Computer Forensics: Characteristics and Preservation of Digital Evidence
Mercer, Loren D., The FBI Law Enforcement Bulletin
In San Diego County, California, forensic experts examined a laptop computer for evidence of notes used in the robbery of several local banks--a university professor later would plead guilty to bank robbery charges and receive 9 years in prison, even though the laptop contained no saved notes. (1) In another case, a Navy enlisted man faced a dishonorable discharge and time in the brig for possession of child pornography after the discovery of floppy disks in a backpack he inadvertently left on a dock at muster. These cases and many more, handled by computer forensic examiners every day, have convicted scores of criminals who committed or stored information pertaining to their crimes with computers and other digital devices. (2) Such criminal acts now transcend traditional business crimes.
Criminals commit few crimes today without involving a computing device of some type. This puts a strain on computer forensic examiners who have the training, skills, and abilities to properly handle digital evidence. Law enforcement agencies take different avenues of addressing this increasing load of computer evidence that requires examination to close cases. Many train a few of their law enforcement officers. Some train professional support technicians. Increasingly, agencies send their work to local or regional computer forensic laboratories. Regardless, an understanding of the proper evidentiary foundations for admission of computer-related evidence proves necessary for the courts to have confidence in the material ultimately presented.
Uniqueness of Computer Digital Evidence
In 1948, well-known mathematician Dr. Claude Shannon outlined mathematical formulas that reduced communication processes to binary code and calculated ways to send them through communications lines. (3) Since then, computers and other digital computing devices have used encoding methods based on the binary numbering system.
Computers allow criminals to remain relatively anonymous and to invade the privacy and confidentiality of individuals and companies in ways not possible prior to the advent of the computer age. "Evidence of these crimes is neither physical nor human, but, if it exists, is little more than electronic impulses and programming codes." (4) This evidence can take the form of data digitally stored as text files, graphics files, sounds, motion pictures, databases, temporary files, erased files, and ambient computer data dumped on the storage device by the operating system or application program. If someone opened a digital storage device, they would see no letters, numbers, or pictures on it. Therefore, "understanding how a computer stores data is basic to understanding how sensitive that data is to inadvertent contamination and how important a chain of custody becomes when testifying to the 'originality' of the evidence." (5)
Storage of Data
"Digital electronics involves circuits and systems in which there are only two possible states. The states are represented by two different voltage levels: a high or a low level. The two-state number system (base 2) is called binary, and its two digits are 0 and 1. A binary digit is called a bit." (6) Because reading strings of zeros and ones severely limits the number of people capable of reading a digital device, and to accommodate letters, punctuation, and special characters, another numbering system came into use--the hexadecimal, or base 16, (7) system. The hexadecimal numbers express the binary values stored on a device. At a minimum, a truly readable alphanumeric code must represent 10 decimal digits and 26 letters, or 36 items. However, the inclusion of punctuation, symbols, and computer control codes requires a seven-bit code (2 x 2 x 2 x 2 x 2 x 2 x 2), yielding 128 combinations, or 2^7 = 128. The complete expression of binary information encompasses eight bits, with one sign bit and seven magnitude bits, (8) giving 256 possible combinations. …
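As an added illustration (not part of the Bulletin article), the following Python code renders a constructed "sector" of a storage device the way a forensic hex-dump tool does: the hexadecimal digits stand in for the stored bits, the right-hand column shows which bytes are readable 7-bit ASCII, and the helper functions give the 128 and 256 code-space counts the paragraph cites. The sample bytes are constructed for this example.

```python
"""Hex dump of a constructed storage-device sector, showing hexadecimal as
the readable form of stored bits and the 7-bit versus 8-bit code space."""

# Constructed sample sector: printable 7-bit ASCII text followed by
# padding and a few bytes that need all eight bits (high bit set).
SAMPLE_SECTOR = b"Note: hand over the cash.\x00\x00\x00\xff\xfe\x80\x7f\r\n"


def code_space(bits: int) -> int:
    """Distinct values representable in `bits` bits: 2**bits (7 -> 128, 8 -> 256)."""
    return 2 ** bits


def to_bits(byte: int) -> str:
    """Binary digits of one byte, as they are physically stored."""
    return format(byte, "08b")


def printable(byte: int) -> str:
    """Render a byte as a hex-dump tool does: printable ASCII or '.'."""
    return chr(byte) if 32 <= byte < 127 else "."


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Return dump lines: offset, hexadecimal bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(printable(b) for b in chunk)
        lines.append(f"{off:08x}  {hex_part}  {ascii_part}")
    return lines


def count_eight_bit(data: bytes) -> int:
    """Bytes with the eighth (high) bit set, i.e. outside 7-bit ASCII."""
    return sum(1 for b in data if b & 0x80)


if __name__ == "__main__":
    print(f"7-bit code space: {code_space(7)}, 8-bit code space: {code_space(8)}")
    print("\n".join(hexdump(SAMPLE_SECTOR)))
    print(f"bytes needing all eight bits: {count_eight_bit(SAMPLE_SECTOR)}")
    print("0xff stored as bits:", to_bits(0xff))
```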