Computer Evidence Processing

Good Documentation Is Essential

by Michael R. Anderson

Technical evidence has become more important in proving criminal and civil cases. Its importance is tied, in part, to advances in science and computer technology. However, trials like the O. J. Simpson murder trial have called public attention to potential weaknesses in cases that rely upon technology to prove a case. In the past, expert testimony tied to science and technology was accepted without question by the courts, juries and by defense attorneys. Because of heightened public awareness, things have changed and technical evidence processing techniques and methodologies are subject to challenge. Forensic computer expert witnesses are now frequently required to defend their findings. Consequently, computer evidence processing methods, tools and techniques are being challenged as well. Therefore, it is extremely important that computer evidence processing be done correctly in criminal cases. An essential part of any evidence processing is the documentation of what was done. This is important so that memories can be refreshed as to the steps taken and the results of processing can be duplicated. This is especially true concerning the processing of computer evidence.

In past articles, I have stressed that the preservation of computer evidence is the most important element of computer evidence processing. I haven't changed my mind and that advice still stands. However, the proper documentation of the steps taken during the evidence processing ranks right up there as a top priority. Good documentation tied to sound processing procedures is essential for success in computer crime cases. Without the ability to reconstruct accurately what has been done, crucial evidence may be subject to question. More importantly, the qualifications of the expert witness can become an issue if the computer evidence processing was done haphazardly. Shortcuts should be avoided at all costs. Adequate funding for the purchase of proper computer hardware, storage media and software should not be an obstacle when it comes to law enforcement computer evidence processing.

Computer crime cases rarely go to trial in the United States. Such cases have typically resulted in negotiated guilty pleas in the past because computer evidence has been thought to be irrefutable. Previously, defense attorneys did not understand computer evidence issues and therefore did not question the evidence or the qualifications of the expert witness. Most experienced forensic law enforcement computer specialists will admit that they have not had to testify in court. This has been the norm for years but things are changing. Many computer cases now go to trial and the potential exists for the computer evidence to be subjected to close legal scrutiny by the defense counsel, the court and even the jury. Computer evidence issues may be extremely complex to a jury and it is the job of the forensic computer specialist to make complex technical computer issues seem simple. Typically, juries in the United States consist of individuals who represent a cross section of the population. It is doubtful that the jury will consist of twelve computer experts. As a result, complex computer issues need to be conveyed to the court in clear and easily understood terms. Often such testimony will be given several months or even years after the computer evidence was processed. Good documentation, tied to sound and consistently applied processing methods, acts as a memory refresher for the computer specialist and can make the difference between success and failure.

Over the last ten years, I am proud to have trained numerous law enforcement computer specialists. Some of those individuals now head major computer crime units in federal, state, county and municipal law enforcement agencies throughout the world. Since my retirement from federal law enforcement, I have also had the privilege of training numerous computer specialists from Fortune 500 corporations, government agencies, military agencies and Big 6 accounting firms. In all of my training sessions, I have always stressed the importance of consistently following good processing methodologies. I have also stressed the importance of good documentation. It is rewarding when I hear from former students who tell me that good procedures and documentation have been their keys to success when their cases have gone to trial. Based on these successes, the following information has been provided in hopes of helping you should your computer related case go to trial:

1. Computer Time and Date Settings

The time and date that files were created can be important in cases involving computer evidence. However, the accuracy of the time and date stamps on files is directly tied to the accuracy of the time and date stored in the CMOS chip of the computer. Consequently, documenting the accuracy of these settings on the seized computer is important. Without such information, it will be all but impossible to validate the accuracy of the times and dates associated with relevant computer files. As a result, I recommend that the current time and date be compared with the same information stored in the computer. The current time can be obtained from the telephone company or from the Internet at . File dates and times are particularly important in documenting the backdating of computer files. When the settings on the computer are inaccurate, the times and dates associated with relevant files can be interpolated by the computer specialist. Before running the computer or checking the time and date, making a bit stream backup of the computer hard disk drive is important. This topic has been covered in another article. Also, free software is available for download from this site that aids in the documentation of the system time and date settings.
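One way to record the clock comparison described above and to apply the resulting offset to file stamps, as an added example that is not from the article or from NTI's software; the reference and CMOS readings are constructed sample values, and the correction assumes the offset stayed constant over the period of interest:

```python
# Added example, not from the article or NTI's software: record the seized
# machine's clock offset and use it to interpolate true file times.
from datetime import datetime, timedelta

# Constructed readings, both in the examiner's local time zone: the telephone
# time service announced 14:02:10 at the instant the seized machine's CMOS
# clock (read from the BIOS setup screen, after the bit stream backup) showed
# 13:47:40 on the same date.
REFERENCE_TIME = datetime(2003, 4, 15, 14, 2, 10)
SEIZED_CLOCK_TIME = datetime(2003, 4, 15, 13, 47, 40)


def clock_offset(reference: datetime, seized: datetime) -> timedelta:
    """Positive when the seized clock runs slow, negative when it runs fast."""
    return reference - seized


def correct_timestamp(file_time: datetime, offset: timedelta) -> datetime:
    """Interpolate the true time of a stamp written by the inaccurate clock.

    Assumes the offset was constant between the stamp and the comparison.
    """
    return file_time + offset


def offset_record(reference: datetime, seized: datetime, examiner: str) -> dict:
    """Build the entry that goes into the case notes beside the screen photo."""
    off = clock_offset(reference, seized)
    if off > timedelta(0):
        state = "slow"
    elif off < timedelta(0):
        state = "fast"
    else:
        state = "accurate"
    return {
        "reference_time": reference.isoformat(sep=" "),
        "seized_clock_time": seized.isoformat(sep=" "),
        "offset_seconds": int(off.total_seconds()),
        "seized_clock": state,
        "examiner": examiner,  # placeholder name supplied by the caller
    }


if __name__ == "__main__":
    off = clock_offset(REFERENCE_TIME, SEIZED_CLOCK_TIME)
    print(offset_record(REFERENCE_TIME, SEIZED_CLOCK_TIME, "examiner placeholder"))
    stamp = datetime(2003, 4, 14, 9, 0, 0)  # constructed file creation stamp
    print("corrected stamp:", correct_timestamp(stamp, off))
```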

2. Hard Disk Partitions

The potential for hidden or missing data exists when computer hard disk drives are involved. As a result, it is important to document the make, model and size of all hard disk drives contained in the seized computers. This is accomplished by conducting a physical examination of the hard disk drive. The factory information recorded on the outside of the hard disk drive should be documented. Furthermore, a program like DOS FDISK or PartInfo should be used to document the number and size of partitions. It is important that hidden partitions and data are found and documented. The PartInfo program comes with Partition Magic Software and can be purchased at most computer stores.

3. Operating System and Version

The seized computer may rely upon one or more operating systems. The operating system(s) involved should be documented. On DOS and Windows-based computers this can be determined by examining the boot sector of each partition. It can also be determined by using a program like Norton Utilities. The results of findings should be noted and the software and version used should be documented. The versions of the software used should also be retained and stored with the documentation.

4. Data and Operating System Integrity

The accuracy of any data found will be directly tied to the integrity of the operating system, directory, FAT and data storage areas. Therefore, it is important to document the results of running a program like DOS ScanDisk and/or DOS CHKDSK. In the event errors are found, they should be documented. At the discretion of the computer specialist, errors should be corrected and/or repaired. Any such corrective actions taken should be documented and the version of the software used should be retained and stored with the documentation.

5. Computer Virus Evaluation

It is important that computer viruses are not introduced into the seized computer storage devices by the computer specialist. Consequently, all processing software should be scanned by a NIST-certified virus scanning utility, e.g., McAfee, Norton or Dr. Solomon. Ideally two separate virus scanning utilities should be used and the results of the scan should be documented. The seized computer hard disk drives and floppy diskettes should also be scanned and any viruses found should be documented. At the discretion of the computer specialist the computer virus should be removed. As with the other software used, the version of the software used should be retained and stored with the documentation pending trial. It is also important to realize that infected programs and word processing files can be stored within compressed files, e.g., zip files. Some computer virus scanning programs, e.g., Norton AntiVirus, automatically search inside zip files. Other programs do not evaluate the contents of zip files. This should be taken into account regarding the creation of documentation.

6. File Catalog

The files stored on the computer hard disk drive(s) and floppy diskettes should be listed and cataloged. The dates and times that the files were created and/or updated should also be recorded. Many times relevant leads can be obtained through the sorting of the files by file date and time. The combination of such information from multiple computers seized as evidence in the same case can also prove valuable for leads. Such information can be helpful in documenting a conspiracy when sorted file dates and times are evaluated. NTI's FileList Pro program is ideal for this purpose and it processes DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP systems. It also can be used to document long file names as well as all deleted files on the drive. Such output can then be sorted on creation date, last modified date and/or last accessed date. This program is unique and can be a great aid in the documentation of the content of computer hard disk drives and in computer usage patterns.

7. Software Licensing

All too often, law enforcement agencies are underfunded when it comes to the purchase of computers and software. Often this translates into law enforcement computer specialists being forced to use software that they did not purchase in the processing of computer related evidence. If this practice is discovered by the defense lawyer through legal discovery or during trial, the case can be lost. Worse yet, the reputation and credibility of the law enforcement computer specialists can be tarnished forever. Such problems should be avoided at all costs. The essential software tools used in computer evidence processing are relatively inexpensive and some software companies support law enforcement agencies with free and discounted forensic software. Be sure that you are licensed to use the software and document that fact in your reports. Also, be sure to register your software with the software publisher after purchase. Smart defense lawyers will contact the software publishers involved and verify that you are a licensed user of their software.

8. Retention of Software, Input Files and Output Files

As technology moves forward most software manufacturers enhance and upgrade their software. Over the course of just one year a program will probably be upgraded several times. Therefore, it is important that you retain the exact version and copy of software used in the processing of computer evidence. It may be necessary for you to duplicate the results of your processing and without the exact version of software originally used, this task may be impossible. When processing results cannot be duplicated, it raises doubts about the accuracy of the processing. Furthermore, it also makes it difficult to rebut claims by the defense lawyer that the evidence was tampered with by the police, etc. I always recommend to my students that the source files, text search files, output files and forensic software be archived on the same storage device until after trial. Ideally these items should be retained until all possibilities of appeal have been exhausted. The recommended storage media is a Jaz disk (by Iomega) or another external storage device that allows file access. This is very inexpensive insurance when it comes to the failure or success of a criminal case. Your documentation should clearly list the software used, the names of the source files, the names of the output files and the software names and version numbers. These lists should conform to the contents of your archive disk.

It is hoped that these bits of information help you in processing computer evidence. This field is just now coming into bloom and proper documentation is one key to success. NTI has plans to develop training courses dealing with documentation and expert testimony issues.