Showing papers on "Digital evidence published in 2002"


Journal Article
TL;DR: In this paper, the authors discuss inherent uncertainties in network related evidence that can be compounded by data corruption, loss, tampering, or errors in interpretation and analysis, and introduce methods of estimating and categorizing uncertainty in digital data.
Abstract: Despite the potentially grave ramifications of relying on faulty information in the investigative or probative stages, the uncertainty in digital evidence is not being evaluated at present, thus making it difficult to assess the reliability of evidence stored on and transmitted using computer networks. As scientists, forensic examiners have a responsibility to reverse this trend and address formally the uncertainty in any evidence they rely on to reach conclusions. This paper discusses inherent uncertainties in network related evidence that can be compounded by data corruption, loss, tampering, or errors in interpretation and analysis. Methods of estimating and categorizing uncertainty in digital data are introduced and examples are presented.

138 citations


01 Jan 2002
TL;DR: As described in this paper, a Postal Inspector submitted a computer to examine for the presence of specific evidence he had enumerated in the letter of request. The evidence technician logged in the computer, assigned it a case number, and brought the request to me, inquiring “What should we do with this?” That was the beginning of an odyssey that I still pursue.
Abstract: Author’s Comments During my tenure as director of the Postal Inspection Headquarters Laboratory (1988-1992), a Postal Inspector submitted a computer to examine for the presence of specific evidence he had enumerated in the letter of request. The evidence technician logged in the computer, assigned it a case number, and brought the request to me, inquiring “What should we do with this?” That was the beginning of an odyssey that I still pursue. The Inspection Service Laboratory had a Questioned Document Section. Since a computer seemed to be an obvious evolution of paper documents, I called the manager of that section, Drew Somerford, and asked him to take the case. He was reluctant to sign for the evidence. Even though there might have been “documents” on the hard drive, it was outside his expertise. How do you secure and preserve the evidence? How do you collect it without changing it? What are the accepted practices related to computer evidence that would stand the scrutiny of court? What are the examination protocols? It was technology that we did not know how to handle in the crime laboratory. We submitted the computer evidence to the Federal Bureau of Investigation (FBI). The FBI Laboratory had a unit for computer evidence, and they worked the case. The Postal Inspection Service had a team of inspectors who were trained to work computer crime cases, but the laboratory was not equipped to assist them in processing evidence at that time.

58 citations


Journal Article
TL;DR: The dramatic move from paper to bits combined with the ability and necessity to bring digital data to court, however, creates a critical question: how do the authors prove the integrity of this new form of information known as “digital evidence”?
Abstract: During the latter half of the 20th century, a dramatic move from paper to bits occurred. Our use of digital communication methods such as the world-wide-web and e-mail has dramatically increased the amount of information that is routinely stored in only a digital form. On October 1, 2000 the Electronic Signatures in National and Global Commerce Act was enacted, allowing transactions signed electronically to be enforceable in a court of law. (Longley) The dramatic move from paper to bits combined with the ability and necessity to bring digital data to court, however, creates a critical question. How do we prove the integrity of this new form of information known as “digital evidence”?

52 citations


Journal Article
TL;DR: The recovery of digital documents in the Enron case and the use of email in the Microsoft antitrust case have brought these concerns to the fore, and forensics investigators are all more aware of the risks inherent in the efficient method of deleting files used by modern operating systems.
Abstract: Those of you concerned with privacy issues and identity theft will be familiar with the concept of dumpster diving. Trash often reveals the dealings of an individual or a corporation. The risks of revealing private information through the trash have led to a boom in the sale of paper shredders (and awareness of the risks of reassembling shredded documents). However, how many of us take the same diligent steps with our digital information? The recovery of digital documents in the Enron case and the use of email in the Microsoft antitrust case have brought these concerns to the fore. For example, we are all more aware of the risks inherent in the efficient ("lazy") method of deleting files used by modern operating systems, where files are forgotten about rather than actually removed from the drive. There will certainly be an increase in the sales of "wiper" software following this increased awareness, but that's not the end of the story. Overwriting data merely raises the bar on the sophistication required of the forensic examiner. To ensure reliable data storage, the tracks on hard-drive platters are wider than the influence of the heads, with a gap (albeit small) between tracks. Thus, even after wiper software has been applied, there may still be ghosts of the original data, just partially obscured. So, what more can we do? Clearly we are in a tradeoff between the cost to the user and the cost to the investigator. To take the far extreme, we would take a hammer to the drive and melt down the resulting fragments, but this is not feasible without a large budget for disks. One could booby-trap the computer, such that if a certain action isn't taken at boot time, the disk is harmed in some way. Forensics investigators are mindful of this, however, and take care to examine disks in a manner that does not tamper with the evidence.
If we're open to custom drives, we could push the booby trap into the drive hardware, causing it to fail when hooked up to investigative hardware (or, more cunningly, produce a false image of a file system containing merely innocent data). Another approach is to consider file recovery as a fait accompli and ensure the recovered data is not available as evidence. Encryption clearly has a role to play here. An encrypting file system built into your …

