Recovering, Examining and Presenting Computer Forensic Evidence in Court


The world is becoming a smaller place in which to live and work. A technological revolution in communications and information exchange has taken place within business, industry, and our homes. America is substantially more invested in information processing and management than manufacturing goods, and this has affected our professional and personal lives. We bank and transfer money electronically, and we are much more likely to receive an E-mail than a letter. It is estimated that the worldwide Internet population is 349 million (Commerce Net Research Council 2000).
In this information technology age, the needs of law enforcement are changing as well. Some traditional crimes, especially those concerning finance and commerce, continue to be upgraded technologically. Paper trails have become electronic trails. Crimes associated with the theft and manipulations of data are detected daily. Crimes of violence also are not immune to the effects of the information age. A serious and costly terrorist act could come from the Internet instead of a truck bomb. The diary of a serial killer may be recorded on a floppy disk or hard disk drive rather than on paper in a notebook.

Computer Forensic Science

Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
Rather than producing interpretative conclusions, as in many forensic disciplines, computer forensic science produces direct information and data that may have significance in a case. This type of direct data collection has wide-ranging implications for both the relationship between the investigator and the forensic scientist and the work product of the forensic computer examination.
Conversely, computer forensic science, to be effective, must be driven by information uncovered during the investigation. With the average storage capacity in a personally owned microcomputer approaching 30 gigabytes (GB; Fischer 1997), and systems readily available that have 60-GB storage capacity or more, it is likely to be impossible from a practical standpoint to completely and exhaustively examine every file stored on a seized computer system. In addition, because computers serve such wide and varied uses within an organization or household, there may be legal prohibitions against searching every file. Attorney or physician computers may contain not only evidence of fraud but probably also client and patient information that is privileged. Data centrally stored on a computer server may contain an incriminating E-mail prepared by the subject as well as E-mail of innocent third parties who would have a reasonable expectation of privacy.
As difficult as it would be to scan a directory of every file on a computer system, it would be equally difficult for law enforcement personnel to read and assimilate the amount of information contained within the files. For example, 12 GB of printed text data would create a stack of paper 24 stories high. For primarily pragmatic reasons, computer forensic science is used most effectively when only the most probative information and details of the investigation are provided to the forensic examiner. From this information, the examiner can create a list of key words to cull specific, probative, and case-related information from very large groups of files. Even though the examiner may have the legal right to search every file, time limitations and other judicial constraints may not permit it. The examination in most cases should be limited to only well-identified probative information.
However, computer forensic science, unlike some of its traditional forensic counterparts, cannot rely on receiving similar evidence in every submission. For instance, DNA from any source, once cleared of contaminants and reduced to its elemental form, is generic. From that point, the protocols for forensic DNA analysis may be applied similarly to all submissions. The criminal justice system has come to expect a valid and reliable result using those DNA protocols. For the following reasons, computer forensic science can rarely expect these same elements of standardized repetitive testing in many of its submissions:
  • Operating systems, which define what a computer is and how it works, vary among manufacturers. For example, techniques developed for a personal computer using the Disk Operating System (DOS) environment may not correspond to operating systems such as UNIX, which are multi-user environments.
  • Applications programs are unique.
  • Storage methods may be unique to both the device and the media.
Typical computer examinations must recognize the fast-changing and diverse world in which the computer forensic science examiner works.
Recovering and Discovering Information

It is now black letter law that information generated and stored on computers and in other electronic forms is discoverable. It is estimated that as much as 30 percent of the information stored on computers is never reduced to printed form. Moreover, the electronic version of a document usually contains information that simply does not appear in the printed version. As a practical matter, finding the information stored on computers is becoming an important part of the discovery process.
Many lawyers now ask for electronic evidence, especially e-mail, as a routine part of their discovery efforts. However, as a practical matter, most lawyers have little or no experience in collecting and analyzing the data they request. In this Paper we analyze some ways on how to collect the relevant data, and how to assure that data collected can be authenticated and admitted as evidence.

1. Send a preservation of evidence letter.

 Because the information stored on computers changes every time a user saves a file, loads a new program, or does almost anything else on a computer, it is critical that you put all parties on notice that you will be seeking electronic evidence through discovery. The sooner the notice is sent the better. The notice should identify, as specifically as possible, the types of information to be preserved and explain the possible places that information may exist.3 If necessary, obtain a protective order requiring all parties to preserve electronic evidence and setting out specific protocols for doing so.

