In San Diego County, California San Diego County is a county located on the Pacific Ocean in the far southwest of the U.S. state of California, United States along its border with Mexico. According to the 2000 Census, its population was 2,813,833, making it the third largest county by population in the state and , forensic experts examined a laptop computer for evidence of notes used in the robbery of several local banks--a university professor later would plead guilty to bank robbery The examples and perspective in this article or section may not represent a worldwide view of the subject.
Please [ improve this article] or discuss the issue on the talk page.
Bank robbery is the crime of robbing a bank. charges and receive 9 years in prison, even though the laptop contained no saved notes. (1) In another case, a Navy enlisted man faced a dishonorable discharge dishonorable discharge
Discharge from the armed forces for a grave offense, such as cowardice, murder, sabotage, or espionage.
and time in the brig for possession of child pornography Child pornography is the visual representation of minors under the age of 18 engaged in sexual activity or the visual representation of minors engaging in lewd or erotic behavior designed to arouse the viewer's sexual interest. after the discovery of floppy disks in a backpack he inadvertently left on a dock at muster. These cases and many more, handled by computer forensic examiners every day, have convicted scores of criminals who committed or stored information pertaining to their crimes with computers and other digital devices. (2) Such criminal acts now transcend traditional business crimes.
Criminals commit few crimes today without involving a computing device of some type. This puts a strain on computer forensic examiners who have the training, skills, and abilities to properly handle digital evidence. Law enforcement agencies A law enforcement agency (LEA) is a term used to describe any agency which enforces the law. This may be a local or state police, federal agencies such as the Federal Bureau of Investigation (FBI) or the Drug Enforcement Administration (DEA). take different avenues of addressing this increasing load of computer evidence that requires examination to close cases. Many train a few of their law enforcement officers. Some train professional support technicians. Increasingly, agencies send their work to local or regional computer forensic laboratories. Regardless, an understanding of the proper evidentiary foundations for admission of computer-related evidence proves necessary for the courts to have confidence in the material ultimately presented.
Uniqueness of Computer Digital Evidence
In 1948, well-known mathematician Dr. Claude Shannon Noun 1. Claude Shannon - United States electrical engineer who pioneered mathematical communication theory (1916-2001)
Claude E. Shannon, Claude Elwood Shannon, Shannon outlined mathematical formulas that reduced communication processes to binary code binary code
Code used in digital computers, based on a binary number system in which there are only two possible states, off and on, usually symbolized by 0 and 1. Whereas in a decimal system, which employs 10 digits, each digit position represents a power of 10 (100, 1,000, and calculated ways to send them through communications lines. (3) Since then, computers and other digital computing devices have used encoding methods based on the binary numbering system.
Computers allow criminals to remain relatively anonymous and to invade the privacy and confidentiality of individuals and companies in ways not possible prior to the advent of the computer age. "Evidence of these crimes is neither physical nor human, but, if it exists, is little more than electronic impulses and programming codes." (4) This evidence can take the form of data digitally stored as text files, graphics files, sounds, motion pictures, data-bases, temporary files, erased files, and ambient computer data dumped on the storage device by the operating system operating system (OS)
Software that controls the operation of a computer, directs the input and output of data, keeps track of files, and controls the processing of computer programs.
or application program. If someone opened a digital storage device, they would see no letters, numbers, or pictures on it. Therefore, "understanding how a computer stores data is basic to understanding how sensitive that data is to inadvertent contamination and how important a chain of custody The movement and location of physical evidence from the time it is obtained until the time it is presented in court.
Judges in bench trials and jurors in jury trials are obligated to decide cases on the evidence that is presented to them in court.
becomes when testifying to the 'originality' of the evidence." (5)
Storage of Data
"Digital electronics involves circuits and systems in which there are only two possible states. The states are represented by two different voltage levels: a high or a low level. The two-state number system (base 2) is called binary, and its two digits are 0 and 1. A binary digit See bit. is called a bit." (6) Because reading strings of zeros and ones severely limits the number of people capable of reading a digital device and to accommodate letters, punctuation, and special characters, another decimal numbering system began--the hexadecimal See hex.
