Digital trace - PowerPoint PPT Presentation

About This Presentation

Title:

Digital trace

Description:

Key words Digital trace evidence, data, trace, digital trace, ... Only a small part has character of a digital trace. Data density of digital traces, ... – PowerPoint PPT presentation

Number of Views:127

Avg rating:3.0/5.0

Slides: 42

Provided by: Uhr4

Category:

more less

Transcript and Presenter's Notes

Title: Digital trace

1
Digital trace

Jozef Metenko,
Martin Metenko,
Jan Hejda

2
Key words

Digital trace
evidence,
data,
trace, digital trace,
types of digital trace,
parameters of digital traces

3
Introduction

Development of human society
is significantly characterized by
the development of new technologies.
Automated data and information processing
penetrates into all spheres of social
life
An integration of telecommunication and
information system (ICT1)
enables the speeding and improves the reliability
of information processing, storage and
transmission.
opening a wide spectrum of possibilities in
positive or negative directions.

4
Problems

non-existence of relevant regulations within
Criminal Code,
problems in the use of forensic procedures
the mentioned non-existence of criminalistic
methods was connected, in particular, to
theoretical and practical defect failing to
elaborate the knowledge of digital trace
existence.

5
Problems

a notion of digital record
has been used in English speaking countries,
digital evidence / digital trace,
conception of digital trace as an independent
type of field trace has not been elaborated so
far.
Provided we do accept the classification of all
criminalistic traces into
material, field and memory ones,
then in connection to digital traces we may speak
about a group of field traces along with traces
related to electric charge or various radiation
forms.

6
Problems

Besides
primary content, which is featured via
peripheries (text, photography, sound, video
etc.),
data files often include also so called metadata
- which define important information about a
file,
characterizing it making it individual among
other objects.
metadata define e.g. when a picture was shot,
under which luminous conditions, setting and type
of digital camera, or even a camera owner is
known etc.

7
Characteristics of digital trace

Each technological equipment that gains,
elaborates, hands over or stores data,
leaves records from criminalistic trace
viewpoint these are reflections of its activity.
Such records are from criminalistic viewpoint
traces.
These activities and caused changes
are reflected in material environment,
having a direction inside technology and
outside the given technology1 environment.

8
Characteristics of digital trace

In the sense of communication and information
crime the problem of equipment dealing with data
is much wider than a pure PC work.
Some renowned Slovak or Czech authors make use of
notion computer crime cyber crime, which is
applied more intuitively rather than clearly
defined.
The notion of computer (cyber) trace arose in the
same period as the notion cyber crime,
the notion cyber (crime) is not enough today,
as other electronic equipments leave traces as
well. Those traces have the same features,
general or individual features as computer
(cyber) trace..

9
Characteristics of digital trace

Foreign literature offers quite similar
definitions
ordinary notion digital evidence in a meaning
of digital trace (digital evidence)1.
In English in relation to forensic practice
evidence takes the priority.
Word trace that would be related to modern
technologies does not exist in English
literature.
The reason is simple and pragmatic English
theory and practice are strongly oriented to
results of criminal procedure, i.e. trace must be
acceptable by court. Thats why perception and
use of notions in English make trace and
evidence1 identical.

10
It was drafted already in 1999 by a (working
group SWGDE) Scientific Working Group on
Digital Evidence.

Digital trace is any
information having
communicative value,
stored or transmitted in digital shap

11
This definition is open to any digital
technology. It covers a filed of computers,
computer communication as well as a field of
digital transmissions (mobile phones, but for
future also digital TV etc.), video, audio,
digital photos, camera systems (CCTV)data,
electronic security systems data and any other
potential technologies connected to
Hi-tech crime.

Digital trace is any information having
communicative value, stored or transmitted in
digital shap

12
A digital trace as definiton must
be usable for crime control,
criminalistics, general forensic investigation
held by state bodies (civil litigation, trade
laws etc.), the needs of commercial base - needs
of independent internal or external audits etc.

Digital trace is any information having
communicative value, stored or transmitted in
digital shap

13
Other definitions

In respect to definition of digital traces,
other processes and entities are defined
digital traces seizing
data objects
physical objects
digital trace originals
duplicate of digital trace
copy of digital trace

14
Digital traces seizing

is a process,
which starts in time when information of
equipment is found out or found as stored in
order to seize and examine them.
Seizing must be relevant to the knowledge
of criminalistics and other sciences
legal in
relation to evidence matters in a given legal
system (state or other legally delimited
territory).
Physical and data objects become evidence
provided they are acceptable by law enforcement
agencies.

