3Forensic Science and Criminalistics

Associated Press

Learning Objectives After reading this chapter, you should be able to do the following:

▪ Define forensic science and how it contributes to a case, as well as explain the CSI Effect and the scientific method.

▪ Summarize the history of forensic science and contributors to the field.

▪ List and describe some forensic science specialties.

▪ Identify the elements of a forensic investigation, how physical evidence can be produced, and forensic analysis.

▪ Describe the work and work product of a forensic scientist.

▪ Describe the U.S. court system, and the key rulings on physical evidence admissibility through expert testimony.

▪ List and discuss major issues in forensic science today.

67

3Digital Forensics

scyther5/iStock/Thinkstock

George E. Richards, Edinboro University

Learning Outcomes After reading this chapter, you should be able to

▪ Understand why the need for digital forensics has grown over the past 2 decades.

▪ Identify the basic components and functions of a computer.

▪ Define digital forensics.

▪ Compare and contrast technological crimes.

▪ Explain the digital forensic investigative process.

▪ Understand the steps involved in finding a career in digital forensics.

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.1Computer Basics

Introduction Marc Benioff, founder of Salesforce, an enterprise cloud computing company, stated, “The only constant in the technology industry is change” (as cited in Israel, 2013, para. 7). This has to date been proven accurate. The growth of electronic communications and the ability to store data has been exponential. In 1965 Gordon Moore, a cofounder of Intel, postulated what has since become known as Moore’s law. Moore maintained computer processing speed would double every 24 months (Intel, n.d.). This has since been reduced to 18 months. The increased rate of processing—along with the increase in computer memory—and the micron- ization of components have revolutionized how people communicate. There are now more mobile devices than there are people. Barnes (2014) held that there are in excess of 7.2 billion mobile devices globally, and this number is increasing at 5 times the rate the population is. The growth in both prevalence and complexity of digital devices has led to the increased use of these devices as tools in criminal acts.

Used in the perpetration of a crime, tools such as computers or smartphones may provide the digital criminal or cybercriminal an effective modus operandi which, in this context, means the method of perpetration. In heists and robberies in films, it is routine to have a “getaway” car. The processing speed with which digital devices can give commands provides digital criminals with a swift escape. In addition, digital devices provide perpetrators distance from the victim. With the advent of the Internet, theft no longer requires personal interaction. For example, phishing is a common digital crime that entails victims receiving e-mails from sup- posedly reputable companies that attempt to con the victims into revealing personal informa- tion such as passwords. Digital devices can be used by “phishers” to steal personal data from anyone anywhere whose personal information is stored on a device with Internet capability. Digitization has provided perpetrators with a wealth of extensive and effective modi operandi.

As technology has advanced, so have the methods for investigating technological crime, although it is increasingly challenging for law enforcement to keep up with these advances. This chapter will address those students interested in the subfields of computer security and digital forensics. However, any student interested in pursuing work in the field of criminal justice should have a grasp of the basics of investigating these devices, since they are impos- sible to avoid in today’s environment. In order to adequately lay the foundation on which to address digital crime and its investigation, we need to have a basic understanding of comput- ers and other smart devices.

3.1 Computer Basics In order to adequately discuss digital crime, it is essential that some of the basic terms asso- ciated with digital devices are explained. The first digital devices we recognized were com- puters. The earliest computers could weigh up to several tons and take up entire floors of buildings, but thanks to advancements in technology, they are now lightweight and portable, as well as more powerful. At its most basic, a computer is an electronic device that both stores and transmits data in binary code, which is a coding system expressed using series of zeros and ones. Binary commands given by the user direct device operations through the use of software that contains the binary codes. All digital devices use both hardware and software.

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.1Computer Basics

Hardware are the parts of an information system we see. The monitor, keyboard, mouse, and motherboard are examples of a computer’s hardware. A crucial part of a device’s hardware is the hard disk drive, which is a permanent data-storage device within a computer. The hard disk drive often comes into play in forensic investigations, since it is where much of a computer’s information is stored—including, sometimes, files that the user believes have been deleted. A hard drive can be unplugged from a computer and retain all of the informa- tion that was stored on it while it was plugged in. When a hard drive is collected for evidence, an exact copy is made to be used for analysis, to avoid unintentionally changing anything on the original.