(mathematics) hexadecimal - (Or "hex" wink Base 16. A number representation using the digits 0-9, with their usual meaning, plus the letters A-F (or a-f) to represent hexadecimal digits with values of (decimal) 10 to 15. , or base 16, (7) system. The hexadecimal numbers express the binary values The following table shows the decimal value of a binary number when all bits in the binary number are 1. Just as the largest number in a group of decimal digits is all 9's, the largest number in a group of binary digits is all 1's. stored on a device. At a minimum, a truly readable alphanumeric code
You may be looking for Character encoding.
In general, in computing, an alphanumeric code is a series of letters and numbers (hence the name) which are written in a form that can be processed by a computer.
must represent 10 decimal digits and 26 letters, or 36 items. However, the inclusion of punctuation, symbols, and computer control codes requires a seven-bit code (2X2X2X2X2X2X2) yielding 128 combinations, or [2.sup.7]=128. The complete expression of binary information encompasses eight bits, with one sign bit and seven magnitude bits, ( cool giving 256 possible combinations. This eight-bit binary number represents one byte. Of the alphanumeric codes, the American Standard Code for Information Interchange American Standard Code for Information Interchange: see Envy Sleekbook m6-k012dx computer review ASCII.
American Standard Code for Information Interchange - The basis of character sets used in almost all present-day computers. (ASCII ASCII or American Standard Code for Information Interchange, a set of codes used to represent letters, numbers, a few symbols, and control characters. Originally designed for teletype operations, it has found wide application in computers. ) serves as the most widely used.
Although more complicated, hexadecimal numbering provides a way to input data into the computer that makes sense to the average person. After entry, computers write and read data to digital media by a "read-write\" head controlled by the microprocessor. For example, a computer may store data as minute magnetized regions along a track of a floppy disk. Other storage devices exist that store data in a different fashion, but all read the binary data binary data - binary file as a zero or a one.
Computer evidence has both a physical component (the storage media) and a nonphysical component (electronic impulses and magnetic orientation). By its nature, digital evidence proves susceptible to alteration, either inadvertently or purposely. "It is a product of the data stored, the application used to create and store it, and the computer system that directs these activities." (9)
Preservation of Computer Forensic Evidence
Computer forensic science The application of scientific knowledge and methodology to legal problems and criminal investigations.
Sometimes called simply forensics, forensic science encompasses many different fields of science, including anthropology, biology, chemistry, engineering, genetics, encompasses four key elements: identification, preservation, analysis, and presentation. (10) Manual handling, processing, and authenticity issues serve as the basis of the preservation aspect. Safeguards and methodologies used by computer forensic examiners must ensure the preservation of digital evidence to withstand judicial scrutiny should the matter go to trial. (11) In this regard, computer forensic examiners seek to use copies of images of original digital media for their investigations. This premise finds its basis in protecting original digital evidence from accidental damage or unintentional alteration, leaving it in the best possible state for authentication purposes. (12)
When duplicating evidence, the original needs forensically sound handling from its initial seizure until its final disposition. This requires a chain of custody to assure proper handling by qualified individuals. Also, the duplication must produce an accurate reproduction of the original. Failure to authenticate the duplicate image or copy may invalidate any results produced. The duplication process requires the examiner to protect the original from accidental alteration and to use methods and applications that assure the duplicate image will produce output that would match output from the original. Agency standard operating procedures standard operating procedure Medtalk A technique, method or therapy performed 'by the book,' using a standard protocol meeting internally or externally defined criteria; a formal, written procedure that describes how specific lab operations are to be performed. and policy manuals delineate methods of handling and duplicating. Failure to adhere to adhere to
verb 1. follow, keep, maintain, respect, observe, be true, fulfil, obey, heed, keep to, abide by, be loyal, mind, be constant, be faithful
2. agency policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental will cause the courts to question the accuracy and reliability of the data, the examination process, and the examiner's "intellectual rigor rigor /rig·or/ (rig´er) [L.] chill; rigidity.
rigor mor´tis the stiffening of a dead body accompanying depletion of adenosine triphosphate in the muscle fibers. ."
For the admissibility of the evidence, courts require proof of its authenticity. Two recent U.S. Supreme Court cases, Daubert vs. Merrell Dow Pharmaceuticals. Inc., 1993 and Khumo Tire Co. vs. Carmichael, 1997, have brought the standards of forensic science and expert testimony Testimony about a scientific, technical, or professional issue given by a person qualified to testify because of familiarity with the subject or special training in the field. concerning admissibility of evidence into focus. The major factor that underlies the authenticity of duplicate evidence is data set validation.
