By C. M. Whitcomb, Director, National Center for Forensic Science, University of Central Florida, Orlando, Florida
The law enforcement community is constantly evaluating its environment and the effect it has on citizens. When the environmental impact is from a criminal act, law enforcement agencies and forensic scientists become involved in evaluating how the crime happened, who committed the crime, and what the intent was. Scientists are trained to observe, describe, measure, and categorize information in an orderly manner. They define groups by common characteristics and individuals within the group by unique characteristics. For example, natural scientists have arranged all the chemical elements in groups in a periodic table based on their atomic mass, structure, and reactivity. There are three basic building blocks of atoms: protons, electrons, and neutrons. The uniqueness of an element is based on the numbers of these three particles in a given atom. For a biological example, humans have a phenotype (i.e., physical characteristics) and a genotype (i.e., a genetic code). Genetics are complicated, but a person’s entire genetic code arises from only four chemical groups, arranged in different sequences. The sequences of these four chemical groups make most humans unique (except in the case of identical twins, triplets, and so on). Likewise, in the digital world, there are two basic units that make up everything digital: the numbers 0 and 1. Scientists have arranged the basic units into a series of codes that represent the letters of the alphabet, numerals, pixels in a graphic image, and even digitized sound and video.
The world is filled with simple codes arranged into groups and categories to make up complex parts. The process of categorizing allows researchers to assign characteristics to common groups or identify them as having unique traits. Forensic scientists locate and identify patterns that associate people, places, and things in related categories and then identify them by their uniqueness and their relationship to a crime. Physical and biological evidence have been part of forensic science disciplines since the inception of forensic science. Much of their uniqueness has been explored, and their patterns have been identified. As a new discipline such as digital evidence begins to evolve, certain steps must be taken for it to be accepted by the scientific community and the courts. DNA analysis, one of the newest biological disciplines, has already established a path to general acceptance in the law enforcement community; pioneers of digital-evidence analysis should obviously follow a similar path to gain acceptance as quickly as possible. Developing any new discipline, including this one, involves a few crucial components. A working group of experts must reach consensus during the development of the new discipline. Forensic laboratories should take a leading role, gaining support from government agencies, researching and developing needs assessments, determining educational and training programs, and conferring accreditation on laboratories and professional certification for individual practitioners. The final hurdles for a new discipline to clear are formal recognition from professional organizations and acceptance of evidence in court.
In the past, when a homicide crime scene at a personal residence was processed, the evidence collected included the victim’s corpse, any evidence related to the cause of death, the motive, the identity of the perpetrator, and whatever personal items had the potential to develop investigative leads. Personal items that might contain valuable evidence could include personal letters, calendars, checkbooks, address books, photographs, business papers, and messages on a telephone answering machine. With the advent of personal computers, cellular telephones, the Internet, and a seemingly unending variety of electronic devices, the circumstances at the crime scene have begun to change. Much of an individual’s personal information and other evidence is saved in a potentially fragile digital format. In addition to physical and biological evidence, today we are faced with gigabytes to terabytes of digital evidence. Whether digital information comes in the form of letters, bank statements, photographs, spreadsheets, or e-mail addresses, it is all considered digital evidence, and it must be collected, preserved, and examined in a forensically sound manner to help ensure that the evidence is acceptable in court and that justice is served.
Should digital evidence be collected, preserved, and examined by forensic scientists or by law enforcement officers? The answer is “both.” The decision of where to perform forensic examinations depends solely on the structure of the individual organizations involved. The common model for other forensic disciplines is for the “crime scene squad” to process the crime scene; the investigators then write a letter requesting examination of the evidence, which is subsequently sent to the forensic laboratory. The investigators work closely with the forensic scientists to identify the evidence that will have the greatest value for solving the case. The investigators may be present at the scene during the collection of evidence or may be the parties responsible for collecting the actual evidence. In the 1980s, law enforcement agencies began conducting examinations on computers they seized; this eventually led to their development of forensic examination software. Typically, evidence is submitted to a forensic laboratory, where scientists process the items for both obvious and latent evidence and attempt to develop investigative leads or to find the “smoking gun.” Some law enforcement forensic laboratories picked up on this new trend in electronic evidence and began to develop digital-evidence sections in their laboratories. Assuming that computers would hold latent evidence, forensic scientists worked with investigators to collect and compile the appropriate data in a searchable manner to assist the investigation.
