Forensic Science Guide: Examining Computer Evidence

Here is a guide to examining criminal evidence from computers: time and date stamps on e-mails, photo images, logon and logoff records, and hundreds of similar pieces of computer data. This type of information can help law enforcement agencies reconstruct crimes and identify criminals in the course of an investigation. Please refer to our other information on different topics in forensic science as you continue your studies in the field.

The use of computer data as evidence raises special concerns that are at odds with traditional crime forensics. Computer forensics requires adherence to evidence procedures, but those procedures must be flexible according to the situation. Computer forensics approaches evidence in a different way, and that difference must be acknowledged when creating and using evidence. And computer forensics personnel and procedures must be more concerned with the civil rights of people who are not part of an investigation.

With the invention of computers and electronic technology, the use of this technology to find and apprehend criminals followed close behind. This use of technology was applied in several ways. Some technology, like cell phones, is used by criminals just as it is by law-abiding people. Other applications, like phishing e-mails or computer hacking, are criminals' use of computers for deliberately illegal acts. Of course, these uses of computers in crimes have come on slowly, always lagging behind the actual invention and usually the adoption of the technology. Computers, software, and other technologies are created with at least one use in mind. So, much as it took some time and thinking to use a cell phone as a note pad, calendar, and rolodex, it can take some time to realize a technology's potential for crime and apply it. But once the technology is applied to crime, law enforcement must catch up. This is not to say that law enforcement does not try to anticipate and stay ahead of the use of technology in crimes, but it is always a matter of adaptation: law enforcement agencies cannot think of every possible use and block it, any more than they can anticipate a crime before it happens and arrest the criminal before he or she has committed it.

But as technologies have become common, law enforcement has made use of them when it can, even creating tools specifically for law enforcement applications. And it takes note of what technologies criminals use and how they use them, in an effort to turn those tools against them. To this end, computer forensics has been created. Criminals make phone calls, send texts and e-mails, and surf the web. Computer forensics can find these calls, texts, e-mails, and websites and see what they can tell law enforcement about the criminals, any associates, and their activities. While computer forensics was once done on a technically savvy police officer's desk, there are now specialists and entire labs dedicated to this work. Ironically, as the technology advances, some if not much of the work in computer forensics is moving back to the individual officer's desk, or car, or even pocket. For some computer forensics work an officer no longer has to send a computer or cell phone to a lab and wait for a report. Portable hardware and inexpensive software can help an officer bypass password security on a suspect's phone or computer and quickly scan heretofore daunting amounts of data, finding relevant information in less time than sending the device to a lab would take, especially as computer forensics labs become important to more investigations and their resources are stretched. But as technology changes and improves, and criminals apply that technology to crimes, law enforcement has several more problems than just keeping up with the criminals and their new uses of technology. For starters, law enforcement must recognize that computer forensics is different from traditional forensics.

Traditional forensics includes collecting fingerprints, collecting blood samples or other tissues left at crime scenes or on objects associated with the crime, tracing something associated with a crime, like gunpowder residue, back to a suspect, or anything else that can link a criminal to a crime. This is anything that does not rely on witnesses. The difference between computer forensics and traditional forensics lies in the similarity of the evidence. Fingerprints, for example, no matter who made them, are all collected in approximately the same way: a special dust is applied to an area to bring out the oils that form the outline of a person's fingerprint, a brush is used to smooth the application of dust and remove the excess, and a piece of something similar to tape is applied over the dusted fingerprint, which transfers the dust to the tape and takes the image of the fingerprint with it. With computer evidence, there is no such uniformity. One concern is what type of hardware is involved. A desktop is different from a laptop, which is different from a mainframe, which is different from a PDA, which is different from a cell phone. The list is almost endless when you add flash drives, DVDs, iPods, and just about anything else you can think of that can store information. And this list of hardware variables leads to the software side.

Computer forensics experts must consider what operating system is running on the computer that holds the evidence: PC, Mac, UNIX, or a couple of lesser operating systems are the options. If the evidence is on a cell phone, there are still more operating systems for those. There could be a partitioned system or a removable SIM card. And this is just one layer of software. There is also the question of which application holds the evidence. If the application is Word or Excel, that is less of a problem, but fewer law enforcement agents are likely to be familiar with using a SQL Server or Oracle database system. If a criminal actually wants to hide evidence, an old or esoteric computer program might be as effective, legally, as password protection. And there is the problem of built-in security: passwords backed by programming that locks the system, or even destroys data, if the password is entered incorrectly. The electronic damage or destruction of data is something like shredding documents. In some instances the data can be recovered, but there is less certainty that all of it has been gathered. It is better not to have to recover the data, if possible. These are some of the broad descriptions of the problems facing a computer forensics expert. Think of the problems involved in using a computer that is supposed to cooperate, and then think what problems there might be if someone wants to take away even that cooperation. This leads to another problem in computer forensics: procedure.

Many professionals rely on procedure to help prevent simple errors, or errors in complicated processes. Airline pilots have checklists; doctors have procedures for illnesses and symptoms; and law enforcement has procedures and patterns to protect crime scenes and evidence. Computer forensics is still relatively new in many law enforcement fields, and procedures are being developed and used, but this relatively new field may not yet have encountered most of its problems, both legal and technical. Computers used to be just another piece of evidence, but getting valuable information from a bullet casing does not follow the same process as getting valuable information from a protected computer system. Computers cover such a range of types, in hardware and software, that getting information from any two computers is not like getting information from, say, any two bullets. Like fingerprints, bullets are more like each other than unlike. Even a jacketed rifle bullet and a lead pistol bullet are still more alike than any two random computers. Computers must be treated much more individually than almost any other form of evidence. Just as a blood sample and a hair sample require different tests, all computer hardware and software combinations cannot be treated the same way and expected to give up all the data they contain.

