In the mid-1980’s, the criminal and judicial world underwent a serious transformation as the role of DNA evidence swept onto the scene and established the field we now know as forensics. This process allowed experts to collect, preserve, and analyze any physical evidence found at a crime scene, which could then be used to unravel criminal investigations by tracing materials back to their original owners. If you’ve ever watched CSI on television, you already know all about it. Fingerprints on a window; strands of hair in a bathtub drain; blood stains on the floor; and even microscopic samples of stuff otherwise naked to the human eye—all of these once insignificant details became centerpieces of forensic crime fighting and allowed authorities to piece together all sorts of criminal details relating to timelines, locations, murder weapons, and yes—the identity of perpetrators.
This scientific approach to crime fighting soon took an even more fascinating turn when it moved over to the world of technology, creating a branch known as digital forensics. While the intention of the process was the same—to recover and analyze useful bits of evidence—the application evolved into something entirely new. It expanded to cover investigations of any computer device or system with the ability to store digital data. But instead of blood smears or fingerprints left on a countertop, the process preserved and recorded hard drives, mobile phones, network devices, and laptops.
The ultimate goal of computer forensics is to analyze the state of a digital device and find ways to extract data, so it can be used in the detection or prevention of a real crime. This process is just as delicate as traditional forensics because any evidence pulled from the device must be able to hold up in a court of law. It follows a clear course of action:
- Readiness includes training, regular testing, and an evolution of digital knowledge.
- Evaluation includes assigning roles and resources, including the need for risk analysis and physical threat.
- Collection involves finding evidence and properly gathering and storing it.
- Analysis relies on findings and forensic tools.
- Presentation involves producing a clear report of all findings and instructions going forward.
- Review is simply an examination of the overall process for signs of weakness or areas of improvement.
While scientific and digital forensics share many similarities, the truth is, prosecuting people for computer crimes is a whole different ball game and can be a lot more difficult than just looking for a “smoking gun.” Sometimes the proof investigators seek is as tiny as a shred of code or a one single email buried in a file with millions of other communications. Don’t forget, finding a bit of DNA in a bank vault is a whole lot easier than sifting through the massive amounts of sheer data we leave behind every, single day through our digital movements. And it is this abundance of information that’s made digital forensics one of the most important new methods of crime detection and prosecution. Let’s take a look at some real life examples where digital forensics saved the day.
It caught a serial killer.
Dennis Rader, otherwise known as the BTK killer, is the most famous perpetrator to be nabbed through the use of digital forensics, to date. Known for his tendency to “bind, torture, and kill” his victims, Rader taunted local police in Wichita, Kansas for over two decades, looking for recognition and notoriety through handwritten notes and clues. But in 2005, as technology was beginning to advance, Rader sent authorities a message written on a computer floppy disk, a fact that would eventually bring about his demise. Although he had scrubbed old documents from the disk, forensic experts were able to capture its “metadata,” which allowed them to see it had been used at a local Lutheran Church by someone named “Dennis.” A quick Google search, and investigators instantly landed on Rader’s name, as he was then president of the church council. And of course, once they dug into his profile, all the pieces came together to confirm his guilt, and a 20-some year crime was finally solved.
It confirmed the guilt of Michael Jackson’s doctor.
When the ultra-famous performer died suddenly in 2009, his autopsy proved he had taken a lethal dose of prescription medication. Although his personal physician, Dr. Conrad Murray, claimed to know nothing of the singer’s drug use, a subsequent search of his computer revealed documentation that the good doctor had, in fact, authorized the deadly dosage. And based on this digital evidence, Dr. Murray was convicted of involuntary manslaughter for Jackson’s death and served two years in federal prison—plus, he lost his medical license for good.
It identified a child pornographer.
In 2005, a professor at Marist College in New York named James Kent received a new office computer through a campus-wide upgrade in technology. What he didn’t realize, however, is that all of his old laptop old files automatically migrated over to his new device as soon as it was installed—even the “deleted” ones. So when his work computer began having problems seven years later, he didn’t hesitate to call the IT department for tech support. While running a virus scan of Kent’s new device, a file with a lot of “.jpg” images appeared, showing thumbnails of scantily clad young girls engaged in various sex acts.
The IT expert quickly removed the hard drive from Kent’s office and turned it over to the authorities who accused him of being in possession of child pornography. Although Kent claimed innocence, he did not realize the folders he once “deleted” had remained in the computer’s unallocated space, where things removed from the trash go to die—except they never do because that data is essentially permanent. His Mozilla and Internet Explorer cached files yielded thousands of child porn images, not to mention Kent’s browsing history confirmed his criminal behavior. He was convicted of 130 child pornography felonies and sentenced to three years in prison.