Abstract
Digital forensics experts are called on to collect and analyze digital information from electronic devices such as computer hard drives and cell phones. Electronic evidence is used in a wide variety of cases, ranging from corporate espionage to employee separation or divorce. Recent changes to the Federal Rules of Civil Procedure have legitimized the use of digital evidence in court, making this new field of forensics more relevant than ever.
Key Words: digital forensics, Federal Rules of Civil Procedure, digital evidence
An increasing number of business and legal investigations include evidence extracted from digital devices such as computer hard drives, PDAs, and cell phones. When it becomes apparent that digital information must be used in the course of an investigation or discovery process, digital forensics experts must be employed to carefully gather pertinent evidence.
Digital forensics professionals are responsible for the collection, analysis, and investigation of electronic evidence from digital devices. The gathered "snapshot" of information must be collected in a detailed, methodical, and scientific manner, as any or all evidence can be used in discovery, in depositions, or in trial.
Historically, paper documents have been the mainstay of evidence production in the court system. However, a standard computer hard drive contains enough easily readable information to fill hundreds of thousands of sheets of paper, making the court's reliance on paper imprudent. Digital documents in their native formats also contain information that their paper counterparts do not, such as user access dates and editing information. This type of information, called "metadata," can offer valuable clues regarding user interaction with documents and files. For example, Microsoft Word can capture important information such as edits made using the track changes feature of the program. The production of digital documents during court proceedings is important to ensure all necessary information has been preserved.
Case Study
John Smith has a wife of 10 years and two young children and lives in the suburbs. He likes golf and the occasional fishing trip and owns his own business. And he has been cheating on his wife with an Internet girlfriend for 2 years.
They have chatted on an instant messenger at work, emailed pictures and jokes, and even planned weekend getaways to Louisiana. When she did not show up for the first trip, Smith was worried. But when she did not arrive at the prearranged hotel for the next two trips, he became suspicious. He could not imagine why someone who wrote such heartfelt emails would treat him with such disregard.
Tired of waiting for an answer, Smith hired a private investigator to identify his mystery woman. Internet searches were inconclusive, and the service provider would not give the woman's personal information without the threat of legal action and a subpoena. After striking out on all of the usual investigative avenues, the investigator told Smith that he was not finding any significant information.
But fortunately for Smith, the private investigator had close connections with a digital forensics company that helped him identify Smith's girlfriend through email communications.
The forensics investigators began by targeting the general area where the girlfriend was sending emails by investigating the address-like information embedded in the email. All emails contain "headers" with destination and return addresses, much like envelopes. Headers also include addresses from each routing point that the email passes through on the Internet, showing the path taken to reach a destination.
Ironically, the email headers led the forensics experts to a computer in the same city as Smith--something that came as quite a surprise to him. He could not believe that he had scheduled trips out of state and spent hours chatting with someone that might be living on the same street.
Like Smith, the private investigator found the situation suspicious. Why would someone so close and invested in a relationship want to hide her location?
The forensics experts investigated all of Smith's emails and compared all email headers. Suspicious that Smith might be 'dating' someone he already knew, the investigators looked to see if any emails sent from Smith's girlfriend matched an email sent from someone else in his mailbox.
Both the forensics experts and the private investigator were correct. After making a careful comparison and double-checking the results, the forensics experts found that the girlfriend's emails were being sent from the same address as Smith's home computer. They concluded that Smith had been cheating on his wife with his wife for more than 2 years.
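The header comparison described in this case study, as an added example that is not part of the original article: a small Python routine that reads the Received lines of a message, rebuilds the delivery path from the originating connection outward, and then indexes a mailbox by origin address to find senders who share one. The mailbox, host names and addresses are constructed sample data, not evidence from the case.

```python
import re
from collections import defaultdict

# Constructed sample mailbox (not real data): (From address, raw headers). Each
# server prepends a Received line, so the last one is the sender's origin.
MAILBOX = [
    ("sweetheart@webmail.example",
     "Received: from mx.corp.example (mx.corp.example [203.0.113.5])\n"
     "\tby mail.corp.example; Mon, 02 Apr 2007 09:14:01 -0500\n"
     "Received: from webmail.example (webmail.example [198.51.100.20])\n"
     "\tby mx.corp.example; Mon, 02 Apr 2007 09:13:58 -0500\n"
     "Received: from [192.0.2.77] (pool-77.isp.example [192.0.2.77])\n"
     "\tby webmail.example with HTTP; Mon, 02 Apr 2007 09:13:50 -0500\n"
     "From: sweetheart@webmail.example\nSubject: this weekend?"),
    ("home@example.com",
     "Received: from mx.corp.example (mx.corp.example [203.0.113.5])\n"
     "\tby mail.corp.example; Sat, 31 Mar 2007 20:02:11 -0500\n"
     "Received: from [192.0.2.77] (pool-77.isp.example [192.0.2.77])\n"
     "\tby mx.corp.example; Sat, 31 Mar 2007 20:02:09 -0500\n"
     "From: home@example.com\nSubject: groceries"),
    ("vendor@supplier.example",
     "Received: from mx.corp.example (mx.corp.example [203.0.113.5])\n"
     "\tby mail.corp.example; Fri, 30 Mar 2007 11:30:00 -0500\n"
     "Received: from smtp.supplier.example (smtp.supplier.example [198.51.100.9])\n"
     "\tby mx.corp.example; Fri, 30 Mar 2007 11:29:58 -0500\n"
     "From: vendor@supplier.example\nSubject: invoice"),
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_path(raw):
    """Hop IPs in delivery order, origin first. Folded continuation lines
    (leading tab/space) are joined back onto their header before matching."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    lines = [l for l in unfolded.splitlines() if l.lower().startswith("received:")]
    return [m.group(1) for m in map(IP_RE.search, lines) if m][::-1]

def origin_ip(raw):
    """Connecting IP from the lowest Received header, or None. Only lines added
    by servers you control are trustworthy; lower ones can be sender-supplied."""
    return (received_path(raw) or [None])[0]

def shared_origins(mailbox):
    """Map each origin IP that more than one sender used to those senders."""
    index = defaultdict(set)
    for sender, raw in mailbox:
        if ip := origin_ip(raw):
            index[ip].add(sender)
    return {ip: sorted(s) for ip, s in index.items() if len(s) > 1}
```

In the sample data the "girlfriend" and the home account both originate from 192.0.2.77, which is the kind of match the investigators found; a real examination would also confirm the timestamps and the receiving server's own logs before drawing that conclusion.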
Smith was understandably shocked! Although forensics cannot answer all the questions that would naturally follow such a revelation, it did catch a woman who believed she was anonymous on the Internet.
Common Forensics Investigations
Two surprisingly common misconceptions are that emails cannot be traced and that chat room participants cannot be found. As a result, people often do and say things online that they would not in a face-to-face conversation. The impersonal nature of email and instant messaging can lead to problems, both personal and professional.
The majority of forensics cases involve employee separation and discrimination issues. Most often, an employee exits a company with proprietary information and uses it to establish a competing business.
Some are brazen enough to email themselves client lists, engineering specifications, and account information. Others are more discreet, preferring to burn such information to a CD or download it to a flash drive. Fortunately, forensics experts can not only examine system files to determine whether a transfer has been made to external media, but also conduct thorough examinations for email attachments.
Forensics experts are often called to examine computers from employment lawsuits, such as discrimination, sexual harassment, and wrongful termination. In these cases, the investigated computer has often been used for several months since the employee's departure, presenting challenges to forensics examiners. This is particularly true if the key information has been deleted.
Deleted Information Is Not Gone
When information is deleted from a digital device, the file itself is not erased but, rather, the computer's reference point for the file is erased. It is much like removing a card from the library's card catalogue, but not taking the book off the shelf. The computer then marks the space containing the file as available. If a large amount of data is added to the drive, there is a chance that the "deleted" file can be overwritten. However, the use of very large hard drives in most current computers makes the chance of overwriting unlikely, and fragments of documents can often be found even a year after normal computer use.
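The card-catalogue analogy above, as an added illustration in Python that is not part of the original article: a toy block device (a constructed model, not a real file system) whose "delete" only drops the catalogue entry, a keyword carve that searches unallocated blocks, and a partial overwrite showing why fragments survive. The block size, memo text and file names are all constructed.

```python
import re

BLOCK = 32  # constructed block size; real file systems use 4 KiB or more

class ToyDisk:
    """Tiny block device with a catalogue of allocated extents (a constructed
    model, not a real file system). Deleting only removes the catalogue entry."""

    def __init__(self, blocks):
        self.raw = bytearray(blocks * BLOCK)
        self.catalogue = {}   # file name -> list of block numbers
        self.free = list(range(blocks))

    def write(self, name, data):
        need = -(-len(data) // BLOCK)  # ceiling division: blocks required
        run = next((self.free[i:i + need] for i in range(len(self.free) - need + 1)
                    if self.free[i + need - 1] - self.free[i] == need - 1), None)
        if run is None:
            raise OSError("no contiguous free space")
        off = run[0] * BLOCK
        self.raw[off:off + len(data)] = data  # slack after the data is left as-is
        self.catalogue[name] = run
        self.free = [b for b in self.free if b not in run]

    def delete(self, name):
        """Pull the card from the catalogue: blocks return to the free list,
        the bytes on them are untouched until something reuses the blocks."""
        self.free = sorted(self.free + self.catalogue.pop(name))

    def carve(self, pattern, context=24):
        """Report pattern hits that start in unallocated space as (offset, snippet)."""
        free = set(self.free)
        return [(m.start(), bytes(self.raw[m.start():m.start() + context]))
                for m in re.finditer(pattern, self.raw)
                if m.start() // BLOCK in free]

def demo():
    """Write a memo, delete it, carve it back, then partially overwrite it."""
    disk = ToyDisk(8)
    disk.write("memo.txt", b"Subject: cost overruns\nWarned you on 14 March about the overruns.\n")
    disk.delete("memo.txt")
    before = disk.carve(rb"overruns")          # both copies still on disk
    disk.write("new.dat", b"X" * BLOCK)        # reuses just the first freed block
    after = disk.carve(rb"overruns")           # the copy in block 1 survives
    return before, after
```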
Another recent forensics case involved a wrongful termination suit brought against a construction company by a former employee. He had been fired due to cost overruns on the company's biggest project. The employee's suit claimed his superior directed the project into overruns and blamed the results on other employees. The documents produced by his lawyers included emails sent to the superior, which cited warnings of overruns and suggestions to avoid them.
Forensics experts were asked to investigate the former employee's computer for evidence of these emails, which the superior claimed never to have received. Examination of the computer showed pieces of the email text within the hard drive's "unallocated space," the areas where deleted information is sent. Yet the text did not appear in the former employee's email folders.
The forensics company recommended a review of the company's email servers through which the emails would have passed if they had been sent. No evidence of the emails was found.
Later, evidence of a forgery was discovered on the employee's new office computer. He had used an engineering tool to fabricate documents to look like the printout of an email. The presentation of this evidence was the turning point in the case, which was summarily dismissed.
Recent Changes to the Rules of Civil Procedure
Both lawmakers and policymakers at the national level recognize the involvement of digital devices in modern-day litigation. Recent changes to the Federal Rules of Civil Procedure indicate that the court system is recognizing the crucial importance of electronic information in the process of investigation and litigation. While the Federal Rules of Civil Procedure have changed the production of electronic information, most decisions related to its evidentiary value are defined under the Federal Rules of Evidence. These rules apply to both civil and criminal proceedings, but most challenges and decisions related to digital evidence have been made in criminal courts.
In particular, the new rules indicate that digital documents are given the same weight and status as paper documents in terms of production. These rule changes underscore the fundamental shift of modern litigation toward the inclusion of electronic information in the legal process. Although the implications of these rule changes will not be clear until they are tested in the courts, it is expected that demand will increase for properly performed data collection and digital forensics investigations. As always, the admission of digital forensics evidence into cases will continue to be governed by the Daubert rules.
Licensing Requirements
Licensing requirements for forensic examiners have yet to be standardized on a national level, but most states require some level of certification to handle evidence and perform investigations. In the majority of states, digital forensics professionals are required to obtain a private investigator license; however, three states (Alabama, Alaska, and Wyoming) have licensing requirements only in certain cities, and others (Colorado, Idaho, and South Dakota) have no licensing requirements whatsoever. Given that this is a relatively recently established field, it is likely that a national certification for digital forensics examiners is on the horizon, particularly with Federal Rule changes that all but mandate the use of such experts to handle digital information.
Most licensing organizations impose both penalties and fines if examiners do not follow the proper evidentiary handling rules. The specific injunctions vary by state but typically include both financial sanctions and the revocation of licenses. It is important to investigate the certifications required by your state when seeking a digital forensics examiner. Knowingly hiring an unlicensed person can be punished through sanctions, fines, or worse: inadmissible evidence.
As digital devices become more pervasive in the modern world, the amount of electronic information processed into the legal landscape will continue to increase. Although many attorneys and investigators have yet to use the services of digital forensics experts, digital information can assist in almost any case. The complexity of such devices and the changeable nature of such information necessitates the establishment of digital forensics examiners as a crucial addition to the forensics field.
This article is approved by the following for continuing education credit:
(ACFEI) The American College of Forensic Examiners International provides this continuing education credit for Diplomates.
(CFC) The American College of Forensic Examiners International provides this continuing education credit for Certified Forensic Consultants.
References
Arkfeld, M. (2003). Electronic discovery and evidence. Phoenix, AZ: Law Partner Publishing.
Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993).
Mac Avoy, J., & Eng, G. (2006, June 19). Litigation: Forging ahead on e-discovery [special issue]. New York Law Journal.
Ryan, D. J., & Shpantzer, G. (2005). Legal aspects of digital forensics. Retrieved April 12, 2007, from http://www-danjryan.com/Legal%20Issues.doc
Zubulake v. UBS Warburg (S.D.N.Y. 2002-2005).
Steps Taken by Computer Forensics Specialists
1. Protect the subject computer system during the examination
2. Discover all the files on the subject system
3. Recover all deleted files
4. Reveal hidden or temporary files
5. Access protected or encrypted files
6. Analyze all relevant data
7. Print out an overall analysis of the examination
8. Provide expert consultation and/or testimony
Robbins, J. (n.d.). An explanation of computer forensics. Retrieved September 5, 2007, from www.computerforensics.net/forensics.htm
Investigating Digital Devices
Digital communications seem anonymous, but quite the opposite is true. Experts are able to investigate user activity through such applications as email, instant messaging, text messaging, and even Internet telephone conversations. Some commonly investigated devices by digital forensics experts are as follows:
* computers
* Blackberries
* iPods
* automobiles
* cell phones
Gavin W. Manes, PhD, brings extensive knowledge in the field of digital forensics to his position of president of Oklahoma Digital Forensics Professionals Inc. Manes received his doctorate in computer science from the University of Tulsa (TU), where he now works as a research assistant professor. Since 1996, Manes has specialized in the fields of information assurance, computer security, and digital forensics at the Center for Information Security at TU. He has also published papers and journal articles and delivered congressional testimony in the areas of information assurance, digital forensics and telecommunications security.
Manes has briefed the White House National Security Council, and the Pentagon. For the last 2 years, he has given presentations on digital forensics at the ACFEI National Conference. In addition, he has all five National Information Assurance Education and Training Program federal information assurance certifications from the Committee on National Security Systems and the National Security Telecommunications and Information Systems Security Instruction. Manes has also worked closely with many local, state, and federal law enforcement agencies.
Manes maintains memberships in the High Tech Crime Investigation Association, Digital Forensics Working Group, Association of Computing Machinery, Oklahoma Infragard, Information Systems Security Association, and the American College of Forensic Examiners Institute. For additional information, please visit www.okdfp.com.