49 citations


Journal Article
TL;DR: Encryption can also delay investigations, increase their costs, and necessitate the use of investigative methods which are more dangerous or invasive of privacy.
Abstract: The threat [of encryption] is manifest in four ways: failure to get evidence needed for convictions, failure to get intelligence vital to criminal investigations, failure to avert catastrophic or harmful attacks, and failure to get foreign intelligence vital to national security. Encryption can also delay investigations, increase their costs, and necessitate the use of investigative methods which are more dangerous or invasive of privacy. (Demming, Baugh, 1997a)

36 citations


Patent
04 Jun 2002
TL;DR: In this article, a method for packaging digital evidence for long term validation comprises forming a package of a digital document (10), an electronic signature (12) for the document, together with evidence of the authority of the signature in the document and a time stamp (20) indicating when the document was digitally signed.
Abstract: A method for packaging digital evidence for long term validation comprises forming a package of a digital document (10), an electronic signature (12) for the document (10), together with evidence (16) of the authority of the signature in the document and a time stamp (20) indicating when the document was digitally signed. All of the pieces form parts of the packaged evidence.

23 citations


Journal Article
TL;DR: The invention provides the significant advantages of decaying small image features, such as speckle noise, at a significantly faster rate than large image features, such as target returns.
Abstract: A method of operating a computing machine for reducing speckle noise in video images, particularly radar images, utilizes a complementary hulling technique on vertical pixel grids of the array. The vertical pixel contours which are subjected to the complementary hulling are derived from intersections of vertical grids with conceptual superposed gray-scale surfaces which have front end values corresponding to the gray-scale pixel values. The invention provides the significant advantages of decaying small image features, such as speckle noise at a significantly faster rate than large image features, such as target returns.

13 citations


Journal Article
TL;DR: The rate at which digital information is produced today is incomprehensible, as digital pictures, financial information, communications, phone records, transaction logs, books, and movies are all now increasingly being used in digital form.

7 citations


Journal Article
TL;DR: This initial edition of the International Journal of Digital Evidence (IJDE) has an opportunity to identify, prioritize, and focus upon some of the most important aspects of this issue, free of irrelevant influences.
Abstract: www.ijde.org 1 Digital Evidence: The Moral Challenge Tom Talleur, Managing Director, KPMG LLP’s Forensic Practice My colleagues, co-founders, and I, are fortunate to have this opportunity to characterize a framework for discourse on the topic of digital evidence in this initial edition of the International Journal of Digital Evidence (IJDE). In this respect, we have an opportunity to identify, prioritize, and focus upon some of the most important aspects of this issue, free of irrelevant influences.

6 citations


Journal Article
TL;DR: The paper puts forward a research model for computer forensics on the basis of several years experience of study and research and several required techniques according to the characteristic of digital evidence.
Abstract: Firstly, this article introduces the purpose of the research of the computer forensics, then analyzes several required techniques of computer forensics according to the characteristic of digital evidence, and finally, on the basis of several years' experience of study and research, the paper puts forward a research model for computer forensics.

2 citations


Book Chapter
17 Apr 2002
TL;DR: The authors believe that evidence can be basically classified into that which is legally authorized and that which is not, and that making a clear distinction between them will help to accelerate research and development of digital evidence-making systems.
Abstract: With the electronic signature law and related laws now being put into effect, evidence-making based on digital signatures is about to come into widespread use in society. Methods for making digital evidence have not been established, however, for several important areas such as long-term maintenance of digital evidence. The authors believe that evidence can be basically classified into that which is legally authorized and that which is not, and that making a clear distinction between them will help to accelerate research and development of digital evidence-making systems.

01 Oct 2002
TL;DR: The current cyber forensic certification/validation efforts are described along with a best practices model and the potential for an Information Analysis Center (IAC) in computer forensics was explored.
Abstract: The objective of this effort was to develop methodologies and standards for cyber forensics methods and tools. The current cyber forensic certification/validation efforts are described along with a best practices model. The potential for an Information Analysis Center (IAC) in computer forensics was explored. Finally, the International Journal of Digital Evidence, an online journal, was established to report the research findings in these areas as well as other cyber forensics research.