Separate from the hard drive is a computer’s RAM, or random access memory. RAM is a quickly retrievable type of computer memory that temporarily stores the information your computer immediately requires while you’re using it. Examples of RAM data would be the details of a web page you’re viewing and any user name/password you used to log in to that web page. Unlike the hard drive, when a computer is off, the RAM is empty.

Working in tandem with hardware, software is the binary instruction for specific computer processes that are implemented thorough the hardware. These are the programs a computer uses to carry out a specific task. For example, Microsoft Office is a software package that allows you to create and edit documents. Information systems are combinations of hardware and software used to collect, store, and share data. An example of this would be a geographic information system that manages and analyzes geographic data.

Another important facet of computers today is the IP address. An IP address is a string of numbers used to identify a computer so that it can access the Internet. Its function is similar to that of a return address on an envelope. Anyone who accesses the Internet does so via a third party, often a commercial Internet provider. This provider grants your computer access to the Internet based on your computer’s IP address. The IP address is attached to all online activity you complete, a fact that is very useful in digital forensic investigations. However, an analyst can’t tell who made a certain request online, only which computer the request was made on.

Up to this point, we have been discussing computers only, but digital forensics encompasses a wide range of digital devices, including

• smartphones, • smart watches, • voice assistants, • cameras, • tablets, • e-readers, and • automobiles.

The full list is extensive and constantly expanding. Society is more dependent on technology today than at any point in human history, and the trend shows no signs of waning. Without the ability to store information, digital devices would serve little purpose to the investigator. The rudimentary and limited memory that characterized early computer hard drives became more complex as information storage became portable and fluid. The early, malleable 5.25- inch floppy drives were replaced by 3.5-inch disks, which were supplanted by USB drives.

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.1Computer Basics

These drives, also known as thumb drives, weigh less than 1 ounce and may provide from 8 megabytes to 1 terabyte of storage capacity. USB drives capable of storing 2 terabytes of data are currently in development.

The information stored on the devices discussed above is referred to as data. There are two types of data that influence computer operations: visible data and latent data. Visible data is employed by the operating system and can be accessed by the user. For the investigator, it can describe any type of operational data such as documents, spreadsheets, databases, and audio and video files. Latent data, also known as ambient data, encompasses the informa- tion in computer storage not included in file-allocation tables. It is not easily viewed through the operating system, so most users do not know that it is there. Latent data is used in digital forensic investigations to uncover evidence and recover deleted files.

Data is not static. Karie and Venter (2015) describe data, and electronic evidence in general, as fragile. Any use of a digital device has the potential to damage or destroy data. This may be accidental or intentional. It may be as mundane an act as turning the device on or power- ing it down. Power surges, changes in temperature, or rough handling of the device may also destroy data. Because of this, analysts muse use a lot of care and caution when examining devices for evidence.

E-mail E-mail messages are messages distributed from one electronic device user to one or more recipients via a network such as the Internet or an organization’s intranet. As you have no doubt experienced, it is an almost instantaneous transaction. While many organizations host their own e-mail servers for employees, it is estimated there are over 1 billion web-based e-mail accounts for personal use (Magnet Forensics, 2014) with over 100 trillion e-mails sent each year (Global Digital Forensics, n.d.). Among the most popular of these are Gmail and Yahoo! Mail. A suspect’s e-mail is often searched for evidence of communications related to a crime. Perpetrators, especially novice ones, often believe deleting an e-mail permanently removes any record of it. This is not always the case.

Web-based e-mail is dependent on the use of a browser. Thus, e-mail evidence consists of browser artifacts within the cache, history, and cookies. The history and cookies provide the dates and locations visited by the user. The greatest source of evidence is to be found in the cache, where some e-mails read by the user are stored. The location of the cache within the operating system and browser may vary, depending on the browser used. Although evidence may be recovered from e-mail transmissions, the sheer number of e-mail accounts that may be used and the large number of e-mails sent also add to the time commitment of an investi- gator (Magnet Forensics, 2014).

Cloud Storage Cloud storage of data has also grown in use and adds another piece to the puzzle of digital forensic expertise. Cloud storage houses data across multiple servers and multiple locations. Cloud storage is typically owned by a third-party hosting company that is responsible for the maintenance and protection of client data. Space is not bought in a cloud but is leased. Clients are seldom aware of the actual physical location of their data.

