Analysing digital evidence and computer crime


Since the late 1980s the use of computers throughout modern societies has increased exponentially, to the point where such societies have become virtually dependent on computers and other digital devices in day-to-day life and in the business economy. One has to concur that such implements, apart from meeting the requirements of modern society, have also made it possible for wrongdoers to indulge in new forms of crime such as cyber crime and Internet crime. However, one should also note that in reality most of these so-called 'new crimes' are nothing but age-old modes of behavior carried out using newly available technologies. David Wall (2007) notes that when so-called cyber crime cases appear in court they often resemble the traditional type of crime. Wall (2007) contends that such offences include fraud, pornography, hacking, gambling and pedophilia, among others that were already part of existing criminal justice procedure. Zammit (2010) states that normally what is deemed "true" digital crime comprises offences like hacking, denial of service attacks and the distribution of viruses. Nonetheless, one should note that a criminal with specialized Information Technology expertise is now potentially able to rob a bank without stepping inside one. Such forms of criminal behavior therefore require the application of digital evidence collection and cyber crime investigation.

Digital evidence used in criminal cases is a relatively new concept according to Lessig (2000), while physical evidence is much better rooted in societies' collective mind and understood by all parties of a criminal justice system. The main goal of crime investigation is to find some indicative clues to determine the relationship between perpetrator, crime scene and victim (Uzunay et al. in Blyth & Sutherland, 2006). Locard's Principle of Exchange states that when a person commits a crime something is always left at the crime scene which was not there when the person arrived. This principle also applies to Information Technology, since according to Uzunay et al. (in Blyth & Sutherland, 2006) it is almost impossible to process something in digital form without leaving a trail behind. Much as in the case of its physical counterpart, every contact made in cyber space or on a digital medium leaves a mark that can be traced back to its unwitting maker.

Traditional forensic sciences such as ballistics, fingerprint analysis, DNA profiling, serology or toxicology came about from previous academic research. Therefore as discussed by Beebe (2009), science precedes these types of forensic science applications. However this researcher argues that the emergence of computer forensics is quite different since it came from what Beebe (2009) calls the practitioners community. These are computer crime investigators and digital forensic tool developers. Digital evidence can be defined as information of value to a criminal case which is stored or transmitted in digital form (Blyth & Sutherland, 2006). Tilstone et al. (2006) state that digital evidence is the term used to describe information of evidential value that is stored or has been transmitted through a digital medium such as a computer. This is commonly referred to as computer forensics. Mukasey et al. (2001) identify some of these mediums which include hard drives, removable data storages like compact discs or pen-drives, memory cards and also handheld devices such as mobile phones and digital cameras.

Uzunay et al. (in Blyth & Sutherland, 2006) start by asserting that today's criminals use Information Technology extensively to facilitate their offences, creating new challenges for law enforcement agencies. Such challenges, Uzunay et al. (in Blyth & Sutherland, 2006) argue, arise when agencies are faced with the task of effectively and securely obtaining and preserving all types of digital evidence that are crucial to an investigation. Beebe (2009) supplies a rather lengthy definition of digital forensics, which holds it to be the use of scientifically derived methods for the preservation, identification, documentation and presentation of digital evidence derived from electronic mediums. According to Beebe (2009) such evidence can be used to facilitate or formulate the reconstruction of criminal activities or help anticipate such events.

Beebe's research (in Peterson & Shenoi, 2009) showed that law enforcement officials perceive digital evidence as being of great value in investigations. Beebe (2009) asserts that today it has become common knowledge that the digital trails or footprints left in a computer's storage device after usage are valuable and probative in a court of law. This means that in the majority of cases such evidence tends to prove the point of the investigator.

Digital evidence is based on the premise that examination of computer storage media may permit recovery of data. This means that the information is not damaged in such a way that it is rendered irretrievable. Tilstone et al. (2006) assert that digital evidence can aid investigation in the same way written or printed documents do. The main difference lies in the successful recovery of the data, which means retrieving it without corrupting or destroying the information. In order to render the data more reliable, Tilstone et al. (2006) state that it is most important to have checks in place to prove that there has been no tampering with the digital record. Furthermore, Tilstone et al. (2006) say that such information recovery has been very successful as court evidence. For example, e-mails and web-page files hold data which can lead to the origin of the digital evidence. Also, deleted data is most often not actually erased; rather, the references to it in the computer's file management system are deleted (Tilstone et al. 2006).

According to Uzunay et al. (in Blyth & Sutherland, 2006) digital data can lead to how an offence was perpetrated, provide investigative leads, disprove or support witness statements and also identify suspects. Vacca (2005) produces a list of where digital evidence finds practical application:

Criminal prosecutors use digital evidence in many types of crimes where incriminating digital documents may be found. Such crimes include homicide, financial fraud, drug trafficking, record keeping of embezzlements and child pornography.

Civil justice can use this evidence in fraud, divorce, discrimination and harassment cases.

Insurance companies might be able to mitigate costs by using digital evidence to uncover possible foul play such as fraud, arson or false compensation cases.

Corporations can employ computer forensic experts to uncover evidence of theft, embezzlement, industrial espionage, misuse of confidential information and also sexual harassment.

Vacca (2005) asserts that computer forensic experts are able to search for critical evidence on digital mediums, sifting through hundreds of thousands of files in seconds. This means that speed is a major strength in digital evidence collection under normal conditions, where no evident damage to the device exists. Mukasey et al. (2001) address the fact that digital evidence is latent, much as in the case of DNA traces or fingerprints. They also note that this evidence can be easily and swiftly transferred from one jurisdictional parameter to another. This near-instant accessibility of evidence is a major advantage in today's international crime investigation, especially in the E.U., where the European Arrest Warrant and the Schengen Information System are implemented. Also, according to Vacca (2005), unlike paper evidence, digital evidence can exist in many forms and formats unbeknown to the average criminal. Thus a criminal might attempt to erase or tamper with certain incriminating data, yet an expert could still find a way to extract and present the data as evidence.

On the other hand, Uzunay et al. (in Blyth & Sutherland, 2006) assert that by definition digital data is abstract, that is, it has no discernible physical components, and thus the nature of such evidence might present some weaknesses. In order to secure admittance as evidence in court it must meet certain required standards. According to Uzunay et al. (in Blyth & Sutherland, 2006) digital evidence presents certain structural problems, which these authors list as follows:

Digital evidence can be easily changed, replaced or erased.

It is extremely easy to copy the same data.

Digital data is fragile in structure and might be damaged or corrupted by environmental factors such as magnetic fields, physical hits, humidity and temperature.

Since digital evidence is potentially so easy to manipulate, it becomes very hard to adequately demonstrate the integrity and reliability of such evidence.

The meaning of digital data may change according to how they are interpreted or coded through encryption. Nowadays malicious computer programs such as viruses, spyware, trojans, worms or data miners can alter the meaning of digital data (Uzunay et al. in Blyth & Sutherland, 2006).

Casey (2004) argues that digital investigators do not currently have a systematic method for stating the certainty they place in the digital evidence they use to reach their conclusions. According to Casey (2004), this might make it more difficult for the courts to reach a verdict. Casey (2004) argues that the lack of formalization of evidence reduces the reliability of such evidence and the strength of investigators' conclusions. Rogers et al. (Crager & Shenoi, 2007) also point out that digital evidence collection lacks standards and that there is a scarcity of certifications for practitioners. Rogers et al. (Crager & Shenoi, 2007) argue that more "systematic educational and research and development initiatives" are needed in order for digital forensics to achieve the scientific and legal status of the other forensic sciences. Zammit (2010) also agrees that there is no single methodology for carrying out a computer evidence enquiry; nonetheless he states that digital forensics is an exact science and that any error may jeopardize the evidential value of data in front of a court. Vacca (2005) also argues that if a computer or its contents which are of evidential value in a criminal case are used, even for a brief amount of time, by anyone other than a trained expert, the usefulness and credibility of the evidence are diminished.

Casey (2004) argues that digital evidence is a very difficult type of evidence to handle. Casey (2004) gives an example comparing extraction of data from a hard drive to DNA analysis, where specific information has to be filtered from a much larger combination of information. This information also has to be presented or translated in a way one can understand. Furthermore, Casey (2004) admits that digital evidence is an abstraction of an actual event or electronic object. Thus one is never able to see the actual event or object but just a representation of it, and Carrier (2003 in Casey 2004) argues that each new layer of abstraction is liable to add errors to the data. Casey (2004) maintains that in reality digital evidence can only be one part of a sound investigation, because this evidence is circumstantial and it thus becomes more difficult to attribute computer usage to one individual. Furthermore, Casey (2004) suggests that if a case is crucially dependent on a single type or source of digital evidence, the strength of the case is undermined. For example, date-time logs on electronic files are not reliable enough as evidence, since it could simply be stated that someone else made use of the PC in question at that time (Casey, 2004).

Casey (2004) also highlights the fact that digital evidence is easily manipulated, either through malicious intent or by accident while the data is being collected for inspection. Casey (2004) notes that such alteration might not even leave obvious signs of disruption. However, Casey (2004) explains and lists some features that mitigate digital evidence's weaknesses:

Digital evidence can be duplicated in its entirety, so that the original is preserved and the resulting copy can be inspected as if it were the original.

If suspicion of tampering arises, there exist specialized tools to detect such action and then compare the evidence with an original copy.

Digital evidence is difficult to destroy electronically. When files are deleted or a computer hard disc is formatted (i.e. completely erased by using software), evidence can still be harvested by an expert.

Even when offenders try to physically destroy digital evidence, copies and related data are very likely to remain on other mediums without the knowledge of the offender (Casey, 2004).
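
The duplicate-and-compare safeguards in the list above are commonly implemented with cryptographic hashes. The following is an added example, not taken from the essay or its sources; the SHA-256 per-block manifest, the 4096-byte block size, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size; chosen here only for the illustration

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def acquire(original, block_size=BLOCK_SIZE):
    """Duplicate the original and record digests taken at acquisition time."""
    copy = bytes(original)  # the working copy the examiner will inspect
    manifest = {
        "block_size": block_size,
        "sha256": sha256(original),  # digest of the whole image
        "blocks": [sha256(original[i:i + block_size])
                   for i in range(0, len(original), block_size)],
    }
    return copy, manifest

def verify(image, manifest):
    """Return (intact, altered_blocks) for an image checked against the manifest."""
    size = manifest["block_size"]
    expected = manifest["blocks"]
    actual = [sha256(image[i:i + size]) for i in range(0, len(image), size)]
    # A block counts as altered if it is missing, extra, or hashes differently.
    altered = [i for i in range(max(len(expected), len(actual)))
               if i >= len(expected) or i >= len(actual)
               or expected[i] != actual[i]]
    intact = sha256(image) == manifest["sha256"] and not altered
    return intact, altered

# Constructed sample data standing in for seized media (4 blocks of 4096 bytes).
ORIGINAL = bytes(range(256)) * 64

def demo():
    copy, manifest = acquire(ORIGINAL)
    tampered = bytearray(copy)
    tampered[9000] ^= 0xFF        # one byte changed inside block 2
    truncated = copy[:10000]      # copy cut short, e.g. during transfer
    return {
        "clean": verify(copy, manifest),
        "tampered": verify(bytes(tampered), manifest),
        "truncated": verify(truncated, manifest),
    }

if __name__ == "__main__":
    for name, (intact, altered) in demo().items():
        print(f"{name:10} intact={intact} altered_blocks={altered}")
```

The per-block digests narrow an alteration down to a region of the image, which the single whole-image digest cannot do.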