Title: Digital trace
1 Digital trace
- Jozef Metenko,
- Martin Metenko,
- Jan Hejda
2 Key words
- Digital trace
- evidence,
- data,
- trace, digital trace,
- types of digital trace,
- parameters of digital traces
3 Introduction
- The development of human society is significantly characterized by the development of new technologies.
- Automated data and information processing penetrates all spheres of social life.
- The integration of telecommunication and information systems (ICT) speeds up information processing, storage and transmission and improves their reliability, opening a wide spectrum of possibilities in positive or negative directions.
4 Problems
- Non-existence of relevant regulations within the Criminal Code.
- Problems in the use of forensic procedures.
- The mentioned non-existence of criminalistic methods was connected, in particular, to a theoretical and practical shortcoming: the failure to elaborate the knowledge of digital trace existence.
5 Problems
- The notion of a digital record has been used in English-speaking countries (digital evidence / digital trace).
- The conception of the digital trace as an independent type of field trace has not been elaborated so far.
- Provided we accept the classification of all criminalistic traces into material, field and memory ones, then in connection with digital traces we may speak about a group of field traces, along with traces related to electric charge or various forms of radiation.
6 Problems
- Besides the primary content, which is presented via peripherals (text, photography, sound, video etc.), data files often also include so-called metadata.
- Metadata define important information about a file, characterizing it and making it individual among other objects.
- Metadata define e.g. when a picture was shot, under which lighting conditions, the settings and type of the digital camera, or even who the camera owner is.
7 Characteristics of digital trace
- Each piece of technological equipment that acquires, processes, hands over or stores data leaves records; from the criminalistic trace viewpoint these are reflections of its activity.
- From the criminalistic viewpoint, such records are traces.
- These activities and the changes they cause are reflected in the material environment, directed both inside the technology and outside the given technology's environment.
8 Characteristics of digital trace
- In the sense of communication and information crime, the problem of equipment dealing with data is much wider than pure PC work.
- Some renowned Slovak or Czech authors make use of the notions computer crime and cyber crime, which are applied intuitively rather than clearly defined.
- The notion of computer (cyber) trace arose in the same period as the notion of cyber crime.
- The notion cyber (crime) is not enough today, as other electronic equipment leaves traces as well. Those traces have the same general or individual features as a computer (cyber) trace.
9 Characteristics of digital trace
- Foreign literature offers quite similar definitions.
- The ordinary notion is digital evidence, in the meaning of digital trace (digital evidence).
- In English, in relation to forensic practice, evidence takes priority.
- A word "trace" that would be related to modern technologies does not exist in English literature.
- The reason is simple and pragmatic: English theory and practice are strongly oriented to the results of criminal procedure, i.e. a trace must be acceptable to the court. That is why the perception and use of these notions in English make trace and evidence identical.
10 It was drafted already in 1999 by a working group, the Scientific Working Group on Digital Evidence (SWGDE).
- Digital trace is any information having communicative value, stored or transmitted in digital shape.
11 This definition is open to any digital technology. It covers the field of computers and computer communication as well as the field of digital transmissions (mobile phones, but in future also digital TV etc.), video, audio, digital photos, camera system (CCTV) data, electronic security system data and any other potential technologies connected to hi-tech crime.
- Digital trace is any information having communicative value, stored or transmitted in digital shape.
12 As a definition, a digital trace must be usable for crime control, criminalistics, general forensic investigation held by state bodies (civil litigation, trade laws etc.), and the needs of the commercial sphere, such as independent internal or external audits etc.
- Digital trace is any information having communicative value, stored or transmitted in digital shape.
13 Other definitions
- In respect to the definition of digital traces, other processes and entities are defined:
- digital traces seizing
- data objects
- physical objects
- digital trace originals
- duplicate of digital trace
- copy of digital trace
14 Digital traces seizing
- is a process which starts at the time when information of equipment is found out or found as stored, in order to seize and examine them.
- Seizing must be relevant to the knowledge of criminalistics and other sciences, and legal in relation to evidence matters in a given legal system (state or other legally delimited territory).
- Physical and data objects become evidence provided they are acceptable by law enforcement agencies.
15 Data objects
- are non-material objects or information having trustworthy communicative value, while being associated with touchable elements of material substance as carrier/medium.
- Data objects may be of different formats, but they can never change the original information.
- Data objects are represented e.g. by databases, address lists, files, content of virtual memories, digital video or audio records and many others.
16 Physical objects
- (touchable, directly registered by human senses) are elements, more frequently media, where data objects are stored and via which these are transmitted.
- Hard discs and various memory media (floppies, CDs and DVDs, memory cards, data tapes etc.) are physical objects.
- In particular, information such as serial numbers, dactyloscopic, mechanical or biological traces and others proves the logical link between a physical piece of equipment (owner, user, time) and its user/offender.
17 Original of digital trace
- is a physical or data object seized for the needs of expert or forensic examination. Originals are the basic evidence.
- For working purposes, users (offenders) or investigators make their duplicates or copies of digital traces.
- This process is clear and no information change occurs. Only for digital traces in criminalistics are duplicated objects identical to the original.
- Moreover, the process is reversible and repeatable with the same results, provided basic conditions are met.
- The gained or made material has the same information value as the original and is available to users and independent experts physical objects
18 Duplicate
- A duplicate is comfortable, secure and fully-fledged to work with.
- Duplicates are made mostly for the needs of repeated examination.
- A duplicate is vitally necessary for independent experts in those cases when the physical object itself (a company PC) cannot be seized for the needs of law enforcement agencies for various reasons.
- PC practice makes standard use of a disc image.
- An image is an exact duplicate of the disc's content, like a mirror of the original content stored in digital shape.
19 Copy of digital trace
- is an exact reproduction of information from the original physical object onto another, physically independent data medium.
- When making a copy we create data objects with the same information, but using a physical object which can be of a different type.
- It is not necessary to reproduce all data objects of the original physical object, but just some of them. In this respect, not all functional and logical links with other data objects have to be kept.
- We make copies if the purpose of the investigation calls for it, e.g. due to size. Copies contain only a part of the data objects of the original physical object. The information value of every copied object does not change from its original, though.
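The difference between a duplicate (identical to the original as a whole) and a copy (only some data objects, each unchanged) can be checked mechanically. The following is an added example, not part of the original slides; it assumes SHA-256 digests as the comparison method, which the slides do not name, and all file names and contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def manifest(root):
    """Map every data object (file) under root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_duplicate(original_image, duplicate_image):
    """A duplicate is valid only if it is bit-identical to the original."""
    return sha256_file(original_image) == sha256_file(duplicate_image)

def verify_copy(original_root, copy_root):
    """Return copied objects that are altered or absent from the original."""
    orig = manifest(original_root)
    return [n for n, d in manifest(copy_root).items() if orig.get(n) != d]

def demo():
    """Run both checks on constructed sample data; returns the four results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed "original medium" holding two data objects.
        orig = tmp / "original"
        orig.mkdir()
        (orig / "inbox.mbox").write_bytes(b"From: a@example.org\n\nhello\n")
        (orig / "report.doc").write_bytes(b"quarterly figures")
        # Constructed raw image and its byte-for-byte duplicate.
        image = tmp / "original.img"
        image.write_bytes(bytes(range(256)) * 64)
        dup = tmp / "duplicate.img"
        shutil.copyfile(image, dup)
        dup_ok = verify_duplicate(image, dup)
        # Partial copy: only one data object goes onto the other medium.
        copy = tmp / "copy"
        copy.mkdir()
        shutil.copyfile(orig / "report.doc", copy / "report.doc")
        copy_problems = verify_copy(orig, copy)
        # One flipped bit or one changed character is invisible, yet detected.
        data = bytearray(dup.read_bytes())
        data[100] ^= 0x01
        dup.write_bytes(data)
        (copy / "report.doc").write_bytes(b"quarterly figurez")
        return dup_ok, copy_problems, verify_duplicate(image, dup), verify_copy(orig, copy)
```

Calling `demo()` returns `(True, [], False, ['report.doc'])`: the untouched duplicate and partial copy pass, and both modified versions are flagged.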
20 Digital traces and their specific features
- Digital traces have their general and individual typological features and characteristics which, from the aspect of the
- for law enforcement bodies, have typically positive or negative consequences.
- Then we need to bear these aspects in mind all the time and in all stages of our work with the digital traces.
21 Digital traces and their specific features
- Digital traces are formed by human action (user / offender) on the application or system software, by the functionality of the digital equipment, or by the automatic effect of one device on another.
- Therefore, digital traces reflect, to an unusually high extent, the specific high-tech features and the rich colour of the human mind of their users.
22 Digital traces and their specific features
- Substance of digital traces as traces of a field,
- Latent nature of digital traces,
- Tracing digital traces in time,
- High density of content of digital traces,
- Very low life span of digital traces,
- Storage and quality of digital traces is influenced by a number of subjective factors,
- Great volume of data in digital traces,
- Data density of digital traces decreases with the development of new technologies,
23 Digital traces and their specific features
- Extreme dynamism of the environment of the digital traces,
- Heterogeneity and complexity of the environment of digital traces,
- Great geographical extent of the environment of digital traces,
- High degree of data protection hinders the work with digital traces,
- Digital traces are automatically identifiable and processable by specialized means,
- High degree of obliteration of digital traces by qualified offenders,
- Restorability of obliterated digital traces,
- Genuineness of digital traces,
- Contemporary low degree of judicial acceptance of digital traces in legal practice.
24 Digital traces as field traces
- Although data and information are immaterial, a material medium, with various technological equipment, format, data structure, reliability, lifespan etc., is needed in order to store them.
- The medium contains digital traces in the form of a field, and it is a physical component of the means of evidence.
25 Latency of digital traces
- Digital traces are invisible. Latency is multiple.
- The records which are processed or stored on the data medium are invisible to the naked eye (with the exception of views of monitor screens, print screens, photographs or video recordings of screens and printed documents).
- a hidden attribute set, special settings of user rights or special application or system means.
- deleted recordings, reformatted disks or data destroyed or changed by other means. In the same way we approach encrypted data,
26 Time traceability of digital traces
- In comparison to other traces in criminalistic or forensic practice, in some cases digital traces can precisely determine the time span of activities.
- They significantly document the course of all particular activities in time.
- If all versions of working documents are stored, an internal audit can analyse the procedure of document processing in a similar way.
- This is determined by the fact that digital devices (camcorders, cameras etc.) have a digital clock, which determines the activities of system SW
27 Content of digital traces
- In specific cases digital traces have high information value on the interests and activities of the person; they are unique in comparison to other types of traces.
- They allow us to study not only particular activities of the computer user, but also what information he was interested in and what information he acquired, processed, stored or handed over to others.
- Due to these facts it is possible to determine some fields of interest of the perpetrator and his motivation, and to create a psychological profile
28 Very low lifespan of digital traces
- From the criminalistic or forensic point of view of digital traces, digital records are recorded to a memory medium.
- They can be intentionally deleted by the user, or systematically and automatically (without one's involvement) rewritten by other records.
- It is possible to restore deleted recordings with the help of special SW, but the restoring must be done very quickly, before the memory medium is rewritten by system means.
29 Storing and quality of digital traces is influenced by subjective factors
- From the point of view of safety, the storing and quality of digital traces is directly proportional to international, national or institutional legislation and to the experience of system administration, and it depends on institutional culture.
- Regular monitoring and audit of key transactions, and providing storage backup and data archiving from important data sources to a special medium together with their long-term storage, play the primary role.
30 Large data capacity of digital traces
- Strong centralization, arising from operational and economic reasons, is typical for computer and communication means. In our country data capacity is around tens of TB in middle-sized companies. Only a small part has the character of a digital trace.
- The data density of digital traces among other data constantly decreases with the development of new technologies.
- The digital trace itself is not limited by physical capacity. New technologies for data compression are developed. It means that larger data capacity is saved to the
31 Extreme dynamics of environment of digital traces
- This particularity is typical mainly for the common network environment in big institutions, where data funds are distributed in real time. Comprehensive company applications are strongly centralized and dynamic, with high requirements for application accessibility from the point of view of fulfilling the information needs of the institution and its economic and operational characteristics.
- These applications are among the critical company applications. It means that an interruption of application function for only one minute (mainly in industry, transport, telecommunication, financial institutions etc.) can have disastrous existential consequences.
32 Heterogeneity and complexity of the environment of digital traces
- Various operating systems, databases, application software and its versions, data interfaces among applications, data formats, transferable proceedings, proceedings of operational records, logo etc. are commonly and concurrently used in the same organizations.
33 Large geographic capacity of environment with geographic traces and small area
- Computers are connected together around the whole world with the help of private computer networks and the Internet, so distribution of distant data and applications is possible.
- A highly experienced perpetrator
- the computer network does not recognize geographic boundaries,
- the investigation is always (usually) based on present laws of the country
34 High level of data protection
- makes the work with the digital traces difficult or impossible
- For safety reasons there are a lot of data transitions and nodal points, mainly in file systems and databases, which are cryptographically protected. If we are not familiar with the particular algorithm or technological means
35 A digital trace is automatically identifiable and processable by specialized devices
- Since digital traces are generated as a final result by a certain technology
- general corporate database of officially purchased software products at our disposal and the computers are connected to the corporate network, it is possible to search/scan the system registers of all computers
36 High level of digital traces obliteration by qualified offenders
- As practice shows, highly competent offenders whose professional education is associated with the field of information and communication technologies cause the largest traces.
- The offenders are extremely familiar with the fundamentals of how crucial technologies function, as the ways of protecting technologies and data, which they have to and are able to avoid, are of great interest to them.
37 Damaged digital traces restoration
- Under specific conditions, deliberately deleted or otherwise damaged digital traces can be restored.
- As a rule, this is not true of other criminalistically relevant traces. A footprint once deleted cannot be restored.
- Restoration of digital traces is conditioned by the fundamentals of operating systems
38 Digital traces originality
- During the file and data copying process, no data loss or distortion is caused
- Digital traces can be easily modified without the process of modification leaving any visible tracks of its activity behind
- Digital traces may also be easily modified or destroyed right in the process of collecting or safeguarding them for the purposes of examination and investigation.
- Unless the standard procedures of digital traces safeguarding
39 Low judicial acceptance of digital traces by legal practice
- users' activities or the activities associated with automated processes and programs
- The problematic issue related to digital traces is the theoretical, and in some cases also practical, possibility of falsification and of challenging the legal quality of traces.
40 Low judicial acceptance of digital traces by legal practice
- However, this possibility occurs within all types of traces processed in a criminalistic and forensic way.
- we are exposed to prejudices of individuals made on grounds of unfamiliarity with the subject matter
- rather than to relevant reference
- equipment is classified and certificated in the safety manner. The main problem is the identification of the person responsible for a particular digital trace
41
- Lt. Extraordinary professor
- Dr. hab. Jozef Metenko, PhD.,
- Head - Chair of criminalistics and forensic science,
- Academy of the Police Force, Bratislava, Slovakia.
- metenko_at_minv.sk jmetenko_at_pobox.sk
- Mag. Metenko Martin
- Dell Computers Slovak republic
- 00421 907 474 981 (Handy), Slovakia
- martin_metenko_at_dell.com
- Ass. prof. Jan Hejda, PhD.,
- Head - Chair of law and social science,
- faculty of management,
- VŠE Praha Czech republic,
- hejda_at_fm.vse.cz