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.1Computer Basics

Clouds pose certain challenges to forensic investigation. “There is no foolproof, universal method for extracting evidence in an admissible fashion from cloud-based applications, and, in some cases, very little evidence is available to extract” (as cited in Barbara, 2009, para. 6). First, the ability to access data from anywhere using any device that can accept commands and be linked to the Internet poses problems for the integrity and protection of data. It is hard to verify that data stored in the cloud is secure, even when password protected, and there are opportunities for digital-facilitated crime through the corruption or theft of data. Human error in configuring a cloud server in 2017, for instance, led to the leak of the data of 6 million Verizon users online (Larson, 2017). Intentional criminal activity can be even more dangerous.

Requirements for the storage of data and the steps required for investigators to access the information legally differ between jurisdictions. Similar to physical evidence, whether these regulations are followed during an investigation can impact whether evidence is admitted in court.

Voice Assistants A type of electronic device first released in 2015 and growing in popularity is the virtual or smart assistant, more com- monly known as the voice assistant. Among the most popular of these are Amazon’s Alexa and Echo and Google’s Google Home. Assisting is what these devices were literally designed to do. Acti- vated, depending on device, through voice recognition, text messaging, or uploading pictures, virtual assistants help simplify the management of one’s life through quick exchanges between the user and the device. These can relay news, weather, sports scores, and music. Bank accounts may be accessed and thermostats set.

Recently, it was discovered that these too can be hacked. Through “voice squatting,” these devices may be used to eavesdrop or to open malicious apps. Another type of virtual assistant hack, DolphinAttack, utilizes commands inside ultrasound frequencies inaudible to human hearing to assume control of the device. According to researchers at the University of Virginia and the Chinese Academy of Sciences, the possibilities of this type of phishing for the manipu- lation and theft of personal information are significant. Home security codes, bank account and credit card numbers, and other personal information can be obtained with relative ease (Wycislik-Wilson, n.d.)

Voice assistants are another example of how digital crime poses a challenge to forensic analysts and investigators in maintaining a currency of knowledge regarding technological advances and the necessity of doing so. Although security precautions are constantly being developed for digital devices, it has consistently shown that these can be overcome by deter- mined and talented perpetrators.

Frank Duenzl/picture-alliance/dpa/AP Images Digital criminals can target virtual assistants to gain access to sensitive information, such as credit card and bank account numbers.

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.2What Is Digital Forensics?

3.2 What Is Digital Forensics? As you may remember from Chapter 1, Dr. Edmond Locard postulated that anytime individu- als come into contact with someone or something or enter a specific area, they will make physical contact and leave a trace (Forensics Library, n.d.). The Locard exchange principle is also applicable in the electronic or digital realm, even though the person may be thousands of miles away from the “scene.” People leave user-specific information behind when they visit a website, send an e-mail, or do any number of things on an electronic device. This information is known as a digital fingerprint, and it can often be traced back to an individual. This could be as simple as the type of font used, or it could be complicated metadata.

We noted in Chapter 1 that forensics is not a proper term for forensic science. However, it has become so ingrained in people’s minds by popular media that its use is probably inevitable now. The terms computer forensics and digital forensics are often used synonymously. This is understandable but not entirely accurate. In the 1980s computer forensics would have been an appropriate term, but due to the rise in digital devices such as smartphones that are not considered computers, digital forensics is the correct term. With mobile devices that can be carried on the user’s person and can transmit data within seconds globally, the requirements for investigations of these devices has changed along with the terminology.

Digital forensics encompasses the investigation of all manner of devices that require the manipulation of binary code to operate. There are two types of digital forensic investigations: digitally based and digitally facilitated. A digitally based crime is one in which the com- puter is used to commit the act; for example, a phishing e-mail meant to con someone into sending his or her bank account information. Digitally facilitated crimes are those in which the digital device is the target of what are traditionally referred to as computer criminals or cybercriminals. For example, an identity thief who steals bank account information from a victim’s cell phone would be the perpetrator of a digitally facilitated crime.

Digital forensic analysts may collect evidence from a variety of mechanisms, including com- puter systems, networks, and removable media such as USB drives and external hard drives. Even though devices may differ, digital forensic practitioners must all abide by certain legal requirements. The successful prosecution of a digital crime is dependent on the investiga- tor’s ability to collect electronic evidence in a manner that satisfies the requirements for admissibility in court (Resendez, Martinez, & Abraham, 2012). As discussed in the Chapter 2 section on the fourth amendment, the requirements for acquiring digital evidence are still evolving through litigation. The Supreme Court recently decided that a warrant is needed to place a GPS tracker on a person or a vehicle and also to gather location data from a person’s cell phone.