When digital evidence arrives at forensic laboratories where no one is prepared to perform an examination, directors seek other laboratories better prepared for the job, such as the Regional Computer Forensic Laboratories (RCFLs).1 They might transfer the evidence to another laboratory with the appropriate expertise or outsource it to experts who have the appropriate skills. At first, the law enforcement agencies directly handled computer forensic examinations in greater numbers than did forensic laboratories. This tendency was probably due to convenience for the investigators and the lack of digital-evidence expertise in forensic laboratories. In the early days, laboratory expertise in forensic investigations focused on physical and biological evidence. Many laboratory managers did not consider facilities for examining electronic evidence. The expense of starting a computer forensic section, developing the laboratory infrastructure, and continual training for examiners would be another financial burden to the laboratories. This trend will likely change, though, as the volume of digital evidence increases and new technologies continue to arrive daily. Investigators will begin to see the value of working with forensic scientists and having them perform the research, validation, and forensic examination of digital devices, following established protocols and validated procedures with quality assurance measures in a controlled laboratory environment. Forensic scientists are expected to have the education, training, and experience to qualify as an expert witness in court. Thus, a burden shared is cut in half.
The Evolution of Forensic Technologies
New technologies arrive at crime laboratories by different means. A relatively new technology such as DNA analysis, after being developed in academic and private research facilities, has a profound impact when applied to forensic science. New technology may also arise when investigators begin to submit novel evidence, such as computers, cellular telephones, and other devices, to forensic laboratories to be examined for latent evidence. The power of the Internet and wireless transmission, still very new technology, gives digital evidence its versatility and power to travel around the world in seconds. The Internet was created in the 1960s “as a government-sponsored network for universities and company research laboratories.”2 As personal computers began to increase in popularity in the 1980s, they also began to arrive at forensic laboratories for examination. Computers submitted to forensic laboratories can be viewed as the obvious evolution of paper evidence. As director of the Postal Inspection Service Crime Laboratory from 1988 to 1990, the author reached out to the U.S. Federal Bureau of Investigation (FBI) Laboratory when a postal inspector submitted a computer to her laboratory for examination for “latent evidence.” At the federal level, the FBI laboratory’s first computer evidence case was assigned to its Questioned Document Section, which could accommodate computer examinations by using off-the-shelf software. The influx of computers began to grow. When local law enforcement agencies did not have the ability to examine computers and electronic devices, they would send their cases to state or federal laboratories. An FBI special agent shared that in 1985 he received his first electronic evidence: an 8-inch floppy disk. Another FBI special agent believes he was the first witness to use the word “computer forensics” in a trial in Pennsylvania in 1988. 
During this time, investigators were developing their own methods, techniques, and forensic software or using “off-the-shelf” software to work their cases. Some of them left investigations to develop software full-time. The U.S. Secret Service led in the forensics investigations of early cellular telephones. The FBI’s Computer Analysis and Response Team (CART) was formed in 1992 and was dedicated to the forensic examination of computers and all varieties of digital evidence. The growth in the amount of data in digital-evidence cases at CART in fiscal year (FY) 1999 went from a total of 17 terabytes per year of evidence to 265 terabytes in the first quarter of 2005. In FY 2006, the CART and the RCFLs accepted 15,070 requests for assistance and processed 2,139 terabytes of data.
A document published in 2001 by the U.S. Department of Justice (DOJ), Office of Justice Programs, Bureau of Justice Statistics (BJS), titled “National Computer Security Survey,” addressed the cybercrime threat against business.3 Cybercrime generally refers to crimes committed through the Internet or a local network. The cybercrimes that businesses experience most often, according to the report, are “fraud, embezzlement, theft of proprietary information, denial of service, vandalism or sabotage, and computer virus.”4 Personal computers can also be susceptible to these crimes. In previous times, it would be obvious when a bank was being robbed. Today, customers can use the drive-through window of their bank while it is being robbed. It is immediately obvious to neither the customers nor the bank. Technology, like everything else, has both positive and negative effects on individual citizens as well as on their governments. Forensic technology is continually developing to keep up with technologically savvy criminals.
