Guidance on Digital Forensics

Guidance Software, Inc. Digital Forensics Blog

Digital Forensic Reporting – Part II (Writing Style)


By Andy Spruill

December 16, 2009

In my last blog I talked about what the courts expect of our reports as forensic experts. So what about our area of specialization, namely the field of Computer Science? Again, this field has been around a while and its reporting standards are well established.

The first thing to understand is that there are very specific and formalized writing “styles” that exist and are updated on a regular basis. These formalized styles will vary by country and the industry being served. For instance, here in the United States, the Associated Press (AP) Stylebook is followed by most newspapers; the medical industry generally uses the American Medical Association (AMA) Manual of Style; and, as many college students know, academia will generally follow the Modern Language Association of America (MLA) Style Manual.

In the world of the Computer Sciences, it is generally expected that any technical writings or research papers published within this field will follow the Institute of Electrical and Electronics Engineers (IEEE) Style. However, outside of an academic environment, this style is seen as overkill.

Knowing this and wanting to make for a more user-friendly environment, three of the major operating system manufacturers each published their own technical writing style guides using the IEEE Style as a foundation. Microsoft published its Microsoft Manual of Style for Technical Publications; Apple published its Apple Publications Style Guide; and Sun Microsystems published its Read Me First! A Style Guide for the Computer Industry. Of the three, I personally tend to follow the style as put forth by Microsoft. (Yes, I am a PC!)

The important thing to understand is that you should adopt one of the accepted writing styles within your industry and then adhere to it. This will allow you to put forward clean, consistent and professional reports.

The other part of writing within the Computer Sciences, and specifically in our discipline of Digital Forensics, is that we use a common set of terms and phrases. Like every profession, we have our own jargon that is meaningless to most laypersons. I recommend two basic references when defining these terms and phrases: the Microsoft Computer Dictionary and The Sedona Conference Glossary: E-Discovery & Digital Information Management.

In my last blog I showed what was expected by the courts when writing our reports and here we have what is expected within our area of specialization. In my next blog I will talk about what is expected by the modern forensic sciences.


Digital Forensic Reporting – Part I


By Andy Spruill

October 20, 2009


One of my favorite soap box issues to talk about is the current state of reporting within the digital forensic discipline. Over the years I’ve had the opportunity to read many digital forensic reports, both as a peer and as an opposing expert. In doing so I’ve noticed a lack of understanding in what is required when creating these reports. The biggest reason I’ve heard, as many of you have, is that there is no standard in this area for our discipline. Well, that’s simply not true.

The Forensic Sciences have been around for quite a while and there are clearly established standards when it comes to the reporting of forensic analysis and opinions. Our discipline brings to the table its own challenges, but every discipline does. In a prior blog entry, I mentioned that there are three basic areas you must master as a forensic specialist: Area Expertise, the Law, and Forensic Methodology. Reporting standards are well established in all three of these areas.

Let’s take a look at the Law first. After all, this is ultimately where most of the work we do will end up.

There are only two basic types of report you will write: an Analysis Report and an Expert Report. What makes your report one or the other? An Analysis Report is a straightforward presentation of the factual findings of any analysis of the evidence. If you provide any interpretation, opinions or conclusions based on those factual findings, then you’ve entered the realm of the Expert Report.

Which report do you need to write? The simple answer is to ask what type of witness you could potentially be designated as before the court. If a percipient witness (someone who will provide testimony to facts), you will write an Analysis Report. If an expert witness (someone who will be asked to provide an expert opinion), then you must write an Expert Report. It is not uncommon to have one forensic specialist carry out the procedural analysis and documentation, and then have a separate, perhaps more experienced, forensic specialist prepare and present an opinion based on the factual findings.(1)

The United States Federal courts have established some basic rules for Expert Witnesses (Federal Rules of Evidence 702, 703 and 705) and what type of reporting they are required to submit.

