Deivison Franco, Daniel Müller, Cleber Soares and Joas Santos
The main objective of this article is to provide a theoretical basis for the forensic professional. Our intention with this work is to gather the main concepts applied, generically, to the forensic sciences and bring them, specifically, to computer forensics. To this end, the fundamentals involved, from the crime scene to the performance of examinations on different types of traces, will be presented within the phases of the forensic process, through a general overview of the scientific police, giving insight into the role of each of the actors that make up the universe of criminalistics, as well as its scope and legal applicability.
How does one elucidate legal issues involving material traces? How does the scientific police transform traces into evidence? What is the chain of custody and why does it matter for the quality of evidence? What is the role of the official expert and of the technical assistant? How can one identify, from an email message, the IP addresses of the servers it passed through? These and other questions will be addressed and clarified with schematic drawings, case analyses and objective, didactic language, to make the reader even more familiar with the topic.
RECOGNITION AND PERCEPTION OF FORENSIC TRACES
One of the most important and valued characteristics of the forensic scientist is the ability to perceive, since it is directly linked to selective human attention. Each scientist has an individual way of perceiving, understanding, feeling and imagining, and neuroscience and cognitive science are great allies here. Knowledge follows a logical sequence, in which one conceives, perceives and becomes aware; each person, however, approaches this as a nonlinear system. The concept of perception comes from the Latin perceptio, the act or ability to perceive: to see, hear and feel.
Didactically, perception is divided into sensory (visual, auditory, tactile, olfactory, gustatory) and extrasensory (telepathy, clairvoyance and premonition). Sensory perception stems directly from the ability to capture external signals through the human senses, process them and transform them into knowledge. Extrasensory perception would be the ability to perceive in ways that science has not been able to explain.
The use of extrasensory perception at crime scenes gained notoriety with the parapsychologist Sally Headding, who went on television to tell how she had helped the police solve heinous crimes. Forensic science works only with sensory perception, through scientifically measurable methods. It does not rule out a method that may one day be proven by science, but, precisely because no valid scientific method exists for them today, it does not use extrasensory methods, and should not use them without scientific validation. The forensic scientist's intuition matters, but it is not evidence.
Sensory perception, whether unaided or assisted by forensic instruments, is fundamental for the recognition of traces. Visual perception is one of the most important, conceptualized as the ability to perceive traces through visual stimuli (for example, when the expert at a crime scene sees a drop of blood on the ground).
Olfactory perception also assists significantly in the recognition of traces: it is the ability to smell the trace, for example when the expert arrives at a crime scene and can smell fuel, gunpowder, blood, or an electronic component that has short-circuited.
Tactile perception is also widely used to define textures, being conceptualized as the ability to feel a trace by touch. It is widely used in document examination (documentoscopy) to assess the texture and weight of paper.
We can also mention auditory perception, the ability to recognize traces by hearing, for example when the expert hears, at a crime scene, a liquid leaking or even a projectile rattling inside a vehicle's spare tire.
Finally, there is gustatory perception, the ability to recognize traces by taste. The classic scene from old police films comes to mind, in which the officer puts a bit of white powder on his tongue to check whether it is cocaine. This is not acceptable today, precisely because of the risk such a procedure poses to health. Therefore, olfactory and gustatory methods should be used only in cases that pose no risk to the health and safety of the professional.
Preservation and Isolation
When an offence leaves traces, examination of the crime scene is indispensable. This is the first action to be taken: as soon as it becomes aware of the criminal offence, the police authority should go to the site and ensure that the state and condition of things are not altered.
To examine the place where the offence was committed, the authority will immediately arrange that the state of things is not changed until the arrival of the experts, who may support their reports with photographs, drawings or explanatory diagrams. In the same sense, a preliminary measure to be adopted is to go to the scene, ensuring that the state and situation of things are not altered for as long as necessary, as well as seizing the instruments and all objects related to the fact.
In addition, the authority or police officer who first arrives at a crime or accident scene must first attend to safety and, if necessary, rescue victims. Then, they should adequately isolate and preserve the area where the fact occurred and, if possible, its surroundings, until the arrival of the criminal experts and the completion of the expert surveys.
In the same sense, when attending a crime scene, the expert should adequately isolate and preserve the immediate area and, if possible, the mediate area, taking care that the area is not disturbed, making no modifications on his own initiative except in cases provided for by law, and preventing access by anyone, including relatives of the victim or police officers who are not part of the specialized team.
Broadly, the scene must be preserved and its configuration must not be altered under any circumstances. In particular:
- Do not interfere with anything that makes up the crime scene: do not remove, place or change the position of anything.
- Do not go through the pockets of the corpse's clothing, when there is one.
- Do not collect belongings.
- Do not handle the instruments of the crime, especially weapons.
- Do not touch the corpse and, above all, do not move it from its original position.
- Do not touch objects that are under guard.
- Do not attempt to identify the corpse; that is the responsibility of the experts.
- Do not smoke, eat or drink anything at the crime scene.
- Do not use any telephone, toilet or washbasin on the premises.
- Indoors, keep doors, windows, furniture, appliances and utensils as they were found, neither opening nor closing them, neither turning them on nor off, except when strictly necessary to contain an existing risk.
- Take care to keep stray animals away, especially in outdoor locations and above all where there is a corpse.
Generally, the military police officer is the first public security professional (first responder) to attend the crime scene, called by a citizen or by family members who became aware of the incident.
As we have seen, the police officer who first arrives at the scene must attend to safety, rescue the victims and then properly isolate and preserve the area where the fact occurred. So the first questions that arise are: not change the state of what things? Isolate and preserve what?
From these questions follows a simple logic: no one can isolate what they do not recognize. It is precisely for this reason that everything at a crime scene, or in a search and seizure, begins with the recognition of the trace.
According to best forensic practice, recognition is the act of distinguishing an element as being of potential interest for producing forensic evidence. The chain of custody is one of the most important concepts of the forensic sciences; it begins with recognition and ends with disposal. Correct custody of traces is a question of justice, of democratizing evidence through the scientific method: the application of the scientific method in the search for truth must be available to any of the parties, at any time.
Correct custody and preservation of the trace in a custody center is an obligation of the state. A criminal prosecution without a proper chain of custody is not admissible under the democratic rule of law. There are many cases in which science has evolved and reached different conclusions on reanalysis of old cases. The acquittal of the innocent and the conviction of the true culprits is only possible with a good trace custody center, one that preserves the integrity and authenticity of the traces.
The chain of custody begins precisely with the act of the public agent who detects the existence of a trace at the crime scene. Therefore, before any procedure, the professional must be able to recognize, identify and see a trace in order to comply with the law by isolating and preserving it.
A trace is any sign, mark, object, situation or perceptible material element potentially related to a person or to an event of criminal relevance, and/or present at a crime scene. In other words, the trace comprises any raw material found at the crime scene or in the corpus delicti that is of interest for elucidating the facts.
After detecting an element as being of potential interest for producing evidence, the public agent is responsible for its isolation and preservation. If the first step at the crime scene is to recognize elements of potential interest and take responsibility for them, another question arises: is the agent prepared to recognize a trace?
To answer this question, we note that there are always many traces, many details that attract the attention of investigators and experts. A major problem at crime scenes is determining the link between the various material elements present and their relationship to the facts. To be prepared to recognize a trace is to be prepared to deal with complexity, diversity, transdisciplinarity and systematic thinking. It is to know how to differentiate illusory, forged and true traces; to know how to carry out critical analysis and parallel thinking; and to be able to see that a crime scene has an immediate area, a mediate area and a related area.
The great challenge of the professional who works in crime scenes is to be able to establish a relationship between the traces found and the dynamics of the facts. Imagine an expert arriving at a crime scene and having to determine which elements present there are related to the fact that is being investigated. That's a crucial question. Therefore, a classification of the traces was established in relation to the fact:
- Illusory traces – appear from the beginning of the investigation to be very important and lead the investigator to waste a lot of time studying them, only to conclude in the end that they bear no relation to the fact.
- Forged traces – are those the perpetrator prepares with the aim of diverting the investigation's attention and leading it in a direction contrary to the facts.
- True traces – are related to the facts under investigation because they are the result of the action or omission of the author and whose correct interpretation can lead to the elucidation of the crime.
Recognizing a trace at the crime scene requires a real-time knowledge construction exercise using historical references, very logical reasoning, and technical preparation.
In a crime scene, there can be a wide variety of traces (biological, chemical, physical, cybernetic, etc.), each with its own particularities. Understanding these particularities is a key element to ensure integrity and, consequently, the probative characteristics of the material evidence until submission in a court of law.
A note on the term "visualization": although, in its pure sense, the term does not fully fit the topic, for this specific case it is the best applicable, since this is guidance for the first public security professional attending the scene. Because that professional does not have the mission of completely "seeing" the trace, they should make it visible through the procedures described here, thus forming a mental visual image of the whole environment.
Therefore, starting from the direct sight of some larger trace (a corpse, for example), one must, by inductive reasoning, "visualize" other probable traces and thus be more certain of correctly delimiting (isolating) the area. A trace is a material element, but it can take any of a multiplicity of shapes and sizes, which makes it hard to observe for those not accustomed to handling it. Each crime scene has its particularities and is therefore unique, which always requires looking far beyond what one expects to see.
In addition to being able to detect the trace, the agent needs to establish its relationship to its owner, which, didactically, can be done by classifying the trace as absolute or relative. Absolute traces allow an absolute, direct relationship with their owner or with the victim, such as a fingerprint, handwriting, or the genetic material contained in biological traces. In that case, whoever left such traces at the scene also left an identifiable part of themselves.
Relative traces are those that do not have an absolute, fully identifiable relationship with their owner. A footprint, for example, may point to a group of suspects, but not to its owner. Relative traces can nonetheless help identify a single suspect, depending on how much information they add up to: with enough relative traces, cross-referencing the data and progressively narrowing the group of suspects, individualization becomes possible.
An example of classifying traces by the relationship they establish with the perpetrator is a shoe left behind during the escape. The object itself is a relative trace, but the epithelial cells with the owner's DNA, possibly present on the insole, represent an absolute trace.
Preparatory Procedures
From the moment of activation or designation, the expert must take all measures necessary to meet the request, which includes checking that all the required materials are at hand. The harm of attending a scene without the necessary equipment and materials is easily understood when one considers the possible loss of traces for lack of equipment or collection materials. Gathering all the material and human resources necessary for the service constitutes the preparation stage.
Arrival at the Crime Scene
The designated expert must take charge of the crime scene as soon as he arrives. This means introducing himself to the officer in charge and informing him of the arrival of the expert team and of the series of procedures that will be carried out. It is also at this moment that a great deal of subjective information is passed on to the expert, often informally. Crime scene processing can last many hours or even days; if the examination must be interrupted for any reason and resumed later, preservation of the scene must be ensured in the meantime.
Interviews
Interviews are tools available to the expert to support the examination. Thus, in the performance of their function, the expert and the technical assistants may use all necessary means: hearing witnesses, obtaining information, requesting documents in the possession of a party, of third parties or of public offices, and supporting the report with spreadsheets, maps, plans, drawings, photographs or other elements necessary to clarify the object of the examination.
On-site interviewing is a procedure intended to find additional information that can help assess the size of the area to be isolated, the existence of related sites, and other information useful to the investigation. These interviews should be done at the beginning of the work, with possible witnesses and other persons who were present at the scene before the experts arrived. The aim is additional information that helps the expert learn more about the scene and thus speeds up the work.
Care should always be taken regarding the validity of this information. It serves the examination only as the basis of a possible general picture and, being subjective, should be treated with great caution. Even when testimony helps to find traces that corroborate the information, the expert should base his conclusions on the traces alone.
Entry into a Crime Scene for Reconnaissance
The first police officer to arrive at the scene must ascertain whether the reported occurrence really exists. To do so, the officer must enter the crime scene and go to the corpus delicti. Entry into the immediate or mediate area around the corpus delicti should be made through the closest accessible point, so that the path is as close to a straight line as possible. Once the offence is verified, the officer should return to the periphery of the crime scene along the same path, in the reverse direction.
The officer should memorize the route, since it must later be communicated to the experts. All movement by the police to ascertain what happened must be meticulous, and absolutely nothing should be removed from the position it occupied in the final configuration of the crime scene. The exceptions to these rules are:
- To help the victim.
- To ascertain the fact.
- To avoid greater evil.
- For the work of firefighters in the rescue and extinction of the fire.
The entry into a crime scene and the search for traces is one of the most time-consuming phases and aims to find all the traces inherent to the site being processed. The types of traces will depend on each place and type of crime. However, search procedures are generally the same.
The expert taking part in the search should be cautious and observant. A preconception of the fact can help, provided the expert is prepared to recognize a change of direction in the analysis when a new trace appears. A common saying in the expert field that brilliantly illustrates the importance of the recognition and search phase is: whoever does not know what they are looking for does not understand what they find.
Processing and Analysis
Processing is the expert examination proper: handling the trace according to the methodology appropriate to its biological, physical and chemical characteristics in order to obtain the desired result, which should be formalized in a report.
It is in the processing and analysis phase that the trace is transformed into evidence: the trace arrives raw in the hands of the experts, who process and analyze it so that it becomes proof.
Briefly, the processing and analysis of the trace can be reduced to four phases, from receipt of the material to preparation of the report: collection and preservation; extraction and examination; forensic analysis; and formalization of results. All of them are part of a larger chain of custody that begins with recognition and ends with disposal of the trace. The procedure is explained and illustrated below.
Stages of criminal forensics.
Collection and Preservation
Of paramount importance for the expert analysis, this is the stage at which the largest possible amount of data should be collected and at which essential care is needed to ensure and maintain its integrity.
Other activities in this phase relate to the crime scene, which must be isolated, and to the corpus delicti, which must be identified and packaged so that it is properly preserved and recorded in the chain of custody document.
For this phase to be carried out completely and successfully, the expert must meet the following requirements: recognize the trace, isolate the area, collect, identify and package traces, ensure their integrity, and draw up the chain of custody.
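The integrity requirement and the chain of custody document can be made concrete in code. What follows is an added example, not code from the article or from any forensic body: it hashes a seized item (here a constructed byte string standing in for a forensic disk image), opens a custody log anchored to that hash, chains every custody event to the previous one, and verifies both the item and the log, reporting which event was altered. The function names (new_custody_log, append_event, verify_custody, clone_log), the case and item identifiers, the agent names and the timestamps are all assumptions invented for the example.

```python
import copy
import hashlib
import json

# Constructed stand-in for a seized item (e.g. the bit-for-bit image of a USB
# stick). In practice this would be the bytes of the forensic image file.
DEMO_EVIDENCE = b"constructed sample image of seized USB stick\n" * 8


def sha256_hex(data: bytes) -> str:
    """Hash of the item as collected; this value anchors the whole chain."""
    return hashlib.sha256(data).hexdigest()


def _event_hash(event: dict) -> str:
    """Hash of one custody event over its canonical JSON form. The event
    carries the previous link's hash, so altering an earlier event breaks
    every later link."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(payload)


def new_custody_log(case_id: str, item_id: str, evidence: bytes,
                    agent: str, when: str, note: str) -> dict:
    """Open a custody log for one item, recording its collection as the first event."""
    log = {"case_id": case_id, "item_id": item_id,
           "evidence_sha256": sha256_hex(evidence), "events": []}
    append_event(log, "collection", agent, when, note)
    return log


def append_event(log: dict, action: str, agent: str, when: str, note: str) -> dict:
    """Record a custody event (collection, transfer, storage, examination,
    disposal), linked to the previous event or, for the first, to the
    evidence hash."""
    prev = log["events"][-1]["event_hash"] if log["events"] else log["evidence_sha256"]
    event = {"action": action, "agent": agent, "when": when,
             "note": note, "prev_hash": prev}
    event["event_hash"] = _event_hash(event)
    log["events"].append(event)
    return event


def verify_custody(log: dict, evidence: bytes) -> list:
    """Return a list of problems; an empty list means item and log check out."""
    problems = []
    if sha256_hex(evidence) != log["evidence_sha256"]:
        problems.append("evidence hash mismatch: item altered since collection")
    prev = log["evidence_sha256"]
    for i, ev in enumerate(log["events"]):
        if ev.get("prev_hash") != prev:
            problems.append(f"event {i}: link to previous event broken")
        body = {k: v for k, v in ev.items() if k != "event_hash"}
        if _event_hash(body) != ev.get("event_hash"):
            problems.append(f"event {i}: contents altered after recording")
        prev = ev.get("event_hash")
    return problems


def clone_log(log: dict) -> dict:
    """Deep copy, used to simulate a tampered copy without touching the original."""
    return copy.deepcopy(log)


def build_demo_log() -> dict:
    """Constructed custody history: collection at the scene, provisional
    storage, transfer to the custody center, examination. Names and
    timestamps are invented for the example."""
    log = new_custody_log("CASE-0001", "ITEM-07", DEMO_EVIDENCE,
                          "Expert A", "2024-03-01T10:15:00Z",
                          "USB stick seized from desk; imaged and hashed on site")
    append_event(log, "transfer", "Officer B", "2024-03-01T12:40:00Z",
                 "Sealed bag received at provisional trace center")
    append_event(log, "transfer", "Custodian C", "2024-03-02T09:05:00Z",
                 "Received at trace custody center, shelf H-3")
    append_event(log, "examination", "Expert D", "2024-03-10T14:00:00Z",
                 "Working copy made from image; hash re-verified before analysis")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("intact log:", verify_custody(demo, DEMO_EVIDENCE))
    tampered = clone_log(demo)
    tampered["events"][1]["agent"] = "Mallory"
    print("tampered log:", verify_custody(tampered, DEMO_EVIDENCE))
    print("altered item:", verify_custody(demo, DEMO_EVIDENCE + b"x"))
```

A hash chain like this detects alteration of the item or of any recorded event, but it does not by itself prove who made an entry, and someone holding the only copy could rewrite the entire chain. In practice each entry is signed by the custodian or the log is kept on write-once storage, and the evidence hash is also written on the seizure form and the sealed packaging, so that the log, the paper record and the item can be checked against one another.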
Extraction and Examination
At this stage the main objective is to screen the collected traces, that is, to separate what is relevant to the examination in question. First, the methodologies and tooling for the analysis must be defined according to the type of investigation to be carried out. The expert must use techniques and procedures that yield as much useful information as possible, employing validated tooling, among other procedures, to expedite the search for evidence and ensure its authenticity and integrity, and meeting the following requirements: identify, extract, filter and document (all relating to the data examined).
Analysis
In the third phase, practically parallel to the previous one, the data and information separated out will be analyzed to find relevant evidence to assist in the investigation of the case. Everything found and considered relevant must be correlated, so that it is possible to reconstruct the events, establish the causal link and thus reach a conclusion, that is, prove the materiality of the fact. This phase therefore consists of examining the extracted information that relates to the offence under investigation.
Experts should be very judicious, ensuring that no content related to the questions posed is disregarded. This is the main phase of the examination and the one that demands the greatest effort, care and technical capacity, because it requires special attention to what is being examined. For this phase to be performed completely and successfully, the expert must: map, correlate, reconstruct and document (all relating to the information analyzed).
Results
In this last stage, the objective is to gather all the evidence collected, examined and analyzed and present a report establishing the materiality of the crime. The methodologies, tools, techniques and information that prove the integrity of the data should be included in the report. The document shall state the result and present the digital evidence found in the materials examined, as well as indicate the main procedures performed, including the techniques used.
For this phase to be carried out completely and successfully, the expert must: prepare the forensic report and attach the evidence and documents related and relevant to the examination (all relating to the evidence processed). In view of the above, we emphasize that all the elements, data and information obtained and processed follow a logical and chronological cycle that constitutes the criminal investigation process, synthetically illustrated in the next figure.
Criminal forensics case.
Processing does not necessarily require equipment or a laboratory. Often, the expert needs to process and analyze the trace at the crime scene itself. For example, at a crime scene where blood stains are sought, the first question the expert should ask is: is the stain visible? If not, processing should begin using, for example, luminol. If the stain is chemiluminescent after processing with luminol, the expert proceeds to analysis, collection and preservation of the material. Luminol is a presumptive test: the glow indicates possible blood and must be confirmed by further testing, since other substances can also react.
Still in the field of biology, another classic example of processing and analysis can be glimpsed in the forensic genetics laboratory, where biological material enters crudely, is processed by DNA extraction, and has the extracted genetic profile analyzed by the expert who will issue a report.
Forensic Report
Of the various technical-scientific expert documents, the forensic report is the most complete, because it materializes the result of the examination performed and answers the questions put to it by the judge, the police chief, etc., describing in detail everything examined, following a methodology appropriate to the case, and finally reaching a conclusion.
As seen earlier, this document may have a variable structure, but most authors agree on the following basic parts: preamble, history (optional), objective, examinations, and conclusion or answers to the questions. The table below describes what each of these items should contain.
Basic items of a Forensic Report.

| ITEM | DESCRIPTION |
| --- | --- |
| Title | Identifies the type of report: crime scene examination, examination of computer equipment, etc. |
| Preamble | Preliminary part giving the information on the designation of the expert and the request for the examination. |
| History | Optional item presenting the information, facts and circumstances that contribute to a systemic understanding of the events, their dynamics, and the materiality and authorship of the unlawful act. |
| Purpose of the examinations | Describes the purpose of the examinations performed, in compliance with the items requested. |
| Examinations | Part of the report in which the expert indicates the technique or method used, clarifies it, and demonstrates the science applied to the analysis of the traces. |
| Conclusion and answers to the questions | Final part of the forensic report, which closes the technical-expert analysis. Depending on the results obtained, this section may be conclusive or inconclusive; in either case the expert must categorically substantiate the reasons for the result. |
The main characteristic of the criminal forensic report is that all parties to the proceedings can use it at every stage, since it is a unique technical document. Only the official expert, who must hold a higher education degree, is qualified to carry out the examination of the corpus delicti and the other expert examinations that produce it.
As for its preparation, the experts will draw up the forensic report, describing in detail what they examined and answering the questions put to them; the law also sets, in a sole paragraph of the same provision, the deadline for drafting the document: the report shall be prepared within a maximum of 10 days, a period that may be extended in exceptional cases at the request of the experts. The report may, however, be rejected by the court: the judge is not bound by it and may accept or reject it, in whole or in part.
After completion, the report is forwarded to the requesting authority (police chief, judge, or others). Once the judge has accepted the prosecutor's complaint, and provided the expert has finalized the report, the parties may appoint technical assistants to review it. The experts may also have to answer supplementary questions to clarify the forensic report for the judge, the prosecutor and the lawyers.
Technical Report
This is a document whose objective is to clarify something to someone. Unlike the forensic report, the technical report aims to elucidate or contest facts of a case that require further clarification or challenge, and may be structured around an examination of its own or around an opinion on work (a forensic report, for example) previously produced by official experts.
For example: John does not agree with the result of an official report on a traffic accident in which he was involved, so he hires Paul as a technical assistant to issue an opinion on the technical quality of the accident report, looking for flaws in the document. In this case, Paul will issue a technical report.
Therefore, the technical report is always tied to a specific objective (clarifying or contesting something), excluding from its analysis information that does not contribute to, or is not necessary for, the clarification (or contestation) of the facts in question. In the hypothetical situation above, the technical assistant (Paul) will analyze and give his opinion on the facts that support his client's (John's) arguments, seeking technical grounds that support that thesis, always, of course, based on ethics and truth.
The technical report also applies when authorities request clarification and no full expert examination is needed, but a case (real or hypothetical) must be analyzed before statements or reports are finalized, to technically verify the logic of what is being asserted, or when specialized technical knowledge is essential to evaluate or analyze a given situation.
Finally, the technical report has a multitude of applications, and its content may range from real facts to hypothetical situations that serve as a parameter for other examinations or considerations. It is worth noting that the internal structure of the technical report is very similar to that of the forensic report, but there is no basic or standard rule for opinions.
Preservation and Storage
Preserving or storing a trace is the procedure of keeping, under appropriate conditions, the material to be processed, stored for counter-examination, discarded or transported, linked to the corresponding report number.
One of the essential conditions for maintaining the chain of custody is that every forensic unit must have a custody center for the custody and control of traces. The trace custody center is a controlled environment where access, temperature, pressure and humidity are closely monitored. Each type of trace requires specific storage: a corpse, for example, must be refrigerated, while a mobile device must be kept away from moisture and electromagnetic interference (a powered-on phone, for instance, is kept in a shielded Faraday bag so that it cannot receive a remote wipe command before examination).
Just as the forensic bodies have a custody center, the other bodies must have provisional trace centers, where traces are kept until they are forwarded to the trace custody center. The trace custody center is a structure of the forensic body that is fundamental to the search for justice. There are numerous cases of acquittal or conviction based on traces re-examined years later, which was only possible because the forensic bodies had a trace custody center that kept them after the trial. The center is therefore an instrument of justice, because it allows traces to be reanalyzed in the light of the evolution of the forensic sciences.
Examples of custody centers.
Discard
Disposal of the trace is the last phase of the chain of custody. It is the procedure for releasing the trace, in accordance with current legislation and, where applicable, with judicial authorization.
Disposal of traces, in addition to requiring judicial authorization, must follow biosafety and environmental rules, and each trace follows a specific disposal rule. A mobile device, for example, cannot simply be thrown into ordinary waste: disposal requires sanitization of the data in memory and correct disposal of the electronic components, to protect both the privacy of the information and the environment. Each type of material has an appropriate disposal technique, especially contaminating materials. The most common discarded trace is biological; biological traces and the materials used to collect them, such as gloves and swabs, must therefore be discarded in accordance with the rules for biological waste.
It is common at crime scenes for health and safety professionals to wear gloves and leave them at the scene, in violation of waste disposal rules. This procedural error can lead to contamination and alteration of the scene context. Performing disposal procedures correctly is therefore essential.
Hazardous or highly contaminating waste, such as radioactive, chemical, explosive and infecting, must follow specific regulatory standards and legislation.
To complete the phase of disposal of traces, it is important to highlight the permanent archival value of photographs, videos, data, or any document of interest to justice.
RECOGNITION AND TREATMENT OF A CYBER TRACE
Initially, the term ‘computer’ was adopted in the seventeenth century to describe a person who performed mathematical calculations and did not even dream of the electronic devices we have today. However, the act of computing is much earlier and one of the first known computing instruments is the abacus.
Abacus.
The process of learning in the recognition of traces is as constant as innovations in the world of crime and technology. Technological advances allow new knowledge to be used for good and evil. In this last hypothesis, traces with distinct characteristics from those recognized in the recent past begin to emerge.
The latest example is associated with cybercrime and cyber investigations. The routine use of computers and other devices with embedded technology generates analyzable traces, including during the criminal act itself, before it becomes detached from electronic means. These traces may take several forms, but they are generically called cyber traces and are today considered the most complex found at crime scenes, permeating all areas of forensic sciences.
A cyber trace is one of the richest sources for elucidating crimes, especially homicides, suicides, infanticides, drug trafficking and money laundering, since it is now common to inform and communicate through the computing environment. The cyber trace is one of the most frequently present and most important traces at the crime scene, but it is also the one that requires the greatest preparation from the agent for its recognition.
The first step to recognizing a trace, whether cybernetic or not, is to be able to see if it is in an immediate, mediated, or related area. To see the immediate, mediated and related areas, it is often necessary to use the zoom in/zoom out technique, because it allows the professional to have a panoramic and specific view of the crime scene. The electronic devices so present in our daily life leave a series of traces, which can allow an examination to determine by whom, when and for what purpose these devices were used. These elements, called cybernetic artifacts or traces, have different forms, and have become crucial in the most diverse areas of criminal or private investigations.
A classification widely used in criminal investigations involving cyber traces, but which can be carried over to the civil sphere, is the division into proper and improper computer crimes. In the first, the object of the crime is the computer itself or the information system, as happens in cases of false insertion of data in a public database or the defacement (graffiti) of a website. In the second, the crime is considered improper when the computer is merely the instrument used to perform the act, as in the case of exchanging messages about the payment of bribes to a public servant.
Working on cases involving cyber traces will require the professional's deep technical knowledge, under penalty of loss of information crucial to the investigation or even the non-recognition of the trace. The professional will need to learn how to select the equipment and delimit the information that will be examined, avoiding the collection of expendable information – or, worse, letting go of the essentials.
The recognition of the cyber trace begins by identifying whether the area covered will be immediate, mediated or related.
The following figure shows an overview and schematic of how a cyber trace can be found at a crime scene. Computer 1 would be the focal point of the crime scene; by comparison with a homicide scene, it is where the body lies. However, the good professional should be able to recognize that Computer 1 is connected to Computers 2, 3, 4, and 5, as well as to another Computer 6 on a cloud service (Cloud-as-Service).
Schematized view of a cyber trace at the crime scene.
The search for traces at a crime scene will take place in every immediate, mediated and related area. Therefore, when encountering a crime scene, the public agent must strictly follow the first step of the chain of custody and know how to recognize traces in the immediate, mediated and related areas.
To know how to recognize a cyber trace, it is important to know at least its constitution, its behavior, and its environment. To make the complexity of a cyber trace more palpable, we will make an analogy with the human body, bringing the concepts of anatomy and physiology into the cyber domain.
Looking at the history of these concepts, as a reference for building knowledge, one notices that many public agents have already stumbled over the terms computing and computer science. Are they the same? Computing comes from the act of computing, having the abacus as one of its first instruments. Computer science, on the other hand, is automated information, with computer programs (software) as its greatest exponent.
Overcoming this preliminary concept, it is important to conceptualize what a computer is. The easiest way to understand a computer is by the cause-and-effect system. The computer, as shown below, is nothing more than a central box, with inputs and outputs, that performs data processing and/or storage.
Simplified diagram of a computer.
Whenever the agent comes across a computer at a crime scene, it is important to keep in mind the figure above, as it helps as a historical reference to build knowledge. The figure below shows the classic external anatomy of a computer to help exercise your ability to recognize a cyber trace and your referential level.
Classical anatomy of a computer.
The computer is treated here as a broad concept, covering desktop, laptop, mobile device, i.e., any computer device.
To recognize a cyber trace, one must be aware that a computer has an external anatomy. So, a question that comes to mind is: Do all computers have the same external anatomy?
No. Below are examples of the various anatomies found in everyday life, which shows the variety of devices present in the daily life of the professional who makes the recognition of traces at crime scenes.
Examples of external anatomy of computers.
Didactically, we can classify computers by their external anatomy or functional application into four large groups:
- Desktop computers - desktop, workstation, and all-in-one.
- Laptops - notebook, netbook, Ultrabook.
- Servers - computers with greater processing or storage capacity, responsible for providing services to customers.
- Wearable or implantable computers – portable computers that can be wearable or implantable by orthosis, prostheses or nanorobots.
The external anatomy of computer devices does not always follow the classical pattern. See figure below. Are you able to distinguish what these devices are?
The devices in the figure above are examples of how traces may have a similar external anatomy but be of a completely different nature: while the first is a nettop-type computer, the second is a modem. Knowing how to distinguish the external anatomy of a trace is part of the training of the security agent, so that he or she is able to see a trace at a crime scene or in a search and seizure. However, it is also important to know the internal anatomy of the trace, as this allows one to identify the potential of certain objects to become evidence.
A common error involves what is popularly called the CPU, that is, the system unit: when it reaches the forensic laboratory for analysis, the agent finds that it is only a computer enclosure, with no CPU or any other electronics inside. In a simplified way, and making an analogy with a self-propelled vehicle, we can consider that the internal anatomy of a computer is composed of a chassis on top of which the various components are mounted. The chassis is the motherboard, into which components such as the processor, memory and input and output devices are inserted. All computer equipment follows this internal anatomy:
- Processor or CPU - is the component responsible for the calculations performed by the computer.
- Main memory, volatile or RAM – is the component that stores the most frequently used data that is lost if the equipment shuts down.
- Secondary memory, non-volatile, or computer storage device/media – is the component in which data is stored on a perennial device, that is, it is kept even with the device turned off (e.g., hard disk, solid state disk (SSD), thumb drive, and memory card).
- Input device - equipment by which data is inserted into the computer (for example, keyboard, mouse, and scanner).
- Output device - equipment by which information is presented to the user (for example, monitor and printer).
The main components of the internal anatomy of a computer, and the ones that carry the highest probative interest, are the memories. That is why it is important to know how to identify them in the internal anatomy of a cyber trace.
It is essential that the professional knows how to distinguish a volatile memory from a nonvolatile one.
In volatile memory, the data is not retained when the computer is turned off. The classic example is RAM. Non-volatile memory is perennial: when the computer is turned off, the data is not lost. The classic example is the hard disk (HD). Any analogy made about the external and internal anatomy of the cyber trace can be extrapolated to other types of trace, and is an essential condition for recognition at the crime scene.
Knowing the external anatomy allows immediate recognition, while knowing the internal anatomy allows recognizing the potential probative content. In addition to recognizing the internal and external anatomies of a trace, another concept is fundamental: to recognize physiology.
All components of anatomy relate to hardware, but to function properly, a computer also needs software. Two of the main types of software, in the basic context of computer physiology, are:
- Operating system - main program of a computer, being responsible for managing hardware resources and controlling other software (e.g., Microsoft Windows, Linux and macOS).
- File system - program that controls how files will be stored and retrieved from storage devices (e.g., NTFS, FAT32 and EXT4).
As much as the trace seems inanimate, static, lifeless, the analogy with physiology helps us recognize its behavior. Physiology is the study of the functioning and functions of a trace, which can be mechanical, physical, biochemical, etc., and gains complexity according to the nature of the trace and the environment in which it is inserted. It is not limited to the trace itself, but takes a transdisciplinary look that can involve laws of thermodynamics, electricity, gravity, meteorology, biology, and computing.
To better understand the concept of the physiology of a trace, take a watch as an example. The purpose of the watch is to indicate the time, and its external anatomy demonstrates this. However, for the security agent who will handle the trace, knowing how to look at the hands of the watch and read the time is not enough. One needs to understand what happens inside the watch and what can happen if an action is performed. What is inside the watch, and what keeps it running? Do all watches have the same physiology? What can affect its operation or degrade it?
The agent who recognizes a trace should be able to answer such questions when encountering a crime scene. Here the example is a watch, but it could be a cell phone, a blood stain, a corpse. Can you tell what happens when a computer is turned off and someone presses the power button? Imagine that the public safety officer is on a search and seizure operation and finds a powered-off computer in the target's house. This agent needs to decide whether to seize the computer as it is or turn it on to verify its contents at the time of the search. To make this decision, he must be aware of the physiology of the trace found, that is, of what will occur when the button is pushed. The figure below shows the physiological boot sequence of the computer.
By pressing the power button, the computer immediately triggers the power-on self-test (POST), which tests and starts the machine's components, such as monitors, disks, and memory. It then searches for the operating system (bootstrap) on a storage unit, and from that point on the operating system takes control of the machine.
Computer startup physiology.
After the startup of all components, the operating system, which is nothing more than a set of programs with function of managing the system resources, takes control of memory, processor, and files, providing an interface between the machine and the user.
Therefore, the simple gesture of turning on a computer generates a series of physiological reactions that can unintentionally change the content.
It is important to highlight the complexity of a cyber trace. Each operating system behaves specifically, and it is up to the security agent to know them to act efficiently in the face of the trace. For desktop, laptops and servers, there are hundreds of versions of operating systems, the most common being Ubuntu, Mac OS, Microsoft Windows, CentOS, Debian, Fedora, Google Chrome OS, OpenSuSE, Slackware and Mint. Similarly, for mobile devices, there are a multitude of versions, the most common being iOS, Android, and Windows.
We can then affirm that recognizing a cyber trace is not an easy task and requires a close look from the professional. However, there are traces that are easily recognized and often appear at crime scenes.
Recognition of the Most Common Cyber Trace
The cyber trace of greatest interest to justice is related to data on storage devices. It is possible to list the most common storage devices in crime scenes so that the professional can train his or her look at them. The figure below shows a punched card, which many fail to recognize as a source of data storage because of its obsolescence.
Punched card.
It may seem strange, in times of quantum computing, to talk about something so old. However, just as we are in times of daily technology exchange, we are in times of a retro wave. Vinyl records reappear, and a punched card or other obsolete devices may contain information relevant to the resolution of a case. For those who do not know, the punched card was designed by IBM to serve as memory for the first computers.
The evolution of the punched card, as shown in the figure below, is the punched tape, or paper tape, which, like the punched card, is a rather obsolete way of storing data on long strips of paper or plastic that were perforated to record information.
Following the evolutionary path of technology, as also shown in the figure, magnetic tapes emerged, practically a revolution in the form of storage.
Perforated Tape and Magnetic Tape.
Amazingly, magnetic tapes are still used in the world as one of the most common forms of backup. Therefore, if, in a crime scene or search and seizure, such a device is found, there is a good chance of significant volumes of information stored.
Mechanical hard drives are the most popular when we talk about home users. Known by the English term Hard Disk Drive (HDD), and shown in the following figure, these disks are the most popular non-volatile memory. In their early days, in 1956, these disks stored 5 megabytes, something unimaginable today, when we have disks of 10 terabytes.
Hard disk.
Another computer storage media that looks obsolete but is constantly found at crime scenes is the floppy. Famous for the characteristic noise of writing and reading, it is still an option of criminals.
In the figure below, we can see examples of floppy disks and their evolution in capacity: the zip drive, which, despite having an external anatomy very similar to the floppy, has a larger capacity. In addition, one of the most popular storage media, also shown in the figure, is optical media, the popularly known CDs and DVDs.
Diskette, Zip Drive and Optical Media.
Although computer equipment with optical media readers is now rare, optical media are still very common at crime scenes and search and seizure sites.
The flagship of storage media is undoubtedly flash memory. This memory was revolutionary, moving from the era of mechanical storage to the era of electronic storage.
The exponents of flash memories, as we see in the figure below, are the thumb drive and memory card.
Flash memories.
The flash drive is the most used device for transporting files, especially from one computer to another. Memory cards are widely used in cameras and mobile phones.
Recognition of Camouflaged Media
Camouflage is the technique or method used to disguise, hide, or make something imperceptible in the environment in which it is located. Just as camouflage can be used in security and defense force equipment for protection, it can be used in the criminal environment to hide or confuse certain traces. In the face of camouflage, the professional must redouble his attention to be able to correctly recognize a trace.
The cyber trace can be camouflaged in a variety of ways. The figure below shows examples of human creativity in cloaking a thumb drive.
Example of camouflaged media.
It is important to note that the external anatomy of a cyber trace can differ significantly from the classic pattern of thumb drives and hard drives. To exercise the recognition of camouflaged media, we recommend the study of biomimetics, because camouflage is often based on creative principles and strategies found in nature. Especially in cyber traces, biomimetics is used as a source of inspiration for technological innovation. For example, technological innovations in genetic algorithms, computer networks, social networks, design, etc., are often the result of nature's strategies. Thus, understanding biomimetics allows the professional to broaden the field of view and take an innovative look at the crime scene.
Whenever we talk about recognition of cyber traces and technology, we must remember that the human mind has no creational limits.
In the 21st century, transformational innovations require the public security professional to overcome mental models and rigid processes that block the possibility of recognizing a trace. He must be prepared for disruptive thinking at a crime scene, as not everything follows the traditional model and not everything is known. It is necessary to build knowledge to see the trace.
CYBER TRACE COLLECTION
The cyber trace is one of the traces of greatest volatility and of greatest complexity in isolation, fixation and collection. The first phase of the collection is to prevent the investigated trace from undergoing alterations, ensuring its validity as evidence in the future. It is important to emphasize that this is not always possible, since the investigator's own interaction with the trace can change it.
To preserve it, it is of paramount importance to plan the operation, especially when it comes to search and seizure. Given the importance of cyber trace collection, a Standard Operating Procedure was created for this modality of search and seizure. The procedure recommends the participation of criminal experts in computing in the planning of the operation, precisely to preserve the trace and minimize the chances of loss.
It is recommended that the search and seizure of cyber traces is always preceded and planned to cover at least the following procedures:
- Court order for the collection of cyber information – obtaining judicial authorization to remotely collect information about the search and seizure target, including network scanning, cloud services, access and vulnerability search, monitoring, telematic and environmental interception by the cyber environment (including audio and video collection from cell phone cameras and CCTV).
- Collection of information – collect relevant information from the target, such as branch of operation, existence of branches or other households, services provided, physical and remote addresses (cloud services), e-mail, IMEI (International Mobile Equipment Identity) of mobile phones, systems used, network infrastructure, etc.
- Network mapping and scanning – map the target's network to discover all network topology, IP addresses used, connected computers, operating systems, open ports, etc.
- Enumeration of services, access, and search for vulnerabilities - search for services and systems running on the target that contain vulnerabilities or allow monitoring and collection of remote traces.
- Remote data collection - collect as much data as possible before the search and seizure operation.
- Preservation of cyber traces – based on the information collected, issue letters to application and connection providers to preserve data (backup) of the accounts used by the target.
Once planning, preservation and remote data collection are complete, the search and seizure teams may encounter a multitude of scenarios. However, good planning makes it possible to minimize surprises. The two most common scenarios boil down to the presence of desktop computers, notebooks, servers, and mobile devices. When arriving at a search and seizure site or crime scene, the recommendation is to evaluate each situation individually in order to preserve the greatest number of traces.
If the computer is turned on, it is essential that volatile memory is collected, especially RAM. We remind you that all trace manipulation should be documented and reported in detail with date and time. In most cases, the procedure adopted for the preservation of computational storage media is forensic duplication, which consists of the exact copy of all the bits contained in the questioned media into an image file. It is not uncommon for computational storage media to be duplicated at the search location itself; however, as this is a time-intensive process, it is recommended that it be performed in the laboratory. The isolation phase prevents the investigated trace from undergoing alterations, ensuring its validity as evidence in the future.
Imagine the following situation: during an investigation, the agent comes to a computer turned on and unlocked. The protocol adopted formerly recommended turning off the equipment, disconnecting it from the outlet or removing its battery. Suppose, however, that the user's files were encrypted. By shutting down the computer without any prior analysis, this information would receive an additional layer of encryption, impairing future scans. Thus, the current recommendation is to evaluate each situation individually and, if necessary, even copy the data deemed relevant before turning off the equipment.
It is worth remembering that all this interaction does not invalidate the trace. So how does one answer questions about possible improper computer manipulation? From the documentation. The investigator must record all interactions he/she makes, from the first contact with the equipment until its shutdown.
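The forensic duplication and documentation just described, as an added example that is not the authors' code: it copies a constructed sample "media" file bit for bit into an image, hashes source and image with SHA-256, appends a UTC-timestamped record to a chain-of-custody log, and later re-verifies the image against that log. The file names, the JSON log format and the 3 MiB sample content are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large media do not exhaust memory


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def forensic_duplicate(source, image, log_path):
    """Copy every byte of `source` into `image`, hash both sides and append a
    timestamped JSON record to `log_path` (the chain-of-custody documentation)."""
    started = datetime.now(timezone.utc).isoformat()
    source_digest = hashlib.sha256()
    copied = 0
    # The source is opened read-only; on physical media a hardware write blocker
    # should additionally guarantee that nothing is ever written to it.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_digest.update(block)  # hash the bytes exactly as they were read...
            dst.write(block)             # ...and write those same bytes to the image
            copied += len(block)
    image_sha256 = sha256_of_file(image)  # re-read the finished image independently
    record = {
        "source": source,
        "image": image,
        "log": log_path,
        "bytes_copied": copied,
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": image_sha256,
        "verified": source_digest.hexdigest() == image_sha256,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image, log_path):
    """Later re-verification (e.g. in the laboratory): re-hash the image and
    compare it with the hash recorded at collection time."""
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    matching = [r for r in records if r["image"] == image]
    if not matching:
        return False  # no collection record: the image cannot be trusted
    return sha256_of_file(image) == matching[-1]["image_sha256"]


def demo():
    """Run the whole procedure on a constructed 3 MiB 'media' file (not real evidence)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "questioned_media.bin")
    data = bytes(range(256)) * (3 * 4096)  # constructed sample content, 3 MiB
    with open(source, "wb") as f:
        f.write(data)
    record = forensic_duplicate(
        source, os.path.join(workdir, "media.dd"), os.path.join(workdir, "custody.log")
    )
    record["expected_sha256"] = hashlib.sha256(data).hexdigest()  # ground truth for checking
    record["reverified"] = verify_image(record["image"], record["log"])
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```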
From this point, we will show some of the techniques and everyday tools used to identify the most varied cyber traces, coming from both computers and the internet. The main objective is to focus on the traces that are most likely to determine the authorship of the investigated incident.
Computer Traces Collection
Considering that the Microsoft Windows family of operating systems is the most popular, both in the corporate and home environments, we will emphasize these systems. The collection of traces in computers, as well as in any other computer equipment, must follow the order of volatility. However, some traces are classic and must be collected.
Log files keep historical records of occurrences related to the operation of the operating system and other applications. They are extremely useful for documenting what happened on a computer chronologically.
On Linux and Unix systems, these files are in text format, which allows them to be read easily by most text editors, such as Notepad. It is worth noting, however, that this application does not work very well with large files. Therefore, the investigator may prefer to use other options, such as Notepad++.
On Windows systems, log files are called event logs and have a different format, called Binary XML (BXML). The best way to view them is to use the Event Viewer itself, present by default in Windows. The following figure shows an example event record in which the following were highlighted: the event identifier, description, date, responsible user, and additional information, which varies depending on the type of event displayed. The example shown is a case in which the credentials used to log on to the computer were incorrect.
Example of Windows event.
The recycle bin is also a classic location for collecting traces, as it is a special folder, present on operating systems with a graphical interface, to which files deleted by the user are moved. Typically, each user has his or her own recycle bin. Files sent to this location are usually renamed, but the renaming is easily reversed with the appropriate tools. On Windows systems, for each file sent to the recycle bin, two files are created, as shown in the following figure.
Files sent to the recycle bin
The file itself receives a new name, starting with $R and followed by six random characters. Its extension remains the same. The second file starts with $I, followed by the same six characters, and contains information about the original file, such as size, date it was deleted, and the original name.
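Decoding the $I metadata file and pairing it with its $R counterpart, as an added example that is not the authors' code or any tool named on the page. The byte layout used here (version 1 for Vista/7 with a fixed 520-byte path, version 2 for Windows 10 and later with a length-prefixed path) is the documented $I format and is stated as an assumption; the file name, size and deletion time are constructed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used only to build the sample record)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data):
    """Decode a $I record into size, deletion time and original path.

    Assumed layout (documented format):
      version 1: int64 version, int64 size, int64 FILETIME, 520 bytes UTF-16LE path
      version 2: int64 version, int64 size, int64 FILETIME, uint32 path length, UTF-16LE path
    """
    if len(data) < 24:
        raise ValueError("record too short to be a $I file")
    version, size, ft = struct.unpack_from("<qqq", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)  # includes the terminating null
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]  # cut at the first null
    return {
        "version": version,
        "size": size,
        "deleted_utc": filetime_to_datetime(ft),
        "original_path": path,
    }


def pair_recycle_entries(names):
    """Match each $I metadata file to its $R content file by the shared 6-character id;
    the value is None when the $R half is missing (content already overwritten or gone)."""
    content = {n[2:8]: n for n in names if n.startswith("$R")}
    return {n: content.get(n[2:8]) for n in names if n.startswith("$I")}


# Constructed sample values; none of this is a real artifact.
SAMPLE_PATH = r"C:\Users\analyst\Documents\contract.docx"
SAMPLE_SIZE = 48213
SAMPLE_DELETED = datetime(2021, 3, 15, 10, 30, 0, tzinfo=timezone.utc)


def build_sample(version):
    """Build a $I record for the sample file in the requested layout version."""
    ft = datetime_to_filetime(SAMPLE_DELETED)
    path_bytes = SAMPLE_PATH.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<qqq", version, SAMPLE_SIZE, ft)
    if version == 1:
        return head + path_bytes.ljust(520, b"\x00")
    return head + struct.pack("<I", len(SAMPLE_PATH) + 1) + path_bytes


if __name__ == "__main__":
    for v in (1, 2):
        print(parse_dollar_i(build_sample(v)))
    print(pair_recycle_entries(["$IABC123.docx", "$RABC123.docx", "$IXYZ789.pdf"]))
```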
Another classic collection location is shortcut-type files, which allow users to access programs without worrying about their actual location. For example, you can open a spending control worksheet located in the My Documents folder from a shortcut on the desktop.
On Windows operating systems, this type of file maintains a lot of extremely useful information, even after deleting the target file. The figure below shows some of the information obtained from a shortcut file through the Windows File Analyzer software.
Windows File Analyzer program screen.
Thumbnails are reduced copies of image and video files. They are very useful for identifying the presence of an image that has already been deleted from the system. In Windows, these files follow the "thumbcache_XXXX.db" naming scheme, with XXXX being the resolution of the stored thumbnails. They are located in Users\<user>\AppData\Local\Microsoft\Windows\Explorer.
The Windows registry is a database that stores information hierarchically about the operating system, installed applications, and system users. Its structure resembles that of folders and files shown via Windows Explorer. In addition to storing information about system settings, the registry functions as a kind of log file, allowing you to identify when a user has run a particular program, for example. The figure below shows an image of the record viewed by the Registry Editor program.
Registry editor.
Although it appears as a single tree in the previous image, the Windows registry is composed of several files located in different folders. The table below shows some essential information about these files.
Top Windows registry files.
File | Directory | Path in the Registry Editor | Observation
---|---|---|---
BCD | Boot or EFI\Microsoft\Boot | HKEY_LOCAL_MACHINE\BCD0000000 | Information about operating system startup
SAM | Windows\System32\Config | HKEY_LOCAL_MACHINE\SAM | Database containing user accounts, passwords, and groups
SECURITY | Windows\System32\Config | HKEY_LOCAL_MACHINE\SECURITY | User and local computer security policies
SOFTWARE | Windows\System32\Config | HKEY_LOCAL_MACHINE\SOFTWARE | Application settings and some Windows settings
SYSTEM | Windows\System32\Config | HKEY_LOCAL_MACHINE\SYSTEM | Operating system settings
NTUSER.DAT | Users\<user> | HKEY_USERS\<user> | User settings
An excellent tool used for registry analysis is RegRipper, which has a series of plug-ins to interpret the information stored in this database. The figure below, for example, shows the RegRipper report for applications run by a user.
RegRipper running.
RAM is where information is stored in a volatile way: its contents are lost if the computer shuts down. Examples of this type of information are the clipboard, active network connections, running processes, and even passwords. Therefore, to safeguard this information, it is critical to preserve the contents of RAM. For this, there are several tools, such as FTK Imager, Redline, MoonSols, Windows Memory Toolkit and RAM Capturer. RAM is one of the most important cyber traces and should be collected, as it may contain decisive information for case resolution and for the laboratory analysis of the cyber trace. Once captured, its contents can be analyzed with the Volatility application or an equivalent.
Internet Traces Collection
As so much is now informed and communicated through the computing environment, especially the worldwide network of computers, social networks, web pages and messages are very rich sources for the collection of cyber traces. Browsing history and email are classic traces and must be collected.
Since the browser is one of the most used programs by internet users, it is essential to know what types of traces browsers leave on a computer:
- History - addresses of the websites visited by the user. Most browsers allow the user to delete this history or even disable it, a feature known as incognito mode.
- Cache – a local copy of files accessed by the browser, which speeds up later access to the sites already visited.
- Cookie – a text file stored locally by the browser that contains information about the user's authentication, preferences, or purchases.
These artifacts can be found in the user profile folder. Their format and location vary depending on the operating system and browser used. Some of the recommended programs for analyzing the traces left by browsers are BrowsingHistoryView, ChromeHistoryView and IEHistoryView, all from the manufacturer NirSoft.
Email is still a widely used form of communication. One of the most common requests involving the internet is precisely the identification of the origin of an e-mail message.
To achieve this goal, you need to search for information that goes beyond what is displayed by default by email client programs. An e-mail message can be divided into three parts:
- Body - is the part of the message displayed to users in email programs.
- Attachments - are files sent along with the message and widely used for the transmission of malicious programs.
- Header – the part that is not normally shown by email applications and that contains information about message routing, indicating the IP addresses of the servers the message has passed through. In some email software, it is called the message source. This is the part of the message that helps determine its origin.
Header of an e-mail message.
The header can be divided into sections that begin with the word 'Received'. These sections are the most important part of the header, since they indicate the IP addresses of the email servers through which the message transited. Each section also tells when the message passed through that server, including the time zone. If preferred, the reader can use an automated analysis tool, such as the one available at the following address: https://whatismyipaddress.com/trace-email. The figure below shows the same header after being submitted to the mentioned site.
Analysis of the message header.
In possession of the initial IP address, the analyst can already identify the responsible provider to then identify the author of the message. Details on how to find the provider responsible for an IP address will be seen in the next section.
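The walk through the Received sections described above, as an added example that is not the authors' code: it parses a constructed message, extracts from each Received line the IP of the sending host, the receiving server and the timestamp (normalized to UTC), and lists the hops in transit order so that the originating IP comes first. The message, host names and IP addresses (documentation ranges) are constructed for the example.

```python
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed message; the IP addresses are documentation ranges, not real servers.
RAW_MESSAGE = b"""Return-Path: <sender@example.net>
Received: from mx2.example.org (mx2.example.org [198.51.100.25])
\tby inbound.example.com with ESMTP id 7Qk3Lz;
\tTue, 12 Mar 2019 14:05:12 -0300
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx2.example.org with ESMTPS id a1b2c3;
\tTue, 12 Mar 2019 17:04:58 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby mail.example.net with ESMTPA id x9y8z7;
\tTue, 12 Mar 2019 13:04:40 -0400
From: sender@example.net
To: recipient@example.com
Subject: constructed sample
Message-ID: <constructed@example.net>

Body text.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # the bracketed IP of the "from" host
BY_HOST = re.compile(r"\bby\s+([^\s;]+)")            # the server that wrote the line


def parse_received(value):
    """Turn one Received section into the fields the investigator needs."""
    text = " ".join(value.split())  # unfold the continuation lines
    ip = IPV4.search(text)
    by = BY_HOST.search(text)
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
    when = parsedate_to_datetime(stamp).astimezone(timezone.utc) if stamp else None
    return {
        "from_ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "time_utc": when,
    }


def trace_received(raw):
    """Return the hops in transit order (the sender's server first).

    Each server prepends its own Received line, so the header order is the
    reverse of the path the message took."""
    msg = email.message_from_bytes(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def originating_ip(raw):
    """IP of the first hop. Only the lines added by servers the analyst trusts
    are reliable: a sender can forge any Received line below them, so the
    chain should be read from the receiving side downwards."""
    hops = trace_received(raw)
    return hops[0]["from_ip"] if hops else None


if __name__ == "__main__":
    for hop in trace_received(RAW_MESSAGE):
        print(hop["time_utc"].isoformat(), hop["from_ip"], "->", hop["by"])
    print("originating IP:", originating_ip(RAW_MESSAGE))
```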
Investigating the publication of content is one of the most common internet-related requests. Bearing in mind that information published in this medium is highly volatile, this content should be preserved as soon as possible, allowing its use as evidence and enabling it to be examined even if the content is later deleted.
The most suitable way to save information from a single page or an entire site is to use tools such as wget and curl, for command-line use, and HTTrack, for those who prefer a graphical interface.
But what if the content has already been removed from the internet? Before you panic, two approaches remain. The first is to use a little-known option of search services such as Google and Bing: the cache, shown in the next figure.
Option to view the cached copy of a web page by Google.
The second option is to go to the Wayback Machine service, located at http://archive.org/web, which maintains historical versions of many websites. Figure 4.10, for example, shows what NASA's website looked like on 06/05/1997, as returned by that service.
Old version of the NASA website.
After the content is preserved, the next step is to identify the person responsible for its publication. This can be done by looking up who is responsible for the domain under investigation, using services such as Registro.BR, InterNIC and Network Solutions, or commands such as whois, which is usually present on Linux and Unix systems. The figure below shows the result of the query for the domain brasil.gov.br.
Domain information brasil.gov.br.
It is noteworthy that the same domain identification procedures can also be used to determine the provider responsible for an IP address.
Cell Phone Traces Collection
To illustrate the collection of a cyber trace, consider three possible scenarios involving a cell phone at a crime scene.
The first scenario is a mobile device that is switched on and unlocked. What should one do to properly isolate, fix, and collect this trace?
If the professional turns the device off, the locking mechanism may engage, with possible loss of access to the data in memory because of a security system that cannot be broken.
If the professional leaves the device on, a command may be received over the internet to wipe all data, or data may be overwritten by incoming calls or messages.
Therefore, in this scenario, it is important to isolate the cell phone by placing it in airplane mode or in a Faraday bag (next figure). Whenever possible, disable the automatic lock, enable USB debugging and turn off the device. If these procedures cannot be performed, increase the automatic lock timeout, keep the device charged, and take it immediately to a laboratory.
Faraday bag.
After turning off the mobile device, it is important, whenever possible, to remove the battery and secure it with insulating tape to the body of the device, and to remove the SIM card and number it according to the slot from which it was extracted.
In the second scenario, the professional finds a mobile device that is switched on and locked with a password. What is to be done?
As already said, if the device is left on, a command may be received over the internet to wipe all data, or data may be overwritten by incoming calls or messages. The locked-phone scenario is the most frequent, because most mobile devices support password locking and users configure this mechanism to lock the cell phone.
Since the lock engages after a few seconds of inactivity, the professional usually finds the cell phone at the crime scene already locked. It is recommended to search for the password, either by asking a relative or spouse, or by examining notes and other electronic devices.
At crime scenes, the owner or user of the mobile phone has often died. When the mobile device is locked by a biometric credential, such as facial recognition or a fingerprint, it is recommended that the professional collecting the trace try to unlock the device on site using the victim's face or fingerprint.
In the third scenario, the cell phone is turned off. What should one do to isolate, fix and collect the trace?
Any cyber trace found turned off at a crime scene or during a search and seizure should be kept off. The protocol of removing the battery and attaching it with insulating tape to the device's screen should then be followed, as should removing the SIM card and numbering it according to the slot from which it was extracted. We remind the reader that, in any of the scenarios, the professional must always follow the procedures of isolation (protection against degradation and contamination), fixation (sketch, photograph, video, georeferencing of the trace) and chain of custody (proper packaging, sealing, documentation).
Trace collection should follow an order of volatility and importance to the case. Imagine that at the scene of an alleged murder, a residence, a cell phone is found in the garden. It is on, and it is not possible to tell by observation whether it is locked, wiped, and so on. What procedure should be performed? Isolate the cell phone by trying to put it into airplane mode? What matters most for solving the murder case: the data on the cell phone, or who handled the device?
The professional must make this decision on the spot. Handling the cell phone to put it into airplane mode may destroy important traces, such as fingerprints on the glass or body of the device, or genetic material left by saliva while speaking or by epithelial cells from the ear.
Therefore, whenever a trace is found, of whatever nature, the professional should always observe the order of volatility and relevance to the investigation and decide which trace to prioritize. Here is a flow diagram of the procedures just described.
Flow diagram for cell phone traces collection.
Forensic Duplication
Some of the most complex and time-consuming examinations are those involving cyber traces. They can take years, for example, when an encrypted file is subjected to a password-cracking process. The volume of data to be processed and analyzed in cases involving cyber traces poses great challenges to criminal expertise.
To give an idea, a simple 1 TB hard drive can contain 18,000 hours of audio in MP3 format, 4 million JPEG photos, about 1,500 hours of video, and more than 30 million pages. That is why the analysis of this material can last for months. By way of illustration: how long would it take to read and understand 30,000 pages? The people with the greatest reading and comprehension capacity in the world read and understand about 623 words per minute.
Bringing this down to something more tangible, a simple calculation: 150 pages times 200 words equals 30,000 words; 30,000 words divided by about 500 words per minute gives 60 minutes to read and understand 150 pages. Now imagine reading and understanding the 30 million pages of a simple 1 TB hard drive.
Another procedure that precedes the extraction of data stored on a computer is duplication of the media. Since this process takes time, it should be carried out in the laboratory. In most cases, the procedure adopted to preserve computational storage media is forensic duplication, which consists of an exact copy of all the bits contained in the questioned media into an image file.
Forensic duplication can be performed through specialized equipment, such as those shown in figure below.
Examples of specialized forensic duplication equipment.
The advantage of these devices is that they block writing to the media by default, preventing any modification of its content and, consequently, future challenges to the evidence. Their main disadvantage is the price.
A cheaper option is to use an ordinary computer, provided some care is taken. If the chosen computer runs Windows, it is essential to obtain a USB cable, enclosure or dock to connect the questioned media externally. The system must then be configured not to write through the USB interface. This setting is made by creating the WriteProtect (DWORD) value under the following Windows registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Set its value to 1 while the USB interface must be protected from writes, and back to 0 after the questioned media has been disconnected. All this caution is necessary because Windows, by default, writes some information to any storage media connected to the computer.
Another option is to use forensic Linux distributions such as DEFT and CAINE, which are prepared not to write to the media. In this case the USB connection is unnecessary, and the media can be attached to the computer's own internal connectors. Forensic duplication is then done with software such as GNU dd and GNU ddrescue.
To conclude the preservation phase, it is still necessary to make sure that the duplicated content is identical to the original. This is done with hash algorithms, which detect a change of even a single bit. From that point on, the original media can be stored in a safe place, since all further work is done on the image file.
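The two preservation steps just described, bit-for-bit duplication and hash verification, as an added example that is not code from the article or from the dd/ddrescue projects: a small Python stand-in that copies every byte of a source into an image file, hashes the data as it is read, hashes the finished image independently and compares the two. A constructed file plays the questioned media, and the demo flips one bit in the image to show that the comparison catches it. The assumption is that the source path is already protected by one of the write-blocking measures described above; opening it read-only protects only this process, not the operating system.

```python
"""Bit-for-bit imaging with hash verification (added example).

Not code from the article: a Python stand-in for GNU dd (or ddrescue)
followed by a hash tool, so the copy and the verification can be seen
together. Any path works as the source; a constructed file is used here.
Write blocking (hardware, the registry value or a forensic distribution)
is still required so the operating system never writes to the media.
"""
from __future__ import annotations

import hashlib
import os
import random
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, comparable to dd bs=1M


def image_media(source: str, image: str, algorithm: str = "sha256") -> str:
    """Copy every byte of `source` into `image`; return the hash of what was read."""
    h = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(CHUNK):
            h.update(chunk)  # acquisition hash, computed as the bytes go by
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return h.hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash an existing file in chunks (the independent verification read)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def verify_image(source: str, image: str, algorithm: str = "sha256") -> bool:
    """True only when source and image hash identically, i.e. match bit for bit."""
    return hash_file(source, algorithm) == hash_file(image, algorithm)


def flip_one_bit(path: str, offset: int) -> None:
    """Invert the lowest bit of the byte at `offset` (simulates a corrupted image)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0x01]))


def demo() -> dict:
    """Image a constructed media file, verify it, corrupt one bit, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        media = os.path.join(workdir, "questioned_media.bin")
        image = os.path.join(workdir, "questioned_media.dd")
        # Constructed content from a fixed seed; the odd size exercises the
        # final partial chunk, which must be copied like every other one.
        size = 3 * CHUNK + 17
        with open(media, "wb") as f:
            f.write(random.Random(1234).randbytes(size))

        acquisition_hash = image_media(media, image)
        intact = verify_image(media, image)
        assert acquisition_hash == hash_file(image)  # hash-on-read == hash of image

        flip_one_bit(image, size // 2)
        return {
            "acquisition_sha256": acquisition_hash,
            "image_matches": intact,
            "matches_after_one_bit_flip": verify_image(media, image),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The acquisition hash (computed while reading) and the hash of the finished image are what goes into the chain-of-custody record; recomputing the image hash later and comparing it to the recorded value is how the integrity of the working copy is demonstrated at any point in the examination.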
The second phase consists of the techniques used to extract digital traces. In the case of computational storage media, active files, deleted files and even file fragments are extracted. At this stage it is common to use Guidance Software EnCase and AccessData FTK, as they have been on the market for several years and have a consolidated reputation. However, given their high price, open-source alternatives such as Autopsy are welcome.
Some of the important features that should guide the choice of software are:
a) Interface - should be user friendly and responsive, able to handle hundreds of thousands of files.
b) Signature - classifies a file by its signature or magic number, which consists of its first bytes. This feature detects a rudimentary information-concealment technique: changing the file extension.
c) Data carving - uses the signature to identify files located in unused areas of the media.
d) Hash - the chosen tool should support the most common hash algorithms.
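Items b), c) and d) in one piece of working code, as an added example that is not code from the article or from EnCase, FTK or Autopsy: a small signature table, a classifier that ignores the file extension, a carver that walks a raw byte buffer looking for known headers (pairing them with footers where the format has one) and a SHA-256 of each carved object. The sample "unallocated area" is constructed below from a valid 1x1 PNG and a JPEG header/footer skeleton surrounded by signature-free filler; real tools carry hundreds of signatures and validate the internal structure of what they carve, which this example does not.

```python
"""Signature identification and data carving (added example).

Not code from the article or from any named forensic tool. A small
signature table, a classifier that ignores the extension (item b), a
header/footer carver for raw bytes (item c) and a hash per carved object
(item d). The sample buffer is constructed at the bottom of the file.
"""
from __future__ import annotations

import hashlib
import os
import struct
import zlib

# kind -> (header, footer); footer is None when the format has no usable trailer
SIGNATURES: dict[str, tuple[bytes, bytes | None]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI ... EOI
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # signature ... IEND + CRC
    "pdf":  (b"%PDF-", b"%%EOF"),                       # %%EOF repeats in updated PDFs
    "gif":  (b"GIF8", b"\x00;"),
    "zip":  (b"PK\x03\x04", None),                      # also docx, xlsx, apk ...
}
ALIASES = {"jpg": "jpeg", "jpe": "jpeg"}


def identify(data: bytes) -> str | None:
    """Classify content by its leading bytes; the file name plays no part."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a recognised signature disagrees with the name's extension."""
    kind = identify(data)
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return kind is not None and ALIASES.get(ext, ext) != kind


def carve(raw: bytes, max_size: int = 10 * 1024 * 1024) -> list[dict]:
    """Locate every known header in `raw` and cut out the object that follows.

    With a footer, the object ends at the first footer after the header;
    without one, or if none appears within max_size, a bounded slice is
    taken so that output stays finite.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = raw.find(header)
        while pos != -1:
            end = None
            if footer is not None:
                f = raw.find(footer, pos + len(header), pos + max_size)
                if f != -1:
                    end = f + len(footer)
            if end is None:
                end = min(len(raw), pos + max_size)
            blob = raw[pos:end]
            found.append({"type": kind, "offset": pos, "size": len(blob),
                          "sha256": hashlib.sha256(blob).hexdigest()})
            pos = raw.find(header, end if footer is not None else pos + 1)
    return sorted(found, key=lambda item: item["offset"])


# --- constructed sample data ---------------------------------------------------
def _png_chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def tiny_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG, built here as sample data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte 0 + one grey pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def fake_jpeg() -> bytes:
    """SOI/APP0 header, padding and EOI: enough for the carver, not a real image."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64 + b"\xff\xd9"


FILLER = bytes(range(256))  # deterministic junk containing none of the signatures
UNALLOCATED = FILLER * 2 + tiny_png() + FILLER + fake_jpeg() + FILLER[:100]


if __name__ == "__main__":
    print("holiday.txt really is:", identify(tiny_png()),
          "| extension mismatch:", extension_mismatch("holiday.txt", tiny_png()))
    for item in carve(UNALLOCATED):
        print(f"{item['type']:5} offset {item['offset']:5} size {item['size']:4} "
              f"sha256 {item['sha256'][:16]}...")
```

The hash recorded for each carved object is what lets it be matched later against known-file sets or against the same object recovered by another tool, and the offset ties it back to the image for the report.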
The next phase consists of the analysis of the extracted files (or fragments), aiming to find information that proves or refutes the investigated fact. At this stage, techniques are used that allow searching the contents of files, filtering out those unrelated to the investigation, quickly identifying those of interest, and transforming raw data into useful information.
FINAL CONSIDERATIONS
The recent and growing media coverage of criminal expertise, besides stirring the popular imagination, has shown another side of an investigation: the logical sequence of events (traces, clues and evidence) that leads to the criminal. If, on the one hand, this exposure, especially in investigations of high-profile cases, benefited criminal expertise by drawing attention to the need for resources, training and technological updating, on the other hand it brought with it a Hollywood vision of the everyday work of the scientific police.
Have you heard of the "CSI effect"? It is the name given to the consequences of the emergence and popularization of TV series such as CSI: Crime Scene Investigation, CSI: Cyber, Mr. Robot, Bones, The Mentalist, Law & Order and Dexter, which deal with criminal investigations and have generated great expectations about forensic science. However, there is no doubt that television presents the public with an artistic vision of how criminal forensics is conducted and of what it is and is not able to accomplish.
Although many of the resources and equipment shown in these series can be reproduced in forensic laboratories, they give a false perception of the time and technology involved in this work, which requires complex technical and scientific knowledge, trained professionals and expensive equipment. In addition, because of the shortage of forensic experts, there is a constant backlog of work.
Technologies for criminal expertise are increasingly advanced, but they are still far from what is shown in fiction. Furthermore, the mixture of police officer, detective and expert, portrayed as a single investigative team, does not match what happens in real life, because each profession is complex enough in itself and has its own methods, requiring specific qualifications and training. Thus, however well an expert knows the resources of other disciplines, he will never be qualified in all areas of forensic science.
ABOUT THE AUTHORS
Deivison Franco: Cofounder and CEO at aCCESS Security Lab. Master's degrees in Computer Science and in Business Administration. Specialist degrees in Forensic Science (emphasis in Computer Forensics) and in Computer Networks Support. Degree in Data Processing. Researcher and consultant in Computer Forensics and Information Security. Member of the IEEE Information Forensics and Security Technical Committee (IEEE IFS-TC) and of the Brazilian Society of Forensic Sciences (SBCF). C|EH, C|HFI, DSFE and ISO 27002 Senior Manager. Author and technical reviewer of the book "Treatise of Computer Forensics". Reviewer and editorial board member of the Brazilian Journal of Criminalistics and of the Digital Security Magazine.
Daniel Müller: Degree in Systems Analysis and Development, Specialist in Computer Forensics, Computer Forensic Investigator working on fraud identification and data recovery cases. Wireless Penetration Test Specialist, Pentester and author of Computer Forensics articles. Currently working as Cybersecurity Specialist at C6 Bank.
Cleber Soares: Information Security enthusiast and researcher, adept of the free software culture. He has worked in the technology area for more than 20 years, in national and multinational companies. Holds a technical course in Data Processing, a degree in Computer Networks and a postgraduate degree in Ethical Hacking and Cyber Security. Works as Information Security Analyst and ad-hoc Forensic Computer Expert. Leader of the OWASP Belém Chapter at the OWASP Foundation and author at Hacker Culture Blog.
Joas Santos: Red Team and SOC Leader and Manager, Independent Information Security Researcher, OWASP Project Lead Researcher, MITRE ATT&CK Contributor, and Cybersecurity Mentor with 1000+ technology courses, 50+ published CVEs, and 70+ international certifications. Full member of the 2.3 chair of the Open Finance Brazil Project and regular author for Hakin9 Magazine and eForensics Magazine. Main certifications: OSWP | CEH Master | eJPT | eMAPT | eWPT | eWPTX | eCPPT | eCXD.