
LSE Computer Security Research Centre

Forensic Computing

CSRC Research Project


Further Information


Copyright Notice

Although this material is being made available via this server, it is nevertheless copyright (c) Peter Sommer, 1995 and may only be republished in any form, electronic or otherwise, by the express permission of the copyright holder.


Project Aims

The aim of the project is to catalogue and evaluate the various methods of collecting computer-derived evidence and bringing it before the courts. As well as looking at the practical techniques, issues of the admissibility of evidence in various jurisdictions are also being examined as well as the problems of actual court presentation. However the matters raised go far beyond that of litigation; almost all software that has to operate in a commercial context ought to be able to create robust evidence; many well-known packages have a high potential for failure. Issues are also raised about the future training of law enforcement officers and possible changes in the substantive law.



Outline history of computer-derived evidence

Computers have appeared in the course of litigation for over twenty-five years. In 1977, according to Colin Tapper there were 291 US federal cases and 246 state cases in which the word "computer" appears and which were sufficiently important to be noted in the Lexis database. In the UK there were only 20. However as early as 1968 the computer's existence was considered sufficiently important for special provisions to be made in the English Civil Evidence Act.

The following description is designed to give a flavour of the issues rather than attempt to give a complete guide.

As far as one can tell (non-contentious cases tend not to be reported), the arrival of computers in commercial disputes and in criminal cases did not create immediate difficulties; judges sought to allow computer-based evidence on the basis that it was no different from forms of evidence with which they were already familiar - documents, business books, weighing machines, calculating machines, film and audio tape. This is not to say that such cases were without difficulty; however no completely new principles were required. Quite soon, though, it became apparent that many new situations were arising and that analogies with more traditional evidential material were beginning to break down. Some of these were tackled in legislation, as with the English 1968 Act and the US Federal Rules of Evidence 1976, but many were addressed in a series of court cases. Not all of the key cases deal directly with computers, but they have a bearing on them as they relate to matters which are characteristic of computer-originated evidence, for example that it is not immediately readable by a human being, that the information has been gathered by a mechanical counting or weighing instrument, or that a calculation was performed by a mechanical or electronic device.

The focus of most of this legislation and judicial activity was determining the admissibility of the evidence. This single concept conceals four others:

  • authenticity
  • reliability
  • completeness
  • conformity with common law and legislative rules

The first three of these go to the weight of the evidence; essentially they are questions of fact which must be tested before the court, often before a jury. These will be examined in more detail later.

The last is purely legal in nature and calls for some explanation now. The common law and legislative rules are those that have arisen as a result of judicial decision and specific law; they extend beyond mere guidance. They are rules which a court must follow; the thought behind these rules may have been to impose standards and uniformity in helping a court test authenticity, reliability and completeness, nevertheless they have acquired a status of their own and in some cases prevent a court from making ad hoc common sense decisions about the quality of evidence. The usual effect is that, once a judge has declared evidence inadmissible (that is, failing to conform with the rules), the evidence is never put to a jury. For a variety of reasons that will become apparent shortly, it is not wholly possible for someone interested in the practical aspects of computer forensics - that is the issues of demonstrating authenticity, reliability, completeness or lack thereof - to separate out the legal tests.



Legal Tests

The actual rules vary from legislation to legislation but one can give a broad outline of what happens in those countries with a common law tradition - the UK, USA, and the so-called "old" Commonwealth.

The law makes distinctions between real evidence, testimonial evidence and hearsay. Real evidence is that which comes from an inanimate object which can be examined by the court, testimonial evidence is that which a live witness has seen and upon which s/he can be cross-examined; "the hearsay rule operates to exclude assertions made other than by the witness who is testifying as evidence of the truth of what is being asserted". The pure hearsay rule is extremely restrictive and has been extensively modified by various statutory provisions. Thus there are rules about the "proving" of documents and business books. Bankers Books have separate legislation. Some of the rules apply explicitly to computers but many do not, though they can - and have been - interpreted to cover many situations in which computers are involved.

In the English legal system some of the existing statutory rules are sometimes a little difficult to reconcile with one another, and there are separate provisions for civil matters - the 1968 Act - and for criminal - Police and Criminal Evidence Act, ss 68, 69 and Criminal Justice Act, 1988, s 24. The result of this is that in many of the cases in which admissibility has been an issue, much of the argument has been about the interpretation of the various statutory rules and the precedents that have arisen from them. A number of the precedents also show some inconsistency.

The Criminal Justice Act 1988 introduced provisions for the use of computer print-outs (and other provisions appear in the Financial Services Act, 1986); Order 29 rule 3(1) can be used to authorise the application of computer aids and simulations to help the jury understand such events as complex frauds and complex accidents.

A short examination of certain aspects of the UK approach illustrates the foregoing. The 1968 Act lays down the following requirements (paraphrased):

  • that over the relevant period information was regularly supplied to the computer in the ordinary course of activities of the kind which is relied on in the statement (e.g. print-out or screen report) offered as evidence
  • that the information contained in the statement reproduces or is derived from information supplied to the computer in the ordinary course of its activities
  • that the computer from which the statement was produced was used regularly to process information of the type now being offered as evidence
  • that throughout the material part of the period the computer was behaving properly or, if not, not in such a fashion as to affect the production or accuracy of the statement.

Proper behaviour or normal working can be established by a certificate from the computer's owner or his representative and once provided there is a presumption that any material drawn from that computer is reliable (as opposed to an assumption that it is unreliable and must therefore be kept away from a jury; however the other side can still challenge the reliability by reference to substantive evidence).

Similar, slightly less stringent provisions appear in the criminal equivalent (though of course the standard of proof for civil cases is "balance of probabilities" and for criminal "beyond all reasonable doubt").

However, consider the following situations:

  • a fraud is alleged to have been committed by the manipulation of computer files
  • computer-held minutes of business meetings, diary entries, or correspondence have been deleted, partially deleted or altered in order to conceal events that have taken place; however back-ups and fragments remain
  • a computer breakdown has occurred, possibly the result of actions by an employee, but partial activity logs / audit trails remain
  • a program to search through computer files is used by investigators to track down references to particular names or transactions.

The first three of these would probably fail the tests of the current English criminal procedure - the owner of a computer would be unable to issue a certificate. The last may additionally fail (depending on the precise procedures employed) under the current English civil test, as the material would not "derive from information supplied to the computer in the ordinary course of activities then being carried on."

Thus we have situations where legal rules presumably designed to help the court may in fact hinder it. The court apparently cannot admit evidence, for example, from an expert that since the actual damage to files, etc. was quite slight, and because it followed a pattern and/or because other partial files existed which tended to tell the same story, it was possible to create a plausible reconstruction (which could then in turn be considered along with other evidence).

In practice these issues may be circumvented. For example, in a criminal case, evidence may be obtained by inadmissible methods but which then points investigators to other sources of evidence for the same sets of circumstances and which are admissible. An example of this could occur during a fraud investigation - computer search methods are often used to identify allegedly fraudulent transactions but the evidential items eventually presented in court are paper-based invoices, contract notes, dockets, or whatever. In this manner the prosecution can demonstrate to the jury the deception or breach of the Companies Act or other specific fraudulent act. Again, in civil litigation, the parties may decide to jointly accept computer-based evidence (or not to challenge it) and instead concentrate on the more substantive elements in the dispute. A defendant may prefer to have a substantive defence rather than a technical one based on inadmissibility. Or again, the legal team may not feel sufficiently competent to embark on a technical challenge.

In 1993 the English Law Commission made extensive recommendations for the abolition of the hearsay rule in civil proceedings and the effects this would have on "computer records". These now appear in the 1995 Civil Evidence Act. There are also proposals to address the similar problems in criminal proceedings.

In the United States, many practical problems exist around the actual seizure of computers containing evidence - law enforcement officers must comply with the Fourth Amendment to the US Constitution.



Subject-matter of "Computer Forensics"

A subject called "computer forensics" can thus not afford solely to concern itself with procedures and methods of handling computers, the hardware from which they are made up and the files they contain. The ultimate aim of forensic investigation is use in legal proceedings. At the same time an obsession with common law and judicial rules is likely to inhibit many investigations; it might be a mistake for enquiries not to be commenced simply because of fear of possible inadmissibility; further, as we have already seen, a number of computer investigatory methods may turn out not to be directly admissible but may nevertheless be useful in locating non-computer evidence which is admissible.

One may have to take a somewhat pragmatic view of the precise bounds of the subject-matter, but it should still be possible to define its core activities. It might help to explore the way in which forensic science in general has developed and then see what expectations one might reasonably have of computer forensics.

Although forensic science had been established long before then and indeed forms a central feature of many of Conan Doyle's Sherlock Holmes stories published from 1892 onwards, up until the 1970s each forensic scientist tended to develop his own methods and present them ad hoc to juries. Obviously reliance was placed on descriptions of methods used by others, but for courts the tests of whether to believe the forensic evidence were the manner of presentation, the supposed eminence of the forensic scientist and the skill of the opposition lawyer (and/or rival expert) who might be called. During the 1970s a more formal check-list-based approach was introduced. This was partly to bring about standardisation as between different laboratories and partly in response to the criticism (in the UK) that arose over such controversial cases as the Birmingham Six. In the UK Home Office Forensic Service, these check-lists would be devised by senior staff. Obviously such check-lists are revised in the light of experience - the publication of new specialist research or adverse experience during a trial. An increasing feature of modern practice is quality control, which involves work being checked by an otherwise uninvolved co-worker before being offered to external scrutiny. In any event, the broad tests for evidence include:

  • authenticity - does the material come from where it purports?
  • reliability - can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material are there reasons for doubting the correct working of the computer?
  • completeness - is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing?
  • acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling

Any approach to computer forensics would thus need to include the elements of:

  • well-defined procedures to address the various tasks
  • an anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation
  • the possibility for repeat tests to be carried out, if necessary by experts hired by the other side
  • check-lists to support each methodology
  • an anticipation of any problems in formal legal tests of admissibility
  • the acceptance that any methods now described would almost certainly be subject to later modification



Divergences from conventional forensic investigation

However there will be divergences from the expectations of more traditional areas of forensic investigation.

The main reason is the rate of change of computer technology. The devisor of a test for the presence of a prohibited drug, an explosive, fabric fibres, bodily tissues, etc. can expect that over a period of time the test may be improved or shown to be defective, but the actual need for the test and most of its essential detail will probably not change. But in computers, newness and obsolescence is the norm.

  • a key feature of computer forensics is the examination of data media: new forms and techniques of data storage occur at intervals of less than 5 years, e.g. the floppy disk of 10 years ago was in 5.25 in format and held 360k, the current equivalent is 3.5 inches and holds 1.44 MB and shortly much higher densities are expected; a typical hard-disk size on a PC of the same date was 20-30 MB, in 5.25 inch form and using MFM controller technology, today most PCs have hard-disks in excess of 350 MB in 3.5 in or even 2.5 inch form using IDE or RLL technology; on minis and mainframes data may be held on RAID, where individual files may be split and spread over 8 or more separate disk surfaces. Similar changes have taken place in tape technology and the use of EPROMs.
  • computer architectures have shown profound change in the same short period. PCs have become much more powerful, the large central mainframe is now a rarity and large companies are now served by a multiplicity of smaller computers which all interact via complex networks
  • computer peripherals keep on changing as well - modems and network routers have become "intelligent"; digitising scanners are fairly common devices. They can be subverted for example for forgery.
  • wide area telecoms methods are being used more and more. They offer opportunities both for high-tech criminals and for forensic investigators. The protocols they use keep on changing as well.

The foregoing simply lists technological changes; similar changes have taken place in computer applications and these in turn have affected the type of information one might expect to find held on computer. For example, over the same 10 years:

  • the growth of e-mail, both locally within a large organisation and world-wide
  • the growth of client / server applications, the software outcome of the more complex hardware architectures. In the client / server situation, software on, say, a PC or small local machine interacts with software and data held on other non-local machines and large mainframes in a way which appears to be seamless to the user. One key effect of this is that a computer "document" often does not exist in some computer equivalent of a filing cabinet but is assembled on demand by the activity of one computer drawing information from many others. The evidence of a transaction or event may therefore only be provable by the presentation of all the records from all the computers involved plus an explanation of how the assembly of the report relied on took place.
  • the greater use of EDIs and other forms of computer-based orders, bills of lading, payment authorisations, etc. EDIs have very complex structures, with some "evidence" being held in computers owned by the counter-parties and some by the EDI supplier / regulator
  • computer graphics: computer-aided design (CAD) methods, particularly those that provide an element of auto-completion or filling-in of basic design ideas
  • more extended, easier to use databases
  • the greater use of computer-controlled procedures, e.g. sales, despatch and emergency services, and computer-controlled processes, e.g. traffic control and in manufacture
  • the methods of writing and developing software have changed also: there is a much greater use of libraries of procedures, of new computer language models, for example, object-oriented programming environments, and new more formal methods of program development; standards and methods of testing have also changed

As a result, computer forensic methods may not have the time in which to establish themselves, nor the longevity, that more traditional chemistry and physics-based forensics enjoys.

The usual way in which specific forensic methods become accepted is via publication in a specialist academic journal. A forensic scientist, seeking to justify a methodology in court, can do so by stating that it is based on a specific published method which has not, up to the point of the hearing, been criticised. (The rule of "best practice" refers to the use of best practice available and known at the time of the giving of evidence).



Computer Forensics Situations

We can try now and indicate some of the more common questions that computer forensics can hope to answer.

The following list is not exhaustive, nor is the order significant:

  • documents - to prove authenticity; alternatively to demonstrate a forgery. This is the direct analogy to proving a print-based document
  • reports, computer generated from human input. This is the situation where a series of original events or transactions are input by human beings but where, after regular computer processing, a large number of "reports", both via print-out and on-screen can be generated. Examples would include the order/sales/inventory applications used by many commercial organisations and retail banking
  • real evidence - machine readable measurements, etc., e.g. weighing, counting, otherwise recording events, the reading of the contents of magnetic stripes and bar codes and of "smart cards"
  • reports, generated from machine readable measurements, etc. Items have been counted, weighed, etc. and the results then processed and collated.
  • electronic transactions - to prove that a transaction took place - or to demonstrate that a presumption that it had taken place was incorrect. Typical examples would include money transfers, ATM transactions, securities settlement, EDIs
  • conclusions reached by "search" programs - programs which have searched documents, reports, etc. for, e.g., names and patterns. Typical users of such programs are auditors and investigators
  • event reconstruction - to show a sequence of events or transactions passing through a complex computer system. This is related to the proving of electronic transactions but with more pro-active means of investigation
  • event reconstruction - to show how a computer installation or process dependent on a computer may have failed. Typical examples include computer contract disputes (e.g. when a computer failed to deliver acceptable levels of service and blame must be apportioned), disaster investigations and "failed trade" situations in securities dealing systems
  • liability in situations where CAD designs have relied on auto-completion or filling in by a program (in other respects a CAD design is a straight-forward computer-held document)
  • conclusions of computer "experts" - the results of expert systems. When a computer program has made a decision (or recommendation) based on the application of rules and formulae and where the legal issue is the quality and reliability of the application program and the rules with which it has been fed

These occasions could arise in any of a number of forms of litigation, e.g.

  • Civil Matters:

    Breach of Contract
    Asset recovery
    Tort, including negligence
    Breach of Confidence
    Defamation
    Breach of securities industry legislation and regulation and/or Companies Acts
    Employee disputes
    Copyright and other intellectual property disputes
    Consumer Protection law obligations (and other examples of no-fault liability)
    Data Protection law legislation

  • Criminal Matters:

    Theft Acts, including deception
    Criminal Damage
    Demanding money with menaces
    Companies Law, Securities Industry and banking offences
    Criminal offences concerned with copyright and intellectual property
    Drug offences
    Trading standards offences
    Official Secrets
    Computer Misuse Act offences

As mentioned earlier, the most likely situations are that computer-based evidence makes a contribution to an investigation or to litigation and is not the whole of it.


Computer Forensics Methods

The following is a provisional list of some of the principal forensic methods. The order is not significant; however these are the activities for which the research would want to provide detailed description of procedures, review and assessment for ease of use and admissibility. A number of these methods have been mentioned in passing already:

  • safe seizure of computer systems and files, to avoid contamination and/or interference
  • safe collection of data and software
  • safe and non-contaminating copying of disks and other data media
  • reviewing and reporting on data media
  • sourcing and reviewing of back-up and archived files
  • recovery / reconstruction of deleted files - logical methods
  • recovery of material from "swap" and "cache" files
  • recovery of deleted / damaged files - physical methods
  • core-dump: collecting an image of the contents of the active memory of a computer at a particular time
  • estimating if files have been used to generate forged output
  • reviewing of single computers for "proper" working during relevant period, including service logs, fault records, etc.
  • proving / testing of reports produced by complex client / server applications
  • reviewing of complex computer systems and networks for "proper" working during relevant period, including service logs, fault records, etc.
  • review of system / program documentation for: design methods, testing, audit, revisions, operations management.
  • reviewing of applications programs for "proper" working during relevant period, including service logs, fault records, etc.
  • identification and examination of audit trails
  • identification and review of monitoring logs
  • telecoms call path tracing (PTTs and telecoms utilities companies only)
  • reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication services)
  • reviewing and assessment of access control services - quality of security management
  • reviewing and assessment of encryption methods - resilience and implementation
  • setting up of pro-active monitoring in order to detect unauthorised or suspect activity

    within applications programs
    within operating systems
    across local area networks
    across wide area network

  • monitoring of e-mail
  • use of special "alarm" or "trace" programs
  • use of "honey pots"
  • inter-action with third parties, e.g. suppliers, emergency response teams, law enforcement agencies
  • reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc.
  • use of routine search programs to examine the contents of a file
  • use of purpose-written search programs to examine the contents of a file
  • reconciliation of multi-source files
  • examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties
  • event reconstruction
  • complex computer intrusion
  • complex fraud
  • system failure
  • disaster affecting computer driven machinery or process
  • review of "expert" or rule-based systems
  • reverse compilation of suspect code
  • use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and quality
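As an added example (not part of the original page), the following Python illustrates two of the listed methods together: "recovery / reconstruction of deleted files - logical methods" on a constructed FAT12 floppy-style image of the kind described earlier, and the "safe and non-contaminating" handling that lets the other side's expert repeat the test, by hashing the image before and after the examination. The disk geometry constants, the sample image and its file names are assumptions constructed for this example; the deleted-file recovery deliberately flags the case where the assumed cluster run has since been reallocated, since the FAT chain is zeroed on deletion and contiguity is only an assumption.

```python
import hashlib
import struct

# Assumed geometry of a constructed 1.44 MB-style FAT12 floppy image: boot sector,
# two 9-sector FATs, 14-sector root directory, data area from sector 33 and one
# 512-byte sector per cluster (cluster 2 is the first data cluster).
SECTOR = 512
FAT1_OFFSET = 1 * SECTOR
ROOT_OFFSET = 19 * SECTOR
ROOT_SECTORS = 14
DATA_OFFSET = 33 * SECTOR

def fat12_get(image, n):
    """Read 12-bit FAT entry n; entries are packed 1.5 bytes each."""
    off = FAT1_OFFSET + n + n // 2
    v = image[off] | (image[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0xFFF)

def fat12_set(image, n, val):  # used only to build the constructed sample image
    off = FAT1_OFFSET + n + n // 2
    if n & 1:
        image[off] = (image[off] & 0x0F) | ((val << 4) & 0xF0)
        image[off + 1] = (val >> 4) & 0xFF
    else:
        image[off] = val & 0xFF
        image[off + 1] = (image[off + 1] & 0xF0) | ((val >> 8) & 0x0F)

def parse_root(image):
    """Walk the 32-byte root directory entries, keeping live and deleted files."""
    entries = []
    for off in range(ROOT_OFFSET, ROOT_OFFSET + ROOT_SECTORS * SECTOR, 32):
        raw = image[off:off + 32]
        if raw[0] == 0x00:
            break                       # 0x00 marks the end of used entries
        if raw[11] == 0x0F:
            continue                    # VFAT long-name entry, not a file
        deleted = raw[0] == 0xE5        # deletion overwrites only the first byte
        name = raw[:8].decode('ascii', 'replace').rstrip()
        if deleted:
            name = '?' + name[1:]       # the first character is unrecoverable
        ext = raw[8:11].decode('ascii', 'replace').rstrip()
        first_cluster, size = struct.unpack_from('<HI', raw, 26)
        entries.append({'name': f'{name}.{ext}' if ext else name, 'deleted': deleted,
                        'first_cluster': first_cluster, 'size': size})
    return entries

def recover_deleted(image, entry):
    """Logical recovery: assume the file was contiguous (its FAT chain is gone) and
    flag the result if any assumed cluster is now allocated to something else."""
    n_clusters = -(-entry['size'] // SECTOR)
    clusters = list(range(entry['first_cluster'], entry['first_cluster'] + n_clusters))
    reallocated = any(fat12_get(image, c) != 0 for c in clusters)
    chunks = []
    for c in clusters:
        start = DATA_OFFSET + (c - 2) * SECTOR
        chunks.append(bytes(image[start:start + SECTOR]))
    return {'data': b''.join(chunks)[:entry['size']], 'clusters': clusters,
            'reallocated': reallocated}

def examine(image):
    """Read-only examination; matching hashes show the image was not altered and
    let another examiner repeat the work against the same image."""
    before = hashlib.sha256(image).hexdigest()
    recovered = [dict(e, **recover_deleted(image, e))
                 for e in parse_root(image) if e['deleted']]
    after = hashlib.sha256(image).hexdigest()
    return {'sha256_before': before, 'sha256_after': after, 'recovered': recovered}

def build_sample_image():
    """Constructed sample: one live file on clusters 2-3, one deleted file on 4-5."""
    img = bytearray(40 * SECTOR)
    fat12_set(img, 2, 3)                # live file chain: 2 -> 3 -> end of chain
    fat12_set(img, 3, 0xFFF)
    root = b'LIVE    TXT' + b'\x20' + bytes(14) + struct.pack('<HI', 2, 600)
    root += b'\xE5INUTES TXT' + b'\x20' + bytes(14) + struct.pack('<HI', 4, 700)
    img[ROOT_OFFSET:ROOT_OFFSET + len(root)] = root
    img[DATA_OFFSET:DATA_OFFSET + 600] = b'L' * 600
    minutes = (b'Minutes of board meeting (constructed sample). ' * 20)[:700]
    img[DATA_OFFSET + 2 * SECTOR:DATA_OFFSET + 2 * SECTOR + 700] = minutes
    return img
```

Running `examine(build_sample_image())` yields one recovered entry, `?INUTES.TXT`, with its 700 bytes and an unchanged SHA-256 either side of the examination; on a real image the `reallocated` flag is the point at which a contiguity assumption would have to be defended in court.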