In federal criminal proceedings, both government and defense experts must, if requested by either side, present a written summary of any testimony they intend to give. This written summary must describe the witness's opinions, the bases and reasons for those opinions, and the witness's qualifications. (Federal Rule of Criminal Procedure 16 (a) (1) (G) and (b) (1) (C))

In federal civil proceedings, the rules regarding Expert Reports are expanded. Once an expert witness is disclosed, unless otherwise stipulated or ordered by the court, this disclosure must be accompanied by a written report. The report must contain (i) a complete statement of all opinions the witness will express and the basis and reasons for them; (ii) the data or other information considered by the witness in forming them; (iii) any exhibits that will be used to summarize or support them; (iv) the witness's qualifications, including a list of all publications authored in the previous 10 years; (v) a list of all other cases in which, during the previous 4 years, the witness testified as an expert at trial or by deposition; and (vi) a statement of the compensation to be paid for the study and testimony in the case. (Federal Rule of Civil Procedure 26 (a) (2) (B))

So right up front, we see that the courts have set requirements when it comes to reporting by forensic experts. In my next blog, we will take these requirements and then apply modern forensic methodology reporting standards.

(1) Historically, only the expert witness has been required to testify, but the recent and controversial U.S. Supreme Court decision in Melendez-Diaz v. Massachusetts (No. 07–591) held that forensic analysts’ reports are testimonial evidence, so the analyst who performed the work can be called to testify and face cross-examination as well, rather than the report alone being admitted.

So, you want to be a Digital Forensic Examiner?


By Andy Spruill

October 5, 2009


As I travel around and speak to various groups, I am constantly being approached by people who are excited about the prospect of moving into this fascinating discipline within the forensic sciences. Some are business owners wanting to expand their service offerings, some are seasoned individuals looking for a change in their current career paths, and some are students looking to find their calling in life. I, of course, encourage every one of them to pursue this desire. One of the greatest challenges our discipline currently faces is a shortage of well-trained and experienced personnel. It’s why I take time out of my life to spend several hours every week teaching at a local university. It has to start somewhere. But I digress and will save this point for another day.


In talking to them about this field, I tell all of them, right up front, that to be successful and respected in this field there are basically three areas in which they must build up some amount of expertise. Like a three-legged stool, each must be equally developed, or they will find themselves slipping off the stool or falling down entirely. They are:


Area Expertise. Most of them have this one pretty well developed. In our discipline we are talking about technical expertise in the digital world. Whether it’s in computer science, networking environments, or programming, they have to have some skill that puts them ahead of the everyday layperson. Training and experience in the specialty is a must-have requirement for any of the forensic disciplines, and ours is no different.

Unfortunately, many of them think that this one requirement is all that is required to make the jump successfully. Many have made this jump based on this requirement alone, and many have failed because they realized too late that they had neglected the other two basic requirements.

The Law. Forensics is all about one thing and one thing only: the presentation of scientific evidence in a court of law. I tell them they can’t play ball if they don’t know the rules of the game. They don’t have to be lawyers, but they do need to know what is required by the courts when seizing, analyzing and presenting digital evidence in legal proceedings: simple things like understanding Daubert / Frye, or where in the litigation process their work will fall and what will be required of them in each phase.

Courtrooms… Lawyers… Judges… Juries… Oh My!

Many of them have never experienced what is required to give a technical presentation in front of a group of people, much less have someone publicly challenge their findings and opinions. Simply put, it’s not for everyone, but it is ultimately where all of this is heading. This generally gives many of them some pause to think. So, on to the third and most important of the three legs of the stool:

Forensic Methodology. Understanding and following modern forensic practices and methods is essential. Digital forensics is only one of many forensic disciplines within the forensic sciences. Handling our medium has its own special requirements, just as all of the other disciplines have their own specific requirements. But there are some basic procedures that all must follow such as evidence handling, quality assurance controls, and documentation and reporting. Failure here generally means that all of the hard work and effort will have been for naught.