2. Include definitions, instructions, and specific questions about electronic evidence in your written discovery. This is a continuing process, with three objectives to accomplish:

First, use a series of interrogatories to get an overview of the target computer system. These interrogatories will be followed up by a 30(b) (6) deposition of the information systems department.
Second, all requests for production should make clear that you are requesting electronic documents as well as paper. You can do this through defining documents to include items such as data compilations, e-mail, and electronically stored data. You should also draft requests that specifically ask for different types of computer-based evidence such as diskettes, e-mail, and backup tapes.
Finally, if necessary, include a request for inspection so you can examine the computer system first hand and retrieve any relevant data.

3. Take a 30(b) (6) deposition.

 This is the single best tool for finding out the types of electronic information that exists in your opponent’s computer systems.

Checklist for System Discovery

 -The layout of the computer system, including the number and types of computers, and the types of
Operating systems and application software packages used. When asking about any types of software, make
 sure to ask for the software maker, program name, and version of each program (e.g., Corel, WordPerfect,
Version 6.0).
- The structure of any electronic mail system, including software used, the number of users, the location of
Mail files, and password usage.
-The structure of any network, including the configuration of network servers and workstations, and the
Brand and version number of the network operating system in use.
-Specific software used. This includes software applications for things such as calendars, project
Management, accounting, word-processing, and database management. It also includes industry-specific
Programs, proprietary programs, encryption software, and utility programs. When asking about software,
Inquire when software was installed and when it was upgraded.

-The personnel responsible for the ongoing operation, maintenance, expansion, and
Upkeep of the network.
-The personnel responsible for administering the e-mail system.
- The personnel responsible for maintenance of computer-generated records and the
 Manner in which such records are organized and accessed.
-Backup procedures used on all computer systems in the organization. This should
 include descriptions of all devices (e.g., tape drives) and software used to create backups,
the personnel responsible for conducting the backups, what information is backed up,
Backup schedules, and tape rotation schedules.
- The process for archiving and retrieving backup media both on and off site.

- The procedures used by system users to log on to computers and into the network. This
includes use of passwords, audit trails, and other security measures used to identify data created, modified, or otherwise accessed by particular users.
-Whether and how access to particular files is controlled. Information such as an access
control list identifies which users have access to which files.
-How shared files are structured and named on the system.
-Routines for archiving and purging different types of data.

4. Collect backup tapes. One of the most fertile sources of evidence is the routine

Backup created to protect data in case of disaster. This information is normally stored on high-capacity tapes, but may exist on virtually any type of media. Backup tapes normally contain all an organization’s data, including e-mail, as of a certain date. Common backup procedures call for full backups to be made weekly, with the last backup of the month saved as a monthly backup. While weekly backups are normally rotated, monthly backups are saved anywhere from six months to several years. It is not unheard of for an organization to have kept all its backup tapes from the inception of its computer systems.
When collecting backup tapes in discovery, make sure to also gather information on how the tapes were made. This inquiry must include both the procedures followed, and the specific hardware and software used to make the backups. Because, over time, hundreds of different backup programs and equipment have been used, in some cases, it may be impossible to restore backups without using the same software and/or hardware used to create them.

5. Collect removable media.

 Data selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence. Users save data to diskettes for any number of reasons. Users create “ad hoc backups” of key documents or files to use in case an important document or file is lost. Users may also copy e-mail files to

Diskette to prevent them from being deleted in automatic purging routines. Finally, users will use diskettes to save data they do not want to keep on company computers.
The users that create them save diskettes indefinitely. It is not unusual to find a number of diskettes in witness’s desks. Collecting and examining all diskettes created by key witnesses is an essential step in a thorough examination of all electronic evidence.
6. Ask every witness about computer usage.

In addition to the discovery directed at the computer system, every witness must be questioned about his or her computer use. Individual users’ sophistication varies widely. Knowing how each witness uses his or her computer, and organizes and stores data, may lead to sources of data not revealed by the discovery directed at general system usage. This discovery should also focus on the secretaries and other people assisting key witnesses. Often, documents drafted by the key witness are stored on his or her assistant’s computer.

