CHAPTER 9 COMPUTER AND DIGITAL FORENSICS

Jurisdiction: United States

Overview

Computers are ubiquitous. Your laptop computer is only one small example of the availability of computer processing power. In modern society, one can hardly touch something that is not connected to computer processing power. Your cell phone tracks you almost constantly and usually by default. The computing power in your car does something similar. Even your household appliances can contain computing power.

The information stored and handled by computers and cell phones is generally referred to as "digital evidence." The quantity of such information boggles the mind. As of this writing, 97% of Americans use text messaging at least once a day, accounting for over 6 billion text messages per day.1 By some estimates, there are well over 4 billion email accounts worldwide, and that number is expected to grow dramatically.2 Are those text messages and emails usable as evidence at trial? How can one be certain, if one can at all, that they are real? Or that they were sent by the person who claims to have sent them? Such information can be highly material and relevant to the issues presented at trial. It may even answer the age-old question: "Where were you on the night of . . . ?"

But how do we go about obtaining this digital information? Where is it located? What are the circumstances under which it can be obtained? How do we ensure that it is what it purports to be? Do the rules, or for that matter the questions, differ for criminal prosecutions and civil actions? These are the questions that this chapter will address.

Chapter Objectives

Upon completion of this chapter, students will be able to:

1. Define digital evidence.
2. Explain legal authenticity, as it applies to digital information.
3. Explain the types of information that digital evidence reveals.
4. Have a working knowledge of the storage of digital data.
5. Identify various types of computer data.
6. Discuss forensically sound acquisition and examination of digital evidence.
7. Explain what data can be recovered, what cannot be recovered, and the value of both.

Case Studies

There are myriad examples of law enforcement using digital data to capture criminals. Frequently, law enforcement will pose as a member of a vulnerable class, for example a minor seeking companionship. After some communication, often a meeting is arranged with the understanding that it will be for illicit purposes. At the time of the meeting, law enforcement then pounces on the offender and an arrest is made.

Similarly, law enforcement will monitor sites wherein child pornography is exchanged. Once able to trace the computers to which the images are sent, a search warrant can be obtained and appropriate enforcement action taken.

State v. Lasaga; U.S. v. Lasaga

The matter of Antonio Lasaga, former professor at Yale University, presents an interesting, if lamentable, series of facts.3 Lasaga was employed at Yale in the geology and geophysics department. At some point, a graduate student in that department notified the person in charge of maintaining the department's computers that Lasaga had downloaded child pornography onto his office computer. The graduate student determined to continue monitoring Lasaga's computer activity, while the computer specialist remotely accessed the files that Lasaga had downloaded onto his office computer. He also installed a monitoring script that would alert him whenever Lasaga downloaded new files. When an alert came in, the computer specialist attempted to make certain that Lasaga was in fact in his office. While the door was shut, a student did confirm that Lasaga was in his office.

At that point, the geology department employees determined to contact law enforcement. An FBI agent applied for a search warrant to obtain the computer and related items, and that search warrant was executed by law enforcement the next day. Multiple items were seized, including the computer, discs and zip drives, and videotape. Based on the results of the search, Lasaga was charged under both Connecticut law and federal law. The federal court prosecution charged violations of the Child Pornography Prevention Act of 1996.4 In that matter, he was sentenced to 180 months in prison. In addition to child pornography, information obtained through the search warrant revealed actual sexual contact with a minor. Lasaga was charged under state law for these crimes and was sentenced to 20 years in prison, to run concurrently with his federal sentence.

Several interesting issues arise from the actions of the parties surrounding Lasaga's conduct. Were the Yale employees acting as agents of the police at any time during the investigation? If so, does that affect the legal validity of the search warrant, such that Lasaga's conviction is unconstitutional? With respect to the allegations of possession of child pornography, how do we know it was actually Lasaga who was downloading the images? Might it have been someone else in the department using his computer? Perhaps someone logged in with his credentials. These types of questions face law enforcement and the courts frequently. Can digital evidence overcome any potential doubt?

Connecticut's Most Expensive Divorce

The type of information described above not only surfaces in criminal matters, but is also present in civil cases. The matter of Tauck v. Tauck,5 perhaps Connecticut's longest running and most expensive divorce case, illustrates this point well.

Several matters were litigated during the course of this hotly contested 86-day trial. As with many such cases, child custody and visitation, as well as financial matters, were at issue. In the course of trial, it was disclosed by Mrs. Tauck that her husband had viewed child pornography on his computer. In fact, forensic examination of his computer revealed child pornography and related search queries. Certainly such a revelation, if proved, would significantly and negatively affect Mr. Tauck's ability to appropriately parent his children, would it not? How could a trial judge not consider such a revelation in ruling on issues of custody and visitation?

But how to prove such an allegation? It would seem simple enough, merely by viewing the subject computer. However, opening files on a computer may destroy evidence that lurks in the background and can be quite valuable. For example, your computer tracks dates and times when files are accessed. If the files are opened, that information is overwritten and lost. Locard's exchange principle, discussed elsewhere in this text, cautions that whenever an area is entered, one picks up something and leaves something behind. Although you might think of that in terms of scientific evidence, like DNA, it holds true for digital evidence as well. Therefore, investigators must be certain to minimize the likelihood that something is taken away, left behind, or otherwise destroyed. Those steps are discussed below. In the Tauck matter, one of the reasons the trial took as long as it did was to conduct searches for forensic evidence on several computer hard drives, and this was how the child pornography was discovered.
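The loss of access-time evidence described above, as an added illustration that is not part of the original chapter: the script records a file's timestamps and SHA-256 before examination, then shows that a later open leaves the content hash unchanged while the original access record is gone. The file, dates and function names are constructed, and the examiner's open is simulated with `os.utime` because real access-time updates depend on mount options.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record size, timestamps and SHA-256 before anyone examines the file."""
    st = os.stat(path)  # stat() reads metadata only; it does not open the file
    # O_NOATIME (Linux only, caller must own the file) asks the kernel not to
    # update the access time while the content is read for hashing.
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    try:
        fd = os.open(path, flags)
    except PermissionError:
        fd = os.open(path, os.O_RDONLY)
    digest = hashlib.sha256()
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "atime_ns": st.st_atime_ns,
            "mtime_ns": st.st_mtime_ns, "sha256": digest.hexdigest()}

def changed_fields(before, after):
    """Return the names of recorded attributes that differ between snapshots."""
    return sorted(k for k in before if before[k] != after[k])

def demo():
    """Constructed scenario: a file last accessed in 2005 is 'opened' later."""
    last_access = 1115251200 * 10**9   # 2005-05-05 00:00:00 UTC, constructed
    last_write = 1114905600 * 10**9    # 2005-05-01 00:00:00 UTC, constructed
    opened_now = 1700000000 * 10**9    # stands in for the examiner's open
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        os.utime(path, ns=(last_access, last_write))
        before = snapshot(path)
        # Whether a plain read updates atime depends on mount options
        # (relatime, noatime), so the update is simulated explicitly here.
        os.utime(path, ns=(opened_now, last_write))
        after = snapshot(path)
    return before, after, changed_fields(before, after)

if __name__ == "__main__":
    before, after, diff = demo()
    print("changed:", diff, "| content hash identical:",
          before["sha256"] == after["sha256"])
```

The hash proves the content was not altered, but only the snapshot taken beforehand preserves when the file was last accessed.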

Certainly, the possession of child pornography could be the proverbial "smoking gun" on which the court's decision rested. And in many respects it was, but certainly not in the way Mrs. Tauck might have anticipated.

Evidence was developed that Mr. Tauck travelled extensively for his business. The forensic investigation of Mr. Tauck's laptop computer showed that he was traveling at the time the child pornography was accessed. The evidence showed that he was on a ship at that time, and that there was no internet access. Furthermore, the laptop was left at home in Connecticut, and there was no indication of remote access to that computer. One of the various computer experts in the case testified that he

... was able to determine the location of the Toshiba I laptop on May 5, 2005. [The expert] observed what is commonly referred to as pop-ups as a result of access of adult web pages. The pop-up he found was for Adult Friend Finder. He explained that the pop-ups read the IP address that is responsible for access to pornography pages. It interprets the IP number (in essence a physical address of the computer) and offers an adult friend in that geographical area. [The expert] found several adult friend finder pop-ups and they all said the same thing, "find a partner in Westport tonight" for the date May 5, 2005. This indicated to [the expert] that the IP number associated with the computer browsing the website that created the pop-up, was showing an IP address associated with the Westport, CT, area.6

Clearly, computer IP and location data can truly make or break a case. In the Tauck matter, location data was particularly relevant and contributed a great deal to the determination of the case. Moreover, as alluded to above, unless a computer is biometrically enabled, can we really know who was using it? That is to say, although IP address information can tell us about the computer and its location, it cannot tell us who was actually sitting behind the computer at the time of the internet access.

Types of Cases

At this point, we will limit our inquiry to criminal matters. The types of crime that are facilitated by electronic means are almost boundless. And nearly every crime has some element of digital forensics attached to it. And it seems rather self-evident that if you have a computer, you are likely connected to the internet.

The Federal Bureau of Investigation's Internet Crime Complaint Center (the "IC3") deals with matters involving computer fraud. Their 2014 Internet Crime Report states that the most frequently reported internet crimes are auto fraud, government impersonation, intimidation/extortion scams, real estate fraud, and "romance" scams. Social media has also become an increasingly popular platform for criminal activity.7 The FBI lists as its key priorities computer and network intrusion, identity theft...
