Let’s talk evidence

Transfer of Evidence, or the DNA of an Event

This page looks at locating evidence (data) as a process-based discovery: we triage the event in question by following how it moved through the system. In any digital system, humans interact with an operating system through applications, and the operating system in turn interacts with the hardware. Relevant evidence must therefore be transferred at each of these interaction points. Let's start with a theory that forensic science has relied on for a century, Locard's exchange principle. Edmond Locard (1877-1966) was the founder and director of the Institute of Criminalistics at the University of Lyon in France. Locard held that whenever a criminal comes into contact with his environment, a cross-transference of evidence occurs: "every criminal can be connected to a crime by dust particles carried from the scene." (Saferstein, Richard, Criminalistics, Seventh Ed., 2001)

Physical evidence can therefore connect a person to a crime scene: blood, semen, saliva and hair, but also paint, explosives, drugs, impressions and chemicals. The same premise holds for interaction with digital devices and for network communication: wherever we go (browse a site, launch an application), we carry some evidence with us and leave some behind. We cannot interact with a digital device without a transfer of evidence occurring.
In most cases, the main transfer points in local systems are:

– UA – User to Application (e.g. the user starts the IE browser)
– AOS – Application to Operating System (e.g. the IE browser stores recently typed URLs in the registry, under HKCU\Software\Microsoft\Internet Explorer\TypedURLs)
– UOS – User to Operating System (e.g. the user interrupts the boot process to load a kernel driver for a SCSI drive)
– OSH – Operating System to Hardware (e.g. the OS saves a file to the physical drive or temporarily stores data in physical memory)
– UH – User to Hardware (e.g. the user changes a hard drive jumper or flips a thumb drive's write-protect switch to read-only)

Note: in a networked environment, the data path also crosses network devices (switches, routers, firewalls, proxies), and a transfer takes place at each of them as well.
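To make the AOS transfer point concrete, here is an added example (my addition, not code from the original post) that triages one such artifact offline: it parses a regedit .reg export of IE's TypedURLs key and its companion TypedURLsTime key (present in newer IE versions), decodes each 8-byte FILETIME, and pairs it with the typed URL. The two key paths are real; the sample export, its URLs and its timestamps are constructed for the demonstration, and the ordering assumes the key's MRU convention in which url1 is the most recently typed entry.

```python
"""Added example: triage the AOS artifact from the post (IE writing typed URLs to
the registry) from a regedit text export, without touching a live hive.

TypedURLs holds "urlN"="..." (REG_SZ); TypedURLsTime holds "urlN"=hex:... (REG_BINARY,
an 8-byte little-endian FILETIME). The sample export below is constructed, not captured.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

TYPED_URLS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
TYPED_URLS_TIME = TYPED_URLS + "Time"

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_reg_export(text: str) -> dict:
    """Parse the subset of the REGEDIT 5.00 text format these keys use: [key] headers,
    "name"="string" values and "name"=hex:aa,bb,... values. regedit wraps long hex
    values with a trailing backslash; those continuation lines are re-joined first."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):  # continuation line
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    keys, current = {}, None
    for line in logical:
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            name = re.sub(r"\\(.)", r"\1", m.group(1))  # undo regedit's \" and \\ escapes
            data = m.group(2)
            if data.startswith("hex:"):
                keys[current][name] = bytes(int(b, 16) for b in data[4:].split(",") if b.strip())
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
            else:
                keys[current][name] = data  # dword: etc. are kept as text
    return keys


def _url_index(name: str) -> int:
    m = re.fullmatch(r"url(\d+)", name)
    return int(m.group(1)) if m else 10**9  # unexpected names sort last


def typed_url_timeline(reg_text: str) -> list:
    """Return [(value name, url, datetime or None)] in MRU order (url1 = most recent).
    A URL with no TypedURLsTime entry (older IE, or a partial export) gets None rather
    than a guessed time."""
    keys = parse_reg_export(reg_text)
    urls = keys.get(TYPED_URLS, {})
    times = keys.get(TYPED_URLS_TIME, {})
    rows = []
    for name in sorted(urls, key=_url_index):
        raw = times.get(name)
        when = None
        if isinstance(raw, bytes) and len(raw) == 8:
            when = filetime_to_datetime(struct.unpack("<Q", raw)[0])
        rows.append((name, urls[name], when))
    return rows


def _reg_hex(dt: datetime, wrap: int = 0) -> str:
    """Render a FILETIME the way regedit exports REG_BINARY, optionally line-wrapped."""
    parts = [f"{b:02x}" for b in struct.pack("<Q", datetime_to_filetime(dt))]
    if wrap:
        return ",".join(parts[:wrap]) + ",\\\n  " + ",".join(parts[wrap:])
    return ",".join(parts)


# Constructed sample export (hypothetical hosts and times); url3 deliberately lacks a timestamp.
SAMPLE_TIMES = [
    datetime(2020, 1, 15, 12, 3, 30, tzinfo=timezone.utc),
    datetime(2020, 1, 15, 12, 0, 0, tzinfo=timezone.utc),
]
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{TYPED_URLS}]
"url1"="http://pastebin.example.test/raw/abc"
"url2"="http://intranet.example.test/"
"url3"="file:///C:/Users/Public/notes.txt"

[{TYPED_URLS_TIME}]
"url1"=hex:{_reg_hex(SAMPLE_TIMES[0])}
"url2"=hex:{_reg_hex(SAMPLE_TIMES[1], wrap=4)}
"""

if __name__ == "__main__":
    for name, url, when in typed_url_timeline(SAMPLE_REG):
        stamp = when.isoformat() if when else "(no TypedURLsTime)"
        print(f"{name:5} {stamp:25} {url}")
```

Run it directly to print the timeline. Two caveats a practitioner wants alongside it: TypedURLs only records what was entered into the address bar, not links the user clicked, so a URL missing from it says nothing about whether the site was visited; and the export should come from a hive file (NTUSER.DAT) pulled from an image, not from regedit on the live machine, or the triage itself becomes another transfer of evidence.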

To demonstrate this visually, I designed a triple-helix structure of the interaction between user, application and OS. The UA, UOS, UH, AOS and OSH artifacts are the most challenging to validate and present as admissible evidence; network device artifacts are easier to classify as admissible, since they are not hearsay but business records.


About zoltanszabodfw

I feel passionate about teaching those who want to learn and are not afraid of the IT field and its constant learning challenges. I've been known to break down and simplify complex problems into layman's terms and to help develop a long-term method for learning to keep up with rapidly changing technology. I prefer teaching face-to-face rather than online, since I need the constant feedback and student interaction to keep exploring better and more helpful methods of instruction. My classes are heavily hands-on, lab-based courses. They feel like a separate full-time job, since no class starts and ends the same way, and troubleshooting and problem solving is an everyday process that shows students above and beyond what to expect in the workplace after they graduate.