Computer forensics integrates the fields of computer science and law to investigate crime. For digital evidence to be legally admissible in court, investigators must follow proper legal procedures when recovering and analyzing data from computer systems. Unfortunately, laws written before the era of computer forensics are often outdated and cannot adequately assess the techniques used in a computer system search. The inability of the law to keep pace with technological advancements may ultimately limit the use of computer forensics evidence in court. Privacy advocates are growing especially concerned that computer searches may be a breach of a suspect’s human rights. Furthermore, as methods for encryption and anonymity grow more advanced, technology may be abused by helping criminals hide their actions. Ultimately, the role of technology in computer forensics may not reach its full potential due to legal boundaries and potential malicious intentions.
Computer forensics has been indispensable in the conviction of many well-known criminals, including terrorists, sexual predators, and murderers. Terrorist organizations may use the Internet to recruit members, and sexual predators may use social networking sites to stalk potential victims. However, most criminals fail to cover their tracks when using technology to implement their crimes. They fail to realize that computer files and data remain on their hard drive even when deleted, allowing investigators to track their criminal activity. Even if criminals delete their incriminating files, the data remains in a binary format due to “data remanence” or the residual representation of data (1). File deletion merely renames the file and hides it from the user; the original file can still be recovered (2).
Eventually, data may be overwritten and lost due to the volatile nature of memory, a storage area for used data. A random access memory chip (RAM) retrieves data from memory to help programs to run more efficiently. However, each time a computer is switched on, the RAM loses some of its stored data. Therefore, RAM is referred to as volatile memory, while data preserved in a hard drive is known as persistent memory. The RAM is constantly swapping seldom used data to the hard drive to open up space in memory for newer data. Over time, though, the contents in the swap file may also be overwritten. Thus, investigators may lose more evidence the longer they wait since computer data does not persist indefinitely. Fortunately, computer scientists have engineered equipment that can copy the computer’s contents without turning on the machine. The contents can then be safely used by lawyers and detectives for analysis (2).
Global Position System (GPS) software embedded in smartphones and satellite navigation (satnav) systems can also aid prosecutors by tracking the whereabouts of a suspect. Since companies that develop software for computer forensics also develop products for satellite navigators, they are well-equipped with the tools and technology necessary for acquiring GPS evidence.
However, the evidence that can be recovered from GPS software is limited to only a list of addresses. Current GPS software does not record the time when the address was archived, whether the address was inputted by a person or automatically recorded, or whether the owner’s intent for entering the address was associated with the crime. Despite these limitations, GPS evidence has still been crucial to the success of many prosecutions. In one famous example, four armed suspects accused of robbing a bank in the United Kingdom were convicted because each suspect owned a vehicle whose satnav held incriminating evidence, including the bank’s address and the addresses of the other three suspects. The Scottish National High-Tech Crime Unit searched a suspect’s TomTom, a GPS device, to obtain thousands of addresses that the vehicle passed by. Many of the addresses turned out to be the scenes of criminal offenses (3). In 2011, U.S. forces successfully found the Pakistani compound where Osama bin Laden was killed by tracking satellite phone calls made by his bodyguard (4).
While GPS evidence on its own may not be enough to establish a motive, GPS evidence can still provide invaluable leads or confirm a hunch. For example, contact lists, language preferences, and settings all may be used to establish a suspect’s identity or identify accomplices. Evidence from GPS software and mobile devices can be a valuable supplement to other forms of evidence (3).
Some criminals have grown more cautious by hiding incriminating data through encryption techniques. However, according to Andy Spruill, senior director of risk management for Guidance Software, most criminals “don’t have the knowledge or patience to implement [encryption software] on a continued-use basis.” The minority of criminals who do encrypt their files may only use partial encryption. If only a few files on a hard drive are encrypted, investigators can analyze unencrypted copies found elsewhere on the device to find the information they are seeking. Furthermore, since most computer users tend to reuse passwords, investigators can locate passwords in more easily decipherable formats to gain access to protected files. Computer data are also oftentimes redundant – Microsoft Word makes copies each time a document is modified so that deleting the document may not permanently remove it from the hard drive. With so many forms of back-up, it is difficult for criminals to completely delete incriminating computer evidence (5).
