Tyler Watson CSC540 April 26, 2012 Dr. Lyle and Dr. Pilgrim Digital Forensics and Legalities With technology evolving and computers becoming much more accessible, law enforcement has had to adapt to changes in order to solve crimes and uphold the law. Digital forensics is vital to helping catch criminals and solving cases. There have been numerous situations in which digital evidence was necessary to convict or acquit people accused of crimes. But what is digital forensics? How is it used today? What cases were solved through the use of it? Let us delve into the heart of digital forensics, answering these questions and more. One of the more well-known cases regarding digital forensics is that of the BTK (which stands for bind, torture, kill) killer, who is infamous for killing ten people in the Wichita, Kansas area over a period of about thirty years. Police were unable to solve these crimes for many years and the case went cold. In 2004, the BTK killer sent a letter to the police stating that one of the murders was not attributed to him. Police continued to communicate with the BTK killer via mail, eventually gaining his trust. After many weeks of correspondence, BTK sent a floppy disk to the police department which contained a key piece of evidence into bursting the case wide open. (Collins) Nothing on the disk contained anything incriminating. However, with the help of a digital forensic tool called EnCase Forensic, police were able to discover a deleted file on the drive. The recovered file was a word document containing metadata – information about data such as the creator’s name, the computer’s details, time created and more. Using this metadata, police were able to link a name to the BTK killer: Rader. In addition, they also uncovered the name of a church: Christ Lutheran Church. Although the document itself contained nothing of interest, the metadata provided police with more than enough information to start pursuing new leads. (The Associated Press) A simple search online revealed that Dennis Rader was the head of Christ Lutheran Church. With this information in hand, the police were able to link many other pieces of evidence back to Rader, leading to a conviction. All it took was the fragments of a deleted file to put a serial killer behind bars for the rest of his life. Today’s digital forensics has become much more complex as criminals have started using sophisticated ways to hide data. For example, investigators now need to know how to handle encryption, proper techniques for handling evidence, and many of the legal processes to ensure their investigations will stand up in court. In many ways, working with digital evidence is a lot like working with traditional evidence. The number one rule of digital investigations is to always preserve the evidence. If the evidence is not handled correctly, the case may be damaged permanently and never be solved. Therefore it is vital that the original copy of the data never be modified. Investigators must always work with copies of the evidence. Depending on the type of evidence being handled, different techniques may need to be applied. For example if you are working with a desktop hard drive, you will want to use a blank hard drive of the same brand, capacity and speed. Ideally it would be the exact model of the drive containing the evidence but many times this is not necessary. In other situations you may be working with evidence contained on a mobile phone or flash drive. It may be more beneficial to create an image of the evidence which is basically a single file containing all of the data on that phone’s memory or the flash drive. Whatever the case may be, it is vital that not a single bit of the data on the original drive be modified. This may prove to be difficult because modern operating systems often change data when the machine is loaded. To prevent this from happening, an investigator can use what is called a “write blocker”. A write blocker is physically connected to a drive, such as a hard disk, and will prevent any modifications from being made to it. They are smart enough to send a signal back to the operating system stating that the changes requested were made when in reality nothing has been modified on the drive. In other words, it fools the operating system into thinking the boot-up process successfully completed. This prevents any errors and allows the investigator to access the drive like normal. An investigator may find it difficult to confirm that the data on a drive has not been modified due to an investigation. To solve this problem, hashes are used to check the data for changes. A hash is a unique identifier which is calculated from a set of data. In digital forensics, this is used at the beginning of an investigation and several times during the course of the investigation. If at any point during the investigation the hash does not match the original value then something has changed the data on the drive and it will probably no longer stand up in court. Many different tools exist to aid in a