Digital trace

1
Digital trace

• Jozef Metenko,
• Martin Metenko,
• Jan Hejda

2
Key words

• Digital trace
• evidence,
• data,
• trace, digital trace,
• types of digital trace,
• parameters of digital traces

3
 Introduction  

• Development of human society
• is significantly characterized by
• the development of new technologies.
• Automated data and information processing
  penetrates into all spheres of social
  life
• An integration of telecommunication and
  information system (ICT1)
• enables the speeding and improves the reliability
  
• of information processing, storage and
  transmission.
• opening a wide spectrum of possibilities in
  positive or negative directions.

4
 Problems  

• non-existence of relevant regulations within
  Criminal Code,
• problems in the use of forensic procedures
• the mentioned non-existence of criminalistic
  methods was connected, in particular, to
  theoretical and practical defect failing to
  elaborate the knowledge of digital trace
  existence.

5
 Problems  

• a notion of digital record
• has been used in English speaking countries,
  digital evidence / digital trace,
• conception of digital trace as an independent
  type of field trace has not been elaborated so
  far.
• Provided we do accept the classification of all
  criminalistic traces into
• material, field and memory ones,
• then in connection to digital traces we may speak
  about a group of field traces along with traces
  related to electric charge or various radiation
  forms.

6
 Problems  

• Besides
• primary content, which is featured via
  peripheries (text, photography, sound, video
  etc.),
• data files often include also so called metadata
  - which define important information about a
  file,
• characterizing it making it individual among
  other objects.
• metadata define e.g. when a picture was shot,
  under which luminous conditions, setting and type
  of digital camera, or even a camera owner is
  known etc.

7
Characteristics of digital trace

• Each technological equipment that gains,
  elaborates, hands over or stores data,
• leaves records from criminalistic trace
  viewpoint these are reflections of its activity.
  
• Such records are from criminalistic viewpoint
  traces.
• These activities and caused changes
• are reflected in material environment,
• having a direction inside technology and
• outside the given technology1 environment.

8
Characteristics of digital trace

• In the sense of communication and information
  crime the problem of equipment dealing with data
  is much wider than a pure PC work.
• Some renowned Slovak or Czech authors make use of
  notion computer crime cyber crime, which is
  applied more intuitively rather than clearly
  defined.
• The notion of computer (cyber) trace arose in the
  same period as the notion cyber crime,
• the notion cyber (crime) is not enough today,
  as other electronic equipments leave traces as
  well. Those traces have the same features,
  general or individual features as computer
  (cyber) trace..

9
Characteristics of digital trace

• Foreign literature offers quite similar
  definitions
• ordinary notion digital evidence in a meaning
  of digital trace (digital evidence)1.
• In English in relation to forensic practice
  evidence takes the priority.
• Word trace that would be related to modern
  technologies does not exist in English
  literature.
• The reason is simple and pragmatic English
  theory and practice are strongly oriented to
  results of criminal procedure, i.e. trace must be
  acceptable by court. Thats why perception and
  use of notions in English make trace and
  evidence1 identical.

10
It was drafted already in 1999 by a (working
group SWGDE) Scientific Working Group on
Digital Evidence.

• Digital trace is any
• information having
• communicative value,
• stored or transmitted in digital shap

11
This definition is open to any digital
technology. It covers a filed of computers,
computer communication as well as a field of
digital transmissions (mobile phones, but for
future also digital TV etc.), video, audio,
digital photos, camera systems (CCTV)data,
electronic security systems data and any other
potential technologies connected to
Hi-tech crime.

• Digital trace is any information having
  communicative value, stored or transmitted in
  digital shap

12
A digital trace as definiton must
be usable for crime control,
criminalistics, general forensic investigation
held by state bodies (civil litigation, trade
laws etc.), the needs of commercial base - needs
of independent internal or external audits etc.

• Digital trace is any information having
  communicative value, stored or transmitted in
  digital shap

13
Other definitions

• In respect to definition of digital traces,
  other processes and entities are defined
• digital traces seizing
• data objects
• physical objects
• digital trace originals
• duplicate of digital trace
• copy of digital trace

14
Digital traces seizing

• is a process,
• which starts in time when information of
  equipment is found out or found as stored in
  order to seize and examine them.
• Seizing must be relevant to the knowledge
  of criminalistics and other sciences
  legal in
  relation to evidence matters in a given legal
  system (state or other legally delimited
  territory).
• Physical and data objects become evidence
  provided they are acceptable by law enforcement
  agencies.

15
Data objects

• are non-material objects or information
• having trustworthy communicative value,
• while being associated with touchable elements of
  material substance as carrier/medium.
• Data object may be of different formats / but
  they can never change the original information.
• Data objects are e.g. represented by databases,
  address lists, files, content of virtual
  memories, digital video or audio records and many
  others.