While investigators can exploit computer system glitches to obtain evidence, technological limitations can often compromise a computer search. A common protocol for handling a mobile device found at a crime scene is to turn the power off. Investigators want to preserve the battery and prevent an outside source from using the remote wipe feature on the phone’s contents. When the phone is turned off, the phone cannot receive text messages and other data that may overwrite the evidence currently stored in the device. However, turning off the device has its own consequences, potentially causing data to be lost and downloaded files to be corrupted (1).
To solve such problems, computer engineers have developed technology for shielding a device from connecting to a cellular carrier’s network. Computer forensic scientists no longer need to turn off the device to isolate it. For example, radio frequency (RF) shielded test enclosure boxes help keep signals from entering or leaving the device. A Faraday bag, used in conjunction with conductive mesh, can also isolate a mobile device. Using these techniques, investigators can safely transport mobile devices to the lab while the device is turned on (1).
However, GPS software and Faraday bags are not foolproof. A cell phone isolated in a Faraday bag may adamantly search for a signal, depleting the phone’s battery power. When searching for a network, cell phones are also losing data (1).
Radio frequency bag with iPhone inside for reducing data loss. These bags keep radio signals from entering or leaving the device. Courtesy of Wikimedia.
According to Professor David Last of University of Bangor, Wales, errors in locating signals may range up to 300 meters when obstructions are present. While “95 percent of [GPS] measurements fall within 5 metres of the true position” in clear and open areas, large geographical barriers and skyscrapers may severely block and reflect satellite signals. Interference from solar weather may also disrupt signals. Criminals even purposely use jammers to disrupt tracking systems. Investigators must carefully audit communications channels and monitoring systems used in tracking systems. In doing so, they can better avoid skepticism from the jury by being able to give a clearer and more precise estimate of the amount of error afflicting GPS measurements. Otherwise, the defense can suppress the GPS evidence if the measurements are significantly faulty and unreliable (3).
While the Fourth and Fifth Amendments were written long before the era of computers, both concepts still apply to the practice of computer forensics. The amendments serve to protect basic human rights by preventing unreasonable search and seizure and self-incrimination. In the case of United States v. Finley, the defendant claimed that ”a cell phone was analogous to a closed container,” suggesting that investigators should exercise the same restraint and caution in searching cell phones as they would in a bag or a private home. Generally, investigators must first obtain a search warrant, which is typically given by the court in order to obtain and preserve evidence that can be easily destroyed (1). However, exceptions to the rule have been observed in United States v. Ortiz; investigators legally retrieved telephone numbers of “finite memory” from a suspect’s pager without a warrant because the contents of the pager can be easily altered when incoming messages overwrite currently stored data. Searches without a warrant “incident to arrest” are permissible because they help to prevent fragile data of evidentiary value from being lost (6). They consist mostly of scanning the device’s contents using the keyboard and menu options. More advanced searches incident to arrest may include the use of a mobile lab, which allows for the immediate download of cellular phone data (7). However, according to United States v. Curry, searches “incident to arrest” can only be conducted “substantially contemporaneous with the arrest” (1). If investigators want to conduct further post-arrest forensic analysis, proper legal authorization must first be obtained (7).
Proper legal procedures are often vague and burdensome for investigators, especially since laws may vary from state to state. Some states may have a stricter policy regarding warrantless searches. In United States v. Park, the court ruled that since cell phones can hold a greater quantity of data than pagers, its contents are less likely to be lost; a warrantless cell phone search is thus unnecessary and unjustified. Similarly, in United States v. Wall, the court decided that “searching through information stored on a cell phone is analogous to a search of a sealed letter” (6). Even if investigators manage to obtain a search warrant, the evidence they find may still be suppressed if their forensic procedures fail to follow legal procedures. For example, looking through unopened mail and unread texts or not carefully documenting the chain of custody may constitute an improper search (1). With so many boundaries and inconsistencies in the legal system, it is often difficult for investigators to successfully perform their jobs.
