Computer forensics: characteristics and preservation of digital evidence

The FBI Law Enforcement Bulletin, March 2004, by Loren D. Mercer

Computer forensic science encompasses four key elements: identification, preservation, analysis, and presentation. (10) Manual handling, processing, and authenticity issues serve as the basis of the preservation aspect. Safeguards and methodologies used by computer forensic examiners must ensure the preservation of digital evidence to withstand judicial scrutiny should the matter go to trial. (11) In this regard, computer forensic examiners seek to use copies of images of original digital media for their investigations. This premise finds its basis in protecting original digital evidence from accidental damage or unintentional alteration, leaving it in the best possible state for authentication purposes. (12)

When duplicating evidence, the original needs forensically sound handling from its initial seizure until its final disposition. This requires a chain of custody to assure proper handling by qualified individuals. Also, the duplication must produce an accurate reproduction of the original. Failure to authenticate the duplicate image or copy may invalidate any results produced. The duplication process requires the examiner to protect the original from accidental alteration and to use methods and applications that assure the duplicate image will produce output that would match output from the original. Agency standard operating procedures and policy manuals delineate methods of handling and duplicating. Failure to adhere to agency policies and procedures will cause the courts to question the accuracy and reliability of the data, the examination process, and the examiner's "intellectual rigor."

For the admissibility of the evidence, courts require proof of its authenticity. Two recent U.S. Supreme Court cases, Daubert vs. Merrell Dow Pharmaceuticals, Inc., 1993 and Kumho Tire Co. vs. Carmichael, 1997, have brought the standards of forensic science and expert testimony concerning admissibility of evidence into focus. The major factor that underlies the authenticity of duplicate evidence is data set validation.

The process of validating digital data sets proves straightforward. Forensic examiners use an algorithm (13) to create a hexadecimal numeric value representing the data set. For example, in an MD5 (14) one-way hash (15) sum, a 16-character hexadecimal value is produced by the algorithm where there are 2^128 possible values. This equates to approximately 340 billion billion billion billion probable unique numbers. Theoretically, two different data set values could prove identical, but, practically, they cannot. By comparison, in cases where DNA results have identified a subject, probability tables exclude or include an individual using probabilities of one to several billion and stand accepted as unique to an individual, or a very small population of individuals, by courts. The likelihood of two identical values happening in an MD5 algorithm proves infinitely smaller. With known and tested computer forensic tools and hash algorithms, there exists a means to duplicate and authenticate digital evidence. The duplicate's authenticity can be equated to the original.
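The validation step described above, hashing the original and the duplicate image and comparing the digests, as an added Python example (not code from the article or from any forensic tool). The image bytes are constructed sample data and the function names are my own; the chunked reading mirrors how a tool would handle an image far larger than memory.

```python
import hashlib

# Acquisition tools record more than one digest for the same image; MD5 is the
# value the article discusses, and SHA-256 is included because MD5 collisions
# are now practical to construct, so a second algorithm is standard practice.
ALGORITHMS = ("md5", "sha256")


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Digest an evidence image in fixed-size chunks, returning hex strings.

    MD5 yields a 128-bit digest (32 hex characters); SHA-256 a 256-bit one
    (64 hex characters). Chunking keeps memory use flat for large images.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original: bytes, duplicate: bytes) -> dict:
    """Compare original and duplicate digests per algorithm.

    A duplicate is authenticated only when every recorded digest matches;
    a single mismatch means the copy cannot be treated as the original.
    """
    orig, dup = hash_image(original), hash_image(duplicate)
    return {name: orig[name] == dup[name] for name in ALGORITHMS}


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one bit changed at offset (simulates an
    accidental alteration during handling, e.g. a write to the media)."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)


# Constructed sample "image": a repeating sector-like pattern, 64 KiB in size.
SAMPLE_IMAGE = (b"\x55\xAA" + bytes(range(256)) * 2) * 128

if __name__ == "__main__":
    faithful_copy = bytes(SAMPLE_IMAGE)          # bit-for-bit duplicate
    damaged_copy = flip_one_bit(SAMPLE_IMAGE, 4097)  # one bit differs
    print("faithful:", verify_duplicate(SAMPLE_IMAGE, faithful_copy))
    print("damaged: ", verify_duplicate(SAMPLE_IMAGE, damaged_copy))
```

Running the script shows every digest matching for the faithful copy and every digest differing for the copy with a single flipped bit, which is exactly why the examiner records the original's hash before any examination begins.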
