Tyler Watson
CSC540
April 26, 2012
Dr. Lyle and Dr. Pilgrim
Digital Forensics and Legalities
With technology evolving and computers becoming much more accessible, law
enforcement has had to adapt to changes in order to solve crimes and uphold the law. Digital
forensics is vital to helping catch criminals and solving cases. There have been numerous
situations in which digital evidence was necessary to convict or acquit people accused of crimes.
But what is digital forensics? How is it used today? What cases were solved through the use of
it? Let us delve into the heart of digital forensics, answering these questions and more.
One of the more well-known cases regarding digital forensics is that of the BTK (which
stands for bind, torture, kill) killer, who is infamous for killing ten people in the Wichita, Kansas
area over a period of about thirty years. Police were unable to solve these crimes for many years
and the case went cold. In 2004, the BTK killer sent a letter to the police stating that one of the
murders was not attributed to him. Police continued to communicate with the BTK killer via
mail, eventually gaining his trust. After many weeks of correspondence, BTK sent a floppy disk
to the police department which contained a key piece of evidence into bursting the case wide
open. (Collins)
Nothing on the disk contained anything incriminating. However, with the help of a digital
forensic tool called EnCase Forensic, police were able to discover a deleted file on the drive. The
recovered file was a word document containing metadata – information about data such as the
creator’s name, the computer’s details, time created and more. Using this metadata, police were
able to link a name to the BTK killer: Rader. In addition, they also uncovered the name of a
church: Christ Lutheran Church. Although the document itself contained nothing of interest, the
metadata provided police with more than enough information to start pursuing new leads. (The
Associated Press)
A simple search online revealed that Dennis Rader was the head of Christ Lutheran
Church. With this information in hand, the police were able to link many other pieces of
evidence back to Rader, leading to a conviction. All it took was the fragments of a deleted file to
put a serial killer behind bars for the rest of his life.
Today’s digital forensics has become much more complex as criminals have started using
sophisticated ways to hide data. For example, investigators now need to know how to handle
encryption, proper techniques for handling evidence, and many of the legal processes to ensure
their investigations will stand up in court. In many ways, working with digital evidence is a lot
like working with traditional evidence.
The number one rule of digital investigations is to always preserve the evidence. If the
evidence is not handled correctly, the case may be damaged permanently and never be solved.
Therefore it is vital that the original copy of the data never be modified. Investigators must
always work with copies of the evidence. Depending on the type of evidence being handled,
different techniques may need to be applied. For example if you are working with a desktop hard
drive, you will want to use a blank hard drive of the same brand, capacity and speed. Ideally it
would be the exact model of the drive containing the evidence but many times this is not
necessary.
In other situations you may be working with evidence contained on a mobile phone or
flash drive. It may be more beneficial to create an image of the evidence which is basically a
single file containing all of the data on that phone’s memory or the flash drive. Whatever the
case may be, it is vital that not a single bit of the data on the original drive be modified. This may
prove to be difficult because modern operating systems often change data when the machine is
loaded. To prevent this from happening, an investigator can use what is called a “write blocker”.
A write blocker is physically connected to a drive, such as a hard disk, and will prevent
any modifications from being made to it. They are smart enough to send a signal back to the
operating system stating that the changes requested were made when in reality nothing has been
modified on the drive. In other words, it fools the operating system into thinking the boot-up
process successfully completed. This prevents any errors and allows the investigator to access
the drive like normal.
An investigator may find it difficult to confirm that the data on a drive has not been
modified due to an investigation. To solve this problem, hashes are used to check the data for
changes. A hash is a unique identifier which is calculated from a set of data. In digital forensics,
this is used at the beginning of an investigation and several times during the course of the
investigation. If at any point during the investigation the hash does not match the original value
then something has changed the data on the drive and it will probably no longer stand up in
court.
Many different tools exist to aid in a digital forensic investigation. Law enforcement
primarily uses EnCase Forensic which was developed by Guidance Software. Other tools can be
used as well, but EnCase has been used in real legal cases and is proven to stand up in court. This
gives an advantage to law enforcement because they can be reassured that the entire investigation
will not fall apart due to non-standard tools being used to recover data.