Scientific Working Groups and Federal Agencies
The first step for a new forensic science discipline is to form a working group of experts in the field to develop definitions of terms, methods, procedures, validation processes, and best practices. The Scientific Working Group on Digital Evidence (SWGDE), supported by the FBI, was formed in 1998 after the ad-hoc group Federal Crime Laboratory Directors in the Washington, D.C., Area discussed the need and agreed to form it.5 Federal-laboratory members of the SWGDE met monthly to develop definitions and terms and later added state and local members. The first meeting in July 1998 was only for defining digital evidence: “Digital evidence is any information of probative value that is stored or transmitted in binary form.” Digital evidence can be text, numerals, images, sound, or videos.
Another working group was formed in 1998–1999 to address digital-photography issues. The Scientific Working Group on Imaging Technology (SWGIT) was formed and supported by the FBI. The SWGIT published its first document in 1999.6 Dr. Richard Vorder Bruegge was the first chair of SWGIT, serving until 2007.
The National Institute of Justice (NIJ), the research, development, and evaluation arm of the DOJ, played a pivotal role in focusing the efforts of the community by supporting the Electronic Crime Needs Assessment for State and Local Law Enforcement (March 2001).7 The consensus group developed 10 critical needs, as given in the summary headings of the final document:
- Public awareness
- Data and reporting
- Uniform training and certification courses
- On-site management assistance for electronic-crime units and task forces
- Updated laws
- Cooperation with the high-tech industry
- Special research and publications
- Management awareness and support
- Investigative and forensic tools
- Structuring a computer crime unit
There are numerous NIJ publications related to electronic crimes and digital evidence generated with the aim of meeting the 10 needs. Numerous related publications are available online at the NIJ Web site (http://www.ojp.usdoj.gov/nij/). The support of government agencies is essential for meeting the challenges of new technologies. Today, the NIJ’s mission is to “advance scientific research, development, and evaluation to enhance the administration of justice and public safety.”8 Some of the NIJ’s goals in this regard include the development and evaluation of technology and tools supporting law enforcement agencies dealing with electronic crime and the forensic aspects of digital evidence.
Another section of the DOJ critical to the early success of electronic-crime investigations is the Computer Crime and Intellectual Property Section (CCIPS).9 Among other tasks, the attorneys in the CCIPS had to transform the language of statutes that dealt with physical items into language that would work for electronic-evidence search and seizure. Their work in developing search warrants for electronic evidence was a very basic and essential contribution to the law enforcement community. Digital information considered to be “intellectual property” is a tremendous problem to manage and protect. It is difficult to conceive of the number of DVDs, CDs, and other electronic media that have intellectual property rights that must be protected by law.
Laboratory Management and Quality-Related Organization
The goal of forensic laboratory managers is to design a safe and secure facility; a scalable infrastructure; and an environment suitable for practitioners of forensic science to maintain their scientific skills, objectivity, and professionalism while supporting their agencies and our legal system. Quality assurance programs are essential for forensic laboratories. Quality in the organization and management of a forensic science laboratory is as important as the individual training and certification of the forensic scientists. The justice system looks to professional forensic science organizations to ensure the continuing professional development of forensic scientists, and there are several mechanisms forensic science laboratories have available to continually improve their quality and efficiency.
