The Role of Computer Forensics in Law Enforcement

Gary C. Kessler
December 2005

[An edited version of this paper was posted at the Web site in January 2006.]

Examples of the analysis of computer evidence are abundant today in the popular media, particularly in television shows ranging from the Law & Order franchise to Court TV's Forensic Files. And, as we have come to expect from television, there is a grain of truth in the oversimplification (or gross distortion) of the facts.

Forensics, of course, is the use of science to investigate and establish facts in a criminal or civil court. Physical evidence (e.g., tire tracks and bullets) and medical evidence (e.g., blood and DNA) are well accepted in courts as well as the hearts and minds of the law enforcement community and the public. Less well known — and much less well understood — is the role of computer forensics and digital investigations.

Computer forensics is the acquisition, examination, and reporting of information found on computers and networks that pertain to a criminal or civil investigation, although the same processes and methods are applied to corporate and other "private" investigations. Nearly everything that someone does on a computer or a network leaves traces — from deleted files and registry entries to the Internet history cache and automatic Word backup files. E-mail headers and instant messaging logs give clues as to the intermediate servers through which information has traversed. Server logs provide information about every computer system accessing a Web site.

Cyberforensics is increasing in importance for the law enforcement community for a number of reasons, not the least of which is that computers and the Internet represent the fastest growing technology tools used by criminals... and this trend will continue for the foreseeable future. Cybercrimes and white collar crimes are particularly lucrative because they are generally non-violent crimes, yield high profits (a recent report suggested that cybercrime in the U.S. yielded more income than the illegal drug trade), have relatively low risk of capture, and, if caught and convicted, usually result in relatively short prison sentences — judges and juries seem to have a "romantic" view of cybercriminals as intelligent, misguided individuals rather than as the cyberthugs that they are.

The Internet, of course, is a significant problem for legal investigations. The biggest issue is jurisdiction. With crimes such as identity theft, Nigerian 409 (and other) scams [1], phishing [2], fraud, and other acts enabled by the global Internet, it is now possible for a criminal in one country to perpetrate a crime against a person in another country, all the while using servers located in a third country. The exchange of child pornography, largely shut down in the U.S. by the postal service, is rampant on the Internet. Luring, traveling, cyberstalking, and other child sexual exploitation activities have been dramatically enabled because of the global reach of the Net. And laws vary from country to country, so that a felony in one country might not even be illegal in another.

The Internet is totally changing crime scene investigation. Due to the dynamic nature of the 'Net, a site on the Internet used to perpetrate a crime one day may be different or absent the next day. Access to the Internet is nearly ubiquitous in the industrialized countries, so a criminal can gain access from a different computer at a different location every time they log on; while it may be easy to show that a particular computer was used to access a given server at a given date and time, it may be very hard to prove whose fingers were on the keyboard. And Internet access and storage devices are becoming smaller, cheaper, faster, and more mobile every day. Gone is the era of securing a crime scene by throwing yellow police tape around it!

Computers can yield evidence of a wide range of criminal and other unlawful activities; criminals engaged in network-based crimes are not the only ones who store information on computers! Many criminals engaged in murder, kidnapping, sexual assault, extortion, drug dealing, auto theft, espionage and terrorism, gun dealing, robbery/burglary, gambling, economic crimes, confidence games, and criminal hacking (e.g., Web defacements and theft of computer files) maintain files with incriminating evidence on their computer. Sometimes the information on the computer is key to identifying a suspect and sometimes the computer yields the most damning evidence.

Consider, for example, the case of a pipe bomb murder that occurred in 1998 in the sleepy town of Fair Haven, Vermont. In this case, a 17-year old named Chris Marquis was selling CB radios on the Internet. The problem was that he didn't actually have radios to sell and was scamming the buyers. One of his victims was 35-year-old Chris Dean from Pierceton, Indiana, who was conned for several hundred dollars. After realizing what had happened, Dean attempted unsuccessfully to contact Marquis, even sending several threatening e-mails. On March 19, a pipe bomb arrived at Marquis' house by UPS; when it exploded, it killed Marquis and badly injured his mother. Examination of the crime scene yielded pieces of the package and the UPS shipping label that led the FBI and local authorities to Dean. Having found the threatening e-mails from Dean on Marquis' computer, investigators searched Dean's computer and found the e-mails there, as well, in addition to an electronic version of the mailing label of the package containing the pipe bomb. That information was key in convicting Dean, who is currently serving a 20-to-life sentence in federal prison.

More recently, the examination of a single computer file provided a key piece of information in the arrest of the BTK killer in Wichita, Kansas, in March 2005. The BTK killer's 30-year serial murder spree was brought to an end by a mere oversight on his part. As was his habit, the BTK killer sent a letter to a Wichita television station about his exploits, in this case via e-mail. Police examined the file and found the first name of the author (Dennis) and the organization name (Christ Lutheran Church) in the metadata (properties) of the document. A search of the church's Web site showed that a Dennis Rader was the church president. Police went to the church with a warrant to search the computers and found a floppy disk that Rader had given to the church pastor with the agenda for an upcoming church council meeting; the disk also contained the BTK letter. Up until this time, Dennis Rader's name had come up in the investigation only as part of a list of thousands of names of students and he was never a suspect.
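The BTK case turned on document properties that the authoring application stored alongside the text. As an added example, not code from the original paper, the following Python function pulls the creator, last-modified-by, and company properties out of a modern Office (.docx) package; it assumes the OOXML layout rather than the older binary .doc format in use in 2005, and the sample document it examines is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two metadata parts of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def extract_office_metadata(docx_bytes):
    """Return the author-identifying properties stored in a .docx package.

    A package with no docProps parts yields an empty dict rather than an error,
    since stripped or malformed files are common in an examination.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        names = set(pkg.namelist())
        if "docProps/core.xml" in names:  # creator / last editor live here
            root = ET.fromstring(pkg.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy")):
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
        if "docProps/app.xml" in names:  # organization name lives here
            root = ET.fromstring(pkg.read("docProps/app.xml"))
            el = root.find("ep:Company", NS)
            if el is not None and el.text:
                found["company"] = el.text.strip()
    return found


def build_sample_docx(with_metadata=True):
    """Constructed sample: a minimal package holding only the metadata parts."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>Jane Doe</dc:creator>'
            '<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Company>Example Parish Office</Company>'
           '</Properties>' % NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        if with_metadata:
            pkg.writestr("docProps/core.xml", core)
            pkg.writestr("docProps/app.xml", app)
        else:
            pkg.writestr("word/document.xml", "<w:document/>")  # body only
    return buf.getvalue()
```

In an examination, the values returned would be corroborated against external sources, as the BTK investigators did with the church's Web site, rather than taken as proof of authorship on their own.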

Computers may also contain important information for intelligence-gathering purposes. Although the application of the Fourth Amendment is somewhat different when gathering evidence rather than criminal or anti-terrorist intelligence, the digital investigation process and tools are the same.

A basic-level understanding of computer forensics, at the very least, is an essential knowledge area for all law enforcement officers. Investigators need to know when information on a computer might have a nexus to a crime, how to write an appropriate warrant to seize and search a computer, and how to gather and search cyberevidence. Prosecutors and judges need to better understand the role of digital evidence — and the laborious task of a proper and thorough computer forensics exam. High technology crime task forces have already been formed in the larger metropolitan areas where this is a particularly serious problem, but the problem is actually far more widespread than just the big cities. Even a patrol officer who is not involved in computer crimes needs to know what actions to take when a computer is discovered at a crime or arrest scene.

Computer forensics and digital investigations have become an integral part of police work in the new millennium. Computers are now as much a part of the modern law enforcement officer's daily routine as the baton, sidearm, two-way radio, or handcuffs.

[1] These are the infamous letters asking you to help some person who has access to millions but needs to secret the money to a U.S. bank and will, of course, share the proceeds with you.

[2] These are the e-mails directing you to authentic looking, yet bogus, Web sites asking you to enter personal identifying and financial information.

Gary C. Kessler is an Associate Professor and director of the Computer & Digital Forensics and Information Security programs at Champlain College in Burlington, VT. Champlain College offered one of the first undergraduate degree programs in digital forensics and cybercrime in the U.S. and the first such program to be offered completely online; Gary's current research is in making cybercrime training available in an instructor-led, online format. Gary is a member of the High Technology Crime Investigation Association (HTCIA) and a frequent speaker at HTCIA events; he is also a technical consultant to the Vermont Internet Crimes Against Children (ICAC) Task Force, a member of the editorial board of the Journal of Digital Forensic Practice, and a principal in GKS Digital Services, LLC.