Different state and national legal systems plague computer forensics as well. When an Estonian was charged with computer crimes in 2007, Russia refused to provide legal cooperation because it had not criminalized computer crimes yet. Russia received severe Distributed Denial of Service attacks for its lack of cooperation (8).
In addition to a faulty legal system, the accessibility of advanced technology may be afflicting computer forensics. The North Atlantic Treaty Organization (NATO) defines cyber terrorism as “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or to intimidate a society into an ideological goal” (8) As computer systems grow more powerful, criminals may also abuse computer systems to commit crimes such as software theft, terrorism, and sexual harassment (9). For example, stalkers can abuse the Tor Project, an anonymizing tool for victims of cybercrimes to safely report abuses, to instead hide their identities when they commit crimes of harassment. The technology is too advanced for the digital trail of cybercrimes to be tracked. As encryption programs grow stronger and more popular, forensic investigators may no longer be able to decode the hidden digital evidence.
For computer forensics to progress, the law must keep pace with technological advancements. Clear and consistent legal procedures regarding computer system searches must be developed so that police and investigators can be properly trained. An International Code of Ethics for Cyber Crime and Cyber Terrorism should also be established to develop protocols for “obtaining and preserving evidence, maintaining the chain of custody of that evidence across borders,” and “clear[ing] up any difference in language issues.” Following these measures may be the first steps to resolving the technological and legal limitations afflicting computer forensics. Interpol, the International Criminal Police Organization, has developed a Computer Crime Manual with “training courses” and “a rapid information exchange system” that serves as a foundation for international cooperation (8). Lastly, the criminal abuse of technology can be limited by equipping the police department with state-of-the-art training and equipment for forensic analysis. Only then is the world safely prepared to face the future of technology. As one author predicts, “the next world war will be fought with bits and bytes, not bullets and bombs” (8).
Contact Barry Chen at
1. D. Bennett, The Challenges Facing Computer Forensics Investigators in Obtaining Information from Mobile Devices for Use in Criminal Investigations (2011). Available at http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations (29 December 2012).
2. Computer Crimes. Available at http://library.thinkquest.org/04oct/00206/cos_computer_crimes.htm (29 December 2012).
3. D. Last, Computer Analysts and Experts – Making the Most of GPS Evidence (2012). Available at http://articles.forensicfocus.com/2012/08/27/computer-analysts-and-experts-making-the-most-of-gps-evidence (29 December 2012).
4. O. Tohid, Bin Laden bodyguard’s satellite phone calls helped lead US forces to hiding place (2011). Available at http://www.csmonitor.com/World/Asia-South-Central/2011/0502/Bin-Laden-bodyguard-s-satellite-phone-calls-helped-lead-US-forces-to-hiding-place (29 December 2012).
5. A. Spruill, Digital Forensics and Encryption. Available at http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=656 (29 December 2012).
6. C. Milazzo, Searching Cell Phones Incident to Arrest: 2009 Update (2009). Available at http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display&issue_id=52009&category_ID=3 (29 December 2012).
7. D. Lewis, Examining Cellular Phones and Handheld Devices (2012). Available at www.dfinews.com/article/examining-cellular-phones-and-handheld-devices?page=0,1 (29 December 2012).
8. B. Hoyte, The need for Transnational and State-Sponsored Cyber Terrorism Laws and Code of Ethics (2012). Available at http://articles.forensicfocus.com/2012/09/28/the-need-for-transnational-and-state-sponsored-cyber-terrorism-laws-and-code-of-ethics (29 December 2012).
9. M. Chasta, Android Forensics (2012). Available at http://articles.forensicfocus.com/2012/09/12/android-forensics (29 December 2012).