Gathering electronic evidence

A new field of evidence gathering involves techniques designed to find relevant electronic evidence on personal computers. This investigative discipline will become an important discovery tool for both lawyers and law enforcement agencies. Here Dr Henry B Wolfe* explains the basics of what it can and cannot do.

Computer forensics refers to the developing field that captures and analyses information stored on personal computers. Relevant information is prepared in a format that will be easily used and understood in a court of law. The methods used can be demonstrated to be sound. Information found in this way can be used either to convict or to exonerate depending on each case.

Some of these investigative techniques are legal, some require a warrant to execute legally and some are completely illegal. Nevertheless, they are all used to one degree or another in the pursuit of evidence to prove guilt or innocence.

Electronic forensics is based on some technical facts that most personal computer users are not aware of. A good deal of information, whether deleted or not, may reside on a target PC without the knowledge of its user. Data resides in many places on a hard drive. Everyone knows that there are files and directories and system files.

What most users do not realize is that a great deal of leftover data remains on their disk drives. Deleting a file normally removes only its directory entry and marks its clusters as free; the contents stay on the disk until new data happens to overwrite them. Fragments of older files also survive in slack space, the unused tail of the last cluster allocated to a newer, shorter file. All of this data can be retrieved with the proper tools and analysed for content and relevance to a specific case.

The investigator first uses specialized tools to capture a bit-for-bit image of the storage media associated with the computer thought to hold relevant evidence. Unlike an ordinary file copy, such an image includes unallocated space, slack space and every other sector, not just the files the operating system lists. A cryptographic hash of the image is recorded at the time of acquisition so that any later alteration can be detected, and the image is then handled like any other exhibit, paying special attention to the normal rules required to maintain the chain of custody.
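The acquisition step above, as an added illustration that is not the author's tooling: copying media sector by sector, substituting zeros for any sector that cannot be read so that every later byte keeps its original offset, and hashing the result for the chain-of-custody record. The FlakyMedia class and the sample contents are constructed stand-ins for a drive with one bad sector.

```python
import hashlib
import io

SECTOR = 512  # acquisition block size; real tools use larger blocks and retry failures sector by sector


def image_media(source, block_size=SECTOR):
    """Read `source` (a seekable file-like object) block by block into an image.

    A block whose read raises OSError (an unreadable sector) is replaced with zeros,
    so every later byte keeps its original offset, the behaviour of
    `dd conv=noerror,sync`; the offsets of such blocks are recorded for the report.
    Returns (image_bytes, sha256_hex, bad_block_offsets).
    """
    source.seek(0, io.SEEK_END)
    size = source.tell()
    out = io.BytesIO()
    digest = hashlib.sha256()
    bad_offsets = []
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        source.seek(offset)
        try:
            chunk = source.read(want)
        except OSError:
            chunk = b"\x00" * want  # keep alignment: zero-fill the unreadable block
            bad_offsets.append(offset)
        out.write(chunk)
        digest.update(chunk)
        offset += want
    return out.getvalue(), digest.hexdigest(), bad_offsets


def verify_image(image_bytes, recorded_sha256):
    """Re-hash an image and compare it with the hash recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == recorded_sha256


class FlakyMedia(io.BytesIO):
    """Constructed stand-in for a drive with unreadable sectors (example only)."""

    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        if self.tell() // SECTOR in self.bad_sectors:
            raise OSError("I/O error: unreadable sector")
        return super().read(size)


# Constructed sample: three full sectors and a partial one; sector 1 is unreadable.
SAMPLE_DATA = b"A" * SECTOR + b"B" * SECTOR + b"C" * SECTOR + b"D" * 100
SAMPLE_BAD_SECTORS = [1]


def acquire_sample():
    """Image the constructed media and return (image, sha256, bad_offsets)."""
    return image_media(FlakyMedia(SAMPLE_DATA, SAMPLE_BAD_SECTORS))


if __name__ == "__main__":
    image, sha, bad = acquire_sample()
    print("image size", len(image), "sha256", sha, "unreadable sectors at", bad)
    print("integrity ok:", verify_image(image, sha))
```

The recorded hash is what makes the image usable as an exhibit: anyone can re-hash the copy later and show it is byte-for-byte what was acquired, and the list of zero-filled offsets documents exactly which parts of the original could not be read.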

There are also hiding places on a hard disk where data can be placed that might otherwise escape scrutiny. Once again with the proper tools, knowledge and understanding, data stored in all the hiding places can be retrieved for analysis. Powerful forensic analysis tools exist that facilitate searching for specific data or kinds of data.

For example, the court may have directed your opposition not to access the target computer after a specific date. The forensics investigator can determine when files on the target were last modified, accessed or created and, within limits, for what purpose. Those limits matter: file-system timestamps can be altered, last-access updates are disabled by default on many systems, and examining the original disk rather than an image would itself update them. If it can be shown that the target PC was accessed after the specified time, a contempt citation may be possible and the PC owner's veracity called into question.
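An added example, not from the article, of the timestamp check described above: it walks a directory tree and lists every file whose modification or access time falls after a court-ordered cutoff. The sample tree it builds is constructed for the demonstration; in practice the check is run against a mounted image, never the original disk, and the comment in the code records the limits the text mentions.

```python
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Which stat fields to compare. Limits: the last-access time is not updated on many
# systems (NTFS by default, Linux "relatime" mounts); st_ctime is the inode-change time
# on Unix (not settable, so on a restored copy it reflects the restore) but the creation
# time on Windows. Default to the two fields that mean the same thing everywhere.
DEFAULT_FIELDS = ("modified", "accessed")


def days_ago(n):
    """Aware UTC datetime n days before now, for use as a cutoff."""
    return datetime.now(timezone.utc) - timedelta(days=n)


def files_touched_after(root, cutoff, fields=DEFAULT_FIELDS):
    """Walk `root` and return sorted (path, field, datetime) tuples for every file
    whose selected timestamps are later than `cutoff` (an aware datetime)."""
    getters = {
        "modified": lambda st: st.st_mtime,
        "accessed": lambda st: st.st_atime,
        "changed": lambda st: st.st_ctime,
    }
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            for field in fields:
                when = datetime.fromtimestamp(getters[field](st), tz=timezone.utc)
                if when > cutoff:
                    hits.append((path, field, when))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: one file untouched for 30 days, one written just now.
    Returns (root, old_path, new_path)."""
    root = tempfile.mkdtemp(prefix="forensic_demo_")
    old_path = os.path.join(root, "ledger_1998.txt")
    new_path = os.path.join(root, "notes.txt")
    with open(old_path, "w") as f:
        f.write("constructed sample, old\n")
    with open(new_path, "w") as f:
        f.write("constructed sample, recent\n")
    stale = time.time() - 30 * 86400
    os.utime(old_path, (stale, stale))  # push atime and mtime back 30 days
    return root, old_path, new_path


if __name__ == "__main__":
    root, _old, _new = build_sample_tree()
    for path, field, when in files_touched_after(root, days_ago(7)):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {field:8}  {path}")
```

Anything this reports is a lead, not proof: the same `os.utime` call the sample uses to age a file can be used to backdate one, which is why the finding is normally corroborated from other sources such as log files or application records.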

It is also possible to view all graphic images stored on the target machine, even those deleted in anticipation of such an investigation, provided the sectors holding them have not yet been overwritten. This may be useful when dealing with a child pornography case.
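How deleted images are found without any directory entry, as an added example that is not the author's tooling: the raw image is scanned for the JPEG and PNG signatures and each file is carved from its header to its trailer. This serves both the point above about recovering deleted pictures and the earlier one about leftover data. The disk image, the filler bytes and the three embedded files are constructed inline for the demonstration.

```python
JPEG_SOI = b"\xff\xd8\xff"          # start of image, followed by the first marker byte
JPEG_EOI = b"\xff\xd9"              # end of image
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND"                  # final chunk type; a 4-byte CRC follows it


def carve_images(disk):
    """Scan a raw image for JPEG and PNG files by signature, ignoring the file system.

    Returns a list of dicts with offset, type, data and a truncated flag. A header
    with no matching trailer means the tail of the file has been overwritten; what
    survives is carved up to the next signature (or end of media) and flagged.
    """
    starts = []
    for kind, sig in (("jpeg", JPEG_SOI), ("png", PNG_SIG)):
        pos = disk.find(sig)
        while pos != -1:
            starts.append((pos, kind))
            pos = disk.find(sig, pos + 1)
    starts.sort()

    results = []
    for i, (start, kind) in enumerate(starts):
        limit = starts[i + 1][0] if i + 1 < len(starts) else len(disk)
        if kind == "jpeg":
            trailer = disk.find(JPEG_EOI, start + len(JPEG_SOI), limit)
            end = trailer + len(JPEG_EOI)
        else:
            trailer = disk.find(PNG_IEND, start + len(PNG_SIG), limit)
            end = trailer + len(PNG_IEND) + 4  # include the IEND CRC
        truncated = trailer == -1
        end = limit if truncated else min(end, limit)
        results.append({"offset": start, "type": kind, "data": disk[start:end], "truncated": truncated})
    return results


# Constructed sample files (minimal byte layouts, not valid pictures).
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 24 + JPEG_EOI
SAMPLE_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 17 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
TRUNCATED_JPEG = JPEG_SOI + b"\xdb\x00\x43" + b"\x33" * 20   # tail overwritten: no EOI marker


def build_sample_disk():
    """Constructed raw image: zero filler (wiped sectors), a JPEG, a PNG and a JPEG
    whose end has been overwritten. Returns (disk, {"jpeg", "png", "truncated"} offsets)."""
    filler = b"\x00" * 64
    disk = filler + SAMPLE_JPEG + filler + SAMPLE_PNG + filler + TRUNCATED_JPEG + filler
    offsets = {
        "jpeg": len(filler),
        "png": 2 * len(filler) + len(SAMPLE_JPEG),
        "truncated": 3 * len(filler) + len(SAMPLE_JPEG) + len(SAMPLE_PNG),
    }
    return disk, offsets


if __name__ == "__main__":
    disk, _offsets = build_sample_disk()
    for f in carve_images(disk):
        flag = " (truncated)" if f["truncated"] else ""
        print(f"{f['type']} at offset {f['offset']}, {len(f['data'])} bytes{flag}")
```

Because the scan looks at every byte of the image rather than at the directory, a picture whose entry was deleted is found exactly as readily as one that was not; only overwriting the sectors removes it, and even then the surviving head of the file is reported.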

The internet has played a large part in the use of forensic techniques to track computer criminals and to help prove their guilt or innocence. This discipline is not confined to computer criminals but covers a much broader arena where all kinds of criminal activity take place. For example, where the computer is used as a means to communicate about a criminal activity or to store, track or plan activities of a criminal nature.

Cryptography is becoming more and more commonly used to protect individual privacy and it is often encountered in forensic investigations. This is the art/science of codes and ciphers. A piece of data is translated into a form that is meaningless to an unauthorized person. Without the proper key (a specific unique series of characters) and the specific cryptographic algorithm used to encrypt and decrypt, the content of the enciphered data may be difficult or even impossible to derive.

While encrypted data can be retrieved and scrutinized, proven cryptosystems provide a degree of protection that cannot be overcome by normal means. The attacks that have succeeded in practice target the key rather than the cipher: guessing a weak passphrase, recovering the key from memory, swap or temporary files, or obtaining it from the user. If the individual is not cooperative and refuses to provide the key, there may be no way to obtain a plaintext version of what is protected in this way.

On the other hand, if the data has been encrypted using options built into standard software such as Microsoft Word or Excel, the key may be recovered with special-purpose software. The protection in those products was weak: early versions used a simple XOR obfuscation, and the Office 97 and 2000 formats used 40-bit RC4, a key space small enough to search exhaustively. A number of standard applications have poorly implemented or flawed cryptographic options and these can be attacked successfully, albeit for a price.
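The class of flaw behind such options, as an added example that is neither the article's nor Microsoft's code: a document format with a fixed, predictable header "protected" by XORing the file with a short repeating key. Because the header plaintext is known, XORing it against the ciphertext yields the key directly, and the rest of the file decrypts for free. The header string, key and message are constructed for the demonstration and do not describe any real product's file format.

```python
def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext, known_prefix, max_key_len=32):
    """Known-plaintext attack on repeating-key XOR.

    For each candidate key length, XOR the known plaintext prefix against the
    ciphertext prefix to obtain a candidate key, keep it only if it reproduces the
    whole known prefix, and accept the shortest candidate that decrypts the full
    message to printable text. Returns (key, plaintext) or (None, None).
    """
    for klen in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = xor_bytes(ciphertext[:klen], known_prefix[:klen])
        if xor_bytes(ciphertext[:len(known_prefix)], key) != known_prefix:
            continue  # the key is not periodic with this length
        plaintext = xor_bytes(ciphertext, key)
        if all(32 <= b < 127 or b in b"\r\n\t" for b in plaintext):
            return key, plaintext
    return None, None


# Constructed sample (not any real product's format): every file of this imaginary
# application starts with the same header, and its "password protection" XORs the
# whole file with the password, repeated.
KNOWN_HEADER = b"DEMODOC 1.0\r\n"
SAMPLE_KEY = b"s3cr3t"
SAMPLE_PLAINTEXT = KNOWN_HEADER + b"Meet at the warehouse, Friday 10pm. Bring the ledger.\r\n"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = recover_xor_key(SAMPLE_CIPHERTEXT, KNOWN_HEADER)
    print("recovered key:", key)
    print(plain.decode())
```

The attack needs no password guessing at all; it works because the scheme leaks key material wherever the plaintext is predictable, and file formats are full of predictable bytes. A properly designed cipher with a key derived from the password through a slow function would leave only the passphrase-guessing route described above.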

Obviously the outcome of any investigation cannot be predicted so there can be no assurances that it will produce any useful evidence. However, the amount of time needed to investigate properly the contents of any given system will be approximately the same regardless of the outcome – and it is an expensive process.

The production of reports containing just the evidence of interest in a format that is readable and practical to use is an important part of the process as is the investigator’s expert testimony. The tools currently available have been tested and proven and are becoming recognized and approved in many jurisdictions.

Useful evidence cannot be manufactured. As with any other type of investigative technique what is found is all there is. It may be relevant or it may not. However, computer forensics is one tool that everyone in the legal profession should be aware of.

*Dr. Wolfe is one of only a handful of professionals speaking about this topic around the world who are not vendors of product. He teaches computer security at the University of Otago and may be reached at (03) 479-8141 or via email at

