In a two-part article, Ian Kennedy lifts the lid a little on this relatively unknown speciality and aims to describe some of the processes followed in conducting the electronic autopsy.

The popularity of TV shows such as CSI and true crime shows that portray forensic science in action have long held a fascination for audiences for the simply amazing conclusions that can be drawn from what seems so little evidence.

Little wonder then that the relatively new field of digital forensics holds and equal, if not greater attraction to people owing to the huge integration digital devices have with our own daily lives.

Digital forensics is a relatively new speciality within the field of forensic science. It is so new in fact that there is some debate as to what it should even be called. A quick browse of the internet or a well stocked book shop will reveal names such as cyberforensics, computer forensics, Windows forensics and intrusion forensics. These are just a few of the most common.

The Oxford English dictionary derives the term forensic from the Latin, forensis meaning 'before the forum'. It goes on to define it as meaning, 'of, pertaining to, or used in a court of law, now specifically in relation to the detection of crime'.

Expanding on this, the term computer forensics places the context of both the crime and the investigation specifically on a computer. Retired FBI Special Agent Mark Pollitt defined this term, in his book: 'Computer Forensics - an approach to evidence in cyberspace, as application of science and engineering to the legal problem of digital evidence'.

Increasingly though, digital devices other than personal computers are either the target of a crime or are being used to assist in the commission of a crime.

Mobile phones, digital cameras, personal data assistants (PDAs) and even iPods are currently the gadgets of choice for the technically savvy criminal. Digital forensics therefore, encompasses such devices and of course the internet along with computers.

How a digital device becomes involved in a crime

Crimes committed using a digital device essentially employ a hi-tech method to carry out what is usually a traditional crime. Thus, crimes such as blackmail which traditionally evoke images of newspaper cuttings collaged together to create the archetypal ransom note nowadays employ computers to produce the ransom note, be it a printed document or an email.

Examples of other traditional crimes where a digital device has been applied include instant messaging, which can used to commit harassment; email, which is applied to commit fraud though 'phishing' scams; mobile phones to record assaults in what has come to be known as 'happy slapping' and then there are the peer to peer file sharing programs such as Limewire and Kazaa which have been used extensively to download and distribute pictures portraying paedophilia.

The list, it seems, is endless and so is the workload on any hi-tech crime unit to deal with such cases.

Not all crimes committed using a digital device use it as a means to an end. Hacking a computer system without authority is a crime targeted at the computer system itself. So to is a denial of service (DOS) attack on a websites or the intentionally distribution of a virus.

Stages of a forensic examination

From a prosecution point of view a forensic examination of a digital device is generally considered to be conducted in four primary stages. These being the acquisition, identification, evaluation and presentation.

The acquisition is concerned with the forensically sound capture of the data. A digital device involved in a crime is effectively a crime scene in its own right, which needs to be secured just as much as a murder scene.

Like fingerprint and DNA evidence, digital evidence is fragile and easily lost if appropriate precautions are not followed. Horror stories of over zealous police officers switching on digital cameras to look for evidence or conducting virus scans on floppy discs prior to submitting them for a forensic examination still haunt those of us working in the field.

The location the exhibit was found and seized is also an important factor to record, as it can reveal a great deal about the intent of the suspected offender. Was the wireless device hidden beneath floorboards or was it in an open access area like a living room?

One of the most important aspects of the acquisition stage is the process of forensically copying the data off the digital device.

The accepted best practice to achieve this is to use a hardware write-blocking device. This is a device that sits between the evidence disk and the forensic workstation. It is designed to stop all write signals being passed from the computer to the disk, hence preserving the data contained on the disk.

The identification recognises that a single exhibit can be interpreted from a number of perspectives.

A computer with two hard disks, for example, can be initially considered at a physical level in terms of a base unit, disk 1 and disk 2. Examples of the properties that are of interest from this perspective are the system date and time on the base unit, the number of sectors on both disks and whether any hidden sectors reside on either disk.

At a logical level, the partitions present, the type and structure of the file system are also of interest and can reveal a lot about the knowledge of the owner. Finally, the identification stage considers the context within which any evidence is found.

A good example of this is when a credit card number that is sought is found in the area of a hard disk where files once resided, known as unallocated clusters. Here, ghosts of former files reside in part or even in full and identifying their original context (eg: was the card number in the content of an email?) is crucial if the evidence is to be exhibited for use in Court.

The evaluation is where a decision on the relevance of the find is made. To do this an understanding of how the data was produced, when and by whom must be made. It is at this stage that the common defence of Trojans and pop-ups in internet browsing related offences can be discounted.

The presentation is where the interpretation of the raw data and the reconstruction of events that occurred on the exhibit prior to its seizure are undertaken.

The report must be both technically concise and written for the lay person if it is to be understood by the Court. The author of the report must be prepared to be questioned and perhaps even defend their findings in a Court of Law.

Best practice principles

The Association of Chief Police Offices (ACPO) of England, Wales and Northern Ireland published a Good Practice Guide for the recovery of computer-based evidence. In this document they identify four primary guidelines:

Principle 1: No action taken that would change data held on an exhibit

Principle 2: Where a person finds it necessary to access original data held on an exhibit that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail of all processes applied to an exhibit should be created and preserved. This should be repeatable to an independent third party.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

These principles influence many of the procedures followed when examining a digital device. Some of these procedures are explored in part 2 of this article.

What next?

Part 2 of this article looks at what traces of activity can be found on the average Windows PC. What needs to be demonstrated to a Court of Law to prove a crime was committed is also discussed.

Ian Kennedy MBCS CITP CEng is forensic computer analyst for Kent Police.