Chapter 1 - Introduction

Digital forensics involves the scientific examination of digital evidence for legal matters. Proper documentation and collection of digital evidence, such as hard drives, is important to maintain the integrity and chain of custody of the data. A history of forensic science shows that techniques like fingerprint analysis, DNA evidence, and toolmark identification have increasingly been used since the 19th century to solve criminal cases and identify individuals. Schools of forensic science were established in the early 20th century and crime labs were built to apply scientific principles to investigations.

DIGITAL FORENSICS

Chapter 1 : Digital Forensics Fundamentals

FORENSIC SCIENCE

Definition
Forensic science is the application of the natural, physical and social sciences to matters of law. Most forensic scientists hold that an investigation begins at the scene, regardless of their field. The proper investigation, collection and preservation of evidence are essential for fact-finding and for the sound evaluation and interpretation of that evidence, whether it consists of bloodstains, human remains, hard drives, ledgers and files, or medical records. Scene investigation is concerned with the documentation, preservation and evaluation of a location in which a criminal act may have occurred, and of any associated evidence within it, for the purpose of reconstructing events using the scientific method. The proper documentation of a scene and the subsequent collection, packaging and storage of evidence are paramount. Evidence must be collected in a manner that maintains its integrity and prevents loss, contamination or deleterious change. Maintaining the chain of custody of the evidence from the scene to the laboratory or storage facility is critical. The chain of custody is the record by which investigators preserve evidence throughout the life of a case. It documents who collected the evidence, how it was collected, every individual who took possession of it after collection, and the date and time of each such possession. For digital evidence the same record is expected, together with the cryptographic hash of each image computed at acquisition, so that every later handler can show the data is unchanged.

Significant attention has been paid to the joint scientific and investigative nature of scene investigations. Proper crime scene investigation requires more than experience; it demands analytical and creative thinking as well as the correct application of science and the scientific method. There is a growing movement away from purely experience-based investigations toward investigations that include scientific methodology and thinking. One critic of the experience-based approach lists the following pitfalls of limiting scene investigations to lay individuals and law enforcement personnel: lack of scientific supervision and oversight, lack of understanding of the scientific tools and technologies being used at the scene, and an overall lack of understanding of how the scientific method is applied to develop hypotheses supported by the evidence (Schaler 2012). Another criticism is that some investigators (as well as attorneys) draw conclusions first and then obtain (or present) evidence to support their version of events, while ignoring evidence that does not support or contradicts that version (i.e., confirmation bias). Many advocates of the science-based approach believe that having scientists at the scene minimizes bias and allows for more objective interpretations and reconstructions of the events under investigation.

Digital Forensics Page 1
HISTORY OF FORENSIC SCIENCE

Date      Event

44 BC     Death of an emperor. Julius Caesar is assassinated. A physician performed an autopsy and determined that of the 23 wounds found on the body, only one was fatal.

400s      Who determines cause of death. Germanic and Slavic societies made it law that medical experts must be the ones to determine the cause of death in crimes.

600s      First use of fingerprints. Fingerprints are first used to establish identity: Arab merchants would take a debtor's fingerprint and attach it to the bill.

1248      First forensic science book. The first forensic science manual is published in China. This is the first known record of medical knowledge being used to solve criminal cases.

1600s     Reporting cases. The first pathology reports are published.

1784      Physical evidence used in a criminal case. First recorded instance of physical matching of evidence leading to a murder conviction (John Toms, England). The evidence was the torn edge of a newspaper used as wadding in a pistol, which matched a newspaper in his pocket.

1806      Investigating poisoning. German chemist Valentin Ross develops a method of detecting arsenic in a victim's stomach, advancing the investigation of poisoning deaths.

1816      More physical evidence. The clothing and shoes of a farm labourer are examined and found to match evidence at a nearby murder scene, where a young woman had been found drowned in a shallow pool.

1836      Chemical testing. James Marsh, an English chemist, uses chemical tests to establish arsenic as the cause of death in a murder trial.

1854-59   First use of photographs in identification. San Francisco uses photography for criminal identification, the first city in the US to do so.

1880      Fingerprints found to be unique. Henry Faulds and William James Herschel publish papers in Nature describing the uniqueness of fingerprints. Francis Galton adapted their findings for use in court; his system identified the following patterns: plain arch, tented arch, simple loop, central pocket loop, double loop, lateral pocket loop, plain whorl and accidental.

1887      Sherlock Holmes and the coroner. The Coroners Act established that coroners were to determine the causes of sudden, violent and unnatural deaths. Arthur Conan Doyle also publishes the first Sherlock Holmes story.

1888      Criminal features reduced to numerical measurements. Anthropometry, a system using measurements of physical features and bones, is used throughout the US and Europe. Using the system, a criminal's description could be reduced to a set of numbers.

1892      Fingerprint ID used in crime. Juan Vucetich, an Argentine police officer, is the first to use fingerprints as evidence in a murder investigation. He created a system of fingerprint identification which he termed dactyloscopy.

1901      Investigations into blood markers. The ABO human blood groups are discovered by Karl Landsteiner and adapted for use on bloodstains by Dieter Max Richter.

1901      Fingerprint ID more common. The Galton-Henry system of fingerprint classification is officially adopted by Scotland Yard; it remains the most widely used fingerprinting method to date.

1903      Fingerprints used to identify prisoners. The New York State prison system implements fingerprint identification.

1909      Learning about forensics. The first school of forensic science is founded by Rodolphe Archibald Reiss in Switzerland.

1910      Hair used in forensics. Victor Balthazard and Marcelle Lambert publish the first study of hair, including microscopic studies of hair from most animals. The first legal case involving hair evidence followed this study.

1912      Guns are unique. Victor Balthazard observes that the tools used to make gun barrels never leave the same markings twice, and that each barrel leaves identifying grooves on every bullet fired through it. He developed several methods of matching bullets to guns using photography.

1923      Crime labs built. The first police crime laboratory is established in Los Angeles.

1930      Lie detection. The prototype polygraph, invented by John Larson in 1921, is developed for use in police stations.

1932      Crime experts build a lab. The FBI establishes its own crime laboratory, now one of the foremost crime labs in the world. The same year, a chair of legal medicine is established at Harvard.

1960s     Voice recordings used as evidence. The sound spectrograph is found to be able to record voice characteristics. Voiceprints begin to be used in investigations and as court evidence from telephone, answering-machine and tape recordings.

1967      First national crime system. The FBI establishes the National Crime Information Center, a computerized national filing system on wanted persons, stolen vehicles, weapons, etc.

1974      Advances in residue detection. Technology developed at the Aerospace Corporation in the US detects gunshot residue, which can link a suspect to a crime scene and show how close the suspect was to the gun.

1975      Advances in manual fingerprinting. The first fingerprint reader is installed at the FBI.

1979      Automated fingerprint system first used. The Royal Canadian Mounted Police implement the first automatic fingerprint identification system.

1984      DNA technique for unique ID. DNA fingerprinting techniques are developed by Sir Alec Jeffreys.

1986-88   Advances in DNA lead to a conviction. DNA fingerprinting leads to the 1988 conviction of Colin Pitchfork for the murders of two teenage girls, committed in 1983 and 1986. The same evidence cleared the original suspect, who would likely have been convicted without it.

1987      DNA catches the criminal. Tommy Lee Andrews is convicted of a series of sexual assaults using DNA profiling.

1996      DNA evidence certified. The National Academy of Sciences reports that DNA evidence is reliable.

1999      Faster fingerprint IDs. The FBI establishes the Integrated Automated Fingerprint Identification System (IAFIS), cutting fingerprint inquiry response time from two weeks to two hours.

2001      Faster DNA IDs. Technology reduces DNA profiling time from 6-8 weeks to 1-2 days.

2007      Footwear detection system. Britain's Forensic Science Service develops an online footwear coding and detection system, helping police identify footwear marks quickly.

2008      Detection after cleaning. A method is developed to visualize fingerprints even after the print has been wiped away, based on the way fingerprint residue corrodes metal surfaces.

2011      Facial sketches matched to photos. Michigan State University develops software that automatically matches hand-drawn facial sketches to mug shots stored in databases.

2011      Four-second dental match. Japanese researchers develop a dental X-ray matching system that automatically matches dental X-rays against a database and makes a positive match in under 4 seconds.



LAWS AND PRINCIPLES OF FORENSIC SCIENCE

Laws and Principles of Forensic Science

Forensic science is the scientific discipline that applies the laws and principles of the natural sciences to the recognition, identification, individualization and evaluation of physical evidence, in order to resolve disputed questions in a court of law.

The term "forensic" is taken from the Latin word "forensis", meaning "of the forum", the public place where legal matters were argued. Forensic scientists also play an active role in civil proceedings (such as breach of contract and negligence) and in regulatory matters, but the principles of forensic science have their most direct impact on criminal proceedings.

Laws and Principles of Forensic Science:

1) Law of Individuality
2) Law of Progressive Change
3) Principle of Exchange (Locard's exchange principle)
4) Principle of Comparison
5) Principle of Analysis
6) Law of Probability
7) Law of Circumstantial Facts

1) Law of Individuality

This law states that "every object, whether natural or man-made, has a distinctive quality or characteristic that is not duplicated in any other object"; in other words, no two things in this universe are exactly alike. The most common example is human fingerprints: they are unique and permanent, and establish the individuality of a person. Even identical twins do not have the same fingerprints.

Consider grains of sand, salt or seeds, or man-made objects such as currency notes, laptops or typewriters: they may look similar, but some distinguishing characteristic is always present.

This principle is considered the most basic unit of forensic science. Fingerprints, footprints and tool marks recovered from the crime scene are studied and compared on the basis of individuality.

2) Law of Progressive Change

This principle emphasizes that "everything changes with the passage of time and nothing remains constant." The rate of change varies from sample to sample and from object to object.

The crime scene must be secured in time; otherwise changes in the weather (rain, heat, wind), the presence of animals or people, and so on alter it. For example, a road accident on a busy highway may lose all of its essential evidence if the scene is not secured promptly.

Bullet fragments may rust, firearm barrels wear, shoes suffer wear and tear, wooden objects may be damaged by termites, and so on. The longer the delay, the greater the change.

When samples are not durable, the investigation is complicated because the very features relied on for identification change. Without an appropriate preservative, tissue samples start degrading immediately and need immediate analysis. The same law applies to digital evidence: the contents of volatile memory are lost at power-off, logs roll over, and file timestamps are altered by ordinary system activity, so collection is ordered from the most volatile source to the least.

Criminals themselves undergo progressive change with time. If a suspect is not apprehended in time, he may become unrecognizable except by his fingerprints or other characteristics of a permanent nature.
3) Locard's Exchange Principle (Law of Exchange)

This principle was stated by the French scientist Edmond Locard, a pioneer of criminology and forensic science. The law of exchange states that "whenever two objects come into contact with each other, they mutually exchange traces."

Whenever a criminal, or his weapon or instrument, comes into contact with the victim or the surroundings, he leaves traces at the crime scene and also picks up traces from the area or person he has been in contact with (a mutual exchange of matter). These traces are very helpful to the investigation: an expert can identify them and link them to their source, establishing a decisive link between the criminal, the crime scene and the victim. This law forms the basis of scientific crime investigation.

The principle is borne out in every case involving contact: fingerprints, tyre marks, bullet residues, footmarks, hair, skin, bodily fluids, blood, pieces of clothing and so on. DNA analysis is a direct application of the principle, being performed on items believed to have been handled by the perpetrator. The digital analogue is that every action on a system leaves artifacts (log entries, file-system and registry metadata, browser history, network connection records), and that an examiner's own actions leave traces too, which is why examination is carried out on a verified copy rather than on the original.

The basic requirement of this law is correctly locating the physical evidence:

i) Which areas and objects did the perpetrator or the tool actually come into contact with during the crime?

ii) The investigating officer must establish the correct points of contact, since they lead the investigation in the right direction.

4) Principle of Comparison

This principle is very important for laboratory investigation. It states that "only like can be compared with like." It highlights the need to provide comparison samples and specimens of the same kind as the questioned items.

For example, if a murder was committed with a firearm, it is useless to send a knife for comparison.

So the essential condition of this principle is to supply specimens or samples of like nature for proper assessment against the questioned sample recovered from the crime scene.

5) Principle of Analysis

This principle states that "the quality of any analysis depends on the collection of the correct sample and its correct preservation in the prescribed manner." Following it leads to better results and avoids tampering, contamination and destruction of the sample.

If a hard disk is collected in an ordinary paper bag, it can be damaged by physical shock or by exposure to a strong electromagnetic field, and the analysis will suffer. It should instead be placed in an anti-static bag inside a padded container, with the device and its serial number photographed and recorded before the package is sealed. Appropriate and effective collection and packaging techniques must always be used.

6) Law of Probability

This law states that "all identifications, definite or indefinite, are made, consciously or unconsciously, on the basis of probability."

The probability that the perpetrator's blood group is shared by many other people is high, but the probability that all of the observed characteristics coincide by chance in one case is low.

If a woman with a bear tattoo on her right hand and an old injury mark on her head is reported missing, and an unknown woman with the same characteristics is found murdered, the probability for the police that the body is that of the missing woman is high. The probability that the body belongs to another woman with the same combination of features is one in millions.

7) Law of Circumstantial Facts

According to this law, "facts cannot be wrong, they cannot lie and they cannot be wholly absent, but men can and do." The law emphasizes the significance of circumstantial facts and holds that a statement given by a person may or may not be accurate, whereas facts identified and discovered in an investigation are more accurate and reliable than any eyewitness.

Conclusion

Guided by these principles, forensic science is used for the recognition, identification and individualization of the evidence collected from the scene of a crime, and it supports criminal proceedings from the discovery of a crime to the conviction of the accused.

COMPUTER FORENSIC

WHAT IS COMPUTER FORENSICS?

Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. In other words, computer forensics is the collection, preservation, analysis and presentation of computer-related evidence. It is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis and computer examination. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.

1.2 USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT

Computer forensics assists law enforcement. This can include:

Recovering deleted files such as documents, graphics and photos.

Searching unallocated space on the hard drive, where an abundance of data often resides after files have been deleted but before their sectors are reused.

Tracing artifacts, the tidbits of data left behind by the operating system. Experts know how to find these artifacts and, more importantly, how to evaluate the value of the information they find.

Processing hidden files, those not visible or accessible to the user, which contain past usage information. Often this requires reconstructing and analyzing the timestamps of each file to determine when it was created, last modified, last accessed and, where recorded, deleted.

Running a string search for e-mail when no e-mail client is obvious.
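The first, second and last items above (recovering deleted files, searching unallocated space, and string-searching for e-mail) are in practice done by signature carving and pattern matching. The following is an added example and not code from the original notes: it carves JPEG and PNG files out of a constructed block of "unallocated space" by their header and footer signatures, and regex-searches the same bytes for e-mail addresses. The sample bytes, the two-entry signature table and the address pattern are all constructed for the example.

```python
"""Added example (not part of the original notes): signature-based file
carving over unallocated space, plus a string search for e-mail addresses.
UNALLOCATED is constructed for the example; a real run would read the
unallocated clusters exported from a forensic image."""
import re

# File signatures: (header magic, footer magic). Constructed subset; real
# carvers (foremost, scalpel, PhotoRec) ship hundreds of these.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

# Constructed sample "unallocated space": a deleted JPEG, the remnants of an
# e-mail header, and a PNG, separated by zero-filled sectors.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 40 + b"\xff\xd9"
EMAIL_FRAGMENT = b"From: alice@example.com\r\nTo: bob@example.org\r\nSubject: payment\r\n"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x22" * 30 + b"IEND\xae\x42\x60\x82"
UNALLOCATED = (b"\x00" * 64 + JPEG + b"\x00" * 32 + EMAIL_FRAGMENT
               + b"\x00" * 16 + PNG + b"\x00" * 64)


def carve(data: bytes, signatures=SIGNATURES) -> list:
    """Find every header..footer pair for each known type and return the
    carved files as dicts sorted by offset. A header with no following
    footer is a truncated (partially overwritten) file; it is reported with
    size None rather than silently dropped, so the examiner knows it existed."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            end = data.find(footer, start + len(header))
            if end == -1:
                found.append({"type": ftype, "offset": start,
                              "size": None, "data": None})
                break  # no footer after this point, so no later file of this type
            end += len(footer)
            found.append({"type": ftype, "offset": start,
                          "size": end - start, "data": data[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


# Conservative address pattern: good enough to flag candidates for review.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_email_addresses(data: bytes) -> list:
    """Return the distinct e-mail addresses found anywhere in the bytes as
    (address, offset of first hit) pairs, so the examiner can go back to
    the surrounding context in the image."""
    hits = {}
    for m in EMAIL_RE.finditer(data):
        addr = m.group(0).decode("ascii", "replace")
        hits.setdefault(addr, m.start())
    return sorted(hits.items())


if __name__ == "__main__":
    for f in carve(UNALLOCATED):
        print(f"{f['type']} at offset {f['offset']}, size {f['size']}")
    for addr, off in find_email_addresses(UNALLOCATED):
        print(f"{addr} at offset {off}")
```

Carving by signature recovers data even when the file-system entry is gone; what it cannot recover is the original file name or timestamps, which is why the offset in the image is kept with every hit.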

COMPUTER FORENSICS ASSISTANCE TO HUMAN RESOURCES / EMPLOYMENT PROCEEDINGS

Computers can contain evidence in many types of human resources proceedings, including sexual harassment suits, allegations of discrimination and wrongful termination claims. Evidence can be found in electronic mail systems, on network servers and on individual employees' computers.

EMPLOYER SAFEGUARD PROGRAM

Employers must safeguard critical business information. An unfortunate concern today is the possibility that data could be damaged, destroyed or misappropriated by a disgruntled individual. Before an individual is informed of their termination, a computer forensic specialist should come on-site and create an exact, hash-verified duplicate of the data on the individual's computer. In this way, should the employee choose to do anything to that data before leaving, the employer is protected: damaged or deleted data can be replaced, and evidence can be recovered to show what occurred. This method can also be used to bolster an employer's case by showing the removal of proprietary information, or to protect the employer from false charges made by the employee. You should be equipped to find and interpret the clues that have been left behind, including situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy evidence. For example, did you know:
What Web sites have been visited?
What files have been downloaded?
When files were last accessed?
Of attempts to conceal or destroy evidence?
Of attempts to fabricate evidence?
That the electronic copy of a document can contain text that was removed from the final printed version?
That some fax machines can retain exact duplicates of the last several hundred pages received?
That faxes sent or received via computer may remain on the computer indefinitely?
That e-mail is rapidly becoming the communications medium of choice for businesses?
That people tend to write things in e-mail that they would never consider writing in a memorandum or letter?
That e-mail has been used successfully in criminal cases as well as in civil litigation?
That e-mail is often backed up on tapes that are generally kept for months or years?
That many people keep their financial records, including investments, on computers?

COMPUTER FORENSICS SERVICES

Computer forensics professionals should be able to perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:

1. DATA SEIZURE
Following federal guidelines, computer forensics experts should act as the representative, using their knowledge of data storage technologies to track down evidence. The experts should also be able to assist officials during the equipment seizure process.

2. DATA DUPLICATION/PRESERVATION
When one party must seize data from another, two concerns must be addressed: the data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Computer forensics experts address both concerns by making an exact duplicate of the needed data and working only on that duplicate, so the integrity of the original is maintained.

3. RECOVERY
Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert's advanced understanding of storage technologies.

4. DOCUMENT SEARCHES
Computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.

5. MEDIA CONVERSION
Computer forensics experts should extract the relevant data from old and un-readable devices,
convert it into readable formats, and place it onto new storage media for analysis.
6. EXPERT WITNESS SERVICES
Computer forensics experts should be able to explain complex technical processes in an easy-to-
understand fashion. This should help judges and juries comprehend how computer evidence is
found, what it consists of, and how it is relevant to a specific situation.

7. COMPUTER EVIDENCE SERVICE OPTIONS

Computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following:
Standard service: Computer forensics experts work on your case during normal business hours until your critical electronic evidence is found.
On-site service: Computer forensics experts travel to your location to perform complete computer evidence services. While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question.
Emergency service: Your computer forensics experts give your case the highest priority in their laboratories and work on it without interruption until your evidence objectives are met.
Priority service: Dedicated computer forensics experts work on your case during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found. Priority service typically cuts your turnaround time in half.
Weekend service: Computer forensics experts work from 8:00 A.M. to 5:00 P.M., Saturday and Sunday, to locate the needed electronic evidence, and continue working on your case until your evidence objectives are met.
8. OTHER MISCELLANEOUS SERVICES
Computer forensics experts should also be able to provide extended services. These include:
Analysis of computers and data in criminal investigations
On-site seizure of computer data in criminal investigations
Analysis of computers and data in civil litigation
On-site seizure of computer data in civil litigation
Analysis of company computers to determine employee activity
Assistance in preparing electronic discovery requests
Reporting in a comprehensive and readily understandable manner
Court-recognized computer expert witness testimony
Computer forensics on both PC and Mac platforms
Fast turnaround time

BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY

A knowledgeable computer forensics professional handles a subject computer system carefully, so that:
1. No possible evidence is damaged, destroyed or otherwise compromised by the procedures used to investigate the computer.
2. No malware is introduced to the subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any attorney-client information that is inadvertently acquired during a forensic examination is ethically and legally respected and not divulged.

DIGITAL FORENSICS

Digital forensics, or digital forensic science, is a branch of forensic science focused on the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices that store digital data.

As society's reliance on computer systems and cloud computing increases, digital forensics becomes a crucial capability for law enforcement agencies and businesses.

Digital forensics is concerned with the identification, preservation, examination and analysis of digital evidence, using scientifically accepted and validated processes, for use in and outside a court of law.

While its roots stretch back to the personal computing revolution of the late 1970s, digital forensics began to take shape in the 1990s, and it was not until the early 21st century that countries like the United States began rolling out nationwide policies.

Today, the technical side of an investigation is divided into several branches (among them computer forensics, network forensics, mobile device forensics and forensic data analysis) that together encompass the seizure, forensic imaging and analysis of digital media.

What is the Purpose of Digital Forensics?

The most common use of digital forensics is to support or refute a hypothesis in a criminal or civil court:

 Criminal cases: involve the alleged breaking of laws and are handled by law enforcement agencies and their digital forensic examiners.

 Civil cases: involve the protection of the rights and property of individuals, or contractual disputes between commercial entities, where the form of digital forensics called electronic discovery (eDiscovery) may be involved.

Digital forensics experts are also hired by the private sector as part of cybersecurity and information security teams to identify the cause of data breaches, data leaks, cyber attacks and other threats. Digital forensic analysis may also be part of incident response, to identify what sensitive data or personally identifiable information (PII) was lost or stolen in a cybercrime.

What is Digital Forensics Used For?

Digital forensics is used in both criminal and private investigations.

Traditionally it is associated with criminal law, where evidence is collected to support or negate a hypothesis before the court. Collected evidence may also be used for intelligence gathering or to locate, identify or halt other crimes; when gathered for intelligence rather than prosecution, the data may be held to a less strict forensic standard.

In civil litigation and corporate matters, digital forensics forms part of electronic discovery (eDiscovery). A common example is the investigation that follows an unauthorized network intrusion, in which a forensic examiner attempts to understand the nature and extent of the attack and to identify the attacker.

As encryption becomes more widespread, forensic investigation becomes harder, because few laws compel individuals to disclose encryption keys.

What is the Digital Forensics Investigation Process?

There are a number of process models for digital forensics, which define how forensic examiners
should gather, process and analyze data. That said, digital forensics investigations commonly consist
of four stages:

1. Seizure: Prior to the actual examination, the digital media is seized. In criminal cases this is performed by law enforcement personnel to preserve the chain of custody.

2. Acquisition: Once exhibits are seized, a forensic duplicate of the data is created using a hardware duplicator or a software imaging tool, with a write blocker between the original and the examiner's workstation so that nothing can be written to the original. The original drive is then returned to secure storage to prevent tampering. The acquired image is hashed at the time of acquisition and the digest recorded; it is hashed again throughout the analysis and at the end, and matching digests show that the evidence is still in its original state. Older tools and reports use MD5 or SHA-1; both have known collision attacks, so SHA-256 (or stronger) should be recorded alongside them.

3. Analysis: After acquisition, the image is analyzed to identify evidence that supports or contradicts a hypothesis. The forensic analyst usually recovers evidence using a number of methods (and tools), often beginning with the recovery of deleted information. The type of data analyzed varies but generally includes e-mail, chat logs, images, internet history and documents. The data can be recovered from allocated disk space, from unallocated space, or from operating system caches.

4. Reporting: Once the investigation is complete, the information is collated into a report that is accessible to non-technical readers. It may include audit information or other meta-documentation.

What is the History of Digital Forensics?

Before the 1970s, cybercrimes were dealt with existing laws.

The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included
legislation against the unauthorized modification or deletion of data.

As the range of computer crimes increased, state laws were passed to deal with copyright, privacy,
harassment and child pornography.

In the 1980s, federal laws began to incorporate computer offences. Canada was the first country to
pass such legislation, in 1983, with the United States following in 1986, Australia in 1989 and
Britain's Computer Misuse Act in 1990.

1980s-1990s

The growth in cyber crime in the 1980s and 1990s forced law enforcement agencies to establish
specialized groups at a national level to handle technical investigations.

In 1984, the FBI launched a Computer Analysis and Response Team and in 1985, the British
Metropolitan Police fraud squad launched a computer crime department.

One of the first practical examples of digital forensics was Cliff Stoll's pursuit of Markus Hess in
1986. Hess is best known for hacking networks of military and industrial computers based in the
United States, Europe and East Asia. He then sold the information to the Soviet KGB for $54,000.
Stoll was not a digital forensic expert but used computer and network forensic techniques to identify
Hess.

In the 1990s there was high demand for digital forensic resources, and the strain on the central
units led to regional and even local groups being set up to handle the load. This drove the
maturing of digital forensics from an ad-hoc set of tools and techniques into a more developed
discipline.

By 1992, "computer forensics" was used in academic literature in a paper by Collier and Spaul that
attempted to justify digital forensics as a new discipline. That said, digital forensics remained a
haphazard discipline due to a lack of standardization and training.

By the late 1990s, mobile phones were more widely available and advancing beyond simple
communication devices. Despite this, digital analysis of cell phones has lagged behind traditional
computer media due to the proprietary nature of devices.

2000s

Since 2000, various bodies and agencies have published guidelines for digital forensics in response
to the need for standardization. Standardization became more important as law enforcement agencies
moved away from central units to regional or even local units to try to keep up with demand.

For example, the British National Hi-Tech Crime Unit was set up in 2001 to provide national
infrastructure for computer crime, with personnel located centrally in London and with the various
regional police forces.

In 2002, the Scientific Working Group on Digital Evidence (SWGDE) produced Best practices for
Computer Forensics.

A European-led international treaty, the Convention on Cybercrime, came into force in 2004 with
the aim of reconciling national computer crime laws, investigation techniques and international
cooperation. The treaty has been signed by 43 nations (including the United States, Canada, Japan,
South Africa, the United Kingdom and other European nations) and ratified by 16.

In 2005, the revised ISO/IEC 17025, General requirements for the competence of testing and
calibration laboratories, became the standard under which digital forensic laboratories are
accredited.

This was when digital forensics training began to receive more attention with commercial
companies beginning to offer certified forensic training programs.

The field of digital forensics still faces issues. A 2009 paper, Digital Forensic Research: The Good,
the Bad and the Unaddressed, identified a bias towards Windows operating systems in digital
forensics research despite the widespread use of smartphones and Unix- and Linux-based operating
systems.

In 2010, Simson Garfinkel pointed out the increasing size of digital media, widespread encryption,
growing variety of operating systems and file formats, more individuals owning multiple devices
and legal limitations as key risks to digital forensics investigations. The paper also identified
training issues and the high cost of entering the field as key issues. Other key issues include the shift
toward Internet crime, cyber warfare and cyber terrorism.

What Tools Do Digital Forensic Examiners Use?

In the 1980s, very few digital forensic tools existed forcing forensic investigators to perform live
analysis, using existing sysadmin tools to extract evidence. This carried the risk of modifying data
on the disk which led to claims of evidence tampering.

The need for software to address this problem was first recognized in 1989 at the Federal Law
Enforcement Training Center and resulted in the creation of IMDUMP and SafeBack. DIBS, a
hardware and software solution, was released commercially in 1991.

These tools create an exact copy of a piece of digital media to work on while leaving the original
disk intact for verification.

By the end of the 1990s, the demand for digital evidence meant more advanced tools such as
EnCase and FTK were developed, allowing analysts to examine copies of media without live
forensics.

There is now a trend towards live memory forensics using tools such as WindowsSCOPE and tools
for mobile devices.

Today there are single-purpose open-source tools such as Wireshark, a packet capture and analysis
tool, alongside HashKeeper, a database of hash values of known files that lets an examiner filter
out known files and concentrate on the rest. There are also commercial platforms with multiple
functions and reporting capabilities, such as EnCase, and CAINE, an open-source Linux distribution
assembled specifically for forensic work.

In general tools can be broken down into the following ten categories:

1. Disk and data capture tools

2. File viewers

3. File analysis tools

4. Registry analysis tools

5. Internet analysis tools

6. Email analysis tools

7. Mobile devices analysis tools

8. Mac OS analysis tools

9. Network forensics tools

10. Database forensics tools

What are the Legal Considerations of Digital Forensics?

The examination of digital media is covered by national and international legislation. For civil
investigations, laws may restrict what can be examined. Restrictions against network monitoring or
reading personal communications are common.

Likewise, criminal investigations may be restricted by national laws that dictate how much
information can be seized. As an example, seizure of evidence by law enforcement is governed by
the Police and Criminal Evidence Act (PACE) in the United Kingdom. The 1990 Computer Misuse Act
legislates against unauthorized access to computer material, which makes it hard for civil
investigators in the UK.

One of the common considerations which is largely undecided is an individual's right to privacy.
The US Electronic Communications Privacy Act places limitations on the ability for law
enforcement and civil investigators to intercept and access evidence.

The act makes a distinction between stored communication (e.g. email archives) and transmitted
communication (e.g. VOIP). Transmitted communication is considered more of a privacy invasion
and is harder to obtain a warrant for.

Digital evidence falls into the same legal guidelines as other evidence.

In general, laws dealing with digital evidence are concerned with:

 Integrity: Ensuring the act of seizing and acquiring digital media does not modify the
evidence (either the original or the copy).

 Authenticity: The ability to confirm the integrity of information. The chain of custody from
crime scene through analysis and ultimately to the court, in the form of an audit trail, is an
important part of establishing the authenticity of evidence.

Each of the branches of digital forensics have their own guidelines on how to conduct investigations
and handle data.

What are the Different Branches of Digital Forensics?

Digital forensics is no longer synonymous with computer forensics. It is increasingly concerned
with data from other digital devices such as tablets, smart phones, flash drives and even cloud
computing.

In general, we can break digital forensics into five branches:

1. Computer forensics

2. Mobile device forensics

3. Network forensics

4. Forensic data analysis

5. Database forensics

What is Computer Forensics?

Computer forensics or computer forensic science is a branch of digital forensics concerned with
evidence found in computers and digital storage media. The goal of computer forensics is to
examine digital data with the aim of identifying, preserving, recovering, analyzing and presenting
facts and opinions about the digital information.

It is used in both computer crime and civil proceedings. The discipline has similar techniques and
principles to data recovery, with additional guidelines and practices designed to create a legal audit
trail with a clear chain of custody.

Evidence from computer forensics investigations is subjected to the same guidelines and practices of
other digital evidence.

What is Mobile Device Forensics?

Mobile device forensics is a branch of digital forensics focused on the recovery of digital evidence
from mobile devices using forensically sound methods.

While the phrase mobile device generally refers to mobile phones, it can relate to any device that
has internal memory and communication ability including PDA devices, GPS devices and tablets.

While the use of mobile phones in crime has been widely recognized for years, the forensic study of
mobile phones is a new field, beginning in the late 1990s.

The growing need for mobile device forensics is driven by:

 Use of mobile phones to store and transmit personal and corporate information

 Use of mobile phones in online transactions

That said, mobile device forensics is particularly challenging due to:

 Evidential and technical challenges such as cell site analysis which makes it possible to
determine roughly the cell site zone from which a call was made or received but not a
specific location such as an address

 Changes in mobile phone form factors, operating systems, data storage, services, peripherals
and even pin connectors and cables

 Storage capacity growth

 Their proprietary nature

 Hibernation behavior where processes are suspended when the device is off or idle

As a result of these challenges, many tools exist to extract evidence from mobile devices. But no
one tool or method can acquire all evidence from all devices. This has forced forensic examiners,
especially those who wish to be expert witnesses, to undergo extensive training to understand how
each tool and method acquires evidence, how it maintains forensic soundness and how it meets legal
requirements.

What is Network Forensics?

Network forensics is a branch of digital forensics focused on monitoring and analyzing computer
network traffic for information gathering, legal evidence or intrusion detection.

Unlike other branches of digital forensics, network data is volatile and dynamic. Once transmitted
it is gone, so network forensics is often a proactive investigation: traffic has to be captured
while it is in flight.

Network forensics has two general uses:

1. Monitoring a network for anomalous traffic and identifying intrusions.

2. Law enforcement may analyze captured network traffic as part of criminal investigations.

What is Forensic Data Analysis?

Forensic data analysis (FDA) is a branch of digital forensics that examines structured data in regards
to incidents of financial crime. The aim is to discover and analyze patterns of fraudulent activities.
Structured data is data from application systems or their databases.

This can be contrasted to unstructured data that is taken from communication, office applications
and mobile devices. Unstructured data has no overarching structure and analysis therefore means
applying keywords or mapping patterns. Analysis of unstructured data is usually done by computer
forensics or mobile device forensics experts.

What is Database Forensics?

Database forensics is a branch of digital forensics related to databases and their related metadata.
Cached information may also exist in a server's RAM requiring live analysis techniques.

A forensic examination of a database may relate to timestamps that apply to the update time of a
row in a relational database that is being inspected and tested for validity to verify the actions of a
database user. Alternatively, it may focus on identifying transactions within a database or
application that indicate evidence of wrongdoing, such as fraud.

CHALLENGES FACED BY DIGITAL FORENSICS

The development of digital forensics is severely challenged by the growing popularity of digital
devices and the heterogeneous hardware and software being utilised.

• The increasing variety of file formats and operating systems hampers the development of
standardized digital forensic tools and processes.
• The emergence of smartphones that increasingly use encryption makes the acquisition of
digital evidence an intricate task.
• Advances in cybercrime have created substantial challenges such as Crime as a Service (CaaS),
which gives attackers easy access to the tools, programming frameworks and services needed
to conduct cyber attacks.
• Digital forensics has become an important tool in the investigation and identification of
computer-based and computer-assisted crime.
• Eric Holder (Deputy Attorney General of the United States, in testimony to the Senate
Subcommittee on Criminal Oversight) classified the challenges into three categories:
1. Technical challenges
2. Legal challenges
3. Resource challenges

Technical challenges: finding forensic evidence is hindered by
➢ Different media formats
➢ Encryption
➢ Anti-forensics
➢ Steganography
➢ Live acquisition and analysis

Legal challenges:
➢ Jurisdictional issues
➢ Lack of standard legislation
➢ Status as scientific evidence, including the known or potential rate of error of the method
used and whether the theory or method has been generally accepted by the scientific
community

Resource challenges:
➢ Volume of data
➢ Time taken to acquire and analyze forensic media
➢ Ensuring that critical investigative and prosecutorial needs at all levels of government are
satisfied
COMPUTER CRIME
Alternatively referred to as cyber crime, e-crime, electronic crime or hi-tech crime, computer
crime is an act performed by a knowledgeable computer user, sometimes referred to as a hacker,
who illegally browses or steals a company's or individual's private information. In some cases
this person or group of individuals may be malicious and destroy or otherwise corrupt the computer
or data files.
Why do people commit computer crimes?
In most cases, someone commits a computer crime to obtain goods or money. Greed and
desperation are powerful motivators for some people to try stealing by way of computer crimes.
Some people may also commit a computer crime because they are pressured, or forced, to do so by
another person.

Some people also commit a computer crime to prove that they can. A person who can successfully
execute a computer crime may find great personal satisfaction in doing so. These people,
sometimes called black hat hackers, like to create chaos and wreak havoc on other people and
companies.

Another reason computer crimes are sometimes committed is because people are bored. They want
something to do and don't care if they commit a crime.

Examples of computer crimes


Below is a list of the different types of computer crimes today.

 Child pornography - Making, distributing, storing, or viewing child pornography.


 Copyright violation - Stealing or using another person's Copyrighted material without
permission.
 Cracking - Breaking or deciphering codes designed to protect data.
 Cyber terrorism - Hacking, threats, and blackmailing towards a business or person.
 Cyberbully or Cyberstalking - Harassing or stalking others online.

 Cybersquatting - Setting up a domain of another person or company with the sole intention
of selling it to them later at a premium price.
 Creating Malware - Writing, creating, or distributing malware (e.g., viruses and spyware.)
 Data diddling - Computer fraud involving the intentional falsification of numbers in data
entry.
 Denial of Service attack - Overloading a system with so many requests it cannot serve
normal requests.
 Doxing - Releasing another person's personal information without their permission.
 Espionage - Spying on a person or business.
 Fraud - Manipulating data, e.g., changing banking records to transfer money to an account
or participating in credit card fraud.
 Green Graffiti - A type of graffiti that uses projectors or lasers to project an image or
message onto a building.
 Harvesting - Collecting account or account-related information on other people.
 Human trafficking - Participating in the illegal act of buying or selling other humans.
 Identity theft - Pretending to be someone you are not.
 Illegal sales - Buying or selling illicit goods online, including drugs, guns, and psychotropic
substances.
 Intellectual property theft - Stealing practical or conceptual information developed by
another person or company.
 IPR violation - An intellectual property rights violation is any infringement of another's
Copyright, patent, or trademark.
 Phishing or vishing - Deceiving individuals to gain private or personal information about
that person.
 Ransomware - Infecting a computer or network with ransomware that holds data hostage
until a ransom is paid.
 Salami slicing - Stealing tiny amounts of money from each transaction.
 Scam - Tricking people into believing something that is not true.
 Slander - Posting libel or slander against another person or company.
 Software piracy - Copying, distributing, or using software that was not purchased by the
user of the software.
 Spamming - Distributing unsolicited e-mail to dozens or hundreds of different addresses.

 Spoofing - Deceiving a system into thinking you are someone you're not.
 Swatting - The act of calling in a false police report to someone else's home.
 Theft - Stealing or taking anything (e.g., hardware, software, or information) that doesn't
belong to you.
 Typosquatting - Setting up a domain that is a misspelling of another domain.
 Unauthorized access - Gaining access to systems you have no permission to access.
 Vandalism - Damaging any hardware, software, website, or other object.
 Wiretapping - Connecting a device to a phone line to listen to conversations.

CRIMINALISTICS

The criminal justice system in America is the overarching establishment through which crimes and
those who commit them are discovered, tried, and punished. This includes all of the institutions of
government aimed at upholding social order, deterring and mitigating crime, and sanctioning those
who violate the law, such as law enforcement and the court and jail systems.

Criminology and criminalistics are two subsets of the criminal justice system. Criminology relates to
studying and preventing crime—typically with behavioral sciences like sociology, psychology, and
anthropology. Criminalistics refers to a type of forensics—the analysis of physical evidence from a
crime scene.
While criminology has preventative components, criminalistics comes into effect only after a crime
has been committed. A criminalist applies scientific principles to the recognition, documentation,
preservation, and analysis of physical evidence from a crime scene. Criminalistics can also include
crime scene investigations. The Bureau of Labor Statistics (BLS) classifies criminalists as forensic
science technicians. Most professionals regard criminalistics as a specialty within the field of
forensic science.

WHAT DO CRIMINALISTS DO?


Criminalists use their knowledge of physical and natural science to examine and analyze every piece
of evidence from a crime scene. They prepare written reports of their findings and may have to
present their conclusions in court. A criminalist is not involved in determining the guilt or innocence
of an accused individual. Their job, rather, is to present an objective analysis of the evidence.

There are several critical skills that criminalists need to be successful in their work. First, they must
be detail-oriented and have excellent written and verbal communication skills. Second, they should
also have strong critical-thinking and problem-solving skills and a solid background in science,
statistics, physics, math, and ethics. Finally, criminalists should be comfortable testifying in court.

Most of a criminalist’s work is performed in a laboratory unless they specialize in crime scene
investigation. Their job typically includes recognizing what information is important, collecting and
analyzing evidence without contaminating it, and organizing all information and evidence
coherently.

Criminalistics has many fields of specialization. Specialties include, but are not limited to:
 Alcohol and drugs

 Arson

 Blood and tissue spatter

 Computer forensics

 DNA

 Explosions

 Serology (examining and analyzing body fluids)

 Toxicology

 Firearms and tool marks

 Trace evidence

 Wildlife (analyzing evidence against poachers)

As long as crimes continue to be committed, there will always be work for criminalists. A criminal
will always leave evidence, no matter how minute, according to forensic scientist and “Father of
Criminalistics” Paul L. Kirk:
“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as
silent evidence against him. Not only his fingerprints or his footprints, but his hair, the fibers
from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or
semen that he deposits or collects – all these and more bear mute witness against him. This is
evidence that does not forget. It is not confused by the excitement of the moment. It is not absent
because human witnesses are. It is factual evidence. Physical evidence cannot be wrong; it cannot
perjure itself; it cannot be wholly absent. Only its interpretation can err. Only human failure to
find it, study and understand it, can diminish its value.”

As soon as a crime is reported, an investigation is opened by the police or law enforcement agency
with jurisdiction.

Police detectives and investigators use criminalistics in crime-scene investigations. Criminalistics
is “the scientific study and evaluation of physical evidence in the commission of crimes.”
Criminalistics plays a vital role in organizing crime scenes, helping victims, ensuring justice, and
serving the public.

Criminalists cover a broad range of criminal justice jobs within the forensic science field
that examine physical evidence to link crime scenes with victims and offenders. Criminalists are
sometimes referred to as lab technicians or crime scene investigators, a term made famous by the
TV drama CSI.

These criminalists consult with experts, examine and analyze a variety of evidence including
fingerprints, hair, fibers, skin, blood, and more. The criminalists then use their analysis to determine
answers to how a crime was committed.

CRIMINALISTICS IN POLICE INVESTIGATIONS


A report from the National Institute of Justice outlined the role of criminalistics in police work.
Criminalists investigate a variety of crimes, including domestic and aggravated assaults, burglary,
robbery, sexual violence, and homicide.

Here are the basic functions completed by criminalists:

Establishing an element of the crime

 It’s important for criminalists to establish proof that a crime occurred and to determine the
cause and manner of death. Autopsies will help confirm the latter, while sending crime scene
samples of blood, drugs, or semen, for example, could help determine the crime itself.

Identification of a suspect or victim

 Fingerprint and DNA testing are two examples of forensic evidence that criminalists use to
identify an offender.

Associative evidence

 This type of scientific finding can help link the offender to the victim. Examples of
associative evidence include hair follicles, blood, semen, fingerprints left on an object, foot
impressions, and more.

Reconstruction

 Criminalists try to reconstruct how the crime happened using evidence from the crime scene.
For example, certain evidence on a gunshot victim can discern the distance between a victim
and the shooter.

Corroboration

 Physical evidence from a crime scene can corroborate or refute information that investigators
collect during interviews with witnesses, victims and suspects.

CRIMINALISTICS IN REAL TIME


The FBI and U.S. Department of Justice distribute a guide for criminalist protocols when responding
to a crime scene.

Here’s what the Justice Department recommends takes place.

Arrival/Initial Response

 Upon arriving on the scene, criminalists should attempt to preserve the crime scene with
minimal disturbance of the physical evidence.
 Criminalists should make initial observations to assess the scene while ensuring officer
safety and security.
 They should react with caution. Offenders could still be at the crime scene and criminalists
should remain alert and attentive until the crime scene is declared clear of danger.

Documentation and Evaluation

 The investigator(s) in charge should set responsibilities, share preliminary information and
develop investigative plans in compliance with department policy and local, state and federal
laws.
 Criminalists should speak with the first responders regarding observations from the crime
scene before evaluating safety issues at the scene, establishing a path of exit and entry, and
initial scene boundaries.
 If multiple scenes exist, criminalists should establish and maintain communication with
personnel at those sites.

Processing the Scene

 Based on the type of incident and complexity of the crime scene, criminalists should
determine team composition on site.
 Criminalists will assess the scene to determine which specialized resources are required. For
example, forensic examiners could be called to the scene, or a coroner to investigate a
cadaver.

Completing and Recording the Crime Scene Investigation

 Criminalists should establish a crime scene debriefing team, which enables all law
enforcement bodies to share information about findings before the scene is released.
 Criminalists determine what evidence was collected, discuss the preliminary scene findings
with scene personnel, discuss potential forensic tests that will take place, and initiate any
action required to complete the crime scene investigation.

The object and categories of criminalistics

The structure of criminalistics in Europe is not uniform. Western European countries adopted
the British-American model, which treats “criminalistics” as nearly synonymous with “forensic
science”. According to this model, forensic science uses criminalistic techniques for the
technical solution of judicial problems, and it also covers crime scene investigation
techniques; in the central European models some of these techniques fall within the field of
criminalistic tactics. For a number of central European law practitioners, criminalistics
belongs to the broad category of legal sciences [31]. Because of this legal aspect, forensic
science and the science of criminalistics are not treated as one discipline: forensic science
techniques that are not identified in the Criminal Code, such as electro-technical examination,
examination of digital evidence or metallographic examination, are not legal methods, and
forensic science is therefore viewed as a discipline distinct from criminalistics. The legal
aspect plays a critical role in the differentiation between the two models [32]. Criminalistics
is an independent science that “examines the manifestation of the event in the form of physical
and memory characteristics” [33]. In criminalistics, this manifestation is called trace evidence,
and trace evidence is the object of the science of criminalistics. Criminalistics differentiates
two types of trace evidence: physical (material) and mental (memory). Naturally, a criminal
investigation based on material evidence provides a higher level of precision and certainty [34].
(Note that criminalistics differentiates between evidence and trace evidence: evidence is a term
for proving something and is essentially regarded as proof, whereas trace evidence is an imprint
used for identification.) Contemporary criminalistics is broken down into two main groups,
criminalistic techniques and criminalistic tactics. Criminalistic techniques focus on the
examination of material (physical) trace evidence, while criminalistic tactics examine mainly
memory trace evidence. Regardless of the category of evidence, criminalistics is focused on
finding, seizing and examining the evidence [35]. Criminalistics distinguishes three categories
for achieving this goal: (a) modus operandi, the method of committing a crime, (b) criminalistic
trace evidence and (c) criminalistic identification.

Modus operandi/method of committing a crime

Considerable emphasis in criminal investigation is placed on a detailed description of the
method of committing the crime, which is known as modus operandi (or MO). Three major
components of MO play a role in criminal investigation, and they are listed as follows: The
components pertaining to an action characterize the physical and psychological activity of
the offender while committing a crime. Material components consist of tools and items
necessary for committing the crime. Finally, multifaceted components are a complex group
of activities and information required for committing the crime.

Human behaviour is determined by numerous factors, and the behaviour of the offender likewise
depends on the interaction between these factors. Criminalistics divides these factors into
objective and subjective determinants. Objective determinants do not depend on the offender’s
choice; in general they are the social and cultural conditions, the victim(s) or target(s), the
relationship between the offender and the victim or target, the crime scene, the time, the
accessibility of tools (weapons, etc.) and the existence of co-offenders. Subjective
determinants depend on and are connected to the offender specifically: the physical (somatic)
characteristics of the offender (strength, body build), psychological and motor characteristics
(level of intelligence, ease of mobility, hobbies, sexual behaviour), age, gender, criminal
experience and educational level (qualifications, skills) [36]. Knowledge of the method of
committing a crime offers additional important information: it enables investigators to create
criminalistic versions (investigative hypotheses) and provides data for criminal profiling [37].

Criminalistic trace evidence

In criminal investigation, trace evidence gives investigators a picture of the criminal act
along with indications about the behaviour of the perpetrator and his/her victim(s) at the
scene. Knowledge of the trace evidence mechanism and its creation lays the foundation
for criminal investigation methods and techniques. The essence of trace evidence is the
mutual association of two objects that provide information about the criminal act. When two
objects have an effect on one another, they create changes. These changes illustrate and
reproduce characteristics of the affected objects. Each change in a physical environment or a
human mind that is influenced by a criminal act is considered to be trace evidence. As a
result of this, criminalistics distinguishes between material (physical) trace evidence and
memory trace evidence. Three major changes must come into effect in order to produce trace
evidence: change that is generated by the criminal act, change that exists until the time of its
seizing, and change that can be assessed by criminalistic methods and techniques38. Trace
evidence is widely recognized as one of the subjects of scientific examination39.

Digital Forensics Page 33

Material (physical) trace evidence is divided into five categories: trace evidence that gives
information about (a) the structure of the outer surface of objects, such as finger-prints or
ballistics evidence, (b) the structure of the inner surface of objects, such as biological,
chemical or pyrotechnical evidence, (c) the functional and dynamic features of objects,
such as voice, posture while walking, or hand-writing, (d) characteristics of the objects that
created the trace evidence, such as finger-prints created by blood, or foot-prints that provide
insight into walking patterns, and (e) features of objects created by change, such as
peripheral trace evidence (moving an object from one place to another), slits or bruises40.
Although memory trace evidence has physical features (like changes in brain cells), the
methods of its examination are quite complex. Memory trace evidence is formed by the five human
senses (sight, hearing, touch, smell and taste), but it is very difficult to examine the exact
way in which it is created. Additionally, it is influenced by the personality of the person who
created it (the person’s short- and long-term memory as well as his/her emotional state, etc.)
and is not accessible immediately. Once the person dies, or if he/she is not willing to share
his/her memory, the trace evidence is lost. All memory trace evidence is formed as a
reflection of the human mind, which is influenced by the organic or inorganic environment.
The basic impulse that creates memory trace evidence is a perception that is generated by
the pressure of the environment on the human senses41.

The examination of memory trace evidence is achievable only by methods which allow a
person to interpret his/her own experience through recollection of a specific event. This can
be done using legal methods of psychological manipulation. As a result of this, memory
trace evidence is examined using a combination of methods of criminalistic tactics, such as
criminalistic versions, interrogation, confrontation, verification of the statement on the scene,
recognition, and in some cases, criminalistic experiment and criminalistic reconstruction42.

Criminalistic identification

Once trace evidence is formed during a criminal act, the investigators strive to find out who
created the evidence and what objects were used. Criminalistic identification includes
examining objects (living and non-living) which may have contributed to the formation of
trace evidence. During the process of criminalistic identification, the object is not only
identified, but also individualized. Individualization of the object is the process by which
investigators examine general and specific features of the object. Criminalistic
identification is divided according to four categories. In relation to the subject (the person who
performed the identification), criminalistics distinguishes identification made by an expert
witness from recognition by a witness (lay person). Identification made by scientific methods
of examination consists of finger-print examination, ballistics, biological identification, etc.
In relation to the identified objects, criminalistics differentiates between identification of
people and identification of non-living objects. Identification of people is usually made on
the basis of anatomic and anthropological features of the human body, functional
characteristics of motor signs (human gesticulation, hand-writing), the human voice,
biological traces, and track traces (foot-print, lip-print, teeth). Identification of non-living
objects is conducted more often by ballistics, track traces, tool marks and microscopes. The
last category distinguishes identification on the basis of results; for instance, whether the
object was identified or not. Individual identification is achieved by confirmation (witnesses,
DNA, etc.). In the case of incomplete identification, the process is finished, but the object
was not individually identified. Here, examiners conduct partial identification by
grouping the object into a bigger category (type of vehicle). Identification according to
identifying features is made on the basis of specific characteristics of the object, such as
functional, dynamic, structural, etc. As a result of its capability to be scientifically examined,
criminalistic identification belongs to both criminalistic sub-categories: criminalistic
tactics and criminalistic techniques. Therefore, identification enables the examination of
material and memory trace evidence43.

Methods of criminalistics

Criminalistic methods developed during the historical progress of criminalistics through its
own scientific growth and through the adaptation and adjustment of methods developed in
other sciences. However, criminalistic examination can be done by criminalistic methods
only. These methods must meet four strict criteria. The methods must (a) not contravene
lawful norms, (b) be scientifically based, (c) be verified by criminalistic practice and (d) be
accepted by criminalistic practice. Satisfaction of the lawful (legal) norm is a central
criterion for the application of criminalistic methods. Its importance lies in the outcome of
the criminal investigation. If the evidence was gathered using an illegal method (for instance,
the use of physical or psychological force during the interrogation), the evidence usually
becomes inadmissible in court. The scientific-basis criterion is determined by the current
state of scientific progress. When new knowledge is scientifically recognized, the
method can be changed or altered and the old method is eventually discarded. The verification
criterion is fulfilled when the scientific basis of the method is confirmed in an existing
practical situation. The recognition criterion is linked to the verification principle; however, the
time that elapses from the verification of a particular method to the complete application of
this method in practice is substantially longer44. Porada et al.45 identify three groups of
criminalistic methods. The first group consists of “methods of universal perception”. These
methods are generally employed by all examiners, such as observation, description,
comparison, measurement and experiment. The second group involves “methods taken from
other sciences”. These methods of examination were created by other sciences, such as
physics, chemistry, and biology, and criminalistics includes them in its methods of
examination. The last group is composed of “specific methods of criminalistic science”, and
these are applied exclusively in the field of criminalistics, such as knowledge gathered from
criminal investigation, law enforcement or judicial practice46. Criminalistic methods are
divided into two major groups. The first, methods of criminalistic techniques, examines
material (substantive) trace evidence (finger-print analysis, DNA, etc.), while the second,
methods of criminalistic tactics, usually studies memory trace evidence (crime scene
examination, interrogation, search, etc.)47.

Methods of criminalistic techniques

The rapid development of scientific disciplines and the colossal growth of modern technologies have
improved the methods and techniques of criminal investigation, along with the process of the
identification of material trace evidence. Therefore, criminalistic techniques focus on the
identification of people, items, and occasionally animals. With respect to the scientific
procedure used for the examination of trace evidence, criminalistic techniques are divided
into several categories. The first, methods that use procedures based on optical principles,
takes advantage of the miniature structure of trace evidence and the possibility of examining
it without causing any further damage. Magnifying glasses and microscopes are tools widely
used by forensic specialists. The application of microscopes (binocular, comparison,
biological, metallographic, and scanning electron) is achievable exclusively at forensic
laboratories. Magnifying glasses can be used both at the crime scene and in the forensic laboratory.
The second category, methods of criminalistic techniques that use procedures based on
electromagnetic radiation, employs X-rays, ultraviolet, infrared and nuclear radiation for further
identification of material trace evidence. Lastly, methods that use chemical and physical
procedures are used in analyses of drugs, blood, toxins, fuels, emissions, plastics, etc.,
and are commonly applied48. The application of knowledge incorporated from various
scientific disciplines into forensic science is the key factor that helps link the offender to the
crime by means of material trace evidence. Forensic specialists employ numerous techniques
appropriate to the characteristics of the crime. Frequently used techniques are finger-print
analysis (dactyloscopy), DNA analysis, forensic pathology, forensic biology, forensic
anthropology, ballistics, forensic audio expertise, firearm and tool mark examination, digital
imaging enhancement, forensic data recovery, and forensic accounting.

Methods of criminalistic tactics

The significance of criminalistic tactics as a method of collection, examination, exploration
and application of evidence lies in its contribution to the process of criminal investigation. In
the 1950s, Bohuslav Nemec defined criminalistic tactics as “(a) a science about crime and
criminal acts, (b) study about methods of offenders’ activities, (c) generalization of
criminalistic knowledge and its practical application, (d) active summary and statistics, (e)
effective functioning of law enforcement, and (f) investigative process”49. Later on, in the
60s, the objects of criminalistic tactics shifted to investigative methods and techniques of
criminal investigation. Additionally, characteristics of the offender, methods of committing
crimes, and their classification were added. During the 70s, academics agreed that
criminalistic tactics should focus on the issues of examination and application of methods
related to the investigation and prevention of dangerous activities. Criminalistic tactics assist
in finding the facts in issue, and therefore they have to satisfy numerous requirements. A
specific tactic must be legally approved, scientifically verifiable, appropriate, and accessible;
finally, its application is required to be ethical. At present, methods of criminalistic tactics
focus on the examination of memory trace evidence. Each method examines evidence from a
specific point of view. However, this type of evidence does not exist in a vacuum; memory
is frequently interconnected with material evidence and the material environment. Existing
methods of criminalistic tactics include (a) crime scene investigation, (b) criminalistic
search, (c) criminalistic versions, (d) interrogation/interview, (e) confrontation, (f)
verification of the statement on the scene, (g) recognition, (h) criminalistic experiment, and
(i) criminalistic reconstruction. In some cases, criminalistic documentation, planning and
management of criminalistic examination are added to the methods of criminalistic
tactics50.

Crime scene investigation

The key role of the crime scene investigation (or CSI) is the comparison between an object’s
material condition and trace evidence obtained from this object, as well as their mutual
relationship. The core of the CSI lies in direct observation of the scene and the object while
searching for material changes in the object, which can become evidence. However, this
process is not just mere observation. It is also empirical examination, continuous evaluation
and documentation of a crime scene’s physical condition and objects connected to it.
Observation can be made by the senses or using electronic/technical equipment.

The goal of the CSI is to (a) find evidence, (b) discover relationships and associations, and
(c) detect other circumstances, such as conditions, motives and hypotheses for the creation of
criminalistic versions51. The significance of the CSI as one of the criminalistic methods is
remarkable. It enables investigators to understand the characteristics of the event that took
place at the crime scene, including plausible causes and conditions that gave rise to the
criminal event, or to understand the offender who committed the crime. Success of a criminal
investigation often depends on the quality of the CSI, which is one criminalistic tactic that
cannot be replaced by any other method. Its level of quality essentially influences the
quality of the gathered evidence. Insufficient knowledge and skills or an irresponsible
approach by law enforcement officers may lead to a lesser punishment or even acquittal of a
true offender. The CSI provides initial information about evidence and the event itself which took
place at the crime scene. A shoe print might be an example, as it may lead to knowledge of
one’s height. Facts derived from preliminary information about evidence depend
considerably on experience and knowledge. The crime scene investigation is considered to
be a team effort made by the police officers, investigators, and forensic specialists52. The
first officers at the crime scene are the members of the “permanent access group”. Additional
participants in the CSI are witnesses, any victims or even the accused. It is crucial to use
good judgement in deciding whether the attendance of such people is necessary or not,
because it might put the investigation at risk. A phone call made to 112 initiates four major
tasks: (a) completion of initial, emergency activities, (b) preparation for crime scene
examination, (c) completion of crime scene examination along with proper documentation of
its results and (d) evaluation of accomplished results and their application53.

Criminalistic documentation

The aim of criminalistic documentation is to secure trace evidence (verbally and
acoustically) and to take control of the course and outcome of the criminal investigation. In
criminalistic examination (investigation), trace evidence and comparison material have the
nature of documented marks and seized objects54. Documented marks are delivered in
written form (transcript), phonogram (audio recording), photographic form (photographs,
hologram, video, film, and digital recording), and topographic form (sketch, plan, and
drawing). Standard criminalistic documentation comes in the form of a transcript. In other
words, it describes a situation that was observed by its author. A transcript must consist of an
objectively true statement of facts – the subjective feelings of the author are not allowed. In
addition to an oral description of the observed situation, investigators can choose the form of
an audio (phonographic) recording. Furthermore, this form of documentation is frequently
used at the interrogation/interview, where the statements made by the accused, witnesses or
the victim are recorded. However, photographic form provides the most precise
documentation. Written, phonographic and photographic forms are supplemented by
topographic form, usually consisting of sketches, plans, and drawings. Seized objects are
submitted in their natural form, and the exact location where they were found is documented
along with all of the circumstances and conditions surrounding their discovery. Not only
the trace evidence itself but also any manipulation of it must be documented in order to protect the
chain of evidence. Each and every piece of evidence, its manipulation and the circumstances
around it are important for a criminal investigation; therefore thorough documentation is
crucial.
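As an added illustration of the last point (this example is not part of the original text), the following Python sketch keeps a custody record for a seized digital item in which each handling step commits to the hash of the previous step, so that any later manipulation of either the data or the record of its handling is detectable; the item, handlers and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List

GENESIS = "0" * 64  # link value used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one seized item. Each handling step commits to
    the hash of the previous step, so a later edit or deletion is detectable."""

    def __init__(self, item_id, description, location, data, handler, when=""):
        self.item_id = item_id
        self.data_hash = sha256_hex(data)  # fingerprint of the data at seizure
        self.entries: List[dict] = []
        self.append("seizure", handler, f"{description}; found at {location}", when)

    def append(self, action, handler, note, when=""):
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "when": when, "action": action,
                 "handler": handler, "note": note, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, data) -> List[str]:
        """Return the problems found; empty means data and handling record are intact."""
        problems = []
        if sha256_hex(data) != self.data_hash:
            problems.append("data no longer matches the hash taken at seizure")
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                problems.append(f"entry {i}: missing or reordered step")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i}: record altered after it was written")
            prev = e["entry_hash"]
        return problems


def demo():
    # Constructed sample: a stand-in for an imaged USB stick handled by two examiners.
    data = b"constructed sample of seized storage contents"
    log = CustodyLog("EV-001", "USB stick (constructed)", "desk drawer, room 2",
                     data, "examiner-1", "2024-01-01T10:00:00+00:00")
    log.append("transfer", "examiner-2", "received for imaging", "2024-01-01T12:00:00+00:00")
    intact = log.verify(data)                   # []: everything checks out
    wrong_data = log.verify(data + b"x")        # data mismatch is reported
    log.entries[0]["note"] = "found in a bag"   # undocumented edit of the record
    tampered = log.verify(data)                 # entry 0 reported as altered
    return intact, wrong_data, tampered
```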