15
Data objects

are non-material objects or information
having trustworthy communicative value,
while being associated with touchable elements of
material substance as carrier/medium.
Data object may be of different formats / but
they can never change the original information.
Data objects are e.g. represented by databases,
address lists, files, content of virtual
memories, digital video or audio records and many
others.

16
Physical objects

(touchable, directly registered by human senses)
are elements more frequently media where data
objects are stored and via which these are
transmitted.
hard discs, various memory media (floppies, CD
and DVD, memory cards, data tapes etc.) physical
objects
particularly info serial numbers, dactyloscopic,
mechanic or biological traces and others proving
logical link between a physical equipment (owner,
user, time) and its user/offender

17
Original of digital trace

is a physical or data object seized for the need
of expert or forensic examination.
Originals are the basic evidence.
For working purposes, users (offenders) or
investigators make their duplicates or copies of
digital traces.
This process is clear and no information change
occurs. Only for digital traces in criminalistics
are duplicated objects identical to original.
Moreover the process is reversible,
repeatable with the same results provided basic
conditions are met.
gained or made material has the same information
value as the original and
is available to users and independent experts
physical objects

18
Duplicate

Duplicate is comfortable, secure and
fully-fledged to work with.
They are made mostly for the needs of repeated
examination.
It is vitally necessary towards independent
experts in those cases when a physical object
itself (company PC) cannot be seized for the
needs of law enforcement agencies due to various
reasons.
PC practice makes standard use of disc image
Image is a spitting duplicate of its content,
like a mirror of the original content stored in
digital shape.

19
Copy of digital trace

is an exact reproduction of information from
original physical object onto others, physically
independent data medium.
When making a copy we create data objects with
the same information but using a physical object,
which can be of a different type.
It is not inevitable to reproduce all data
objects of the original physical object, but just
some of them. In this respect, not all functional
and logical links with other data objects have to
be kept.
We make copies if the investigation purpose is
present, e.g. due to size. Copies contain only a
part of data objects of the original physical
object. Information value of every copied object
does not change from its original though.

20
Digital traces and their specific features

Digital traces,
have their general and individual typological
features and characteristics which, from the
aspect of the
for law enforcement bodies, have typically
positive or negative consequences.
Then we need to bear these
aspects in mind all the time and
in all stages of our work with the
digital traces.

21
Digital traces and their specific features

Digital traces are formed by human action
user / offender
on the application or system software,
functionality of the digital equipment or
automatic effect of one device on the other.
Therefore,
digital traces reflect the specific high-tech
features to an unusually high extent and the rich
colour of the human mind of their users.

22
Digital traces and their specific features

Substance of digital traces as traces of a field,
Latent nature of digital traces,
Tracing digital traces in time,
High density of content of digital traces,
Very low life span of digital traces,
Storage and quality of digital traces is
influenced by a number of subjective factors,
Great volume of data in digital traces,
Data density of digital traces decreases with the
development of new technologies,

23
Digital traces and their specific features

Extreme dynamism of the environment of the
digital traces,
Heterogeneity and complexity of the environment
of digital traces,
Great geographical extent of the environment of
digital traces,
High degree of data protection hinders the work
with digital traces,
Digital traces are automatically identifiable and
processable by specialized means,
High degree of obliteration of digital traces by
qualified offenders,
Restorability of obliterated digital traces,
Genuineness of digital traces,
Contemporary low degree of judicial acceptation
of digital traces in legal practice.

24
Digital traces as field traces

Although data and information are immaterial, on
material medium,
with various technological equipment, format,
data structure, reliability and lifespan etc., is
needed in order to store them.
The medium contains digital traces in the form of
field and it is a physical component of means of
evidence.

25
Latency of digital traces

Digital traces are invisible. Latency is
multiple.
The records, which are processed or stored to the
data medium, are invisible to the naked eye (with
the exception of views of monitor screens, print
screens, photographs or video recordings of
screens and printed documents).
a hidden attribute set, special settings of
users rights or special application or system
means.
deleted recordings, reformatted disks or data
destroyed or changed by other means. In the same
way we approach encrypted data,

26
Time traceability of digital traces

In comparison to other traces in criminalistic or
forensic practice in some case the digital traces
can precisely determine time span of activities.
they significantly document the process of all
particular activities in time.
If all versions of working documents are stored,
internal audit can analyse procedure of document
processing in similar way.
This is determined by fact
digital devices (camcorders, cameras etc.) have
digital clock, which determines the activities of
system SW

