CHAPTER 9. Digital Evidence and Forensic Investigations
Janet Barber Duval
The extensive use of computers, voice and video recording devices, surveillance cameras, and a myriad of wireless applications in business and industry has added a new dimension to the realm of evidence that is available for legal proceedings. The use of these devices for forensic surveillance and lawful interception of data is a rapidly growing and specialized field. Hospitals and other healthcare agencies, insurance carriers, law enforcement, and many community services realize the power of forensic evidence in cases involving violent crimes, fraud, and other illegal activities. Forensic nurses and other investigators must have a working knowledge of the access, preservation, and use of digital evidence. This requires a basic identification of digital forensic media, an understanding of the technological features of these various storage devices, including their volatility, as well as the requirements for lawful interception, discovery, and use of digital data in the courtroom.
Introduction to Digital Forensics
Digital forensics is “The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation” (Zatyko, 2007, p. 18).
One other expert in digital forensic science defined the content area as “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations” (Carrier, 2003, p. 1).
In 2008, the American Academy of Forensic Sciences approved a new section, Digital and Multimedia Sciences, in recognition of the essential and rapidly expanding field of computers and their relevance to all disciplines within the forensic sciences. In addition to digital media devices being a prime source of evidence in many cases, digital technology has become a valuable tool in forensic investigations. Shortly after the introduction and proliferation of computers and their supporting networks, it was clear that they could be used to create mischief, incite chaos within business enterprises, and produce harm at the highest levels of government. In 1984, the Federal Bureau of Investigation (FBI) believed that the escalating use of computers and associated problems, such as hacking into networks, transmitting viruses and worms, and using computers for unlawful purposes, required a response. Soon the FBI formed a dedicated computer analysis and response team (CART) as well as regional computer forensics laboratories. Other U.S. entities and many countries throughout the world have followed the FBI’s lead and have established similar services to aid law enforcement and the courts in the investigation of forensic cases.
The detection, analysis, and reporting related to evidence found in the physical and virtual memory of computers is termed computer forensics or cyberforensics. As in all forensic investigations that are court-worthy, a documented chain of evidence is vital to the processes associated with the discovery, preservation, and use of digital information derived from any digital sources. Computer investigators must follow strict forensic guidelines when accessing a suspect computer. All user actions must be logged with dates, times, and personnel involved. This information will be an important component in validating chain of custody during subsequent litigation.
What Is Digital Evidence?
Digital evidence is any information of probative value that is either stored or transmitted in a binary (digital) form. Digital devices include computer hard drives, scanning devices, compact flash cards, compact discs, digital audio and video devices including answering machines, digital cameras, cell phones, digital fax machines, personal digital assistants (PDAs), and other handheld digital devices. Data stored in these communication instruments can be recovered and analyzed to assist in determining the facts. Information derived from such sources can prove relationships between perpetrators and victims, confirm the identification of those involved in a crime, and confirm time lines that support or refute reported information. The motives for certain activity and typical behaviors of offenders can also be appreciated.
Digital Forensic Analysis Processes
The forensic investigation will use both physical and digital evidence, and by using the scientific method, will draw certain conclusions. Three phases are required: (1) acquisition, (2) analysis, and (3) presentation (Carrier, 2003). During the acquisition phase, the digital system is saved and copied, producing an exact image of all allocated and unallocated space on the hard disk. The analysis phase examines files and directories and recovers any deleted content. During these two initial phases, emphasis is on technical issues of salvaging and organizing data. The presentation phase, however, focuses on policy and law. In corporate, military, or healthcare settings, there is representation from human resources, the offices of counsel, and various executives to ensure that privacy standards and organizational policies are followed. To a large extent, these will offer some constraints about what will eventually be made available to a court of law. Judges and juries will examine the evidence only after it has been scrutinized and determined to be admissible. The “Daubert Test,” which emerged from a U.S. Supreme Court ruling in Daubert v. Merrell Dow Pharmaceutical (1993), will determine admissibility of digital evidence (see p. 547). In regard to procedures related to the recovery and analysis of digital evidence, there are test components that address testing, error rates, publications and peer review, and general acceptance by the scientific community. In regard to the Federal Rules of Evidence, the status of digital evidence is yet to be determined. In accordance with the Daubert guidelines, it is scientific evidence, but may be considered nonscientific technical testimony according to Rule 901(b)(9).
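As an added illustration of the acquisition phase and of the chain-of-custody logging described above (example code written for this edition, not from the chapter or its cited sources), the following Python script images a constructed stand-in drive, hashes source and image to validate the copy, appends a timestamped custody entry naming the examiner, and carves a note whose directory entry was deleted but whose bytes remain in unallocated space. The file names, the `MSG:` signature and the examiner name are assumptions.

```python
import hashlib, json, os, re, tempfile
from datetime import datetime, timezone

# Constructed stand-in for a seized drive (not real evidence): a live note in the
# allocated region, unallocated zeros, then a note whose directory entry was deleted.
CONSTRUCTED_DISK = (
    b"FS\x00note.txt\x00" + b"MSG:meet at 2200\x00".ljust(64, b"\x00")
    + b"\x00" * 32
    + b"MSG:ledger moved offsite\x00".ljust(64, b"\x00")
)

def sha256_of(path):
    """Stream the file so large images hash in constant memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner, custody_log):
    """Bit-for-bit copy of source to image, hashed on both sides, with a
    timestamped custody entry so the copy can be re-verified later."""
    src_hash = sha256_of(source)
    with open(source, "rb") as s, open(image, "wb") as d:
        for block in iter(lambda: s.read(65536), b""):
            d.write(block)
    entry = {
        "action": "acquire", "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source, "image": image, "source_sha256": src_hash,
        "image_sha256": sha256_of(image),
    }
    entry["verified"] = entry["source_sha256"] == entry["image_sha256"]
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_image(image, expected_sha256):
    """Re-run before analysis or testimony: any alteration changes the hash."""
    return sha256_of(image) == expected_sha256

def carve_notes(image):
    """Signature carving over the whole image, allocated or not, so deleted
    content with no directory entry is still recovered."""
    with open(image, "rb") as f:
        return re.findall(rb"MSG:([^\x00]+)", f.read())

def demo(examiner="J. Examiner (placeholder name)"):
    with tempfile.TemporaryDirectory() as d:
        src, img, log = (os.path.join(d, n) for n in ("drive.raw", "drive.dd", "custody.jsonl"))
        with open(src, "wb") as f:
            f.write(CONSTRUCTED_DISK)
        entry = acquire(src, img, examiner, log)
        return entry, verify_image(img, entry["source_sha256"]), carve_notes(img)
```

The second carved note has no directory entry yet is recovered because imaging copied unallocated space too; the custody log line is what ties the image hash to an examiner and a time.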
Dead-Box versus Live-Box Analysis
The conventional technique for computer forensic investigations involves analyses of hard drives, floppy disks, zip drives, and optical media storage (CDs and DVDs). This method is called “dead-box analysis” because the computer system is disconnected before an exact copy of the hard drive is created (Cummings, 2008).
A more recently developed technique for evidence collection is called “live-box analysis” because it relies on the computer’s random-access memory (RAM) or volatile memory, giving investigators access to all memory chips. This physical memory must be captured and preserved before the user turns off the computer. When the computer is removed from a power source and shut down, these data are no longer available to investigators. The invaluable information that can be recovered from live-box analysis includes registry data, user names and passwords, instant message or chat exchanges, open documents, and e-mail with addresses. When considering the value of these elements, it is obvious why live-box analysis is vital to help investigators understand a suspect’s computer activity over an extended period of time.
Investigators use software utilities, hardware devices, or certain keyboard sequences to create a snapshot of all physical memory within the computer. This is sometimes referred to as a crash dump. Common systems such as Windows offer free software designed to capture all physical memory. Once the memory is preserved, special training and software adjuncts are required to reveal all aspects of the memory system. Although live-box techniques are vital to many investigations, they should be used in conjunction with dead-box techniques to ensure a comprehensive approach to computer analysis.
Techniques for Computer Evidence Recovery
Most of the technology regarding the recovery of evidence from computers has been developed by an assortment of investigative agencies. For example, the FBI has identified hackers and intruders, as well as sexual predators who exploit their victims through online communication. The U.S. Secret Service has exposed criminals who engage in financial fraud and identity theft via the Internet. The Departments of Defense and Homeland Security also engage in cyberforensics to uncover networks of international espionage or terrorist plots. Cyber criminals tend to keep one step ahead of technology designed to secure computers from unlawful intrusions into personal and networked computers. Savvy hackers, sometimes sponsored by nation states, have developed specific malware and modus operandi resulting in intellectual property theft. Much of this sophisticated malware is difficult to detect and to defeat with the traditional computer security systems of business and government.
Lawful Interception of Data
The United States and many other countries have unique prerequisites for lawful surveillance for forensic investigations, including the capture of digital data. In the United States, the legal basis is “probable cause” as defined by the Fifth Amendment of the Constitution for serious crimes such as drug-trafficking, gambling, blackmailing, manslaughter and murder, armed robbery, debt crime and racketeering, bribery, and kidnapping. Prosecutors must establish that the target devices are being used for communications related to the crime, and the order is typically for 30 days or less. The passage of the U.S. Patriot Act has added others. These are the use of chemical weapons and weapons of mass destruction, global terrorism, financial transactions supporting terrorism, and financial support of terrorists and terrorist organizations (Hoffman & Terplan, 2006). Ordinarily, but not in all cases, a U.S. federal or state judge must order surveillance actions. There are some scenarios when alternate legal processes may be employed, such as an administrative or grand jury subpoena, a trial subpoena, a search warrant, or proof of customer consent. The content of unopened mail and electronic communications such as e-mail, voicemail, and text messages is accessible by search warrants in most cases; however, real-time interception of communications or unopened voice messages requires eavesdropping warrants (Hoffman & Terplan, 2006, p. 340).
There are certain wiretap warrants that involve “real-time” obligations for data handover, and emergency operators represent the highest priority. Entities such as 911 centers, public-safety answering points, emergency medical service providers and dispatch, fire service, law enforcement, and hospital emergency or trauma units have immediate access to caller-identification data, and ordinarily this information is periodically downloaded and archived onto CD-ROMs. Private crisis or suicide-prevention hotlines do not have these same provisions, however (Hoffman & Terplan, 2006, p. 345). The forensic nurse investigator is often able to use data from such sources to reconstruct communications and activities associated with a victim or suspect.
Digital Data in Healthcare
Within healthcare, there are multiple applications of digital evidence that might become relevant to a forensic investigation. Even before a gunshot victim reaches the hospital, important information has already been captured, which may later prove important to an investigation. The victim may have used a cell phone before or during a robbery attempt, there is the 911 call for assistance at the time of the shooting, police scanners record precise times of units being dispatched, and the conversations of the EMTs and other emergency personnel are being recorded and date/time stamped. In public places, there might be video surveillance of the crime scene. In addition, personal cell phones and digital cameras of bystanders might have been used to document the scene of the shooting. One can readily appreciate that once the patient reaches the hospital, more digital records are being made. The ER ambulance entrance camera records the arrival of the emergency vehicles; a computerized medical record is begun with data streaming to predetermined locales within the hospital; vital signs are automatically monitored, recorded, and sent to the hospital information system; the embedded computer boards for the ventilator, IV pumps, blood warmer, and internal probes capture details of treatment and the patient’s responses to therapy; personnel actions are tracked by PINs, passwords, or electronic signatures as they enter and leave the trauma room or access emergency drugs/supplies; digital x-rays are taken and sent to a consulting trauma center; telephonic communications are being recorded; the trauma receiving room is recording all events by audio and video media; and personal digital assistants (PDAs) of physicians and other staff are storing and transmitting data about the patient’s condition.
These are but a few samples of events in one type of hospital case, but it should be obvious that digital data are rapidly accumulating about the patient’s condition and treatment, and such information in retrospect is crucial in reconstructing events within the hospital. Despite the Health Insurance Portability and Accountability Act (HIPAA [Privacy Act]) guidance, there is little or no privacy for the patient or the staff, and most of the information gathered during such incidents is discoverable and can be used later by investigators who suspect that criminal activity has occurred. HIPAA provisions are designed to protect patients from unauthorized or accidental disclosure of medical information during transmission within and among medical facilities, healthcare workers or providers, and third-party payers (Frank-Stromborg, 2006).
Computer Use in Hospital Communications
In today’s hospitals, administrators are forced to address efficiencies in patient care and workflow processes. Higher patient acuity, the nursing shortage, and increased demands for documentation have placed new demands on the shrinking workforce, and workers are expected to do more with less. Consumer expectations of healthcare quality are also at an all-time high. In response to the ever-increasing pressures to improve care, contain costs, and operate within a highly competitive environment, hospitals have looked to new technologies for answers. One solution to the dilemma is to provide personnel with connections to data, records, and people that are vital for making the right things happen. Efficiency, expediency, and flawless precision are required for positive outcomes. Since the 1990s, there has been a rapid growth of computer and other digital interfaces at the point of care, which can contribute to these goals and even improve the hospital’s “bottom line.”
Ready, rapid connectivity through wired and wireless devices offers several advantages to the frustrated nurse who by now has learned to survive in this stressful and complex environment by becoming a genius at multitasking. Hard-wired computers and physiological monitors have contributed immensely to clinical safety and efficiency. Now, in addition, there is an array of sophisticated wireless devices that offer even more opportunities for communication and data access that are vital to prompt clinical decision making.
Wireless Technologies in Healthcare
The widespread use of wireless devices poses multiple challenges for investigators who are attempting to discover all information about a legal scenario. In addition to planned wireless communication connections, personnel bring their own wireless devices and use them liberally during their activities. They initiate and return calls, transmit data, and even take photographs using such devices. PDAs permit the storage and transmission of communications pertaining to patient care, and these devices are often used in public spaces and occasionally become misplaced, potentially compromising sensitive information. The hospital has an impossible job in harnessing and protecting healthcare data. Furthermore, information contained within the memory of such devices is typically discoverable for forensic investigations (Barber, 2007).
Hospitals and physicians have not traditionally permitted interchange between their informational sources and patient records. Federal Medicare regulations do not permit hospitals to share software or other computer services that have the potential for influencing utilization. To prevent hospitals from becoming involved in fraud and abuse investigations, the barriers remain between computer applications of hospitals and physician offices (Goldsmith, 2003). The Internal Revenue Code and certain state laws prevent the 85% of the nation’s hospitals that are nonprofit from giving anything of monetary value to physicians. Sharing software could risk tax-exempt status (Goldsmith, 2003). Although the opportunities exist for improving efficiency through shared computer services and software applications, these real barriers remain until new legislation is enacted.
The most progressive healthcare settings are using wireless connections and Bluetooth technology for many routine communications. In some cases, applications are written into software specifications for the capability of digital recording and archiving of such information, and few personnel are aware of what is being recorded or archived. However, there are safeguards built into most medical devices, permitting the storage of information about the functions of the device, its maintenance history, and often interactions with its users. Although some medical devices such as life-support equipment and critical monitors must be hard-wired to ensure maximum reliability, remote access to bedside monitors and other equipment is often achieved via hard-wired systems that are linked to a remote area such as a nurses’ station or telemetry monitoring room. When a patient is moved throughout the hospital, the monitors or other devices must be disconnected and reconnected into receptacles. Wireless connections, however, are managed automatically, making the devices truly mobile. Hospital beds, portable monitors, transport ventilators, and infusion pumps work seamlessly and memory continues, even when unplugged from their power source.