Perhaps the most overlooked source of electronic evidence is the home computer. Data usually ends up on home computers in one of two ways. First, data can be transferred to and from the workplace on diskettes or other portable media. Second, an employee may be able to log on to the company network from home. In this situation, the home computer acts just like the employee’s office workstation. Regardless of how data is transferred, the critical point is to find out whether the witness works from home and how data is transferred to and from that home computer.
Palmtop devices and notebook computers are another good source of evidence. Palmtop devices include electronic address books as well as more powerful devices such as 3Com’s Palm Pilot and Apple’s Newton. In addition to storing calendar and contact information, many of these devices allow users to make notes and use e-mail. Further up the scale, there are notebook computers. Notebook computers are often shared among a number of users. While the notebook computer may not be a witness’s primary workstation, it still may contain important pieces of information. Again, the critical point is to ask how palmtop devices and notebook computers are used and what data they may contain.
7. Make image copies.

 It is no secret that deleted files and other “residual” data may be recovered from hard drives and floppy disks. How do you make sure that you capture this data? Answering this question first requires a brief explanation of why “residual” data exists.

When working with computers, the term “deleted” does not mean destroyed. Rather, when a file is deleted, the computer makes the space occupied by that file available for new data. Reference to the “deleted” file is removed from directory listings and from the file allocation table, but the bits and bytes that make up the file remain on the hard drive until

they are overwritten by new data or “wiped” through use of utility software. The result is a file appears to have been deleted, but may still be recovered from the disk surface.
Residual data includes “deleted” files, fragments of deleted files, and other data that is still extant on the disk surface. To assure that this residual data is captured, you must make an image copy of the target drive. An image copy duplicates the disk surface sector-by-sector, thereby creating a mirror image of the target drive. In contrast, a file-by-file copy (what is made when you simply select the files you want copied) captures only the data contained in the specific files selected. Even if all files are selected, a file-by-file copy will not capture any residual data.4

8. Write-protect and virus check all media.

Now that you have obtained the data, how do you look at it? You likely have a mix of
image copies, backup tapes, diskettes, CDs, and other media. Before doing anything else, you must maintain the integrity of the media you have received. The two key steps in doing this are write-protection and virus checking.
Write-protecting media prevents data from being added to that media. Write-protecting the media produced guarantees that the evidence you gather is not altered or erased when you are working with it. You should write-protect all media before doing anything else with it. The process for write-protecting media varies, but is usually simple.
Virus checking, likewise, prevents evidence from being altered and is the second thing you should do with all media. The key is using up-to-date virus checking software. If a virus is detected, record all information about the virus detected and immediately notify the party producing the media. Do not take steps to clean the media, because doing so would change the evidence that was produced to you.

9. Preserve the chain of custody.

 A chain of custody tracks evidence from its original source to what is offered as evidence in court. With electronic evidence, a chain of custody is critical because electronically stored data can be altered relatively easily, and proving the chain is the primary tool in authenticating electronic evidence.

A good benchmark is whether the software is used and relied on by law enforcement agencies. Second, the copies made must be capable of independent verification. In short, your opponent and the court must be able to satisfy themselves that your copies are accurate. Third, the copies created must be tamper proof.
Securing the media simply assures that your original copies are preserved. Just as you would make working copies of any documents produced, you should create working copies of data.
When you work with data restored from the media you collected, make sure you can track individual files and documents back to their original source. The checklist below sets out one way of doing this.

Checklist For Electronic Media Examination

-Assign a unique number to each piece of media. (The number series used for numbering electronic media should be distinct from that used for paper documents.)

-Write-protect all media.

- Virus checks all media. Record any viruses discovered and immediately notify the producing party.

-Print directory listings for each piece of media. Make sure the listing has the media number printed on it.
-Virus check the drive that you are restoring the data to and make sure the drive is free from any other data. (Restoration should be to a distinct drive, dedicated to a single case.)
-Restore each piece of media to a file with a name that corresponds to the number assigned to the media being restored (e.g., a diskette numbered 123 should be restored to a file named “Disk 123”).
- Verify that all files on the directory listing appear in the copy restored.
- Secure the source media.
-When printing a particular document, insert a distinct header or footer that gives the full directory listing for document printed (e.g., Disk 123\corr\smokinggun.txt).

