READ: Computer Evidence

Site: Mountain Heights Academy OER
Course: Medical Forensics Q3
Book: READ: Computer Evidence
Date: Saturday, 26 April 2025, 12:43 PM

Data Storage in Computers


We live in a digital society in which most people have access to at least one computer or device capable of storing data. Think about the devices you have in your home or are using to access this material right now; whether it is a smartphone, tablet, laptop or personal computer, it all counts! Because so many people rely on their devices for daily tasks such as scheduling appointments or email, as well as for more sensitive documentation such as medical or legal paperwork, computer devices have become an important component of forensic investigations.


Social Media

In recent years, social media has shown the enormous impact it has on many facets of society, including crime and criminal behavior. An important area of computer forensics outside of basic data storage is social media. Think of all of the things that you may have posted on a social media site such as Facebook, Snapchat or Twitter in the past year. That information never truly goes away and can be obtained and used by law enforcement when investigating a crime. A picture and post of a person bragging about a crime they just committed can be used against them, as has happened numerous times in recent years! On the flip side, social media can sometimes be used in more positive ways, such as broadcasting AMBER Alerts for kidnapped children or missing persons.

Social networks are also used for specifically criminal purposes such as phishing, fraud, scams, as a way for child predators to find new victims, and cyber bullying. Phishing is a technique in which a person attempts to extract personal information, such as login details for a bank account, for the purpose of identity theft. This is often done by email or links on social networking sites in which you are taken to a different site that may look identical to your actual login site, but is at a different web address as set up by the phisher. Once you "log in" on the fake site, the phisher has your personal information and can log in as you on the authentic bank site!
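The "different web address" is the one thing a phishing page cannot copy, so it is the thing to check. The Python below is an added example, not part of the original course material; the trusted host and the sample links are constructed, using reserved example names.

```python
from urllib.parse import urlsplit

# Assumption: the one real login host the user expects (reserved example name).
TRUSTED_HOSTS = {"bank.example.com"}

def link_host(url):
    """Return the host a browser would actually contact, normalised, or None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # malformed link
        return None
    return host.lower().rstrip(".") if host else None

def is_trusted_login(url, trusted=TRUSTED_HOSTS):
    """True only for an https link whose host exactly equals a trusted host."""
    try:
        scheme = urlsplit(url).scheme
    except ValueError:
        return False
    return scheme == "https" and link_host(url) in trusted

# Constructed sample links, each paired with the reason it passes or fails.
SAMPLES = [
    ("https://bank.example.com/login", "the real site"),
    ("http://bank.example.com/login", "right host, but not encrypted"),
    ("https://bank.example.com.verify.test/login", "real name is only a prefix"),
    ("https://bank.example.com@login.verify.test/", "text before @ is a username"),
    ("https://bank-example.com/login", "hyphen instead of a dot"),
]

def check_samples():
    """Return (url, real host, trusted?) for every sample link."""
    return [(url, link_host(url), is_trusted_login(url)) for url, _ in SAMPLES]

if __name__ == "__main__":
    for (url, why), (_, host, ok) in zip(SAMPLES, check_samples()):
        print(f"{'OK  ' if ok else 'FAKE'} host={str(host):<30} {why}")
```

Only the first link passes; every other one shows the bank's name somewhere in the address while pointing at a different host or dropping encryption.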

While you are probably familiar with child predators and scams such as email forwards stating you won unbelievable prizes, you may not know as much about cyber bullying. Cyber bullying is a growing concern among young people in your age group. Cyber bullying is when a child, preteen or teen is tormented, threatened, harassed, humiliated, embarrassed or otherwise targeted by another child, preteen or teen using the Internet, interactive and digital technologies or mobile phones.

What should you do if you or someone you know is a victim of cyber bullying?

  1. Do not delete, forward or respond to messages of cyber bullying.

  2. Save evidence of the incident with dates, times, screenshots, pictures, emails, texts etc. Document the incidents as well as possible.

  3. Block the person.

  4. Report the person to the administrator of the website or to the internet service provider. There is often a specific clause in user agreements about abusive practices not being tolerated on the site.

  5. If it concerns something occurring at school, you and your parents may need to speak with school officials about the issue.

  6. Know when to call law enforcement such as in these cases:

     a. Threats of violence

     b. Child pornography or sexually explicit content is involved

     c. Photos or videos made in some place where a person would expect privacy

     d. Stalking issues

     e. Hate crimes

Georgia Virtual, Handwriting Analysis and Computer Forensics, CC BY-NC-SA 3.0

Processing an Electronic Crime Scene

Processing the Electronic Crime Scene

Basic computer and device knowledge is now critical in many investigations and is therefore part of all forensic investigator training. This ensures that when computer evidence is seized from a crime scene or suspect, it is collected and preserved in such a way that data can be recovered and remains admissible in court as evidence.

When entering a crime scene where electronic or computer evidence is going to be collected, it is important that the investigator have some specialized equipment to properly handle and collect the evidence. Some specialty tools needed include anti-static bags to prevent static discharges which can cause damage in some computer components, nonmagnetic tools to avoid erasing or disturbing sensitive data stored on the computer with magnetic components and special radio frequency shielding material to block incoming calls, texts or emails that may disturb or alter the device and evidence.

Once at the scene, the investigators should follow typical electronic evidence guidelines such as:

  • Secure all devices and ensure that they are blocked from radio frequency signals that could alter evidence.

  • Make sure that the evidence is kept secure so that no one has unauthorized access to the equipment.

  • Investigators should never accept help from any unauthorized person when securing electronic equipment. It could be someone connected to the crime trying to delete or alter evidence!

  • Make sure that nothing on the device is altered while you are securing it. Even the smallest alterations can render evidence unusable.

  • If the device is off, leave it off!

  • If the device is on, check the computer for running commands that could get rid of data, such as deleting, formatting, wiping, copying, or uploading.

  • Check to be sure that the computer isn't being controlled remotely by another device and that the webcam isn't activated!

  • Next, investigators will need to obtain as much information as possible about who had access to the computer including things such as all usernames and passwords, and security programs on the computer.

  • Investigators must document all locations and identifying information, such as serial numbers, in the crime scene report documents and in photos or video. If the device is on, a photo should be taken of the screen to show what was displayed when it was found.

  • Electronic devices, once secured and documented can be packed in paper, cardboard or anti-static packages. They should not be packed in plastic because of the risk of static and condensation from any fluids (such as blood) that may be present on the device.

Steps in obtaining forensic evidence from a device:

  1. The investigator first makes a copy of the hard drive, all files, and all parts of the device in which he or she intends to search for evidence. An investigator ALWAYS works from a copy of the device rather than the device itself to avoid losing or altering valuable data and evidence!

  2. The investigator will try to recover deleted data from the files using special applications for this purpose.

  3. The investigator will use other applications to uncover hidden files and decrypt encrypted files.

  4. The investigator must document every step and application used when conducting an electronic analysis investigation. The evidence collected may not go to court for years, so it is important to have an accurate, written record to both review and present.
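The copy-then-document workflow in steps 1 and 4 can be sketched in a few lines of Python. This is an added example, not part of the original course material: comparing SHA-256 hashes is an assumption made here as a common way to show that a working copy matches the original, and the "device" is a constructed sample file.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in blocks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def log_step(log, tool, action, result):
    """Append one timestamped entry: which tool did what, with what result."""
    log.append({"utc": datetime.now(timezone.utc).isoformat(),
                "tool": tool, "action": action, "result": result})

def acquire(source, workdir):
    """Copy `source` to a working image, prove it matches, log every step."""
    log = []
    original = sha256_file(source)
    log_step(log, "sha256", "hash original", original)
    image = os.path.join(workdir, "working_copy.img")
    shutil.copyfile(source, image)
    os.chmod(image, 0o444)                      # working copy is read-only
    log_step(log, "copyfile", "create working copy", image)
    copy_hash = sha256_file(image)
    log_step(log, "sha256", "hash working copy", copy_hash)
    if copy_hash != original:
        raise ValueError("copy does not match the original")
    return image, original, log

def demo():
    """Acquire a constructed 'device', then show a later change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")    # constructed sample data
        with open(device, "wb") as f:
            f.write(b"constructed sample evidence\n" * 1000)
        image, original, log = acquire(device, tmp)
        clean = sha256_file(image) == original
        os.chmod(image, 0o644)                      # simulate an accidental edit
        with open(image, "r+b") as f:
            f.write(b"X")
        altered = sha256_file(image) != original
        return clean, altered, [entry["action"] for entry in log]

if __name__ == "__main__":
    print(demo())
```

Changing a single byte of the working copy changes its hash, which is why even the smallest alteration can be detected and why the log records the hash taken at acquisition.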

While computers and devices can provide clues to crimes that occur in our surrounding environment, crimes can also occur within the digital world! Common types of computer or electronic crime include digital piracy, website hacking, and cyber bullying.

Digital piracy is downloading to copy and share material that is protected by copyright. Examples of this include illegally downloading music or movie content or "ripping" content from DVDs or CDs. While it is common, it is also a crime that is investigated in forensic science! Piracy can be detected by examining a computer or device for signs of an illegal copy of content. Copies of the illegal content may have a digital watermark. A digital watermark is a pattern of data inserted into a digital image, audio or video file that identifies the owner of the copyright for the content as well as the rights to use the content. It is generally imperceptible to the user of the content and is only detected by a special program that specifically extracts digital watermarks.
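To see how a watermark can be present yet imperceptible, the added Python example below (not part of the original course material) hides an owner string in the lowest bit of each brightness value of a constructed grayscale image and then extracts it again. Least-significant-bit embedding is one simple scheme chosen here for illustration; the image and owner string are constructed.

```python
def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def embed(pixels, mark):
    """Return a copy of `pixels` with `mark` written into each lowest bit."""
    bits = to_bits(mark)
    if len(bits) > len(pixels):
        raise ValueError("image too small for this watermark")
    marked = list(pixels)
    for i, bit in enumerate(bits):
        marked[i] = (marked[i] & 0xFE) | bit    # replace only the lowest bit
    return marked

def extract(pixels, n_bytes):
    """Read `n_bytes` of watermark back out of the lowest bits."""
    if n_bytes * 8 > len(pixels):
        raise ValueError("image too small to hold that many bytes")
    out = bytearray()
    for start in range(0, n_bytes * 8, 8):
        value = 0
        for p in pixels[start:start + 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

# Constructed 16x16 grayscale "image": 256 brightness values from 0 to 255.
IMAGE = [(i * 37) % 256 for i in range(256)]
MARK = b"(c) Example Studio"                    # constructed owner string

def demo():
    """Return (recovered mark, largest brightness change, read of unmarked image)."""
    marked = embed(IMAGE, MARK)
    biggest_change = max(abs(a - b) for a, b in zip(IMAGE, marked))
    return extract(marked, len(MARK)), biggest_change, extract(IMAGE, len(MARK))

if __name__ == "__main__":
    print(demo())
```

No brightness value moves by more than 1 out of 255, which the eye cannot see, yet the extraction program recovers the owner string exactly.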

Website hacking is the use of a computer to gain unauthorized access to data in a system. It is a concern for nearly everyone: from the average person with an email account to the administrators of the most secure websites, people worry that their online information will be vulnerable to an attack.

It is such a concern that the Secret Service along with the FBI, Department of Homeland Security and all state law enforcement agencies have departments specifically assigned to address hacking groups such as the famous hacker group called "Anonymous"! This is a big problem without any easy answers. Hackers have many methods, but one of the more common is accessing the information on a computer through the "backdoor". The backdoor is a hole in the security of a computer system deliberately left in place by authorized programmers or repair personnel, but these can also be left behind by malicious intruders to get back into a system after having breached it once. It is synonymous with a trap door, which is a hidden software or hardware apparatus used to circumvent security mechanisms. Those who work to catch hackers often use a security measure known as a "honeypot". A honeypot is a lure set up to trap hackers and users with malicious intent as they attempt to gain entry into a computer system.


 