So computer forensics needs procedures for the same reason other experts use procedures: to prevent simple errors, or errors in complicated processes. But with the range of problems in uncovering evidence from computers, these procedures must be flexible, which is part of the reason the procedures were not easily created when computers were first introduced and it became apparent police would have to treat them as evidence. Another part of the procedure problem is how computer forensics experts obtain data as evidence. Traditional forensics experts have to analyze the evidence they collect to associate it with a crime or criminal. This is because our fingerprints do not cooperate and carry our name and social security number on them. So fingerprint experts compare the swirls and loops (through a computer system and national database now, but by eye until recently) and make an assertion, to some percentage based on how much of a fingerprint and how many fingerprints they found, that the fingerprints are from John Smith; then they can look up his other information. The same analysis is done with paint residue and DNA samples. For example, DNA can be discerned to within a couple of people out of millions, but there is frequently a question of blood relations or twins or other possibilities that make identifying a person by DNA very strong but not absolutely certain. This is why the process of matching a blood sample to a person or a paint scratch to a car is called analysis: there is no utter certainty.

Computer forensics is unlike this. Information from a computer system, whether a laptop, mainframe, or cell phone, is not analyzed. Commonly, no analysis is done. The information is information. Cell numbers, texts, spreadsheets, e-mails, and documents of any kind are extracted from the computer, and that is usually the end of the computer forensics expert's involvement. The computer or cell phone might be treated as evidence in another way, fingerprinted or traced as an item bought with a credit card, to associate it with a suspect, and then the data gathered from the computer is applied against him or her in a court of law. One situation in which a computer forensics expert might be called on to analyze is to help prove that software was created by a suspect. Writing experts can associate a writer with his or her writing through analysis of word choice, punctuation, and style. A computer forensics expert, assuming he or she is also a computer programming expert (which is not a foregone conclusion), might similarly be able to associate a programmer with a program he or she wrote through the syntax and other styles of programming. But, as with associating a person with a program through less than direct evidence such as fingerprints, the computer forensics expert, like all law enforcement, must pay attention to protecting the civil rights of both the suspect and other citizens.

In searching for evidence of a crime or a connection to a crime, a computer forensics expert has a responsibility not to collect information from people who have nothing to do with the suspect. In fact, a warrant allowing a computer forensics expert to look into a cell phone, computer, or mainframe will specify something to the effect that only certain information relating to a specified suspect or suspects is to be considered and reviewed. Other information, say on a company's mainframe or a small company's computer, is not allowable, and if evidence of another crime is found, that evidence will be inadmissible in court because it was found without a legal warrant. This is the line a computer forensics expert must walk. Information relating to the crime or suspect must be reviewed and collected, but none of the information not relating to what is listed on the warrant.

This is particularly difficult because on many small business or household computers, many people have personal or work-related files. At his or her best, a computer forensics expert should act like a traditional forensics expert, who is supposed to note all the fingerprints of people at a crime scene and then eliminate those who cannot be subjects, or who are not the established suspect. So a computer forensics expert might be allowed to review all the material in order to find only the information pertinent to the investigation; however, this is similar to police investigations that go out and look into the backgrounds of people whose fingerprints are found at a scene. When police are following leads from a crime scene, they might uncover some unrelated but embarrassing or even illegal activities. This sort of unwarranted (literally) investigation is always a question of a person's civil rights, and a concerning move towards simply investigating people at random to see if they are guilty of something.

In the case of computer forensics the questions of civil rights are even sharper and more troubling. Computer forensics not only finds leads or suggests lines of inquiry; it finds whole files and documents of illegal activities. It finds the proof that someone, a user of a computer, mainframe, laptop, or cell phone, has been doing something illegal. There is less opportunity for police to realize that the person they are investigating is not a suspect in their case before they uncover evidence that forces them to continue investigating, or even to arrest the person, regardless of his or her involvement, or lack of it, in the case they began investigating. Child pornography is an example of something unrelated that might be on a computer and would force police to acknowledge it and arrest anyone associated with the computer being reviewed, even if the pornography had nothing to do with the embezzlement case they were checking into and the person who had the pornography had no involvement in the embezzlement. So much information is instantly available when someone's computer system is opened for viewing. This is why the civil rights of those who are only associated with a computer system have to be considered and respected. Otherwise, a suspect in one crime becomes tantamount to legal authority to see what anyone who is connected to a computer or computer system is involved in, whether it has any bearing on the crime in question or not.

The topics we have covered are the problems and top concerns of computer forensics experts. Computer forensics experts and associated law enforcement officials must recognize the differences in the kinds of information retrieved through computer forensics versus traditional forensics; computers provide far more data in a blink than mere fingerprints do. Computer forensics and its experts must have procedures to protect evidence and legally prove the guilt of a suspect, but the complexity of available computer systems means that the procedures must be flexible enough to allow the changes necessary to actually obtain the data, rather than destroying it in a vain effort to merely follow protocol. Law enforcement must realize that computer forensics approaches evidence collection in a much different way than traditional forensics; computer forensics has no need to associate information with a suspect or any person; it is only a matter of getting the data out of a computer system in a form that is comprehensible and correct for people. Finally, computer forensics experts and other law enforcement personnel must protect the rights of anyone who has data on a computer system under investigation, because, given the amount of detail computer data provides, a lack of respect for privacy in unrelated matters can turn an investigation of one crime into many.
