Practical Digital Forensics

By: Richard Boddington

Overview of this book

Digital forensics is a methodology that draws on a range of tools, techniques, and programming languages. This book gets you started with digital forensics and then moves on to preparing an investigation plan and a toolkit for the investigation. You will explore new and promising forensic processes and tools based on 'disruptive technology' that offer experienced and budding practitioners the means to regain control of their caseloads. During the course of the book, you will learn the technical side of digital forensics and the tools needed to perform it. The book begins with a quick insight into the nature of digital evidence, where it is located, and how it can be recovered and forensically examined to assist investigators. It then takes you through a series of chapters that look at the nature and circumstances of digital forensic examinations and explain the processes of evidence recovery and preservation from a range of digital devices, including mobile phones and other media. A range of case studies and simulations will allow you to apply the theory to real-life situations. By the end of the book you will have gained a sound insight into digital forensics and its key components.
Table of Contents (18 chapters)
Practical Digital Forensics
Credits
About the Author
Acknowledgment
About the Reviewer
www.PacktPub.com
Preface
Index

Understanding the history and purpose of forensics – specifically, digital forensics


Forensic evidence is used in courts of law and in other forms of legal adjudication, although some purists do not regard forensics as a science in its own right. The term can be misleading: it is better applied to the technologies and methods that serve particular sciences in a legal setting than to those sciences themselves. Forensics has many areas of specialization, including the questioned document examiner, forensic dentist, civil engineer, auto crash investigator, entomologist, fingerprint expert, and crime scene reconstruction expert.

The origin of forensics

In 1879, Paris police clerk Alphonse Bertillon introduced a process of documenting crime scenes by photographing corpses and other evidence left behind at the scene. Bertillon's novel photographic records of crime scenes, together with his precise cataloging and measurement of corpses, provided the foundation for the forensic science of sudden deaths and homicides. His methods assisted in identifying the deceased and provided important information during postmortems for determining the circumstances of the events leading up to the death.

Bertillon espoused a radical notion in criminal investigation at the time, positing that science and logic should be used to investigate and solve crime. His scientific work greatly influenced one of his followers, Edmond Locard.

Locard's exchange principle

Locard's exchange principle is a fundamental forensic tenet based on the common exchange of physical traces at a crime scene. For example, fingerprints or DNA traces may be left at the scene, or gunpowder residue from a gunshot may spread onto an attacker's clothes. Although circumstantial by nature, these traces help reconstruct what occurred at the crime scene and may identify those present. We will see how this principle also applies to digital forensics throughout the book.

The oft-cited principle is usually given as "A criminal action of an individual cannot occur without leaving a mark," or, more succinctly, "Every contact leaves a trace." Inman and Rudin (2001, p. 44) state it more meaningfully: no one can act with the force that a criminal act requires without leaving behind numerous signs of it. Either the wrongdoer has left signs at the scene of the crime or has taken away with him, on his person or clothes, indications of where he has been or what he has done.

Although forensic analysis has developed considerably since the time of Bertillon and Locard, they introduced three core concepts that were major advances in criminal justice and that still assist investigators today: crime scene documentation, suspect identification, and the discipline of trace analysis.

Unless there is some actual evidence, no hypothesis is of any use and it is as if there had been no crime. Unless a perpetrator may be identified through some valid process and placed at the crime scene via unadulterated evidence, the case cannot ultimately be solved. These principles are foremost in forensics and, of course, apply just as importantly to digital forensic examinations.

The evolution of fingerprint evidence

The next milestone in forensic science relates to fingerprint evidence. Fingerprints have been used on Chinese legal documents for centuries as a proof of identity and the authenticity of the documents. However, it was not until the end of the nineteenth century that Edward Henry devised a workable classification system and implemented it in India in 1897, publishing his book, Classification and Uses of Fingerprints, in 1900. The following year, Henry's classification was introduced to the London Metropolitan Police; later that year, it was fully functional at the Fingerprint Office at New Scotland Yard, with the first court conviction by fingerprint evidence being obtained in 1902.

However, the reliability of fingerprint evidence has recently been challenged in a number of jurisdictions, with concerns over the lack of valid standards for evaluating whether two prints match. No uniform process exists for determining a sound basis for confirming identification based on fingerprint examinations. Some examiners rely on counting the number of similar ridge characteristics on the prints, but there is no fixed requirement about the number of points of similarity, and this varies significantly in different jurisdictions. Some courts in the USA have gone as far as to state that fingerprint identification is not based on sound forensic science principles. Similar criticism about the lack of standardization and scientific research has been directed at digital forensics, a far newer discipline.

DNA evidence

Deoxyribonucleic acid (DNA) carries the inherited characteristics of each person, and recent scientific developments allow it to be used for identification. DNA evidence can be extracted from a range of samples, such as saliva, used postage stamps and envelopes, dental floss, used razors, hair, clothing, and, more recently, fingerprints. This form of evidence has gained much publicity, with DNA samples recovered from a crime scene being compared with a sample from a suspect to establish a reliable and compelling match between the two. DNA evidence was first used to secure a conviction by matching a sample recovered from the scene with one obtained from the suspect in 1987. Since then, it has brought to account many transgressors who might otherwise have remained beyond the reach of the law. It has also been used to reopen "cold cases" and, conversely, to prove the innocence of many wrongly convicted persons.

Because of the complexity of DNA evidence, juries were at first hesitant to accept DNA evidence as conclusive. As the discipline evolved, DNA evidence became more readily accepted in court. More recently, courts have been confronted with challenges to DNA evidence. Defense lawyers have claimed that DNA was planted at the scene to implicate the defendant or that the forensic collection or examination of the sample contaminated the evidence, rendering it inadmissible.

The probability of a sound match between the suspect and the crime scene sample has been called into question by the phenomenon of touch DNA: genetic material left behind on many surfaces by ordinary contact. Secondary transfer is common. An innocent party's DNA may pass to the offender's hand during a handshake and later be inadvertently deposited on the murder weapon. Through this form of contamination, up to 85% of swabs have been reported to recover traces of persons who never handled the weapons in question.

The onus is now squarely placed on the practitioner to determine the relevance of recovered samples and the history of how they came to be on the artifacts recovered from the crime scene. It is also incumbent on practitioners to help determine the antecedents of recovered DNA to ensure that the evidence does not implicate innocent parties. Evidence only tells part of the story. The fact that DNA is found at a location and/or on an implement tells us only that this is where the DNA was found; it tells little else. It does not always tell us when the person was there, nor does it guarantee that the person was there, only that their DNA was. It does not tell us what they were doing if it is established that they were in fact present. All too often, evidence is just evidence, and we interpret the results to meet our expectations or achieve our desired outcomes. The problems created by cross-contamination of evidence in the context of digital forensics are discussed in greater detail in Chapter 4, Recovering and Preserving Digital Evidence.

The basic stages of forensic examination

Some order is required when commencing any type of investigation, and forensic science has some key objectives that must be met. Preserving the crime scene is the primary objective because if the evidence is contaminated, lost, or simply not identified and overlooked, then all that follows may be of limited value to the investigators putting together the case evidence.

Recognizing the evidence and identifying where it is located and knowing just where to look can only enhance the outcome of an examination. This requires practitioner skills, knowledge, and experience. Once located, evidence needs to be collated and classified. This brings order to the examination and makes it easier for practitioners to ensure that nothing is overlooked and that the inclusion of recovered artifacts is correctly classified as relevant evidence.

Evidence cannot be viewed in isolation and should be compared with other evidence, and corroborating evidence should be identified. Then it should be described in scientific terms that can highlight the evidence with clarity so that a helpful reconstruction of the events may be presented.
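The preservation stage described above has a direct digital counterpart: fixing the state of an acquired image with a cryptographic hash at the moment of collection, and re-verifying that hash before every later stage so that a contaminated or altered copy is detected rather than examined. The following Python block is an added illustration of that idea and is not code from the book; the evidence bytes, item identifier and custody record format are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample "evidence": a byte string standing in for an acquired disk image.
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4


@dataclass
class CustodyRecord:
    """Minimal chain-of-custody entry: what was acquired, its hash, and every later check."""
    item_id: str
    sha256: str
    acquired_at: str
    events: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def preserve(item_id: str, data: bytes) -> CustodyRecord:
    """Preservation stage: record the hash of the evidence as acquired.

    Everything that follows (recognition, collation, comparison) is only
    meaningful if it is performed on data that still matches this hash.
    """
    record = CustodyRecord(
        item_id=item_id,
        sha256=sha256_hex(data),
        acquired_at=datetime.now(timezone.utc).isoformat(),
    )
    record.events.append(("acquired", record.sha256))
    return record


def verify(record: CustodyRecord, data: bytes) -> bool:
    """Re-hash a working copy before examination and log the outcome.

    Returns False when the copy no longer matches the preserved original,
    which is the "contaminated or altered" failure mode the text warns about.
    """
    current = sha256_hex(data)
    ok = current == record.sha256
    record.events.append(("verified" if ok else "integrity-failure", current))
    return ok


def examine_if_intact(record: CustodyRecord, data: bytes) -> str:
    """Gate the later stages on the preservation check."""
    if not verify(record, data):
        return f"{record.item_id}: examination refused, hash mismatch"
    # Placeholder for recognition/collation work on verified data.
    return f"{record.item_id}: examination may proceed on {len(data)} verified bytes"


if __name__ == "__main__":
    rec = preserve("ITEM-001", SAMPLE_IMAGE)
    print(examine_if_intact(rec, SAMPLE_IMAGE))
    # Simulate contamination: a single changed byte in the working copy.
    tampered = SAMPLE_IMAGE[:-1] + b"\x01"
    print(examine_if_intact(rec, tampered))
    for event in rec.events:
        print(event)
```

In practice the hash would be computed over the acquired image file (or device) in streamed chunks rather than over an in-memory byte string, and the custody record would be signed or stored separately from the image so that an alteration cannot simply be accompanied by an updated hash.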

Digital forensics is still in its infancy, and non-standardized processes are common in some civil and criminal investigation agencies. Standards, if they do exist, vary significantly in different jurisdictions. Various digital forensic investigation models are in use, showing slightly different stages in the examination process; however, there is no universal standard model used by practitioners.

Injustices based on faulty or misleading forensic evidence are not a recent phenomenon. In the United Kingdom during the past 30 years, for example, some high-profile miscarriages of justice occurred, including the cases of the Birmingham Six, the Guildford Four, and Sally Clark, each resting on failings by the expert witness. Background information on the Clark case may be accessed at http://netk.net.au/UK/SallyClark1.asp.

These and similar cases that resulted in the conviction of innocent persons cast serious doubt on the credibility and authority of forensic practitioners and their expert evidence. The forensic issues surrounding the Azaria Chamberlain case at Ayers Rock, more than 30 years ago, had profound implications for the quality of forensic practice here in Australia and repercussions in other jurisdictions.