In San Diego County, California, forensic experts examined a laptop computer for evidence of notes used in the robbery of several local banks. A university professor later would plead guilty to bank robbery charges and receive 9 years in prison, even though the laptop contained no saved notes.1 In another case, a Navy enlisted man faced a dishonorable discharge and time in the brig for possession of child pornography after the discovery of floppy disks in a backpack he inadvertently left on a dock at muster. These cases and many more, handled by computer forensic examiners every day, have convicted scores of criminals who committed their crimes with, or stored information pertaining to their crimes on, computers and other digital devices.2 Such criminal acts now transcend traditional business crimes.
Criminals commit few crimes today without involving a computing device of some type. This puts a strain on computer forensic examiners who have the training, skills, and abilities to properly handle digital evidence. Law enforcement agencies take different avenues of addressing this increasing load of computer evidence that requires examination to close cases. Many train a few of their law enforcement officers. Some train professional support technicians. Increasingly, agencies send their work to local or regional computer forensic laboratories. Regardless, an understanding of the proper evidentiary foundations for admission of computer-related evidence proves necessary for the courts to have confidence in the material ultimately presented.
Mr. Mercer serves as a computer forensic examiner with the Computer Analysis Response Team at the FBI’s San Diego, California, office.
Uniqueness of Computer Digital Evidence
In 1948, well-known mathematician Dr. Claude Shannon outlined mathematical formulas that reduced communication processes to binary code and calculated ways to send them through communications lines.3 Since then, computers and other digital computing devices have used encoding methods based on the binary numbering system.
Computers allow criminals to remain relatively anonymous and to invade the privacy and confidentiality of individuals and companies in ways not possible prior to the advent of the computer age. “Evidence of these crimes is neither physical nor human, but, if it exists, is little more than electronic impulses and programming codes.”4 This evidence can take the form of data digitally stored as text files, graphics files, sounds, motion pictures, databases, temporary files, erased files, and ambient computer data dumped on the storage device by the operating system or application program. If someone opened a digital storage device, they would see no letters, numbers, or pictures on it. Therefore, “understanding how a computer stores data is basic to understanding how sensitive that data is to inadvertent contamination and how important a chain of custody becomes when testifying to the ‘originality’ of the evidence.”5
Storage of Data
“Digital electronics involves circuits and systems in which there are only two possible states. The states are represented by two different voltage levels: a high or a low level. The two-state number system (base 2) is called binary, and its two digits are 0 and 1. A binary digit is called a bit.”6 Because long strings of zeros and ones are hard for people to read, a more compact notation is used to express the binary values stored on a device: hexadecimal, or base 16,7 in which each digit stands for exactly four bits, so that one eight-bit byte is written as two hexadecimal digits. Representing text requires, in addition, an agreed code for characters. At a minimum, a readable alphanumeric code must represent 10 decimal digits and 26 letters, or 36 items. However, the inclusion of lowercase letters, punctuation, symbols, and computer control codes requires a seven-bit code (2x2x2x2x2x2x2), yielding 2^7 = 128 combinations. A full byte is eight bits, giving 2^8 = 256 possible combinations; the eighth bit has served for parity checking or for extended character sets and, in signed integer arithmetic, as a sign bit alongside seven magnitude bits.8 Of the alphanumeric codes, the American Standard Code for Information Interchange (ASCII) serves as the most widely used.
Hexadecimal notation therefore lets an examiner view, compare, and where necessary enter raw stored bytes in a form a person can read. The computer itself writes and reads data to digital media through a read-write head controlled by the drive electronics and the microprocessor. For example, a computer may store data as minute magnetized regions along a track of a floppy disk or hard disk. Other storage devices store data in a different physical fashion (pits on optical media, electrical charge in flash memory cells), but all present the stored data as zeros and ones.
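The relationship between the three views of a byte described above (eight bits, two hexadecimal digits, and the ASCII character where one exists) is what an examiner reads in a hex dump. The following is an added example, not code from the original article or from any forensic tool it mentions; the SAMPLE bytes are constructed for illustration and are not case evidence.

```python
"""Render a byte sequence in the binary, hexadecimal, and ASCII views examiners work with."""

# Constructed sample input: a fragment such as might be recovered from a deleted
# text file, followed by a few non-printable bytes. Made up for this example.
SAMPLE = b"Note: give me $5,000\r\n\x00\x00\xff\xfe"


def byte_views(b: int) -> tuple[str, str, str]:
    """Return (eight-bit binary, two-digit hexadecimal, ASCII) views of one byte value."""
    binary = format(b, "08b")            # eight bits, zero padded
    hexadecimal = format(b, "02X")       # two hex digits: one per four bits
    # Standard ASCII is seven bits; only 0x20..0x7E are printable characters.
    ascii_char = chr(b) if 0x20 <= b < 0x7F else "."
    return binary, hexadecimal, ascii_char


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Classic examiner layout: offset, `width` hex bytes, then the ASCII column."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(byte_views(b)[1] for b in chunk)
        ascii_part = "".join(byte_views(b)[2] for b in chunk)
        # Pad the hex column so the ASCII column lines up on every row.
        lines.append(f"{offset:08X}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


if __name__ == "__main__":
    # Show the three views for a single byte, then the dump of the whole sample.
    print("binary / hex / ascii for 0x41:", byte_views(0x41))
    for line in hexdump(SAMPLE):
        print(line)
```

The non-printable bytes (the carriage return, line feed, nulls, and the 0xFF and 0xFE values beyond seven-bit ASCII) appear as dots in the ASCII column, which is why an examiner reads the hexadecimal column rather than the text column when the bytes are not text.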
Computer evidence has both a physical component (the storage media) and a nonphysical component (electronic impulses and magnetic orientation). By its nature, digital evidence proves susceptible to alteration, either inadvertently or purposely. “It is a product of the data stored, the application used to create and store it, and the computer system that directs these activities.”9
Preservation of Computer Forensic Evidence
Computer forensic science encompasses four key elements: identification, preservation, analysis, and presentation.10 Manual handling, processing, and authenticity issues serve as the basis of the preservation aspect. Safeguards and methodologies used by computer forensic examiners must ensure the preservation of digital evidence to withstand judicial scrutiny should the matter go to trial.11 In this regard, computer forensic examiners seek to work from images or copies of the original digital media rather than from the original itself. This premise finds its basis in protecting original digital evidence from accidental damage or unintentional alteration, leaving it in the best possible state for authentication purposes.12 When duplicating evidence, the original needs forensically sound handling from its initial seizure until its final disposition. This requires a chain of custody to assure proper handling by qualified individuals. Also, the duplication must produce an accurate reproduction of the original. Failure to authenticate the duplicate image or copy may invalidate any results produced from it. The duplication process requires the examiner to protect the original from accidental alteration (for example, by writing to it only through a write-blocking device) and to use methods and applications that assure the duplicate image will produce output that would match output from the original. Agency standard operating procedures and policy manuals delineate methods of handling and duplicating. Failure to adhere to agency policies and procedures invites the courts to question the accuracy and reliability of the data, the examination process, and the examiner’s “intellectual rigor.” For the admissibility of the evidence, courts require proof of its authenticity. Two U.S. Supreme Court cases, Daubert v. Merrell Dow Pharmaceuticals, Inc. (1993) and Kumho Tire Co. v. Carmichael (1999), have brought the standards of forensic science and expert testimony concerning admissibility of evidence into focus.
The major factor that underlies the authenticity of duplicate evidence is data set validation.
The process of validating digital data sets proves straightforward. Forensic examiners use an algorithm13 to compute a fixed-length hexadecimal value, a hash, that represents the entire data set. For example, an MD514 one-way hash15 produces a 128-bit value, written as 32 hexadecimal characters, so there are 2^128 possible values. This equates to approximately 340 billion billion billion billion distinct values. Theoretically, two different data sets could produce the same value, but the chance of this happening by accident is negligible. By comparison, in cases where DNA results have identified a subject, probability tables exclude or include an individual using probabilities of one in several billion, and courts accept such results as unique to an individual, or a very small population of individuals. The likelihood of two different data sets producing the same MD5 value by chance is vastly smaller still. One caveat applies: this probability argument addresses accidental alteration, not an adversary who deliberately constructs two different inputs with the same MD5 value, which researchers have since shown to be feasible; for that reason examiners now record a second hash, such as SHA-256, alongside MD5 when documenting an image. With known and tested computer forensic tools and hash algorithms, there exists a means to duplicate and authenticate digital evidence, and the duplicate’s authenticity can be equated to that of the original.
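The duplication and authentication steps described in the preceding two paragraphs, as an added example that is not part of the original article and does not represent any particular agency’s tooling: a constructed byte string stands in for the original media, the image is copied sector by sector, and the original and duplicate are hashed with MD5 and SHA-256 (the second algorithm is this example’s addition to the MD5-only discussion above). A single-bit change to the duplicate, simulating contamination, shows why a hash mismatch is decisive.

```python
"""Duplicate a stand-in 'drive' and authenticate the duplicate by hash comparison."""
import hashlib

SECTOR = 512
# Constructed stand-in for original media: eight sectors of made-up bytes.
# This is not an image of real evidence.
ORIGINAL = bytes((i * 31 + 7) % 256 for i in range(8 * SECTOR))


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hash the whole data set; MD5 yields 32 hex characters, SHA-256 yields 64."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def acquire(source: bytes) -> bytes:
    """Bit-for-bit duplicate, copied one sector at a time as an imaging tool would.
    In practice the source is read through a write blocker so it cannot be altered."""
    return b"".join(source[i:i + SECTOR] for i in range(0, len(source), SECTOR))


def authenticate(original: bytes, duplicate: bytes,
                 algorithms=("md5", "sha256")) -> dict:
    """Compare digests of original and duplicate under each algorithm.
    Returns {algorithm: (original_digest, duplicate_digest, match)}."""
    result = {}
    for alg in algorithms:
        o, d = digest(original, alg), digest(duplicate, alg)
        result[alg] = (o, d, o == d)
    return result


def flip_one_bit(data: bytes, offset: int, bit: int) -> bytes:
    """Return a copy with one bit changed, simulating inadvertent contamination."""
    mutable = bytearray(data)
    mutable[offset] ^= 1 << bit
    return bytes(mutable)


if __name__ == "__main__":
    duplicate = acquire(ORIGINAL)
    for alg, (o, d, ok) in authenticate(ORIGINAL, duplicate).items():
        print(f"{alg:7} original : {o}")
        print(f"{'':7} duplicate: {d}  match={ok}")
    # One bit in one byte of one sector is enough to change every digest.
    tainted = flip_one_bit(duplicate, offset=1000, bit=0)
    for alg, (o, d, ok) in authenticate(ORIGINAL, tainted).items():
        print(f"{alg:7} after a one-bit change: match={ok}")
```

The digests printed for the original at acquisition are the values an examiner records in the chain of custody; recomputing them over the duplicate at examination time, and again before testimony, is the authentication step the Federal Rules of Evidence discussion below relies on.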
Federal Rules of Evidence –Original Evidence
The Federal Rules of Evidence16 (FRE) cover duplicate digital evidence and its authentication. For admissibility in court, the evidence should possess a chain of custody to show that no inadvertent or purposeful contamination occurred. Preserving evidence to ensure its integrity proves important to the courts’ consideration of its originality.
These rules define original electronic documents. FRE 1001 (1) defines writings and recordings to include magnetic, mechanical, and electronic methods of setting down letters, words, numbers, and their equivalents. FRE 1001 (3) states, “If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect accurately, is an ‘original.’”17 FRE 1003 provides that “a duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.”18 FRE 1001 (4) defines duplicate as “a counterpart produced by the same impression as the original… by mechanical or electronic rerecording…or by other equivalent techniques which accurately reproduces the original.”19 FRE 901 (a) provides that “the requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.”20 Example 9 of FRE 901 (b) states, “Process or system. Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.”21 Title 42 U.S. Code, Section 2000aa-7, covers digital evidence under definition (a), “documentary materials,” which states, “materials upon which information is recorded, and includes, but is not limited to…other mechanically, magnetically, or electronically recorded cards, tapes, or discs….”22 Original evidence or a derivative of the original, either electronic or printed, therefore, proves admissible if the handling, duplication, and authenticity provides assurance to courts that the evidence is as claimed.
Computer Numbering Systems

Decimal   Binary   Hexadecimal
00        0000     0
01        0001     1
02        0010     2
03        0011     3
04        0100     4
05        0101     5
06        0110     6
07        0111     7
08        1000     8
09        1001     9
10        1010     A
11        1011     B
12        1100     C
13        1101     D
14        1110     E
15        1111     F
Conclusion
The computer age dramatically has changed how people relate to each other, but not their basic human nature. A minority of individuals who believe there exists a shortcut to riches, or who invade the privacy or innocence of others, continue to carry out their criminal agendas. However, now they more likely use a computer or other digital device to store information about their actions or to commit their crimes.
Law enforcement agencies recognize that digital devices will increase in use in the commission of crimes and that human and equipment resources to examine this evidence will prove an expanding department budgetary item. Agencies that employ or use computer forensic laboratory resources must recognize that computer forensic examiners need to 1) adhere to a set of scientific standards that include a chain of custody policy encompassing the unique nature of digital evidence, 2) use standard operating procedures that assure known results from duplication and authentication, and 3) follow policies that meet standards of forensic science and expert witness testimony as promulgated by the courts.
The ultimate goal of law enforcement has not changed, but crimes are committed in new ways. To preserve the freedoms all Americans enjoy, evidence of criminal activity still requires preservation, examination, and analysis in a forensically sound manner to show the innocence or guilt of a suspect.
Endnotes
1 Kathryn Balint, “Computers May Reveal Secrets Behind Crimes”; retrieved on July 23, 2003, from https://www.signonsandiego.com/news/metro/santana/20010312-9999_1n12compute.html.
2 The author based this article largely on his research on and experience with the subject of computer forensics. Law enforcement agencies should refer to appropriate legal guidelines applicable to their jurisdictions.
3 Loring Wirbel, “Comms Pioneer Claude Shannon Dead at 84”; retrieved on July 23, 2003, from https://www.eetimes.com/story/OEG20010227S0045.
4 David Carter and Andra Katz, “Computer Crime: An Emerging Challenge for Law Enforcement”; retrieved on July 23, 2003, from https://www.sgrm.com/art11.htm.
5 Loren Mercer, “Chain of Custody Issues Regarding the Handling of Digital Evidence” (masters thesis, National University, 2001).
6 Thomas Floyd, Digital Fundamentals (New York, NY: Merrill, 1990).
7 The term base describes the number of digits used in a particular numbering system. For instance, the decimal numbering system is a base-10 system.
8 For further information, see https://www.geocities.com/regia_me/sig-mag.htm, accessed on July 23, 2003.
9 Michael Noblett, Mark Pollitt, and Lawrence Presley, “Recovering and Examining Computer Forensic Evidence,” Forensic Science Communications 2, no. 4 (2000); retrieved on July 23, 2003, from https://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm.
10 Rodney McKemmish, “What Is Forensic Computing,” Australian Institute of Criminology–Trends and Issues in Criminal Justice (June 1999): 1-6; retrieved on July 23, 2003, from https://www.aic.gov.au/publications/tandi/ti118.pdf.
11 J. Borck, “Leave the Cybersleuthing to the Experts,” InfoWorld 23, no. 54 (2001).
12 Supra note 9.
13 A formula or set of steps for solving a particular problem.
14 For further information, see www.permissiontechnology.com/md_5_hash_resources.htm, accessed on July 15, 2003.
15 For further information, see www.rsasecurity.com/rsalabs/faq/2-1-6.html, accessed on July 15, 2003.
16 Federal Rules of Evidence; retrieved on July 23, 2003, from https://www.law.cornell.edu/rules/fre/overview.html.
17 Ibid.
18 Ibid.
19 Ibid.
20 Ibid.
21 Ibid.
22 42 U.S.C. § 2000aa-7.