In the 1980s, home computers were not yet popular and desktop systems were being developed for business and government. Early digital forensic techniques were used to detect and investigate hacking and computer compromise. In fact, the most common criminal act involving computers was the use of systems and dial-up modems to connect to the Department of Defense's networks to get free long distance. As home computers and desktop computers became more popular, the main means of interconnectivity among computer users was dial-up commercial systems. Ultimately, this resulted in the development of more advanced commercial networks, such as America Online (AOL). [Does anyone remember “Prodigy”?]
As with any mechanism that makes life easier for consumers, those with criminal intent developed a means to exploit those systems for other-than-lawful purposes. Thus, since they could be used for different types of criminal activity, computers became a bigger focus of the criminal justice system.
A computer could be:
- used to commit a crime, such as hacking or transferring private or illegal information (e.g., stolen social security numbers, credit card information, or child pornography);
- used to store evidence of a crime (e.g., child pornography, a “murder list,” narcotics ledgers, “cooked” accounting books);
- or the target of a crime.
As a result, techniques had to be developed to allow criminal justice professionals to search through digital data contained on a computer or network to identify and collect evidence.
At first, criminal justice professionals used commercial mainstream software to search for and recover data on a hard drive. Norton Disk Edit tools, for example, could be used to search a computer for digital evidence, but they also caused changes to the computer’s data. Eventually, specialized forensic software was developed (e.g., EnCase, FTK, SMART) to more accurately collect and search digital evidence without damaging or changing its content.
Initially, courts did not understand the technology: neither the computers nor the forensic processes and software developed to examine them. The law was not up-to-date enough to facilitate the investigation and prosecution of technology-based crimes. Further, there were no universal digital forensic standards or established best practices that practitioners could follow and which would have helped circumvent court challenges to digital evidence. But, fortunately, over the last twenty years, new laws have been enacted to account for technology-based crimes. Digital forensic standards have been developed that are used across the discipline, and specialized tools have been developed to help law enforcement meet those standards.
So why is this important to each of you, as non-criminal justice professionals? Part of the answer is this: While conducting a forensic analysis of your organization’s computer systems or networks – whether you’re searching for evidence of hacking or employee misconduct, or in response to a request for discovery in a lawsuit, for example – you may come across information that could lead to a criminal prosecution. If you do not follow the same standards used by criminal justice professionals (e.g., making every effort to analyze a bit-by-bit forensic copy instead of the original evidence directly), any evidence you find could be rendered inadmissible in court. However, if you perform your duties as a forensic examiner with criminal justice standards in mind, not only will it increase the utility of the digital evidence in a criminal or civil court, but it should also provide more certainty in your own results.
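To make the "bit-by-bit forensic copy" standard concrete, the following added example (not from the original text or from any forensic product named above) copies a source byte for byte and then checks that the working copy is unchanged. It assumes SHA-256 digests as the integrity check, which the text does not mention; the file names and sample data are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images need not fit in memory


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to image byte for byte (source opened read-only); return its digest."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def verify(image, acquisition_digest):
    """True if the working copy still matches the digest recorded at acquisition."""
    return sha256_of(image) == acquisition_digest


def demo():
    """Run the workflow on constructed sample data; return the three check results."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.bin")  # constructed stand-in for a drive
        image = os.path.join(workdir, "evidence.img")   # working copy used for analysis
        with open(source, "wb") as fh:
            fh.write(b"constructed sample sector data\x00" * 4096)
        recorded = acquire(source, image)
        after_copy = verify(image, recorded)            # copy matches the original
        source_intact = sha256_of(source) == recorded   # original unchanged by acquisition
        with open(image, "ab") as fh:                   # simulate a tool that writes to the copy
            fh.write(b"X")
        after_change = verify(image, recorded)          # a single added byte is detected
        return after_copy, source_intact, after_change


if __name__ == "__main__":
    print(demo())
```

Recording the digest at acquisition and re-checking it after analysis is what lets an examiner show that the analyzed copy is identical to the original and that the analysis did not change it.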