Characteristics of Digital Evidence
Paper documents and digital documents differ in at least five key ways that affect how each might be used as evidence (Table 1).
Table 1. Characteristics of Paper-Based and Digital Documents

| Characteristic | Paper-Based Documents | Digital Documents |
| --- | --- | --- |
| Storage | Cumbersome; organized | Volume not an issue; not well-organized |
| Backup | Backup is rare; stable; centralized | Backup is common; volatile; distributed |
| Copying | Copies are same as original; deliberate; no metadata | Copies exist of all versions; inadvertent; metadata present |
| Transmission | Traditional; perfect; one-to-one; distribution limited | Electronic; alterable; multicast; distribution unlimited |
| Security | Defined perimeter; lock-and-key | Global perimeter; encryption |
Table 1 shows some ways in which the storage of paper-based and digital documents
differ. Every piece of paper occupies some amount of space so that the storage of a large
quantity of documents requires a large amount of physical space. Computers store
documents electronically, and an incredible volume of information can be stored in a very
small area. Consider that 32 billion bytes (32 gigabytes) of storage, the equivalent of all
of the books in most public libraries, can fit onto a single thumb drive at a cost of less
than $100 (Anderson, 2008; Brown, 2010). Despite the volume, the filing cabinets in
which paper documents are stored are typically well organized and cataloged for retrieval
purposes, and folders are labeled to identify their contents. In the digital environment,
documents may not be as well organized, and a folder’s name may have no necessary
relationship to its contents; this seeming disorganization is offset by the fact that
computers have powerful text string search capabilities, making retrieval of a document
file relatively straightforward, regardless of its location. Individuals also sometimes
purposely use file or folder names that have nothing to do with the actual content as a
way of hindering a search, although this misdirection is less effective in the digital
environment.
Backing up documents is the second differentiator between physical and digital
documents. As suggested by Table 1, physical backup copies of physical documents are
rarely maintained because paper documents do not change over time (as long as the
environment is maintained and physical location protected), and the storage requirements
of a large quantity of paper documents can be significant. It is quite common, in contrast,
to find multiple backups of digital files due to the volatility of digital devices; failure of a
single hard drive could cause the loss of hundreds of thousands of files. In addition,
paper document storage is generally centralized at one or two locations, while digital
backups may be stored in multiple locations.
Copying documents is the third differentiator between physical and digital files, as
shown in Table 1. Copies of physical documents are typically made purposely and are
identical to the original. Copies of digital files may be made by an application, file
system, and/or operating system so that there are many copies of many versions of a file,
many of which are unknown to the user. Additionally, a digital backup of physical paper
is increasingly employed as companies attempt to reduce the volume of paper that is
stored. This approach is causing a shift in the evidentiary value of records that are
maintained electronically because when the original (paper) version is destroyed, the
digital copy becomes the best evidence. In addition,
digital files have metadata that describe a variety of characteristics about the file, whereas
physical documents have no such metadata.
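As an added illustration of the Copying row of Table 1 (this script is not part of the paper; the sample memo and file names are constructed), the following standard-library Python code copies a file two ways, alters a third copy, and records each file's content digest beside its file-system metadata. Every faithful copy shares the original's digest whatever its name or timestamps, the metadata (here the modification time) tells the copies apart, and a one-word edit changes the digest without changing the size.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content digest: identical for every faithful copy, regardless of name or location."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe(path: Path) -> dict:
    """File-system metadata that a paper document has no counterpart for ('Metadata present')."""
    st = path.stat()
    return {
        "name": path.name,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": sha256_of(path),
    }


def demo() -> dict:
    """Build a constructed original, two copies and an altered version; return their records."""
    work = Path(tempfile.mkdtemp())
    original = work / "memo.txt"
    original.write_bytes(b"Constructed sample memo, not a real document.\n")
    # Age the original by one day so a plain copy visibly receives a newer modification time.
    a_day_ago = time.time() - 86400
    os.utime(original, (a_day_ago, a_day_ago))
    plain = Path(shutil.copy(original, work / "memo_copy.txt"))        # content only
    faithful = Path(shutil.copy2(original, work / "memo_faithful.txt"))  # content and timestamps
    altered = work / "memo_altered.txt"
    # Same length, one word changed: size stays equal, digest does not.
    altered.write_bytes(original.read_bytes().replace(b"not", b"now"))
    return {
        "original": describe(original),
        "plain": describe(plain),
        "faithful": describe(faithful),
        "altered": describe(altered),
    }


if __name__ == "__main__":
    for label, record in demo().items():
        print(f"{label:9s} {record}")
```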
Document transmission presents another difference depicted in Table 1. In the
physical world, documents are generally sent from one party to another, employing a
copy of the original sent via postal service or courier. Barring some deliberate act by a
third party, the document that the recipient receives is the same physical document that
the sender sends, and because the sender seals a delivery package, the intermediary that
transports the document does not maintain a copy of it. In the digital world, a single file can be sent to a nearly unlimited distribution list
in a matter of seconds via e-mail, providing an opportunity for an unintended recipient to
see a document, a network error to alter a message, or the message to be intercepted by a
third party anywhere on the communication network. In addition, a single e-mail
message may be transported by multiple network providers in multiple countries, each of
which might maintain copies for some period of time on their servers.
Finally, Table 1 depicts differences in how security controls are applied to physical
and digital documents. The security perimeter of physical files extends to the boundaries
of the building where the documents are stored. In the digital environment, physical
devices on which files are stored are vulnerable to attacks that may come from an insider
or anyone on the Internet. In addition, individuals can easily transmit even protected files
via the Internet almost instantaneously.
Another security difference is in how files are secured from unwanted readers. In the
case of physical files, storage cabinets may be secured using a lock, and cabinets
themselves may be stored in a vault. If the key is lost, other methods can be used to open
the cabinet or vault to access the files. Digital files, in comparison, can be encrypted to
protect them from a third party. In the case of a lost encryption key, these files may be
beyond the reach of the rightful owner as well as the computer forensics examiner.
Huang and Frince (2007) detailed other challenges that digital evidence provides as
compared to traditional evidence. First, information on a computer may exist for a period
of time, ranging from a fraction of a second to many years. Second, useful information
on a computer might be found in an amount of data ranging from a single bit to a multi-
gigabyte file. Third, all of the relevant information on a computer may be found in a
single cluster on a hard drive or spread across many servers on the Internet.
Further, some types of data, such as audio recordings, may suffer from noise or
distortion that makes completely reliable analysis impossible, causing a tension between
good science and the legal standard of reasonable doubt. Indeed,
other types of evidence, such as photographic images, have historically had a high degree
of acceptability by judges and juries but can, today, be easily manipulated and altered.
There also may be legal hurdles associated with the acquisition and analysis of digital
data; in particular, defining the scope of a search warrant, subpoena, or search incident to
arrest may be difficult, given the interconnectivity of computing devices. A
final challenge is that correlating large data sets, demonstrating the nexus of the data to a
crime, and assembling all of the information as cogent evidence can be difficult. Indeed,
the management, processing, and analysis of digital evidence have been identified as
important subject areas for future research.
These differences in digital evidence and physical evidence have direct implications
for the practice of digital forensics. Kerr (2005b), for example, has identified
inconsistencies in Rule 41 of the Federal Rules of Criminal Procedure, which governs
search warrants (U.S. Courts, 2008b). Rule 41 states that search warrants should be
narrow in scope, clearly identify a specific time and place for the search, and specify the
evidence that is being sought. These requirements are generally easy to meet when
searching physical evidence.
The nature of digital evidence, however, usually requires that the entire store of digital
data is seized at the search warrant location, while the actual search of the hard drives and
other media to determine what information has probative value typically occurs at a
specialized lab well after the warrant has been served (Kerr, 2005b, 2010). In addition,
the search of digital evidence is often complicated by the large volume of digital evidence
(due to growing disk drive capacity) that is seized (Kenneally & Brown, 2005).