Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet

Posted on by Ben Rothke

When it comes to a physical crime scene and the resulting forensics, investigators can ascertain that a crime took place and gather the necessary evidence. When it comes to digital crime, the evidence is often at the byte level, deep in the magnetics of digital media, initially invisible to the human eye. That is just one of the challenges of digital forensics, where it is easy to destroy crucial evidence and often difficult to preserve it correctly.

For those looking for an authoritative guide, Digital Evidence and Computer Crime is an invaluable book that can be used to ensure that any digital investigation is done in a formal manner that can ultimately be used to determine what happened and, if needed, serve as evidence in court.

Written by Eoghan Casey, a leader in the field of digital forensics, in collaboration with 10 other experts, the book’s 24 chapters and nearly 800 pages provide an all-encompassing reference.  Every relevant topic in digital forensics is dealt with in this extraordinary book.  Its breadth makes it relevant to an extremely large reading audience: system and security administrators, incident responders, forensic analysts, law enforcement, lawyers and more. 

In the introduction, Casey writes that one of the challenges of digital forensics is that the fundamental aspects of the field are still in development.  Be it the terminology, tools, definitions, standards, ethics and more, there is a lot of debate amongst professionals about these areas.  One of the book’s goals is to assist the reader in tackling these areas and to advance the field.  To that end, it achieves its goals and more. 

Chapter 1 is appropriately titled Foundation of Digital Forensics, and provides a fantastic overview and introduction to the topic. Two of the superlative features of the book are the hundreds of case examples and practitioners’ tips. The book magnificently integrates the theoretical aspects of forensics with real-world examples to make it an extremely readable guide.

Casey notes that one of the most important advances in the history of digital forensics took place in 2008 when the American Academy of Forensic Sciences created a new section devoted to digital and multimedia sciences. That development advanced digital forensics as a scientific discipline and provided a common ground for the varied members of the forensic science community to share knowledge and address current challenges. 

In chapter 3 – Digital Evidence in the Courtroom – Casey notes that the most common mistake that prevents digital evidence from being admitted in court is that it is obtained without authorization. Generally, a warrant is required to search and seize evidence.  This and other chapters go into detail on how to ensure that evidence gathered is ultimately usable in court. 

Chapter 6 – Conducting Digital Investigations – is one of the best chapters in the book. Much of this chapter details how to apply the scientific method to digital investigations. The chapter is especially rich with tips and examples, which are crucial, for if an investigation is not conducted in a formal and consistent manner, a defense attorney will attempt to get the evidence dismissed.

Chapter 6 and other chapters reference the Association of Chief Police Officers’ Good Practice Guide for Computer-Based Electronic Evidence as one of the most mature and practical documents to use when handling digital crime scenes. The focus of the guide is to help digital investigators handle the most common forms of digital evidence, including desktops, laptops and mobile devices.

The Good Practice Guide is important in that digital evidence comes in many forms, including audit trails, application, badge reader and ISP and IDS logs, biometric data, application metadata, and much more.  The investigator needs to understand how all of these work and interoperate to ensure that they are collecting and interpreting the evidence correctly.

Chapter 9 – Modus Operandi – by Brent Turvey is a fascinating overview of how and why criminals commit crimes. He writes that while technologies and tools change, the underlying psychological needs and motives of offenders and their associated criminal behavior have not changed through the ages.

Chapter 10 – Violent Crime and Digital Evidence – is another extremely fascinating and insightful chapter. Casey writes that whatever the circumstances of a violent crime, information is key to determining and thereby understanding the victim-offender relationship, and to developing an ongoing investigative strategy. Any details gleaned from digital evidence can be important, and digital investigators must develop the ability to prioritize what can be overwhelming amounts of evidence.

Chapter 13 – Forensic Preservation of Volatile Data – deals with the age-old forensic issue: to shut down or not to shut down? It provides a highly detailed sample volatile data preservation process for an investigator to follow to preserve volatile data from a system. There is also a fascinating section on the parallels between arson and digital intrusion investigations.

Part 4 of the book is Computers, in which the authors note that although digital investigators can use sophisticated software to recover deleted files and perform advanced analysis of computer hard drives, it is important for them to understand what is happening behind the scenes. A lack of understanding of how computers function and of the processes that sophisticated tools have automated makes it more difficult for digital investigators to explain their findings in court and can lead to incorrect interpretations of digital evidence.

Chapter 17 – File Systems – has an interesting section on dates and times.  Given the importance of dates and times when investigating computer-related crimes, investigators need an understanding of how these values are stored and converted.  The chapter has a table of the date-time stamp behavior on both FAT and NTFS file systems.  Time stamps are not a trivial issue, as there are many different actions involved (file moved, deletion, copy, etc.) that can affect the date-time stamp in very different ways.
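As an added illustration of why the storage format matters (this is my own example, not code from the book or the review): FAT packs a local-time stamp into two 16-bit fields with 2-second resolution and no time zone, while NTFS stores a 64-bit count of 100-nanosecond intervals since 1601-01-01 in UTC. The sample stamp below is constructed; decoding it on FAT silently truncates an odd second.

```python
from datetime import datetime, timedelta, timezone

# FAT date: bits 15-9 = year since 1980, 8-5 = month, 4-0 = day.
# FAT time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2.
# The value is local time as the writing machine saw it; no zone is stored.
def fat_to_datetime(date_field: int, time_field: int) -> datetime:
    year = 1980 + ((date_field >> 9) & 0x7F)
    month = (date_field >> 5) & 0x0F
    day = date_field & 0x1F
    hour = (time_field >> 11) & 0x1F
    minute = (time_field >> 5) & 0x3F
    second = (time_field & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)  # naive (local)


def datetime_to_fat(dt: datetime) -> tuple[int, int]:
    """Encode a (local) datetime; odd seconds are truncated to even."""
    date_field = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_field = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_field, time_field


# NTFS FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    # Python datetimes carry microseconds, so drop the last decimal digit (10 ns -> 1 us).
    return NTFS_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """dt must be timezone-aware; the result is in 100 ns units."""
    delta = dt - NTFS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def fat_round_trip_loss(dt: datetime) -> int:
    """Seconds lost when a naive local datetime is written to FAT and read back."""
    restored = fat_to_datetime(*datetime_to_fat(dt))
    return int((dt - restored).total_seconds())


if __name__ == "__main__":
    # Constructed sample: a file written at 13:05:31 local time on 2011-04-09.
    sample = datetime(2011, 4, 9, 13, 5, 31)
    print("FAT fields:", [hex(f) for f in datetime_to_fat(sample)])
    print("FAT read-back:", fat_to_datetime(*datetime_to_fat(sample)))
    print("NTFS FILETIME of Unix epoch:",
          datetime_to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc)))
```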

A better title for Digital Evidence and Computer Crime might be the Comprehensive Guide to Everything You Need to Know About Digital Forensics.  One is hard pressed to find another book overflowing with so many valuable details and real-world examples. 

The book is also relevant for those who are new to the field, as it provides a significant amount of introductory material that delivers a broad overview to the core areas of digital forensics. 

The book progresses to more advanced and cutting-edge topics, including sections on various operating systems, from Windows and Unix to Macintosh. 

This is the third edition of the book, completely updated and re-edited. When it comes to digital forensics, this is the reference guide that all books on the topic will be measured against.

With a list price of $70.00, this book is an incredible bargain given the depth and breadth of topics discussed, with each chapter written by an expert in the field.  For those truly serious about digital forensics, Digital Evidence and Computer Crime is an equally serious book. 

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

Ben Rothke

Senior Information Security Manager, Tapad