The hardware and software necessary for the operation of digital devices differ significantly, depending on the requirements of the device and its complexity. Consequentially, investiga- tive approaches must also be adjusted for the specifics of the device in question. In their 2018 article, Barmpatsalou, Cruz, Monteiro, and Simoes referred to several subdisciplines of digital forensics, including

• computer forensics, • audio forensics, • cloud forensics,

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.2What Is Digital Forensics?

• database forensics, • network forensics, • video forensics, and • mobile forensics.

Digital forensics then cannot be considered only an exploration of a device to see what data might be stored on it. It requires that investigators follow established protocols governed by law. These laws address specific crimes executed through the actions of those involved using a digital device in its commission. To fully understand digital forensic science, one needs to understand how the practice has evolved and is still evolving.

The Development of Digital Forensic Science The application of forensic science prac- tices to criminal investigations has evolved over centuries. The practice of digital forensic investigation is a more recent step in this progression. The active prac- tice of digital crime investigations began in the late 1970s as law enforcement began to realize the possibilities comput- ers held to assist in the perpetration of crime and storage of evidence. The first efforts at electronic forensics targeted computers that were suspected to store incriminating evidence. These early cases were primarily concerned with financial fraud. The focus of electronic investiga- tions grew in complexity as devices were networked in one facility or through an organization. The introduction of the Internet as a means of data transmission was the next step in the evolution of technological understanding for analysts.

The first training programs in digital forensics were developed in the 1980s. The Associa- tion of Certified Fraud Examiners, the National Consortium for Justice Information and Statis- tics, and the High Technology Crime Investigation Association were among the organizations that designed early digital crime curricula. In 1987 AccessData, the first company to spe- cialize in digital forensics, was founded (Information Systems Audit and Control Association [ISACA], 2015).

Both government agencies and private industry recognized the need for a means to investi- gate digital crime. The FBI’s Computer Analysis and Response Team, created in 1984, was a government pioneer in computer, and then digital, crime investigations. Other countries and government entities have also formed similar units and task forces to combat digital crime. However, some argue that without the contribution of private technological developments, effective investigations of digital crime today would be impossible. Gogolin (2010) found in a study of Michigan law enforcement that while the number of digital-related crimes had dramatically increased, the number of qualified investigators had not kept pace. Part of the

Alexpoison/iStock/Thinkstock Digital forensic analysts work with a variety of devices and technology, including computers, external storage devices, mobile devices, databases, and the cloud.

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.3Technological Crime

reason for this disparity may be the fact that an investigator who specializes in cellular tele- phone forensics may have to invest as much as $25,000 in forensic tools. This is in addition to specialized training and certifications necessary to maintain a currency of knowledge.

The Information Systems Audit and Control Association (ISACA, 2015) credits the forensic tools available today to the open source/community-driven model which makes “tool evolu- tion modular, extensible, robust, and sustainable” (p. 3). That is, innovations by the greater technological community have helped law enforcement’s digital forensic tools keep pace with the innovation of digital criminals.

3.3 Technological Crime The intended purposes of technology, regardless of how noble the aim behind the develop- ment may have been, may be thwarted for more nefarious purposes.

The perversion of technology for criminal or deviant purposes is not limited to Nazi Germany. The original intent of the Internet was to provide a relay of networks so that during a nuclear confrontation, electronic communications used by the military would not be interrupted. This system of networks has since served as the backbone of what we have come to know as the Internet. Those early designers and analysts could not have foreseen that their work would someday be used as a vehicle for terrorism, theft, and pornography.

Case Illustration: IBM and the Nuremberg Trials In 1889 Herman Hollerith patented an electric punch-card device which could compile numerical data. The U.S. Census Bureau used his technology in the 1890 census and found that Hollerith’s device dramatically reduced the time necessary to summarize popula- tion data. Soon other countries began to lease Hollerith’s equipment, and his business grew. He eventually merged with three other corporations to form what became known as International Business Machines (IBM).

When Adolf Hitler became chancellor of Germany in 1933, the ruling Nazi Party soon implemented policies of Jewish persecution. The challenge facing the Nazis was how to effectively identify, track, and manage Germany’s Jewish population. A subsidiary of IBM, IBM Germany, marketed the Hollerith technology to the Third Reich and tailored the tabu- lation for the specific purpose of identifying Germany’s some 600,000 Jews (Black, 2001). It worked with chilling efficiency. The data collected via the use of the Hollerith device was used by the prosecution in the Nuremberg trials.

