Monday, January 13, 2014

Digital Footprints - Computer Forensics and Digital Evidence: Information for Writers


“This office is Grand Central.” He plugged a new flash drive into the computer.
“Are you finding what you need?” I asked.
“Some of it. They have security on top of security.”

~ Missing Lynx

If you're writing a contemporary suspense/thriller/crime novel, then digital information is an important angle to consider.

Modern technology makes certain crimes easier to carry out than ever before; indeed, some crimes exist now that were not possible before computers became commonplace across the world's population.

How many of you have been on the receiving end of an African lottery-win phishing expedition? Conversely, if a criminal is not aware of how digital forensics can help an investigation, technology can also make crime harder to get away with.

Map showing the Strategic Alliance Cyber Crime Working Group member countries and lead agencies (Photo credit: Wikipedia)

Most investigators who work with computerized information are called Digital Forensic Investigators. Apparently calling them computer-geek-cops is frowned upon.

German: Micro USB charging cable for mobile phones (Photo credit: Wikipedia)

They cover such crimes as:

* Cyber bullying
* Child porn and child
* Pirating - software, music, videos, and other copyrighted work like books. Link to novelist John Dolan's blog post about his experience with pirating. Just FYI.
* Credit card fraud
* Altering medical data for insurance fraud
* Espionage
* Terrorism
* Corporate crimes
* Pharming - Pretending to be a legitimate organization when they are not
* Phishing - Trying to defraud people

Video Quick Study (3:43) Phishing and Pharming examples
Video Quick Link (3:28) - excellent overview of digital crimes
Video Quick Study (6:44) - This is Josh Moulin, who taught at WPA 2011. He is explaining what he does; listen carefully to his mode of speech and his vocabulary. This is not specialized speak for the interview. This is how he spoke with us. (Don't go to the website he offers; it is
   * Includes tips for how to protect a child on line
   * Tips on general computer safety

The first hurdle to jump is simply identifying that there is an issue.

* Is this a glitch in a program? A human error? Or is this a crime? Oftentimes computer crimes are hard to discover.
* Did the person have widely scoped criminal intent, such as a terrorist? Or was this a bored teenager hacking into a system to see if he could?

Then they start looking for a suspect.

Digital Forensics Experts will:
1. Trace Back - the computer experts try to find the source computer (the computer from which the attack originated) by following the trail of addresses (IP addresses).
2. Scrutinize the computer system of the entity that was compromised, called the target.

Once the investigators have narrowed in on the suspect, they need to prove:

* Did the person have motive for perpetrating a crime, and what was it? Motivators might include:
   * Curiosity - like hackers, to see if they can.
   * Money
   * Victimization (such as stalking or pedophilia)
   * Power/leverage/revenge

* Believe me, I could have all of the motivation in the world, BUT if my scheme includes anything more than using a word processor, you've got the wrong girl.

ACCESS to perpetrate such things as:
* Data mining for materials that would benefit a criminal, such as credit card numbers.
* Logic Bombs - a logic bomb "is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company." More information here.
* Opportunity to alter computer logs to show that the activity happened at a different time or date. (Investigators must look at the time/date stamps and make sure these were not tampered with, for example.)

English: DCIS special agents investigate cyber crime within DoD. (Photo credit: Wikipedia)

In order to develop the motive, access, and means, the investigators will collect evidence. Evidence is collected, analyzed, and stored.

Traditional Investigation
1. Interview eyewitnesses - did anyone see or hear anything pertaining to the crime?
2. Conduct surveillance
    * Electronic surveillance might include pretending to be a target, such as posing as a thirteen-year-old girl.
    * Discovering whether the suspect would have been somehow UNABLE to perform a cyber crime because of location, activity, etc. For example, a scuba diver would probably have an alibi if they were underwater.
    * Smart phones with internet capability make this difficult at times, though again, everything leaves a digital trail, so it might just be helping investigators.

Digital investigation

In order to access digital information from the target computer system, the investigators would need owner permission. If they wish to gather the information from the source computer, they will need a warrant.
* The investigators might want to do this surreptitiously, so as not to let the suspect know that they are being investigated.
* They may confiscate the equipment.

COLLECT: 4 strategies for collecting the digital footprint.

English: A portable Tableau forensic write-blocker attached to a hard disk drive (Photo credit: Wikipedia)

1. Seizure - bag, tag, and send devices to the forensics laboratory.
   * The ever-growing number of devices with huge amounts of memory creates long backlogs.
   * No way to differentiate between items that might contain evidence and items that have no relevance.
2. Onsite Imaging
   * Time consuming
   * Issues of contamination
3. Digital Triage with Boot CD or Thumb
   * Cannot cope with cell phones, GPSs, or similar devices
   * Can contaminate the data that is being
4. Onsite collection with specialized equipment such as Spektor
   * The one in this video was developed for investigators who do not specialize in digital forensics, so your Joe-cop could collect the evidence with maximum forensic control.
   * Can handle cell phones and GPS devices.
   Video Quick Study (4:53) Promotes Spektor - but is a good quicky overview of the collection techniques

English: A Tableau internal forensic write-protection module (Photo credit: Wikipedia)

Once the device is in the hands of the investigator:

1. They make a backup copy (working copy).
    * The original data must stay intact, which allows it to be presented later in its original condition if needed in court.
    * Making the copy is called imaging.
    * The Working Copy Master (the original copy) is used to make more copies. The original WCM is archived along with the original data.
    * Investigators work on one of the other versions - if it is somehow corrupted, then the investigators can make a fresh copy from the WCM.

Plot point: How are the investigators sure that the copy is correct? They use a hash value: a program converts the data into whole numbers that are added up, and the sums for the original and the copy are compared. If they match, then the investigators know that they have an exact replication. This is a very cool little piece to manipulate in a plot line, so I'm including this LINK to an academic paper concerning its use.
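As an added illustration (not code from the original post), here is how that hash comparison works in Python: the "disk image" is a constructed byte string standing in for the original drive, and the helper names are hypothetical. A single changed byte in the working copy produces a different hash, which is exactly how an examiner detects a corrupted copy and goes back to the WCM for a fresh one.

```python
import hashlib

# Constructed sample "disk image": 4096 bytes standing in for the
# original drive (hypothetical data, not from the original post).
ORIGINAL_IMAGE = bytes(range(256)) * 16

SECTOR = 512  # hash the image in sector-sized chunks, as an imager would


def image_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of a whole image, read chunk by chunk."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), SECTOR):
        h.update(view[start:start + SECTOR])
    return h.hexdigest()


def verify_working_copy(original: bytes, copy: bytes) -> dict:
    """Compare the archived original's hash with a working copy's hash.

    Returns both digests and whether they match; this is the record an
    examiner writes into the chain-of-custody log before analysis begins.
    """
    original_digest = image_hash(original)
    copy_digest = image_hash(copy)
    return {
        "original_sha256": original_digest,
        "copy_sha256": copy_digest,
        "match": original_digest == copy_digest,
    }


def corrupt_one_byte(data: bytes, offset: int) -> bytes:
    """Flip one bit of one byte to simulate a corrupted working copy."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    good = verify_working_copy(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE))
    bad = verify_working_copy(ORIGINAL_IMAGE, corrupt_one_byte(ORIGINAL_IMAGE, 1000))
    print("exact copy matches original:", good["match"])
    print("copy with one changed byte matches original:", bad["match"])
```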

2. Examination computer - the data is removed by
   a. USB
   b. SCSI (Small Computer System Interface)
   c. Computer FireWire (link to howstuffworks article)
   The machine is placed inside of a protective box that prevents someone at a remote location from communicating with the data and, for example, wiping the hard

Analyze - specifically and carefully

Preserve - with a documented chain of custody to maintain the integrity of the evidence for presentation in court.


Where do people (the good guys and the bad guys) look for data?

Slack space - where data goes when your heroine thinks she deleted it.
* Unencrypted passwords and bank account numbers could be found here by
* Hackers can go and harvest that same kind of data
Browser history (opening individual files)
Keyword search
Metadata searches, e.g.:
* who created it
* when
* where was it received and by whom

Video Quick Study (5:07) Great easy-to-understand description of why data doesn't disappear when your heroine deletes her files.

Another way Digital Forensics Investigators gather evidence is from cell phones, via GPS. Cell phones will ping off of a cell tower and give a general location. This can help establish an alibi; it can also place a criminal in the vicinity of the crime. Investigators have to be careful in areas that have many cell towers, because there can be bleed over. This happens when someone is near the overlapping area of two towers. PLOT TWIST: if there is bleed over, it could put your heroine near the scene of the crime instead of in bed reading a good book like Virginia Is for Mysteries. (Yup, I just unabashedly plugged my anthology!) Your heroine's lawyer might just bring in an expert to testify on this very subject. Where was she the night of the murder? Can't tell from her cell phone pings.

But this is all very cops and robbers. Your plot line runs more along the lines of a savvy heroine who isn't taken advantage of. By anyone. What can she do? Your heroine doesn't have to be a forensic security geek - she can get simple tools like Recover It. LINK (quicky advertising video that shows this in action)

Pertinent Laws:

Cable Communications Policy Act 1984 link
Electronic Communications Privacy Act 1986 link
Digital Millennium Copyright Act 1998 link
USA Patriot Act 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) link

See how this article influenced my plot lines in my novella MINE and my novel CHAOS IS COME AGAIN.

Thank you so much for stopping by. And thank you for your support. When you buy my books, you make it possible for me to continue to bring you helpful articles and keep ThrillWriting free and accessible to all.


  1. Great information! Intelligent stuff and likely too much for a country bumpkin like me to comprehend... :-) Thanks for all this digital soup! As if my mind could wrap itself around it... There might come a time for this old geezer! Hope your 2014 is happy, prosperous, and without too many hitches.

    1. Hey Billy Ray,

      Thank you for your kind regards - I hope the same for you and your wife. You know this stuff is easier when you have teens in the house. I just call them in when I'm at defcon 1 with technology. They sigh, roll their eyes, and feel vastly superior - it usually takes a bribe like "no chores tonight if you help." LOL - use what you've got.

  2. Digital forensic analysis of computers, laptops & servers can reveal emails, documents and spreadsheets that are often key to investigating theft of intellectual property including copyright, trademarks, patents and trade secrets.

    1. Thank you so much for adding this information!