16
Physical objects

• (touchable, directly registered by human senses)
  are elements more frequently media where data
  objects are stored and via which these are
  transmitted.
• hard discs, various memory media (floppies, CD
  and DVD, memory cards, data tapes etc.) physical
  objects
• particularly info serial numbers, dactyloscopic,
  mechanic or biological traces and others proving
• logical link between a physical equipment (owner,
  user, time) and its user/offender

17
Original of digital trace

• is a physical or data object seized for the need
  of expert or forensic examination.
  Originals are the basic evidence.
• For working purposes, users (offenders) or
  investigators make their duplicates or copies of
  digital traces.
• This process is clear and no information change
  occurs. Only for digital traces in criminalistics
  are duplicated objects identical to original.
• Moreover the process is reversible,
  repeatable with the same results provided basic
  conditions are met.
• gained or made material has the same information
  value as the original and
• is available to users and independent experts
  physical objects

18
Duplicate

• Duplicate is comfortable, secure and
  fully-fledged to work with.
• They are made mostly for the needs of repeated
  examination.
• It is vitally necessary towards independent
  experts in those cases when a physical object
  itself (company PC) cannot be seized for the
  needs of law enforcement agencies due to various
  reasons.
• PC practice makes standard use of disc image
  
• Image is a spitting duplicate of its content,
  like a mirror of the original content stored in
  digital shape.

19
Copy of digital trace

• is an exact reproduction of information from
  original physical object onto others, physically
  independent data medium.
• When making a copy we create data objects with
  the same information but using a physical object,
  which can be of a different type.
• It is not inevitable to reproduce all data
  objects of the original physical object, but just
  some of them. In this respect, not all functional
  and logical links with other data objects have to
  be kept.
• We make copies if the investigation purpose is
  present, e.g. due to size. Copies contain only a
  part of data objects of the original physical
  object. Information value of every copied object
  does not change from its original though.

20
Digital traces and their specific features

• Digital traces,
• have their general and individual typological
  features and characteristics which, from the
  aspect of the
• for law enforcement bodies, have typically
  positive or negative consequences.
• Then we need to bear these
  aspects in mind all the time and
• in all stages of our work with the
  digital traces.

21
Digital traces and their specific features

• Digital traces are formed by human action
• user / offender
• on the application or system software,
  functionality of the digital equipment or
• automatic effect of one device on the other.
• Therefore,
• digital traces reflect the specific high-tech
  features to an unusually high extent and the rich
  colour of the human mind of their users.

22
Digital traces and their specific features

• Substance of digital traces as traces of a field,
• Latent nature of digital traces,
• Tracing digital traces in time,
• High density of content of digital traces,
• Very low life span of digital traces,
• Storage and quality of digital traces is
  influenced by a number of subjective factors,
• Great volume of data in digital traces,
• Data density of digital traces decreases with the
  development of new technologies,

23
Digital traces and their specific features

• Extreme dynamism of the environment of the
  digital traces,
• Heterogeneity and complexity of the environment
  of digital traces,
• Great geographical extent of the environment of
  digital traces,
• High degree of data protection hinders the work
  with digital traces,
• Digital traces are automatically identifiable and
  processable by specialized means,
• High degree of obliteration of digital traces by
  qualified offenders,
• Restorability of obliterated digital traces,
• Genuineness of digital traces,
• Contemporary low degree of judicial acceptation
  of digital traces in legal practice.

24
Digital traces as field traces

• Although data and information are immaterial, on
  material medium,
• with various technological equipment, format,
  data structure, reliability and lifespan etc., is
  needed in order to store them.
• The medium contains digital traces in the form of
  field and it is a physical component of means of
  evidence.

25
Latency of digital traces

• Digital traces are invisible. Latency is
  multiple.
• The records, which are processed or stored to the
  data medium, are invisible to the naked eye (with
  the exception of views of monitor screens, print
  screens, photographs or video recordings of
  screens and printed documents).
• a hidden attribute set, special settings of
  users rights or special application or system
  means.
• deleted recordings, reformatted disks or data
  destroyed or changed by other means. In the same
  way we approach encrypted data,

26
Time traceability of digital traces

• In comparison to other traces in criminalistic or
  forensic practice in some case the digital traces
  can precisely determine time span of activities.
• they significantly document the process of all
  particular activities in time.
• If all versions of working documents are stored,
  internal audit can analyse procedure of document
  processing in similar way.
• This is determined by fact
• digital devices (camcorders, cameras etc.) have
  digital clock, which determines the activities of
  system SW

27
Content of digital traces

• In specific cases digital traces have high
  information value on interests and activities of
  the person,
• they are unique in comparison to other types of
  the traces.
• to study not only particular activities of the
  computer users,
• what information he was interested in,
• what information he acquired, processed, stored
  or handed in to the others.
• Due to these facts it is possible to determine
  some fields of the interest of the perpetrator,
  his motivation and to create psychological
  profile

28
Very low lifespan of digital traces

• From criminalistic or forensic point view of
  digital traces digital records are recorded to
  memory medium.
• They can be intentionally deleted by the user or
• systematically and automatically (without ones
  involvement) rewritten by other records.
• It is possible to restore deleted recordings with
  the help of special SW, but the restoring must be
  done very quickly before the memory medium is
  rewritten by system means.

