Monthly Archives: January 2011

Let’s talk evidence

Transfer of Evidence or a DNA of an Event

In this page, we’ll be focusing on evidence or data location as a process based discovery where we have to triage the event in question. In any digital system, humans interact with an operating system by using applications in turn the operating system interacts with the hardware. Thus, relevant evidence transfer must take place at each of these interaction points. Let’s start with a reference to this theory that has been used in forensic science, Locard’s exchange principle. Edmond Locard (1877-1966) was the founder and director of the Institute of criminalistics at the University of Lyons in France. Locard believed that whenever a criminal came into contact with his environment, a cross-transference of evidence occurred. He believed that “every criminal can be connected to a crime by dust particles carried from the scene.” (Saferstein, Richard, Criminalistics, Seventh Ed., 2001)

Therefore, relevant evidence can connect a person to a crime scene by blood, semen, saliva, and hair, to paint, explosive, drugs, impressions, and chemicals. In digital device interaction or even network communication, the basic premise is that where ever we go ( browse or launch an application ), we will carry some evidence with us and leave some behind. We cannot interact with digital devices without a transfer of evidence occurring.
In most cases, the main transfer points in local systems are:

– UA – User to Application ( i.e user starts IE browser )
– AOS – Application to Operating System ( i.e. IE browser stores recently typed URLs in the registry )
– UOS – User to Operating System ( i.e. user interrupts the boot process to load kernel drivers for a SCSI drive )
– OSH – Operating System to Hardware ( i.e. OS saves a file to the physical drive or temporarily stores data in physical memory )
– UH – User to Hardware ( user changes the hard drive jumper or sets the thumb drive switch to read only )

Note: In a network environment, the data path crosses network devices where transfer takes place as well.

To demonstrate this visually, I have designed a triple helix structure of the interaction between user, application, and OS. The most challenging evidence to validate and present as an admissible evidence is UA, UOS, UH, AOS, OSH, and network device artifacts are easier to classify as admissible evidence since they are not hearsay, but business records.