Peeking under the hoods
In today's world, computers contain information vital to a business or person. Hence when a crime is committed in the physical world, it almost always leaves traces of evidence in cyberspace. Computerisation has made that evidence harder for investigators to analyse than paper records. For example, the Ponzi scheme fraudster Bernard Madoff kept track of his victims' accounts using an old IBM AS/400 from the 1980s. As only a few people on Wall Street had experience with a 25-year-old technology, it helped Madoff prolong his crime. It also created additional snags even after he was arrested, because investigators did not have enough tools and skills to make sense of his data.
Nowadays computers are so pervasive that the collection and use of digital evidence has become a usual part of any criminal and civil investigation. Law enforcement routinely examines suspects' laptops, cellphones and tablets for corroborating evidence. Corporate lawsuits are also dominated by electronic discovery of incriminating materials.
Then there are Digital Forensics cases in which the crime itself centres on computer systems, such as cyber-terrorism or hacking. In these instances, investigations are often hindered by the technical intricacies of the systems and the colossal amount of evidence to examine.
All digital evidence is subject to the same rules and laws that apply to documentary evidence. The principle of digital evidence may be explained thus: the onus is on the prosecution to show to the court that the evidence produced is no more and no less now than when it was first taken into the possession of law enforcement.
Electronic data are easily changed, damaged, or erased if handled improperly. Operating Systems and other programs frequently alter, add and delete the contents of electronic storage. This may happen routinely without user intervention or the user being aware that the data has been modified. Simply turning on a consumer GPS may cause the device to delete critical evidence.
Digital Forensics is powerful because computers are openings into the past. Many retain enormous quantities of information, either deliberately, in the form of log files and archives, or unintentionally, as a result of software that does not cleanly erase memory and files. Consequently, investigators can often recover old emails, chat logs, search histories and other kinds of data that were created weeks, months or even years before. Such contemporaneous records can disclose an individual's state of mind or intent at the time the crime was committed.
As they can look into the past and unearth concealed information, Digital Forensics tools are used more and more in crime investigations. Security professionals regularly use such tools to analyse network intrusions, not necessarily to convict the culprit, but to comprehend how the offender gained access and to plug the hole. Data recovery firms rely on similar tools to restore files from storage devices that have been accidentally formatted or damaged. Several commercial and open source tools for Digital Forensics are available, among them EnCase, FTK, Helix, DFF, LiveView and The Sleuth Kit.
Digital evidence can even be inspected and analysed to determine that something did not happen at all. For example, a hacker might have got into the computer network but been unable to read sensitive information. One way to make such a deduction is by inspecting the access and modification times associated with each file on the storage. But someone taking advantage of the same forensic techniques could have viewed the files without altering those timestamps, so the investigators would actually have established only that the files had not been opened by conventional means. Thus the significance of digital forensics is paramount in today's world.
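The timestamp reasoning above, as an added example that is not part of the original article: it builds the kind of MAC-time (modified/accessed/inode-changed) timeline an examiner starts from, and flags files whose modification time lies after their inode-change time, which a normal write can never produce on a POSIX filesystem and which therefore signals a hand-set timestamp or a clock problem. The sample files, names and the "one hour into the future" tampering are constructed for the demo; the ctime semantics assumed are Linux/POSIX (on Windows `st_ctime` is the creation time and the check does not apply).

```python
import os
import tempfile
from datetime import datetime, timezone


def mac_times(path):
    """Return (mtime, atime, ctime) in UNIX seconds for one path.
    On POSIX, st_ctime is the inode-change time, which user code cannot set
    directly; os.utime() changes atime/mtime but bumps ctime to 'now'."""
    st = os.stat(path, follow_symlinks=False)
    return st.st_mtime, st.st_atime, st.st_ctime


def build_timeline(root):
    """Walk root and return [(epoch, event, path)] sorted oldest first: the
    usual first step before reasoning about who touched what, and when."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            m, a, c = mac_times(p)
            events += [(m, "modified", p), (a, "accessed", p), (c, "inode-changed", p)]
    events.sort()
    return events


def mtime_after_ctime(root):
    """Paths whose modification time is later than their inode-change time.
    Every legitimate write updates ctime together with mtime, so mtime > ctime
    only arises when mtime was set by hand to a future value or the clock
    moved; such timestamps cannot be used as evidence of when a file was used."""
    flagged = []
    for _t, event, p in build_timeline(root):
        if event == "modified":
            m, _a, c = mac_times(p)
            if m > c:
                flagged.append(p)
    return flagged


def demo():
    """Constructed sample: two files in a temp dir, one with its mtime pushed an
    hour into the future as a stand-in for tampering. Returns (timeline, flagged)."""
    root = tempfile.mkdtemp(prefix="mac_demo_")
    clean, tampered = os.path.join(root, "report.txt"), os.path.join(root, "ledger.dat")
    for p in (clean, tampered):
        with open(p, "w") as fh:
            fh.write("sample\n")
    future = os.stat(tampered).st_mtime + 3600
    os.utime(tampered, (future, future))  # sets atime/mtime; ctime becomes 'now'
    return build_timeline(root), mtime_after_ctime(root)


if __name__ == "__main__":
    timeline, flagged = demo()
    for t, ev, p in timeline:
        print(datetime.fromtimestamp(t, timezone.utc).isoformat(), ev, os.path.basename(p))
    print("suspicious:", [os.path.basename(p) for p in flagged])
```

Running it prints six timeline entries and flags only `ledger.dat`; the clean file's equal mtime and ctime pass the check.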
The writer is the CEO of MetroNet & Director of BASIS