Examining Computer Evidence

Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence. Although forensic laboratories are very good at ensuring the integrity of the physical items in their control, computer forensics also requires methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence—the information—from harm
Computer forensic science issues must also be addressed in the context of an emerging and rapidly changing environment. However, even as the environment changes, both national and international law enforcement agencies recognize the need for common technical approaches and are calling for standards (Pollitt 1998
As an overall example, a laboratory may require that examinations be conducted, if possible and practical, on copies of the original evidence. This requirement is a principle of examination. It represents a logical approach taken by the computer forensic science community as a whole, and it is based on the tenet of protecting the original evidence from accidental or unintentional damage or alteration. This principle is predicated on the fact that digital evidence can be duplicated exactly to create a copy that is true and accurate.
Creating the copy and ensuring that it is true and accurate involves a subset of the principle, that is, policy and practice. Each agency and examiner must make a decision as to how to implement this principle on a case-by-case basis.
CRC and MD are computer algorithms that produce unique mathematical representations of the data. They are calculated for both the original and the copy and then compared for identity. The selection of tools must be based on the character of the evidence rather than simply laboratory policy. It is likely that examiners will need several options available to them to perform this one function.
An examiner responsible for duplicating evidence must first decide an appropriate level of verification to weigh time constraints against large file types. The mathematical precision and discriminating power of these algorithms are usually directly proportional to the amount of time necessary to calculate them. If there were 1 million files to be duplicated, each less than 1 kilobyte in size, time and computational constraints would likely be a major determining factor. This circumstance would probably result in a decision to use a faster, but less precise and discriminating, data integrity algorithm.
Having decided how best to ensure the copy process will be complete and accurate, the next step is the actual task. This is a subset of the policy and practice, that is, procedures and techniques. These most closely represent the standard cookbook approach to protocol development. They are complete and contain required detailed steps that may be used to copy the data, verify that the operation was complete, and ensure that a true and accurate copy has been produce
Forensic Software Available
These are some of the most used software’s in computer forensics
6.      ForixNT
8.      SMART Extractor
9.      And many more

Authentication of Digital Evidence

Authentication of Evidence

Authentication is the process by which the reliability of evidence is established. The party leading the evidence in court must show that it has not been altered since it was collected and that the location, date, and time of collection can be proven. That is accomplished using standardized evidence-handling procedures and chain-of-custody records and relies primarily on physical security measures.
Digital evidence offers new challenges for authentication and, at the same time, new opportunities to significantly strengthen the proofs of reliability. It has been argued that digital images may require that special care be given to document the collection and analysis procedures and chain of custody to ensure admissibility (Berg 2000). Those concerns can be extrapolated to digital evidence of all forms. As binary data on (usually) magnetic media, digital evidence is potentially more susceptible to post collection alteration, or the accusation thereof by a defense attorney, than is analog evidence. To offset that vulnerability, digital evidence is also amenable to the many information-assurance methods that have been developed for Internet applications and electronic commerce. This part of the paper explores the potential for applying information assurance to authentication of digital evidence in general and discusses a prototype application to digital video in particular.
The purpose of this paper is to stimulate dialog on the utility and requirements for information-assurance enhancements to current evidence handling and chain-of-custody documentation procedures.

