Sunday, January 18, 2009

The Science and Art of Computer Forensics Part 2

If you missed The Science and Art of Computer Forensics - Part 1, you should read it first, of course.
At this point I am going to backtrack a bit and talk some more about how a computer forensics investigation works.
If you need some background on what computer forensics is, please see my previous post, What is digital forensics?
Once a computer or other data storage evidence has been collected, it must be forensically copied and then analyzed.  There are specific steps that must be taken in every case to ensure that the evidence is properly handled, stored, and analyzed.
Now that the computer is in the hands of the computer forensics analyst in the lab, the analysis can begin in earnest.
What the analyst can search for on the computer has already been determined in the search warrant for the evidence.  Based on the parameters of the warrant, the investigating detective or the prosecutor may ask for the analyst to search for specific keywords that may be relevant to the case.  These keywords are normally developed out of the investigation, either from other evidence or from witness statements.  They may also ask that the analyst focus on specific time periods surrounding the commission of the crime.
Items that normally come into play in many investigations are Internet history, keyword searches performed on the computer, email, documents, pictures and financial records to name a few.  This is not meant to be an exhaustive list.
With the parameters of the investigation in hand, the analyst will open a new case in whatever software he or she uses for forensic analysis. It will most likely be EnCase by Guidance Software, since they have the vast majority of the forensic software market worldwide.
(Note that I am skipping all of the copying, verification, hashing and other technical details that are not really needed for this article.)
Once the analyst creates a new case in the forensic software program, he or she will add the evidence to the case. This loads everything into the forensic software so it can be analyzed, and creates storage for the results of the analysis in the case-specific locations used by the lab.
All of this so far is still science.  No art involved.
The analyst will perform the searches and data recovery needed to find items relevant to the case, compile those facts into a report and present them to the investigating detective.  The detective at that point will present those findings to the prosecutor assigned to the case for review. 
It may not happen exactly like that or in that order, but it will happen, as that information becomes part of the story that will be told to a jury.
What happens subsequent to that process is where the art comes in.  The prosecution will interpret those facts and include them in their version of what happened.  Not always, but in many cases, those facts will be used in a context that is favorable to the prosecution, independent of whether or not the context correctly supports the facts.
What did I just say? Did that make any sense?  Let me illustrate:
In a capital murder case I worked several years ago, a woman was accused of conspiring with her paramour to murder her husband. In this case, a search was performed on the key phrase "body bag." This was used in the case to show that search hits for the phrase "body bag" came up over thirty times. (I don't remember the exact number at this point.)
Now that sounds pretty ominous if left alone. However, the search hits all came from a single eBay page. Over thirty hits, but only one page, and only one search, with no evidence that anything was purchased from those pages. Couple that with the fact that the accused was a collector of medical curiosities and regularly searched on eBay for old medical devices. Is that a relevant fact or a red herring? It all depends on how you tell the story, and whether, as Paul Harvey would opine, you heard "The rest of the story."
What about more common terms like murder?  Have you ever searched for something that in your mind is completely benign until you begin to look at it from the standpoint of being accused of a crime?
Ever search for terrorism?  How IEDs are made?  Choking?  Ever searched on Google for information on a particular drug?  What about kidnapping?  Knot tying techniques?
All of those can be just something you want to know about and mean nothing more, unless you are suspected of a crime. Then they can become an electronic witness against you.  Unless of course, they are put into the right context.
How could you put something like that into the proper context? By following your trail to the end and not just stopping when you see the tracks. That is what an expert should do: make sure that the whole trail is followed to its logical conclusion so that the facts can be presented in the correct context. After all, two stories may ring of truth, but only one can really be the truth.
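The "body bag" anecdote above and the point about following the trail to its end come down to one reporting habit: never present a raw keyword hit count without saying how many distinct artifacts produced it, when they were created, and what the surrounding text says. The following is an added example, not code from this post and not how EnCase or any other forensic suite works internally. It runs a phrase search over a small set of constructed artifacts (a cached auction page that repeats the phrase once per listed item, plus a few unrelated records), restricts them to the time window the warrant covers, and reports hits grouped by source with a context snippet, so "32 hits" is shown next to "1 page". The artifact names, URLs and timestamps are invented for the example.

```python
"""Keyword hits grouped by the artifact they came from (constructed example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Artifact:
    """One recovered text artifact: where it came from, what it is, when it was created."""
    source: str        # URL or file path the text was recovered from (constructed)
    kind: str          # web_cache, search_history, document, email ...
    created: datetime  # timestamp attributed to the artifact
    text: str


@dataclass(frozen=True)
class Hit:
    source: str
    kind: str
    created: datetime
    offset: int        # character offset of the match inside the artifact text
    snippet: str       # the match with surrounding context


# Constructed sample evidence: one cached auction page repeats the phrase once per
# listed item; nothing else on the "drive" mentions it as a phrase.
_LISTING_TEXT = "Vintage medical collectibles - 32 results. " + " ".join(
    f"Lot {i}: canvas body bag, military surplus, buy it now." for i in range(1, 33)
)

ARTIFACTS = [
    Artifact("http://example-auction.invalid/search?q=medical+curiosities", "web_cache",
             datetime(2008, 3, 4, 21, 15), _LISTING_TEXT),
    Artifact("browser search history", "search_history",
             datetime(2008, 3, 4, 21, 14), "ebay search: antique medical devices"),
    Artifact("C:/Users/owner/Documents/estate.docx", "document",
             datetime(2008, 1, 12, 9, 0), "The body of the estate passes to the surviving spouse."),
    Artifact("mailbox/inbox/0042.eml", "email",
             datetime(2008, 3, 20, 8, 30), "Can you bag the body shop receipts for the accountant?"),
]


def compile_keyword(keyword: str) -> re.Pattern:
    """Whole-phrase, case-insensitive match; any whitespace run may separate the words."""
    parts = [re.escape(p) for p in keyword.split()]
    return re.compile(r"\b" + r"\s+".join(parts) + r"\b", re.IGNORECASE)


def in_window(artifacts, start: datetime, end: datetime):
    """Keep only artifacts whose timestamp falls inside the period the warrant covers."""
    return [a for a in artifacts if start <= a.created <= end]


def find_hits(artifacts, keyword: str, context: int = 24):
    """Every match of the phrase, each tagged with its source and a context snippet."""
    pattern = compile_keyword(keyword)
    hits = []
    for art in artifacts:
        for m in pattern.finditer(art.text):
            lo, hi = max(0, m.start() - context), min(len(art.text), m.end() + context)
            hits.append(Hit(art.source, art.kind, art.created, m.start(), art.text[lo:hi]))
    return hits


def summarize(hits):
    """Raw hit count next to the number of distinct artifacts that produced them."""
    per_source = Counter(h.source for h in hits)
    return {
        "raw_hits": len(hits),
        "distinct_sources": len(per_source),
        "per_source": dict(per_source),
    }


def report(artifacts, keyword: str, start: datetime, end: datetime) -> list[str]:
    """Report lines: the headline number, then one line per source with a sample snippet."""
    hits = find_hits(in_window(artifacts, start, end), keyword)
    s = summarize(hits)
    lines = [f'keyword "{keyword}": {s["raw_hits"]} hits across {s["distinct_sources"]} distinct source(s)']
    first_snippet = {}
    for h in hits:
        first_snippet.setdefault(h.source, h)  # first hit per source stands in for the rest
    for source, count in sorted(s["per_source"].items(), key=lambda kv: -kv[1]):
        h = first_snippet[source]
        lines.append(f"  {count:>3} x {h.kind:<14} {h.created:%Y-%m-%d %H:%M}  {source}")
        lines.append(f"        ...{h.snippet}...")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ARTIFACTS, "body bag", datetime(2008, 1, 1), datetime(2008, 12, 31))))
```

Searching the same data for the single word "body" instead of the phrase picks up the estate document and the "body shop" email as well, which is the other half of the lesson: the headline count changes with the search term, and only the per-source lines with their snippets tell the reader which hits are really the same event.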