The American Society of Crime Laboratory Directors (ASCLD, pronounced azz-clad), whose formation was sponsored by the FBI, “is a nonprofit professional society of crime laboratory directors and forensic science managers dedicated to promoting excellence in forensic science through leadership and innovation.”10 According to the ASCLD Web site, the organization was formed as follows:
The ASCLD organization began to take shape in a meeting that occurred in 1973. In the fall of 1973, a small group of some thirty crime laboratory directors, geographically representing the country, met in Quantico, Virginia. Although called there by Clarence Kelly, then Director of the FBI, it was Briggs White, Director of the FBI Laboratory, who, by his desire to bring local laboratories and the FBI Laboratory together, made it all possible. At that meeting, a steering committee under the able chairmanship of Richard Fox, was formed and met in Kansas City in the spring of 1974. A constitution was drafted, and, in the fall of 1974, in Quantico at the first meeting, ASCLD was born. Chairman - Briggs White, FBI; Vice Chairman - Richard Fox, Missouri; Secretary - Atley Peterson, ATF; Treasurer - Larry Howard, Georgia. On February 18, 1976, ASCLD became ASCLD, Inc.11
Very early in the formation of ASCLD, the members recognized the need to “self-assess” their laboratories and continually improve their quality. The organization that emerged to meet the challenge of improving quality was the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB), which became a separate organization in 1988.12 The members of ASCLD/LAB, referred to as the Delegate Assembly, are directors of accredited laboratories. Although accreditation is not a requirement for forensic laboratories, it is highly recommended to have either the ASCLD/LAB legacy programs accreditation or the international ISO accreditation. Forensic Quality Services–International (FQS-I), in Largo, Florida, also offers ISO accreditation.13 A list of FQS-I’s 52 ISO-accredited law enforcement and private laboratories is on its Web site,14 including the Georgia Bureau of Investigation and the Illinois State Police Crime Scene Services Command laboratories.
In 2003, through the efforts of the SWGDE and ASCLD/LAB, the ASCLD/LAB delegate assembly voted to make digital evidence a new section for accreditation in forensic laboratories and businesses that meet the requirements of a forensic laboratory. The current status of accredited digital evidence laboratories, as reported in a personal communication from Ralph Keaton of ASCLD/LAB, is as follows:
There are currently twenty-two (22) laboratories accredited by ASCLD/LAB in Digital and Multimedia Evidence. The North Carolina State Bureau of Investigation was the first forensic laboratory to have its Digital Evidence Unit accredited. State laboratories accredited under the Legacy program include North Carolina, New Hampshire, Virginia, Florida (2), Wisconsin (3), and Pennsylvania. Local laboratories accredited under the Legacy program include Arlington Police Department (Texas); Westchester County (New York); Johnson County (Kansas); Baltimore County (Maryland); and Santa Clara County (California). Federal/Regional laboratories include the Department of Defense Computer Forensics Laboratory; the North Texas RCFL; the New Jersey RCFL; and the Silicon Valley RCFL. Digital Evidence laboratories accredited under the ASCLD/LAB-International program include the DEA Digital Evidence Laboratory; the FBI Digital Evidence Laboratory; the Charleston [South Carolina] Police Department’s Forensic Laboratory and the Utah State Crime Laboratory.15
A new discipline gains momentum as a forensic science discipline when it is allowed to have its own session for the presentation of papers at established professional forensic science conferences. In 1999, the first forensic science session in digital evidence at a professional forensic science organization conference was at the International Association for Forensic Sciences (IAFS) conference in Los Angeles, California.16 The first professional forensic science session in the United States for digital evidence was hosted by members of the SWGDE. The SWGDE hosted the scientific session with many national and international presentations and also presented a workshop at this meeting. The next IAFS conference will be in New Orleans in 2008. There will be a session for digital-evidence presentations.
The American Academy of Forensic Sciences (AAFS) is the most prestigious professional forensic science organization.17 The SWGDE has had a representative report to the AAFS Executive Board since 2002 to provide updates on the progress of digital evidence. In August 2007 the Executive Board approved the formation of a section for digital evidence, but the creation of a new section requires a bylaws change, on which the membership will vote at the February 2008 meeting. The last new section the AAFS created, the Engineering Sciences Section, was formed over 30 years ago. AAFS attendees interested in digital evidence have held an ad-hoc meeting for the past several years. In 2007, the ad-hoc Digital Evidence Section voted on its ad-hoc officers: Zeno Geradts (from the Netherlands Forensic Science Institute and an AAFS Fellow) was elected chair; the author (director of NCFS and an AAFS Fellow) was elected director; and David Baker (MITRE Corporation; Fellow of AAFS) was elected secretary. Mark Pollitt is the program chairman for 2008. Currently, the General Section of the AAFS is housing the future members of the new section. The next meeting of the AAFS will be in Washington, D.C., in February 2008.
