determining if wrongdoing has occurred and if punitive measures are warranted is complex and goes beyond investigative steps normally referred to as “forensic.”

CHAPTER 4

Digital Evidence and Computer Crime, Second Edition. Copyright © 2004 Elsevier Ltd. ISBN: 0-12-163104-4. All rights of reproduction in any form reserved. Licensed to University of Phoenix.

By forensic we mean a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).

The simplified methodology depicted in Figure 4.1 is provided to help investigators see the placement of their activities relative to other necessary events. The investigative process begins with an accusation and progresses through evidence handling to a clear and precise explanation of facts and techniques in expert testimony. This linear representation is useful for structuring procedures and a final report that describes each step of an investigation to decision makers. In practice, investigations can be non-linear, such as performing some basic analysis in the collection stage, or returning to the collection step when analysis leads to additional evidence. Before delving into this investigative methodology in detail, there are some fundamental concepts that must be understood.

Trained, experienced investigators will begin by asking themselves a series of questions aimed at deciding if a crime or infraction has actually occurred. The answer to these questions will help determine whether or not a full investigation will proceed or if valuable and limited investigative resources are better applied to other matters. For instance, when log files indicate that an employee misused a machine but he adamantly denies it, a digital investigator should carefully examine the logs for signs of error. Similarly, when a large amount of data are missing on a computer and an intruder is suspected, digital investigators should determine if the damage is more consistent with disk corruption than an intrusion. In one case, a suicide note on a computer raised concern because it had a creation date after the victim’s death. It transpired that the computer clock was incorrect and the note was actually written before the suicide.

Figure 4.1 Overview of case/incident resolution process. [Figure; layout not recoverable from the text. Labels captured: Accusation, Discovery/Seizure, Preservation, Examination, Analysis, Reporting findings, Case presentation, Expert testimony, Cross examination, Closing arguments, Verdict, Sentencing, Execution of law, Violation of law, Admissible evidence, Discovery, Interrogatories, Merits; the process is divided between Law enforcement/Forensic (Suitability, Persuasion) and Judicature/Law.]

When these questions are answered affirmatively, the focus shifts toward determining what happened, where, when, how, who was involved, and why. The process by which digital evidence is uncovered and applied to these issues is composed of several steps each employing strict protocols, proven methods, and, in some cases, trusted tools. More importantly, the success of this process depends heavily on the experience and skill of the investigators, evidence examiners and crime scene technicians who must collaborate to piece the evidence together and develop a convincing account of the offense.

The effectiveness of the investigative process depends upon high levels of objectivity applied at all stages. Some cases and the nature of the evidence uncovered (digital or otherwise) will take investigators and forensic examiners to emotional limits, testing their resolve. Computer security professionals in the private sector often have to investigate long-time coworkers and cases in all sectors can involve brutal abuse of innocent victims, inciting distraught individuals and communities to strike out at the first available suspect. A good investigator can remain objective in the most trying situations.

The very traits that make a good investigator or forensic examiner may lead us to depend on experience in place of individual case-related facts, resulting in unfounded conclusions. Individuals with inquiring minds and an enthusiasm for apprehending offenders begin to form theories about what may have occurred the moment they learn about an alleged crime, even before examining available evidence. Even experienced investigators are prone to forming such preconceived theories because they are inclined to approach a case in the same way as they have approached past cases, knowing that their previous work was upheld.

Hans Gross, one of this century’s preeminent criminologists, put it best in the following quotation:

Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you have already heard a similar story, perhaps you have formerly seen an analogous case; you have had an idea for a long time that things would turn out in such and such a way. This is enough; the details of the case are no longer studied with entire freedom of mind. Or a chance suggestion thrown out by another, a countenance which strikes one, a thousand other fortuitous incidents, above all losing sight of the association of ideas end in a preconceived theory, which neither rests on juridical reasoning nor is justified by actual facts.

(Gross 1924, pp. 10–12)

As experience increases and methods employed are verified, the accuracy of these “predictions” may improve. Conjecture based upon experience has its place in effective triage but should not be relied upon to the exclusion of rigorous investigative measures. The investigative process demands that each case be viewed as unique with its own set of circumstances and exhibits. Letting the evidence speak for itself is particularly important when offenders take steps to misdirect investigators by staging a crime scene or concealing evidence.

The main risk of developing full hypotheses before closely examining available evidence is that investigators will impose their preconceptions during evidence collection and analysis, potentially missing or misinterpreting a critical clue simply because it does not match their notion of what occurred. For instance, when recovering a deleted file named “_orn1yr5.gif” depicting a naked baby, an investigator might impose a first letter of the file that indicates “porn1yr5.gif” rather than “born1yr5.gif”. Instead, if the original file name is not recoverable, a neutral character such as “_” should be used to indicate that the first letter is unknown.

This caveat also applies to the scientific method from which the investigative process borrows heavily. At the foundation of both is the tenet that no observation or analysis is free from the possibility of error. Simply trying to validate an assertion increases the chance of error – the tendency is for the analysis to be skewed in favor of the hypothesis. Conversely, by developing many theories, an investigator is owned by none and by seeking evidence to disprove each hypothesis, the likelihood of objective analysis increases (Popper 1959). Therefore, the most effective way to counteract preconceived theories is to employ a methodology that compels us to find flaws in our theories, a practice known as falsification.

As an example, as an investigation progresses a prime suspect may emerge. Although it is an investigator’s duty to champion the truth, investigators must resist the urge to formally assert that an individual is guilty. A common misdeed is to use a verification methodology, focusing on a likely suspect and trying to fit the evidence around that individual. When a prime suspect has been identified and a theory of the offense has been formed, experienced investigators will try to prove themselves wrong. Implicating an individual is not the job of investigators – this is for the courts to decide and unlike scientific truth, legal truth is negotiable.

For instance, in common law countries, the standard of proof for criminal prosecutions is beyond a reasonable doubt and for civil disputes it is the balance of probabilities. Legal truth is influenced by ideas like fairness and justice, and the outcome may not conform to the scientific truth. A court may convict an individual even if the case is weak or some evidence suggests innocence.

Generally, in the prosecutorial environment, scientific truth is subordinate to legal truth and investigators must accept the ruling of the court. Similarly, investigators must generally accept an attorney’s decision not to take a case. However, in some instances, investigators will face an ethical dilemma if they feel that a miscarriage of justice has occurred. An investigator may be motivated to disclose information to the media or assist in a follow-up investigation but such choices must be made with great care because a repeated tendency to disagree with the outcome of an investigation will ruin an investigator’s credibility and even expose him/her to legal action.

Most forensic scientists accept the reality that while truthful evidence derived from scientific testing is useful for establishing justice, justice may nevertheless be negotiated. In these negotiations, and in the just resolution of conflict under the law, truthful evidence may be subordinated to issues of fairness, and truthful evidence may be manipulated by forces beyond the ability of the forensic scientist to control or perhaps even to appreciate fully. (Thornton 1997)

Galileo Galilei’s experiences provide us with an illustrative example of the power of the scientific method in discovering the truth and the cost of ignoring the reality that scientific truth may be subordinated to other truths. By observing the motion of stellar objects, Galileo gathered evidence to support Copernicus’s theory that the Earth revolved around the Sun. Although Galileo was correct and was widely respected as a scientist and mathematician, he was unable to dislodge the heliocentric conception of the Solar system that had persisted since Aristotle proposed it in the fourth century B.C. It seemed absurd to claim that the Earth was in motion when anyone could look at the ground and see that it was still. Also, the most vehement opponents of the idea felt that it contradicted certain passages in the Holy Scripture and thus threatened the already wavering authority of the Catholic Church (Sobel 1999).

The issue came to a head in 1616 when Pope Paul V appointed a panel of theologians to decide the matter. Despite its widespread acceptance and Galileo’s efforts to present supporting evidence, the panel concluded that certain aspects of Copernican astronomy were heretical. In essence, scientific truth was subordinated to a religious truth. Although Galileo was instructed not to present his opinions about the Solar system as fact, he was not specifically named as a heretic, one of the most grave crimes of the time. Almost twenty years later, by claiming that he had abandoned his belief in the Copernican model as instructed but wanted to demonstrate to the world that he and the Church fully understood all of the scientific arguments, Galileo obtained permission to publish his observations and theories in Dialogue of Galileo Galilei. However, the Dialogue quickly generated outrage and, in 1633, the book was banned and the 70-year-old Galileo was imprisoned for heresy and compelled to formally renounce his belief that the Earth rotated around the Sun.

There are a few valuable lessons here. The employment of a rigorous investigative process may uncover unpopular or even unbelievable truths subject to rejection unless properly and clearly conveyed to the intended audience. Investigators may be faced with a difficult choice – renounce the truth or face the consequences of holding an unpopular belief. It is the duty of investigators to unwaveringly assert the truth even in the face of opposition.

This account of Galileo is not intended to suggest that science is infallible. The fact is that science is still advancing and previous theories are being replaced by better ones. For instance, DNA analysis has largely replaced blood typing in forensic serology, and although the technique of blood typing was valid, it was not conclusive enough to support some of the convictions based upon evidence derived from that analysis alone. This weakness can be shown in dramatic fashion by the existence and success of the Innocence Project,¹ which is using results of DNA analysis to overturn wrongful convictions based on less than conclusive ABO Blood Typing and enzyme testing.

While preparing for the final step of the investigative process (the decision or verdict) it is important to keep in mind that discrepancies between scientific and legal truth may arise out of lack of understanding on the part of the decision makers. This is different from scientific peer review, where reviewers are qualified to understand and comment on relevant facts and methods with credibility. When technical evidence supporting a scientific truth is presented to a set of reviewers who are not familiar with the methods used, misunderstandings and misconceptions may result. To minimize the risk of such misunderstandings, the investigative process and the evidence uncovered to support prosecution must be presented clearly to the court. A clear presentation of findings is also necessary when the investigative process is applied to support decision makers who are in charge of civilian and military network operations. However, investigators may find this situation easier since decision makers in these domains often have some familiarity with methods and tools employed in forensic investigations for computer and network defense.

4.1 THE ROLE OF DIGITAL EVIDENCE

One of the main goals in an investigation is to attribute the crime to its perpetrator by uncovering compelling links between the offender, victim, and crime scene. Witnesses may identify a suspect but evidence of an individual’s involvement is usually more compelling and reliable. According to Locard’s Exchange Principle, anyone, or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave. In the physical world, an offender might inadvertently leave fingerprints or hair at the scene and take a fiber from the scene. For instance, in a homicide case the offender may attempt to misdirect investigators by creating a suicide note on the victim’s computer, and in the process leave fingerprints on the keyboard. With one such piece of evidence, investigators can demonstrate the strong possibility that the offender was at the crime scene. With two pieces of evidence the link between the offender and crime scene becomes stronger and easier to demonstrate (Figure 4.2).

¹ https://www.innocenceproject.org

This type of exchange produces evidence belonging in one of two general categories: (i) evidence with attributes that fit in the group called class characteristics, and (ii) exhibits with attributes that fall in the category called individual characteristics. As detailed in Chapter 9, class characteristics are common traits in similar items whereas individual characteristics are more unique and can be linked to a specific person or activity with greater certainty. Consider the physical world example from Chapter 1 of a shoe print left under a window at a crime scene. Forensic analysis of those impressions might only reveal the make and model of the shoe, placing it in the class of all shoes with the same make and model. Therefore, if a suspect were found to be in possession of a pair with the same manufacturer and model, a tenuous circumstantial link can be made between the suspect and the wrongdoing. If forensic analysis uncovers detailed wear patterns in the shoe prints and finds identical wear of the suspect’s soles, a much stronger link is possible. The margin of error has just been significantly reduced by the discovery of an individual characteristic making the link much less circumstantial and harder to refute.

In the digital realm, we move into a more virtual and less tangible space. The very notion of individual identity is almost at odds with the philosophy of openness and anonymity associated with many communities using the Internet. However, similar exchanges of evidence occur in the digital realm, such as data from an offender’s computer recorded by a server or data from servers stored on the offender’s computer. Such links have been used to demonstrate that a specific individual was involved. When all of this evidentiary material does not conclusively link a suspect with the computer, the evidence is still individual relative to the computer.

Browsing the Web provides another example of Locard’s Exchange Principle in the digital realm. If an individual sends a threatening message via a Web-based e-mail service such as Hotmail, his/her browser stores files, links, and other information on the hard disk along with date–time related information. Investigators can find an abundance of information relating to the sent message on the offender’s hard drive including the original message. Additionally, investigators can find related information on the Web server used to send the message including access logs, e-mail logs, IP addresses, browser version, and possibly the entire message in the Sent mail folder of the offender’s e-mail account.

Figure 4.2 Locard’s Exchange Principle. [Figure: diagram linking Victim, Crime scene and Suspect through Physical evidence.]

Akin to categories of evidence in the “traditional” forensic sense, digital equipment and their attributes can be categorized into class and individual groups. Scanners, printers, and all-in-one office devices may exhibit or leave discernible artifacts that lead to common class characteristics allowing the identification of an Epson, Canon, or Lexmark device. The more conclusive individual characteristics are more rare but not impossible to identify through detailed analysis. Unique marks on a digitized photograph might be used to demonstrate that the suspect’s scanner or digital camera was involved. Similarly, a specific floppy drive may make unique magnetic impressions on a floppy disk, helping establish a link between a given floppy disk and the suspect’s computer.

These are examples of the more desirable category of evidence because of their strong association with an individual source. Generally, however, the amount of work required to ascertain this level of information is significant and may be for naught, especially if a proven method for its recovery has not been researched and accepted in the community and used to establish precedent in the courts. This risk coupled with the fact that the objects of analysis change in design and complexity at such a rapid pace, makes it difficult to remain current.

Class characteristics can enable investigators to determine that an Apache Web server was used, a particular e-mail encapsulation scheme (e.g. MIME) was employed, or that a certain manufacturer’s network interface card was the source. Categorization of characteristics from various types of digital components has yet to be approached in any formal way but the value of this type of information cannot be underestimated. Class characteristics can be used collectively to determine a probability of involvement and the preponderance of this type of evidence can be a factor in reaching conclusions about guilt or innocence.

The value of class physical evidence lies in its ability to provide corroboration of events with data that are, as nearly as possible, free of human error and bias. It is the thread that binds together other investigative findings that are more dependent on human judgements and, therefore, more prone to human failings. (Saferstein 1998)

To better appreciate the utility of Locard’s Exchange Principle, class characteristics, and individual characteristics in the digital realm, consider a computer intrusion. When an intruder gains unauthorized access to a UNIX system from his/her personal computer using a stolen Internet dial-up account, and uploads various tools to the UNIX machine via FTP (file transfer protocol), the tools are now located on both the Windows and UNIX systems. Certain characteristics of these tools will be the same on both systems, including some of the date–time stamps and MD5 hash values (described in Chapter 9).

Preview (Chapter 9): Interestingly, the MD5 computation is an example of a derived attribute that can be useful as a class or individual characteristic depending on its application. For instance, the MD5 value of a common component of the Windows 2000 operating system (e.g. kernel32.dll) places a file in a group of all other similar components on all Windows 2000 installations but does not indicate that the file came from a specific machine. On the other hand, when the MD5 value is computed for data that are or seem to be unique, such as an image containing child pornography or suspect steganographic data, the hash value becomes an individual characteristic due to the very low probability that any other data (other than an exact copy) will compute to the same hash value. Therefore, MD5 values are more trustworthy than filenames or file sizes in the comparison of data.
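The preview’s distinction between a hash as a class characteristic (a match against a library of common components) and as an individual characteristic (a match against one specific exhibit), and its point that a hash is more trustworthy than a filename or size, can be shown with a short hashing routine. The following Python is an added example written for this edition, not code from the book: the “known component” hash set, the exhibit bytes and the file names are constructed stand-ins, written to a temporary directory so the block runs offline.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a reference set of common operating-system
# components (the role an NSRL-style hash library plays); the bytes are sample
# data, not the real kernel32.dll.
COMPONENT_BYTES = b"constructed stand-in for a common Windows 2000 component\n"
KNOWN_COMPONENTS = {
    hashlib.md5(COMPONENT_BYTES).hexdigest(): "kernel32.dll (constructed sample)",
}


def md5_of_file(path, chunk_size=65536):
    """MD5 hex digest of a file, read in chunks so large images are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def characterise(path, exhibit_hashes):
    """Classify a file's MD5 value the way the preview describes.

    A hit in the known-component set is a class characteristic: it says what
    kind of file this is, not which machine it came from.  A hit against a
    specific exhibit's hash is an individual characteristic: barring an exact
    copy, no other data is expected to produce the same value.
    """
    value = md5_of_file(path)
    if value in KNOWN_COMPONENTS:
        return "class", KNOWN_COMPONENTS[value]
    if value in exhibit_hashes:
        return "individual", exhibit_hashes[value]
    return "unmatched", None


def compare(path_a, path_b):
    """Compare two files three ways; only the hash test survives renaming and decoys."""
    return {
        "same_name": os.path.basename(path_a) == os.path.basename(path_b),
        "same_size": os.path.getsize(path_a) == os.path.getsize(path_b),
        "same_hash": md5_of_file(path_a) == md5_of_file(path_b),
    }


def demo():
    """Build constructed sample files and return the results of both checks."""
    root = tempfile.mkdtemp(prefix="hash-demo-")
    suspect_dir = os.path.join(root, "suspect")
    server_dir = os.path.join(root, "server")
    os.makedirs(suspect_dir)
    os.makedirs(server_dir)

    exhibit = b"constructed bytes standing in for a unique image file\n"
    files = {
        "original": (os.path.join(suspect_dir, "image12.jpg"), exhibit),
        # same content under a different name: the hash still matches
        "renamed": (os.path.join(server_dir, "holiday.jpg"), exhibit),
        # same name and same size, different content: name and size match, hash does not
        "decoy": (os.path.join(server_dir, "image12.jpg"), exhibit[::-1]),
        "component": (os.path.join(suspect_dir, "kernel32.dll"), COMPONENT_BYTES),
    }
    for path, content in files.values():
        with open(path, "wb") as fh:
            fh.write(content)

    # The exhibit's hash as it would have been recorded when the file was seized.
    exhibit_hashes = {hashlib.md5(exhibit).hexdigest(): "image12.jpg seized from suspect"}
    original = files["original"][0]
    return {
        "original": characterise(original, exhibit_hashes),
        "component": characterise(files["component"][0], exhibit_hashes),
        "renamed": compare(original, files["renamed"][0]),
        "decoy": compare(original, files["decoy"][0]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

MD5 is used because it is the algorithm the chapter discusses. Since the chapter was written, constructing two different files with the same MD5 value has become practical, so a present-day examiner records a second digest such as SHA-256 alongside it; hashlib.sha256 drops into md5_of_file unchanged.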

The Windows application used to connect to the UNIX system (e.g. Telnet, SecureCRT, SSH) may have a record of the target IP address/hostname. Directory listings from the UNIX system may be found on the intruder’s hard drive if they were swapped to the disk while being displayed on screen by Telnet, SecureCRT, SSH, or another program as shown in Figure 4.3. The stolen account and password is probably stored somewhere on the intruder’s system, possibly in a sniffer log or in a list of stolen accounts from various systems. The FTP client used (e.g. WS_FTP) may create a log of the transfer of tools to the server.
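Figure 4.3 shows EnCase’s grep feature recovering remnants of a UNIX directory listing from a Windows disk with a pattern for one type character, nine permission characters and a space. The same search, carried one step further into parsing each hit, as an added Python example (not the book’s or EnCase’s code): the byte buffer standing in for a fragment of swap file is constructed inline, and the full-line parser beyond the book’s pattern is my own addition.

```python
import re

# Constructed byte buffer standing in for a fragment of a Windows swap file:
# binary noise around three UNIX directory-listing lines and one partial
# permission string, paged out while a terminal client displayed them.
SWAP_SAMPLE = (
    b"\x00\x00\xff\xfeGARBAGE\x01\x02"
    b"drwxr-xr-x   2 johnh    users      4096 Nov 12 19:50 tools\r\n"
    b"-rw-r--r--   1 johnh    users    780800 Nov 12 19:53 image12.jpg\r\n"
    b"\x7fELF\x00\x00 some unrelated text -rwx------ partial"
    b"-rwxr-xr-x   1 johnh    users     12288 Nov 11 23:07 sniff\n"
    b"\x00\x00"
)

# Byte-level equivalent of the EnCase GREP pattern in the Figure 4.3 caption:
# a [d-] type character, nine [rwx-] permission characters, then a space.
LS_PERMS = re.compile(rb"[d-][rwx-]{9} ")

# Stricter parser for a whole "ls -l" line: permissions, link count, owner,
# group, size, a month/day plus time-or-year stamp, and the name to end of line.
LS_LINE = re.compile(
    rb"(?P<perms>[d-][rwx-]{9}) +(?P<links>\d+) +(?P<owner>\S+) +(?P<group>\S+)"
    rb" +(?P<size>\d+) +(?P<mtime>[A-Z][a-z]{2} +\d{1,2} +(?:\d{2}:\d{2}|\d{4}))"
    rb" +(?P<name>[^\r\n\x00]+)"
)


def find_candidates(buf):
    """Offsets of every hit for the book's loose pattern (fragments included)."""
    return [m.start() for m in LS_PERMS.finditer(buf)]


def carve_listings(buf):
    """Return the listing lines that parse completely, with their offsets.

    A hit from find_candidates() that does not parse here is still worth a
    note in the examiner's log, but only a full line yields a name, size and
    modification time that can be compared against other evidence.
    """
    entries = []
    for m in LS_LINE.finditer(buf):
        entries.append({
            "offset": m.start(),
            "type": "dir" if m["perms"].startswith(b"d") else "file",
            "perms": m["perms"].decode("ascii"),
            "owner": m["owner"].decode("ascii", "replace"),
            "group": m["group"].decode("ascii", "replace"),
            "size": int(m["size"]),
            "mtime": m["mtime"].decode("ascii"),
            "name": m["name"].decode("ascii", "replace"),
        })
    return entries


if __name__ == "__main__":
    print("candidate hits at offsets:", find_candidates(SWAP_SAMPLE))
    for entry in carve_listings(SWAP_SAMPLE):
        print(entry)
```

On the sample buffer the loose pattern reports four hits, including the fragment “-rwx------ partial”; the full-line parser keeps the three complete entries, which are what an examiner would then compare against the UNIX system’s own directory by name, size and modification time, as the intrusion example above describes.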

The UNIX system may have login records and FTP transfer logs showing the connection and file transfers. Additionally, some of the transferred files may carry characteristics from the source computer (e.g. TAR files contain user and group information from UNIX systems). These types of digital evidence transfer can be used to establish the continuity of offense in a connect-the-dots manner. In the threatening e-mail example above, the information on the sender’s hard disk along with the date and time it was created can be compared with data on the server and the message received by the target to demonstrate the continuity of the offense. To establish continuity of offense investigators should seek the sources, conduits, and targets of an offense. Each of these three areas can have multiple sources of digital evidence and can be used to establish the continuity of offense.

Figure 4.3 Remnants of a directory listing from a UNIX system found on a Windows computer using the grep feature in EnCase to search for the pattern “[d\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-][rwx\-](space)”. [Screenshot not reproduced.]

Figure 4.4 Potential sources of evidence useful for establishing continuity of offense. [Figure: the suspect’s computer (file date-time stamps, modem and WS_FTP logs) connected through a dial-up server (TACACS logs and ANI records) and a router (NetFlow logs) to an FTP server (logon and transfer logs).]

Additional systems may be peripherally involved in an offense (e.g. for storage, communication, or information retrieval) and may contain related evidence. For instance, in a computer intrusion investigation, there may be related digital evidence on intrusion detection system, NetFlow logs, and other intermediate systems discussed in later chapters.

The more corroborating evidence that investigators can obtain, the greater weight the evidence will be given in court and the more certainty they can have in their conclusions. In this way, investigators can develop a reconstruction of the crime and determine who was involved. The addition of a mechanism or taxonomy to categorize digital evidence as described would benefit the investigator by allowing them to present the relative merits of the evidence and help them maintain the objectivity called for by the investigative process.

As another example, take a case of downloading child pornography from an FTP server on the Internet via a dial-up connection as depicted in Figure 4.4. The date–time stamps of the offending files on the suspect’s personal computer show when the files were downloaded. Additionally, logs created by the FTP client may show when each file was downloaded and from where. The following log entry created by WS_FTP shows an image being downloaded from an FTP server with IP address 192.168.1.45 on November 12, 1998, at 1953 hours from a remote directory on the FTP server named “/home/johnh”.

98.11.12 19:53 A C:\download\image12.jpg <-- 192.168.1.45 /home/johnh image12.jpg

Modem logs on the computer may show that the computer was connected to the Internet at the time in question.

Dial-up server logs at the suspect’s Internet Service Provider (ISP) may show that a specific IP address was assigned to the suspect’s user account at the time.

The ISP may also have Automatic Number Identification (ANI) logs – effectively Caller-ID – connecting the suspect’s home telephone number to the dial-up activity. Routers connecting the suspect’s computer to the Internet may have associated NetFlow logs containing additional information about the suspect’s connection to the FTP server.

Logs on the FTP server may confirm that files were downloaded to the suspect’s IP address at the time in question. For instance, the following FTP server transfer log entry shows a file with the same name and size as that found on the suspect’s computer being downloaded to the IP address that was assigned to the suspect’s account at the time in question.

Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a _ o r user
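The chain the text walks through (WS_FTP client log, ISP address assignment, FTP server transfer log) can be correlated mechanically, and doing so makes the clock caveat from earlier in the chapter concrete. The following Python is an added example, not code from the book: the two log lines are the book’s own entries (with the WS_FTP arrow normalised to “<--”), while the dial-up session records, account names and telephone numbers are constructed sample data, and the minute-granularity comparison and clock-skew parameter are my design choices rather than anything the chapter prescribes.

```python
import re
from datetime import datetime, timedelta

# Client-side entry reproduced from the book's WS_FTP example (Figure 4.4), with
# the extraction-garbled arrow normalised to "<--" (a download from the server).
WS_FTP_LOG = r"98.11.12 19:53 A C:\download\image12.jpg <-- 192.168.1.45 /home/johnh image12.jpg"

# Server-side entry reproduced from the book.  It omits the leading weekday
# field a stock wu-ftpd xferlog carries, so the parser takes the 13-field form.
XFERLOG = "Nov 12 19:53:23 1998 15 216.58.30.131 780800 /home/johnh/image12.jpg a _ o r user"

# Constructed dial-up session records standing in for the ISP's address
# assignment (TACACS/RADIUS) and ANI logs; accounts, numbers and times are
# sample data, not from the book.
DIALUP_SESSIONS = [
    {"account": "acct-0017", "assigned_ip": "216.58.30.131", "ani": "555-0100",
     "start": datetime(1998, 11, 12, 19, 41), "end": datetime(1998, 11, 12, 20, 16)},
    {"account": "acct-0042", "assigned_ip": "216.58.30.131", "ani": "555-0199",
     "start": datetime(1998, 11, 12, 21, 5), "end": datetime(1998, 11, 12, 22, 30)},
]

WS_FTP_RE = re.compile(
    r"(?P<yy>\d{2})\.(?P<mm>\d{2})\.(?P<dd>\d{2}) (?P<HH>\d{2}):(?P<MM>\d{2}) "
    r"(?P<mode>[AB]) (?P<local>\S+) (?P<arrow><--|-->) (?P<server>\S+) "
    r"(?P<rdir>\S+) (?P<rfile>\S+)$"
)
MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_ws_ftp(line):
    """Parse one WS_FTP client log line: time, direction, local and remote paths."""
    m = WS_FTP_RE.match(line)
    if not m:
        raise ValueError("not a WS_FTP log entry: %r" % line)
    yy = int(m["yy"])
    year = 1900 + yy if yy >= 70 else 2000 + yy      # WS_FTP wrote two-digit years
    return {
        "time": datetime(year, int(m["mm"]), int(m["dd"]), int(m["HH"]), int(m["MM"])),
        "mode": "ascii" if m["mode"] == "A" else "binary",
        "direction": "download" if m["arrow"] == "<--" else "upload",
        "local_path": m["local"],
        "server": m["server"],
        "remote_path": m["rdir"].rstrip("/") + "/" + m["rfile"],
    }


def parse_xferlog(line):
    """Parse one xferlog entry in the 13-field form the book shows."""
    f = line.split()
    if len(f) < 13:
        raise ValueError("not an xferlog entry: %r" % line)
    hh, mi, ss = (int(x) for x in f[2].split(":"))
    return {
        "time": datetime(int(f[3]), MONTHS[f[0]], int(f[1]), hh, mi, ss),
        "xfer_seconds": int(f[4]),
        "remote_host": f[5],
        "size": int(f[6]),
        "path": f[7],
        "direction": "download" if f[10] == "o" else "upload",   # "o" = outgoing
        "username": f[12],
    }


def session_for(ip, at, sessions):
    """The dial-up session that held `ip` at instant `at`, or None."""
    for s in sessions:
        if s["assigned_ip"] == ip and s["start"] <= at <= s["end"]:
            return s
    return None


def link_chain(client, server, sessions, tolerance=timedelta(minutes=2),
               clock_skew=timedelta(0)):
    """Test whether client log, server log and ISP records tell one story.

    `clock_skew` is the measured offset of the server clock relative to the
    client clock (the ISP records are taken to share the client's clock here;
    in practice each source gets its own measured offset).  It exists for the
    reason the chapter's suicide-note anecdote gives: a machine clock cannot
    be assumed correct, so the offset is measured and applied rather than a
    genuine match being discarded.
    """
    server_time = server["time"] - clock_skew
    # WS_FTP records only minutes, so compare at minute granularity.
    delta = abs(server_time.replace(second=0) - client["time"])
    checks = {
        "same_remote_file": client["remote_path"] == server["path"],
        "same_direction": client["direction"] == server["direction"],
        "times_agree": delta <= tolerance,
    }
    session = session_for(server["remote_host"], server_time, sessions)
    checks["ip_assigned_to_account"] = session is not None
    checks["consistent"] = all(checks.values())
    return checks, session


def continuity_of_offense(xferlog_line=XFERLOG, clock_skew_seconds=0):
    """Run the three-way correlation; the skew is given in seconds for convenience."""
    client = parse_ws_ftp(WS_FTP_LOG)
    server = parse_xferlog(xferlog_line)
    return link_chain(client, server, DIALUP_SESSIONS,
                      clock_skew=timedelta(seconds=clock_skew_seconds))


if __name__ == "__main__":
    checks, session = continuity_of_offense()
    print(checks)
    print("account holding the address:", session and session["account"])
```

With the book’s two entries and the constructed session table, every check passes and the address resolves to the first session. If the server clock had been running an hour fast, the same entry would read 20:53:23 and the correlation would fail until the measured offset is passed as clock_skew_seconds; that is the behaviour an examiner wants, since a silent match across unreconciled clocks is exactly the kind of error the chapter warns about.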

CASE EXAMPLE (UNITED STATES v. HILTON 1997):

In United States v. Hilton, the forensic examiner was asked to justify transport charges by explaining his conclusion that pornographic images on the suspect’s computer had been downloaded from the Internet. The examiner explained that the files were located in a directory named MIRC (the name of an Internet chat client) and that the date–time stamps of the files coincided with the time periods when the defendant was connected to the Internet. The court was satisfied with this explanation and accepted that the files were downloaded from the Internet.

These examples describe suspected offenses and allude to types and locations of potential evidentiary material. This section also introduced the established forensic concepts of class and individual characteristics and how to apply them to digital evidence, helping investigators and prosecutors assess the suitability and persuasive strength of the evidence. These are essential elements of any investigation but only represent the highlights of the structured process detailed in the following sections.

4.2 INVESTIGATIVE METHODOLOGY

The investigative process, depicted as a sequence of ascending stairs in Figure 4.5, is structured to encourage a complete, rigorous investigation, ensure proper evidence handling, and reduce the chance of mistakes created by preconceived theories and other potential pitfalls. This process applies to criminal investigations as well as military and corporate inquiries dealing with policy violations or system compromise.

The categories in Figure 4.5 are intended to be as generic as possible. The unique methods and tools employed in each category tie the investigative process to a particular forensic domain. The terms located on the riser of each step are those more closely associated with the law enforcement perspective. To the right of each term is a more general descriptor that may help to express the essence of each step of the process.

Investigators and examiners work together to scale these steps from bottom to top in a systematic, determined manner in an effort to present a compelling story after reaching the landing (persuasion/testimony). There they will pass their hard work on to prosecutors or other decision makers who scrutinize the findings and decide whether to continue or refocus resources to solving other matters. In the case of the courts, investigators will present their findings to the trier-of-fact who will decide if the merits of the evidence make a strong enough case to proceed to trial. In civilian and military operational communities, facts are presented to resource managers who will rely on the confidence and accuracy of the information before taking corrective action. Often, in this operational environment the mission or business objectives are of primary concern with possible prosecution left as a secondary consideration.

Two items of particular note and special importance stand out in our depiction. First, Case Management plays a vital role and spans across all the steps in the process model. It provides stability and enables investigators to tie all relevant information together effectively, allowing the story to be told clearly. In many cases the mechanisms used to structure, organize, and record pertinent details about all events and physical exhibits associated with a particular investigation are just as important as the information presented.

Second, the term analysis is used rather loosely in many implementations of the investigative process. Our intent is to attach a more precise definition to this term so that it can be properly placed within the steps of our model. The analysis phase of the investigative process borrows heavily on the long-standing scientific method, beginning with fact gathering and validation, proceeding to hypothesis formation and testing, actively seeking evidence that disproves the hypothesis, and revising conclusions as new evidence emerges.

Figure 4.5 Categories of the Investigative Process Model (depicted as a flight of stairs). Steps from the bottom stair to the landing, each with the law enforcement term on the riser followed by the more general descriptor shown to its right; Case management spans all steps:

Incident alerts or accusation: Crime or policy violation
Assessment of worth: Prioritize – choose
Incident/Crime scene protocols: Actions at scene – real/virtual
Identification or seizure: Recognition and proper packaging
Preservation: Integrity – modification free
Recovery: Get it ALL – hidden/deleted
Harvesting: Data about data
Reduction: Filter – eliminate
Organization and search: Focus
Analysis (Assessment, Experiment, Fusion, Correlation, Validation): Scrutinize
Reporting: Detailed record
Persuasion and testimony: Translate and explain

In general, this model affords investigators and examiners a logical flow of events that, taken together, seek to provide:

1 Acceptance – the steps and methods have earned professional consensus.
2 Reliability – the methods employed can be proven (trusted) to support findings.
3 Repeatability – the process can be applied by all, independent of time and place.
4 Integrity – the state of evidence is proven (trusted) to be unaltered.
5 Cause and effect – logical connection between suspected individuals, events, and exhibits.
6 Documentation – recordings essential for testimonial evidence (expert testimony).

All six tenets have a common purpose – to form the most persuasive argument possible based upon facts, not supposition, and to do so considering the legal criteria for admissibility.

As noted at the beginning of this chapter, although depicted as a linear progression of events in Figure 4.5, the stages in this process are often intertwined and those professionals who participate may find the need to revisit steps after they were thought to be complete. This “feedback” cannot be avoided nor should it be. It is often essential to make improvements and enhancements to methods and tools used in each step. Also, most steps are not only “digital forensic” in nature – many parts of the process function by applying and integrating methods and techniques in police science and criminalistics as aids. Finally, as with most processes, there is a relationship between successive steps. That relationship can often be described by the input and output expected at each stage, with products of one step feeding into the steps that follow.

With that said, let us take a closer look at each step along with details of the processing required in each and the associated inputs and outputs.

4.2.1 ACCUSATION OR INCIDENT ALERT

Every process has a starting point – a place, event, or for lack of a better term, a “shot from a starting gun” that signals the race has begun. This step can be signaled by an alarm from an intrusion detection system, a system administrator reviewing firewall logs, curious log entries on a server, or some combination of indicators from multiple security sensors installed on networks and hosts. This initial step can also be triggered by events in more traditional law enforcement settings. Citizens reporting possible criminal activity will lead to investigative personnel being dispatched to a physical scene. That scene will likely contain exhibits of which some may be electronic, requiring part of the investigation to take a digital path. The prevalence of computers makes it increasingly likely that even traditional crimes will have related information derived from digital sources that require close scrutiny.

When presented with an accusation or automated incident alert, it is necessary to consider the source and reliability of the information. An individual making a harassment complaint because of repeated offensive messages appearing on her screen might actually be dealing with a computer worm/virus. An intrusion detection system alert may only indicate an attempted, unsuccessful intrusion or might be a false alarm. Therefore, it is necessary to weigh the strengths, weaknesses, and other known nuances related to the sources and include human factors as well as digital.

In addition to thoroughly assessing an accusation or alert, some initial fact gathering is usually necessary before launching a full-blown investigation. Even technically proficient individuals sometimes misidentify normal system activity as a computer intrusion. Initial interviews and fact checking can correct such misunderstandings, clarify what happened, and help develop an appropriate response. To perform this fact gathering and initial assessment, it is usually necessary to enter a crime scene and scan or very carefully sift through a variety of data sources looking for items that may contain relevant information.

This is a very delicate stage in an investigation because every action in the crime scene may alter evidence. Additionally, delving into an investigation prematurely, without proper authorization or protocols, can undermine the entire process. Therefore, an effort should be made to perform only the minimum actions necessary to determine if further investigation is warranted. Although an individual investigator’s experience or expertise may assist in forming internal conclusions that may have associated confidence levels, at this stage few firm, evidence-based conclusions are being drawn about whether a crime or an offence was actually committed.

4.2.2 ASSESSMENT OF WORTH

Those involved in investigative activities are usually busy with multiple cases or have competing duties that require their attention. Given that investigative resources are limited, they must be applied where they are needed most. How this step in the process is handled varies with the associated investigative environment. Applied in law enforcement environments, all suspected criminal activity must be investigated. In civil, business, and military operations, suspicious activity will be investigated but policy and continuity of operations often replace legalities as the primary concern. Regardless of environment, a form of triage is performed at this step in the process. Questions are asked that try to focus vital resources on the most severe problems or where they are most effective.

Factors that contribute to the severity of a problem include threats of physical injury, potential for significant losses, and risk of wider system compromise or disruption. If a problem can be contained quickly, if there is little or no damage, and if there are no exacerbating factors, a full investigation may not be warranted. The output of this step in the investigative process is a decision that will fit into two basic categories.

■ No further action is required – suspicion proved unwarranted. Available data and information are sufficient to indicate no wrongdoing. Document decision with detailed justification, report, and reassign resources.

■ Continue to apply investigative resources based upon the merits of evidence examined to this point with priority based on initial available information. All incidents or accusations deserve detailed initial investigation. This category aims to inform about discernment based on practical as well as legal precedent coupled with the informed experience of the investigative team.

Expertise from a combination of on-the-job and certified training plays a tremendous role in effective triage.

4.2.3 INCIDENT/CRIME SCENE PROTOCOLS

When a full investigation is warranted the first challenge is to retain and document the state and integrity of items (digital or otherwise) at the crime scene. Protocols, practices, and procedures are employed at this critical juncture to minimize the chance of errors, oversights, or injuries. Whoever is responsible for securing a crime scene, whether first responders or digital evidence examiners, should be trained to follow accepted protocols. These protocols should address issues such as health and safety (limiting exposure to hazardous materials such as chemicals in drug labs or potentially infectious body fluids), what other authorities are informed, and what must be done to secure the scene.

Preventing people from disturbing a single computer or room is relatively straightforward but, when networks are involved, a crime scene may include sources of evidence in several physically distant locations. Assuming investigators can determine where these locations are, they may not be able to reach them to isolate and preserve associated evidence. This raises the issues of evidence collection on a network, which are discussed in Part 3 of this book.

The product or output of this stage is a secure scene where all the contents are mapped and recorded, with accompanying photographs and basic diagrams to document important areas and items. The evidence is, in essence, frozen in place. This pristine environment is the foundation for all successive steps and provides the “ground truth” for all activities to follow. Items discovered in this initial phase remain an ever present and unchanging part of the case ahead. Steps that follow will serve to add items as well as the attributes of detail, connection, and validation so vital in building event reconstruction, timelines, and motive.

Importantly, the information gathered during this step regarding the state of a crime scene is at the highest level. This means that potential elements of a crime or incident are usually being scrutinized at the macro level. For the most part, investigators are observing “surface details” of potential evidence that may be indicative but are rarely conclusive.

4.2.4 IDENTIFICATION OR SEIZURE

Once the scene is secured, potential evidence of an alleged crime or incident must be seized. Clear procedures and understanding of necessary legal criteria are essential before activity can proceed successfully. The goal here for trained and experienced investigators is not to seize everything at a scene (physical or virtual) but to make informed, reasoned decisions about just what to seize and be prepared to document and justify the action.

Documentation permeates all steps of the investigative process but is particularly important in the digital evidence seizure step. It is necessary to record details about each piece of seized evidence to help establish its authenticity and initiate chain of custody. For instance, numbering items, photographing them from various angles, recording serial numbers, and documenting who handled the evidence helps keep track of where each piece of evidence came from and where it went after collection. Standard forms and procedures help in maintaining this documentation, and experienced investigators and examiners keep detailed notes to help them recall important details. Any notebook that is used for this purpose should be solidly bound and have page numbers that will indicate if a page has been removed.

In a traditional investigative context, seizure implies “to confiscate” or “to take possession of” material, physical items for detailed scrutiny of the items’ state and character at some later time in a controlled facility by proven, prescribed means. In the digital realm, unlike most of the traditional forensic disciplines, the seizure of material items occurs but all or part of the state and character of some material evidence may be lost almost immediately upon seizure by virtue of the volatility of electronic devices and their design. Many modern computers have large amounts of Random Access Memory (RAM) where process context information, network state information, and much more are maintained. Once a system is powered down the immediate contents of that memory are lost and can never be completely recovered. So, when dealing with a crime or incidents involving digital evidence, it may be necessary to perform operations on a system that contains evidence, especially in network connected environments.

The output of this phase follows clearly from the triage stage. Inventories, not only of physical electronic components but also attributes of those components that indicate possible networking between local and remote devices and other locations should be cataloged. This recognition is vital because it will allow investigators the opportunity to capture important state and character information before power down and seizure are accomplished. Therefore, even if the investigation warrants the seizure of electronic components, methods and techniques that allow “confiscation” of certain volatile system and network information, even in part, should be considered.

At this step, properly trained first responders might be instructed to find and physically seize evidence for later processing by a digital evidence examiner. Two useful documents outlining effective practices for seizing digital evidence are mentioned here briefly and details of this process are presented in later chapters. This information can be adapted to conform to an organization’s policies and should be used to create memory aids for investigators and examiners such as procedures, checklists, and forms.

The Good Practices Guide for Computer Based Electronic Evidence, published by the Association of Chief Police Officers in the United Kingdom (NHCTU 2003), provides a starting point for the discussion of the initial step of digital evidence handling. This guide is designed to cover the most common types of computers: electronic organizers and IBM compatible laptops or desktops with a modem. In addition to practical advice, this guide provides the following four overarching principles that are useful for anyone handling digital evidence.

Principle 1: No action taken by the police or their agents should change data held on a computer or other media that may subsequently be relied upon in court.

Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of and access to information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.

The US Department of Justice created a useful guide called Electronic Crime Scene Investigation: A Guide for First Responders (USDOJ 2001). This guide discusses various sources of digital evidence, providing photographs to help first responders recognize them, and describes how they should be handled.

These documents are useful for developing a standard operating procedure (SOP) that covers simple investigations involving a few computers. An SOP is necessary to avoid mistakes, ensure that the best available methods are used, and increase the probability that two forensic examiners will reach the same conclusions when they examine the evidence.

Keep in mind that digital evidence comes in many forms including audit trails, application logs, badge reader logs, biometrics data, application metadata, Internet service provider logs, intrusion detection system reports, firewall logs, network traffic, and database contents and transaction records (e.g. Oracle NET8 or 9 logs). Given this variety, identifying and seizing all of the available digital evidence are challenging tasks. More technically involved procedures are required to deal with large servers or evidence spread over a network. Also, situations will arise that are not covered by any procedure. This is why it is important to develop a solid understanding of forensic science and to learn to apply general principles creatively. Initial interviews should be performed to determine who is involved, what people know, what is not known, and what other information needs to be gathered.

4.2.5 PRESERVATION

Working from the known inventory of confiscated or seized components, investigators must act to make sure that potentially volatile items remain unchanged. Another way to put it is that proper actions must be taken to ensure the integrity of potential evidence, physical and digital. The methods and tools employed to ensure integrity are key here. Their accuracy and reliability as well as professional acceptance may be subject to question by opposing counsel if the case is prosecuted. These same criteria will give decision makers outside of court the necessary confidence to proceed on recommendations from their investigators.

To many practitioners in our field this is where digital forensics begins. It is generally the first stage in the process that employs commonly used tools of a particular type. The output of this stage is usually a set of duplicate copies of all sources of digital data. This output provides investigators with two categories of exhibits. First, the original material is cataloged and stored in a proper environmentally controlled location, in an unmodified state. Second, an exact copy of the original material that will be scrutinized as the investigation continues.
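The preservation output described above, hash the original before copying, make a bit-for-bit duplicate, hash again afterwards, and keep an audit trail that a third party can re-run, as an added Python example that is not from the book. The in-memory byte string standing in for a seized drive, the exhibit and examiner identifiers, and the record layout are constructed for the example.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed sample: a tiny stand-in for the contents of a seized drive.
SEIZED_IMAGE = b"\x00" * 512 + b"evidence-sector-data" + b"\xff" * 512

CHUNK = 4096  # fixed-size blocks, as imaging tools read them


def sha256_of(data: bytes) -> str:
    """Hash in chunks (so the same code works on a large image) and return hex."""
    h = hashlib.sha256()
    src = io.BytesIO(data)
    for block in iter(lambda: src.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


@dataclass
class AuditEntry:
    when: str      # UTC timestamp of the action
    who: str       # examiner identifier
    action: str
    detail: str


@dataclass
class PreservationRecord:
    exhibit_id: str
    original_hash: str                 # taken before any copy is made
    copy_hash: str = ""
    verified: bool = False
    audit_trail: List[AuditEntry] = field(default_factory=list)

    def log(self, who: str, action: str, detail: str) -> None:
        self.audit_trail.append(
            AuditEntry(datetime.now(timezone.utc).isoformat(), who, action, detail))


def duplicate(original: bytes) -> bytes:
    """Bit-for-bit copy made block by block (stands in for the imaging tool)."""
    src, dst = io.BytesIO(original), io.BytesIO()
    for block in iter(lambda: src.read(CHUNK), b""):
        dst.write(block)
    return dst.getvalue()


def verify(original: bytes, copy: bytes, expected: str) -> bool:
    """True only if the original still hashes to its acquisition-time value
    and the copy hashes to that same value."""
    return sha256_of(original) == expected == sha256_of(copy)


def preserve(exhibit_id: str, original: bytes, examiner: str) -> Tuple[bytes, PreservationRecord]:
    """Hash the original, duplicate it, hash the duplicate, then re-hash the
    original so that any change during copying is detected and logged."""
    rec = PreservationRecord(exhibit_id, sha256_of(original))
    rec.log(examiner, "hash-original", rec.original_hash)
    copy = duplicate(original)
    rec.copy_hash = sha256_of(copy)
    rec.log(examiner, "hash-copy", rec.copy_hash)
    rec.verified = verify(original, copy, rec.original_hash)
    rec.log(examiner, "verify", "match" if rec.verified else "MISMATCH")
    return copy, rec


if __name__ == "__main__":
    working_copy, record = preserve("EX-001", SEIZED_IMAGE, "examiner-A")
    for entry in record.audit_trail:
        print(entry.when, entry.who, entry.action, entry.detail)
```

Anyone holding the original and the logged hash can repeat the three hashing steps and reach the same result, which is what Principle 3 above asks for.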

4.2.6 RECOVERY

Prior to performing a full analysis of preserved sources of digital evidence, it is necessary to extract data that have been deleted, hidden, camouflaged, or that are otherwise unavailable for viewing using the native operating system and resident file system. In some instances, it may also be necessary to reconstitute data fragments to recover an item. Whenever feasible, this process is performed on copies of original digital evidence from the preservation step – this may not be possible in the case of embedded systems.

At this step in the process the focus is on the recovery of all unavailable data whether or not they may be germane to the case or incident. The objective is to identify, and if possible make visible, all data that can be recognized as belonging to a particular data type. The output provides the maximum available content for the investigators and enables them to move to the next phase of the process. It provides the most complete data timeline and may provide insight into the motives of an offender if concrete proof of purposeful obfuscation is found and recorded.

4.2.7 HARVESTING

By the start of this phase all the potential digital evidence associated with a case or incident is available for investigation. Activities designed to gather data and metadata (data about data) about all objects of interest may now proceed. This stage in the process is where the actual reasoned scrutiny begins, where concrete facts begin to take shape that support or falsify hypotheses built by the investigative team. Working from the preserved, recovered source material the investigation proceeds to gather descriptive material about the contents. This gathering will typically proceed with little or no discretion related to the data content, its context, or interpretation. Rather, the investigator will look for categories of data that can be harvested for later analysis – groupings of data with certain class characteristics that, from experience or training, seem or are known to be related to the major facts of the case or incident known to this point in the investigation.

For example, an accusation related to child pornography requires visual digital evidence most likely rendered in a standard computer graphics format like GIF or JPEG. Therefore, the investigators would likely be looking for the existence of files exhibiting characteristics from these graphic formats. That would include surface observables like the object’s file type (expressed as a three-character alphanumeric designator in MS Windows based file systems) or, more accurately, a header and trailer unique to a specific graphical format. In the case of incidents related to hacking, investigators might focus some attention on the collection of files or objects associated with particular rootkits or sets of executables, scripts, and interpreted code that are known to aid crackers in successfully compromising systems, as discussed in Chapter 19.

A familiarity with the technologies and tools used, coupled with an understanding of the underlying mechanisms and technical principles involved, is of particular importance in this step. The general output expected here is large, organized sets of digital data that have the potential for evidence. It is the first-layer organizational structure that the investigators and examiners will start to decompose in steps that follow.

4.2.8 REDUCTION

This step involves activities that help eliminate or target specific items in the collected data as potentially germane to an investigation. This process is analogous to separating the wheat from the chaff. The decision to eliminate or retain is made based on external data attributes such as hashing or checksums, type of data (after type is verified), etc. In addition, material facts associated with the case or incidents are also brought to bear to help eliminate data as potential evidence. This phase remains focused primarily on the overall structure of the object and very likely does not consider content or context apart from examination of fixed formatted internal data related to standards (like headers and trailers). The result (output) of the work in this stage of the investigative process is the smallest set of digital information that has the highest potential for containing data of probative value. This is the answer to the question: “Where’s the beef?” The criteria used to eliminate certain data are very important and might possibly be questioned by judge, jury, or any other authorized decision maker.
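The harvesting and reduction steps described in the two sections above, as an added Python example that is not from the book: type is verified by header and trailer rather than by the Windows extension (so a renamed or truncated JPEG is still harvested and flagged), then objects whose hash matches a known benign file are eliminated with the criterion recorded on each item. The signature table, the sample file set and the known-hash set are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Header and trailer signatures for the two formats the text names.
SIGNATURES = {
    "jpeg": ((b"\xff\xd8\xff",), b"\xff\xd9"),
    "gif": ((b"GIF87a", b"GIF89a"), b";"),   # GIF trailer is the byte 0x3B
}
# Extensions that legitimately declare each format (Windows-style suffix).
EXTENSIONS = {"jpeg": {"jpg", "jpeg"}, "gif": {"gif"}}


def identify(data: bytes) -> Optional[Tuple[str, bool]]:
    """Return (format, complete) when a header matches; complete is False when
    the trailer is missing (truncated file or fragment). None if no header matches."""
    for fmt, (headers, trailer) in SIGNATURES.items():
        if any(data.startswith(h) for h in headers):
            return fmt, data.endswith(trailer)
    return None


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def harvest(files: Dict[str, bytes]) -> List[dict]:
    """Harvesting: keep every object whose verified type is a graphic, with
    data about data (size, hash, declared vs. verified type) for later steps.
    No judgement about content is made here."""
    harvested = []
    for name, data in files.items():
        ident = identify(data)
        if ident is None:
            continue
        fmt, complete = ident
        ext = extension_of(name)
        harvested.append({
            "name": name,
            "verified_type": fmt,
            "complete": complete,
            "declared_ext": ext,
            "ext_mismatch": ext not in EXTENSIONS[fmt],   # camouflaged by renaming
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return harvested


def reduce_set(harvested: List[dict], known_hashes: Set[str]) -> Tuple[List[dict], List[dict]]:
    """Reduction: eliminate objects whose hash matches a known benign file,
    recording the criterion on each eliminated item so it can be defended later."""
    retained, eliminated = [], []
    for item in harvested:
        if item["sha256"] in known_hashes:
            eliminated.append({**item, "eliminated_by": "known benign hash"})
        else:
            retained.append(item)
    return retained, eliminated


# Constructed sample file set; bodies are minimal stand-ins, not real images.
STOCK_LOGO = b"GIF89a" + b"\x01\x00\x01\x00" + b";"
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" + b"\xff\xd9",
    "notes.txt": b"\xff\xd8\xff\xe0" + b"renamed-jpeg-body" + b"\xff\xd9",   # JPEG hidden behind .txt
    "logo.gif": STOCK_LOGO,                                                   # shipped with the software
    "readme.jpg": b"plain text wearing a .jpg extension",                     # not a graphic at all
    "broken.jpg": b"\xff\xd8\xff\xe0" + b"truncated-body",                   # header present, trailer missing
}
# Constructed known-benign hash set (a real one would come from a reference library).
KNOWN_BENIGN = {hashlib.sha256(STOCK_LOGO).hexdigest()}


def run(files: Dict[str, bytes] = SAMPLE_FILES, known: Set[str] = KNOWN_BENIGN):
    return reduce_set(harvest(files), known)


if __name__ == "__main__":
    kept, dropped = run()
    for item in kept:
        print("RETAIN", item["name"], item["verified_type"],
              "complete" if item["complete"] else "partial",
              "EXT-MISMATCH" if item["ext_mismatch"] else "")
    for item in dropped:
        print("ELIMINATE", item["name"], item["eliminated_by"])
```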

4.2.9 ORGANIZATION AND SEARCH

To facilitate a thorough analysis, it is advisable to organize the reduced set of material from the previous step, grouping, tagging, or otherwise placing them into meaningful units. At this stage it may be advantageous to actually group certain files physically to accelerate the analysis stage. They may be placed in groups using folders or separate media storage or in some instances a database system may be employed to simply point to the cataloged file system objects for easy, accurate reference without having to use rudimentary search capability offered by most host operating systems.

The primary purpose of this activity is to make it easier for the investigator to find and identify data during the analysis step and allow them to reference these data in a meaningful way in final reports and testimony. This activity may incorporate different levels of search technology to assist investigators in locating potential evidence. A searchable index of the data can be created to enable efficient review of the materials to help identify relevant, irrelevant, and privileged material. Any tools or technology used in this regard should be understood fully and the operation should follow as many accepted standards as exist. The results of this stage are data organization attributes that enable repeatability and accuracy of analysis activities to follow.

4.2.10 ANALYSIS

This step involves the detailed scrutiny of data identified by the preceding activities. The techniques employed here will tend to involve review and study of specific, internal attributes of the data such as text and narrative meaning of readable data, or the specific format of binary audio and video data items. Additionally, class and individual characteristics found in this step are used to establish links, determine the source of items, and ultimately locate the offender. Generally, analysis includes these subcategories (including but not limited to):

■ Assessment (content and context) – Human readable (or viewable) digital data objects have content or substance that can be perceived. That substance will be scrutinized to try to determine factors such as means, motivation, opportunity.

■ Experimentation – A very general term but applied here to mean that unorthodox or previously untried methods and techniques might be called for during investigations. All proven methodologies began as experiments so this should come as no surprise, especially when applying the scientific method. What remains crucial is that all experimentation be documented rigorously so that the community, as well as the courts, have the opportunity to test it. Eventually, experimentation leads to falsification or general acceptance.

■ Fusion and correlation – These terms are subtly distinct. During the course of the investigation, data (information) have been collected from many sources (digital and non-digital). The likelihood is that digital evidence alone will not tell the full tale. The converse is also true. The data must be fused or brought together to populate structures needed to tell the full story. An example of Fusion would be the event timeline associated with a particular case or incident. Each crime or incident has a chronological component where events or actions fill time slices. This typically answers the questions of where, when, and sometimes how. Time slices representing all activities will likely be fused from a variety of sources such as digital data, telephone company records, e-mail transcripts, suspect and witness statements. Correlation is related but has more to do with reasoned cause and effect. Do the data relate? Not only does event B follow event A chronologically, but the substance (e.g. narrative, persons, or background in a digital image) of the events shows with high probability (sometimes intuition) that they are related contextually.

■ Validation – This is the output or result of the Analysis stage. It is the reasoned findings that investigators propose to submit to jurists or other decision makers as “proof positive” for prosecution or acquittal.

A failure to objectively assess digital evidence and to utilize experimentation, fusion, and correlation to validate it can lead to false conclusions and personal liability, as demonstrated in the following examples.

CASE EXAMPLE (LISER v. SMITH 2003):

Investigators thought they had found the killer of a 54-year-old hotel waitress, Vidalina Semino Door, when they obtained a photograph of Jason Liser from an ATM where the victim’s bank card had been used. Despite the bank manager’s warning that there could be a discrepancy between the time indicated on the tape and the actual time, Liser’s photograph was publicized and he was subsequently arrested but denied any involvement in the murder. A bank statement confirmed that Liser had been at the ATM earlier that night but that he had used his girlfriend’s card, not the murder victim’s. Investigators made an experimental withdrawal from the ATM and found that the time was significantly inaccurate and that Liser had used the ATM before the murder took place. Eventually, information relating to the use of the victim’s credit card several days after her death implicated two other men who were convicted for the murder. Liser sued the District of Columbia and Jeffrey Smith, the detective responsible for the mistaken arrest, for false arrest and imprisonment, libel and slander, negligence, and providing false information to support the arrest. The court dismissed all counts except the negligence charge. The court felt that Smith should have made a greater effort to determine how the bank surveillance cameras operated or consulted with someone experienced with this type of evidence, noting, “The fact that the police finally sought to verify the information – and quickly and readily learned that it was inaccurate – after Liser’s arrest certainly does not help their cause”. Liser’s lawsuit against Bank of America for negligence and infliction of emotional distress due to the inaccuracy in the timing mechanism was dismissed.
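The fusion and correlation of time-stamped records from several sources, with each source clock corrected by a measured offset before anything is ordered, as an added Python example that is not from the book. The events, times and the 38-minute camera offset are constructed to mirror the situation in Liser v. Smith and are not taken from the case record; a source whose clock has not been checked is refused rather than trusted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    source: str          # system or person that supplied the record
    recorded: datetime   # the time stamp exactly as that source recorded it
    description: str


@dataclass(frozen=True)
class FusedEvent:
    reference_time: datetime   # the same event on the agreed reference clock
    source: str
    description: str
    offset_applied: timedelta


def measure_offset(source_reading: datetime, reference_reading: datetime) -> timedelta:
    """Offset of a source clock, from one control observation made at a known
    reference time (the 'experimental withdrawal' of the Liser case). Positive
    means the source clock runs ahead of the reference."""
    return source_reading - reference_reading


def fuse(events: List[Event], offsets: Dict[str, timedelta]) -> List[FusedEvent]:
    """Fusion: place every record on the reference clock, then order them.
    A source whose clock was never checked is refused rather than trusted."""
    fused = []
    for ev in events:
        if ev.source not in offsets:
            raise ValueError(f"clock of source {ev.source!r} has not been validated")
        off = offsets[ev.source]
        fused.append(FusedEvent(ev.recorded - off, ev.source, ev.description, off))
    return sorted(fused, key=lambda f: f.reference_time)


def precedes(timeline: List[FusedEvent], first: str, second: str) -> bool:
    """Correlation check: does event `first` come before event `second`?"""
    when = {f.description: f.reference_time for f in timeline}
    return when[first] < when[second]


def naive_order(events: List[Event]) -> List[str]:
    """Ordering by raw stamps with no clock validation: the error the text warns about."""
    return [e.description for e in sorted(events, key=lambda e: e.recorded)]


UTC = timezone.utc


def at(hour: int, minute: int) -> datetime:
    return datetime(1999, 3, 1, hour, minute, tzinfo=UTC)   # constructed date


# Constructed records. The bank host clock is the reference; the medical
# examiner's estimate is already stated in reference time.
EVENTS = [
    Event("atm_camera", at(23, 51), "suspect photographed at ATM"),
    Event("bank_host", at(23, 12), "suspect's girlfriend's card used at ATM"),
    Event("medical_examiner", at(23, 30), "estimated time of death"),
    Event("bank_host", at(23, 58), "victim's card used at ATM"),
]
# Control observation: a test withdrawal at bank-host time 10:00 appears as 10:38 on the tape.
OFFSETS = {
    "atm_camera": measure_offset(at(10, 38), at(10, 0)),   # camera clock 38 minutes fast
    "bank_host": timedelta(0),
    "medical_examiner": timedelta(0),
}


def corrected_order() -> List[str]:
    return [f.description for f in fuse(EVENTS, OFFSETS)]


if __name__ == "__main__":
    print("raw stamps:     ", naive_order(EVENTS))
    print("reference clock:", corrected_order())
```

On raw stamps the photograph falls after the estimated time of death; once the camera offset is applied it falls beside the girlfriend's card transaction, before the death, which is the conclusion the experimental withdrawal in the case produced.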

4.2.11 REPORTING

To provide a transparent view of the investigative process, final reports should contain important details from each step, including reference to protocols followed and methods used to seize, document, collect, preserve, recover, reconstruct, organize, and search key evidence. The majority of the report generally deals with the analysis leading to each conclusion and descriptions of the supporting evidence. No conclusion should be written without a thorough description of the supporting evidence and analysis. Also, a report can exhibit the investigator or examiner’s objectivity by describing any alternative theories that were eliminated because they were contradicted or unsupported by evidence.

4.2.12 PERSUASION AND TESTIMONY

In some cases, it is necessary to present the findings outlined in a report and address related questions before decision makers can reach a conclusion. A significant amount of effort is required to prepare for questioning and to convey technical issues in a clear manner. Therefore, this step in the process includes techniques and methods used to help the analyst and/or domain expert translate technological and engineering detail into an understandable narrative for discussion with decision makers.

112 DIGITAL EVIDENCE AND COMPUTER CRIME

Copyright 2004 Elsevier, Inc. All rights reserved.

Licensed to University of Phoenix.

4.3 SUMMARY

This chapter provided a formalized process to help investigators reach conclusions that are reliable, repeatable, well documented, as free as possible from error, and supported by evidence. Heavy reliance on the scientific method helps overcome preconceived theories, encouraging investigators to validate their findings by trying to prove themselves wrong, leading to well-founded conclusions that support expert testimony. Fundamental concepts such as Locard's Exchange Principle, class and individuating characteristics, and establishing continuity of offense were discussed. The important concepts of case management and analysis were discussed along with each discrete step in the investigative process. The ultimate aim of this investigative model is to help investigators and examiners ascend a sequence of steps that are generally accepted, reliable, and repeatable, and lead to logical, well documented conclusions of high integrity. All six tenets have a common purpose: to form the most persuasive argument possible based upon facts, not supposition, and to do so considering the legal criteria for admissibility.

The success of each step of the investigative process is dependent on preparation in the form of policies, protocols, procedures, training, and experience. Anyone responding to an accusation or incident should already have policies and protocols to follow and should have the requisite knowledge and training to follow them. Similarly, anyone processing and analyzing digital evidence should have standard operating procedures, necessary tools, and the requisite training to implement them.

REFERENCES

Carrier B. and Spafford E. H. (2003) "Getting Physical with the Digital Investigation Process", International Journal of Digital Evidence, Volume 2, Issue 2 (Available online at https://www.ijde.org/docs/03_fall_carrier_Spa.pdf)

Gross H. (1924) Criminal Investigation, London: Sweet & Maxwell

Korn H. (1966) "Law, Fact, and Science in the Courts", 66 Columbia Law Review 1080, 1093–94


Popper K. R. (1959) The Logic of Scientific Discovery, London: Hutchinson

Saferstein R. (1998) Criminalistics: An Introduction to Forensic Science, Sixth Edition, Upper Saddle River, NJ: Prentice Hall

Sobel D. (1999) Galileo's Daughter: A Drama of Science, Faith, and Love, London: Fourth Estate

Thornton J. I. (1997) "The General Assumptions and Rationale of Forensic Identification", in David L. Faigman, David H. Kaye, Michael J. Saks, & Joseph Sanders (Editors), Modern Scientific Evidence: The Law and Science of Expert Testimony, Volume 2, St. Paul, MN: West Publishing Company

United Kingdom Association of Chief Police Officers (2003) "The Good Practices Guide for Computer Based Electronic Evidence", National High-tech Crime Unit (Available online at https://www.nhtcu.org/ACPO Guide v3.0.pdf)

United States Department of Justice (2001) "Electronic Crime Scene Investigation: A Guide for First Responders", National Institute of Justice, NCJ 187736 (Available online at https://www.ncjrs.org/pdffiles1/nij/187736.pdf)

CASES

Liser v. Smith (2003) District Court, District of Columbia, Case Number 00-2325 (Available online at https://www.dcd.uscourts.gov/Opinions/2003/Huvelle/00-2325.pdf)

United States v. Hilton (1997) District Court, Maine, Case Number 97-78-P-C (Available online at https://www.med.uscourts.gov/opinions/carter/2000/gc_06302000_2-97cr078_us_v_hilton.pdf)
