Computer Forensics: Characteristics and Preservation of Digital Evidence

By Mercer, Loren D. | The FBI Law Enforcement Bulletin, March 2004 | Go to article overview

Computer Forensics: Characteristics and Preservation of Digital Evidence


Mercer, Loren D., The FBI Law Enforcement Bulletin


In San Diego County, California, forensic experts examined a laptop computer for evidence of notes used in the robbery of several local banks--a university professor later would plead guilty to bank robbery charges and receive 9 years in prison, even though the laptop contained no saved notes. (1) In another case, a Navy enlisted man faced a dishonorable discharge and time in the brig for possession of child pornography after the discovery of floppy disks in a backpack he inadvertently left on a dock at muster. These cases and many more, handled by computer forensic examiners every day, have convicted scores of criminals who committed or stored information pertaining to their crimes with computers and other digital devices. (2) Such criminal acts now transcend traditional business crimes.

[ILLUSTRATION OMITTED]

Criminals commit few crimes today without involving a computing device of some type. This puts a strain on computer forensic examiners who have the training, skills, and abilities to properly handle digital evidence. Law enforcement agencies take different avenues of addressing this increasing load of computer evidence that requires examination to close cases. Many train a few of their law enforcement officers. Some train professional support technicians. Increasingly, agencies send their work to local or regional computer forensic laboratories. Regardless, an understanding of the proper evidentiary foundations for admission of computer-related evidence proves necessary for the courts to have confidence in the material ultimately presented.

Uniqueness of Computer Digital Evidence

In 1948, well-known mathematician Dr. Claude Shannon outlined mathematical formulas that reduced communication processes to binary code and calculated ways to send them through communications lines. (3) Since then, computers and other digital computing devices have used encoding methods based on the binary numbering system.

Computers allow criminals to remain relatively anonymous and to invade the privacy and confidentiality of individuals and companies in ways not possible prior to the advent of the computer age. "Evidence of these crimes is neither physical nor human, but, if it exists, is little more than electronic impulses and programming codes." (4) This evidence can take the form of data digitally stored as text files, graphics files, sounds, motion pictures, data-bases, temporary files, erased files, and ambient computer data dumped on the storage device by the operating system or application program. If someone opened a digital storage device, they would see no letters, numbers, or pictures on it. Therefore, "understanding how a computer stores data is basic to understanding how sensitive that data is to inadvertent contamination and how important a chain of custody becomes when testifying to the 'originality' of the evidence." (5)

[ILLUSTRATION OMITTED]

Storage of Data

"Digital electronics involves circuits and systems in which there are only two possible states. The states are represented by two different voltage levels: a high or a low level. The two-state number system (base 2) is called binary, and its two digits are 0 and 1. A binary digit is called a bit." (6) Because reading strings of zeros and ones severely limits the number of people capable of reading a digital device and to accommodate letters, punctuation, and special characters, another decimal numbering system began--the hexadecimal, or base 16, (7) system. The hexadecimal numbers express the binary values stored on a device. At a minimum, a truly readable alphanumeric code must represent 10 decimal digits and 26 letters, or 36 items. However, the inclusion of punctuation, symbols, and computer control codes requires a seven-bit code (2X2X2X2X2X2X2) yielding 128 combinations, or [2.sup.7]=128. The complete expression of binary information encompasses eight bits, with one sign bit and seven magnitude bits, (8) giving 256 possible combinations. …

The rest of this article is only available to active members of Questia

Sign up now for a free, 1-day trial and receive full access to:

  • Questia's entire collection
  • Automatic bibliography creation
  • More helpful research tools like notes, citations, and highlights
  • Ad-free environment

Already a member? Log in now.

Notes for this article

Add a new note
If you are trying to select text to create highlights or citations, remember that you must now click or tap on the first word, and then click or tap on the last word.
One moment ...
Default project is now your active project.
Project items

Items saved from this article

This article has been saved
Highlights (0)
Some of your highlights are legacy items.

Highlights saved before July 30, 2012 will not be displayed on their respective source pages.

You can easily re-create the highlights by opening the book page or article, selecting the text, and clicking “Highlight.”

Citations (0)
Some of your citations are legacy items.

Any citation created before July 30, 2012 will labeled as a “Cited page.” New citations will be saved as cited passages, pages or articles.

We also added the ability to view new citations from your projects or the book or article where you created them.

Notes (0)
Bookmarks (0)

You have no saved items from this article

Project items include:
  • Saved book/article
  • Highlights
  • Quotes/citations
  • Notes
  • Bookmarks
Notes
Cite this article

Cited article

Style
Citations are available only to our active members.
Sign up now to cite pages or passages in MLA, APA and Chicago citation styles.

(Einhorn, 1992, p. 25)

(Einhorn 25)

1

1. Lois J. Einhorn, Abraham Lincoln, the Orator: Penetrating the Lincoln Legend (Westport, CT: Greenwood Press, 1992), 25, http://www.questia.com/read/27419298.

Cited article

Computer Forensics: Characteristics and Preservation of Digital Evidence
Settings

Settings

Typeface
Text size Smaller Larger Reset View mode
Search within

Search within this article

Look up

Look up a word

  • Dictionary
  • Thesaurus
Please submit a word or phrase above.
Print this page

Print this page

Why can't I print more than one page at a time?

Full screen

matching results for page

Cited passage

Style
Citations are available only to our active members.
Sign up now to cite pages or passages in MLA, APA and Chicago citation styles.

"Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences." (Einhorn, 1992, p. 25).

"Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences." (Einhorn 25)

"Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences."1

1. Lois J. Einhorn, Abraham Lincoln, the Orator: Penetrating the Lincoln Legend (Westport, CT: Greenwood Press, 1992), 25, http://www.questia.com/read/27419298.

Cited passage

Thanks for trying Questia!

Please continue trying out our research tools, but please note, full functionality is available only to our active members.

Your work will be lost once you leave this Web page.

For full access in an ad-free environment, sign up now for a FREE, 1-day trial.

Already a member? Log in now.