The process of validating digital data sets proves straight-forward. Forensic 17-j160nr laptop examiners use an algorithm (13) to create a hexadecimal numeric value representing the data set. For example, in an MD5 (14) one-way hash (15) sum, a 16-character hexadecimal value is produced by the algorithm where there are [2.sup.128] possible values. This equates to approximately 340 billion billion billion billion probable unique numbers. Theoretically, two different data set values could prove identical, but, practically, they cannot. By comparison, in cases where DNA DNA: see nucleic acid.
or deoxyribonucleic acid
One of two types of nucleic acid (the other is RNA); a complex organic compound found in all living cells and many viruses. There tend to be an excellent quantity of chocies in order to ponder when getting a new personal computer. Therefore, we now have provided some great info to suit the needs to make your own choice easier.It is the chemical substance of genes. results have identified a subject, probability tables exclude or include an individual using probabilities of one to several billion and stand accepted as unique to an individual, or a very small population of individuals, by courts. The likelihood of two identical values happening in an MD5 algorithm proves infinitely smaller. With known and tested computer forensic tools and hash algorithms, there exists a means to duplicate and authenticate digital evidence. The duplicate's authenticity can be equated to the original.
Federal Rules of Evidence--Original Evidence
The Federal Rules of Evidence The Federal Rules of Evidence generally govern civil and criminal proceedings in the courts of the United States and proceedings before U.S. Bankruptcy judges and U.S. magistrates, to the extent and with the exceptions stated in the rules. Promulgated by the U.S. (16) (FRE FRE French
FRE Freddie Mac (stock symbol)
FRE Federal Rules of Evidence
FRE Freedom Realty Exchange
FRE Freedom Party
FRE Food and Resource Economics
FRE Free Range Eggs
FRE French Real Estate ) cover duplicate digital evidence and its authentication. For admissibility in court, the evidence should possess a chain of custody to show that no inadvertent or purposeful contamination occured. Preserving evidence to ensure its integrity proves important to the courts' consideration of its originality.
These rules define original electronic documents. FRE 1001 (1) defines writings and recordings to include magnetic, mechanical, and electronic methods of setting down letters, words, numbers, and their equivalents. FRE 1001 (3) states, "If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect accurately, is an 'original.'" (17) FRE 1003 provides that "a duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original." (1 cool FRE 1001 (4) defines duplicate as "a counterpart produced by the same impression as the original ... by mechanical or electronic rerecording ... or by other equivalent techniques which accurately reproduces the original." (19) FRE 901 (a) provides that "the requirement of authentication or identification as a condition precedent condition precedent n. 1) in a contract, an event which must take place before a party to a contract must perform or do their part. 2) in a deed to real property, an event which has to occur before the title (or other right) to the property will actually be in the to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims." (20) Example 9 of FRE 901 (b) states, "Process or system. Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result." (21) Title 42 U.S. Code A multivolume publication of the text of statutes enacted by Congress.
Until 1926, the positive law for federal legislation was published in one volume of the Revised Statutes of 1875, and then in each sub-sequent volume of the statutes at large. , Section 2000aa-7, covers digital evidence under definition (a), "documentary materials," which states, "materials upon which information is recorded, and includes, but is not limited to ... other mechanically, magnetically, or electronically recorded cards, tapes, or discs...." (22) Original evidence or a derivative of the original, either electronic or printed, therefore, proves admissible if the handling, duplication, and authenticity provides assurance to courts that the evidence is as claimed.
The computer age dramatically has changed how people relate to each other, but not their basic human nature. A minority of individuals who believe there exists a shortcut (1) In Windows, a shortcut is an icon that points to a program or data file. Shortcuts can be placed on the desktop or stored in other folders, and double clicking a shortcut is the same as double clicking the original file. to riches, or who invade the privacy or innocence of others, continue to carry out their criminal agendas. However, now they more likely use a computer or other digital device to store information about their actions or to commit their crimes.