Information-Assurance Services

The Information Assurance Technical Framework (National Security Agency 2002) captures information-assurance guidance reflecting the state-of-practice in the U.S. Department of Defense, federal government, and industry information-assurance community. It describes the following five primary security services relevant to information and information processing systems: access control, confidentiality, integrity, availability, and non-repudiation. Those five somewhat interdependent services are summarized here.
Access control is comprised of measures that prevent unauthorized user access to networked hardware, software, and data. It is accomplished by four functions:
  • Identification and authentication determines the identity of a person who seeks access to a resource or data. Information-assurance terminology uses authentication in the sense of the reliability of identity credentials, which is similar to but more specialized than evidentiary usage.
  • Authorization determines the access rights of a person (or process) given a valid identity.
  • Decision determines whether a person's access rights are sufficient for the access requested and grants or denies access accordingly.
  • Enforcement imposes the access-control decision.
Access control, as described in the Information Assurance Technical Framework, The confidentiality security service is defined as the protection of data from unauthorized disclosure. The data may be in storage or in transmission. This overlaps with access control but is sufficiently important to the information-assurance community to merit separate treatment in the Information Assurance Technical Framework.
The integrity security service includes any or all of the following: protecting data from modifications, detecting modifications, and recording modifications. Identification and authentication is an essential aspect of integrity as observed in the Information Assurance Technical Framework.
Note that integrity protection is of no value unless it is combined with a mechanism that provides authentication of the source. Without source authentication, anyone could tamper with the original data and then just reapply an integrity mechanism.
Availability is concerned with ensuring that network data and services are provided to users with a specified quality of service, when the network is subject to normal loads, failures, and outright attacks.
No repudiation services provide proofs that participating parties were involved in a communication (e.g., an electronic commerce exchange). The objective is to render it infeasible for a person to deny having had access to information or information-processing resources or engaging in specific activities with regard to said information and resources.

Information Assurance Applied to Digital Evidence

The confidentiality and availability services have no apparent bearing on authentication of digital evidence. Confidentiality does not apply because all evidence must be disclosed during discovery, whereas availability is primarily a network issue. Those services will not be discussed further.
The physical security implicit in normal evidence-handling procedures provides a significant measure of access control. The information-assurance version of access control would serve to enhance that in some situations. For example, when some medium containing original digital evidence is connected to a computer for copying or analysis, information-assurance considerations would include the following:
  • Is that computer connected to a local area network?
  • Who has access to the local network?
  • Is everyone with access to the local network authorized to access the evidence?
  • How is the local network protected from other networks?
  • Who has access to the computer during duty and off-duty hours?
  • Is the computer free from unauthorized applications?
  • Are all access attempts automatically logged?
  • How are access restrictions enforced?
Those and potentially other questions are highly relevant to establishing a complete picture of access control for the evidence and should be addressed in the evidence-handling procedures.
To put these generalities in context, the next section describes a system that addresses access control, integrity, and no repudiation for a particular application.

Digital Video Evidence System

A prototype system is currently under development for the U.S. Postal Inspection Service that applies information-assurance methods to authenticate digital video (Baser et al. 2003). The following describes how the information-assurance services discussed above are manifested in a digital video evidence system.
The U.S. Postal Inspection Service desires to preempt any challenge to the admissibility of digital video evidence collected during surveillance operations, where such a challenge might be made on the grounds that digital video can be easily edited. The developmental system addresses access control, integrity, and no repudiation through the application of digital signatures in a government off-the-shelf public key infrastructure.
The components of the overall system are shown in Figure 1. Consider a collection-to-court sequence of events for a specimen of digital video evidence. Beginning on the lower left of the figure, a postal inspector reports to the public key infrastructure local registration authority and is given a security token (e.g., a smart card). The token is initialized with a cryptographic key pair and an identity certificate. The identity certificate is an electronic document containing the inspector's name, date and time, and the public key of the key pair. The local registration authority serves as witness to the identity of the inspector and key-generation process. The public key infrastructure certificate authority digitally signs the identity certificate. The identity certificate constitutes the inspector's electronic credentials that others can trust because of the certificate authority signature. This certificate-generation process is expected to take a few minutes for an inspector who has been preregistered. Registration with the public key infrastructure serves, as access control because only authorized users will be able to register. Public key infrastructures have been described in more detail elsewhere (Lyons-Burke 2000) and will not be discussed further here.
The key pair enables the inspector to generate digital signatures on the security token using the private key of the pair, whereas the public key will enable anyone to verify those signatures. Refer to Appendix B for a description of digital signatures and the roles of public and private keys.
Figure 1. Digital Video Evidence System
Next, the inspector takes the security token, a digital camcorder, and the special-purpose digital video authenticator to the field to collect evidence. This step is illustrated on the lower right. The digital video authenticator is depicted as a laptop, which was used for the proof-of-principle prototype. A picture of the prototype is shown in Figure 2. The field prototype, currently under development, will be a smaller form factor. The digital video authenticator is connected to the camcorder by the IEEE-1394 Fire wire interface. The inspector turns on the unit, which will wait for the user to connect a security token and enter a personal identification number to access the token. It will not operate without an inserted token. This feature provides for no repudiation for subsequent steps.