27
Content of digital traces

In specific cases digital traces have high
information value on interests and activities of
the person,
they are unique in comparison to other types of
the traces.
to study not only particular activities of the
computer users,
what information he was interested in,
what information he acquired, processed, stored
or handed in to the others.
Due to these facts it is possible to determine
some fields of the interest of the perpetrator,
his motivation and to create psychological
profile

28
Very low lifespan of digital traces

From criminalistic or forensic point view of
digital traces digital records are recorded to
memory medium.
They can be intentionally deleted by the user or
systematically and automatically (without ones
involvement) rewritten by other records.
It is possible to restore deleted recordings with
the help of special SW, but the restoring must be
done very quickly before the memory medium is
rewritten by system means.

29
Storing and quality of digital traces is
influenced by subjective factors

From the point of safety storing and quality of
digital traces is directly proportional to
international, national or institutional
legislation,
experience of system administration and
it depends on institutional culture.
Regular monitoring and audit of key transactions,
providing storage backup and data archiving from
important data sources to a special medium and
their long-term storage, play primary role.

30
Large data capacity of digital traces

Strong centralization, arising from operational
and economic reasons, is typical for computer and
communication means. In our country data capacity
is around tens TB in middle size companies. Only
a small part has character of a digital trace.
Data density of digital traces, among other data
with development of new technologies, constantly
decreases
The digital trace itself is not limited by
physical capacity. New technologies for data
comprising are developed. It means that larger
data capacity is saved to the

31
Extreme dynamics of environment of digital
traces

This particularity is typical mainly for common
network environment in big institutions when data
funds are distributed in real time. Comprehensive
company applications are strongly centralized and
dynamic with high requirements for application
accessibility from the point of fulfilling
information needs of the institution, economic
and operational characteristics.
Applications are included in critical company
applications. It means that interruption of
application function only for one minute (mainly
in industry, transport, telecommunication,
financial institutions etc.) can have disastrous
existential consequences.

32
Heterogeneity and complexity of the environment
of digital traces

Various
operational systems, databases,
application software and its versions,
data interface among applications,
data formats, transferable proceedings,
proceedings of operational records, logo
etc. are commonly and concurrently used in the
same organizations.

33
Large geographic capacity of environment with
geographic traces and small area

Computers are connected together around the whole
world with the help of private computer network
and the Internet, so distribution of distant data
and application is possible.
A highly experienced perpetrator
the computer network does not recognize
geographic boundaries,
the investigation is always (usually) based on
present laws of the country

34
High level of data protection

makes the work with the digital traces difficult
or impossible
Due to the safety reasons there are a lot of data
transitions and nodal points, mainly in file
systems and databases, which are
cryptographically protected. If we are not
familiar with the particular algorithm or
technological means

35
A digital trace is automatically identifiable and
processable by specialized devices

Since digital traces are generated as a final
result by a certain technology
general corporate database of officially
purchased software products at our disposal and
the computers are connected to the corporate
network, it is possible to search/scan the system
registers of all computers

36
High level of digital traces obliteration by
qualified offenders

As practice shows, highly competent offenders
whose professional education is associated with
the field of information and communication
technologies cause the largest traces.
The offenders are extremely familiar with the
keystone of crucial technologies functioning as
the ways of the technologies and data protection
they have to and are able to avoid, are of great
interest to them.

37
Damaged digital traces restoration

Under specific conditions, deliberately deleted
or otherwise damaged digital traces can be
restored.
As a rule, this is not true of other
criminalistics relevant traces. A footprint once
deleted cannot be restored.
Digital traces restoration is conditioned by the
keystone of operation systems

38
Digital traces originality

During the files and data copying process, no
data loss or distortion is caused
digital traces can be easily modified without the
process of modification leaving any visible
tracks of its activity behind
Digital traces may also be easily modified or
destroyed right in the process of collecting or
safeguarding it for the purposes of examination
and investigation.
Unless the standard procedures of digital traces
safeguarding

39
Low judicial acceptance of digital traces by
legal practice

users activities or the activities associated
with automated processes and programs
The problematic issue related to digital traces
is theoretical and in some cases also practical
possibility of falsification and of challenging
the legal quality of traces.

40
Low judicial acceptance of digital traces by
legal practice

However, this possibility occurs within all types
traces processed in criminalistic and forensic
way.
we are exposed to prejudices of individuals made
on grounds of unfamiliarity with the subject
matter
rather that to relevant reference
equipment is classified and certificated in the
safety manner. The main problem is the
identification of the person responsible for a
particular digital trace