Relect On It As we have stated previously, technology is constantly changing and the crimes associated with it change as well. Using the above example regarding the Hollerith device, how might contemporary digital technology be used to identify and target people for victimization by government? How might future technological advances be used for the same purpose?

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.3Technological Crime

As technology has evolved, the enacting of laws addressing the criminal use of technology have sought to keep up with this ever-expanding evolution. For example, the Computer Fraud and Abuse Act of 1986 prohibits conduct that abuses or damages computer systems, particularly those that have a federal interest; these include computers that are used by or for the federal government or in commerce. In 2003, in response to the ever-growing amount of unsolicited commercial e-mail, congress passed the CAN-SPAM Act, establishing standards for the sending of commercial e-mail. Law 18 U.S.C. 1029 makes credit card (and other access device) fraud a federal crime with punishments of up to 10 years in prison. Law 18 U.S.C. 2511 prohibits the unauthorized interception, use, and disclosure of any electronic communica- tions. In 2017 President Barack Obama signed an executive order that called for the creation of a voluntary risk-based cybersecurity framework. This is another example of how the fed- eral government has recognized possible harms that may come from a cyber-based attack on public or private infrastructure (ISACA, 2015).

The specter of cyberterrorism is a growing concern for law enforcement agencies globally. Cyberterrorism is the use of digital devices and systems to orchestrate a terrorist attack on a government or entity. The recent discovery that Russian state-sponsored hackers had infiltrated American power grids following similar interference in the 2016 U.S. presidential election has emphasized the need for greater security in digital infrastructure (Sanger, 2018). The following sections outline a selection of the most common digital crimes.

Hacking Hacking is the use of a computer to gain unauthorized access to data in a system. The perpetrator is known as a hacker. Hacking can be malicious or nonmali- cious. Malicious hacking may take the form of information theft, systems sabo- tage, and vandalism. Simple intrusion, when a hacker defeats the security of a system just for the challenge, is consid- ered nonmalicious.

Hackers may employ several techniques. Through vulnerability scanning, network computers are checked for known weak- nesses. Passwords may be cracked by dis- covering them in stored data or intercept- ing them when transmitted electronically. Spoofing attacks utilize bogus websites that mimic legitimate sites and trick users into entering their user names and passwords. There have been many large hacking incidents in the past 10 years, including two massive data breaches suffered by Yahoo! in 2013 and 2014, which exposed the passwords of over a billion users (Goel & Perlroth, 2016). In 2017 hackers breached credit bureau company Equifax’s customer database, exposing almost 150 million customers’ sensitive information, including Social Security numbers and addresses (Borak & Vasel, 2018).

Alex Milan Tracy/Sipa via AP Images In 2017 hackers gained access to Equifax customer data. The breach of one of the three major credit bureaus exposed the personal information of nearly 150 million individuals.

© 2019 Bridgepoint Education, Inc. All rights reserved. Not for resale or redistribution.

Section 3.3Technological Crime

Identity Theft Identity theft is the stealing of personal information so that the criminal may impersonate the victim. Identity theft has been addressed at the federal level by 18 U.S.C. 1028A, known as the Identity Theft Penalty Enhancement Act. Identity theft is most commonly associ- ated with the perpetrator seeking financial gain. Access to a person’s Social Security number may allow an identity thief to open a credit line in the person’s name. Bank accounts may be accessed electronically and funds transferred to a perpetrator’s account. Children may be the victims of identity theft when their Social Security numbers are used to open credit lines. This can be made more complex when the perpetrator uses a fake name and a real Social Security number.

Cyberbullying Advancements in technology, especially surrounding social media and cell phones, have also been credited in contributing to bullying. Traditionally, bullying required physical intimida- tion or contact. However, the Internet and cellular technology have made these requirements obsolete. Cyberbullying, which is bullying that takes place through electronic communica- tion, allows anyone with a rudimentary knowledge of digital devices, regardless of size or age, to bully another. It most often takes place via social media, texting, instant message, and e-mail. Citing a study of American teens aged 13 to 17, Osborne (2012) wrote that 46% of “heavy” cell phone users (those who send in excess of 60 text messages per day) suffer from cyberbullying on their cell phones, compared to only 23% of “normal” users.

Case Illustration: United States v. Drew One of the first instances of cyberbullying that c