NATIONAL DISTRICT ATTORNEYS ASSOCIATION

Update - Volume 15, Number 8, 2002
Turning the Juries on to Computer Evidence: Strategies for Forensic Examiners and Prosecutors Preparing for Trial

By Jim Mills [1] and Duncan Brown [2]

The education level of the typical juror is roughly eighth grade. Thus, with the proliferation of cases involving computer evidence and technical expert testimony, it is important for the prosecution to present its case clearly, concisely, and in a manner comprehensible to non-experts. Computer evidence can include concepts such as slack space [3], unallocated space [4], Trojan horse programs [5], and other technical aspects of computer forensics. Compounding the complexity of the type of evidence in computer cases is the added difficulty that most jurors do not have knowledge of computers beyond the most basic familiarity needed to operate them. Therefore, the knowledge gap between the average juror and a computer forensic examiner is great.

Although the specificities of a forensic examination of a computer or computer data require a great amount of expertise and knowledge, it is possible for the examiner and prosecutor to present the results of their investigation in ways understandable to the average juror. This article will serve two purposes: first, it will outline potential problems and offer possible solutions for prosecutors and forensic examiners at trial; second, it will offer advice on how prosecutors can work with forensic examiners during the investigative stage in order to ensure that relevant and effective evidence is preserved. Below are seven questions addressing common problems that prosecutors and forensic examiners run into during the investigation and prosecution of computer facilitated child sexual exploitation cases. The problems are posed in bold from the perspective of a prosecutor presenting evidence at trial, and the computer forensic examiner gives the answers.

1. In general, testimony about high tech subjects like hard drives, peripherals, ISP addresses, and e-mail headers is difficult to explain to a jury. How can my forensic examiner and I present it in a more understandable way?

Avoid getting too technical. Let the defense ask the technical questions and instruct the forensic examiner to answer them only to the extent necessary. Simple explanations like, “I found this picture in the suspect’s computer” or “I traced the E-mail back to the defendant” can be bolstered by surrounding evidence instead of tech talk. Some examples of surrounding evidence that will help convince a jury that a suspect possessed the picture might include the folder or directory where it was stored, evidence that it was downloaded with other items linked to the defendant, or many other forensic findings. Testimony about serving a subpoena or search warrant on an Internet Service Provider (ISP) to help identify the sender of an E-mail may be all that is needed.

2. Specifically, concepts like slack space, unallocated space, and deleted files are hard for juries to understand. What are some analogies or parallels my forensic examiner and I can present to the jury that make those concepts more understandable?

Again, don’t overcomplicate your testimony. Only address these areas when they specifically relate to a key piece of evidence, and keep in mind that ultimately, most analogies will fail if relied upon too much.

When these explanations are necessary, the often-used parallel to videotaping can be used to help explain some of these concepts. (E.g., a long sporting event is taped on a VHS tape, then the tape is rewound and used to tape an hour sitcom. The sporting event, less one hour, is still present on the tape and can be watched after watching the taped sitcom.) Another factor to consider with analogies is how large to make them. While the File Allocation Table (FAT) can be compared to the table of contents for a book because it lists where on the hard drive certain clusters of information can be found, a more graphic example that incorporates how clusters store and retrieve information might be more useful to the jury. For instance, an analogy could use train cars to explain how the FAT tracks the contents of memory clusters. In this analogy the FAT is like the train company’s main operating system that keeps track of where each train is and which cargo cars (memory clusters) are linked to each other.

Remember that analogies and parallels always fail at some point, so be sure to present the example as an analogy and know where the analogies fall short. Ultimately, analogies are only an aid in explaining technical testimony, not a substitute for it.
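The videotape and FAT analogies above can be made concrete. The following toy FAT-style volume is an added example, not part of the article: it records a long file across three clusters, deletes it the way a real filesystem does (directory entry and allocation table only), then writes a short file over the first cluster. The short file's slack still holds a fragment of the old content, the remainder sits in unallocated space, and a keyword search over the raw medium finds it regardless of allocation. The class name, cluster size and file contents are constructed for illustration; real volumes use 512-byte sectors grouped into clusters, but the bookkeeping is the same in spirit.

```python
"""Toy FAT-style volume illustrating slack space, unallocated space and deleted
files. Constructed for illustration only; not a real filesystem driver."""


class ToyVolume:
    FREE, END = 0, -1  # FAT entry values: cluster is free / cluster ends a chain

    def __init__(self, clusters=8, cluster_size=16):
        self.cluster_size = cluster_size
        self.medium = bytearray(clusters * cluster_size)  # raw bytes on the "disk"
        self.fat = [self.FREE] * clusters  # allocation table: FREE, END or next cluster
        self.directory = {}  # file name -> (first cluster, size in bytes)

    def _cluster_bytes(self, c):
        return self.medium[c * self.cluster_size:(c + 1) * self.cluster_size]

    def _chain(self, first):
        """Follow FAT links from `first` and return the cluster indexes in order."""
        chain, cur = [], first
        while cur != self.END:
            chain.append(cur)
            cur = self.fat[cur]
        return chain

    def write(self, name, payload):
        """Store `payload` under `name` in the first free clusters found.
        Only payload bytes are written; whatever was already in the tail of the
        last cluster stays there, which is exactly what becomes file slack."""
        needed = max(1, -(-len(payload) // self.cluster_size))  # ceiling division
        free = [i for i, link in enumerate(self.fat) if link == self.FREE][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for pos, cluster in enumerate(free):
            start = cluster * self.cluster_size
            chunk = payload[pos * self.cluster_size:(pos + 1) * self.cluster_size]
            self.medium[start:start + len(chunk)] = chunk
            self.fat[cluster] = free[pos + 1] if pos + 1 < len(free) else self.END
        self.directory[name] = (free[0], len(payload))

    def read(self, name):
        """What the user sees: the file's bytes, cut off at its recorded size."""
        first, size = self.directory[name]
        raw = b"".join(self._cluster_bytes(c) for c in self._chain(first))
        return bytes(raw[:size])

    def delete(self, name):
        """Delete as a real filesystem does: drop the directory entry and mark the
        clusters free. Not one byte of content is touched."""
        first, _ = self.directory.pop(name)
        for c in self._chain(first):
            self.fat[c] = self.FREE

    def slack(self, name):
        """Bytes in the file's last cluster that lie beyond the end of the file."""
        first, size = self.directory[name]
        chain = self._chain(first)
        used = size - (len(chain) - 1) * self.cluster_size
        return bytes(self._cluster_bytes(chain[-1])[used:])

    def unallocated(self):
        """Concatenated content of every cluster the FAT currently marks free."""
        return b"".join(bytes(self._cluster_bytes(c))
                        for c, link in enumerate(self.fat) if link == self.FREE)

    def find_raw(self, needle):
        """Offsets of `needle` anywhere on the medium, ignoring allocation: the
        kind of keyword search a forensic tool runs across the whole drive."""
        offsets, pos = [], self.medium.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = self.medium.find(needle, pos + 1)
        return offsets


def demo():
    """The videotape scenario: a long recording, a rewind, a short recording."""
    vol = ToyVolume()
    vol.write("game.txt", b"SPORTING EVENT, FIRST HALF AND SECOND HALF")  # 42 B, 3 clusters
    vol.delete("game.txt")                                                # "rewind the tape"
    vol.write("sitcom.txt", b"SITCOM EP1")                                # 10 B, reuses cluster 0
    return {
        "visible": vol.read("sitcom.txt"),                     # b"SITCOM EP1"
        "slack": vol.slack("sitcom.txt"),                      # b"VENT, " left from the game
        "remnant_in_unallocated": b"FIRST HALF AND SECOND HALF" in vol.unallocated(),  # True
        "raw_hits": vol.find_raw(b"HALF"),                     # [22, 38]: both in freed clusters
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the demo shows the three things a jury needs to grasp at once: the user sees only `SITCOM EP1`, the examiner sees `VENT, ` trailing it in slack, and the rest of the "game" is still recoverable from unallocated space until some later write overwrites those clusters.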

3. How do I explain why my created, modified and access dates [6] are different, and what can I do so they remain the same as when my forensic examiner first examined the hard drive?

Good forensic practices include preserving your electronic evidence in the same condition as it was at seizure. While there may be circumstances when the original media might be accessed, this should be the exception—not the rule. If the original media have been accessed post-seizure, be sure to fully document the circumstances and the dates and times of the access. Be prepared to explain this in the simplest terminology possible.

If dates and times become important to help show that a certain defendant was the person responsible for an action, be sure to compare the dates and times found to the BIOS settings or other verifiable time and date (like the time of seizure). Also, attempt to further validate the dates by using other information on the computer, keeping in mind that some programs do not strictly follow operating system guidelines for changing these dates and times and that local, network and/or other time settings may not be accurate.

Finally, to ensure that the dates are not changed before trial, never open a file on the original hard drive. Always make a duplicate copy of the hard drive and search that copy during the forensic analysis; tampering with the original will taint the evidence and raise questions as to its authenticity to the jury.
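The three practices just described (work on a duplicate, document any access to the original, and tie the machine's clock to a verifiable reference) fit in a few lines of bookkeeping. The following is an added example, not from the article or from any forensic tool: the "drive image" is a constructed byte string, and the SHA-256 acquisition hash is an assumption on my part; the article does not mention hashing, but a hash recorded at seizure is the usual way to show later that the original was never altered. The BIOS and seizure times are also constructed.

```python
"""Working copies, acquisition hashes and clock-skew correction for seized media.
Illustrative only: the evidence 'image' is a constructed byte string, not a drive."""
import hashlib
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SeizedMedia:
    """Bytes of seized media plus the bookkeeping that lets the prosecution show
    the original was not altered after seizure."""

    def __init__(self, label: str, content: bytes, seized_at: datetime):
        self.label = label
        self._original = bytes(content)          # never written after this point
        self.seized_at = seized_at
        self.acquisition_hash = sha256(content)  # recorded in the seizure paperwork (assumed practice)
        self.access_log = []                     # every post-seizure touch of the original

    def working_copy(self) -> bytearray:
        """The examiner opens files and runs searches on this copy, never the original."""
        return bytearray(self._original)

    def access_original(self, when: datetime, who: str, reason: str) -> bytes:
        """The rare, documented exception: read the original and log who, when and why."""
        self.access_log.append({"when": when, "who": who, "reason": reason})
        return self._original

    def verify(self) -> bool:
        """True if the original still hashes to the value recorded at seizure."""
        return sha256(self._original) == self.acquisition_hash


def clock_offset(bios_time: datetime, reference_time: datetime) -> timedelta:
    """How far the machine's own clock was from a trusted reference at seizure."""
    return reference_time - bios_time


def normalize(file_time: datetime, offset: timedelta) -> datetime:
    """Translate a timestamp read from the image into reference (real) time."""
    return file_time + offset


def demo():
    seized_at = datetime(2002, 3, 15, 10, 0)        # from the seizure log (constructed)
    bios_at_seizure = datetime(2002, 3, 15, 9, 43)  # read from BIOS setup at seizure (constructed)
    media = SeizedMedia("HDD-1", b"constructed drive image bytes", seized_at)

    copy = media.working_copy()
    copy[0:11] = b"EXAMINED   "  # whatever the examination does happens to the copy only

    offset = clock_offset(bios_at_seizure, seized_at)
    stored_mtime = datetime(2002, 3, 14, 22, 5)     # a file's modified time as the machine recorded it
    return {
        "original_intact": media.verify(),                              # True
        "copy_matches": sha256(bytes(copy)) == media.acquisition_hash,  # False: copy diverged
        "offset_minutes": offset.total_seconds() / 60,                  # 17.0 (BIOS ran slow)
        "real_mtime": normalize(stored_mtime, offset),                  # 2002-03-14 22:22
        "accesses_to_explain": len(media.access_log),                   # 0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `access_log` is what answers the question in court: if it is empty, the dates on the original are as they were at seizure; if it is not, each entry is the documented circumstance, date and time the article says to be ready to explain. The 17-minute offset is the kind of correction to apply before arguing that a file was modified before or after some other timed event.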

4. The Defendant had set up a number of machines networked together with many peripherals routed through each machine. Not only is the setup itself confusing, but how can I be sure that the machine will start smoothly when my forensic examiner boots it up in court?

This is the motivation behind labeling all connections on computer systems during seizure. If all connections, including empty ports, are well labeled at the time of seizure, putting the system back together for court should be as simple as matching “A” to “A,” or “A1” to “A2,” etc.

However, you cannot expect a seized machine to start smoothly in court. Many times the power was cut off to the machine without using any operating system shutdown procedure. While this practice helps to preserve the electronic evidence stored on hard drives, it may complicate booting the next time a system is powered up. If you must present a computer system in court, be sure to explain that the seizure procedure used may force the computer to run diagnostics tests when it boots.

5. What can the forensic examiner do when the computer is networked into a larger system and cannot be removed?

Being part of a larger network is not necessarily a reason not to seize or remove a given computer. However, there are many practical or legal considerations that may lead to the decision not to seize equipment. If a decision is made not to seize equipment and/or media, then trained forensic examiners usually obtain on-site forensic images. You may consider stipulations by the parties involved as to the authenticity of the copies.

6. When my forensic examiner presents evidence gained from running EnCase [7] there are two possible problems: either the printouts are so long the evidence is hard to find, or there appear to be suspicious gaps in the EnCase results. How can I keep the reports to a reasonable length and minimize the appearance of gaps in the EnCase report?

While EnCase is not the only forensic program used to examine evidence, it has quickly evolved into one of the most widely used in computer forensic examinations. EnCase allows examiners to customize their reports with the information they believe to be important to any given case.

It would be a good idea, when practical, to have a discussion between the forensic examiner and prosecutor to determine which items would be most appropriate to include in the report for a given type of investigation (fraud, child pornography, etc.), given local laws and current defense strategies being employed.

When preparing a forensic examination report, just as in preparing a search warrant, templates and boilerplates should not be overly relied on. Each case has its own facts and circumstances, and these facts should determine whether to include an item in the report.

7. Viruses and Trojan horses appear to be rampant on the Internet. How do my forensic examiner and I protect against these defenses?

The forensic examiner should be alert for any signs that a given computer system contains viruses and/or Trojan horses. However, there are many viruses and Trojan horse programs, and the signatures of these programs are constantly changed to avoid detection by virus software. Examiners do have one advantage when looking for viruses or Trojan horses on a seized system: in many investigations, sufficient time has passed between the seizure and the examination for virus detection software to “catch up” to the programs that most likely would have been present on the system.

If there is any reason to believe a Trojan horse program or any other virus contamination may have occurred on a given system, the media should be “restored” to another piece of media and another virus check should be completed.

It is also important to note that the presence of a virus or Trojan horse program on a computer system does not necessarily mean that evidence was planted on a system by a third party, or that the data on a computer was affected by the program. If such a program is located on a system, the function of the virus or Trojan program should be researched and compared to the evidentiary findings.

Conclusion

Although the subject matter of a computer forensic examination is technical, the testimony about it does not have to be. Developing effective and easy-to-understand analogies and examples to use in court is a vitally important duty for the prosecutor and computer forensic examiner, especially with the continually increasing number of cases involving high tech elements. With a set of vocabulary terms and examples in place, the prosecution team can effectively anticipate any questions about technical issues from the defense that might confuse or mislead the jury. When the jury is comfortable with the technical aspects of the case, they will be better able to appreciate the underlying criminal charges.


[1] Detective, Sexual Exploitation/Computer Forensics, Mesa Police Department, Mesa, Arizona.
[2] Staff Attorney, American Prosecutors Research Institute’s National Center for Prosecution of Child Abuse.
[3] Slack space is the extra space at the end of files placed by the computer to standardize file size. Computers store information in sectors, then arrange groups of those sectors into clusters in order to maximize storage space and retrieval speed. The slack space is the space added by the computer to a file so that it completely fills a sector (this space is known as RAM slack), or so that the sectors completely fill a cluster (this space is known as disk slack).
[4] Unallocated space is simply the space in a computer’s memory that is not being used to store information. It is either completely empty or contains deleted files. Often, suspects are able to use special programs to hide illegal images or programs in the unallocated space; also, deleted files may be retrieved and examined from here.
[5] Trojan horses are harmful programs that are disguised as benign programs. A common example is a virus that is contained in a program for a screen saver. When the recipient opens the screen saver program, along with an image for the computer screen, the virus is unleashed. Trojan horses can also take the form of programs that allow outside users to access the computer. For example, opening the screen saver would also allow a third party to access the contents of the computer from a remote location without the user’s knowledge or consent.
[6] Created, modified, and access dates are recorded by the computer for each file. These dates reflect when the file appeared on the hard drive (created), when the user modified the file in some way (modified), and the date the file was last accessed by a user (access).
[7] EnCase is a program used by many forensic examiners that enables them to search the allocated and unallocated space of a computer. Using EnCase, examiners can tailor searches for specific types of files and view types of memory otherwise inaccessible to the average computer user.

NDAA's American Prosecutors Research Institute
99 Canal Center Plaza, Suite 510, Alexandria, VA 22314
Copyright © 2008 by NDAA
All Rights Reserved