Figure 2. Proof-of-Principle Digital Video Authenticator with Camcorder
After the token handshake, the digital video authenticator generates another cryptographic key pair. The private key of this pair is used in the unit to generate digital signatures for the digital video. The public key is concatenated with optional, user-supplied session information and is digitally signed by the security token to produce an integrity certificate. Both the identity certificate and integrity certificate are written to removable media in the digital video authenticator. The integrity certificate provides for no repudiation regarding the identity of the inspector who generated the associated keys.
During videotaping, the digital video authenticator receives the compressed video data stream (Society of Motion Picture and Television Engineers 1999) from the camcorder over the Fire wire simultaneously as the camcorder records. The authenticator delineates the stream into frames and then further parses the frames into segments for video, audio, and control data. Each segment is digitally signed in a pipeline process that matches the 30-frames-per-second throughput of the camcorder. Those signatures are the core data used in subsequent analysis to verify the integrity of the video.
After the recording session, the inspector terminates digital video authenticator operation. The unit automatically destroys the private key used for signing the video. Destruction of that critical private key is a strong form of access control. The key existed only during a single recording session while it was in custody of a known user. No further signatures can be generated that are compatible with the public key in the integrity certificate.
The collected video, identity and integrity certificates, and digital signatures are submitted to the evidence storage facility in accordance with standard operating procedures. Working copies can be made as needed. An option to be exercised by the U.S. Postal Inspection Service is to return to the local registration authority, surrender the security token, and destroy the key pair resident on that device. The intent is to alleviate the need for the inspector to carry a security token at all times. One advantage of keeping the token is that the inspector would not need to complete the token initialization step every time digital signatures were to be generated.
The fourth step in the digital video evidence system in Figure 1 is to verify the integrity of any video clip of evidentiary interest. This might be done routinely or only when a clip is challenged. In any event, the digital video certificates and signatures and public key from the public key infrastructure certificate authority will be provided to the analyst. That analyst will use software tools to be provided in a digital video verification workstation to assess the integrity of the video clip.
Integrity verification is a multipart process. The analyst must first establish the validity of the various public keys involved. That is accomplished by the chaining of certificates. The public key from the public key infrastructure certificate authority, which is trusted and independently verifiable, is used to verify the inspector's identity certificate. The public key from the inspector's identity certificate is used to verify the integrity certificate. The public key from the integrity certificate is used with the digital signatures to verify the audio, video, and control portions of each frame. Therefore, trust in the integrity of each frame segment can be unequivocally traced back to trust in the public key infrastructure, which must meet federal standards for access control, confidentiality, and integrity of its keys.
Once the keys are validated, the analysts will perform automated, frame-level integrity verification. Not all video frames will pass the integrity verification. Tape defects, recording or playback noise from dirty heads, and variability in error detection and correction capability among playback equipment will cause frames to fail verification. The analyst may be able to deduce the cause of failure in some cases (e.g., unreadable audio data are replaced by a square-wave output in some systems). Furthermore, the digital video authenticator is a soft real-time system, meaning; it will fail to generate signatures on a fraction of the frames (roughly 1 in 9,700 for the prototype). Those and other factors will be taken into account in a final assessment of authenticity.
The investigative analysis of the evidence will have the advantage of the authenticity report, as indicated in the upper, central portion of Figure 1. The analysts will be confident that they can rely on the admissibility of the video clip or even a specific frame of interest. To be conservative, failed frames can be excluded from consideration for presentation in court.

