Computer forensics: characteristics and preservation of digital evidence
The FBI Law Enforcement Bulletin, March 2004, by Loren D. Mercer
In San Diego County, California, forensic experts examined a laptop computer for evidence of notes used in the robbery of several local banks--a university professor later would plead guilty to bank robbery charges and receive 9 years in prison, even though the laptop contained no saved notes. (1) In another case, a Navy enlisted man faced a dishonorable discharge and time in the brig for possession of child pornography after the discovery of floppy disks in a backpack he inadvertently left on a dock at muster. These cases and many more, handled by computer forensic examiners every day, have convicted scores of criminals who committed or stored information pertaining to their crimes with computers and other digital devices. (2) Such criminal acts now transcend traditional business crimes.
Criminals commit few crimes today without involving a computing device of some type. This puts a strain on computer forensic examiners who have the training, skills, and abilities to properly handle digital evidence. Law enforcement agencies take different avenues of addressing this increasing load of computer evidence that requires examination to close cases. Many train a few of their law enforcement officers. Some train professional support technicians. Increasingly, agencies send their work to local or regional computer forensic laboratories. Regardless, an understanding of the proper evidentiary foundations for admission of computer-related evidence proves necessary for the courts to have confidence in the material ultimately presented.
Uniqueness of Computer Digital Evidence
In 1948, well-known mathematician Dr. Claude Shannon outlined mathematical formulas that reduced communication processes to binary code and calculated ways to send them through communications lines. (3) Since then, computers and other digital computing devices have used encoding methods based on the binary numbering system.
Computers allow criminals to remain relatively anonymous and to invade the privacy and confidentiality of individuals and companies in ways not possible prior to the advent of the computer age. "Evidence of these crimes is neither physical nor human, but, if it exists, is little more than electronic impulses and programming codes." (4) This evidence can take the form of data digitally stored as text files, graphics files, sounds, motion pictures, databases, temporary files, erased files, and ambient computer data dumped on the storage device by the operating system or application program. If someone opened a digital storage device, they would see no letters, numbers, or pictures on it. Therefore, "understanding how a computer stores data is basic to understanding how sensitive that data is to inadvertent contamination and how important a chain of custody becomes when testifying to the 'originality' of the evidence." (5)
Storage of Data
"Digital electronics involves circuits and systems in which there are only two possible states. The states are represented by two different voltage levels: a high or a low level. The two-state number system (base 2) is called binary, and its two digits are 0 and 1. A binary digit is called a bit." (6) Because reading strings of zeros and ones severely limits the number of people capable of reading a digital device and to accommodate letters, punctuation, and special characters, another decimal numbering system began--the hexadecimal, or base 16, (7) system. The hexadecimal numbers express the binary values stored on a device. At a minimum, a truly readable alphanumeric code must represent 10 decimal digits and 26 letters, or 36 items. However, the inclusion of punctuation, symbols, and computer control codes requires a seven-bit code ($2 \times 2 \times 2 \times 2 \times 2 \times 2 \times 2$) yielding 128 combinations, or $2^{7} = 128$. The complete expression of binary information encompasses eight bits, with one sign bit and seven magnitude bits, (8) giving 256 possible combinations. This eight-bit binary number represents one byte. Of the alphanumeric codes, the American Standard Code for Information Interchange (ASCII) serves as the most widely used.
Although more complicated, hexadecimal numbering provides a way to input data into the computer that makes sense to the average person. After entry, computers write and read data to digital media by a "read-write" head controlled by the microprocessor. For example, a computer may store data as minute magnetized regions along a track of a floppy disk. Other storage devices exist that store data in a different fashion, but all read the binary data as a zero or a one.
Computer evidence has both a physical component (the storage media) and a nonphysical component (electronic impulses and magnetic orientation). By its nature, digital evidence proves susceptible to alteration, either inadvertently or purposely. "It is a product of the data stored, the application used to create and store it, and the computer system that directs these activities." (9)
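The storage model described above, carried through as an added example that is not part of the original article: a short note is encoded as ASCII, shown in hexadecimal and binary, and then altered by a single bit. The sample text is constructed, and comparing SHA-256 digests to reveal the change is an assumption of this example, not a procedure the article describes.

```python
import hashlib

# Constructed sample text standing in for data held on a storage device.
SAMPLE_TEXT = "Meet at the dock at 0600."

def to_ascii_bytes(text):
    """Encode text as ASCII; every character fits in seven bits (0-127)."""
    data = text.encode("ascii")
    assert all(b < 128 for b in data)
    return data

def hex_view(data):
    """Hexadecimal rendering: two hex digits per eight-bit byte."""
    return data.hex(" ")

def bit_view(data):
    """The same bytes as the zeros and ones the device actually holds."""
    return " ".join(f"{b:08b}" for b in data)

def flip_bit(data, byte_index, bit_index):
    """Return a copy with one bit inverted, modelling an inadvertent change."""
    altered = bytearray(data)
    altered[byte_index] ^= 1 << bit_index
    return bytes(altered)

def fingerprint(data):
    """SHA-256 digest of the data (assumed integrity check, see lead-in)."""
    return hashlib.sha256(data).hexdigest()

def differing_bits(a, b):
    """Count the bit positions at which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

if __name__ == "__main__":
    original = to_ascii_bytes(SAMPLE_TEXT)
    altered = flip_bit(original, 0, 0)  # 'M' (0x4d) becomes 'L' (0x4c)
    print(hex_view(original[:4]), "|", bit_view(original[:4]))
    print(original.decode(), "->", altered.decode())
    print("bits changed:", differing_bits(original, altered))
    print("digests match:", fingerprint(original) == fingerprint(altered))
```

One inverted bit out of 200 changes the readable text and produces a completely different digest, which is why a copy of the media can be checked against a value recorded at acquisition.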
Preservation of Computer Forensic Evidence