The International Association for Identification (IAI) has developed a digital evidence section and hosts the information generated by the SWGIT on its Web site (www.theiai.org).
Daubert and Professional Journals
The criteria laid out in Daubert v. Merrell Dow Pharmaceuticals, Inc.,18 help ensure that “good science” will be admitted into court and assign judges the task of being “gatekeepers” of scientific testimony.
“The basic Daubert rule: [T]he reasoning or methodology underlying [the] testimony [must be] scientifically valid.” The Daubert test involves a preliminary ruling based on FRE 104 (Federal Rules of Evidence) on whether the theory or technique is scientifically valid. Indicia of scientific validity to be examined include “widespread acceptance,” peer review, publications, testing, rate of error, and the existence of standards. No particular one of these elements is essential under Daubert.19
Peer review and journals are part of the Daubert criteria, so peer-reviewed journals for digital evidence are among the professional outlets that bear on those criteria. The FBI’s publication Forensic Science Communications was one of the first online journals for forensic science in general. In the spring of 2002, the first online journal dedicated specifically to digital evidence, the International Journal of Digital Evidence, debuted.20 Another journal dedicated to digital evidence is the Journal of Digital Forensic Practice, first published by Taylor and Francis in 2006.
Every second, harmless and harmful packets of information pass each other as they fly through the Internet and the airwaves. While trainers are using the Internet to teach cybercrime investigations classes, child predators are sending out their invitations to unsuspecting innocents. Clearly, digital evidence will be a major form of evidence with which society must contend for the foreseeable future. Luckily, there are educational programs and research organizations that have had the foresight to meet this challenge by developing classes and programs in digital forensics. The tools that law enforcement agencies and forensic scientists can acquire through such training will enable them to persist in their investigations to the very end, regardless of the media criminals employ.
Historical Timeline of the Use of Digital Evidence
1980s: The law enforcement community begins to collect computers and disks as evidence. Investigators begin writing their own forensic software.
1990s: Computers are submitted to crime labs for examination; digital photography is introduced into crime laboratories and crime scenes.
1997: C. M. Whitcomb proposes the concept that all aspects of digital evidence, regardless of the diversity of their outputs, should follow the same basic principles of forensic science for collection, preservation, and examination of digital evidence. Whitcomb describes her theory to Dr. Don Kerr, assistant director of the FBI laboratory, via telephone. Dr. Kerr asks Special Agent Mark Pollitt, unit chief of the FBI Headquarters CART, to write a white paper based on the concept. The federal crime laboratory directors are invited to the U.S. Postal Inspection Service Forensics Laboratory at Dulles, Virginia, in 1998, where the directors agree to form the Scientific Working Group on Digital Evidence (SWGDE).
July 1998: The first meeting of the SWGDE is held. Special Agent Mark Pollitt of the FBI serves as first chair of the SWGDE from this first meeting until his retirement in 2003. C. M. Whitcomb, U.S. Postal Inspection Service Forensic Laboratory, serves as first vice chair. The SWGDE defines digital evidence at this first meeting as “any information of probative value that is stored or transmitted in a binary form.” This includes digitized text, numerals, sound, images, and video.
1999: The International Association for Forensic Sciences (IAFS) holds a scientific session on digital evidence, the first such session at a professional meeting, in Los Angeles. SWGDE members put the program together, and the room is packed with presentations from around the world.
1999: The Scientific Working Group on Imaging Technologies (SWGIT) publishes “Definitions and Guidelines for the Imaging Technologies in the Criminal Justice System” in the journal Forensic Science Communications.
2001: The University of Central Florida offers a graduate certificate in computer forensics.
2002: The first peer-reviewed, online journal for digital evidence, International Journal of Digital Evidence, makes its debut.
2003: The American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) approves digital evidence as part of its accreditation process for crime laboratories. The SWGDE works with ASCLD/LAB to write the criteria. North Carolina’s State Bureau of Investigation is the first laboratory to become accredited in digital evidence—the official act that makes digital forensics an accepted forensic science discipline.