In a non-law enforcement setting, many other tools exist and are often used. Some of
these include ProDiscover, Forensic Toolkit, and hex editors such as Hex Workshop. Linux
operating systems also have tools such as Autopsy, Sleuth Kit, and terminal commands such as
“DD”. ProDiscover and Forensic Toolkit work generally in the same way by automatically
recovering unmodified, hidden, and deleted files from the drive. However, they have trouble if
data hiding techniques are used. Hex editors provide the user with the ability to manually sort
through each bit of data. With a reference guide and a lot of time, an investigator is able to track
down and locate data which may be hidden on the drive. This is handy because if part of a file’s
data is corrupted or deleted, the investigator will need to carve it out from the rest of the drive so
it can be recovered. (TSM441)
The Linux tools Autopsy and Sleuth Kit work side by side. Autopsy is the actual
command-line tool whereas Sleuth Kit is a graphical user interface. Both of these are open
source and freely obtainable. The “DD” tools are also available in most, if not all, Linux
operating systems by default. These command line options are excellent for creating images of
drives, which really help when creating copies of evidence.
Even with all of these tools available at investigators’ disposal, there is an issue which is
becoming more widespread in the field of digital forensics: encryption. Encryption is the act of
hiding data using mathematical algorithms. In short, the process consists of using a key or
password and then selecting the data to be encrypted. The data is then modified into a form that
is unreadable. Decrypting the data is done in a similar way but the original key is needed to
return the data to its original form. Many commercial products exist to simplify the process of
encrypting and decrypting data. For example, Microsoft offers its program called BitLocker
which enables encryption of an entire disk.
This raises an ethical question: Should the government be allowed to force you to decrypt
your data? According to CNET, the Department of Justice can force you to decrypt the data
requested. They do not have the authority to obtain the password used, but only require the
decrypted data. Some argue that this goes against the Fifth Amendment which states that “no
person … shall be compelled in any criminal case to be a witness against himself”. (McCullagh)
On one hand, law enforcement needs to be able to perform their duties and catch
criminals but on the other hand it is difficult to say whether or not forcing someone to hand over
decrypted data falls under no self-incrimination. In any event, this situation is extremely
important for digital forensic investigators because there may come a time in which he or she
will need to decrypt data on a drive. Without the proper laws and procedures in place, the
investigator will find it incredibly difficult to do his or her job. However, as this field develops
more and grows, there will be new standards and legal methods for handling these types of
situations.
In conclusion, digital forensics is an extremely broad field with numerous aspects to it.
Many tools exist to aid the investigator in locating data on a drive, including that which is
deleted or hidden. Even though one may uncover evidence through the investigation, it may not
be permissible in court if it is not obtained in a forensically sound manner. This includes working
with only copies of the original evidence and using devices such as write blockers to prevent
changes from being made during the investigation. Finally, even though the technology has
advanced in the past few years, the law is still catching up with the changes. An investigator may
be unable to continue the investigation because of barriers such as encryption getting in the way.
However, digital forensics is of increasingly vital importance and will only become more
relevant as the years go on and criminals become more tech-savvy.
Works Cited
Collins, Dan. "Computer Trail Led To BTK Suspect." CBS News. CBS News, 04 Mar 2005.
Web. 26 Mar 2012. <http://www.cbsnews.com/stories/2005/03/04/national/main678013.s
html>.
"Computer disk may have cracked BTK case." MSNBC. The Associated Press, 03 Mar 2005.
Web. 20 Apr 2012. <http://www.msnbc.msn.com/id/6988048/ns/us_newscrime_and_courts/t/computer-disk-may-have-cracked-btk-case/>.
McCullagh, Declan. "DOJ: We can force you to decrypt that laptop." CNET. CNET News, 11 Jul
2011. Web. 20 Apr 2012. <http://news.cnet.com/8301-31921_3-20078312-281/doj-wecan-force-you-to-decrypt-that-laptop/>.
TSM441 with Dr. Bowman