Law enforcement agencies recognize that digital devices will increase in use in the commission of crimes and that human and equipment resources to examine this evidence will prove an expanding department budgetary item. Agencies that employ or use computer forensic laboratory resources must recognize that computer forensic examiners need to 1) adhere to a set of scientific standards that include a chain of custody policy encompassing the unique nature of digital evidence, 2) use standard operating procedures that assure known results from duplication and authentication, and 3) follow policies that meet standards of forensic science and expert witness testimony as promulgated prom·ul·gate
tr.v. prom·ul·gat·ed, prom·ul·gat·ing, prom·ul·gates
1. To make known (a decree, for example) by public declaration; announce officially. See Synonyms at announce.
2. by the courts.
The ultimate goal of law enforcement has not changed, but crimes are committed in new ways. To preserve the freedoms all Americans enjoy, evidence of criminal activity still requires preservation, examination, and analysis in a forensically sound manner to show the innocence or guilt of a suspect.
Computer Numbering Systems
Decimal Binary Hexadecimal
00 0000 0
01 0001 1
02 0010 2
03 0011 3
04 0100 4
05 0101 5
06 0110 6
07 0111 7
08 1000 8
09 1001 9
10 1010 A
11 1011 B
12 1100 C
13 1101 D
14 1110 E
15 1111 F
(1) Kathryn Balint, "Computers May Reveal Secrets Bchind Crimes": retrieved on July 23, 2003, from http://www.signonsandiego.com/news/metro/santana/20010312-9999_1n12compute.html.
(2) The author based this article largely on his research on and experience with the subject of computer forensics The investigation of a computer system believed to be involved in cybercrime. Forensic software provides a variety of tools for investigating a suspect PC. Such programs may include a function that copies the entire hard drive to another system for inspection, allowing the. Choosing a CPU for your notebook is a crucial initial step. Note that a fourth Generation Intel Core i7-4702HQ Processor based on the Haswell micro-architecture provides for a fast and fluid user experience.original to . Law enforcement agencies should refer to appropriate legal guidelines applicable to their jurisdicions.
(3) Loring Wirbel, "Comms Pioneer Claude Shannon Dead at 84": retrieved on July 23, 2003, from http://www.eetimes.com/story/OEG20010227S0045.
(4) David Carter People called David Carter include:
David O. Carter (judge) (1944- ), A United States District Court judge.
David Carter (politician) (1952- ), a New Zealand politician.
David Carter (golfer) (1972- ), an English golfer.
and Andra Katz, "Computer Crime: An Emerging Challenge for Law Enforcement": retrieved on July 23, 2003, from http://www.sgrm.com/art11.htm.
(5) Loren Mercer, "Chain of Custody Issues Regarding the Handling of Digital Evidence" (masters thesis, National University, 2001).
(6) Thomas Floyd, Digital Fundamentals (New York New York, state, United States
New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of , NY: Merrill, 1990).
(7) The term base describes the number of digits used in a particular numbering system. For instance, the decimal numbering system is a base-10 system.
( cool For further information, see http://www.geocities.com/regia_me/sig-mag.htm. accessed on July 23, 2003.
(9) Michael Noblett, Mark Pollitt, and Lawrence Presley, "Recovering and Examining Computer Forensic Evidence," Forensic Science Communications 2, no. 4 (2000): retrieved on July 23, 2003, from http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm.
(10) Rodney McKemmish, "What Is Forensic Computing," Australian Institute of Criminology--Trends and Issues in Criminal Justice (June 1999): 1-6; retrieved on July 23, 2003, from http://www.aic.gov.au/publications/tandi/til18.pdf.
(11) J. Borck, "Leave the Cybersleuthing to the Experts," InfoWorld 23, no. 54 (2001).
(12) Supra A relational DBMS from Cincom Systems, Inc., Cincinnati, OH (www.cincom.com) that runs on IBM mainframes and VAXs. It includes a query language and a program that automates the database design process. note 9.
(13) A formula or set of steps for solving a particular problem.
(14) For further information, see www.permissiontechnology.com/md_5_hash_resources.htm. accessed on July 15, 2003.
(15) For further information, see www.rsasecurity.com/rsalabs/faq/2-1-6.html, accessed on July 15, 2003.
(16) Federal Rules of Evidence; retrieved on July 23, 2003, from http://www.law.cornell.edu/rules/fre/overview.html.
(1 cool Ibid.
(22) 42 U.S.C. [section] 2000aa-7.
BY LOREN D. MERCER, M.F.S.
COPYRIGHT 2004 Federal Bureau of Investigation
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.