2004: The SWGDE releases version 1.0 of its “Best Practices” on November 15 at www.swgde.org.
2006: The SWGDE releases version 2.0 of its “Best Practices” on April 12, with version 2.1 released on July 19.
2006: A June 6 article by Jon Swartz, “Cybercrime Spurs College Courses in Digital Forensics,” in USA Today reports, “About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University, and the University of Central Florida. Five years ago there were only a handful.”
2006: A new journal is developed: the Journal of Digital Forensic Practice.
2007: The SWGDE “Best Practices for Forensic Audio” is posted online for comment at www.swgde.org.
2007–2008: On August 3, the executive board of the American Academy of Forensic Sciences (AAFS) approves the formation of a section for digital evidence pending a bylaws change at the February meeting in 2008. Zeno Geradts, C. M. Whitcomb, Dave Baker, and Mark Pollitt are elected to ad-hoc positions in this proposed section.
2008: The International Association for Forensic Sciences (IAFS) will hold its triennial meeting in New Orleans. C. M. Whitcomb will serve as chair of the Digital Evidence Session and will be in charge of developing the session’s program.
2008–2009: Consensus for the Digital Forensic Certification Board (DFCB) will be developed via NIJ funding and donations, an ongoing process begun in 2005. The goal of the DFCB is to offer the basic certification pilot test in 2008–2009.
Note: The author invites others to submit their history as it relates to this topic via e-mail to email@example.com.
1See the RCFL Web site: www.rcfl.gov.
2Donald A. Norman, The Invisible Computer (Cambridge, Mass.: MIT Press, 1998), 3.
3U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, “National Computer Security Survey,” http://www.ojp.usdoj.gov/bjs/survey/ncss/ncss.htm (accessed September 28, 2007).
4U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, “Cybercrime against Businesses: Pilot Test Results, 2001 Computer Security Survey,” by Romona R. Rantala, Technical Report, NCJ 200639, March 2004, http://www.ojp.usdoj.gov/bjs/pub/pdf/cb.pdf (accessed October 1, 2007).
5See the SWGDE Web site for more information: www.swgde.org.
6Scientific Working Group on Imaging Technologies, “Definitions and Guidelines for the Use of Imaging Technologies in the Criminal Justice System,” Forensic Science Communications 1, no. 3 (October 1999), http://www.fbi.gov/hq/lab/fsc/backissu/oct1999/swgit1.htm (accessed September 28, 2007). Other SWGIT documents are hosted by the International Association for Identification (IAI; www.theiai.org).
7U.S. Department of Justice, Office of Justice Programs, National Institute of Justice, Electronic Crime Needs Assessment for State and Local Law Enforcement, by Hollis Stambaugh et al., NCJ 186276, March 2001, http://www.ncjrs.gov/pdffiles1/nij/186276.pdf (accessed September 28, 2007).
8See the NIJ Web site: http://www.ojp.usdoj.gov/nij/about.htm.
9See the CCIPS Web site: www.cybercrime.gov.
10See the ASCLD Web site: www.ascld.org.
11American Society of Crime Laboratory Directors, “About ASCLD,” http://www.ascld.org/about/?PHPSESSID=6cf2940a842cb22f48415d5198146dc1 (accessed September 28, 2007).
12See the ASCLD/LAB Web site: www.ascld-lab.org.
13See the NFSTC Web site: www.nfstc.org.
14“FQS-I Accredited Labs: ISO/IEC 17025 Accredited Laboratories,” Forensic Quality Services Web site, http://www.forquality.org/fqs_I_Labs.htm (accessed September 28, 2007).
15The Web sites of many of these laboratories can be accessed via “FQS-I Accredited Labs.”
16See the IAFS Web site for its upcoming conference in 2008: www.iafs2008.com.
17See the AAFS Web site for a membership application: www.aafs.org.
18Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).
19Thomas L. Bohan and E. J. Heels, “The Case against Daubert: The New Scientific Evidence ‘Standard’ and the Standards of the Several States,” Journal of Forensic Sciences 40, no. 6 (November 1995): 1030–1044.
20See the International Journal of Digital Evidence Web site at www.ijde.org.