Distinguishing between single-scene, multiple-scene, and network crime scenes is based on:


As investigators systematically analyze crime scenes, certain aspects and patterns of the criminal's behavior should begin to emerge. Specifically, the behaviors that were necessary to commit the crime (modus operandi oriented behavior) and behaviors that were not necessary to commit the crime (motive or signature oriented behavior) may become evident if enough evidence is available. These characteristics can be used investigatively to link crimes that may have been committed by a single offender, thus changing investigators' understanding of the crime and offender. They can also lead to additional evidence and insights. For instance, realizing that an intruder broke into multiple computers on a network can result in more evidence, and the type of information on these systems can reveal an offender's true motive.

Most investigators are familiar with the concept of MO but may not realize that it is derived from a careful reconstruction of crime scene characteristics.

Crime scene characteristics are the distinguishing features of a crime scene as evidenced by an offender's behavioral decisions regarding the victim and the offense location, and their subsequent meaning to the offender. (Turvey 2002)

Such characteristics are derived from the totality of choices an offender makes during the commission of a crime. In addition to choosing a specific victim and/or target, an offender chooses (consciously or unconsciously) a location and time to commit the crime and a method of approaching the victim/target, a method of controlling the victim/target, whether or not tools will be brought or left behind, whether or not items will be taken from the scene, a method of leaving the location, and whether or how to conceal their actions. Each of these kinds of choices, and the skill with which they are carried out, evidence characteristics that establish an offender's modus operandi.

When offenders plan their crimes, they can have in mind a specific victim (someone who has wronged them), a type of victim (someone who represents a group that has wronged them), or a victim of opportunity (someone they can easily find and control with limited fear of detection and subsequent consequences). The amount of planning related to victim selection, approach, and control varies depending on victim type; specific victims tend to involve the most planning and victims of opportunity tend to involve the least. The victim type becomes evident after a careful study of the location that was selected to commit the crime, as well as a careful study of the victim themselves. For example:

  • With a specific victim in mind, an offender needs to plan around a specific set of pre-established variables. To complete a successful attack, the offender must know where the victim will be at a certain time, whether or not they are prepared for an attack, and how to exploit their particular set of vulnerabilities. For example, a woman who walks the same route after work, a bank that opens its vaults at a set time, or an organization that makes certain bulk transactions every evening can all be easily targeted by someone who has observed their schedule.

  • With a general type of victim in mind, an offender may regularly troll specific types of locations. Some sexual predators frequent playgrounds and online chat rooms to acquire children and others hang out at singles bars to acquire women. Still other sexual predators will troll a location of convenience, perhaps constrained by an inability to travel, and victimize family members, a neighbor, or neighbor's child.

  • When any victim will fulfill an offender's needs, an offender might trawl a convenient or comfortable location hosting a variety of victim types until a victim happens to come along. This includes shopping malls, parking lots, public parks, and individuals simply walking on the roadside. Alternatively, the offender might, on an impulse, attack the nearest available person. In such cases, the location of choice would be a reflection of the offender's regular habits and patterns.

In all of the above scenarios, the crime scene has certain characteristics that appeal to the offender. When performing an investigative reconstruction, it is important to examine carefully these characteristics and determine why they appealed to the offender. Neglecting to analyze the characteristics of a crime scene, or failing to identify correctly the significance of a crime scene can result in overlooked evidence and grossly incorrect conclusions.

Networks add complexity to crime scene analysis by allowing offenders to be in a different physical location than their victims or targets and furthermore allow them to be in multiple places in cyberspace. In essence, criminals use computer networks as virtual locations thus adding new characteristics and dimensions to the crime scene. For example, chat rooms and news-groups are the equivalent of town squares on the Internet providing a venue for meetings, discussions, and exchanges of materials in digital form. Criminals use these areas to acquire victims, convene with other criminals, and coordinate with accomplices while committing a crime.

CASE EXAMPLE

Some groups of computer intruders meet on IRC to help each other gain unauthorized access to hosts on the Internet. If the owner of a system that has been broken into does not notice the intrusion, word gets around and other computer intruders take advantage of the compromised system. Thus, a group of computer intruders become squatters, using the host as a base of operations to experiment and launch attacks against other hosts. IRC functions as a staging area for this type of criminal activity, and investigators sometimes can find relevant information by searching IRC using individualizing characteristics of the digital evidence that the intruders left at the primary crime scene: the compromised host.

Criminals choose specific virtual spaces that suit their needs and these choices and needs provide investigators with information about offenders. An offender might prefer a particular area of the Internet because it attracts potential victims or because it does not generate much digital evidence. Another offender might choose a virtual space that is associated with their local area to make it easier to meet victims in person. Conversely, an offender might select a virtual space that is far from their local area to make it more difficult to find and prosecute them (Figure 5.3).


Figure 5.3: Offender in Europe, victim in the United States, crime scenes spread around the world on personal computers and servers (AOL in Virginia).

When a crime scene has multiple locations on the Internet, it is necessary to consider the unique characteristics of each location to determine their significance, such as where they are geographically, what they were used for, and how they were used. An area on the Internet can be the point of contact between the offender and victim and can be the primary scene where the crime was committed, or secondary scene used to facilitate a crime or avoid apprehension. The type of crime scene will dictate how much evidence it contains and how it will be searched. For example, a primary scene on a local area network will contain a high concentration of evidence (many bits per square inch) and can be searched thoroughly and methodically. Conversely, when secondary scenes are on the Internet, evidence might be scattered around the globe making a methodical search impractical and making any investigative direction towards a competent reconstruction all the more valuable.

5.3.1 Method of Approach and Control

How the offender approaches and obtains control of a victim or target is significant, exposing the offender's confidences, concerns, intents, motives, etc. For example, an offender might use deception rather than threats to approach and obtain control because he/she does not want to cause alarm. Another offender might be less delicate and simply use threats to gain complete control over a victim quickly.

An offender's choice of weapon is also significant. For practical or personal reasons an offender might choose a lead pipe, a gun, or a computer connected to a network to get close to and gain control over a victim or target. Criminals use computer networks like a weapon to terrorize victims and break into target computer systems. Although a criminal could visit the physical location of their victims or targets, using a network is easier and safer, allowing a criminal to commit a crime from home (for comfort) or from an innocuous Internet cafe (for anonymity).

When an offender uses a network to approach and control a victim, the methods of approach and control are predominantly verbal since networks do not afford physical access/threats. These statements can be very revealing about the offender so investigators should make an effort to ascertain exactly what the offender said or typed. The way a computer intruder approaches, attacks, and controls a target can give investigators a clear sense of the offender's skill level, knowledge of the computer, intents, and motives. Crime scene characteristics of computer intrusions are described more fully in Chapter 19.

Different offenders can use the same method of approach or control for very different reasons. Subsequently, it is not possible to make reliable generalizations based on individual crime scene characteristics. For example, one offender might use threats to discourage a victim from reporting the crime whereas another offender might simply want control over the victim regardless of the surrounding circumstances. Therefore, it is necessary to examine crime scene characteristics in unison, determining how they influence and relate to each other.

5.3.2 Offender Action, Inaction and Reaction

Seemingly minor details regarding the offender can be important. Therefore, investigators should get in the habit of contemplating what the offender brought to, took from, changed or left at the crime scene. For instance, investigators might determine that an offender took valuables from a crime scene, indicating a profit motive. Alternatively, investigators might determine that an offender took a trophy or souvenir to satisfy a psychological need. In both cases, investigators would have to be perceptive enough to recognize that something was taken from the crime scene.

Although it can be difficult to determine if someone took a copy of a digital file (e.g. a picture of a victim or valuable data from a computer), it is possible to do so. Investigators can use log files to glean that the offender took something from a computer and might even be able to ascertain what was taken. Of course, if the offender did not delete the log files investigators should attempt to determine why the offender left such a valuable source of digital evidence. Was the offender unaware of the logs? Was the offender unable to delete the logs? Did the offender believe that there was nothing of concern in the logs? Small questions like these are key to analyzing an offender's behavior.
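The kind of log analysis described above, as an added example that is not part of the original text: it parses constructed syslog lines modelled on the OpenSSH sshd/sftp-server format, lists the files a session actually read (candidates for what was taken), and flags long silences in the log that should be checked against other sources before anyone concludes entries were removed. The host name, user, addresses, paths, process ids and the assumed year are all hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on OpenSSH sshd/sftp-server syslog lines; the host
# name, user, addresses, paths and pids are hypothetical, not from any real case.
SAMPLE_LOG = """\
Feb 28 03:09:41 project-db sshd[4131]: Accepted publickey for build from 10.1.20.7 port 51022 ssh2
Feb 28 03:09:42 project-db sftp-server[4132]: session opened for local user build from [10.1.20.7]
Feb 28 03:10:05 project-db sftp-server[4132]: open "/projects/db/schema.sql" flags READ mode 0644
Feb 28 03:10:06 project-db sftp-server[4132]: close "/projects/db/schema.sql" bytes read 48211 written 0
Feb 28 03:11:17 project-db sftp-server[4132]: open "/projects/db/design.doc" flags READ mode 0644
Feb 28 03:11:19 project-db sftp-server[4132]: close "/projects/db/design.doc" bytes read 902144 written 0
Feb 28 03:13:02 project-db sftp-server[4132]: open "/projects/db/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Feb 28 03:13:02 project-db sftp-server[4132]: close "/projects/db/notes.txt" bytes read 0 written 12
Feb 28 05:41:30 project-db sshd[4131]: Received disconnect from 10.1.20.7 port 51022
"""

LOG_YEAR = 2003  # syslog timestamps carry no year; assumed here from the case date

LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
OPEN_RE = re.compile(r'^open "([^"]+)" flags (\S+) mode')
CLOSE_RE = re.compile(r'^close "([^"]+)" bytes read (\d+) written (\d+)')


def parse_log(text):
    """Yield (timestamp, process, pid, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # leave malformed lines for manual review rather than guess
        mon, day, clock, _host, proc, pid, msg = m.groups()
        ts = datetime.strptime(f"{LOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield ts, proc, pid, msg


def files_read(text):
    """Return {pid: [(path, bytes_read), ...]} for files opened for reading and
    actually read (bytes read > 0): candidates for data the offender took."""
    pending = {}  # (pid, path) -> flags recorded at open
    result = {}
    for _ts, proc, pid, msg in parse_log(text):
        if proc != "sftp-server":
            continue
        if m := OPEN_RE.match(msg):
            pending[(pid, m.group(1))] = m.group(2).split(",")
        elif m := CLOSE_RE.match(msg):
            path, nread = m.group(1), int(m.group(2))
            flags = pending.pop((pid, path), [])
            if "READ" in flags and nread > 0:
                result.setdefault(pid, []).append((path, nread))
    return result


def find_gaps(text, max_gap=timedelta(hours=1)):
    """Return (start, end) pairs where consecutive entries lie further apart than
    max_gap. A gap is a lead, not proof: compare it with other sources (firewall
    logs, the session's disconnect record) before concluding entries were removed."""
    gaps = []
    prev = None
    for ts, *_ in parse_log(text):
        if prev is not None and ts - prev > max_gap:
            gaps.append((prev, ts))
        prev = ts
    return gaps


if __name__ == "__main__":
    for pid, files in files_read(SAMPLE_LOG).items():
        for path, nread in files:
            print(f"session {pid} read {nread} bytes from {path}")
    for start, end in find_gaps(SAMPLE_LOG):
        print(f"no entries between {start} and {end}: check other sources")
```

The write-only open of notes.txt is deliberately excluded: it shows the offender changed something at the scene, which is a separate question from what was taken, and the two should be reported separately.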

Investigators and digital evidence examiners will rarely have an opportunity to examine a digital crime scene in its original state and should therefore expect some evidence dynamics. Evidence dynamics are any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent, between the time evidence is transferred and the time the case is resolved. Offenders, victims, first responders, digital evidence examiners, and anyone else who had access to digital evidence prior to its preservation can cause evidence dynamics.

For instance, responding to a computer intrusion, a system administrator deleted an account that the intruder had created and attempted to preserve digital evidence using the standard backup facility on the system. This backup facility was outdated and had a flaw that caused it to change the times of the files on the disk before copying them. Thus, the date-time stamps of all files on the disk were changed to the current time making it nearly impossible to reconstruct the crime. As another example, during an investigation involving several machines, a first responder did not follow standard operating procedures and failed to collect important evidence. Additionally, evidence collected from several identical computer systems was not thoroughly documented making it very difficult to determine which evidence came from which system.

Media containing digital evidence can deteriorate over time or when exposed to fire, water, jet fuel, and toxic chemicals. Errors can also be introduced during the examination and interpretation of digital evidence. Digital evidence examination tools can contain bugs that cause them to represent data incorrectly, and digital evidence examiners can misinterpret data. For instance, while a digital evidence examiner was examining several log files, transcribing relevant entries for later reference, he transcribed several dates and IP addresses incorrectly. He misread 03:13 as 3:13 P.M., which resulted in the wrong dial-up records being retrieved, implicating the wrong individual. Similarly, he transcribed 192.168.1.54 as 192.168.1.45 in a search warrant and implicated the wrong individual.

These examples are only a small sampling - there are many other ways that evidence dynamics can occur.
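A check against the transcription errors described above, as an added example that is not part of the original text: it normalizes times to a 24-hour clock and IP addresses to canonical form, then compares each transcribed entry with the source record and names the likely cause of a mismatch (AM/PM conversion, transposed adjacent digits). The records are constructed; the two values that differ are the ones the text mentions, with the log assumed to use a 24-hour clock.

```python
import ipaddress
import re

# Constructed records: what the original log actually says (assumed 24-hour clock)
SOURCE_RECORDS = [
    {"id": "line-1", "time": "03:13", "ip": "192.168.1.54"},
    {"id": "line-2", "time": "14:02", "ip": "10.0.5.17"},
]
# Constructed transcription of the same records, as written into the examiner's notes
TRANSCRIBED = [
    {"id": "line-1", "time": "3:13 PM", "ip": "192.168.1.45"},
    {"id": "line-2", "time": "2:02 PM", "ip": "10.0.5.17"},
]

TIME_RE = re.compile(r"^\s*(\d{1,2}):(\d{2})\s*([AaPp]\.?[Mm]\.?)?\s*$")


def normalize_time(value):
    """Return a 24-hour "HH:MM" string; accepts "03:13", "15:13", "3:13 PM", "3:13 p.m.".
    A bare "3:13" is taken as 03:13, not 15:13, because that is how the log writes it."""
    m = TIME_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised time: {value!r}")
    hour, minute, meridiem = int(m.group(1)), int(m.group(2)), m.group(3)
    if meridiem:
        if not 1 <= hour <= 12:
            raise ValueError(f"invalid 12-hour time: {value!r}")
        hour = hour % 12 + (12 if meridiem.upper().startswith("P") else 0)
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"out of range: {value!r}")
    return f"{hour:02d}:{minute:02d}"


def normalize_ip(value):
    """Canonical text form; raises ValueError for anything that is not an IP address."""
    return str(ipaddress.ip_address(value.strip()))


def is_transposition(a, b):
    """True when a and b differ only by swapping two adjacent characters."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def check_transcription(source, transcribed):
    """Compare each transcribed record with its source record; return the discrepancies."""
    by_id = {r["id"]: r for r in source}
    normalizers = {"time": normalize_time, "ip": normalize_ip}
    issues = []
    for rec in transcribed:
        src = by_id.get(rec["id"])
        if src is None:
            issues.append({"id": rec["id"], "field": "id", "note": "no such source record"})
            continue
        for field, norm in normalizers.items():
            try:
                s_val, t_val = norm(src[field]), norm(rec[field])
            except ValueError as exc:
                issues.append({"id": rec["id"], "field": field, "note": str(exc)})
                continue
            if s_val == t_val:
                continue
            note = "value differs"
            if field == "ip" and is_transposition(s_val, t_val):
                note = "adjacent digits transposed"
            elif field == "time" and s_val[:2] != t_val[:2] and s_val[2:] == t_val[2:]:
                note = "hour differs: likely AM/PM or 24-hour conversion error"
            issues.append({"id": rec["id"], "field": field, "source": s_val,
                           "transcribed": t_val, "note": note})
    return issues


if __name__ == "__main__":
    for issue in check_transcription(SOURCE_RECORDS, TRANSCRIBED):
        print(issue)
```

Running the check before a transcribed value goes into a warrant or report is cheap; the harder discipline is keeping the source record (or its hash) alongside the transcription so that the comparison is still possible later.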

CASE EXAMPLE (UNITED STATES v. BENEDICT):

Lawrence Benedict was accused of possessing child pornography found on a tape that he exchanged with another individual named Mikel Bolander who had been previously convicted of sexual assault of a minor and possession of child pornography. Benedict claims that he was exchanging games with many individuals and did not realize that the tape contained child pornography. Although Benedict initially pleaded guilty purportedly based on advice from his attorney, he changed his plea when problems were found in digital evidence relating to his case. A computer and disks that the defense claimed could prove Benedict's innocence were stored in a post office basement that experienced several floods. The water damage caused the computers to rust and left a filmy white substance encrusted on the disks (McCullagh 2001). Furthermore, after Bolander's computer was seized, police apparently copied child pornography from the tape allegedly exchanged by Bolander and Benedict onto Bolander's computer for examination. Police also apparently installed software on Bolander's computer to examine its contents and files on the computer appeared to have been added, altered, and deleted while it was in police custody. According to the defense:

On February 2, 1995, Robert Davis of the San Diego Police Department, while examining the computer evidence, placed computer programs and evidentiary files onto the Bolander C-drive. The programs, which Davis supplied himself, were used to download the evidentiary files from tape onto the computer for examination. As I discussed in my previous affidavits, this is an unacceptable practice since it destroys the integrity of the original evidence. Davis's excuse was that he had no other computer available to perform a forensic analysis. However, it can be shown that files were also deleted from the Bolander C-drive while said evidence was in custody in San Diego. Not only were the files that Davis downloaded onto Bolander's drives deleted, but also a large number of files that he did not download were deleted while said drives were in the custody of the San Diego Police. In addition, attempts were made to completely "wipe" (obliterate all evidence of previous existence) these files from the computer. Among these files were "MB" letters, including MB626, MB57, MB51, and M425. (Littlefield 2002)

Bolander's computer was destroyed before Benedict's sentencing. Additionally, a floppy disk containing evidence was mostly overwritten, presumably by accident. The evidence dynamics in this case created a significant amount of controversy.

Evidence dynamics creates investigative and legal challenges, making it more difficult to determine what occurred and making it more difficult to prove that the evidence is authentic and reliable. Additionally, any conclusions that a forensic examiner reaches without the knowledge of how evidence was changed will be open to criticism in court, may misdirect an investigation, and may even be completely incorrect.

Writing a report is one of the most important stages of the investigative reconstruction process because, unless findings are communicated clearly in writing, others are unlikely to understand or make use of them.

The two types of reports most commonly associated with an investigative reconstruction are Threshold Assessments and Full Investigative Reports. A Threshold Assessment is an investigative report that reviews the initial physical evidence of crime related behavior, victimology, and crime scene characteristics for a particular unsolved crime, or a series of potentially related unsolved crimes, to provide immediate investigative direction. This type of report is more common because it requires less time and is often sufficient to bring an investigation to a close. Although a Threshold Assessment is a preliminary report, it still involves the employment of scientific principles and knowledge, including Locard's Exchange Principle, critical thinking, analytical logic, and evidence dynamics.

A Full Investigative Report follows the same structure as a Threshold Assessment but includes more details and has firmer conclusions based on all available evidence. A full report is useful in particularly complex cases and can be useful when preparing for trial because it highlights many of the weaknesses that are likely to be questioned in court. Additionally, a Full Investigative Report provides the foundation for further analysis such as criminal profiling.

A common format for these reports is provided here:

  1. Abstract: summary of conclusions;

  2. Summary of examinations performed:

    • examination of computers, log files, etc.

    • victim statements, employee interviews, etc.

  3. Detailed Case Background;

  4. Victimology/Target Assessment;

  5. Equivocal Analysis of others' work:

    • missed information or incorrect conclusions;

  6. Crime Scene Characteristics:

    • may include offender characteristics;

  7. Investigative Suggestions.

Two fictitious Threshold Assessments are provided here to demonstrate their structure and purpose. The first involves a homicide involving computers, very loosely based on The Name of the Rose by Umberto Eco. The second involves a computer intrusion.

5.5.1 Threshold Assessment: Questioned Deaths of Adelmo Otranto, Venantius Salvemec, And Berengar Arundel

Complaint received: November 25, 1323

Investigating Agencies: Papal Inquisition, Avignon, Case No. 583

Report by: William Baskerville, Independent Examiner, appointed by Emperor Louis of Germany

For: Abbot of the Abbey

After reviewing case materials detailed below, this examiner has determined that insufficient investigation and forensic analysis have been performed in this case. That is to say, many of the suggested events and circumstances in this case require verification through additional investigation before reliable inferences about potentially crime related activity and behavior can be made. To assist the successful investigation and forensic analysis of the material and evidence in this case, this examiner prepared a Threshold Assessment.

Examinations Performed

The examiner made this Threshold Assessment of the above case based upon a careful examination of the following case materials:

  • IBM laptop and associated removable media formerly the property of Adelmo Otranto;

  • Solaris workstation belonging to the Abbey, formerly used by Venantius Salvemec;

  • personal digital assistant formerly the property of Adelmo Otranto;

  • mobile telephone formerly the property of Venantius Salvemec;

  • various log files relating to activities on the Abbey network;

  • interviews with the abbot and other members of the Abbey;

  • postmortem examination reports by Severinus Sankt Wendel.

Case Background

All deaths in this case occurred in an Abbey inhabited by monks who cannot speak, having sworn an oath of silence before cutting off their own tongues. On November 21, Adelmo Otranto went missing; his body was found on November 23 by a goatherd at the bottom of a cliff near the Abbey, and postmortem examination revealed anal tearing but no semen. Biological evidence may have been destroyed by a heavy snowfall on the night of his disappearance. On November 26, Venantius Salvemec's body was found partially immersed in a barrel of pig's blood that swineherds had preserved the previous day for food preparation. However, the cellarer later admitted to finding Salvemec's corpse in the kitchen, but moved the body to avoid questions about his nocturnal visits to the kitchen. A postmortem examination indicated that Salvemec had died by poison but the type of poison was not known. On November 27, Berengar Arundel's body was found immersed in a bath of water, but the cause of death appeared to be poison rather than drowning.

Victimology

All victims were Caucasian male monks residing at the Abbey in cells, working in the library translating, transcribing, and illuminating manuscripts. Details relating to each victim obtained during the investigation are summarized here.

  • Adelmo Otranto

  • Age: 15

  • Height: 5' 2"

  • Weight: 150lbs.

  • Relationship Status: According to written statements made by Berengar Arundel, he pressured Adelmo into having sexual intercourse the night before his body was found at the bottom of the cliff.

  • Social history: According to the abbot, Adelmo had problems socializing with children his own age.

  • Family history: Unknown

  • Medical and mental health history: Adelmo was known to chew herbs that induced visions.

  • Lifestyle risk: This term refers to ... Based on even the limited information available to this examiner, Adelmo was at a high overall lifestyle risk of being the victim of sexual exploitation. In addition to taking drugs and being sexually active in the Abbey, Adelmo participated in relationship-oriented online chat and communicated with adult males who were interested in him sexually. During these sexually explicit exchanges, he revealed personal, identifying information including pictures of himself. At least one adult on the Internet sent Adelmo child pornography in an effort to break down his sexual inhibitions.

  • Incident risk: High risk of sexual assault because fellow monks and adults via the Internet were grooming him. Unknown risk of exposure to poison without understanding of how poison got into his system.

  • Venantius Salvemec

  • Age: 16

  • Height: 5' 5"

  • Weight: 145 lbs.

  • Relationship Status: According to interviews, Venantius accepted presents from older monks and received packages from individuals outside the Abbey. Additionally, he received frequent messages and photographs on his mobile phone, some of a sexual nature.

  • Social history: Well liked by all and close friends with Adelmo and Berengar.

  • Family history: Unknown

  • Medical and mental health history: None available

  • Lifestyle risk: Insufficient information available to determine lifestyle risk

  • Incident risk: Medium to high risk of sexual assault and poisoning given his close friendship with the other victims, older monks, and individuals outside the Abbey.

  • Berengar Arundel

  • Age: 15

  • Height: 5' 4"

  • Weight: 130 lbs.

  • Relationship Status: Sexually active with other young monks in the Abbey

  • Social history: According to the abbot, problems socializing with children his own age.

  • Family history: According to interviews with other monks, Berengar lived alone with his mother prior to coming to the Abbey. Berengar expressed disdain for his parents and was sent to the Abbey after setting fire to a local landlord's barn. His father moved away from the area after being accused of physically and sexually abusing Berengar.

  • Medical and mental health history: According to Severinus Sankt Wendel, Berengar made regular visits to the Abbey infirmary for various ailments. Severinus believes that Berengar had Attention Deficit Disorder (ADD).

  • Lifestyle risk: Based on the likelihood of sexual abuse by his father, sexual activities with other monks, and behavioral and medical problems, Berengar was at a high overall lifestyle risk of being the victim of sexual exploitation.

  • Incident risk: Medium to high risk of sexual assault and poisoning given his close friendship with the other victims, older monks, and individuals outside the Abbey.

Equivocal Analysis

Given the exigent circumstances surrounding this investigation, this examiner has only made a preliminary examination of digital evidence relating to this case. A summary of findings is provided here and details of this preliminary examination are provided in a separate report "Digital Evidence Examination for Case No. 583".

  • Each victim communicated with many individuals on the Abbey network and Internet, resulting in a significant amount of digital evidence. Some of these communications were of a sexual nature. Additional analysis is required to determine if any of these communications are relevant to this case.

  • Adelmo's laptop contained child pornography that was sent to him by an individual on the Internet using the nickname <>. The originating IP address in e-mail messages from this address corresponds to the Abbey's Web proxy. An examination of the Web proxy access logs revealed that several computers in the Abbey were used to access Yahoo.com around the times the messages were sent. Additionally, log files from the Abbey e-mail server show that all of the victims received messages from this address.

  • Adelmo's personal digital assistant contained contact and schedule information, in addition to what appears to be a personal diary. Unfortunately, entries in this diary appear to be encoded and have not been deciphered.

  • Venantius's mobile phone contained images of other monks in the nude. It is not clear whether these photographs were taken with the monks' knowledge, and additional analysis of the telephone and associated records is required to determine whether these photographs were taken using the digital camera on the telephone or downloaded from somewhere else.

  • Exhume Adelmo's body to determine if he died by poison.

Crime Scene Characteristics

  • Location and type: The specific locations of the primary scenes where the victims were exposed to poison are unknown. The victims' bodies were found in locations that were frequented by others in the Abbey.

  • Point of contact: Unknown

  • Use of weapons: Poison

  • Victim resistance: None apparent

  • Method of approach, attack, and control: How the victims were exposed to poison is unknown, and the existence of an offender in this case has not been firmly established.

  • Sexual acts: Unknown

  • Verbal behavior: Requires further analysis of online communications

  • Destructive acts: None

  • Evidence of planning and precautionary acts: Insufficient evidence to make a determination

  • Motivational aspects: Insufficient evidence to make a determination

Offender Characteristics

  • Sex: Investigative assumptions in this case to date have included the preconceived theory (treated as fact) that there was only one offender involved in these crimes and that this offender must be male. The first part of this assumption may not be correct. Berengar's lack of knowledge of and access to poisons weakens the hypothesis that he murdered Adelmo and Venantius, and that he committed suicide. The second part of this assumption cannot be supported or falsified using available evidence. The anal tearing could have occurred during sexual intercourse that might not be associated with the crimes. Even if the anal tearing were associated with the crimes, this would not be definitive proof of a male attacker since no semen was found.

  • Knowledge of/familiarity with location: It is still unclear if all of these deaths were caused by exposure to poison, and whether this exposure was accidental or malicious. If the exposure were malicious, the perpetrator would not necessarily require knowledge of the Abbey. A valuable item coated with or containing poison could have been delivered to one of the victims in any number of ways and may have subsequently found its way into the hands of the other victims.

  • Skill level: The fact that no apparent effort was made to conceal the bodies could be interpreted as low homicide-related skill because it increases the chances that the crime would be discovered. However, the offender has some skill administering poison.

  • Knowledge of/familiarity with victims: There is insufficient evidence to make a determination on this matter. Based on the available evidence, the victims in this case could have been either specifically targeted or chosen at random.

Investigative Suggestions

The following is a list of suggestions for further investigation and establishing the facts of this case:

  1. Examine Macintosh desktop belonging to the Abbey, formerly used by Berengar Arundel.

  2. After obtaining necessary authorization, examine all computers in the Abbey that were used to access Yahoo.com around the times that messages from <> were sent.

  3. After obtaining necessary authorization, perform keyword searches of all computers in the Abbey to determine whether the victims used computers other than those already seized.

  4. Using MD5 hash values of the image files, search all computers in the Abbey for copies of the child pornography found on Adelmo's laptop and for copies of the images of nude monks found on Venantius's mobile phone in an effort to determine their origin.

  5. Obtain Venantius Salvemec's mobile telephone records to determine who sent him text messages and photographs.

  6. Attempt to decipher Adelmo's diary.

  7. Look for hiding places in the victims' cells, library desks, and other locations they had access to in an effort to further develop victimology.

  8. Attempt to determine how Venantius gained access to the kitchen on the night of his death. The kitchen and adjoining buildings are locked in the evening and only the abbot, cellarer and head librarian have keys.

  9. Perform full investigative reconstruction using digital evidence and information from interviews to determine where the victims were and whom they communicated with between November 15 and November 27.
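The hash-based search in suggestion 4 above, as an added example that is not part of the original report: known exhibit files are hashed once, every file under a seized tree is hashed and compared by content (so renamed copies are found), and a SHA-256 match is recorded next to the MD5 match because MD5 collisions are feasible. The exhibit bytes and directory layout are constructed inside a temporary directory; nothing here refers to real case material.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def build_known_set(exhibits):
    """Map md5 -> (sha256, label) for the files already in evidence.
    exhibits: {label: path}."""
    known = {}
    for label, path in exhibits.items():
        md5, sha256 = file_digests(path)
        known[md5] = (sha256, label)
    return known


def search_tree(root, known):
    """Walk root and return [(relative_path, label, sha256_confirmed)] for every file
    whose MD5 matches a known exhibit. Matching is on content only, so renamed copies
    are found; SHA-256 is checked as well because MD5 collisions are feasible."""
    hits = []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            md5, sha256 = file_digests(path)
            if md5 in known:
                expected_sha, label = known[md5]
                hits.append((path.relative_to(root).as_posix(), label, sha256 == expected_sha))
    return sorted(hits)


def run_demo():
    """Build a constructed evidence tree in a temporary directory and search it."""
    exhibit_1 = b"constructed image A\n"  # stands in for an exhibit from the laptop
    exhibit_2 = b"constructed image B\n"  # stands in for an exhibit from the phone
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        exhibits_dir = tmp / "exhibits"
        exhibits_dir.mkdir()
        (exhibits_dir / "exhibit-1.jpg").write_bytes(exhibit_1)
        (exhibits_dir / "exhibit-2.jpg").write_bytes(exhibit_2)
        known = build_known_set({"exhibit-1": exhibits_dir / "exhibit-1.jpg",
                                 "exhibit-2": exhibits_dir / "exhibit-2.jpg"})
        # Tree to be searched: copies under other names, one edited copy, one unrelated file
        tree = tmp / "seized"
        for rel, data in {
            "library/scan.jpg": exhibit_1,
            "archive/backup.bin": exhibit_1,
            "phone/img_0042.jpg": exhibit_2,
            "phone/img_0043.jpg": b"constructed image B (edited)\n",
            "README.txt": b"unrelated\n",
        }.items():
            target = tree / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return search_tree(tree, known)


if __name__ == "__main__":
    for rel, label, confirmed in run_demo():
        print(f"{rel}: matches {label} (sha256 {'confirmed' if confirmed else 'MISMATCH'})")
```

The edited copy (img_0043.jpg) is not found, which is the limitation of exact hashing: a resized, re-encoded or cropped image has a different digest, so a negative result from this search says nothing about near-duplicates and a separate perceptual comparison is needed for those.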

The same type of analysis and report structure can be used in computer intrusion investigation. For instance, the following report pertains to an intrusion into an important system (project-db.corpX.com) containing proprietary information.

5.5.2 Threshold Assessment: Unauthorized Access to project-db.corpx.com

Complaint received: February 28, 2003

Investigating Agencies: Knowledge Solutions, Case No. 2003022801

Report by: Eoghan Casey

For: CIO, Corporation X

Case Background and Summary of Findings

On February 28, an intruder gained unauthorized access to project-db.corpX.com and Corporation X is concerned that the intruder stole valuable proprietary information. Based on an analysis of the available digital evidence in this case, this examiner has determined that the attack against project-db.corpX.com was highly targeted. The amount and type of information accessed by the intruder suggests that intellectual property theft is likely. The perpetrator had a significant amount of knowledge of the computer systems involved and the information they contained, suggesting insider involvement. The intruder used an internal system to perpetrate this attack; this system should be examined.

Examinations Performed

The examiner made this Threshold Assessment of the above case based upon a careful examination of the following case materials.

  • target computer system (project-db.corpX.com);

  • various log files relating to activities on target network;

  • configuration files of firewalls and routers on the target network;

  • memos and media reports describing organizational history and situation;

  • interviews with system administrators familiar with the target network and system.

Victimology of Target Organization
  • Organization name: Corporation X

  • Real space location: 1542 Charles Street, Suite B, Baltimore, MD, 21102

  • Purpose/role: Software development and sales

  • Type of product/service: Banking software

  • Operational risk: High risk because Corporation X has the largest market share in a highly competitive area. As a result, the value of Corporation X's products is high. Additionally, knowledge of the internal workings of this software might enable a malicious individual to manipulate banking systems for financial gain.

  • Incident risk: High risk because Corporation X recently went public and has received extensive media attention.

Victimology of Target Computer
  • Computer name: project-db.corpX.com

  • IP address: 192.168.1.45

  • Hardware: Sun Enterprise server

  • Operating system: Solaris 9

  • Real space location: Machine room, Corporation X

  • Purpose/role: Programming, file sharing, and project management

  • Contents (type of data on system): Design documents and source code for Corporation X's main products, along with project schedules and other project related information.

  • Physical assessment: Locked cabinet in machine room. Only two individuals have a key to the cabinet (the machine room operator and CIO).

  • Network assessment: Highly secure. All network services are disabled except for Secure Shell (SSH). Logon access is only permitted using SSH keys. Protected by a firewall that only permits network connections to the server on port 22 (SSH) from computers on the Corporation X network.

  • Operational risk: Low-medium risk because project-db.corpX.com is physically secure, has a good patch and configuration history, has no prior intrusions, and runs well-configured services. However, over one hundred (100) employees have authorized access to the system and database.

  • Incident risk: Low-medium risk because, although project-db.corpX.com contains valuable data, it is well patched and protected by configuration and hardware firewall.

Equivocal Analysis of Network Related Data

An examination of the digital evidence in this case provided additional details of the intruder's activities and revealed several discrepancies that had been overlooked. The main findings are summarized here and a detailed description of the digital evidence examination is provided in a separate report "Digital Evidence Examination for Case No. 2003022801".

  • An examination of the system indicates that most activity occurred on February 28 with many files accessed.

  • Although the server logs indicate that the intruder connected from an IP address in Italy, an examination of the Internet firewall configuration revealed that only internal connections are permitted. A connection from Italy would have been blocked, indicating that the server logs have been altered.

  • NetFlow logs confirm that the unauthorized access occurred on February 28 between 18:57 and 19:03 hours and that this was a focused attack on the target system. However, the source of the attack was another machine on the Corporation X network (workstation13.corpX.com), indicating that the intruder altered log files on the server to misdirect investigators.
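The cross-check that exposed the altered logs above, as an added example (not code from the original report): it parses OpenSSH-style "Accepted" lines from the server's own log, tests each claimed source address against the firewall policy the assessment describes (SSH only from the Corporation X network, assumed here to be 192.168.0.0/16), and looks for corroborating NetFlow records in the same time window. The log lines, NetFlow records, user name and addresses are constructed; the external address is taken from the 203.0.113.0/24 documentation range rather than any real Italian network.

```python
"""Cross-check a server's own login records against firewall policy and NetFlow.

Added example for this section, not code from the original report.  The log
lines, NetFlow records and addresses are constructed; the firewall policy
mirrors the one the assessment describes (tcp/22 only from the internal net).
"""
import ipaddress
import re
from datetime import datetime

TARGET = "192.168.1.45"                                      # project-db.corpX.com (from the report)
ALLOWED_SOURCES = [ipaddress.ip_network("192.168.0.0/16")]   # assumed internal range

# Constructed OpenSSH-style syslog lines as found on the (possibly altered) server.
SERVER_LOG = """\
Feb 28 18:57:12 project-db sshd[4123]: Accepted publickey for jdoe from 203.0.113.7 port 51022 ssh2
Feb 28 19:03:40 project-db sshd[4123]: Received disconnect from 203.0.113.7 port 51022
"""

# Constructed NetFlow export from a collector the intruder did not control:
# (start, end, src, dst, dst_port, packets).
NETFLOW = [
    ("2003-02-28 18:57:10", "2003-02-28 19:03:41", "192.168.1.213", TARGET, 22, 1840),
    ("2003-02-28 18:20:05", "2003-02-28 18:20:06", "192.168.1.9", TARGET, 22, 12),
]

LOGIN_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port"
)
FLOW_TS = "%Y-%m-%d %H:%M:%S"


def parse_logins(text, year=2003):
    """Yield (timestamp, user, claimed_src) for each accepted login in the log.
    Syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def permitted_by_firewall(src):
    """True if the firewall policy would let src reach the SSH port at all."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def netflow_sources(at, dst=TARGET, dst_port=22):
    """Source addresses NetFlow shows talking to dst:dst_port at time `at`."""
    srcs = set()
    for start, end, src, d, port, _packets in NETFLOW:
        if d != dst or port != dst_port:
            continue
        if datetime.strptime(start, FLOW_TS) <= at <= datetime.strptime(end, FLOW_TS):
            srcs.add(src)
    return srcs


def check_logins(text):
    """One finding per logged login: consistent, uncorroborated by NetFlow, or
    impossible under the firewall policy (the strongest sign of log tampering)."""
    findings = []
    for ts, user, src in parse_logins(text):
        seen = netflow_sources(ts)
        if not permitted_by_firewall(src):
            verdict = "impossible: claimed source blocked by firewall policy; log entry likely altered"
        elif src not in seen:
            verdict = "uncorroborated: claimed source absent from NetFlow; check collector coverage"
        else:
            verdict = "consistent"
        findings.append({"time": ts.isoformat(), "user": user, "claimed_src": src,
                         "netflow_srcs": sorted(seen), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in check_logins(SERVER_LOG):
        print(finding)
```

A claimed source that policy would have blocked is the stronger finding, because it cannot be explained by a gap in NetFlow collection; a source that is merely absent from NetFlow should be treated as suspect and confirmed against the collector's coverage before it is called tampering. The NetFlow sources reported alongside each finding are the candidates for the real origin of the session.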

Crime Scene Characteristics

Location and type: The primary scene is project-db.corpX.com. Secondary scenes in this crime include the Corporation X network and the other computer that the intruder used to perpetrate this attack. This other computer (workstation13.corpX.com) will contain digital evidence relating to the intrusion such as SSH keys, tools used to commit or conceal the crime, and data remnants from the primary scene (project-db.corpX.com) transferred during the commission of the crime. If workstation13.corpX.com was compromised, there will be another secondary crime scene - the computer that the intruder used to launch the attack. Once the original source of the attack is found, the computer and surrounding workspace should be searched thoroughly because this crime scene will contain the most digital evidence of the intruder's activities.

Point of contact: SSH daemon on project-db.corpX.com

Use of weapons/exploits: Legitimate user account and SSH key

Method of approach: Through workstation13.corpX.com

Method of attack: Gained target's trust using legitimate user account and SSH key

Method of control: Altering log files to misdirect investigators

Destructive/precautionary acts: Altered log files to misdirect investigators

Offender Characteristics

Knowledge of/familiarity with target system: The intruder had knowledge of, and authentication tokens for, an authorized account on the system. However, the intruder did not appear to know that the firewall was configured to block external connections (e.g. from Italy), since the altered logs claim a source the firewall could never have admitted. Additionally, the intruder did not appear to know that Corporation X maintained NetFlow logs that could be used to determine the actual source of the intrusion.

Knowledge of/familiarity with target information: There is no indication that the intruder scanned the network or probed any other machines prior to breaking into the target system. Once the intruder gained access to the target, very little time was spent exploring the system. The direct, focused nature of this attack indicates that the intruder knew what information he/she was looking for and where to find it.

Skill level: Any regular user of the target computer would have the necessary skills to access the system as the intruder did. However, the intruder was also capable of altering log files to misdirect investigators, indicating a higher degree of technical skill than an average user.

Investigative Suggestions

It is likely that the intruder is within the organization or had assistance from someone in the organization. The following is a list of suggestions for further investigation and establishing the facts of this case:

  • After obtaining necessary authorization, seize and examine the internal system that the intruder used to perpetrate this attack.

  • Interview the owner of the user account that the intruder used to gain access to project-db.corpX.com. Do not assume that this individual is directly responsible. Examine this individual's workstation for signs of compromise and try to determine if the intruder could have obtained this individual's SSH key and associated passphrase.

  • Find the original source of the attack and search the associated computer and workspace thoroughly. This secondary crime scene will contain the most digital evidence of the intruder's activities.

  • Determine how the intruder was capable of altering log files on the target system. This usually requires root access unless there is a system vulnerability or misconfiguration.

  • After obtaining necessary authorization, examine all computers on the Corporation X network for the stolen information.

It is worth reiterating that all conclusions should be based on fact and supporting evidence should be referenced in and attached to the report.





Investigative reconstruction provides a methodology for gaining a better understanding of a crime and focusing an investigation. Great clarity can emerge from objectively reviewing available evidence, performing temporal, relational, and functional analyses, and studying the victims and crime scenes. Although investigative reconstruction is an involved process, it can save time and effort in the long run by focusing an investigation from the outset. Furthermore, in many cases, a Threshold Assessment is sufficient, requiring less time than a full investigative reconstruction. However, in complex cases or when preparing a case for trial, a Full Investigative Report can be more useful.





Flusche K. J. (2001) Computer Forensic Case Study: Espionage, Part 1 Just Finding the File is Not Enough!, Information Systems Security, March–April 2001, Auerbach.

Geberth V. (1996) Practical Homicide Investigation, 3rd edn. New York, NY: CRC Press.

Horvath F. and Meesig R. (1996) "The Criminal Investigation Process and the Role of Forensic Evidence: A Review of Empirical Findings", Journal of Forensic Sciences 41 (6), 963–969.

Holmes R. (1996) Profiling Violent Crimes: An Investigative Tool, 2nd edn, Sage Publications.

Scott D. and Conner M. (1997) Chapter 2, in Haglund and Sorg (eds), Forensic Taphonomy: The Postmortem Fate of Human Remains, Boca Raton, FL: CRC Press.

Turvey B. (2002) Criminal Profiling: An Introduction to Behavioral Evidence Analysis, London: Academic Press.





California v. Westerfield (2002) Case No. CD165805, Superior Court of California, County of San Diego Central Division.





Overview

Brent E. Turvey

"All our lauded technological progress - our very civilization - is like the axe in the hand of the pathological criminal."

(Albert Einstein)

The purpose of this chapter is to discuss the development of computer and Internet technologies as they relate to both offender modus operandi and offender motive. That is to say, their impact on how and why criminals commit crimes. The context of this effort is informed by a historical perspective, and by examples of how computer and Internet technologies may and have influenced criminal behavior. It is hoped through this brief rendering that readers may come to appreciate that while technology and tools change, as does their language, the underlying psychological needs, or motives, for criminal behavior remain historically unchanged.





What the Internet is today was never intended or imagined by those who broke its first ground.

In 1969 the US Department of Defense's research arm, ARPA (the Advanced Research Projects Agency) began funding what would eventually evolve to become the technological basis for the Internet.[1]

Their intent was to create a mechanism for ensured communication between military installations. It was not their intent to provide for synchronous and asynchronous international person-to-person communication between private individuals, and the beginnings of a pervasive form of social-global connectedness. It was not their intent to create venues for trade and commerce in a digital-international marketplace. Nor was it their intent to place axes in the hands of pathological criminals in the form of robust and efficient tools for stealing information, monitoring individual activity, covert communication, and dispersing illicit material. Regardless, that technology, and every related technology subsequent to its evolution, provides for these things and much more.

The Internet began as an endeavor to help one group within the US Government share information and communicate within its own ranks on a national level. It has evolved into a system that provides virtually any individual with some basic skills and materials the ability to share information and contact anyone else connected to that system on an international level. Without exaggeration, the Internet and its related technologies represent nothing short of historically unparalleled global, trans-social, and trans-economic connectedness. In every sense it is a technological success.

However, history is replete with similar examples of sweet technological success followed by deep but unintended social consequences:

  • The American businessman, Eli Whitney, invented the cotton gin in 1793, which effectively cleaned the seeds from green-seeded inland cotton, bringing economic prosperity to the South and revitalizing the dying slave trade. This added much fuel to the engines which were already driving the United States towards civil war.

  • The American physician, Dr Richard J. Gatling, invented the hand crank operated rapid fire multi-barreled Gatling gun in 1862, which he believed would decrease the number of lives lost in battle through its efficiency. This led the way for numerous generations of multi-barreled guns with increased range and extremely high rates of fire. Such weapons have been employed with efficient yet devastating results against military personnel and civilians in almost every major conflict since. The efficiency of such weapons to discharge projectiles has not been the life saving element that Dr Gatling had hoped, but rather has significantly compounded the lethality of warfare.

  • The American theoretical physicist, J. Robert Oppenheimer, director of the research laboratory in Los Alamos, New Mexico, headed the US Government's Manhattan Project in the mid-1940s with the aim of unlocking the power of the atom, which resulted in the development of the atomic bomb. The atomic bomb may have been intended to end World War II and prevent the loss of more soldiers in combat on both sides. However, its use against the citizens of Japan in 1945 arguably signaled the official beginning of both the Cold War and the arms race between the United States and the Soviet Union, not to mention the devastation it caused directly, the impact of which is still felt today.

These simple examples do us the service of demonstrating that, historically, no matter what objective a technology is designed to achieve, and no matter what intentions or beliefs impel its initial development, technology is still subordinate to the motives and morality of those who employ it. Technology helps to create more efficient tools. Any tool, no matter how much technology goes into it, is still only an extension of individual motive and intent. Invariably, some individuals will be driven to satisfy criminal motives and intents.

Either through fear or misunderstanding, there are those who believe and argue that technology is to blame for its misuse. This is a misguided endeavor, and one that shifts the responsibility for human action away from human hands:

"It's something I call 'technophobia,'" says Paul McMasters, First Amendment ombudsman at the Freedom Forum in Arlington, Virginia. "Cyberpanic is all about the demonization of a new form of technology, where that technology is automatically perceived as a crime or a criminal instrument." (Shamburg 1999)

In the process of demonizing technology, it may be suggested that there are new types of crimes and criminals emerging. This is not necessarily the case. It is more often that computer and Internet technologies merely add a new dimension to existing crime. As Meloy (1998) points out, "The rather mundane reality is that every new technology can serve as a vehicle for criminal behavior." McPherson (2003) discusses the issue as it relates to computer fraud and forensic accounting:

Technology simply enables people to commit fraud on a larger scale.

...

"The computer has just given fraud another dimension."

In relation to computers, forensic accountants look for electronic footprints of people's actions. Previously, people created hard copies - it was easier to shred them and to interrupt an investigator's trail or auditing procedures. Now people try to delete files or keep them on other disks or hard drives.

Computers and the Internet are no different from other technologies adapted by the criminal. With this simple observation in mind we can proceed towards understanding how it is that criminals employ technology in the commission of their crimes.

[1]The development of the Internet is discussed in more detail in Chapter 15.





Modus operandi (MO) is a Latin term that means "a method of operating." It refers to the behaviors that are committed by a criminal for the purpose of successfully completing an offense. A criminal's MO reflects how they committed their crimes. It is separate from their motives, which have to do with why they commit their crimes (Burgess 1997; Turvey 2002).

A criminal's MO has traditionally been investigatively relevant for the case linkage efforts of law enforcement. However, it is also investigatively relevant because it can involve procedures or techniques that are characteristic of a particular discipline or field of knowledge. This can include behaviors that are reflective of both criminal and non-criminal expertise (Turvey 2002).

A criminal's MO consists of learned behaviors that can evolve and develop over time. It can be refined as an offender becomes more experienced, sophisticated, and confident. It can also become less competent and less skilful over time, decompensating by virtue of a deteriorating mental state or increased use of mind-altering substances (Turvey 2002).

In either case, an offender's MO behavior is functional by its nature. It most often serves (or fails to serve) one or more of three purposes (Turvey 2002):

  • protects the offender's identity;

  • ensures the successful completion of the crime;

  • facilitates the offender's escape.

Examples of MO behaviors related to computer and Internet crimes include, but are most certainly not limited to (Turvey 2002):

  • Amount of planning before a crime, evidenced by behavior and materials (e.g. notes taken in the planning stage regarding location selection and potential victim information, found in e-mails or personal journals on a personal computer).

  • Materials used by the offender in the commission of the specific offense (e.g. system type, connection type, software involved, etc.).

  • Presurveillance of a crime scene or victim (e.g. monitoring a potential victim's posting habits on a discussion list, learning about a potential victim's lifestyle or occupation on their personal website, contacting a potential victim directly using a friendly alias or a pretense, etc.).

  • Offense location selection (e.g. a threatening message sent to a Usenet newsgroup, a conversation had in an Internet Relay Chat room to groom a potential victim, a server hosting illicit materials for covert distribution, etc.).

  • Use of a weapon during a crime (e.g. a harmful virus sent to a victim's PC as an e-mail attachment, etc.).

  • Offender precautionary acts (e.g. the use of aliases, stealing time on a private system for use as a base of operations, IP spoofing, etc.).





As already alluded to at the beginning of this chapter, technology has long shared a relationship with criminal behavior. For example, without notable exception each successive advance in communications technology (including most recently the proliferation of portable personal computers and Internet related technologies) has been adopted for use in criminal activity, or has acted as a vehicle for criminal behavior. Some prominent examples include, but are not limited to:

  • Spoken language has been used to make threats of violence and engage in perjury.

  • Paper and pencil have been used to write notes to tellers during bank robberies, to write ransom notes in kidnappings, and to falsify financial documents and records.

  • The postal system has been used for selling non-existent property to the elderly, distributing stolen or confidential information, distributing illicit materials such as drugs and illegal pornographic images, the networking of criminal subcultures, and the delivery of lethal explosive devices to unsuspecting victims.

  • Telephones have been used for anonymous harassment of organizations and individuals, the networking of criminal subcultures, and for credit card fraud involving phony goods or services.

  • Fax machines have been used for the networking of criminal subcultures, distributing stolen or confidential information, and the harassment of organizations and individuals.

  • E-mail has been used for anonymous harassment of organizations and individuals, the networking of criminal subcultures, for credit card fraud involving phony goods or services, distributing stolen or confidential information, and distributing illicit materials such as illegal pornographic images.

  • Web sites have also been used for anonymous harassment of organizations and individuals, the networking of criminal subcultures, and for credit card fraud involving phony goods or services, distributing stolen or confidential information, and distributing illicit materials such as illegal pornographic images.

The proactive aspect of this relationship has been that criminals can borrow from existing technologies to enhance their current modus operandi to achieve their desired ends, or to defeat technologies and circumstances that might make the completion of their crime more difficult. If dissatisfied with available or existing tools, and sufficiently skilled or motivated, criminals can also endeavor to develop new technologies.

The result is a new technological spin on an existing form of criminal behavior.

In a variety of forms, computer and Internet technologies may be used on their own to facilitate or accomplish the following types of criminal activities:

  • victim selection;

  • victim surveillance;

  • victim contact/grooming;

  • stalking/harassment;

  • theft of assets such as money from bank accounts, intellectual property, identity, and server time;

  • destruction of assets such as money from bank accounts, intellectual property, identity, and network functions;

  • locating confidential and/or illicit materials;

  • gathering and storing confidential and/or illicit materials;

  • narrow dissemination of confidential and/or illicit materials;

  • broad dissemination of confidential and/or illicit materials.

The following examples are provided to illustrate some of these situations:

CASE EXAMPLE 1 (REUTERS 1997):

In August of 1997, a Swiss couple, John (52 years old) and Buntham (26 years old) Grabenstetter, were arrested at the Hilton in Buffalo, New York and accused of smuggling thousands of computerized pictures of children having sex into the United States.

The couple were alleged by authorities to have sold wholesale amounts of child pornography through the Internet, and carried with them thousands of electronic files of child pornography to the United States from their Swiss home. They were alleged to have agreed over the Internet to sell child pornography to US Customs agents posing as local US porn shop owners. They were alleged to have agreed to sell 250 CD-ROMs to US investigators for $10,000. According to reports, one CD-ROM had over 7,000 images.

It is further alleged that their two-year-old daughter, who was traveling with them at the time of their arrest, is also a victim. Authorities claim that photographs of their daughter are on the CD-ROMs her parents were distributing.

In Case Example 1, digital imaging technology and the Internet allegedly enhanced an existing MO, which consisted of manufacturing and marketing child pornography to other distributors. Alleged contact with international buyers was first made using Internet technologies, through which communications resulted in an agreement for sale of illicit materials. The illicit images were then alleged to have been digitized for transport, ease of storage, and ease of duplication once in the United States.

CASE EXAMPLE 2 (WIRED NEWS 1998):

From an article in Wired magazine from February 1998:

Police in four states say they're the victims of what amounts to a cybersex sting in reverse, the latest in a string of Internet pornography cases getting headlines around the United States.

The News & Observer of Raleigh, North Carolina, reports that the officers encountered a 17-year-old Illinois girl in chat rooms - and that their e-mail relationships quickly became sexually explicit. The girl then told her mother about the contacts with deputies in Virginia, North Carolina, Georgia, and Texas, and her mother informed authorities in those states. Discipline followed.

The chain of events - which included one North Carolina deputy sending the girl a photograph of his genitals - led an attorney for one of the officers to decry what he suggests was a setup.

"This young woman has gone around the country, as best we can determine, and made contact with a very vulnerable element of our society - police officers - and then drawn them in and alleged some type of sexual misconduct," said Troy Spencer, the attorney for one suspended Virginia officer. "She's a cyberspider."

The same teenager from the above instances, who acted under the alias "Rollerbabe," was connected to other similar incidents which were published in The News & Observer of North Carolina in November of 1998 (Jarvis 1998):

"... Earlier this year, Wake County sheriff's deputies were accused of taking advantage of a Midwestern teenager in an Internet sex scandal that eventually snared law enforcement officers in several states.

Now another officer has been caught in the Web, raising questions about who is snaring whom. A rural county sheriff in Illinois said this week that he had been enticed into a romantic e-mail correspondence with "Rollerbabe" - who claimed to be an athletic, 18-year-old blonde from suburban Chicago named Brenda Thoma. The summer relationship surfaced this month when her mother complained to county officials about it.

That pattern also emerged in Wake County and in three other states - prompting one officer's attorney to call the young woman a "cyberspider" - where e-mail friendships between law enforcement officers and Rollerbabe escalated into sexually explicit electronic conversations. Scandals broke out when her mother, Cathy Thoma, 44, complained to the officers' superiors. One officer whose career was ruined by the encounter, former Chesapeake, Va., police detective Bob Lunsford, said Friday that he is convinced the young woman's mother is involved with the e-mail. No one has brought criminal charges against the pair, nor has any one claimed that the women did anything illegal.

In March, Mrs Thoma insisted her daughter was courted by the police officers whom she trusted after meeting them online. She said she wasn't troubled by her daughter's computer habits. The Thoma family - a husband and wife and several children - was living in Manhattan, Ill., until several weeks ago when they moved to Lansing, Mich. An e-mail request for comment about the incident with the sheriff brought a brief response Friday, signed by someone identifying herself as Brenda Thoma.

... Earlier this week, (Paul) Spaur, 56, a Clinton County, Ill., sheriff, acknowledged carrying on an Internet romance with Rollerbabe from his county computer this summer. When Mrs Thoma complained to county officials, Spaur said he had done nothing wrong but offered to pay $1,222 for 679 hours worth of phone bills spent on the computer.

... In January, Wake County Sheriff John H. Baker Jr. suspended seven deputies and demoted one of them because some of the officers had e-mail conversations with Rollerbabe while on duty; their supervisors were punished because it happened on their watch. Mrs Thoma said the deputy who was demoted had initiated the relationship and sent nude photos of himself over the Internet, but Baker said there was no way to prove who was depicted in the photos.

... Shortly afterward, it was discovered that officers in Virginia, Texas, and Georgia had had similar encounters with Rollerbabe. An officer in Richland, Texas, resigned after Mrs Thoma complained about the relationship.

Lunsford, the Virginia detective, was publicly humiliated when he was suspended and a local TV station referred to the investigation as a child pornography case, because the girl was then 17. Before that he had won several commendations, including for saving another police officer's life. In May, the Chesapeake Police Department formally cleared Lunsford, who had been on leave because of a stress-related illness; he eventually resigned. His marriage also broke apart.

In Case Example 2, we have the MO of what might be referred to as a female law enforcement "groupie." Arguably, she is responding to what is referred to by some in the law enforcement community as the Blue Magnet. This term is derived from the reality that some individuals are deeply attracted to those in uniform, and who, by extension, have positions of perceived authority. In the past, there have been cases where law enforcement groupies have obsessively made contact with those in blue through seductive letter writing, random precinct house telephone calling, the frequenting of "cop bars," and participation in law enforcement conferences or fund raisers. Now, law enforcement e-mail addresses and personal profiles can be gathered quickly and easily over the Internet on personal and department websites, and in online chat rooms, making them more easily accessible to those attracted to the blue magnet. And the truth is that some officers provide this information, and seek out these online chat areas, with the overt intention of attracting just these types of individuals (e.g. registered IRC chat rooms such as #COPS, dedicated to "Cops Who Flirt"; AOL chat rooms such as "Cops who flirt," etc.).

It is important to keep in mind, however, that law enforcement groupies are not necessarily individuals engaged in criminal activity. That is, unless they attempt to blackmail an officer in some fashion after they get them to engage in some kind of compromising circumstance, or engage in harassment and/or stalking behavior, all of which can and does happen. The criminal activity in these instances (if there is any at all), as in the example above, can actually come from the law enforcement officers involved. This can take the form of misusing and abusing department resources and violating the public trust, including but not limited to things like inappropriate telephone charges, vehicle use, and desertion of one's assigned duties. And we are not talking about small misallocations, but rather large ones such as in the example, which are symptomatic of ongoing patterns of departmental resource misuse and abuse.

As in Case Example 2, criminal activity in these instances can also take on the form of the distribution of pornographic materials (an officer allegedly e-mailed a digital photograph of his genitals to the 17-year-old girl), which, depending on the circumstances, can have serious legal consequences.

In both examples, technology facilitated criminal behavior in terms of providing both the mechanisms for initial contact between the involved parties, and a means for communication and illicit materials sharing between the parties over great distances. But as we have shown, less complex and "immediate" technologies do exist which have facilitated the same type of behavior in the past.

A more reactive aspect of the relationship between MO and technology, from the criminal's point of view, involves the relationship between the advancement of crime detection technologies in the forensic sciences, and a criminal's knowledge of them.

Successful criminals are arguably those who avoid detection and identification, or at the very least capture. The problem for criminals is that as they incorporate new and existing technologies into their MO to make their criminal behavior or identity more difficult to detect, the forensic sciences can make advances to become more competent at crime detection. Subsequently, criminals that are looking to make a career, or even a hobby, for themselves in the realm of illegal activity must rise to meet that challenge. That is to say, as criminals learn about new forensic technologies and techniques being applied to their particular area of criminal behavior, they must be willing to modify their MO, if possible, to circumvent those efforts.

But even an extremely skilful, motivated, and flexible offender may only learn of a new forensic technology when it has been applied to one of their crimes and resulted in their identification and/or capture. While this encounter can teach them something that they may never forget in the commission of future crimes, in such cases the damage will already have been done.

Maury Roy Travis

A glaring example of this type of inadvertent slip-up occurred in a recent case out of St Louis, Missouri, resulting in the apprehension of alleged serial killer Maury Roy Travis, a 36-year-old hotel waiter. In May of 2002, angered by a news story sympathetic to one of his victims, an unidentified serial killer wrote the publication in question to let his dissatisfaction be known. So that he would be believed, he provided details regarding the location of an undiscovered victim. According to Bryan (2002):

In the letter that arrived Friday at the Post-Dispatch, the writer said human remains would be found within "a 50-yard radius from the X" that had been inscribed on an accompanying map of the West Alton area. Police followed up on Saturday and found a human skull and bones at that location, just off of Highway 67. The remains were unidentified on Monday.

The letter writer said the remains belonged to another victim, and the author indicated that the locations of even more bodies might be divulged to the newspaper at a later time. St Louis police, who are spearheading a multi-jurisdictional investigation, have refused to talk about the letter.

"The letter writer believes he is brilliant," Turvey added. "And the letter writer has a proficient knowledge of evidence," illustrated by the fact that the letter was typed.

"There's only been a couple of serial killers like this person," Turvey said. "One was the Zodiac killer in the San Francisco area in the '70s who was never caught."

... The remains found Saturday were within 300 yards of where the bodies of Teresa Wilson, 36, and Verona "Ronnie" Thompson, also 36, were found just a few yards apart in May and June of last year.

In October, detectives from several jurisdictions in the St Louis area began comparing notes after they realized that the deaths of six prostitutes whose bodies were found mostly alongside roadways might be the work of a serial killer or killers. The prostitutes were drug users, and most had ties to a trucking area in the Baden neighborhood.

This year, the skeletal remains of three unidentified women were found alongside roadways in the Metro East area. Those cases added to the list of the existing six cases.

Turvey ... said it was fortunate that a police task force had already been looking into the killings here and warned not to make the letter writer angry.

The offender's map turned out to be a crucial form of previously untapped digital evidence. The online service that Mr Travis used to render his map had logged his IP address. A description of the technology involved in associating Mr Travis with the map he generated online, and his subsequent identification and apprehension, is provided by Robinson (2002):

"Basically, whenever you go online, you're leaving a track," said Peter Shenkin, professor of Computer Information Systems in Criminal Justice and Public Administration at John Jay College in New York. "For instance, when I log on, I have a unique number, an IP address, assigned to me by the Internet service provider, and I have that address as I go from one site to another. If I access a site, that site makes a record of my IP address. They know when I was online, how long I was on the site, what pages I looked at."

Accused serial killer Maury Troy Travis had no idea that he would leave police a virtual trail when he allegedly sent a letter to a St Louis Post-Dispatch reporter. The letter was sent in response to an article about a slain prostitute believed to be one of the victims of a serial killer in Missouri and Illinois. The note to the reporter read, "Nice sob story. I'll tell you where many others are. To prove im real here's directions to number seventeen. [sic]"

The second part of the letter contained a downloaded map of West Alton, Ill., marked with an X. Police went to the spot marked by the X and found a woman's skeleton. But that was not the only information the map provided. By surfing on different travel sites, Illinois State police found out the map had been downloaded from Expedia.com. After receiving a federal subpoena from investigators, Expedia.com pulled up the IP address of every user that had looked at the map in recent days. There was only one person.

The FBI subpoenaed the Internet service provider to find out who had been assigned the IP address. That user, ISP records indicated, turned out to be Travis, who resided in St Louis County. FBI agents searched Travis' home and found blood spatters and smears throughout his home and on belts and other things used to tie people up.

Travis was arrested and charged with two counts of kidnapping. Officials suspected him in the killings of six prostitutes and four unidentified women found in the St Louis area between April 2001 and May 2002 and were reportedly planning additional charges for murder.

However, before Mr Travis could be brought to trial, let alone be charged with murder, he committed suicide in custody. According to Clubb (2002):

The suicide Monday night of Maury Troy Travis, 36, of Ferguson, sent shock waves Tuesday through the law enforcement community and the St Louis area media. Officials from the Clayton Police Department held a news conference late Tuesday to answer questions about how Travis managed to hang himself in his cell, despite being under a suicide watch.

... Travis had not yet been charged with murder, which is usually prosecuted as a state crime. The federal case kept him in custody while prosecutors in at least three jurisdictions considered additional charges.

However, one law enforcement source close to the investigation told The Telegraph that police already had discovered evidence that would have incriminated Travis in multiple torture-killings of women.

The source said the FBI found the evidence when it searched Travis' house in Ferguson last Friday. Investigators found videotapes concealed inside walls at the home, the source said. Police viewed the videotapes this week and found they showed a number of torture-killings of women known to be victims, including some who identified themselves on the tapes by name.

By comparison with other serial murderers, Mr Travis was not foolish, impulsive, or unskilled. In fact, the evidence shows just the opposite: a patient and meticulous offender, conscious of the need for a disposable victim population and nurturing a specific set of sexual control oriented fantasies that required specific methods of control and "props." According to reports (Home Movies 2003), Mr Travis was among other things sadistic in nature:

Police believe Travis picked up prostitutes along a strip of Broadway just north of St Louis that is riddled with crack houses and prostitution, then took them to his ranch-style home in Ferguson, a nearby suburb.

They found numerous videotapes in Travis' home showing him giving the prostitutes crack cocaine to smoke, then having consensual sex with them. He apparently let some of the women leave at that point.

The "wedding" tape included similar scenes - including a shot of a woman sitting on Travis' bed after an introductory caption "ANOTHER CRACKHEAD HO." But it showed that in some cases - police are not sure how he chose his victims - Travis would start asking the women to engage in bizarre rituals, such as having them dance in white clothes or wear sunglasses with the lenses blackened so they could not see.

Then he would take them captive, binding them with ropes and handcuffs and covering their eyes with duct tape. He would then begin to torment them, either in the bedroom, or after dragging them downstairs to the basement and shackling them to a wooden post.

The excerpts the police released to Primetime show Travis tormenting the women verbally, taunting them about their fate and haranguing some of them over how they had abandoned their children for crack. One exchange, with an unidentified victim, went as follows:

  • Travis: You want to say something to your kids?

  • Victim: I'm sorry.

  • Travis: Who's raising your kids?

  • Victim: Me, my mom and dad.

  • Travis: You ain't raising s---, b---. You over here on your back smoking crack. You ain't going home tomorrow. I'm keeping you about a week. Is that all right?

He forced one victim to say to him, "You are the master. It pleases me to serve you." When he didn't like the way she said it, he yelled at her, "Say it clearer!"

When another victim tried to remove the duct tape covering her eyes and knocked his camera out of focus, he told her: "You don't need to see s--- ... Lay down on your back. Shut your eyes."

At one point, a woman can be heard gasping in agony as he orders her, "Sit still!"

There is no question regarding the skill and care taken by Mr Travis in the commission of his crimes. There is further no question that police had failed to link him with all of his crimes prior to his capture, let alone link all of his crimes together. In fact, police had few tangible leads, and the case was apparently growing cold. The only question that remains is whether police would have linked him to his crimes without his inadvertent cybertrail and the work of diligent local investigators examining his correspondence for clues. The most reasonable answer is no.
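The kind of record correlation that produced the cybertrail in this case, as an added example that is not from the original chapter: it parses constructed web-server access lines in Apache combined format, finds which client addresses retrieved a given map resource inside a date window, and then matches each request time against constructed ISP address-assignment records, because a dynamically assigned address identifies a subscriber only together with the time of the request. All addresses, paths and account names are placeholders.

```python
import re
from datetime import datetime

# Constructed sample entries in Apache "combined" log format. Addresses come from
# documentation ranges (RFC 5737) and paths are placeholders; none of this is
# data from the actual investigation.
ACCESS_LOG = """\
203.0.113.7 - - [24/May/2002:21:14:02 -0500] "GET /maps/westalton?zoom=3 HTTP/1.1" 200 18222 "-" "Mozilla/4.0"
198.51.100.4 - - [24/May/2002:21:20:45 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [24/May/2002:21:15:10 -0500] "GET /maps/print?map=westalton HTTP/1.1" 200 40211 "-" "Mozilla/4.0"
198.51.100.9 - - [01/May/2002:10:02:11 -0500] "GET /maps/westalton?zoom=3 HTTP/1.1" 200 18222 "-" "Mozilla/4.0"
garbage line that does not parse
"""

# Constructed ISP address-assignment records: who held which address, and when.
# The same address is reassigned, which is why the request timestamp must be
# matched against the assignment period and not the address alone.
ISP_LEASES = [
    {"ip": "203.0.113.7", "start": "2002-05-20T08:00:00-05:00",
     "end": "2002-05-23T08:00:00-05:00", "subscriber": "account-A (placeholder)"},
    {"ip": "203.0.113.7", "start": "2002-05-23T08:00:00-05:00",
     "end": "2002-05-27T08:00:00-05:00", "subscriber": "account-B (placeholder)"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # %z keeps the server's UTC offset so the timestamp compares correctly
    # with times recorded by other sources (ISP records, postmarks).
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def requesters_of(log_text, path_pattern, start_iso, end_iso):
    """Map each client address that successfully fetched a matching resource
    within [start, end) to its request timestamps (ISO 8601), oldest first."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    wanted = re.compile(path_pattern)
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # unparsable or unsuccessful requests never served the map
        if not wanted.search(rec["path"]) or not (start <= rec["ts"] < end):
            continue
        hits.setdefault(rec["ip"], []).append(rec["ts"])
    return {ip: [t.isoformat() for t in sorted(ts)] for ip, ts in hits.items()}


def subscriber_for(ip, at_iso, leases=ISP_LEASES):
    """Return the subscriber assigned `ip` at the given instant, or None."""
    at = datetime.fromisoformat(at_iso)
    for lease in leases:
        if (lease["ip"] == ip
                and datetime.fromisoformat(lease["start"]) <= at
                < datetime.fromisoformat(lease["end"])):
            return lease["subscriber"]
    return None


def attribute_map_requests(log_text, path_pattern, start_iso, end_iso,
                           leases=ISP_LEASES):
    """Both steps together: for every address that fetched the resource, name
    the subscriber holding that address at the time of each request."""
    result = {}
    for ip, times in requesters_of(log_text, path_pattern,
                                   start_iso, end_iso).items():
        result[ip] = {t: subscriber_for(ip, t, leases) for t in times}
    return result


if __name__ == "__main__":
    print(attribute_map_requests(ACCESS_LOG, r"westalton",
                                 "2002-05-22T00:00:00-05:00",
                                 "2002-05-28T00:00:00-05:00"))
```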

The term motive refers to the emotional, psychological, or material need that impels, and is satisfied by, a behavior (Turvey 2002). Criminal motive is generally technology independent. That is to say, the psychological or material needs that are nurtured and satisfied by a criminal's pattern of behavior tend to be separate from the technology of the day. The same motives that exist today have arguably existed throughout recorded history, in one form or another. However, it may also be argued that existing motives (e.g. sexual fetishes) can evolve through the employment of, or the association of offense activities with, specific technologies. Towards understanding these issues, this section demonstrates how an existing behavioral motivational typology may be applied within the context of computer and Internet related criminal behavior.

In 1979, A. Nicholas Groth, an American clinical psychologist working with both victim and offender populations, published a study of over 500 rapists. In his study, he found that rape, like other crimes involving behaviors that satisfy emotional needs, is complex and multi-determined. That is to say, the act of rape itself serves a number of psychological needs and purposes (motives) for the offender. The purpose of his work was clinical: to understand the motivations of rapists in order to develop effective treatment plans (Groth 1979).

Eventually, the Groth rapist motivational typology was taken and modified by the FBI's National Center for the Analysis of Violent Crime (NCAVC) and its affiliates (Hazelwood, et al. 1991; Burgess and Hazelwood 1995).

This author has found through casework that this behaviorally based motivational classification system, with some modifications, is useful for understanding the psychological basis for most criminal behavior. The basic psychological needs, or motives, that impel human criminal behaviors remain essentially the same across different types of criminals, regardless of their behavioral expression, which may involve computer crimes, stalking, harassment, kidnapping, child molestation, terrorism, sexual assault, homicide, and/or arson. This is not to say that the motivational typology presented here should be considered the final word in terms of all specific offender motivations. But in terms of the general types of psychological needs that are being satisfied by offender behavior, they are fairly inclusive, and fairly useful.

Below, the author gives a proposed behavioral motivational typology (Turvey 2002), and examples, adapted from Burgess (1995). This author takes credit largely for the shift in emphasis from classifying offenders - to classifying offense behaviors (turning it from an inductive labeling system to a deductive tool). They include the following types of behaviors: Power Reassurance, Power Assertive, Anger Retaliatory, Sadistic, Opportunistic, and Profit oriented.[2]

6.4.1 Power Reassurance (Compensatory)

These include criminal behaviors that are intended to restore the criminal's self-confidence or self-worth through the use of low aggression means. These behaviors suggest an underlying lack of confidence and a sense of personal inadequacy. This may manifest itself in a misguided belief that the victim desires the offense behavior, and is somehow a willing or culpable participant. It may also manifest itself in the form of self-deprecating or self-loathing behavior which is intended to garner a response of pity or sympathy from the victim.

The belief motivating this behavior is often that the victim will enjoy and eroticize the offense behavior, and may subsequently fall in love with the offender. This stems from the criminal's own fears of personal inadequacy. The offense behavior is restorative of the offender's self-doubt, and therefore emotionally reassuring. It will occur as his need for that kind of reassurance arises.

CASE EXAMPLE (DURFEE 1996):

The following is a media account of the circumstances surrounding Andrew Archambeau, a man who pled no contest to harassing a woman via e-mail and the telephone:

... Archambeau, 32, was charged with a misdemeanor almost two years ago for stalking the Farmington Hills woman ... Archambeau met the woman through a computer dating service. He messaged her by computer and (they) talked on the phone.

The couple met in person twice. After the second meeting, the woman dumped Archambeau by e-mail. He continued to leave phone messages and e-mail the woman (urging her to continue dating him), even after police warned him to stop. Archambeau was charged in May 1994 under the state's stalking law, a misdemeanor.

"Times have changed. People no longer have to leave the confines and comfort of their homes to harass somebody," (Oakland County Assistant Prosecutor Neal) Rockind said.

In this example, the offender was unwilling to let go of the relationship, perceiving a connection to the victim that he was unwilling to relinquish. The content of the messages that he left was not described as violent, or threatening, merely persistent. While it is possible that this could have eventually escalated to more retaliatory behaviors, the behaviors did not appear to be coming from that emotion.

6.4.2 Power Assertive (Entitlement)

These include criminal behaviors that are intended to restore the offender's self-confidence or self-worth through the use of moderate to high aggression means. These behaviors suggest an underlying lack of confidence and a sense of personal inadequacy, that are expressed through control, mastery, or humiliation of the victim, while demonstrating the offender's perceived sense of authority.

Offenders evidencing this type of behavior exhibit little doubt about their own adequacy and masculinity. In fact, they may be using their attacks as an expression of their own virility. In their perception, they are entitled to the fruits of their attack by virtue of being a male and being physically stronger.

Offenders evidencing this type of behavior may grow more confident over time, as their egocentricity may be very high. They may begin to do things that can lead to their identification. Law enforcement may interpret this as a sign that the offender desires to be caught. What is actually true is that the offender has no respect for law enforcement, has learned that they can commit their offenses without the need to fear identification or capture, and subsequently they may not take precautions that they have learned are generally unnecessary.

This type of behavior does not necessarily evidence a desire to harm the victim, but rather to possess them. Demonstrating power over their victims is their means of expressing mastery, strength, control, authority, and identity to themselves. The attacks are therefore intended to reinforce the offender's inflated sense of self-confidence or self-worth.

CASE EXAMPLE (ASSOCIATED PRESS 1997b):

The following is taken from a media account of the circumstances surrounding the Dwayne and Debbie Tamai family of Emeryville, Ontario. This case of electronic harassment involved their 15-year-old son, Billy, who took control of all of the electronic devices in the family's home, including the phone, and manipulated them to the distress of other family members for his own amusement. The incidents began in December of 1996, when friends of the family complained that phone calls to the Tamai home were repeatedly being waylaid and cut off:

... Police confirmed that the sabotage was an inside job, but refused to name the culprit and said nothing would be gained by filing charges against him. Dwayne and Debbie Tamai issued a statement saying that their son, Billy, had admitted to making the mysterious calls.

The interruptions included burps and babbling and claims of control over the inner workings of the Tamais' custom-built home, including what appeared to be the power to turn individual appliances on and off by remote control.

"It started off as a joke with his friends and just got so out of hand that he didn't know how to stop it and was afraid to come forward and tell us in fear of us disowning him," the Tamais said in their statement, which was sent to local news media.

On Saturday, the Tamais said they were planning to take their son to the police to defend him against persistent rumors that he was responsible. Instead, he confessed to being the intruder who called himself Sommy.

"All the crying I heard from him at night I thought was because of the pain he was suffering caused by Sommy," the letter said. "We now realize it was him crying out for help because he wanted to end all this but was afraid because of how many people were now involved."

... "We eliminated all external sources and interior sources," Babbitt said.

A two-day sweep by a team of intelligence and security experts loaded with high-tech equipment failed to locate "Sommy" on Friday. The team was brought in by two television networks.

... missed messages and strange clickings seemed minor when a disembodied voice, eerily distorted by computer, first interrupted a call to make himself known.

After burping repeatedly, the caller told a startled Mrs Tamai, "I know who you are. I stole your voice mail."

Mocking, sometimes menacing, the high-tech stalker became a constant presence, eavesdropping on family conversations, switching TV channels and shutting off the electricity.

"He would threaten me," Mrs Tamai said last week. "It was very frightening: 'I'm going to get you. I know where you live.'

"I befriended him, because the police asked me to, and he calmed down and said he wasn't going to hurt me. The more I felt I was kissing his butt, the safer I felt."

In this case, the son repeatedly made contact with the victims (his parents), and made verbal threats in combination with the electronic harassment, all in an effort to demonstrate his power and authority over them. The victims were not physically harmed, though they were in fear and greatly inconvenienced by the fact that an unknown force appeared to have control over a great many aspects of their lives.

6.4.3 Anger Retaliatory (Anger or Displaced)

These include criminal behaviors that suggest a great deal of rage, either towards a specific person, group, institution, or a symbol of either. These types of behaviors are commonly evidenced in stranger-to-stranger sexual assaults, domestic homicides, work-related homicide, harassment, and cases involving terrorist activity.

Anger retaliation behavior is just what the name suggests. The offender is acting on the basis of cumulative real or imagined wrongs from those that are in their world. The victim of the attack may be one of these people such as a relative, a girlfriend, or a coworker. Or the victim may symbolize that person to the offender in dress, occupation, and/or physical characteristics.

The main goal of this offender behavior is to service their cumulative aggression. They are retaliating against the victim for wrongs or perceived wrongs, and their aggression can manifest itself across a wide range, from verbally abusive epithets to hyper-aggressed homicide with multiple collateral victims. In such cases, even sexual acts can be put into the service of anger and aggression (this is the opposite of the sadistic offender, who employs aggression in the service of sexual gratification).

It is important not to confuse retaliatory behavior with sadistic behavior. Although they can share some characteristics at first blush, the motivations are wholly separate. Just because a crime is terrible or brutal does not confirm that the offender responsible was a sadist, and tortured the victim. Reliance upon a competent reconstruction by the appropriate forensic scientists is requisite.

CASE EXAMPLE (ASSOCIATED PRESS 1997a):

The following is a media account of the circumstances surrounding the homicide of Marlene Stumpf. Her husband, Raymond Stumpf, who was host and producer of a home shopping show that aired in Pottstown, Pennsylvania, allegedly stabbed her to death. He was known as "Mr Telemart," and also worked full-time as a manager at a fast-food restaurant.

A woman who received flowers from a man she corresponded with on the Internet has been slain, and her husband has been charged with murder.

The dozen roses were sent several days ago to "Brandis," the online name used by Marlene Stumpf, 47, police said. Her son found her body Monday night on the kitchen floor with three blood-covered knives nearby.

Raymond Stumpf, 54, her husband of 13 years and host of a local cable television show, was found in the dining room, bleeding from arm and stomach wounds that police consider self-inflicted.

"It was a particularly gruesome scene with a lot of blood that showed evidence of extreme violence," prosecutor Bruce Castor Jr. said Wednesday. "(Stumpf) tried to kill himself, presumably because he felt bad he had killed his wife."

Stumpf told police his wife started slapping him during an argument Monday night and he "just went wild." Police said he couldn't remember what happened.

Detectives hope Mrs Stumpf's computer and computer files will provide information about her online relationships and people who could help prosecutors with a motive, Castor said.

In this example, it is alleged that the husband killed his wife after an argument over her Internet romance, and then tried to kill himself. The fact that there is digital evidence related to this crime, and that the Internet is somehow involved, is incidental to the husband's motive for killing her. Instances of similar domestic murder-suicides involving real or perceived infidelity are nothing new in the history of human relationships, and are always tragic.

The retaliatory aspect of this case comes from the description of the nature and extent of the injuries to the victim (i.e. that Mr Stumpf "just went wild," and that there was "extreme violence").

The retaliatory aspect of this case is further evidenced by circumstances that support the context of that retaliatory behavior, including:

  • the argument;

  • the use of available materials;

  • the use of multiple weapons;

  • the relatively short duration of the attack.

6.4.4 Anger Excitation (Sadistic)

These include criminal behaviors that evidence offender sexual gratification from victim pain and suffering. The primary motivation for the behavior is sexual; however, the sexual expression for the offender is manifested in physical aggression, or torture behavior, toward the victim.

This offense behavior is perhaps the most individually complex. This type of behavior is motivated by intense, individually varying fantasies that involve inflicting brutal levels of pain on the victim solely for offender sexual pleasure. The goal of this behavior is total victim fear and submission for the purposes of feeding the offender's sexual desires. Aggression services sexual gratification. The result is that the victim must be physically or psychologically abused and humiliated for this offender to become sexually excited and subsequently gratified.

Examples of sadistic behavior must evidence sexual gratification that an offender achieves by witnessing the suffering of their victim, who must requisitely be both living and conscious. Dead or unconscious victims are incapable of suffering in the manner that gives the necessary sexual stimulation to the sadist. For an example of such a case involving the use of the Internet and a subsequent cybertrail, see the previous discussion regarding serial murderer Maury Roy Travis in this chapter.

6.4.5 Profit Oriented

These include criminal behaviors that evidence an offender motivation oriented towards material or personal gain. These can be found in all types of homicides, robberies, burglaries, muggings, arsons, bombings, kidnappings, and fraud, just to name a few.

This type of behavior is the most straightforward, as the successful completion of the offense satisfies the offender's needs. Psychological and emotional needs are not necessarily satisfied by purely profit motivated behavior (if one wants to argue that a profit motivation is also motivated by a need for reassurance that one is a good provider, that would have to be followed by a host of other reassurance behaviors). Any behavior that is not purely profit motivated, and which satisfies an emotional or psychological need, should be examined through the lens of the other behavioral motivational types.

CASE EXAMPLE (PIPER 1998):

The following is excerpted from a media account regarding the circumstances surrounding the activities of Vladimir Levin in St Petersburg, Russia:

Vladimir Levin, a computer expert from Russia's second city of St Petersburg, used his skills for ill-gotten gains. He was caught stealing from Citibank in a fraud scheme and said he used bank customer passwords and codes to transfer funds from their accounts to accounts he controlled in Finland, the Netherlands, Germany, Israel and the United States.

In this example, regardless of any other motivation that may be evident in this offender's behavioral patterns, the desire for profit is clearly primary.

[2]Sections of text in this typology are taken directly from Turvey (2002).

Perhaps the best way to finalize our exploration of how criminals engage and adapt computer and Internet technology is by discussing a couple of examples. The technologies discussed are only a very small sample of what is available to the cyber criminal. Of these technologies, only a few of the many criminal adaptations are illustrated.

6.5.1 A Computer Virus

A computer virus is a foreign program that is designed to enter a computer system with the purpose of executing one or more particular functions without the knowledge or consent of the system administrator. The function of a virus is specified by its creator. The criminal applications of viruses in the cyberverse are almost without limits. They are typically used to steal, broadcast, and/or destroy information (examples include computer files containing personal contact information, credit card numbers, and passwords).

  • A thief can program and disseminate a virus on a given network that is designed to locate and gather victim password information used in online banking.

  • A stalker can program and disseminate a virus to a particular victim's PC via anonymous personal e-mail designed to locate and gather sensitive personal information including address books, financial files, and digital images.

  • A terrorist can program and disseminate a virus on a particular network that is designed to delete or alter specific files essential to that network's function. In doing so, they can alter or disrupt that function.

6.5.2 A Public E-Mail Discussion List

Individuals may develop and maintain or join one of the many public e-mail discussion lists available via the Internet to share the details and experiences of their lives with others. They are also a way to meet and learn from people with similar experiences and interests. The content of an e-mail discussion list is dependent on the list topic, and the types of posts that are sent by subscribers. However, any e-mail discussion list represents a captive audience susceptible to individual and multiple broadcasts of information over that list.

  • A thief may use information (personal details elicited from text and photographs) gathered from a victim's posts on an e-mail discussion list to plan a burglary, targeting specific valuables in specific rooms.

  • An ex-intimate may join a discussion list to which their former intimate subscribes. Once subscribed, they may publicly harass and defame their former intimate with a mixture of true and false information. This can be accomplished by the distribution of explicit and/or invasive personal images, as well as the dissemination of false accusations of child abuse, sex crimes, or other criminal conduct.

As this chapter has illustrated, technology is generally developed for one purpose, but is often harnessed or adapted for another by those with criminal motive and intent. It can also have unintended consequences within the criminal and forensic communities. So long as technology evolves, criminal enterprise will evolve to incorporate and build upon it.

Associated Press (1997a) "Wife's Internet friendship may have led to her death", January 23.

Associated Press (1997b) "High-tech 'stalking' of Canadian family linked to teen-aged son", April 20.

Bryan, B. (2002) "Letter writer is serial killer, concludes criminal profiler", St. Louis Post-Dispatch, May 28.

Burgess A., Burgess A., Douglas J. and Ressler R. (1997) Crime Classification Manual, San Francisco, CA: Jossey-Bass, Inc.

Burgess A. and Hazelwood R. (eds) (1995) Practical Aspects of Rape Investigation: A Multidisciplinary Approach, 2nd edn, New York, NY: CRC Press.

Clubb S. (2002) "Police explain suspect's suicide," The Illinois River Bend Telegraph, June 12. (Available online at http://www.zwire.com/site/news.cfm?newsid=4412382&BRD=1719&PAG=461&dept_id=25271&rfi=8).

Durfee D. (1996) "Man pleads no contest in stalking case", The Detroit News, January 25.

Groth A.N. (1979) Men Who Rape: The Psychology of the Offender, New York, NY: Plenum.

Hazelwood R., Reboussin R., Warren J.I. and Wright J.A. (1991) "Prediction of Rapist Type and Violence from Verbal, Physical, and Sexual Scales", Journal of Interpersonal Violence, 6(1), 55–67.

Jarvis C. (1998) "Teen again linked to e-mail affair", The News Observer, North Carolina, November 28.

McPherson T. (2003) "Sherlock Holmes' modern followers", The Advertiser, May 31.

Meloy J.R. (ed.) (1998) The Psychology of Stalking: Clinical and Forensic Perspectives, San Diego, CA: Academic Press.

Piper E. (1998) "Russian cybercrime flourishes: deteriorating economic conditions have brought pirating and cracking mainstream", Reuters, December 30.

Reuters Information Service (1997) "Swiss couple charged in U.S. child pornography sting", August 22.

Robinson B. (2002) "Taking a byte out of cybercrime", ABC News, July 15.

Shamburg R. (1999) "A tortured case", Net Life, April 7.

Turvey B. (2002) Criminal Profiling: An Introduction to Behavioral Evidence Analysis, 2nd edn, London: Academic Press.

Wired News (1998) "Cops 'lured' into net sex", February 16.

Overview

In this age of science, science should expect to find a warm welcome, perhaps a permanent home, in our courtrooms. The reason is a simple one. The legal disputes before us increasingly involve the principles and tools of science. Proper resolution of those disputes matters not just to the litigants, but also to the general public - those who live in our technologically complex society and whom the law must serve. Our decisions should reflect a proper scientific and technical understanding so that the law can respond to the needs of the public.

(Breyer 2000)

Individuals processing evidence must realize that, in addition to being pertinent, evidence must meet certain standards to be admitted. It is easy enough to claim that a bloody glove was found in a suspect's home, but it is another matter to prove it. When guilt or innocence hangs in the balance, the proof that evidence is authentic and has not been tampered with becomes essential. The US Federal Rules of Evidence, the UK Police and Criminal Evidence Act (PACE) and Civil Evidence Act, and similar rules of evidence in other countries were established to help evaluate evidence. For instance, before admitting evidence, a court will generally ensure that it is relevant and evaluate it to determine if it is what its proponent claims, if the evidence is hearsay, and if the original is required or a copy is sufficient. There are many other issues that a court must consider to determine if evidence is admissible and a failure to consider these issues from the outset may cause evidence to be excluded, potentially losing the case.

One of the most important aspects of authentication is maintaining and documenting the chain of custody (a.k.a. continuity of possession) of evidence. Each person who handled evidence may be required to testify that the evidence presented in court is the same as when it was processed during the investigation. Although it may not be necessary to produce at trial every individual who handled the evidence, it is best to keep the number to a minimum and maintain documentation to demonstrate that digital evidence has not been altered since it was collected. Without a solid chain of custody, it could be argued that the evidence was handled improperly and may have been altered, replaced with incriminating evidence, or contaminated in some other fashion.

Having someone on the search team who is trained to handle digital evidence can reduce the number of people who handle the evidence, thus streamlining the presentation of the case and minimizing the defense's opportunities to impugn the integrity of the evidence. Additionally, standard operating procedures, continuing education, and clear policies help maintain consistency and prevent contamination of evidence. Given the ease with which digital evidence can be altered, the importance of procedures, and of using only trained personnel to handle and examine it, cannot be overstated.

This chapter provides an overview of the major issues that arise when digital evidence is presented in court, including admissibility, uncertainty, and presentation of digital evidence. The process of preparing a case for trial is time consuming, expensive, and may not result in a satisfactory outcome, particularly if there is insufficient evidence or evidence was handled improperly. Also, before deciding to take legal action, organizations should consider the impact if they are required to disclose information about their systems that may be sensitive (e.g. network topology, system configuration information, source code of custom monitoring tools) and other details about their operations that they may not want to make public.

The most common mistake that prevents digital evidence from being admitted by courts is that it was obtained without authorization. Generally, a warrant is required to search and seize evidence. The main exceptions are plain view, consent, and exigency. If investigators see evidence in plain view, they can seize it provided they obtained access to the area validly. By obtaining consent to search, investigators can perform a search without a warrant but some care must be employed when obtaining consent to reduce the chance of the search being successfully challenged in court.

CASE EXAMPLE (UNITED STATES v. TURNER 1999):

Law enforcement officers obtained permission from the defendant to search his home for evidence relating to a sexual assault of one of his neighbors. During the search, an investigator looked at Turner's computer and identified child pornography. Turner was indicted for possessing child pornography but moved to suppress the computer files on the ground that he had not consented to the search of his computer and that it was not objectively reasonable for the detective to have concluded that evidence of the sexual assault - the stated object of the consent search - would be found in files with such labels as "young" or "young with breasts."

Regarding exigency, a warrantless search can be made for any emergency threatening life and limb. It is difficult to imagine a case in which a computer could be collected under exigent circumstances. Even in a homicide, a warrant is required for an in-depth search of the suspect's possessions.

There are four questions that investigators must ask themselves when searching and seizing digital evidence:

  1. Does the Fourth Amendment and/or ECPA apply to the situation?

  2. Have the Fourth Amendment and/or ECPA requirements been met?

  3. How long can investigators remain at the scene?

  4. What do investigators need to re-enter?

When answering these questions, remember that the ECPA prohibits anyone, not just the government, from unlawfully accessing or intercepting electronic communications, whereas the Fourth Amendment applies only to the government. Recall that the Fourth Amendment requires that a search warrant be secured before law enforcement officers can search a person's house, person, papers, and effects. To obtain a warrant, investigators must demonstrate probable cause and detail the place to be searched and the persons or things to be seized. More specifically, investigators have to convince a judge or magistrate that:

  1. a crime has been committed;

  2. evidence of crime is in existence;

  3. the evidence is likely to exist at the place to be searched.

Even when investigators are authorized to search a computer, they must maintain focus on the crime under investigation. For instance, in United States v. Carey (case ref), the investigator found child pornography on a machine while searching for evidence of drug-related activity, but the images were inadmissible because they were outside the scope of the warrant. The proper action when evidence of another crime is discovered is to obtain another search warrant for that crime.

CASE EXAMPLE (UNITED STATES v. GRAY 1999):

During an investigation into Montgomery Gray's alleged unauthorized access to National Library of Medicine computer systems, the FBI obtained a warrant to seize four computers from Gray's home and look for information downloaded from the library. While examining Gray's computers, a digital evidence examiner found pornographic images in directories named "teen" and "tiny teen," halted the search and obtained a second warrant to search for pornography.

CASE EXAMPLE (WISCONSIN v. SCHROEDER):

While investigating an online harassment complaint made against Keith Schroeder, a digital evidence examiner found evidence relating to the harassment complaint on his computer and noticed some pornographic pictures of children. A second warrant was obtained, giving the digital evidence examiner authority to look for child pornography on Schroeder's computer. Schroeder was charged with 19 counts of possession of child pornography and convicted on 18 counts after a jury trial. For the harassment, Schroeder was tried in a separate proceeding for unlawful use of a computer and disorderly conduct.

The other common mistake that prevents digital evidence from being admitted by courts is improper handling. Although courts were somewhat lenient in the past, as more judges and attorneys become familiar with digital evidence, more challenges are being raised relating to evidence handling procedures.

The process of determining whether evidence is what it purports to be, and therefore worthy of the court's consideration, is called authentication.

Authentication means satisfying the court that (a) the contents of the record have remained unchanged, (b) that the information in the record does in fact originate from its purported source, whether human or machine, and (c) that extraneous information such as the apparent date of the record is accurate. As with paper records, the necessary degree of authentication may be proved through oral and circumstantial evidence, if available, or via technological features in the system or the record. (Reed 1990–91)

Authentication is actually a two-step process, with an initial examination of the evidence to determine that it is what its proponent claims and, later, a closer analysis to determine its probative value. In the initial stage, it may be sufficient for an individual who is familiar with the digital evidence to testify to its authenticity. For instance, the individual who collected the evidence can confirm that the evidence presented in court is the same as when it was collected. Alternately, a system administrator can testify that log files presented in court originated from her/his system.

In some cases, the defense will cast doubt on more malleable forms of digital evidence, such as logs of online chat sessions.

CASE EXAMPLE (MICHIGAN v. MILLER 2002):

In 2000, e-mail and AOL Instant Messages provided the compelling evidence to convict Sharee Miller of conspiring to kill her husband and abetting the suicide of the admitted killer (Jerry Cassaday) she had seduced with the assistance of the Internet. Miller carefully controlled the killer's perception of her husband, going so far as to masquerade as her husband to send the killer offensive messages. In this case, the authenticity of the AOL Instant Messages was questioned in light of the possibility that such an online conversation could be staged (Bean 2003).

CASE EXAMPLE (UNITED STATES v. TANK):

In United States v. Tank, a case related to the Orchid/Wonderland Club investigation, the defendant argued that the authenticity and relevance of Internet chat logs were not adequately established. One of the points the defense argued was that the chat logs could be easily modified. The prosecution used a number of witnesses to establish that the logs were authentic. The court held that "printouts of computer-generated logs of 'chat room' discussions may be established by evidence showing how they were prepared, their accuracy in representing the conversations, and their connection to the defendant."

This case is significant because it is one of the first to deal with the authentication of chat logs. However, some feel that there are still questions about the authenticity and reliability of Internet chat logs that have not been addressed. On IRC, for example, in addition to the chat channel window, there may be important information in other areas of an IRC client such as the status window and in private chat or fserve windows. Since it is not possible for one investigator simultaneously to view every window, we must rely heavily on the logs for an account of what occurred. In some instances, investigators have been able to compensate for a lack of documentation by testifying that the evidence being presented is authentic and reliable. Of course, it is best to have solid documentation.

To authenticate digital evidence, it may also be necessary to demonstrate that the computer system or process that generated the digital evidence was working properly during the relevant time period. For instance, Federal Rule of Evidence 901(b)(9), under the heading "Requirement of Authentication or Identification", includes "evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result." In the United Kingdom, under Section 69 of PACE, there is a formal requirement for a positive assertion that the computer systems involved were working properly.

CASE EXAMPLE (R. v. COCHRANE 1993, UNITED KINGDOM):

The accused was convicted of theft by fraudulent use of his cash card, withdrawing sums that his building society inadvertently credited to his account. The issue before the court was whether the trial judge should have admitted evidence in the form of computer printouts or till rolls. The evidence before the court was that two computers were involved in the relevant process. The person using the cash-point machine provided certain information which was relayed to the branch computer, which retained a back-up in its memory before transmitting it to the central mainframe computer. The court found that none of the prosecution witnesses had any knowledge of the actual working of the mainframe computer in that part of its operation, and none of them was able to supply affirmative information that the mainframe computer was operating correctly at the relevant time. As such, the prosecution had failed to adduce adequate evidence to enable the court to properly rule that the till rolls were admissible evidence; in the absence of the till rolls the prosecution's case could not be proved.

The increasing variety and complexity of computer systems makes this type of evaluation increasingly difficult, leading the UK Law Commission to recommend the repeal of Section 69 of PACE (Law Commission 1997). Requiring programmers and system designers to establish that computer systems are reliable at the lowest level is untenable, "overburdening already crowded courts with hordes of technical witnesses" (People v. Lugashi 1998). Therefore, US and UK courts have accepted the testimony of individuals who are familiar with the operation of computer systems. For instance, in R. v. Shephard (1993), the House of Lords held that Section 69(1) can be satisfied by the oral evidence of a person familiar with the operation of the computer who can give evidence of its reliability, and that the person need not be a computer expert. In United States v. Miller, telephone company records were admitted after a telephone-billing supervisor authenticated them. In a sexual assault case, the manager of Southwestern Bell's security office testified that their telephone billing records were reliable, as noted in the following quote.

Figlio's testimony was sufficient to confirm the reliability of the telephone records. She explained that entries in the record were made instantaneously with the making of the calls and that AT&T would send Southwestern Bell the billing tapes, which established when the call took place, the originating number and the terminating number. She explained that the source of the information was a computer, which monitored Southwestern Bell's switching operations. The circuit court was correct in concluding that these records were uniquely reliable in that they were computer-generated rather than the result of human entries. (Missouri v Dunn 1999)

Once digital evidence is admitted, its reliability is assessed to determine its probative value. For instance, if there is concern that the evidence was tampered with prior to collection, these doubts may reduce the weight assigned to the evidence. In several cases, attorneys have argued that digital evidence was untrustworthy simply because there was a theoretical possibility that it could have been altered or fabricated. However, as judges become more familiar with digital evidence, they are requiring evidence to support claims of untrustworthiness. As noted in the US Department of Justice Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations:

Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record. See Whitaker, 127 F.3d at 602 (declining to disturb trial judge's ruling that computer records were admissible because allegation of tampering was "almost wild-eyed speculation ... [without] evidence to support such a scenario"); United States v. Bonallo, 858 F.2d 1427, 1436 (9th Cir. 1988) ("The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness."); United States v. Glasser, 773 F.2d 1553, 1559 (11th Cir. 1985) ("The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer-generated records; the party opposing admission would have to show only that a better security system was feasible.") ... the government may need to disclose "what operations the computer had been instructed to perform [as well as] the precise instruction that had been given" if the opposing party requests. United States v. Dioguardi, 428 F.2d 1033, 1038 (C.A.N.Y. 1970). Notably, once a minimum standard of trustworthiness has been established, questions as to the accuracy of computer records "resulting from ... the operation of the computer program" affect only the weight of the evidence, not its admissibility. United States v. Catabran, 836 F.2d 453, 458 (9th Cir. 1988). (USDOJ 2002)

Even when there is a reasonable doubt regarding the reliability of digital evidence, this does not necessarily make it inadmissible, but will reduce the amount of weight it is given by the court.

7.3 Casey's Certainty Scale

Computers can introduce errors and uncertainty in various ways, making it difficult to assess the trustworthiness of digital evidence meaningfully. Although courts are warned to consider the computer systems involved carefully, little guidance is provided.

Business records that are generated by computers present structural questions of reliability that transcend the reliability of the underlying information that is entered into the computer. Computer machinery may make errors because of malfunctioning of hardware, the computer's mechanical apparatus. Computers may also make errors that arise out of defects in the software, the input procedures, the database, and the processing program. In view of the complex nature of the operation of computers, courts have been cautioned to take special care to be certain that the foundation is sufficient to warrant a finding of trustworthiness and that the opposing party has full opportunity to inquire into the process by which information is fed into the computer. (American Oil Co. v. Valenti 1979).

Computer networks complicate reliability considerations because multiple systems and mechanisms are involved. Possibly because of the complexity and multiplicity of computer systems, there is a lack of consistency in the way that the reliability of digital evidence is assessed. To improve our ability to assess the reliability of digital evidence, we need a consistent method of referring to the relative certainty of different types of digital evidence. The scale in Table 7.1 is proposed when attempting to assess the probative value of digital evidence (Casey 2002).

Table 7.1: A proposed scale for categorizing levels of certainty in digital evidence.

Certainty level | Description/indicators | Commensurate qualification | Examples
C0 | Evidence contradicts known facts | Erroneous/incorrect | Examiners found a vulnerability in Internet Explorer (IE) that allowed scripts on a particular Web site to create questionable files, desktop shortcuts, and IE favorites. The suspect did not purposefully create these items on the system.
C1 | Evidence is highly questionable | Highly uncertain | Missing entries from log files or signs of tampering.
C2 | Only one source of evidence that is not protected against tampering | Somewhat uncertain | E-mail headers, sulog entries, and syslog with no other supporting evidence.
C3 | The source(s) of evidence are more difficult to tamper with but there is not enough evidence to support a firm conclusion or there are unexplained inconsistencies in the available evidence | Possible | An intrusion came from Poland, suggesting that the intruder might be from that area. However, a later connection came from South Korea, suggesting that the intruder might be elsewhere or that there is more than one intruder.
C4 | (a) Evidence is protected against tampering or (b) evidence is not protected against tampering but multiple, independent sources of evidence agree | Probable | Web server defacement probably originated from a given apartment since tcpwrapper logs show FTP connections from the apartment at the time of the defacement and Web server access logs show the page being accessed from the apartment shortly after the defacement.
C5 | Agreement of evidence from multiple, independent sources that are protected against tampering. However, small uncertainties exist (e.g. temporal error, data loss) | Almost certain | IP address, user account, and ANI information lead to the suspect's home. Monitoring Internet traffic indicates that criminal activity is coming from the house.
C6 | The evidence is tamper proof and unquestionable | Certain | Although this is inconceivable at the moment, such sources of digital evidence may exist in the future.

The certainty values (C-values) in Table 7.1 provide a method for a digital evidence examiner to denote the level of certainty he/she has in a given piece of evidence in a given context. This scale is not intended to be used rigidly to categorize types of evidence in general - it is not valid to claim that all NT Event logs have a C3 certainty level, because in some cases there may be signs of tampering such as deleted log entries, reducing the certainty level of the log to C1. The primary purpose of this Certainty Scale is to help others understand how much weight an examiner has given pieces of digital evidence when making a conclusion based on that evidence. Without these C-values, one might wonder how a digital evidence examiner reached his/her conclusion, particularly if there is disagreement over the certainty assigned to a given piece of evidence. For instance, two digital evidence examiners might make the following conclusions about the same case:

  1. Log entries from System 2 indicate that Suspect B was logged in at the time of the crime and is almost certainly the offender.

  2. The wtmp log on trusted System 1 (C4) indicates that the offender logged in from System 2. The wtmp log on untrusted System 2 (C2) indicates that two potential suspects were logged in at the time of the crime. However, RADIUS logs (C4) relating to Suspect A's PPP connection show that she disconnected from the Internet long before the crime, indicating that the associated wtmp entry on untrusted System 2 was not terminated properly, probably due to an abrupt disconnection on her part. Therefore, only Suspect B was logged onto System 2 at the time of the crime. The pacct logs on System 2 (C4) show that Suspect B was using Secure Shell (SSH) at the time of the crime. Although the pacct entry does not indicate which system Suspect B was connecting to using SSH, an examination of his command history (C2) shows that he was connecting to System 1. Based on this evidence, it is probable that Suspect B is the offender.[1]

It is difficult to assess the validity of the first conclusion because the examiner does not explicate his thought process. Conversely, the thought process leading to the second conclusion is clear and easier to assess. For instance, another digital evidence examiner might argue that the wtmp log on System 2 is highly questionable (C1) given the erroneous entry associated with Suspect A's logon and the fact that several individuals, including both suspects, had root access to the machine and could have modified the logs. Similarly, it can be argued that anyone with root access to System 2 could have altered the pacct logs, reducing their C-value to C2. Based on these revised certainty values, it is possible (not probable) that Suspect B is the offender, but a more reliable source of digital evidence is required to be more certain, because any of the (preferably few) people with root access to System 2 could have altered the wtmp, pacct, and command history logs after the crime to implicate Suspect B.

Notably, these certainty values are not simply additive - the circumstances of a case, the questions at issue, and the types of digital evidence involved will determine how much weight each C-value is given and how they are combined. Digital evidence examiners must use their judgment when weighing and combining certainty values.
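The second examiner's inference chain, worked through in code as an added example (not from the book): the wtmp sessions on System 2 are checked against independent RADIUS accounting to expose the stale entry, pacct and the command history supply the SSH step, and the examiner's C-value is recorded against each finding. All log data is constructed for the illustration; the C-values are the ones the text assigns, and the overall qualification is deliberately not computed, since C-values are not simply additive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Commensurate qualification for each C-value, from Table 7.1.
QUALIFICATION = {
    0: "erroneous/incorrect", 1: "highly uncertain", 2: "somewhat uncertain",
    3: "possible", 4: "probable", 5: "almost certain", 6: "certain",
}


@dataclass
class Finding:
    source: str     # log the fact was drawn from
    c_value: int    # examiner's certainty in that source, in this case
    statement: str

    def describe(self) -> str:
        return f"{self.source} (C{self.c_value}, {QUALIFICATION[self.c_value]}): {self.statement}"


CRIME_TIME = datetime(2003, 5, 31, 2, 15)  # constructed

# Constructed wtmp-style sessions on untrusted System 2:
# (user, login, logout), logout None if the session was never closed.
WTMP_SYSTEM2 = [
    ("suspect_a", datetime(2003, 5, 31, 0, 30), None),
    ("suspect_b", datetime(2003, 5, 31, 1, 50), datetime(2003, 5, 31, 3, 0)),
    ("operator", datetime(2003, 5, 30, 22, 0), datetime(2003, 5, 30, 23, 0)),
]
# Constructed RADIUS accounting for PPP sessions: user -> (start, stop).
RADIUS_PPP = {"suspect_a": (datetime(2003, 5, 31, 0, 25), datetime(2003, 5, 31, 1, 10))}
# Constructed process accounting (pacct) on System 2: (user, command, time).
PACCT_SYSTEM2 = [
    ("suspect_b", "ls", datetime(2003, 5, 31, 2, 11)),
    ("suspect_b", "ssh", datetime(2003, 5, 31, 2, 12)),
]
# Constructed shell history of suspect_b on System 2.
HISTORY_SUSPECT_B = ["ls -la", "ssh system1", "exit"]


def logged_in_at(sessions, when):
    """Users whose wtmp session spans `when`; a session without a logout is
    treated as still open, which is exactly how a stale entry misleads."""
    return {user for user, login, logout in sessions
            if login <= when and (logout is None or logout >= when)}


def radius_session_open(user, when):
    """True/False if RADIUS accounting shows the user's PPP link up/down at
    `when`; None when there is no RADIUS record for that user."""
    if user not in RADIUS_PPP:
        return None
    start, stop = RADIUS_PPP[user]
    return start <= when <= stop


def ran_command(pacct, user, command, when, window=timedelta(minutes=5)):
    """True if pacct shows `user` running `command` within `window` of `when`."""
    return any(u == user and cmd == command and abs(t - when) <= window
               for u, cmd, t in pacct)


def correlate(c_wtmp1=4, c_wtmp2=2, c_radius=4, c_pacct=4, c_history=2):
    """Walk the inference chain of conclusion 2, recording the examiner's
    C-value against each finding. Returns (remaining candidates, findings)."""
    findings = [Finding("wtmp, trusted System 1", c_wtmp1,
                        "offender logged in from System 2")]
    candidates = logged_in_at(WTMP_SYSTEM2, CRIME_TIME)
    findings.append(Finding("wtmp, untrusted System 2", c_wtmp2,
                            f"logged in at crime time: {sorted(candidates)}"))
    # A wtmp entry left open by an abrupt disconnection is contradicted by
    # the independent RADIUS record, so that candidate is dropped.
    for user in sorted(candidates):
        if radius_session_open(user, CRIME_TIME) is False:
            candidates.discard(user)
            findings.append(Finding("RADIUS accounting", c_radius,
                                    f"{user}'s PPP session ended before the crime; "
                                    "the open wtmp entry was not terminated properly"))
    for user in sorted(candidates):
        if ran_command(PACCT_SYSTEM2, user, "ssh", CRIME_TIME):
            findings.append(Finding("pacct, System 2", c_pacct,
                                    f"{user} ran ssh at the time of the crime"))
    # pacct does not record the ssh destination; the (less reliable) shell
    # history supplies it.
    targets = [line.split()[1] for line in HISTORY_SUSPECT_B if line.startswith("ssh ")]
    findings.append(Finding("command history, System 2", c_history,
                            f"suspect_b's ssh destinations: {targets}"))
    return candidates, findings


if __name__ == "__main__":
    # First with the C-values from conclusion 2, then with the revised values
    # argued in the text (wtmp on System 2 down to C1, pacct down to C2).
    for revised in ({}, {"c_wtmp2": 1, "c_pacct": 2}):
        remaining, findings = correlate(**revised)
        print("candidates after correlation:", sorted(remaining))
        for f in findings:
            print("  " + f.describe())
        print("  overall qualification: examiner's judgment, not computed")
```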

One major advantage of this Certainty Scale is that it is flexible enough to assess the evidential weight of both the process that generated a piece of digital evidence and its contents, which may be documents or statements. For instance, an e-mail header may be assigned a C-value of C2 in a specific case but the contents may only be assigned a C-value of C1 because there are signs of tampering. In another case, the C-value of an e-mail header may drop to C1 if any inconsistencies or signs of forgery are detected.

Another major advantage of this Certainty Scale is that it is non-technical and therefore easily understood by non-technical people such as those found in most juries. Although it may be necessary at some stage to ask the court to consider the complexities of the systems involved, it is invaluable to give them a general sense of the level of certainty they are dealing with and to help them decide what evidential weight to give the evidence. Only focusing on the complexities, without providing a non-technical overview, can lead to confusion and poor decisions.

Ultimately, it is hoped that this Certainty Scale will point to areas that require additional attention in digital evidence research. Debate over C-values in specific cases may reveal that certain types of evidence are less reliable than was initially assumed. For some types of digital evidence, it may be possible to identify the main sources of error or uncertainty and develop analysis techniques for evaluating or reducing these influences. For other types of digital evidence, it may be possible to identify all potential sources of error or uncertainty and develop a more formal model for calculating the level of certainty for this type of evidence.

[1] Observe that the use of the word "probable" here corresponds to the C4 level in the certainty scale.

When dealing with the contents of a writing, recording, or photograph courts sometimes require the original evidence. This was originally intended to prevent a witness from misrepresenting such materials by simply accepting their testimony regarding the contents. With the advent of photocopiers, scanners, computers, and other technology that can create effectively identical duplicates, copies became acceptable in place of the original, unless "a genuine question is raised as to the authenticity of the original or the accuracy of the copy or under the circumstances it would be unfair to admit the copy in lieu of the original" (Best Evidence Rule).

Because an exact duplicate of most forms of digital evidence can be made, a copy is generally acceptable. In fact, presenting a copy of digital evidence is usually more desirable because it eliminates the risk that the original will be accidentally altered. Even a paper printout of a digital document may be considered equivalent to the original unless important portions of the original are not visible in printed form. For example, a printed Microsoft Word document does not show all of the data embedded within the original file such as edits and notes.

Direct evidence establishes a fact. Circumstantial evidence may suggest one. It is a common misconception that digital evidence cannot be direct evidence because of its separation from the events it represents as discussed in Chapter 1. However, digital evidence can be used to prove facts. For example, if the reliability of a computer system is at issue, showing the proper functioning of that specific system is direct evidence of its reliability, whereas showing the proper functioning of an identical system is circumstantial.

Although digital evidence is generally only suggestive of human activities, circumstantial evidence may be as weighty as direct evidence and digital evidence can be used to firmly establish facts. For example, a computer logon record is direct evidence that a given account was used to log into a system at a given time but is circumstantial evidence that the individual who owns the account was responsible. Someone else may have used the individual's account and other evidence would be required to prove that he actually logged into the system. It may be sufficient to demonstrate that nobody else had access to the individual's computer or password. Alternately, other sources of digital evidence such as building security logs may indicate that the account owner was the only person in the vicinity of the computer at the time of the logon.

Consider intellectual property theft as another example. Even if nobody saw the defendant take the proprietary data, it may be sufficient to show that the data in his possession are the same as the proprietary data and that he had the opportunity for access. So, there is nothing inherently wrong with circumstantial evidence. Given enough circumstantial evidence, the court may not require direct evidence to convict an individual of a crime.

Digital evidence might not be admitted if it contains hearsay because the speaker or author of the evidence is not present in court to verify its truthfulness.

Evidence is hearsay where a statement in court repeats a statement made out of court in order to prove the truth of the content of the out of court statement. Similarly, evidence contained in a document is hearsay if the document is produced to prove that statements made in court are true. The evidence is excluded because the crucial aspect of the evidence, the truth of the out of court statement (oral or documentary), cannot be tested by cross-examination. (Hoey 1996)

For instance, an e-mail message may be used to prove that an individual made certain statements but cannot be used to prove the truth of the statements it contains. Therefore, although Larry Froistad sent a message to an e-mail list indicating that he killed his daughter, investigators needed a confession and other evidence to prove this fact (see Chapter 18 for case details). The Canadian case against Pecciarich provides an interesting example of what may be considered hearsay in the context of online activities.

CASE EXAMPLE (REGINA v PECCIARICH):

Pecciarich was initially charged with one count of distributing obscene pictures and one count of distributing child pornography by using his personal computer to upload files to computer bulletin boards where others could download the files. The bulletin board was examined remotely, only allowing investigators to testify that they had seen many files on the bulletin board that contained the suspect's code name "Recent Zephyr" and had downloaded a few of them.

Mr Blumberg testified that the graphic, or pictorial files Moppet 1.GIF through Moppet 4.GIF were downloaded by him on September 20, 1993, all exhibiting on screen a printed statement that they were uploaded by Recent Zephyr on dates in August and September, 1993. A sample description of MOPPET 01 was "A Gateway original GIF! Two with girls fully nude and a younger one without panties, and just pulling off the top!" He testified that all remaining files specified in count 2 of the information were seen on either the Gateway or another bulletin board such as "Scruples," and all were identified as having been uploaded by Recent Zephyr on August 3, 1993. Only certain ones were downloaded and stored, due to time and space limitations ... Other files purportedly uploaded by Recent Zephyr were seen on many bulletin boards, and sometimes identified as associated with the company names "Yes Software" and "UCP Software."

On appeal the judge overturned the distribution charges stating that, "the statements from the bulletin 'uploaded by Recent Zephyr' accompanied by a date in August or September 1993, are pure hearsay and therefore not evidence of uploading or of the date specified." This decision appears to have been influenced by the description of the bulletin board, leading the court to believe that the data could not be relied upon. In cross-examination, Blumberg acknowledged that even if a subscriber to the bulletin board uploaded the images, the systems operator could alter any data on the system, including removing clothing, "drawing in" body parts including genitalia, and inserting the words "uploaded by Recent Zephyr." Blumberg even acknowledged that an imposter could upload materials onto the bulletin board in the name of another subscriber, using his telephone number without his knowledge; however, in testimony, which was less than crystal clear, Blumberg explained that a system of call back verification may or may not pick up on the false identity of the uploader.

The court upheld the charge of possession despite the defense argument that the evidence used to attribute the documents to Pecciarich was also hearsay.

Defense counsel argues that proof of authorship is not possible unless the documents are used in violation of the hearsay rule - namely to prove the truth of their message that the creator is "Recent Zephyr." However, rather than for truth, I have used the documents as pieces of original circumstantial evidence that the accused and the name "Recent Zephyr" are so frequently linked in a meaningful way as to create the logical inference that they are the same person.

Proving that someone distributed materials online is challenging and generally requires multiple data points that enable the court to connect the dots back to the defendant beyond a reasonable doubt. In Regina v. Pecciarich, although there was only a theoretical possibility of evidence tampering, the judge had little confidence in the digital evidence and believed that the date-time stamps on the bulletin board were hearsay even though the computer probably generated them (technically, hearsay only applies to human statements). The judge may have been skeptical of these date-time stamps because they were observed remotely through the bulletin board interface rather than collected directly from the system's hard drive. More corroborating evidence, such as creation and modification times of the relevant files on the bulletin board system's hard drive and telephone records showing when the suspect had accessed the bulletin board, may have helped prove distribution to the satisfaction of the court. A list of bulletin board user names with associated addresses and telephone numbers was presented to show that the defendant's telephone number was associated with the Recent Zephyr user name. However, the court determined that it could not be used "to show that the accused and Recent Zephyr have the same telephone number and city of residence. Such use would clearly be for the truth of the contents, and thus would violate the hearsay rule." Furthermore, lists of users cannot demonstrate that the defendant had connected to the bulletin board at the times the images in question were uploaded.

7.6.1 Hearsay Exceptions

There are several exceptions to the hearsay rule to accommodate evidence that portrays events quite accurately and that is easier to verify than other forms of hearsay. For instance, the US Federal Rules of Evidence specify that records of regularly conducted activity are not excluded by the hearsay rule:

A memorandum, report, record, or data compilation, in any form, or acts, events, conditions, opinions or diagnoses, made at or near the time by, or from information transmitted by a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness, unless the source of the information or the method or circumstances of preparation indicate lack of trustworthiness. The term "business" as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.

The Irish Criminal Evidence Act, 1992, has a similar exception in Section 5(1):

... information contained in a document shall be admissible in any criminal proceedings as evidence of any fact therein of which direct oral evidence would be admissible if the information

  1. was compiled in the ordinary course of a business,

  2. was supplied by a person (whether or not he so compiled it and is identifiable) who had, or may reasonably be supposed to have had, personal knowledge of the matters dealt with, and

  3. in the case of information in non-legible form that has been reproduced in permanent legible form, as reproduced in the course of the normal operation of the reproduction system concerned.

Although some courts evaluate all computer-generated data as business records under the hearsay rule, this approach may be inappropriate when a person was not involved. In fact, computer-generated data may not be considered hearsay at all, either because they do not contain human statements or because they do not assert a fact but simply document an act. The USDOJ manual (USDOJ 2002) clearly describes the difference between digital evidence that is computer-generated and digital evidence that is computer-stored:

The difference hinges upon whether a person or a machine created the records' contents. Computer-stored records refer to documents that contain the writings of some person or persons and happen to be in electronic form. E-mail messages, word processing files, and Internet chat room messages provide common examples. As with any other testimony or documentary evidence containing human statements, computer-stored records must comply with the hearsay rule ... In contrast, computer-generated records contain the output of computer programs, untouched by human hands. Log-in records from Internet service providers, telephone records, and ATM receipts tend to be computer-generated records. Unlike computer-stored records, computer-generated records do not contain human "statements," but only the output of a computer program designed to process input following a defined algorithm ... The evidentiary issue is no longer whether a human's out-of-court statement was truthful and accurate (a question of hearsay), but instead whether the computer program that generated the record was functioning properly (a question of authenticity).

As an example, in the English case of R. v. Governor of Brixton Prison, ex parte Levin ([1997] 3 All E.R. 289) the House of Lords considered whether computer printouts were inadmissible because they were hearsay. In this case Levin was charged with unauthorized access to the computerized fund transfer service of Citibank in New Jersey, USA, and making fraudulent transfers of funds from the bank to accounts that he or his associates controlled. Lord Hoffman concluded that the printouts were not hearsay:

The hearsay rule, as formulated in Cross and Tapper on Evidence (8th Ed., 1995) p. 46, states that "an assertion other than one made by a person while giving oral evidence in the proceedings is inadmissible as evidence of any fact asserted." The print-outs are tendered to prove the transfers of funds which they record. They do not assert that such transfers took place. They record the transfers themselves, created by the interaction between whoever purported to request the transfers and the computer programme in [New Jersey]. The evidential status of the print-outs is no different from that of a photocopy of a forged cheque. (p. 239)

However, data that depend on humans for their accuracy, such as entries in a database that are derived from information provided by an individual, are covered under the business record exception if they meet the above description.

More courts are likely to acknowledge the distinction between computer-generated and computer-stored records as they become familiar with digital evidence and as more refined methods for evaluating the reliability of computer-generated data become available, such as the Certainty Scale.

In addition to challenging the admissibility of digital evidence directly, tools and techniques used to process digital evidence have been challenged by evaluating them as scientific evidence. Because of the power of science to persuade, courts are careful to assess the validity of a scientific process before accepting its results. If a scientific process is found to be questionable, this may influence the admissibility or weight of the evidence, depending on the situation.

In the United States, scientific evidence is evaluated using four criteria developed in Daubert v. Merrell Dow Pharmaceuticals, Inc., 1993. These criteria are:

  1. whether the theory or technique can be (and has been) tested;

  2. whether there is a high known or potential rate of error, and the existence and maintenance of standards controlling the technique's operation;

  3. whether the theory or technique has been subjected to peer review and publication;

  4. whether the theory or technique enjoys "general acceptance" within the relevant scientific community.

Thus far, digital evidence processing tools and techniques have withstood scrutiny when evaluated as scientific evidence. However, testing techniques or tools and determining error rates is challenging, not just in the digital realm. Although many types of forensic examinations have been evaluated using the criteria set out in Daubert, the testing methods have been weak. "The issue is not whether a particular approach has been tested, but whether the sort of testing that has taken place could pass muster in a court of science." (Thornton 1997). Also, error rates have not been established for most types of forensic examinations, largely because there are no good mechanisms in place for determining error rates. Fingerprinting, for example, has undergone recent controversy (Specter 2002). Although the underlying concepts are quite reliable, in practice, there is much room for error. Therefore, errors are not simply caused by flaws in underlying theory but also in its application. This problem applies to the digital realm and can be addressed with increased standards and training.

One approach to validating tools is to examine the source code. However, as noted earlier, many commercial developers are unwilling to disclose this information. When the source code is not available, another form of validation is performed - verifying the results by examining evidence using another tool to ensure that the same results are obtained. Formal testing is being performed by the National Institute of Standards and Technology (NIST) and some organizations and individuals perform informal tests. However, given the rate at which computer technology is changing, it is difficult for testers to keep pace and establish error rates for the various tools and systems. Additionally, tool testing does not account for errors introduced by digital investigators through misapplication or misinterpretation. Therefore, the most effective approach to validating results and establishing error rates is through peer review - that is to have another digital investigator double check findings using multiple tools to ensure that the results are reliable and repeatable.

Preparation is one of the most important aspects of testifying in court (National Center for Forensic Science 2003). Scripting direct examination and rehearsing it with the attorney ahead of time provides an opportunity to identify areas that need further explanation and to anticipate questions that the opposition might raise during cross-examination. Conclusions should be stated early in testimony rather than as a punch line at the end because there is a risk that the opportunity will not arise later. During cross-examination, attorneys often attempt to point out flaws and details that were overlooked by the digital investigator. The most effective response to this type of questioning is to be prepared with clear explanations and supporting evidence.

It is advisable to pause before answering questions to give your attorney time to express objections. When objections are raised, carefully consider why the attorney is objecting before answering the question. If prompted to answer a complex question with simply "Yes" or "No," inform the court that you do not feel that you can adequately address the question with such a simplistic answer but follow the direction of the court. Above all, be honest.

In addition to presenting findings, it is necessary to explain how the evidence was handled and analyzed to demonstrate chain of custody and thoroughness of methods. Also, expect to be asked about underlying technical aspects in a relatively non-technical way, such as how files are deleted and recovered and how tools acquire and preserve digital evidence. Simple diagrams depicting these processes are strongly recommended.

It can be difficult to present digital evidence in even the simplest of cases. In direct examination, the attorney usually needs to refer to digital evidence and display it for the trier of fact (e.g. judge, jury). This presentation can become confusing and counterproductive, particularly if materials are voluminous and not well arranged. For instance, referring to printed pages in a binder is difficult for each person in a jury to follow, particularly when it is necessary to flip forwards and backwards to find exhibits and compare items. Such disorder can be reduced by arranging exhibits in a way that facilitates understanding and by projecting data onto a screen to make it visible to everyone in the court.

Displaying digital evidence with the tools used to examine and analyze it can help clarify details and provide context, taking some of the weight of explaining off the examiner. Some examiners place links to exhibits in their final reports, enabling them to display the reports onscreen and efficiently display relevant evidence when required. However, it is important to become familiar with the computer that will be used during the presentation to ensure a smooth testimony. Visual representations of timelines, locations of computers, and other fundamental features of a case also help provide context and clarity. Also, when presenting technical aspects of digital evidence such as how files are recovered or how logon records are generated, first give a simplified, generalized example and then demonstrate how this applies to the evidence in the case.

The risk of confusion increases when multiple computers are involved and it is not completely clear where each piece of evidence originated. Therefore, make every effort to maintain the context of each exhibit, noting which computer or floppy disk it came from and the associated evidence number. Also, when presenting reconstructions of events based on large amounts of data such as server logs or telephone records, provide simplified visual depictions of the main entities and events rather than just presenting the complex data. It should not be necessary to fumble through pages of notes to determine the associated computer or evidence number. Also, refer to exhibit numbers during testimony rather than saying, "this e-mail" or "that print screen."

Digital investigators are often required to provide all notes related to their work and possibly different versions of an edited/corrected report. Therefore, organize any screenshots or printouts (initialed, dated, and numbered) of important items found during examination. For instance, create a neatly written index of all screenshots and printouts.

The foundation of any case involving digital evidence is proper evidence handling. Therefore, the practice of seizing, storing, and accessing evidence must be routine to the point of perfection. Standard operating procedures with forms are a key component of consistent evidence handling, acting as both memory aids for digital investigators and documentation of chain of custody. Also, training and policies should provide digital investigators with a clear understanding of acceptable evidence handling practices and associated laws.

Verifying that evidence was handled properly is only the first stage of assessing its reliability. Courts may also consider whether digital evidence was altered before, during, or after collection, and whether the process that generated the evidence is reliable. Claims of tampering generally require some substantiation before they are seriously considered. Someone familiar with the system in question, who can testify that the computer was operating normally at the time, can generally address questions regarding the process that generated a given piece of digital evidence. Digital evidence examiners are encouraged to state clearly their certainty in each piece of digital evidence that they use to reach their conclusions. A proposed Certainty Scale is provided in Table 7.1 for this purpose. If there are significant doubts about the reliability of relevant computer systems and processes, the court may decide to give the associated digital evidence less weight in the final decision.

On the stand, digital investigators may be asked to testify to the reliability of the original evidence and of the collection and analysis systems and processes, to assert that they personally collected and verified the data, and to establish the chain of custody. An unexplained break in the chain of custody could be used to exclude evidence. An understanding of direct versus circumstantial evidence, hearsay, and scientific evidence is necessary to develop solid conclusions and to defend those conclusions and the associated evidence on the stand. A failure to understand these concepts can weaken an examiner's conclusions and testimony. For instance, interpreting circumstantial evidence as though it were direct evidence, or basing conclusions on hearsay, could undermine an examiner's findings and credibility.
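The chain-of-custody forms described above can be audited mechanically for the two defects a court weighs: an unexplained break in the chain and an apparent alteration of the item between handovers. The following is an added example, not from the book; the evidence numbers, names, timestamps and hashes are constructed sample data.

```python
"""Chain-of-custody log audit (added example, not from the book).

Each CustodyEvent is one line of a custody form: who released an evidence
item, who received it, when, and the hash recorded at the handover. The
audit reports an unexplained break in the chain (the next releaser is not
the last recipient, or the clock runs backwards) and an apparent alteration
(the recorded hash changes between handovers).
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime as dt
from typing import Dict, List


@dataclass
class CustodyEvent:
    item: str          # evidence number written on the form, e.g. "EV-04"
    when: dt           # date and time of the handover
    released_by: str   # who gave the item up ("scene" for the seizure itself)
    received_by: str   # who took the item
    sha256: str        # hash of the item recorded at this handover
    reason: str        # purpose of the transfer


def audit_chain(events: List[CustodyEvent]) -> List[str]:
    """Check each item's custody records in the order they were written.

    Returns one finding per defect; an empty list means every chain is
    continuous and every recorded hash is unchanged.
    """
    findings: List[str] = []
    by_item: Dict[str, List[CustodyEvent]] = {}
    for ev in events:
        by_item.setdefault(ev.item, []).append(ev)

    for item, records in by_item.items():
        for prev, cur in zip(records, records[1:]):
            stamp = f"{cur.when:%Y-%m-%d %H:%M}"
            if cur.released_by != prev.received_by:
                findings.append(f"{item}: custody break at {stamp}: last recorded holder was "
                                f"{prev.received_by!r}, but {cur.released_by!r} released it")
            if cur.when < prev.when:
                findings.append(f"{item}: timestamp {stamp} precedes previous entry")
            if cur.sha256 != prev.sha256:
                findings.append(f"{item}: hash changed at {stamp} ({cur.reason})")
    return findings


def intact_items(events: List[CustodyEvent]) -> List[str]:
    """Evidence numbers whose chain produced no findings."""
    flagged = {f.split(":")[0] for f in audit_chain(events)}
    return sorted({ev.item for ev in events} - flagged)


# Constructed sample data: hashes are of made-up byte strings, not real images.
H_EV04 = hashlib.sha256(b"constructed image of EV-04").hexdigest()
H_EV04_ALTERED = hashlib.sha256(b"constructed image of EV-04, altered").hexdigest()
H_EV07 = hashlib.sha256(b"constructed image of EV-07").hexdigest()

SAMPLE_EVENTS = [
    CustodyEvent("EV-04", dt(2003, 3, 4, 10, 15), "scene", "Det. Ahmed", H_EV04, "seized office desktop"),
    CustodyEvent("EV-04", dt(2003, 3, 4, 16, 40), "Det. Ahmed", "Evidence locker", H_EV04, "stored"),
    # Defect 1: nobody recorded checking the item out of the locker to Examiner Li.
    CustodyEvent("EV-04", dt(2003, 3, 6, 9, 5), "Examiner Li", "Lab bench 2", H_EV04, "imaging"),
    # Defect 2: the hash recorded on return differs from every earlier entry.
    CustodyEvent("EV-04", dt(2003, 3, 6, 17, 30), "Lab bench 2", "Evidence locker", H_EV04_ALTERED, "returned"),
    CustodyEvent("EV-07", dt(2003, 3, 4, 10, 20), "scene", "Det. Ahmed", H_EV07, "seized floppy disk"),
    CustodyEvent("EV-07", dt(2003, 3, 4, 16, 41), "Det. Ahmed", "Evidence locker", H_EV07, "stored"),
]

if __name__ == "__main__":
    for line in audit_chain(SAMPLE_EVENTS):
        print(line)
    print("intact:", intact_items(SAMPLE_EVENTS))
```

Running the script lists the two EV-04 findings and reports EV-07 as intact; the same check run over a real custody log would point the examiner at the entries that need explaining before testimony.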

Ultimately, digital evidence examiners must present their findings in court to a non-technical audience. As with any presentation, the key to success is preparation, preparation, and more preparation. Be familiar with all aspects of the case, anticipate questions, rehearse answers, and prepare visual presentations to address important issues. Although this requires a significant amount of effort, keep in mind that someone's liberty might be at stake.

Breyer S. (2000) "Reference Manual on Scientific Evidence", 2nd Ed., Federal Judicial Center (Available online at http://www.fjc.gov/public/pdf.nsf/lookup/sciman00.pdf)

Casey E. (2002) "Error, Uncertainty and Loss in Digital Evidence", International Journal of Digital Evidence, Volume 1, Issue 2, 2002 (Available online at http://www.ijde.org/archives/docs/02_summer_art1.pdf)

Gahtan A. (1999) "Electronic Evidence", Ontario: Carswell Legal Publications

Guidance Software (2001–2002) "EnCase Legal Journal" 2nd Ed. (Available online at http://www.guidancesoftware.com/support/downloads/LegalJournal.pdf)

Hoey A. (1996) "Analysis of The Police and Criminal Evidence Act, s.69 - Computer Generated Evidence", Web Journal of Current Legal Issues, in association with Blackstone Press Ltd.

Law Commission (1997) Evidence in Criminal Proceedings: Hearsay and Related Topics, Law Commission Report 245 (Available online at http://www.lawcom.gov.uk/231.htm#lcr245)

Mattei M., Blawie J. F. and Russell A. (2000) "Connecticut Law Enforcement Guidelines for Computer Systems and Data Search and Seizure", State of Connecticut Department of Public Safety and Division of Criminal Justice

National Center for Forensic Science (2003) "Digital Evidence in the Courtroom: A Guide for Preparing Digital Evidence for Courtroom Presentation", Master Draft Document, U.S. Department of Justice, National Institute of Justice, Washington (Available online at http://www.ncfs.org/DE_courtroomdraft.pdf)

Reed C. (1990–91) 2 CLSR 13–16, as quoted in Sommer P. (1997) "Downloads, Logs and Captures: Evidence from Cyberspace", Journal of Financial Crime, October 1997, 5 JFC 2, 138–152

Specter M. (2002) "Do Fingerprints Lie?: The gold standard of forensic evidence is now being challenged", The New Yorker Issue of 2002-05-27 (Available online at http://www.newyorker.com/printable/?fact/020527fa_FACT)

Thornton J. I. (1997) "The General Assumptions and Rationale of Forensic Identification," for David L. Faigman, David H. Kaye, Michael J. Saks, & Joseph Sanders, Editors, Modern Scientific Evidence: The Law and Science of Expert Testimony, Volume 2, St. Paul, MN: West Publishing Company

United States Department of Justice (2002) "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" (Available online at http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm)

American Oil Co. v. Valenti (1979) 179 Connecticut 349, 358, 426 A.2d 305

Bean M. (2003) "Mich. v. Miller: Sex, lies and murder", Court TV (Available online at http://www.courttv.com/trials/taped/miller/background.html)

Daubert v. Merrell Dow Pharmaceuticals, Inc. (1993) 509 U.S. 579, 113 S.Ct. 2786, 125 L.Ed.2d 469.

Michigan v. Miller (2001) 7th Circuit Court, Michigan

Missouri v. Dunn (1999) Appeals Court, Western District of Missouri, Case Number 56028 (Available online at http://www.missourilawyersweekly.com/mocoa/56028.htm)

People v. Lugashi, (1988) Appeals Court, California (205 Cal.App.3d 632) Case Number B025012

R. v. Cochrane (1993) Crim. L. R. 48

R. v. Governor of Brixton Prison, ex parte Levin (1997) 3 All E. R. 289

R. v. Shephard (1993) 1 All E. R. 225

Regina v. Pecciarich (1995) 22 O.R. (3d) 748, Ontario Court, Canada (Available online at http://www.efc.ca/pages/law/court/R.v.Pecciarich.html)

United States v. Gray (1999) District Court, Eastern District of Virginia, Alexandria Division, Case Number 99-326-A

United States v. Miller (1985) 771 F.2d 1219, 1237 (9th Cir.)

United States v. Tank (1998) Appeals Court, 9th Circuit, Case Number 98–10001 (Available online at http://laws.findlaw.com/9th/9810001.html)

United States v. Turner (1999) Appeals Court, 1st Circuit, Case Number 98–1258 (Available online at http://laws.lp.findlaw.com/1st/981258.html)

Wisconsin v. Schroeder (1999) Appeals Court, Wisconsin, Case Number 99-1292-CR (Available online at http://www.courts.state.wi.us/html/ca/99/99-2264.HTM)