The tickle of curiosity. The gasp of discovery. Fingers running across the keyboard.



Showing posts with label Digital forensics. Show all posts

Monday, January 13, 2014

Digital Footprints - Computer Forensics and Digital Evidence: Information for Writers

_____________________________

“This office is Grand Central.” He plugged a new flash drive into the computer.
      “Are you finding what you need?” I asked.
      “Some of it. They have security on top of security.”

     ~ Missing Lynx





If you're writing a contemporary suspense/thriller/crime novel, then digital information is an important angle to consider.

Modern technology makes certain crimes easier to carry out than ever before. Indeed, there are crimes that exist now that were not possible before computers became widespread among the world's population.

How many of you have been on the receiving end of an "African lottery win" phishing email? Conversely, if the criminal is not aware of how digital forensics can help an investigation, technology can also make crime harder to get away with.



Map showing the Strategic Alliance Cyber Crime Working Group member countries and lead agencies (Photo credit: Wikipedia)


Most investigators working with computerized information are called Digital Forensic Investigators (or digital forensic examiners). Apparently calling them computer-geek-cops is frowned upon.



Micro USB charging cable for mobile phones (Photo credit: Wikipedia)

They cover such crimes as:

* Cyber bullying
* Child porn and child exploitation
* Pirating - software, music, videos, and other copyrighted work like books. Link to novelist John Dolan's blog post about his experience with pirating. Just FYI
* Credit card fraud
* Altering medical data for insurance fraud
* Espionage
* Terrorism
* Corporate crimes
* Pharming - quietly redirecting people to a counterfeit copy of a legitimate website (for example by tampering with DNS or a computer's hosts file) so they type their logins into the fake without ever clicking a suspicious link
* Phishing - luring people into handing over passwords, card numbers or money by email or a website that pretends to be a trusted organization


Video Quick Study (3:43) Phishing and Pharming examples
Video Quick Link (3:28) - excellent overview of digital crimes
Video Quick Study (6:44) - This is Josh Moulin who taught at WPA 2011. He is explaining what he does. Listen carefully to his mode of speech and his vocabulary. This is not specialized speak for the interview. This is how he spoke with us. (Don't go to the website he offers; it is incorrect.)
   * Includes tips for how to protect a child online
   * Tips on general computer safety



The first hurdle to jump is just identifying that there is an issue.

* Is this a glitch in a program? A human error? Or is this a crime? Computer crimes are often hard to discover; a quiet intrusion can run for months before anyone notices something off in the logs.
* Did the person have widely scoped criminal intent, such as a terrorist? Or was this a bored teenager hacking into a system to see if he could?


Then they start looking for a suspect.

Digital Forensics Experts will:
1. Trace Back - the computer experts try to find the source computer (the computer from which the attack originated) by following the trail of addresses (IP addresses). An IP address can be hidden behind a proxy, a VPN or somebody else's compromised machine, so the trail often ends at an internet provider's records, which need a subpoena or warrant to read.
2. Scrutinize the computer system of the entity that was compromised, called the target.


Once the investigators have narrowed in on the suspect, they need to prove:

MOTIVE
* Did the person have motive for perpetrating a crime, and what was it? Motivators might include:
   - Curiosity - like hackers, to see if they can.
   - Money
   - Victimization (such as stalking or pedophilia)
   - Power/leverage/revenge

KNOWLEDGE and MEANS
* Believe me, I could have all of the motivation in the world, BUT if my scheme includes anything more than using a word processor, you've got the wrong girl.

ACCESS to perpetrate such things as:
* Data mining for materials that would benefit a criminal, such as credit card numbers.
* Logic Bombs - "is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company." More information here.
* Opportunity to alter computer logs to show that the activity happened at a different time or date. (Investigators must look at the time/date stamps and make sure these were not tampered with, for example by comparing them against logs kept on other machines, such as a router or a mail server, that the suspect could not reach.)



DCIS special agents investigate cyber crime within DoD. (Photo credit: Wikipedia)


In order to establish motive, access, and means, the investigators will collect evidence. Evidence is collected, analyzed, and stored.


Traditional Investigation
1. Interview eyewitnesses - did anyone see or hear anything pertaining to the crime?
2. Conduct surveillance
    * Electronic surveillance might include pretending to be a target, such as posing as a thirteen-year-old girl.
    * Discovering if the suspect would have been somehow UNABLE to perform a cyber crime by location, activity, etc. Ex. a scuba diver would probably have an alibi if they were underwater.
    * Smart phones with internet capability make this difficult at times; though again, everything leaves a digital trail, so it might just be helping investigators.

Digital investigation

In order to access digital information from the target computer system, the investigators would need the owner's permission. If they wish to gather the information from the source computer (the suspect's) they will need a warrant.
* The investigators might want to do this surreptitiously so as not to let the suspect know that they are being investigated.
* They may confiscate the equipment.


COLLECT: 4 strategies for collecting the digital footprint.


A portable Tableau forensic write-blocker attached to a hard disk drive (Photo credit: Wikipedia)

1. Seizure - bag, tag, and send devices to the forensics laboratory.
   * The ever-growing number of devices with huge amounts of memory makes for long backlogs.
   * At the scene there is no way to tell items that might contain evidence from items that have no relevance, so everything goes.
2. Onsite Imaging
   * Time consuming
   * Issues of contamination
3. Digital Triage with a Boot CD or thumb drive
   * Cannot cope with cell phones, GPS units or similar devices
   * Can contaminate the data that is being harvested.
4. Onsite collection with specialized equipment such as Spektor
   * The one in this video was developed for investigators who do not specialize in digital forensics. So your Joe-cop could collect the evidence with maximum forensic control.
   * Can handle cell phones and GPS devices.
   Video Quick Study (4:53) Promotes Spektor - but is a good quicky-overview of the collection techniques


A Tableau internal forensic write-protection module (Photo credit: Wikipedia)


Once the device is in the hands of the investigator:

1. They make a backup copy (working copy)
    * The original data must stay intact so that it can be presented later in its original condition if needed in court. The drive is read through a write blocker (pictured above), a piece of hardware that physically lets data flow out of the drive but never into it.
    * Making the copy is called imaging.
    * The Working Copy Master (the first copy) is used to make more copies. The WCM is archived along with the original data.
    * Investigators work on one of the other versions - if it is somehow corrupted then the investigators can make a fresh copy from the WCM.

Plot point: How are the investigators sure that the copy is correct? They use a hash value. A hash function (MD5, SHA-1 and SHA-256 are the usual ones) reads every byte of the drive and boils it down to a short fixed-length fingerprint, a string of hexadecimal characters. It is not a sum: change a single bit anywhere on the drive and the fingerprint comes out completely different. The original and the copy are both hashed, the two fingerprints are compared, and if they match the investigators know that they have an exact replication. The fingerprint is written on the evidence paperwork so the same check can be repeated in court years later. This is a very cool little piece to manipulate in a plot line so I'm including this LINK to an academic paper concerning its use.


2. Examination computer - the data is pulled off the device by
   a. USB
   b. SCSI (Small Computer System Interface)
   c. FireWire (IEEE 1394) - link to howstuffworks article

   The device is placed inside a shielded enclosure (a Faraday box or bag) that blocks radio signals, so that someone at a remote location cannot reach it and, for example, wipe the hard drive. A remote wipe needs a network connection, which is also why the examination computer itself is kept off any network.

Analyze - specifically and carefully

Preserve - with a documented chain of custody to maintain the integrity of the evidence for presentation in court.
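The imaging, hashing and chain-of-custody steps above, shown as an added example that is not from the original post or from any forensic tool mentioned in it. The "seized drive" is a few kilobytes of constructed bytes standing in for a real disk image, the examiner name is made up, and the code copies the file directly instead of reading through a hardware write blocker (the source is only ever opened read-only, which is the same promise the blocker enforces in hardware).

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive: a fake boot-sector start, filler,
# and a scrap of text, a few kilobytes instead of a few terabytes.
EVIDENCE_BYTES = b"\x33\xc0\x8e\xd0" + bytes(range(256)) * 8 + b"diary.txt: met J at the marina"


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint an in-memory byte string (handy for checking small samples)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Fingerprint a file in chunks so an image larger than RAM can still be hashed."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_image(source: str, dest: str, chunk_size: int = 1 << 20) -> None:
    """Bit-for-bit copy of the source. The source is opened read-only; a real
    imager reads it through a write blocker so it can never be modified."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)


def verify_image(source: str, image: str, examiner: str) -> dict:
    """Compare fingerprints of original and copy and build the line that goes on
    the chain-of-custody form. Two algorithms are recorded, as is common practice."""
    record = {"examiner": examiner, "when": datetime.now(timezone.utc).isoformat()}
    for algorithm in ("md5", "sha256"):
        src_hash = hash_file(source, algorithm)
        img_hash = hash_file(image, algorithm)
        record[algorithm] = src_hash
        record[f"{algorithm}_matches"] = src_hash == img_hash
    record["verified"] = record["md5_matches"] and record["sha256_matches"]
    return record


def flip_one_bit(path: str, offset: int) -> None:
    """Corrupt a single bit, standing in for a bad sector or deliberate tampering."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def demo() -> dict:
    """Image the constructed drive, verify the copy, damage one bit, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "seized_drive.dd")
        working = os.path.join(workdir, "working_copy.dd")
        with open(evidence, "wb") as fh:
            fh.write(EVIDENCE_BYTES)
        make_image(evidence, working)
        before = verify_image(evidence, working, examiner="examiner 42 (made up)")
        flip_one_bit(working, offset=700)
        after = verify_image(evidence, working, examiner="examiner 42 (made up)")
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("clean copy verified:", result["before"]["verified"])
    print("after one flipped bit:", result["after"]["verified"])
    print("sha256 of original:", result["before"]["sha256"])
```

In practice the examiner hashes the original before imaging and again afterwards: matching digests prove the write blocker did its job and the drive was not touched, and the same digest on the custody form is what lets a defense expert re-hash the exhibit in court and confirm nothing changed in the meantime.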


DATA STORAGE - 

Where do people (the good guys and the bad guys) look for data?

Unallocated space and slack space - where data goes when your heroine thinks she deleted it. Deleting a file normally removes only the directory entry; the bytes stay on the disk as unallocated space until something else happens to be written over them. Slack space is the leftover room between the end of a file and the end of the disk block it sits in, which can still hold the tail of whatever file used that block before.
* Unencrypted passwords and bank account numbers could be found here by investigators
* Hackers can go and harvest that same kind of data
Browser history (opening individual files)
Keyword search 
Metadata searches, ex:
* who created it
* when
* where it was received and by whom

Video Quick Study (5:07) Great easy-to-understand description of why data doesn't disappear when your heroine deletes her files.
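Why the deleted file is still there, and what slack space actually holds, as an added example that is not from the original post. The "disk" is a toy in-memory device with 512-byte sectors and a directory table, written for this illustration and much simpler than a real filesystem; the diary, the "PNG" (only the PNG signature and trailer around filler, not a real picture) and the grocery list are constructed sample files. The carving routine does what recovery tools like the one mentioned below do: it ignores the directory and scans the raw bytes for known file signatures.

```python
SECTOR = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # first 8 bytes of every PNG file
PNG_END = b"IEND\xaeB`\x82"           # last 8 bytes of every PNG file

# Constructed sample files (not real evidence, not a real picture)
DIARY = b"Met J at the marina. He said the shipment lands Thursday. " * 6   # 348 bytes
SECRET_PNG = PNG_MAGIC + b"IHDR" + bytes(range(256)) * 4 + PNG_END          # 1044 bytes
GROCERY = b"eggs, milk, bread, coffee" * 6                                  # 150 bytes


class ToyDisk:
    """A tiny block device: raw bytes plus a directory that maps names to
    (first sector, length). Files are stored in contiguous sectors."""

    def __init__(self, sectors: int = 16):
        self.raw = bytearray(SECTOR * sectors)
        self.directory = {}
        self.free = list(range(1, sectors))   # sector 0 is reserved for the directory

    @staticmethod
    def _sectors_for(length: int) -> int:
        return -(-length // SECTOR)           # ceiling division

    def write_file(self, name: str, data: bytes) -> None:
        n = self._sectors_for(len(data))
        run = self.free[:n]
        assert run == list(range(run[0], run[0] + n)), "toy disk assumes contiguous free space"
        del self.free[:n]
        offset = run[0] * SECTOR
        # Only len(data) bytes are written; the rest of the last sector is left as it was.
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (run[0], len(data))

    def delete_file(self, name: str) -> None:
        """What 'delete' really does: drop the directory entry and mark the
        sectors reusable. Not one byte of content is erased."""
        start, length = self.directory.pop(name)
        self.free.extend(range(start, start + self._sectors_for(length)))
        self.free.sort()

    def file_slack(self, name: str) -> bytes:
        """Bytes between the logical end of a file and the end of its last sector."""
        start, length = self.directory[name]
        end = start * SECTOR + length
        last_sector_end = (start + self._sectors_for(length)) * SECTOR
        return bytes(self.raw[end:last_sector_end])


def carve_png(raw: bytes) -> list:
    """Recover PNG files from raw bytes by signature, ignoring the directory entirely."""
    found = []
    pos = 0
    while True:
        start = raw.find(PNG_MAGIC, pos)
        if start < 0:
            break
        end = raw.find(PNG_END, start)
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(PNG_END)]))
        pos = end + len(PNG_END)
    return found


def scenario() -> dict:
    """Heroine writes a diary and saves a picture, deletes both, then writes a
    grocery list. The list reuses the diary's sector but is shorter, so the tail
    of the diary survives in the list's slack; the picture is untouched and carvable."""
    disk = ToyDisk()
    disk.write_file("diary.txt", DIARY)          # sector 1
    disk.write_file("secret.png", SECRET_PNG)    # sectors 2-4
    disk.delete_file("diary.txt")
    disk.delete_file("secret.png")
    disk.write_file("grocery.txt", GROCERY)      # lands in sector 1, overwrites 150 bytes of diary
    return {
        "listed_files": sorted(disk.directory),
        "carved_pngs": carve_png(disk.raw),
        "grocery_slack": disk.file_slack("grocery.txt"),
    }


if __name__ == "__main__":
    result = scenario()
    print("files the directory admits to:", result["listed_files"])
    print("PNG files carved from raw bytes:", len(result["carved_pngs"]))
    print("diary text hiding in grocery.txt slack:", result["grocery_slack"][:60])
```

Real filesystems add complications (fragmented files, journals, wear levelling on SSDs, TRIM quietly zeroing freed blocks), but the two lessons hold: a directory listing is a claim, not the truth, and only overwriting or encryption actually removes data.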


Another way Digital Forensics Investigators gather evidence is through cell phones and the carrier's tower records. (This is not GPS: a GPS fix comes from the phone itself and is far more precise; the carrier only knows which tower the phone was talking to.)
A cell phone registers with a cell tower, and the carrier's records give a general location. This can help establish an alibi; it can also place a criminal in the vicinity of the crime. Investigators have to be careful in areas that have many cell towers because there can be bleed over. A phone connects to the tower with the strongest signal, which is not always the nearest one, and this happens most when someone is near the overlapping coverage of two towers. PLOT TWIST: if there is bleed over, it could put your heroine near the scene of the crime instead of in bed reading a good book like Virginia Is for Mysteries. (Yup, I just unabashedly plugged my anthology!) Your heroine's lawyer might just bring in an expert to testify on this very subject. Where was she the night of the murder? - Can't tell from her cell phone pings.

But this is all very cops and robbers. Your plot line runs more along the line of a savvy heroine who isn't taken advantage of. By anyone. What can she do? Your heroine doesn't have to be a forensic security geek - she can get simple tools like Recover It. LINK (quicky advertising video that shows this in action)


Pertinent Laws:

Cable Communications Policy Act 1984 link
Electronic Communications Privacy Act 1986 link
Digital Millennium Copyright Act 1998 link
USA PATRIOT Act 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) link



See how this article influenced my plot lines in my novella MINE and my novel CHAOS IS COME AGAIN.


Thank you so much for stopping by. And thank you for your support. When you buy my books, you make it possible for me to continue to bring you helpful articles and keep ThrillWriting free and accessible to all.



Tuesday, March 19, 2013

Footwear Evidence for Writers – by Patti Phillips

Conferences are a blast for the mystery/thriller writing crowd these days. And not just because of the workshops improving our craft and technique provided by the many writing organizations. I do appreciate those. But for all-out, slam-dunk fun, I go to the Writers' Police Academy (founded by Lee Lofland). It’s a three-day, hands-on, mind-blowing experience that demonstrates the nuts and bolts of police and fire and EMS procedure – taught by professionals and experts actively working in the field. All with the purpose of getting writers to improve their technical knowledge so that they can get it right on the page.

Along with several other strands of study, the last two WPA conferences provided classes in bloodstain patterns, fingerprinting, and alternate light sources (ALS) conducted by Sirchie instructors. Because of the standing room only enthusiasm for these classes, Sirchie offered a five-day Evidence Collection training session for writers at their own complex in North Carolina. Sirchie makes hundreds of products for the law enforcement community and I felt this would be a great opportunity for Detective Kerrian (my protagonist) to learn more about the latest and best gadgets being used to catch the crooks.


Wolverine cast

Criminals rob, murder, rape or otherwise inflict bodily harm upon their victims. Physical evidence at a crime scene is an essential part of figuring out what happened. It is up to the police officers, investigators, and examiners to recognize what is and is not part of the evidence and then interpret the importance of each fiber, fingerprint, bloodstain, and other material in order to secure a conviction of the correct individual.

One of the most overlooked pieces of evidence at a crime scene is created by footwear.

If a window breaks as a thief enters the premises during the commission of a burglary, the glass will fall into the house, and onto the floor or rug below the window. When the thief steps through the window, unless the thief has wings, he/she will probably plant a foot right in the middle of the glass. And walk through the house, most likely tracking minute pieces of that glass. That glass may also become embedded in the grooves of the sole of the shoe, creating a distinctive footprint.

If the investigating officer can place a suspect at the scene with the footprint, then there is probable cause to fingerprint that suspect and hopefully establish a link to the crime.

A new method of eliminating suspects right at the scene involves stepping into a tray that contains a pad impregnated with a harmless clear ink that doesn’t stain, then stepping onto a chemically treated impression card. (So safe that it’s often used on newborn babies for the hospital records) No messy cleanup, immediate results, and it can even show details of wear and tear on the shoe. This can be a way to establish a known standard (we know where this impression came from) to compare with multiple tread prints at the scene.



Footwear Clear Ink Impression

Another tool for creating a known standard is the foam impression system. It takes a bit longer, (24 hours) but clear, crisp impressions can be made, including of the pebbles and bits stuck deep into the grooves and the writing on the arch. Very helpful when trying to place suspects at the scene. A rock stuck in the sole is a random characteristic that can’t be duplicated, so becomes another point of identification.

We definitely wanted to try this method for ourselves. Each of the writers stepped into the box of stiff-ish foam – a bit like stepping into wet sand.



Using foam impression system

An impression is made instantaneously. Look at the detail – down to the wear on the heel.



Foam impression of Wolverine boot

We used pre-mixed dental stone (made with distilled water and the powder) to fill the impression.



 Making the cast with pre-mixed dental stone

We waited 24 hours for them to become firm enough to pop out of the foam. We now had permanent records of the footwear treads, which could be used for comparison to other prints found at the scene. There were more than a dozen of us walking through that room every day on a regular basis and assorted other visitors tramping through the perimeter. If a crime occurred before we left for the week, we’d have a LOT of eliminating to do, but we were ready!


Photo: Footwear casts


Occasionally footprints are found on the ground outside a window or in the gardens surrounding a house after a burglary or homicide. Ever see a crime show on TV  where the fictional investigator makes a snap judgment about the height and weight of the owner of the footprint because of the depth of the impression? That’s merely a plot device and is not scientific evidence in real life. A crime scene photographer or investigator can photograph the footprint (next to a measurement scale), make a take away cast, and then compare the impression with those of the suspects or other bystanders at the scene. Beware: making a cast of the print destroys the print, so a photograph must be taken before pouring that first drop of dental stone.

Footprints can be found at bloody crime scenes as well. The suspect walks through the blood, tracks it through the house, cleans it up, but the prints are still there, even though not obvious to the naked eye. As we learned during the ‘Blood and Other Bodily Fluids’ session, blood just doesn’t go away, no matter how hard you try to get rid of it. It seeps into the cracks and crevices of a floor and even behind baseboards.

A savvy investigator will collect sections of carpet (or flooring) taken from where the suspect might have walked during the commission of the crime, then conduct a presumptive test for blood (LCV - Aqueous Leuco Crystal Violet), find a usable footprint, compare it to a known standard, and then be able to place the suspect at the scene.


Footwear Print

Kudos to Robert Skiff, the Sirchie Training Manager/Technical Training Specialist who conducted the classes with his assistant, Chrissy Hunter, all week. He fielded our many (sometimes wild) questions with solid expertise as we attempted to find the perfect scenarios for our fictional crime-fighters and criminals.

~~~~~~~~~~~~

Patti Phillips is a transplanted metropolitan New Yorker/north Texan, now living in the piney state of North Carolina. Her best investigative days are spent writing, cooking, traveling for research, and playing golf. Her time on the golf course has been murderously valuable while creating the perfect alibi for the chief villain in “One Sweet Motion.”

Did you know that there are spots on the golf course that can’t be accessed by listening devices? Of course, it helps to avoid suspicion if you work on lowering your handicap while plotting the dirty deeds.

Patti Phillips writes the www.kerriansnotebook.com blog and the book review site www.nightstandbookreviews.com

Thanks for stopping by!