By this point in the conversation, many of them have come to realize that they have their work cut out for them before they can hang that shingle outside their doors. Invariably, they all ask what they can do to get these legs developed. Where can they go to get started? Well, here are some suggestions:

Formal Education. Seek out local universities and colleges that have Forensic Science programs. Many are now offering coursework specifically in the digital forensic discipline. Some of these institutions have integrated these courses into their existing full-time programs, like at Cal Poly Pomona. Others have built it into a certificate program in their extended education curriculum, like at Cal State – Fullerton.


Focused Training. Seek out training in specific tools and technologies, like those offered here at Guidance Software for the tools built on our EnCase technology.


Professional Associations. Seek out, join, and actively participate in one of the many professional associations and groups specializing in the forensic sciences or digital forensics. Groups like the High Technology Crime Investigation Association (HTCIA) or IACIS have local chapters all over the world.

Personal Development. If you have problems with public speaking, join a group like Toastmasters. If you are weak in technical writing, debate or critical thinking, take some courses at your local community college.

Don't Fool Yourself: Gangs Blog and Tweet Like We Do


By Andy Spruill

September 21, 2009


On Friday, August 14, 2009, California Judge William Froeberg confirmed the death penalty handed down by a jury a few weeks earlier for Jason Aguirre, a member of a known violent street gang in Orange County, California (located just south of Los Angeles). In August 2003, six years earlier almost to the day, Mr. Aguirre had gunned down a young teenage boy and critically wounded two other family members in a case of mistaken identity. For this, the jury found him guilty of first-degree murder with the special circumstance of committing the murder for the benefit of his gang.

What was it that convinced these twelve Californians from various walks of life to hand down the ultimate sentence? Was Mr. Aguirre's DNA recovered from the crime scene? No, his DNA was found on a bandana in a car that was used in the crime, but one he had been in many times, not just that night.


Were his fingerprints on the gun? Did the ballistics match up? No, the gun was never recovered. Though there were other perpetrators fingering him as the shooter, the motives behind their testimony could be easily challenged without something to give it some standing.


So what put Mr. Aguirre on California's death row? Big surprise here... Digital Evidence.


Yes, it’s true, gang members use the same powerful social mediums to communicate with one another just as we do.

Like many of you, I have seized and analyzed my fair share of digital devices. But by far, the ones that have proven themselves, time and again, to be a treasure trove of evidence and criminal intelligence have been those used by gang members. In their online chat sessions, gang members discuss activities that include the planning and execution of crimes, drug cultivation and distribution, and the buying and selling of weapons, to name just a few of the things I have seen. The social networking Web sites they visit glorify gang culture or promote their individual street gangs. These same gang members, who won't say a word to you when questioned, will have folder after folder full of digital photos documenting their gang life, everything from gang posturing to drug use and other crimes. Throughout all of their use of digital devices, they nearly always use their known gang monikers as their online identifiers.

I can't count the number of times I've received surprised reactions from not just laypersons, but fellow officers, when explaining what I routinely collect from gang members' devices. Here's what I hear: "They don't use that stuff, do they?" or "They're not that sophisticated. They're just street criminals." or "Really?"


Technology is simple to use by design. The simpler it is to use, the deeper its market penetration can go. You don't have to be an über-nerd anymore to use the most advanced of today's technology. This is good news for law enforcement groups that recognize the benefits of a computer forensics team that can build strong cases using the digital evidence that exists in just about every criminal case today.

I know this is the first blog I am posting and I wanted to drive home the point, right up front, that when we talk about digital forensics, we are talking about the forensic analysis of items that are a part of our everyday life. Things that permeate our society to the point that they are taken for granted and easily overlooked. Just like trace evidence, there is plenty there, if we just look.

By the way, if you want to learn more about the Aguirre case, Detective Tom Rackleff (the man responsible for luring me into the world of Digital Forensics) and I wrote an article published in Law Officer magazine this month. Here is the link to the online version of the article: http://www.lawofficer.com/news-and-articles/articles/lom/0508/caught_in_the_web.html.
