Young Forensic Scientists Forum Newsletter - January 2000

Computer Evidence Analysis: An Emerging Field in Forensic Science
As part of my curriculum as a Forensic Document Examiner Trainee, I have participated in many training classes. Most are the traditional classes—fundamentals of document examination, paper fiber analysis, typewriting, etc. But I also participated in a training class focusing on a newer type of document examination – computer analysis. Writing has progressed over the years from ink and feather pen, to ballpoint pen, to typewriters, and on to computers. Computer evidence analysis is greatly needed today, and as computer data is a natural progression of documents over time, it’s very relevant to our discipline.

The class, “Criminal Investigations in an Automated Environment Training Program,” was a two-week course presented by the Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia. It was geared toward investigators who have a working knowledge of computers and routinely investigate fraud and other computer crimes, such as Internet crimes and child pornography. The purpose was to acquaint us with the basics of investigative procedures in a computer environment. It also taught us the procedures used to analyze media seized pursuant to the execution of a search warrant. I was in the class with investigators from many different agencies at the city, county, and state level. We all had different law enforcement backgrounds, ranging from insurance investigators to district attorneys.

One of the most important things we learned was how to access the suspect’s computer without changing any data on the hard disk. For example, by turning on a computer utilizing a Windows operating system, files may be opened automatically, and dates associated with these files or other data may be altered. It is important to be able to show that no files were altered from the time you accessed the computer until you returned the computer.

Some of the things we concentrated on were the methods used for recovering erased and/or deleted data from floppy disks or the hard drive. Did you know that when you delete a file you are not actually removing it? Unless that area of the disk has been overwritten, the file can be recovered easily. And even if it has been overwritten, pieces or bits of files can be retrieved, even down to the cluster level – the smallest storage level of the drive. This proved very advantageous in one case in our lab where the suspect claimed not to have written an incriminating letter. The contents of the letter were later found on his hard drive. The file had been deleted and partially overwritten, but enough remained to identify the letter as having been generated on that computer.

We learned how to use different software programs that are designed specifically for this type of analysis. Some are only available to law enforcement agencies, but there is readily available software that is designed for other applications that is helpful in these analyses. The U.S. Department of Justice has guidelines for searching and seizing computers. These guidelines were used as a basis for instruction on the proper procedure for executing a search warrant, and how to confiscate a computer without losing any data.

Of course, as technology progresses, it becomes harder and harder to keep up with the “crooks” with their use of tricky software as well as the hardware. As hard drives become larger, it takes more time to perform each analysis. I am part of an agency-wide team, with one other document examiner and 16 investigators who perform computer analyses full-time. We meet every three to four months for a week at a time, and it seems like we never have enough time to cover everything that is constantly changing and being updated. So as the number of computers being used in crimes grows, and as technology improves, it appears that this new area of forensic science will continue to expand rapidly.
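
The article's point that a deleted, partially overwritten file can still be recovered at the cluster level is illustrated by the following added example, which is not from the article or the FLETC course. It assumes a FAT-style directory (the article does not name a file system), 512-byte clusters, and contiguous allocation; the image, file names, and contents are constructed sample data.

```python
import struct

CLUSTER = 512          # bytes per cluster in this constructed image (assumption)
ENTRY = 32             # size of one FAT directory entry
DELETED = 0xE5         # first name byte of a deleted FAT entry

def dir_entry(name, ext, start, size, deleted=False):
    """Build one 32-byte FAT-style directory entry (constructed sample data)."""
    raw = bytearray(name.ljust(8).encode() + ext.ljust(3).encode() + bytes(21))
    struct.pack_into("<HI", raw, 26, start, size)   # first cluster, file size
    if deleted:
        raw[0] = DELETED                            # deletion only flips this byte
    return bytes(raw)

def deleted_entries(directory):
    """Yield (name, first_cluster, size) for entries marked deleted."""
    for off in range(0, len(directory), ENTRY):
        e = directory[off:off + ENTRY]
        if e[0] == 0x00:                            # 0x00 marks end of directory
            break
        if e[0] == DELETED:
            start, size = struct.unpack_from("<HI", e, 26)
            name = "?" + e[1:8].decode().rstrip() + "." + e[8:11].decode().rstrip()
            yield name, start, size

def recover(data_area, start, size):
    """Read `size` bytes from contiguous clusters; cluster numbering starts at 2."""
    off = (start - 2) * CLUSTER
    return data_area[off:off + size]

def build_sample():
    """Constructed image: LETTER.TXT deleted, its 2nd cluster reused by NEW.DAT."""
    letter = (b"Dear Sir, " + b"A" * 502) + (b"B" * 300)   # 812 bytes, 2 clusters
    data = bytearray(letter.ljust(2 * CLUSTER, b"\x00"))
    data[CLUSTER:CLUSTER + 100] = b"Z" * 100               # partial overwrite
    directory = (dir_entry("LETTER", "TXT", 2, len(letter), deleted=True)
                 + dir_entry("NEW", "DAT", 3, 100) + bytes(ENTRY))
    return directory, bytes(data)

if __name__ == "__main__":
    directory, data = build_sample()
    for name, start, size in deleted_entries(directory):
        blob = recover(data, start, size)
        print(name, size, blob[:10], blob[CLUSTER:CLUSTER + 4], blob[-4:])
```

The first cluster of the deleted letter comes back intact, the first 100 bytes of its second cluster hold the new file's data, and the remainder of that cluster still holds the original text.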
Copyright © 1999 Young Forensic Scientists Forum / American Academy of Forensic Sciences