digital forensic investigation. Law enforcement primarily uses EnCase Forensic which was developed by Guidance Software. Other tools can be used as well, but EnCase has been used in real legal cases and is proven to stand up in court. This gives an advantage to law enforcement because they can be reassured that the entire investigation will not fall apart due to non-standard tools being used to recover data. In a non-law enforcement setting, many other tools exist and are often used. Some of these include ProDiscover, Forensic Toolkit, and hex editors such as Hex Workshop. Linux operating systems also have tools such as Autopsy, Sleuth Kit, and terminal commands such as “DD”. ProDiscover and Forensic Toolkit work generally in the same way by automatically recovering unmodified, hidden, and deleted files from the drive. However, they have trouble if data hiding techniques are used. Hex editors provide the user with the ability to manually sort through each bit of data. With a reference guide and a lot of time, an investigator is able to track down and locate data which may be hidden on the drive. This is handy because if part of a file’s data is corrupted or deleted, the investigator will need to carve it out from the rest of the drive so it can be recovered. (TSM441) The Linux tools Autopsy and Sleuth Kit work side by side. Autopsy is the actual command-line tool whereas Sleuth Kit is a graphical user interface. Both of these are open source and freely obtainable. The “DD” tools are also available in most, if not all, Linux operating systems by default. These command line options are excellent for creating images of drives, which really help when creating copies of evidence. Even with all of these tools available at investigators’ disposal, there is an issue which is becoming more widespread in the field of digital forensics: encryption. Encryption is the act of hiding data using mathematical algorithms. In short, the process consists of using a key or password and then selecting the data to be encrypted. The data is then modified into a form that is unreadable. Decrypting the data is done in a similar way but the original key is needed to return the data to its original form. Many commercial products exist to simplify the process of encrypting and decrypting data. For example, Microsoft offers its program called BitLocker which enables encryption of an entire disk. This raises an ethical question: Should the government be allowed to force you to decrypt your data? According to CNET, the Department of Justice can force you to decrypt the data requested. They do not have the authority to obtain the password used, but only require the decrypted data. Some argue that this goes against the Fifth Amendment which states that “no person … shall be compelled in any criminal case to be a witness against himself”. (McCullagh) On one hand, law enforcement needs to be able to perform their duties and catch criminals but on the other hand it is difficult to say whether or not forcing someone to hand over decrypted data falls under no self-incrimination. In any event, this situation is extremely important for digital forensic investigators because there may come a time in which he or she will need to decrypt data on a drive. Without the proper laws and procedures in place, the investigator will find it incredibly difficult to do his or her job. However, as this field develops more and grows, there will be new standards and legal methods for handling these types of situations. In conclusion, digital forensics is an extremely broad field with numerous aspects to it. Many tools exist to aid the investigator in locating data on a drive, including that which is deleted or hidden. Even though one may uncover evidence through the investigation, it may not be permissible in court if it is not obtained in a forensically sound manner. This includes working with only copies of the original evidence and using devices such as write blockers to prevent changes from being made during the investigation. Finally, even though the technology has advanced in the past few years, the law is still catching up with the changes. An investigator may be unable to continue the investigation because of barriers such as encryption getting in the way. However, digital forensics is of increasingly vital importance and will only become more relevant as the years go on and criminals become more tech-savvy. Works Cited Collins, Dan. "Computer Trail Led To BTK Suspect." CBS News. CBS News, 04 Mar 2005. Web. 26 Mar 2012. <http://www.cbsnews.com/stories/2005/03/04/national/main678013.s html>. "Computer disk may have cracked BTK case." MSNBC. The Associated Press, 03 Mar 2005. Web. 20 Apr 2012. <http://www.msnbc.msn.com/id/6988048/ns/us_newscrime_and_courts/t/computer-disk-may-have-cracked-btk-case/>. McCullagh, Declan. "DOJ: We can force you to decrypt that laptop." CNET. CNET News, 11 Jul 2011. Web. 20 Apr 2012. <http://news.cnet.com/8301-31921_3-20078312-281/doj-wecan-force-you-to-decrypt-that-laptop/>. TSM441 with Dr. Bowman