29
Storing and quality of digital traces is
influenced by subjective factors

• From the point of safety storing and quality of
  digital traces is directly proportional to
  international, national or institutional
  legislation,
• experience of system administration and
• it depends on institutional culture.
• Regular monitoring and audit of key transactions,
  providing storage backup and data archiving from
  important data sources to a special medium and
  their long-term storage, play primary role.

30
Large data capacity of digital traces

• Strong centralization, arising from operational
  and economic reasons, is typical for computer and
  communication means. In our country data capacity
  is around tens TB in middle size companies. Only
  a small part has character of a digital trace.
• Data density of digital traces, among other data
  with development of new technologies, constantly
  decreases
• The digital trace itself is not limited by
  physical capacity. New technologies for data
  comprising are developed. It means that larger
  data capacity is saved to the

31
Extreme dynamics of environment of digital
traces

• This particularity is typical mainly for common
  network environment in big institutions when data
  funds are distributed in real time. Comprehensive
  company applications are strongly centralized and
  dynamic with high requirements for application
  accessibility from the point of fulfilling
  information needs of the institution, economic
  and operational characteristics.
• Applications are included in critical company
  applications. It means that interruption of
  application function only for one minute (mainly
  in industry, transport, telecommunication,
  financial institutions etc.) can have disastrous
  existential consequences.

32
Heterogeneity and complexity of the environment
of digital traces

• Various
• operational systems, databases,
  application software and its versions,
  data interface among applications,
  data formats, transferable proceedings,
  proceedings of operational records, logo
  etc. are commonly and concurrently used in the
  same organizations.

33
Large geographic capacity of environment with
geographic traces and small area

• Computers are connected together around the whole
  world with the help of private computer network
  and the Internet, so distribution of distant data
  and application is possible.
• A highly experienced perpetrator
• the computer network does not recognize
  geographic boundaries,
• the investigation is always (usually) based on
  present laws of the country

34
High level of data protection

• makes the work with the digital traces difficult
  or impossible
• Due to the safety reasons there are a lot of data
  transitions and nodal points, mainly in file
  systems and databases, which are
  cryptographically protected. If we are not
  familiar with the particular algorithm or
  technological means

35
A digital trace is automatically identifiable and
processable by specialized devices

• Since digital traces are generated as a final
  result by a certain technology
• general corporate database of officially
  purchased software products at our disposal and
  the computers are connected to the corporate
  network, it is possible to search/scan the system
  registers of all computers

36
High level of digital traces obliteration by
qualified offenders

• As practice shows, highly competent offenders
  whose professional education is associated with
  the field of information and communication
  technologies cause the largest traces.
• The offenders are extremely familiar with the
  keystone of crucial technologies functioning as
  the ways of the technologies and data protection
  they have to and are able to avoid, are of great
  interest to them.

37
Damaged digital traces restoration

• Under specific conditions, deliberately deleted
  or otherwise damaged digital traces can be
  restored.
• As a rule, this is not true of other
  criminalistics relevant traces. A footprint once
  deleted cannot be restored.
• Digital traces restoration is conditioned by the
  keystone of operation systems

38
Digital traces originality

• During the files and data copying process, no
  data loss or distortion is caused
• digital traces can be easily modified without the
  process of modification leaving any visible
  tracks of its activity behind
• Digital traces may also be easily modified or
  destroyed right in the process of collecting or
  safeguarding it for the purposes of examination
  and investigation.
• Unless the standard procedures of digital traces
  safeguarding

39
Low judicial acceptance of digital traces by
legal practice

• users activities or the activities associated
  with automated processes and programs
• The problematic issue related to digital traces
  is theoretical and in some cases also practical
  possibility of falsification and of challenging
  the legal quality of traces.

40
Low judicial acceptance of digital traces by
legal practice

• However, this possibility occurs within all types
  traces processed in criminalistic and forensic
  way.
• we are exposed to prejudices of individuals made
  on grounds of unfamiliarity with the subject
  matter
• rather that to relevant reference
• equipment is classified and certificated in the
  safety manner. The main problem is the
  identification of the person responsible for a
  particular digital trace

41

• Lt. Extraordinary professor
• Dr. hab. Jozef Metenko, PhD.,
• Head - Chair of criminalistics and forensic
  science,
• Academy of the Police Force, Bratislava,
  Slovakia.
• metenko_at_minv.sk jmetenko_at_pobox.sk
• Mag. Metenko Martin
• Dell Computers Slovak republic
• 00421 907 474 981 (Handy), Slovakia
• martin_metenko_at_dell.com
• Ass. prof. Jan Hejda, PhD.,
• Head - Chair of law and social science,
• faculty of management,
• VŠE Praha Czech republic,
• hejda_at_fm.vse.cz