Daubert Compliance

The Daubert ruling (Daubert 1993) requires the trial judge to make an assessment of whether a methodology or technique invoked by expert testimony is scientifically valid and whether the methodology can be applied to the facts in issue. The ruling provides the following five example considerations to aid the judge in making that assessment:
  • Whether the technique can be and has been tested
  • Whether the technique has been subjected to peer review and publication
  • Known or potential rate of error
  • Existence and maintenance of standards controlling the technique
  • General acceptance in the relevant scientific community
Digital signatures have not been used to date to authenticate digital evidence in criminal court so are subject to a Daubert challenge.
That fact leads to one primary design principle for authentication systems—strict adherence to existing government and industry standards and accepted practices. The National Institute for Standards and Technology is the national standards-setting body for government and commercial cryptographic algorithms and equipment. Adherence to National Institute of Standards and Technology standards (e.g., Federal Information Processing Standards Publication 140-2) helps ensure that those facets of the system are acceptable to the information-assurance community. Similarly, using unaltered, industry-accepted data formats (e.g., SMPTE Std 314M-1999 for digital video) will facilitate acceptance by the technical community relevant to the evidence. In addition, the resulting system must be extensively tested to establish expected performance and error rates. Preliminary performance results for the digital video example have been reported (Baser et al. 2003). Excerpted from Information Assurance Technical Framework Release 3.1 (2002)
Presenting evidence in court:
When collecting computer data for evidentiary purposes, a party has a duty to “utilize the method which would yield the most complete and accurate results.” Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996). In Gates, the court criticized the plaintiff for failing to make image copies and for failing to properly preserve undeleted files.

See sample of determined court cases


 With the ever-growing use of computers as business and communication tools, data generated and stored electronically are becoming an increasingly important target for discovery. As with all other discovery, the goal in the discovery of electronic information is finding useful information and collecting that information in a manner that assures it can be admitted into evidence. There is no magic to accomplishing this goal—what is required is a proven, methodical approach. While technology will undoubtedly continue to change, the basic techniques for collecting electronic evidence should continue to prove effective.

Challenges of Computer Forensic:
-Being able to demonstrate the authenticity of the evidence
-Integrity and security of data are also an issue in my courts
-Acceptance of computer technology (judges, jury etc)
-Establishing the chain of custody

Why computer crime is had to prosecute:
-Lack of understanding
-Lack of physical evidence
-Lack of political impact
-Complexity of cases


American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB). ASCLD/LAB Manual. American Society of Crime Laboratory Directors/Laboratory Accreditation Board, Garner, North Carolina, 1994, pp. 29–30.
CommerceNet Research Council. 2000 Industry Statistics. Available at
Fischer, L. M. I.B.M. plans to announce leap in disk-drive capacity, New York Times (December 30, 1997), p. C-2.
Noblett, M. G. Report of the Federal Bureau of Investigation on development of forensic tools and examinations for data recovery from computer evidence. In: Proceedings of the 11th INTERPOL Forensic Science Symposium, Lyon, France. The Forensic Sciences Foundation Press, Boulder, Colorado, 1995.
Pollitt, M. The Federal Bureau of Investigation report on computer evidence and forensics. In: Proceedings of the 12th INTERPOL Forensic Science Symposium, Lyon, France. The Forensic Sciences Foundation Press, Boulder, Colorado, 1998.
Pollitt, M. Computer Evidence Examinations at the FBI. Unpublished presentation at the 2nd International Law Enforcement Conference on Computer Evidence, Baltimore, Maryland, April 10,
Forensic science communications, 0ctober 2000, volume 2, number 4. October 2000   Volume
Berg, E. C. Legal ramifications of digital imaging in law enforcement, Forensic Science Communications [Online]. (October 2000). Available:
Beser, N. D., Duerr, T. E., and Staisiunas, G. P. Authentication of digital video evidence, In: SPIE Applications of Digital Image Processing XXVI, San Diego, California, August 3-8, 2003.
Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 US, 579 (1993).
Lyons-Burke, K. Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, National Institute of Standards Special Publication 800-25, October 2000.
National Institute of Standards and Technology. Security Requirements for Cryptographic Modules, Federal Information Processing Standards Publication 140-2, May 25, 2001.
National Security Agency Information Assurance Solutions Technical Directors. Information Assurance Technical Framework, Release 3.1, September 2002.
Society of Motion Picture and Television Engineers. Data Structure for DV-Based Audio, Data and Compressed Video — 25 and 50 Mb/s, SMPTE Std 314M-1999, July 1, 1999.
Kruse II, Heiser  “computer forensics incident response essentials” 1st edition Pearson education, Indianapolis: 2002

Pfleeger, Pflegger  “security in computing” 3rd  edition, Pearson education, New Jersey:


Popular posts from this blog

[Hack crack] Tổng hợp Google Dork

[Security] Internet blackout scheduled in protest of SOPA