CR 311 Ashford University Online Crime Scene Management Paper

Week 2 – Assignment: Crime Scene Management
[WLOs: 1, 2, 3, 4] [CLOs: 1, 2, 3, 5]
Blood Spatter and Trajectories, from the title Bodies, Blood, and Ballistics: Forensics Schoo…
(https://fod.infobase.com/PortalPlaylists.aspx?wID=100753&xtid=40577)

Crime scene management skills are an extremely important component of an investigation because evidence
that originates at the crime scene will provide a picture of events for the court to consider in its deliberations.
Locard’s exchange principle argues that during the commission of a crime, evidence transfer occurs between the
victim, suspect, and scene. In this paper, you will identify the key elements of crime scene management, the
function served by each, as well as repercussions of allowing a scene to become contaminated or not
establishing a solid chain of custody. Support your paper with examples from this week’s required material(s)
and/or a minimum of three other scholarly or credible resources and properly cite any references.
Prior to beginning work on this assignment, please review the following:
• From the text:
◦ Chapter 3: Digital Forensics
◦ Chapter 6: Trace and Materials Evidence
• From the free, downloadable resource at the web page Crime Scene Investigation Guide
(https://www.nfstc.org/products/crime-scene-investigation-guide/) : Section C: Processing the Scene
• From the free PDF copy at the web page Strengthening Forensic Science in the United States: A Path
Forward (2009) (https://www.nap.edu/catalog/12589/strengthening-forensic-science-in-the-united-states-a-path-forward) : Chapter 5: Descriptions of Some Forensic Science Disciplines
• The video Evidence and Forensics: Due Process
• From the video Forensic Science in Action: From Crime Scene to Courtroom:
◦ Segment 1. Discovery of a Crime Scene 03:45
◦ Segment 2. Crime Scene: Evidence Collection 03:03
◦ Segment 3. Gathering and Documenting Evidence at the Crime Scene 01:47
You are also strongly encouraged to review the recommended resources, as they will help you explore the
different types of evidence, as well as proper packaging and processing.
In your paper, address the following:
• Explain why it is important to secure the crime scene and provide examples.
• Identify possible ways that evidence might be contaminated.
• Identify different methods that might be necessary to document evidence at a crime scene.
• Identify different collection methods that might be used at a crime scene.
• Explain chain of custody and why it is important.
• Identify the repercussions of failure to protect evidence or establish chain of custody.
• Explain how an investigator or forensic expert differentiates between what is or is not evidence.
The Crime Scene Management paper
• Must be 750 words in length (not including title and references pages) and formatted according to APA style
as outlined in the Ashford Writing Center’s APA Style
(http://writingcenter.ashford.edu/apa-style)
• Must include a separate title page with the following:
◦ Title of paper
◦ Student’s name
◦ Course name and number
◦ Instructor’s name
◦ Date submitted
For further assistance with the formatting and the title page, refer to APA Formatting for Word 2013
(http://writingcenter.ashford.edu/apa-formatting-word-2013) .
• Must utilize academic voice. See the Academic Voice (http://writingcenter.ashford.edu/academic-voice)
resource for additional guidance.
• Must include an introduction and conclusion paragraph. Your introduction paragraph needs to end with a
clear thesis statement that indicates the purpose of your paper.
◦ For assistance on writing Introductions & Conclusions (http://writingcenter.ashford.edu/introductionsconclusions) as well as Writing a Thesis Statement
(http://writingcenter.ashford.edu/writing-a-thesis) ,
refer to the Ashford Writing Center resources.
• Must use at least three scholarly and/or credible sources in addition to the course text.
◦ The Scholarly, Peer-Reviewed, and Other Credible Sources
(https://content.bridgepointeducation.com/curriculum/file/e5359309-7d3c-4a21-a41044d59303ccef/1/Scholarly%20Peer-Reviewed%20and%20Other%20Credible%20Sources.pdf) table offers
additional guidance on appropriate source types. If you have questions about whether a specific source is
appropriate for this assignment, please contact your instructor. Your instructor has the final say about the
appropriateness of a specific source for a particular assignment.
◦ To assist you in completing the research required for this assignment, view this Ashford University
Library Quick ‘n’ Dirty
(https://ashford.mediaspace.kaltura.com/media/Ashford+University+Library+Quick+%27n%27+Dirty/0_bcsbcjee)
tutorial, which introduces the Ashford University Library and the research process, and provides some
library search tips.
• Must document any information used from sources in APA style as outlined in the Ashford Writing Center’s
Citing Within Your Paper (http://writingcenter.ashford.edu/citing-within-your-paper)
• Must include a separate references page that is formatted according to APA style as outlined in the Ashford
Writing Center. See the Formatting Your References List (http://writingcenter.ashford.edu/format-yourreference-list) resource in the Ashford Writing Center for specifications.
Consider using Q for your library research and to access the writing supports and tutoring services available to you.
See the Guide to Installing and Using Q (https://content.bridgepointeducation.com/curriculum/file/dd00f7497449-469c-9bd3-1e6e269bd895/1/Guide%20to%20Installing%20and%20Using%20Q%20for%20Success.pdf) for more
information.
Carefully review the Grading Rubric (http://au.waypointoutcomes.com/assessment/25746/preview) for the
criteria that will be used to evaluate your assignment.
Waypoint Assignment Submission
The assignments in this course will be submitted to Waypoint. Please refer to the instructions below to submit
your assignment.
1. Click on the Assignment Submission button below. The Waypoint “Student Dashboard” will open in a new
browser window.
2. Browse for your assignment.
3. Click Upload.
4. Confirm that your assignment was successfully submitted by viewing the appropriate week’s assignment tab
in Waypoint.
For more detailed instructions, refer to the Waypoint Tutorial
(https://content.bridgepointeducation.com/curriculum/file/dc358708-3d2b-41a6-a000-ff53b3cc3794/1/Waypoint%20Tutorial.pdf) .
CRJ311.W2A1.03.2019
Description:
Total Possible Score: 7.00
Explains Why It Is Important to Secure the Crime Scene, and Provides Examples
Total: 1.25
Distinguished – Comprehensively explains why it is important to secure the crime scene, and provides detailed examples.
Proficient – Explains why it is important to secure the crime scene, and provides examples. Minor details are missing.
Basic – Minimally explains why it is important to secure the crime scene, and provides limited examples. Relevant details are
missing.
Below Expectations – Attempts to explain why it is important to secure the crime scene and provide examples; however,
significant details are missing.
Non-Performance – The explanation of why it is important to secure the crime scene and examples are either nonexistent or lack
the components described in the assignment instructions.
Identifies Possible Ways That Evidence Might Be Contaminated
Total: 0.50
Distinguished – Clearly and accurately identifies possible ways that evidence might be contaminated.
Proficient – Identifies possible ways that evidence might be contaminated. Minor details are slightly unclear or inaccurate.
Basic – Vaguely identifies possible ways that evidence might be contaminated. Relevant details are unclear and/or inaccurate.
Below Expectations – Attempts to identify possible ways that evidence might be contaminated; however, significant details are
entirely unclear and inaccurate.
Non-Performance – The identification of possible ways that evidence might be contaminated is either nonexistent or lacks the
components described in the assignment instructions.
Identifies the Different Methods That Might Be Necessary to Document Evidence at a Crime Scene
Total: 1.25
Distinguished – Clearly and accurately identifies the different methods that might be necessary to document evidence at a crime
scene.
Proficient – Identifies the different methods that might be necessary to document evidence at a crime scene. Minor details are
slightly unclear or inaccurate.
Basic – Vaguely identifies the different methods that might be necessary to document evidence at a crime scene. Relevant details
are unclear and/or inaccurate.
Below Expectations – Attempts to identify the different methods that might be necessary to document evidence at a crime scene;
however, significant details are unclear and inaccurate.
Non-Performance – The identification of the different methods that might be necessary to document evidence at a crime scene is
either nonexistent or lacks the components described in the assignment instructions.
Identifies Different Collection Methods That Might Be Used at a Crime Scene
Total: 1.25
Distinguished – Clearly and accurately identifies different collection methods that might be used at a crime scene.
Proficient – Identifies different collection methods that might be used at a crime scene. Minor details are slightly unclear or
inaccurate.
Basic – Vaguely identifies different collection methods that might be used at a crime scene. Relevant details are unclear and/or
inaccurate.
Below Expectations – Attempts to identify different collection methods that might be used at a crime scene; however, significant
details are unclear and inaccurate.
Non-Performance – The identification of different collection methods that might be used at a crime scene is either nonexistent or
lacks the components described in the assignment instructions.
Explains Chain of Custody and Why It Is Important
Total: 0.50
Distinguished – Comprehensively explains chain of custody and why it is important.
Proficient – Explains chain of custody and why it is important. The explanation is slightly underdeveloped.
Basic – Minimally explains chain of custody and why it is important. The explanation is underdeveloped.
Below Expectations – Attempts to explain chain of custody and why it is important; however, the explanation is significantly
underdeveloped.
Non-Performance – The explanation of chain of custody and why it is important is either nonexistent or lacks the components
described in the assignment instructions.
Identifies the Repercussions of Failure to Protect Evidence or Establish Chain of Custody
Total: 0.50
Distinguished – Clearly and accurately identifies the repercussions of failure to protect evidence or establish chain of custody.
Proficient – Identifies the repercussions of failure to protect evidence or establish chain of custody. Minor details are unclear or
slightly inaccurate.
Basic – Vaguely identifies the repercussions of failure to protect evidence or establish chain of custody. Relevant details are
unclear and/or inaccurate.
Below Expectations – Attempts to identify the repercussions of failure to protect evidence or establish chain of custody; however,
significant details are unclear and inaccurate.
Non-Performance – The identification of the repercussions of failure to protect evidence or establish chain of custody is either
nonexistent or lacks the components described in the assignment instructions.
Explains How an Investigator or Forensic Expert Differentiates Between What Is or What Isn’t Evidence
Total: 0.75
Distinguished – Comprehensively explains how an investigator or forensic expert differentiates between what is or what isn’t
evidence.
Proficient – Explains how an investigator or forensic expert differentiates between what is or what isn’t evidence. The explanation
is slightly underdeveloped.
Basic – Minimally explains how an investigator or forensic expert differentiates between what is or what isn’t evidence. The
explanation is underdeveloped.
Below Expectations – Attempts to explain how an investigator or forensic expert differentiates between what is or what isn’t
evidence; however, the explanation is significantly underdeveloped.
Non-Performance – The explanation of how an investigator or forensic expert differentiates between what is or what isn’t
evidence is either nonexistent or lacks the components described in the assignment instructions.
Written Communication: Control of Syntax and Mechanics
Total: 0.20
Distinguished – Displays meticulous comprehension and organization of syntax and mechanics, such as spelling and grammar.
Written work contains no errors and is very easy to understand.
Proficient – Displays comprehension and organization of syntax and mechanics, such as spelling and grammar. Written work
contains only a few minor errors and is mostly easy to understand.
Basic – Displays basic comprehension of syntax and mechanics, such as spelling and grammar. Written work contains a few
errors which may slightly distract the reader.
Below Expectations – Fails to display basic comprehension of syntax or mechanics, such as spelling and grammar. Written work
contains major errors which distract the reader.
Non-Performance – The assignment is either nonexistent or lacks the components described in the instructions.
Written Communication: APA Formatting
Total: 0.20
Distinguished – Accurately uses APA formatting consistently throughout the paper, title page, and reference page.
Proficient – Exhibits APA formatting throughout the paper. However, layout contains a few minor errors.
Basic – Exhibits limited knowledge of APA formatting throughout the paper. However, layout does not meet all APA requirements.
Below Expectations – Fails to exhibit basic knowledge of APA formatting. There are frequent errors, making the layout difficult to
distinguish as APA.
Non-Performance – The assignment is either nonexistent or lacks the components described in the instructions.
Written Communication: Word Requirement
Total: 0.30
Distinguished – The length of the paper is equivalent to the required number of words.
Proficient – The length of the paper is nearly equivalent to the required number of words.
Basic – The length of the paper is equivalent to at least three quarters of the required number of words.
Below Expectations – The length of the paper is equivalent to at least one half of the required number of words.
Non-Performance – The assignment is either nonexistent or lacks the components described in the instructions.
Written Communication: Resource Requirement
Total: 0.30
Distinguished – Uses more than the required number of scholarly sources, providing compelling evidence to support ideas. All
sources on the reference page are used and cited correctly within the body of the assignment.
Proficient – Uses the required number of scholarly sources to support ideas. All sources on the reference page are used and
cited correctly within the body of the assignment.
Basic – Uses less than the required number of sources to support ideas. Some sources may not be scholarly. Most sources on
the reference page are used within the body of the assignment. Citations may not be formatted correctly.
Below Expectations – Uses an inadequate number of sources that provide little or no support for ideas. Sources used may not be
scholarly. Most sources on the reference page are not used within the body of the assignment. Citations are not formatted
correctly.
Non-Performance – The assignment is either nonexistent or lacks the components described in the instructions.
3 Digital Forensics
George E. Richards, Edinboro University
Learning Outcomes
After reading this chapter, you should be able to
• Understand why the need for digital forensics has grown over the past 2 decades.
• Identify the basic components and functions of a computer.
• Define digital forensics.
• Compare and contrast technological crimes.
• Explain the digital forensic investigative process.
• Understand the steps involved in finding a career in digital forensics.
Introduction
Marc Benioff, founder of Salesforce, an enterprise cloud computing company, stated, “The only constant in the technology industry is change” (as cited in Israel,
2013, para. 7). This has to date been proven accurate. The growth of electronic communications and the ability to store data has been exponential. In 1965 Gordon
Moore, a cofounder of Intel, postulated what has since become known as Moore’s law. Moore maintained computer processing speed would double every 24
months (Intel, n.d.). This has since been reduced to 18 months. The increased rate of processing—along with the increase in computer memory—and the
micronization of components have revolutionized how people communicate. There are now more mobile devices than there are people. Barnes (2014) held that
there are in excess of 7.2 billion mobile devices globally, and this number is increasing at 5 times the rate the population is. The growth in both prevalence and
complexity of digital devices has led to the increased use of these devices as tools in criminal acts.
Used in the perpetration of a crime, tools such as computers or smartphones may provide the digital criminal or cybercriminal an effective modus operandi which,
in this context, means the method of perpetration. In heists and robberies in films, it is routine to have a “getaway” car. The processing speed with which digital
devices can give commands provides digital criminals with a swift escape. In addition, digital devices provide perpetrators distance from the victim. With the
advent of the Internet, theft no longer requires personal interaction. For example, phishing is a common digital crime that entails victims receiving e-mails from
supposedly reputable companies that attempt to con the victims into revealing personal information such as passwords. Digital devices can be used by “phishers”
to steal personal data from anyone anywhere whose personal information is stored on a device with Internet capability. Digitization has provided perpetrators
with a wealth of extensive and effective modi operandi.
As technology has advanced, so have the methods for investigating technological crime, although it is increasingly challenging for law enforcement to keep up with
these advances. This chapter will address those students interested in the subfields of computer security and digital forensics. However, any student interested in
pursuing work in the field of criminal justice should have a grasp of the basics of investigating these devices, since they are impossible to avoid in today’s
environment. In order to adequately lay the foundation on which to address digital crime and its investigation, we need to have a basic understanding of
computers and other smart devices.
3.1 Computer Basics
In order to adequately discuss digital crime, it is essential that some of the basic terms associated with digital devices are explained. The first digital devices we
recognized were computers. The earliest computers could weigh up to several tons and take up entire floors of buildings, but thanks to advancements in
technology, they are now lightweight and portable, as well as more powerful. At its most basic, a computer is an electronic device that both stores and transmits
data in binary code, which is a coding system expressed using series of zeros and ones. Binary commands given by the user direct device operations through the
use of software that contains the binary codes. All digital devices use both hardware and software.
Hardware comprises the parts of an information system we see. The monitor, keyboard, mouse, and motherboard are examples of a computer’s hardware. A crucial part
of a device’s hardware is the hard disk drive, which is a permanent data-storage device within a computer. The hard disk drive often comes into play in forensic
investigations, since it is where much of a computer’s information is stored—including, sometimes, files that the user believes have been deleted. A hard drive can
be unplugged from a computer and retain all of the information that was stored on it while it was plugged in. When a hard drive is collected for evidence, an exact
copy is made to be used for analysis, to avoid unintentionally changing anything on the original.
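The following is an added example, not part of the original chapter: one way to confirm that a working copy of a drive image is identical to the original by comparing SHA-256 digests, and to record each handling step in a hash-chained custody log. The file names, handler names, timestamps, and log fields are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit fully in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def copy_and_verify(src, dst):
    """Copy src to dst, hashing the source as it is read, then re-read dst and compare."""
    h_src = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h_src.update(block)
            fout.write(block)
    src_digest = h_src.hexdigest()
    dst_digest = sha256_file(dst)
    return src_digest, dst_digest, src_digest == dst_digest


def _entry_hash(body):
    # Canonical JSON (sorted keys) so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, action, handler, item_sha256, timestamp):
    """Append a custody record that also commits to the previous record's hash."""
    body = {
        "seq": len(log),
        "action": action,
        "handler": handler,
        "item_sha256": item_sha256,
        "timestamp": timestamp,
        "prev_hash": log[-1]["entry_hash"] if log else "0" * 64,
    }
    log.append({**body, "entry_hash": _entry_hash(body)})
    return log[-1]


def verify_log(log):
    """Return None if the chain is intact, else the index of the first bad record.

    The chain only shows edits if the latest entry_hash is also kept somewhere
    the log's editor cannot reach (for example, on the signed paper form).
    """
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return i
        if _entry_hash(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None


def demo():
    """Run the whole procedure on a small constructed 'image' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.img")    # constructed stand-in for seized media
        working = os.path.join(d, "working_copy.img")
        with open(original, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE DISK CONTENT " * 4096)

        src_digest, dst_digest, match = copy_and_verify(original, working)

        log = []
        append_entry(log, "original acquired", "Examiner A", src_digest, "2024-01-01T10:00:00Z")
        append_entry(log, "working copy verified", "Examiner A", dst_digest, "2024-01-01T10:20:00Z")
        append_entry(log, "copy released for analysis", "Examiner B", dst_digest, "2024-01-01T11:00:00Z")
        log_intact = verify_log(log) is None

        # Analysis accidentally alters one byte of the working copy.
        with open(working, "r+b") as f:
            f.seek(100)
            f.write(b"\x00")
        change_detected = sha256_file(working) != src_digest
        original_unchanged = sha256_file(original) == src_digest

        # Someone edits an earlier custody record after the fact.
        log[1]["handler"] = "Someone Else"
        first_bad_entry = verify_log(log)

    return {
        "copy_matches": match,
        "log_intact": log_intact,
        "change_detected": change_detected,
        "original_unchanged": original_unchanged,
        "first_bad_entry": first_bad_entry,
    }


if __name__ == "__main__":
    print(demo())
```

The single altered byte changes the working copy's digest while the original's digest stays the same, which is why analysis is done on the copy.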
Separate from the hard drive is a computer’s RAM, or random access memory. RAM is a quickly retrievable type of computer memory that temporarily stores the
information your computer immediately requires while you’re using it. Examples of RAM data would be the details of a web page you’re viewing and any user
name/password you used to log in to that web page. Unlike the hard drive, when a computer is off, the RAM is empty.
Working in tandem with hardware, software is the binary instruction for specific computer processes that are implemented through the hardware. These are the
programs a computer uses to carry out a specific task. For example, Microsoft Office is a software package that allows you to create and edit documents.
Information systems are combinations of hardware and software used to collect, store, and share data. An example of this would be a geographic information
system that manages and analyzes geographic data.
Another important facet of computers today is the IP address. An IP address is a string of numbers used to identify a computer so that it can access the Internet.
Its function is similar to that of a return address on an envelope. Anyone who accesses the Internet does so via a third party, often a commercial Internet provider.
This provider grants your computer access to the Internet based on your computer’s IP address. The IP address is attached to all online activity you complete, a
fact that is very useful in digital forensic investigations. However, an analyst can’t tell who made a certain request online, only which computer the request was
made on.
Up to this point, we have been discussing computers only, but digital forensics encompasses a wide range of digital devices, including
• smartphones,
• smart watches,
• voice assistants,
• cameras,
• tablets,
• e-readers, and
• automobiles.
The full list is extensive and constantly expanding. Society is more dependent on technology today than at any point in human history, and the trend shows no
signs of waning. Without the ability to store information, digital devices would serve little purpose to the investigator. The rudimentary and limited memory that
characterized early computer hard drives became more complex as information storage became portable and fluid. The early, malleable 5.25-inch floppy drives
were replaced by 3.5-inch disks, which were supplanted by USB drives.
These drives, also known as thumb drives, weigh less than 1 ounce and may provide from 8 megabytes to 1 terabyte of storage capacity. USB drives capable of
storing 2 terabytes of data are currently in development.
The information stored on the devices discussed above is referred to as data. There are two types of data that influence computer operations: visible data and
latent data. Visible data is employed by the operating system and can be accessed by the user. For the investigator, it can describe any type of operational data
such as documents, spreadsheets, databases, and audio and video files. Latent data, also known as ambient data, encompasses the information in computer
storage not included in file-allocation tables. It is not easily viewed through the operating system, so most users do not know that it is there. Latent data is used in
digital forensic investigations to uncover evidence and recover deleted files.
Data is not static. Karie and Venter (2015) describe data, and electronic evidence in general, as fragile. Any use of a digital device has the potential to damage or
destroy data. This may be accidental or intentional. It may be as mundane an act as turning the device on or powering it down. Power surges, changes in
temperature, or rough handling of the device may also destroy data. Because of this, analysts must use a lot of care and caution when examining devices for
evidence.
E-mail
E-mail messages are messages distributed from one electronic device user to one or more recipients via a network such as the Internet or an organization’s
intranet. As you have no doubt experienced, it is an almost instantaneous transaction. While many organizations host their own e-mail servers for employees, it is
estimated there are over 1 billion web-based e-mail accounts for personal use (Magnet Forensics, 2014) with over 100 trillion e-mails sent each year (Global
Digital Forensics, n.d.). Among the most popular of these are Gmail and Yahoo! Mail. A suspect’s e-mail is often searched for evidence of communications related to
a crime. Perpetrators, especially novice ones, often believe deleting an e-mail permanently removes any record of it. This is not always the case.
Web-based e-mail is dependent on the use of a browser. Thus, e-mail evidence consists of browser artifacts within the cache, history, and cookies. The history and
cookies provide the dates and locations visited by the user. The greatest source of evidence is to be found in the cache, where some e-mails read by the user are
stored. The location of the cache within the operating system and browser may vary, depending on the browser used. Although evidence may be recovered from
e-mail transmissions, the sheer number of e-mail accounts that may be used and the large number of e-mails sent also add to the time commitment of an
investigator (Magnet Forensics, 2014).
Cloud Storage
Cloud storage of data has also grown in use and adds another piece to the puzzle of digital forensic expertise. Cloud storage houses data across multiple servers
and multiple locations. Cloud storage is typically owned by a third-party hosting company that is responsible for the maintenance and protection of client data.
Space is not bought in a cloud but is leased. Clients are seldom aware of the actual physical location of their data.
Clouds pose certain challenges to forensic investigation. “There is no foolproof, universal method for extracting evidence in an admissible fashion from
cloud-based applications, and, in some cases, very little evidence is available to extract” (as cited in Barbara, 2009, para. 6). First, the ability to access data from
anywhere using any device that can accept commands and be linked to the Internet poses problems for the integrity and protection of data. It is hard to verify that
data stored in the cloud is secure, even when password protected, and there are opportunities for digital-facilitated crime through the corruption or theft of data.
Human error in configuring a cloud server in 2017, for instance, led to the leak of the data of 6 million Verizon users online (Larson, 2017). Intentional criminal
activity can be even more dangerous.
Requirements for the storage of data and the steps required for investigators to access the information legally differ between jurisdictions. Similar to physical
evidence, whether these regulations are followed during an investigation can impact whether evidence is admitted in court.
Voice Assistants
A type of electronic device first released in 2015 and growing in popularity is the
virtual or smart assistant, more commonly known as the voice assistant. Among the
most popular of these are Amazon’s Alexa and Echo and Google’s Google Home.
Assisting is what these devices were literally designed to do. Activated, depending on
device, through voice recognition, text messaging, or uploading pictures, virtual
assistants help simplify the management of one’s life through quick exchanges
between the user and the device. These can relay news, weather, sports scores, and
music. Bank accounts may be accessed and thermostats set.
Recently, it was discovered that these too can be hacked. Through “voice squatting,”
these devices may be used to eavesdrop or to open malicious apps. Another type of
virtual assistant hack, DolphinAttack, utilizes commands inside ultrasound frequencies
inaudible to human hearing to assume control of the device. According to researchers
at the University of Virginia and the Chinese Academy of Sciences, the possibilities of
this type of phishing for the manipulation and theft of personal information are
significant. Home security codes, bank account and credit card numbers, and other
personal information can be obtained with relative ease (Wycislik-Wilson, n.d.).
Voice assistants are another example of how digital crime challenges forensic
analysts and investigators to keep their knowledge of technological advances
current. Although security precautions
are constantly being developed for digital devices, it has consistently been shown that these
can be overcome by determined and talented perpetrators.
[Figure: Digital criminals can target virtual assistants to gain access to sensitive
information, such as credit card and bank account numbers. Photo: Frank Duenzl/picture-alliance/dpa/AP Images]
3.2 What Is Digital Forensics?
As you may remember from Chapter 1, Dr. Edmond Locard postulated that anytime individuals come into contact with someone or something or enter a specific
area, they will make physical contact and leave a trace (Forensics Library, n.d.). The Locard exchange principle is also applicable in the electronic or digital realm,
even though the person may be thousands of miles away from the “scene.” People leave user-specific information behind when they visit a website, send an e-mail,
or do any number of things on an electronic device. This information is known as a digital fingerprint, and it can often be traced back to an individual. This could
be as simple as the type of font used, or it could be complicated metadata.
We noted in Chapter 1 that forensics is not a proper term for forensic science. However, it has become so ingrained in people’s minds by popular media that its use
is probably inevitable now. The terms computer forensics and digital forensics are often used synonymously. This is understandable but not entirely accurate. In
the 1980s computer forensics would have been an appropriate term, but due to the rise in digital devices such as smartphones that are not considered computers,
digital forensics is the correct term. With mobile devices that can be carried on the user’s person and can transmit data within seconds globally, the requirements
for investigations of these devices have changed along with the terminology.
Digital forensics encompasses the investigation of all manner of devices that require the manipulation of binary code to operate. There are two types of digital
forensic investigations: digitally based and digitally facilitated. A digitally based crime is one in which the computer is used to commit the act; for example, a
phishing e-mail meant to con someone into sending his or her bank account information. Digitally facilitated crimes are those in which the digital device is the
target of what are traditionally referred to as computer criminals or cybercriminals. For example, an identity thief who steals bank account information from a
victim’s cell phone would be the perpetrator of a digitally facilitated crime.
Digital forensic analysts may collect evidence from a variety of mechanisms, including computer systems, networks, and removable media such as USB drives and
external hard drives. Even though devices may differ, digital forensic practitioners must all abide by certain legal requirements. The successful prosecution of a
digital crime is dependent on the investigator’s ability to collect electronic evidence in a manner that satisfies the requirements for admissibility in court
(Resendez, Martinez, & Abraham, 2012). As discussed in the Chapter 2 section on the Fourth Amendment, the requirements for acquiring digital evidence are still
evolving through litigation. The Supreme Court recently decided that a warrant is needed to place a GPS tracker on a person or a vehicle and also to gather
location data from a person’s cell phone.
The hardware and software necessary for the operation of digital devices differ significantly, depending on the requirements of the device and its complexity.
Consequently, investigative approaches must also be adjusted for the specifics of the device in question. In their 2018 article, Barmpatsalou, Cruz, Monteiro, and
Simoes referred to several subdisciplines of digital forensics, including
• computer forensics,
• audio forensics,
• cloud forensics,
• database forensics,
• network forensics,
• video forensics, and
• mobile forensics.
Digital forensics then cannot be considered only an exploration of a device to see what data might be stored on it. It requires that investigators follow established
protocols governed by law. These laws address specific crimes committed through the use of a digital device. To fully
understand digital forensic science, one needs to understand how the practice has evolved and is still evolving.
The Development of Digital Forensic Science
The application of forensic science practices to criminal investigations has evolved
over centuries. The practice of digital forensic investigation is a more recent step in
this progression. The active practice of digital crime investigations began in the late
1970s as law enforcement began to realize the possibilities computers held to assist in
the perpetration of crime and storage of evidence. The first efforts at electronic
forensics targeted computers that were suspected to store incriminating evidence.
These early cases were primarily concerned with financial fraud. The focus of
electronic investigations grew in complexity as devices were networked in one facility
or through an organization. The introduction of the Internet as a means of data
transmission was the next step in the evolution of technological understanding for
analysts.
The first training programs in digital forensics were developed in the 1980s. The
Association of Certified Fraud Examiners, the National Consortium for Justice
Information and Statistics, and the High Technology Crime Investigation Association
were among the organizations that designed early digital crime curricula. In 1987
AccessData, the first company to specialize in digital forensics, was founded
(Information Systems Audit and Control Association [ISACA], 2015).
Both government agencies and private industry recognized the need for a means to
investigate digital crime. The FBI’s Computer Analysis and Response Team, created in
1984, was a government pioneer in computer, and then digital, crime investigations.
Other countries and government entities have also formed similar units and task
forces to combat digital crime. However, some argue that without the contribution of
private technological developments, effective investigations of digital crime today
would be impossible. Gogolin (2010) found in a study of Michigan law enforcement that while the number of digital-related crimes had dramatically increased, the
number of qualified investigators had not kept pace. Part of the reason for this disparity may be the fact that an investigator who specializes in cellular telephone
forensics may have to invest as much as $25,000 in forensic tools. This is in addition to specialized training and certifications necessary to maintain a currency of
knowledge.
Photo (Alexpoison/iStock/Thinkstock): Digital forensic analysts work with a variety of devices and technology, including computers, external storage devices, mobile devices, databases, and the cloud.
The Information Systems Audit and Control Association (ISACA, 2015) credits the forensic tools available today to the open source/community-driven model
which makes “tool evolution modular, extensible, robust, and sustainable” (p. 3). That is, innovations by the greater technological community have helped law
enforcement’s digital forensic tools keep pace with the innovation of digital criminals.
3.3 Technological Crime
The intended purposes of technology, however noble the aims behind its development, may be subverted for nefarious ends.
Case Illustration: IBM and the Nuremberg Trials
In 1889 Herman Hollerith patented an electric punch-card device which could compile numerical data. The U.S. Census Bureau used his technology in the
1890 census and found that Hollerith’s device dramatically reduced the time necessary to summarize population data. Soon other countries began to lease
Hollerith’s equipment, and his business grew. He eventually merged with three other corporations to form what became known as International Business
Machines (IBM).
When Adolf Hitler became chancellor of Germany in 1933, the ruling Nazi Party soon implemented policies of Jewish persecution. The challenge facing the
Nazis was how to effectively identify, track, and manage Germany’s Jewish population. A subsidiary of IBM, IBM Germany, marketed the Hollerith
technology to the Third Reich and tailored the tabulation for the specific purpose of identifying Germany’s some 600,000 Jews (Black, 2001). It worked
with chilling efficiency. The data collected via the use of the Hollerith device was used by the prosecution in the Nuremberg trials.
Reflect On It
As we have stated previously, technology is constantly changing and the crimes associated with it change as well. Using the above example regarding the
Hollerith device, how might contemporary digital technology be used to identify and target people for victimization by government? How might future
technological advances be used for the same purpose?
The perversion of technology for criminal or deviant purposes is not limited to Nazi Germany.
The original intent of the Internet was to provide a relay of networks so that during a nuclear
confrontation, electronic communications used by the military would not be interrupted. This
system of networks has since served as the backbone of what we have come to know as the
Internet. Those early designers and analysts could not have foreseen that their work would
someday be used as a vehicle for terrorism, theft, and pornography.
As technology has evolved, lawmakers have sought to keep pace by enacting laws that address
the criminal use of technology. For example, the Computer Fraud and
Abuse Act of 1986 prohibits conduct that abuses or damages computer systems, particularly
those that have a federal interest; these include computers that are used by or for the federal
government or in commerce. In 2003, in response to the ever-growing amount of unsolicited
commercial e-mail, Congress passed the CAN-SPAM Act, establishing standards for the sending
of commercial e-mail. Law 18 U.S.C. 1029 makes credit card (and other access device) fraud a
federal crime with punishments of up to 10 years in prison. Law 18 U.S.C. 2511 prohibits the
unauthorized interception, use, and disclosure of any electronic communications. In 2017
President Barack Obama signed an executive order that called for the creation of a voluntary
risk-based cybersecurity framework. This is another example of how the federal government
has recognized possible harms that may come from a cyber-based attack on public or private
infrastructure (ISACA, 2015).
The specter of cyberterrorism is a growing concern for law enforcement agencies globally.
Cyberterrorism is the use of digital devices and systems to orchestrate a terrorist attack on a
government or entity. The recent discovery that Russian state-sponsored hackers had
infiltrated American power grids following similar interference in the 2016 U.S. presidential
election has emphasized the need for greater security in digital infrastructure (Sanger, 2018).
The following sections outline a selection of the most common digital crimes.
National Cybersecurity and Communications Integration Center
From Title: Code Wars: America’s Cyber Threat (https://fod.infobase.com/PortalPlaylists.aspx?wID=100753&xtid=47288)
This video gives an overview of the National Cybersecurity and Communications Integration Center
in Washington, DC, and discusses the cyber-threat to America’s infrastructure.
Hacking
Hacking is the use of a computer to gain unauthorized access to data in a system. The
perpetrator is known as a hacker. Hacking can be malicious or nonmalicious. Malicious
hacking may take the form of information theft, systems sabotage, and vandalism.
Simple intrusion, when a hacker defeats the security of a system just for the challenge,
is considered nonmalicious.
Hackers may employ several techniques. Through vulnerability scanning, network
computers are checked for known weaknesses. Passwords may be cracked by
discovering them in stored data or intercepting them when transmitted electronically.
Spoofing attacks utilize bogus websites that mimic legitimate sites and trick users into
entering their user names and passwords. There have been many large hacking
incidents in the past 10 years, including two massive data breaches suffered by Yahoo!
in 2013 and 2014, which exposed the passwords of over a billion users (Goel &
Perlroth, 2016). In 2017 hackers breached credit bureau company Equifax’s customer
database, exposing almost 150 million customers’ sensitive information, including
Social Security numbers and addresses (Borak & Vasel, 2018).
Identity Theft
Identity theft is the stealing of personal information so that the criminal may
impersonate the victim. Identity theft has been addressed at the federal level by 18
U.S.C. 1028A, known as the Identity Theft Penalty Enhancement Act. Identity theft is
most commonly associated with the perpetrator seeking financial gain. Access to a
person’s Social Security number may allow an identity thief to open a credit line in the
person’s name. Bank accounts may be accessed electronically and funds transferred to a perpetrator’s account. Children may be the victims of identity theft when
their Social Security numbers are used to open credit lines. This can be made more complex when the perpetrator uses a fake name and a real Social Security
number.
Photo (Alex Milan Tracy/Sipa via AP Images): In 2017 hackers gained access to Equifax customer data. The breach of one of the three major credit bureaus exposed the personal information of nearly 150 million individuals.
Cyberbullying
Advancements in technology, especially surrounding social media and cell phones, have also been credited with contributing to bullying. Traditionally, bullying
required physical intimidation or contact. However, the Internet and cellular technology have made these requirements obsolete. Cyberbullying, which is bullying
that takes place through electronic communication, allows anyone with a rudimentary knowledge of digital devices, regardless of size or age, to bully another. It
most often takes place via social media, texting, instant message, and e-mail. Citing a study of American teens aged 13 to 17, Osborne (2012) wrote that 46% of
“heavy” cell phone users (those who send in excess of 60 text messages per day) suffer from cyberbullying on their cell phones, compared to only 23% of “normal”
users.
Case Illustration: United States v. Drew
One of the first instances of cyberbullying that contributed to a suicide was the death of Megan Meier on October 17, 2006. Meier had a history of suicidal
tendencies and had exhibited these as early as the third grade when she shared with her mother she wanted to kill herself. Because Meier was overweight
and bullied throughout her elementary and middle school years, her parents enrolled her in a Catholic school where they believed the standardization of
uniform and curricula would reduce her torment at the hands of other students (Pokin, 2007).
Like so many adolescents, Megan Meier and a neighbor, Sarah Drew, had an off-again, on-again friendship. When Meier ended the friendship, Drew’s
mother, Lori, decided to seek revenge. Shortly after this, Meier began receiving messages on her MySpace account from a 16-year-old boy, “Josh Evans.”
From his picture and the flattering attention he paid to her, she soon became infatuated with him (Pokin, 2007). For 6 weeks, Meier and Evans used
MySpace to get to know each other. According to her mother, Meier’s self-esteem grew during this time. However, Meier was devastated when Evans told
her he no longer wanted to talk with her, because she was not nice to her friends. He also told her, “The world would be a better place without you”
(Steinhauer, 2008). Her pain was further accentuated by bulletin board posts stating she was a slut. Shortly after this, she hanged herself in her
bedroom. Meier was 3 weeks shy of her 14th birthday (Pokin, 2007).
Josh Evans never existed. The MySpace account of Josh Evans was a bogus account created by Lori Drew to avenge her daughter for Meier ending their
relationship. Sarah Drew and an employee of Lori Drew were also involved in sending messages from the fictitious Evans to Meier. It was their plan to draw
Meier in emotionally and then abruptly end the relationship. They were aware of the bullying and lack of self-esteem Meier had routinely experienced (CBS
News, 2008).
Shortly after their daughter’s death, Meier’s parents were contacted by a neighbor whose daughter had been encouraged to join in with the Drews. The girl
had the password to the MySpace account, and the guilt over Meier’s suicide led her to confess her involvement to her mother. When the ambulance arrived
at the Meier home the night of Meier’s suicide, Lori Drew called the girl to tell her something had happened to Meier and not to mention the MySpace
account to anyone (Pokin, 2007).
Lori Drew was convicted of three misdemeanor charges of computer fraud. The jury deadlocked on the charge of conspiracy (Steinhauer, 2008). Drew
appealed the decision, and the conviction was reversed in 2009. Criminal charges were not filed against Drew, because local prosecutors stated there was
no existing criminal charge they could apply to the case (Pokin, 2007).
Reflect On It
Profile the possible victim and perpetrator of cyberbullying. What are their characteristics? Where should the digital forensic investigator look for
evidence?
Cyberbullying can be more harmful than regular bullying, since it can take place at all hours of the day (instead of just school or work hours) and the messages
stay online permanently. The fact that it takes place silently makes it harder for authority figures to see it taking place and take steps to help the victim. Like
bullying, cyberbullying can lead to depression, anxiety, decreased performance in school, and many other negative effects (StopBullying.gov, 2017). Cyberbullying
has on occasion ended in suicide on the part of the victim when the victim has had a history of mental health issues or suicidal risk factors.
Although the interpersonal violence associated with violent crime is not present in cyber-crime, the damage caused by cyberbullying is equally real. All 50 states
plus the District of Columbia have laws against bullying, and 48 of those laws explicitly include electronic bullying (TeenSafe, 2017).
Nonconsensual Pornography
A relatively new criminal phenomenon that requires digital investigation is nonconsensual pornography, also known as revenge porn. This occurs when
photographic imagery, taken in the context of an intimate sexual relationship, is released online without the knowledge of one of the participants. It is often done
as a means of lashing out at the partner who ended the relationship. Revenge porn has been described by victims as feeling like rape. A Chicago woman related
how, after her divorce, her ex-husband took video shot during their honeymoon of the two of them having sex and uploaded it to a website. One of these clips had
in excess of a million views. She was upset by the response of law enforcement, which was not especially helpful. Upon reporting it, she was told by officers, “Next
time don’t be identifiable if you choose to do something like this” (Fink & Seagall, 2016, para. 15). This issue has not yet been addressed by federal law. State
governments have been more active in defining nonconsensual pornography as criminal, with over 40 states plus the District of Columbia having statutes making
nonconsensual disclosure of intimate images illegal (Cyber Civil Rights Initiative, 2018).
3.4 The Digital Investigation Process
It is essential that investigators follow an established protocol for collecting and protecting digital evidence. There are a variety of specialists that may be
employed in the collection of digital data. These may focus on data recovery, data conversion, cryptanalysis, and IP investigation. Digital forensic analysts may be
called to the scene to process the evidence, or they may process it later in a laboratory. This will depend on the types of devices used and how complex the
investigation is considered to be.
Concern over digitally based or digitally facilitated attacks is not necessarily the jurisdiction of sworn officers. Indeed, not all digital forensic analysts and
investigators are found within the law enforcement community. Private businesses may also employ or contract with digital forensic specialists to determine if
employees are incorrectly storing data, sharing private information with unauthorized parties via e-mail, or at risk of social engineering attacks.
Zatyko (2007) proposed a digital forensic investigation model containing eight steps and articulating a strict adherence to a precise, scientific process. The stages
of Zatyko’s investigative model are as follows:
• Obtain search authority: An investigation admissible in court is dependent on the legal authority to initiate and conduct a search and/or seizure of
evidence. A search may be conducted with either the permission of the owner of the device or through a court order. Without this authority, any evidence
is inadmissible. Forcing or coercing someone to give a password or access to a device is not permitted.
• Document chain of custody: Documentation of digital evidence handling and processing must be chronologically kept to avoid possible later claims of
evidence tampering. A fuller discussion of the chain of custody will be presented later in this chapter.
• Image and hash: Once evidence is found, the investigator should duplicate and hash it to ensure the copy is valid and the integrity of evidence maintained.
This is covered more fully in the “Collecting Evidence, Imaging, and Hashing” section later in this chapter.
• Validate tools: In most digital investigations, forensic tools need to be validated to ensure they are capable of contributing to the investigative process.
Investigators must be able to depend on the tool’s reliability and accuracy. This topic is covered further in the “Validating Tools” section later in the
chapter.
• Analyze: Investigators are expected to assess evidence that is uncovered to ascertain if it either confirms an illegal or illicit activity or demonstrates lack of
evidence for illegal or illicit activities.
• Repeat and reproduce (quality assurance): A key component of the scientific method is that experiments are able to be repeated and reproduced by the
same scientists or others. This same process holds true for digital forensic investigators; additional tests by other analysts should confirm their findings.
This and the previous step are covered more fully in the “Utilizing the Scientific Method in Digital Forensic Investigations” section later in the chapter.
• Report: The process of documentation includes both the full notes of the investigation and a summary of findings by the investigator. This is what will be
used in court and is the foundation of a successful prosecution. The forms should be standardized depending on the agency conducting the investigation,
to ensure consistency. The report should be written as soon as possible from the initial investigation notes while it is fresh in the investigator’s memory.
The report should include facts only, not conjecture.
• Present expert testimony: It is common for the forensic examiner to be called to testify in court. The examiner may be asked questions about the evidence,
how it was uncovered, and how it was protected, as well as his or her training, experience, and qualifications. For the testimony of an expert witness to be
effective, the attorneys involved on both sides must have a rudimentary knowledge of the digital investigation process to know what questions to ask, how
to ask them, and how to coach the expert in answering the questions. The expert also has to be able to explain complex technical terms and procedures in
such a manner that a jury can understand the issues involved.
Documenting the Chain of Custody of Digital Evidence
As discussed in Chapter 2, all the talent, work, and dedication of a digital forensic analyst means nothing if the legal requirements pertaining to the collection of
evidence are not followed. A key to protecting the chain of evidence is to limit the number of people who come into contact with the evidence. Seldom is the digital
forensic investigator the person who discovered that a crime occurred. The investigation usually begins with a report by a citizen, and an officer then responds.
An example of the steps followed by a first responder in a digital crime investigation follows.
1. Joe Smith reports to the local police that he has received harassing texts from
an unknown sender.
2. Officer Carla Hernandez takes Smith’s report and secures Smith’s cellular
telephone. This includes photographing the device, taking video of it,
sketching it in the context of where it was when the incident was reported,
taking notes of her interview with Smith, and beginning the chain of custody
process.
3. Officer Hernandez then determines if the device is on or off. She may examine
it to see if the screen saver is on, lights on the device are lit, or sounds are
emitted from it, and feel for heat from the power source. Most mobile devices
go into power-saving mode if not used for a specified amount of time, but they
are still active. If the device is on, it needs to stay on, as turning the device off
could result in evidence being deleted or a password or biometric login
needing to be reinstated.
4. Officer Hernandez then collects the device (along with any necessary power
cables) and obtains the device password from Smith. (Devices may now be
activated by facial scans or fingerprints, which may require the device owner
to change the settings so that law enforcement can have access to the device. If
the device owner is unwilling to provide access to the device, this can cause
delays, but the problem can be overcome by forensic technicians trained in
bypassing access controls.)
5. Officer Hernandez should keep the device powered, unlocked, and in airplane
mode (if it was on when collected) until delivered to the crime laboratory. It is
important that Hernandez isolate the device from cellular or Wi-Fi networks to prevent evidence tampering. The phone should be packaged and labeled
in such a manner that it is not damaged. It should also be protected from dramatic changes in temperature and moisture. If the device was backed up on a
computer, Hernandez should take the necessary steps to secure this device also.
6. Officer Hernandez then transports the device as soon as possible to the crime laboratory, where she signs it over to an analyst/technician who begins the
process of examination.
Photo (Rachel Leathe/Bozeman Daily Chronicle via AP): A digital forensic analyst demonstrates the process of removing information from devices, such as computers or cell phones, in a way that prevents the information from being altered.
In addition to the mobile telephone used in the previous example, computers, e-readers, tablets, virtual assistants, and removable media are also possible sources
of evidence. On occasion, the investigation occurs where the devices are located, in which case it is necessary to clone the device on the premises. However, it is
preferable to use a laboratory, where the conditions may be controlled. With each type of device, there will be some differences in the collection of evidence.
However, the key to maintaining the chain of evidence is to proceed carefully and document every step of the process.
Collecting Evidence, Imaging, and Hashing
An essential facet of a digital investigation is the collection and preservation of evidence. Digital evidence can be easily damaged through user manipulation, by
power surges, or during transport. To avoid altering the original piece of evidence, an exact copy is made through imaging and hashing. The imaging of a digital
device is done through the exact copying of data stored in files, folders, or entire drives into a new file, folder, or hard drive. Then, in order to shorten the time
necessary to search through the data, a process called hashing is used, in which a string of characters is transformed into a shorter format that represents the
original string. It is important that an exact copy be made during the imaging phase because if the copy is off by even a small margin, the hash values will be
significantly incorrect. Once the copy is created and hashed, it can be analyzed without fear of altering the evidence.
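The image-and-hash step described above, together with the "Document chain of custody" stage of Zatyko's model, as an added example that is not part of the textbook. The file names, the sample data and the hash-chained custody log format are assumptions made for illustration, and the chained log goes beyond what the chapter describes.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never has to fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in fixed-size chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_and_hash(source, image, algorithm="sha256"):
    """Copy source to image byte for byte, hashing the source bytes as they are read.

    The source is opened read-only; the returned digest is the acquisition hash
    that goes into the case notes.
    """
    digest = hashlib.new(algorithm)
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite an image
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    return digest.hexdigest()


def verify_image(image, acquisition_hash, algorithm="sha256"):
    """Re-read the finished image from disk and compare with the acquisition hash."""
    return hash_file(image, algorithm) == acquisition_hash


def custody_entry(log, handler, action, item_hash):
    """Append a custody record that embeds the hash of the previous record."""
    previous = log[-1]["entry_hash"] if log else "0" * 64
    record = {"seq": len(log) + 1, "handler": handler, "action": action,
              "item_sha256": item_hash, "previous_entry": previous}
    body = json.dumps(record, sort_keys=True).encode()
    record["entry_hash"] = hashlib.sha256(body).hexdigest()
    log.append(record)
    return record


def custody_log_intact(log):
    """Recompute every record hash and link; False if any record was edited or removed."""
    previous = "0" * 64
    for record in log:
        body = {k: v for k, v in record.items() if k != "entry_hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if record["previous_entry"] != previous or record["entry_hash"] != expected:
            return False
        previous = record["entry_hash"]
    return True


def demo():
    """Run the workflow on a constructed 'device' file and return the observations."""
    with tempfile.TemporaryDirectory(prefix="imaging_demo_") as workdir:
        source = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.img")
        with open(source, "wb") as fh:  # constructed sample data standing in for seized media
            fh.write(b"SMS 2018-03-01 21:14 from unknown: constructed sample message\n" * 4096)

        acquisition = image_and_hash(source, image)
        verified = verify_image(image, acquisition)

        log = []  # handler names are constructed, borrowed from the chapter's scenario
        custody_entry(log, "Officer Hernandez", "collected device", acquisition)
        custody_entry(log, "Lab analyst", "imaged and verified", acquisition)

        # Flip a single bit in the image: the digest no longer matches.
        with open(image, "r+b") as fh:
            fh.seek(100)
            byte = fh.read(1)
            fh.seek(100)
            fh.write(bytes([byte[0] ^ 0x01]))
        altered_hash = hash_file(image)
        differing = sum(a != b for a, b in zip(acquisition, altered_hash))

        log_ok_before = custody_log_intact(log)
        log[0]["handler"] = "someone else"  # simulate an after-the-fact edit of the paperwork
        log_ok_after = custody_log_intact(log)

    return {"verified": verified, "altered_matches": altered_hash == acquisition,
            "differing_hex_chars": differing, "log_ok_before": log_ok_before,
            "log_ok_after": log_ok_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Analysis then proceeds on the verified image only, and re-running `verify_image` at any later point shows whether the working copy still matches what was acquired.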
A newer avenue of evidence collection for digital forensic investigators is social media. Investigators will often check to see if a suspect has a social media presence
during the course of an investigation. Sometimes people post incriminating evidence on their social media pages without realizing that anyone can view it and
that it can be used against them. Even when posts or photos are deleted, they can often be recovered from a suspect’s device or from other places on the Internet if
they have been shared. Additionally, people often allow their social media to broadcast their location when they “check in” somewhere or tag a photo with the
location where it was taken. This information can be used by law enforcement as well. In one example, detectives were at a dead end when a suspect used his
Facebook account to “check in” at a strip club, leading the police to his car in the parking lot, which provided enough evidence for them to arrest him when he
walked out of the club (Knibbs, 2013).
Encryption
Encryption of data is one of the larger problems that law enforcement faces in collecting digital
evidence. As defined by the National Forensic Science Technology Center (n.d.b), encryption is
the “procedure that converts plain text into symbols to prevent anyone but the intended
recipient from understanding the message” (p. 15). The level of encryption of a digital device
can easily stymie examination. Karie and Venter (2015) hypothesized that as encryption
standards for the protection of data increase and the associated algorithms become more
complex, it will become more time-intensive for investigators using cryptanalysis to uncover
and reconstruct evidence. There is currently no standard approach to cryptanalysis. Without
the cooperation of the suspect in giving the investigator the encryption key, uncovering
encrypted data is impossible.
Quantum Cryptography
From Title: Defeating the Hackers (https://fod.infobase.com/PortalPlaylists.aspx?wID=100753&xtid=55774)
A look into quantum computing and the future of computer security.
Validating Tools
The fourth step in Zatyko’s (2007) recommended digital crime investigation process was to
validate the tools. Due to the vast amounts of data digital devices may store and the complex
technical knowledge necessary to understand digital processes and programming, tools to
assist investigations have been developed to speed the process of analysis and ensure the
validity of evidence discovered.
Of the digital forensic tools available to investigators, some address only one aspect of an
investigation while some have wider-ranging capacities. The application and use of the tool
depends on (a) the type of act perpetrated and (b) the device used. Digital forensic tools are
classified into the following categories.
• Disk and data capture tools: These copy an image of the entire disk and all of the data on it to be analyzed.
• File viewer tools: These are designed to view a specific file or type of file.
• File analysis tools: These scan and report details about examined files.
• Registry analysis tools: These collect information about the running processes on a host.
• Internet analysis tools: These are designed to monitor traffic between computers and the Internet.
• E-mail analysis tools: These examine the content and transmission of e-mail.
• Mobile devices analysis tools: These analyze data on mobile devices (phones, tablets, etc.), who created the data, and to whom it may have been sent.
• Mac OS analysis tools: These analyze devices using Apple operating systems.
• Network forensic tools: These analyze network systems.
• Database forensic tools: These examine databases for evidence (InfoSec Institute, 2018b).
Many digital forensic tools can perform a variety of functions, which means one tool can fall under several of the above categories. For example, Digital Forensics
Framework is an open-source piece of software that is designed to be used by professionals or the forensic layman. It may be employed to access remote devices,
recover hidden or deleted files, and ensure the chain of custody. It can create reports as well, making it a disk and data capture tool and a file analysis tool, among
other categories. Computer Aided Investigative Environment is another open-source software package that was developed to use existing forensic tools in a
user-friendly manner, making it also a multipurpose tool.
X-Ways Forensics was created for digital investigators and is considered one of the more advanced tools currently available. Among other tasks, it can assist
analysts with disk imaging and cloning, automatic detection of deleted or lost hard disk partition, and various data recovery techniques. EnCase is another tool
with the ability to multitask, and it also produces a report once the analysis is completed (InfoSec Institute, 2018b).
Through multiple rounds of testing, it has been shown that these investigative tools accurately assess what they aim to assess. This testing is done through
replicating investigations using the tool in question and using a tool that is known to work and then comparing the results. Finding a tool to be valid means that
the tool is known to be accurate for the purposes of digital forensic investigation. It is important to use tools that have been validated, because this not only
ensures that the investigator gathers accurate data, but also that the data holds up in court against scrutiny. If a tool has not been validated, a judge or jury may
not trust that the results are accurate.
Utilizing the Scientific Method in Digital Forensic Investigations
As discussed in Chapter 1, the scientific method is the cornerstone of research practices in the natural, applied, and social sciences and has many applications in
forensic science. Forensic analysis depends on established and recognized scientific practices. However, criminal investigations are not scientific. They cannot be
standardized and repeated like experiments, since every investigation is unique. What follows is a discussion of the five steps associated with the scientific
method, with examples of how these might be mirrored in digital crime investigations. The first step of the scientific method is the question. This articulates what
the researcher or investigator wishes to learn. For a digital forensic analyst investigating accounting fraud uncovered through a routine examination of a public
computer terminal, the question would be who was involved. The second step is the hypothesis. A hypothesis is a conjecture based on information gathered during
the initial investigation that may explain the phenomenon under investigation.
In 2000 U.S. Air Force captain Marty Theer was murdered in North Carolina. The question was who killed him. Upon questioning neighbors of the Theers, police
discovered there was marital discord between the two. This information led to the hypothesis that Marty Theer’s wife, Michelle Theer, had a hand in his murder.
Police then obtained a warrant to search Michelle’s computer. Officers uncovered e-mails between her and U.S. Army staff sergeant John Diamond that revealed
evidence of a sexual relationship and documentation of conspiracy to commit murder. Both Diamond and Theer are now serving life sentences for Captain Theer’s
murder.
The third step is the prediction. This is the use of inductive or deductive reasoning to derive logical consequences based on the hypothesis. The BTK Killer eluded
police for over 30 years until his apprehension in 2005. The killer sent the Wichita, Kansas, Police Department a floppy disk with his writings on it. In a deleted file
on the disk, police uncovered the name Christ Lutheran Church and determined that the file was last modified by someone named Dennis. Police found that a man
named Dennis Rader was a deacon at the church. The (correct) prediction made by detectives was that Dennis Rader was the BTK Killer.
Testing is the fourth component of the scientific method. In a science experiment, at this point, researchers conduct experiments to determine if the hypothesis is
supported by the findings. In a criminal investigation, the testing stage is the collection of evidence to determine if the prediction is supported by the evidence. In
2009 James Cameron, an assistant attorney general in Maine, was indicted on 16 charges of trafficking in child pornography. Cameron, using five different aliases,
uploaded pornographic images of children onto a Yahoo! photo album. The investigation began when Yahoo! analysts uncovered these pornographic images and
informed the National Center for Missing and Exploited Children, which then contacted the Maine State Police. The Maine State Police’s Computer Crimes Unit
traced the owner of the account and found it was Barbara Cameron, James Cameron’s wife. Cameron had used her account to store and share images. When
Cameron’s computer was seized by police, evidence uncovered pornographic stills of children and the text of an Internet chat regarding sex with minors. The
process of evidence collection by the Maine State Police would be the forensic equivalent of testing.
The fifth step is analysis. This occurs when researchers view the results of their experiment and interpret what these mean. In a digital forensic investigation, the
investigator, who may be a law enforcement officer or one who works for a private firm, examines the evidence collected and comes to a determination of whether
a criminal act has occurred.
Consider an example of a man accused of using his office computer to arrange the sale and shipment of narcotics. One of his coworkers reports seeing an open
e-mail on the man’s computer in which he offered to meet and deliver drugs. Officers immediately begin an investigation. The man is pulled in for questioning. His
office computer is seized, and his e-mails are read. Over the course of the investigation, officers discover that this man and his mother are diabetic, and that in the
e-mail in question, he offered to give her some of his insulin pen needles until she could get her prescription refilled. In this case, through analyzing the evidence
discovered in the course of the investigation, officers determined no crime had been perpetrated.
In conclusion, while digital forensics itself may not be a scientific enterprise, the scientific method is routinely employed in the course of investigations. Criminal
investigations often bring in multiple different specialties from all across forensic science. Following the scientific method helps keep the process rigorous and
ensure that best practices are followed in all areas of an inquiry.
Think About It
Consider a crime of identity theft in which you have a suspect and have access to his or her digital devices. How would you, as a digital investigator, use the
scientific method to frame your investigation?
3.5 Digital Forensics as a Career
How does one become a digital forensic analyst or investigator? First you will need to pick a specialty, since it is possible for a person to have technical training
and knowledge in a few areas but not in every area. As discussed in Section 3.3, digital forensic specialties include computer forensics, audio forensics, cloud
forensics, database forensics, network forensics, video forensics, and mobile forensics, among others (Barmpatsalou et al., 2018). It is common for one digital
investigation to require the services of several specialists in uncovering evidence.
Each area requires specialized training and education. There are some colleges and universities that have degrees dedicated to digital forensics; however,
university-level instruction in this field is usually delivered through specific courses and concentrations, not degree programs. A degree in computer science is
also desirable for those wishing to enter the field. The education obtained in computer science programs can serve as a baseline of knowledge on which to build
expertise in digital forensics.
In technical fields especially, continuing education is essential for those who are considered experts. This can be demonstrated through a required number of
training hours per year or through maintaining certifications that test one’s knowledge and require annual training. For instance, the International Association of
Computer Investigative Specialists (n.d.) offers the Certified Forensic Computer Examiner (CFCE) certification. It is composed of two phases. The first phase is
peer review. It requires prospective candidates to complete four scenario exercises in a mentored process. After each of these exercises, applicants are required to
submit reports. During the second phase, certification, candidates complete an independent exercise and must successfully pass an examination. Those who hold
the CFCE must undergo recertification to maintain their credential.
Think About It
Are you interested in a career in digital forensics? Is there a specific specialty you are drawn to? How would you work toward this career goal?
The Global Information Assurance Certification (GIAC) organization offers a variety of certifications pertaining to digital security and digital investigations. Among
the certifications offered are the GIAC Security Essentials, with a focus on cyber defense; the GIAC Certified Forensic Examiner, which specializes in incident
response and forensic investigations; and the GIAC Penetration Tester, which certifies expertise in penetration testing. As with the International Association of
Computer Investigative Specialists, each certification requires testing and renewal.
As of mid-2018, the average salary for a forensic computer analyst was nearly $70,000 (PayScale, 2018). Salaries vary significantly by location. As careers
progress and analysts move into management positions, salaries increase significantly. The level of experience also influences salary levels. In a survey of forensic
analysts, it was found that 5 years of experience can boost salary levels by 53% (InfoSec Institute, 2018b). Keep all of this information in mind when considering a
digital forensic specialty for a career.
Conclusion
Digital forensics is an evolutionary progression in the practice of forensic investigations. As a discipline, it has made significant strides in the past 2 decades
obtaining professional status. Under the rubric of digital forensics are several subspecializations, each requiring additional training. Education and certifications
requiring practitioners to possess certain levels of knowledge have been developed to ensure competence in the field.
While the type of evidence sought in digital investigations differs from evidence uncovered in traditional forensic investigations, the approaches of each mirror
those of the other. Effective digital forensic investigations are dependent on employing the scientific method, an understanding of applicable laws, and ensuring
and protecting the chain of evidence. Investigators or analysts gain this knowledge from a combination of education, training, and experience.
Society has grown increasingly dependent on digitization of devices and electronic communications. As technological advances continue to be made, new means of
criminal modi operandi will be developed to exploit weaknesses in their security. For this reason, the need for qualified digital forensic analysts will continue to
grow.
Key Ideas
• Computer technology has grown exponentially, and digital devices are now used in all areas of life.
• Digital forensics encompasses the investigation of all manner of devices that require the manipulation of binary code to operate. Methods for digital forensic investigations have grown in complexity and continue to grow alongside the digital devices used for crime.
• Digital crimes encompass more than financial crime. Technology may be used for personal harm also.
• States and the federal government have been active in creating legislation to address digital crime.
• It is essential for digital forensic investigators to follow established protocols and use validated tools.
• Documenting the possession and protection of evidence through the chain of evidence is essential to a successful prosecution.
• Continuing education is essential for the digital investigator. Even so, it is not possible for a digital forensic investigator to have technical knowledge and training in all areas of investigations.
Critical-Thinking Questions
1. Consider you are an expert witness. How would you explain the hard drive, RAM, and the difference between the two to a jury of nonexperts?
2. How do you believe Moore’s law (that computer processing speed will double every 18 months) will influence the challenges faced by forensic investigators in the future?
3. What are the challenges faced by legislative bodies in creating laws that address digital crime?
4. People are often conned into revealing personal information through phishing or social media scams. What are some signs you would advise people to look for in determining whether an e-mail or a communication is real or a ploy?
Key Terms
binary code
A coding system expressed using series of zeros and ones.
CAN-SPAM Act
A law that prohibits sending significant amounts of unsolicited commercial e-mail.
cloud storage
A storage system that houses data across multiple servers and multiple locations.
Computer Fraud and Abuse Act of 1986
A law that prohibits conduct that abuses or damages computer systems.
cyberbullying
The use of electronic communication to bully a person, typically by sending messages of an intimidating or threatening nature.
cyberterrorism
The use of digital devices and systems to orchestrate a terrorist attack on a government or entity.
digital forensics
The investigation of all manner of devices that require the manipulation of binary code to operate.
digitally based
A crime in which an electronic device is used to commit the act; for example, identity theft.
digitally facilitated
A crime in which the digital device is the target of what are traditionally referred to as computer or cybercriminals.
encryption
A means of preventing others from understanding a digital message by changing regular text into symbols.
external hard drives
A form of removable data.
hacking
The use of a computer to gain unauthorized access to data in a system.
hard disk drive
A nonremovable data-storage device within a computer.
hardware
The parts of the computer visible to the user.
identity theft
The stealing of an individual’s personal information to impersonate him or her digitally.
Identity Theft Penalty Enhancement Act
Under this act, a defendant can be charged with knowingly using, without lawful authority, the identification of another person.
IP address
A string of numbers used to identify the computer, but not necessarily the user, used to access the Internet.
latent data
The information in computer storage not included in file allocation tables and not easily viewed through the operating system.
phishing
A cyberattack involving e-mails supposedly from reputable companies in order to con people into revealing personal information such as passwords.
RAM
An acronym for Random Access Memory. It is a quickly retrievable type of computer memory that temporarily stores the information your computer requires
immediately and for future use.
revenge porn
Photographic imagery, taken in the context of an intimate sexual relationship, that is released online without the knowledge of one of the participants.
software
The binary instructions for specific computer processes that are implemented through the hardware.
virtual assistants
Devices designed to simplify the management of one’s life through quick exchanges between the user and the device.
visible data
Data that is employed by the operating system and can be accessed by the user.
Web Resources
Become a Forensics Expert
https://www.cyberdegrees.org/jobs/computer-forensics
Cyber Degrees developed this web page as an overview of digital forensic careers. It provides a partial list of colleges/universities that offer digital forensics–related programs.
Computer Forensics
https://www.us-cert.gov/sites/default/files/publications/forensics.pdf
This website was created by US-CERT and serves as an overview of the computer forensic process. The section titled “Why Is Computer Forensics Important?”
does an excellent job of outlining how computer (digital) forensics is essential in the protection of information systems.
Computer Forensics Examiner Job Outlook & Salary Info
https://www.forensicscolleges.com/careers/computer-forensics-examiner
This website details the job outlook for computer (digital) forensic investigators. What prospective investigators in this field will find is that projected growth is
promising and salaries are well above average.
Digital Forensics—Davin Teo—TEDxHongKongSalon
https://youtu.be/Pf-JnQfAEew
This TED Talk on YouTube is the story of Davin Teo and how he found a career in digital forensics. While most jobs in digital forensics are not as dramatic as Teo’s
career has been, it serves as an interesting perspective on how people create a career path.
6 Trace and Materials Evidence
Learning Outcomes
After reading this chapter, you should be able to
• Briefly explain the probability of chance duplication and the chain of custody with trace evidence.
• Explain the structure of hair and how it is collected and analyzed.
• Describe natural and human-made fibers and how they are collected and analyzed.
• Discuss the structure of glass and its collection and analysis.
• Summarize paint structure and how it is collected and analyzed.
• Explain the importance of soil and its collection and analysis.
• Describe the limitations a trace analyst should observe when presenting the results of trace evidence analysis.
Introduction
While there can be many types of trace evidence, this chapter will cover some of the most common types, including hairs, fibers, glass, and soil. Trace evidence by
definition relates to something small. It encompasses evidence such as particles of glass from a broken window embedded in the sole of a suspect’s shoes, or
particles of glass in a victim’s wounds that must be compared to a broken windshield on an automobile suspected of being involved in a hit-and-run accident. It
also includes a few hairs from a victim found on a suspect’s jacket, or a few fibers from the suspect’s jacket found on the victim’s clothing. It is worth noting that
while the term trace does refer to a small quantity, the term means that the forensic lab is capable of analyzing small quantities of a substance. It doesn’t
necessarily mean that you always find the evidence in small quantities in casework.
While this type of evidence can be important to the solution of a crime, care must be taken in its use. Trace evidence is for the most part class evidence, also
known as circumstantial evidence. It can help point officers in the right direction in their investigations—for instance, by exonerating an innocent person—but it
is not on its own usually enough to close a case. Also, remember that because the materials being dealt with are small, extreme care must be taken to avoid loss or
contamination of the evidence.
Although forensic scientists strive to devise methods applicable to small quantities of this kind of evidence, evidence could be present in larger amounts. For this
reason, we also refer to this category as materials evidence. Many types of transferred evidence fall into this broad category. One of the features that justifies
placing it into the same category is that the methods used to analyze trace and materials evidence are similar. One principal technique is microscopy—the use of
microscopes. There are several types of microscopes used for different purposes in examining trace evidence. You are probably familiar with the “biological”
microscope, a compound microscope often used to look at biological specimens. These microscopes usually have one eyepiece. There are also stereoscopic
binocular microscopes, which have two eyepieces for “stereo” vision and provide views of specimens at various magnifications. A variant of the light microscope
called a polarized light microscope (or PLM) allows the same visualization as a regular light microscope but also the measurement of more sophisticated optical
and physical properties of specimens. Another type of microscope is the comparison microscope. This instrument uses two connected optical bridges and allows a
person to view two different specimens, side by side in the viewer, simultaneously. It is ideal for doing microscopic comparisons and can be used for hairs and
fibers as well. Finally, there are electron microscopes. They employ a beam of electrons rather than a beam of light and permit very high magnifications of
specimens. There are some limited uses for “scanning” electron microscopes in forensic work. For example, they may be used to confirm the identity of gunshot
residue particles. We will discuss comparison and electron microscopes in Chapter 9. Here, we’ll cover the concept of probability of duplication and the
importance of maintaining the chain of custody for these types of evidence.
6.1 Probability and the Chain of Custody
Trace evidence was briefly described in Chapter 1, defining the scope of criminalistics. It is often used in forensic analysis because of the Locard exchange
principle (see Chapter 1.4), and it can be used to tie a suspect to a victim or crime scene, a victim to a crime scene, or—in lucky cases—tie the suspect, victim, and
crime scene together simultaneously. In the same way, trace evidence can indicate disassociations. While this sounds simple in principle, most often this type of
evidence is circumstantial, defined only in terms of class rather than of individual characteristics. In other words, the evidence will relate to a group of similar
objects rather than an individual object at a scene or a specific suspect. This evidence will only indicate proof of a point at issue in a court case, rather than provide
conclusive proof. Oftentimes, interpretation of trace evidence comparisons comes down to the probability of chance duplication. What is the likelihood that two
people share hair characteristics? How many jackets were made of a particular cloth in a particular color? This information must be determined by forensic or
other scientists, in some manner, for presentation to a judge or jury. The trace analyst is generally unable to walk into court and say, “This is the jacket, to the
exclusion of all others.” However, the analyst can provide the circumstantial basis for the evidence that points to a suspect, while warning the trier of fact that
there could be others. A guilty verdict can be achieved if the buildup of this circumstantial evidence can lead the judge or jury to conclude beyond a reasonable
doubt that the evidence points to the suspect instead of another individual. Trace evidence can also be exclusionary. A trace analyst can use a comparison sample
taken from a known source to tell if the known was not the source of the evidence. This finding is important because it is definite. If a textile object is excluded as
the source of a fiber, this conclusion is absolute.
It is often difficult to determine how common or rare an item really is. Sometimes, the research has just not been done. In other cases, it cannot be done. For
example, if carpet fiber from a car trunk is taken as evidence, an analyst can find out how many carpets of that kind and color were installed in a certain make,
model, and year of car. What likely cannot be determined is the number of vehicles still in use and where they are located. If the crime occurred in Los Angeles, the
national number matters less than the greater Los Angeles number. Investigators can go to the department of motor vehicles and find out how many of these
vehicles are registered in the county, but their distribution among the population remains unknown, and it is difficult to know if the vehicle from which the fiber
came is registered in Los Angeles. So, while some frequencies may be given to the court, there is uncertainty in them. Often, several kinds of trace are present in a
case and can provide good circumstantial evidence. Therefore, trace evidence of several types can be used to assist in the association of a suspect with various
aspects of the crime scene, rather than depending on one item alone to convince a judge or jury that a suspect was at the scene. The logic is that it is unlikely for
several different varieties of trace evidence to match exemplars by chance, all at the same time and in the same case.
Think About It
Since trace evidence does not generally allow a scientist to reach an individualization conclusion, should we dismiss it in favor of evidence that will lead to
an undisputable conclusion about the inclusion or exclusion of a suspect? Why or why not?
As noted with other types of evidence, the chain of custody is crucial to the successful prosecution of a case. Additionally, the chain of custody allows the scientist
and everyone else who handled the evidence to demonstrate that there was most likely no contamination of the evidence or loss of important evidence and that
the evidence was not changed in some detrimental manner. How might this be done with trace evidence? This can be accomplished by maintaining the chain of
custody, which starts with proper collection, documentation, and preservation.
Collection
The location and collection of the evidence is important in any case. During the examination of large items, trace materials may be located and can be used as
evidence. Fibers or hairs on clothing or soil, glass or paint on the ground or elsewhere in a yard—these can help link the suspect to the victim or crime scene.
Some of this evidence can easily be picked up using tweezers, while some, such as paint on a wall, must be scraped, taking care to remove the sample all the way to
the wall surface. This type of evidence can also tie remote crime scenes or transport mechanisms to the victim or suspect. Conversely, if there is contamination of
the evidence in some manner, the evidence could lead to an erroneous conclusion by the analyst.
When locating and collecting trace evidence, the crime scene technician must be aware of the possibility of loss or contamination and take a few precautions. First,
he or she must wear proper garb when on the scene. This clothing—sort of like “space suit” garb—should be worn to prevent hairs or fibers from being left on the
evidence by the investigator. Also, the investigator should wear nonobstructive headgear so as not to shed hairs onto the evidence. Second, when processing
multiple items, victims, or suspects, the items of collected evidence should never share the same space and should not be handled by the investigator at the same
time in the same protective clothing. Any postincident contact that transfers hairs and fibers between the victim and suspect will render the evidence useless in
court. Lastly, if it appears there is trace evidence on some larger object, such as a bedspread, the entire object should be packaged as evidence. If large items are
collected, they should be handled gently and packaged in plastic, or if biological fluids are present, paper containers of appropriate size should be used. Individual
hairs and fibers that are collected can be stored in druggist folds or small coin envelopes, which will help prevent loss of this evidence. The druggist fold
containing the evidence is often packaged in a sealable secondary container, such as a ziplock bag.
Generally speaking, there are two approaches to the collection of trace evidence items. The first involves collecting in its entirety whatever object has the trace on
it. For instance, a crime scene technician would collect a bedspread that has hairs or fibers on it, a shoe that has soil on it, or a bicycle that has a paint smear on it
from being hit by a car. The second approach involves collecting the trace itself, and not the object on which it is deposited. It is always better to collect the intact
item, but sometimes it isn’t possible. What if a paint smear were on the side of a building? Proper documentation—notes, sketches, photography—precedes
collection and packaging, as discussed in Chapter 2.
Preservation
Packaging evidence was also discussed in Chapter 2; it helps preserve the evidence. It is always important to package evidence correctly so that the item is not
contaminated or compromised in any way and so that it cannot work its way out of the package. For example, a single hair placed in a paper envelope could fall
through the paper envelope seams at the end if it is not sealed with evidence tape. Investigators and crime scene technicians must also remember that trace
evidence alone does not have much value. The lab needs a comparison specimen—a specimen of the supposed source of the evidence. If the trace item is a hair,
the lab will need known hairs, such as from the victim or suspect. If the item is glass, the lab needs a specimen of the item from which the glass is thought to have
come, if possible.
Once an item of evidence arrives at the forensic science laboratory, it will be handled in
a manner that will also prevent loss and contamination. Some laboratories use clean
rooms, which are rooms set aside to handle trace evidence that are kept free of
possible contaminants, such as fibers and other materials, for processing. They may
use small vacuum cleaners fitted with filters to collect the evidence for packaging. Or
they may use tape to collect the evidence. In this method, called tape-lifting, a piece of
wide adhesive tape is placed on the surface of the item of evidence, and any hairs,
fibers, or other debris will stick to the tape. The tape will be repeatedly placed on the
item in a pattern to collect all possible trace evidence from the object. The tape can
then be folded over upon itself and effectively sealed against contamination. The tape
can be observed under a microscope, and any items that appear to be of probative
value (meaningful in the case at hand) can be collected from the tape lift. This is
accomplished by using a scalpel to slit the tape next to the item, removing that item
using forceps, mounting the item on a microscope slide, and pressing the tape closed
to reseal it with no contamination or loss of evidence.
Generally, hairs, fibers, glass fragments, soil, paint particles, and other nonbiological
trace items can be packaged in ziplock containers. These can be labeled and sealed
with evidence tape. They are also transparent, so you can see what is in them without
opening them. Often, the ziplock bag will be a secondary container. That is, the trace
itself will be first folded up in a paper container, which is then placed into the ziplock
bag. The whole concept is to contain the trace items or material, keep it together, not
allow it to move around or transfer to other surfaces or get out of its container, and
make it reasonably easy for the forensic analyst to open the container, sample the
material, and examine it.
imageBROKER/Superstock
Tape-lifting is one way to prevent losing very small pieces of evidence. What do you think might be some benefits and drawbacks to this method
compared to others?
Remember, trace evidence is by nature small and easily transferred. There are
examples in many court jurisdictions of defendants convicted of crimes only to find out
later that trace evidence had been mishandled and the verdict was wrong because of
contamination. Similarly, there have been cases where the evidence was lost during
collection or handling and could not be used during the case. Hairs and fibers have been seen in a number of cases in which contamination or loss was an issue.
Proper handling, packaging, and documentation will help establish that nothing has occurred that will compromise the evidence prior to analysis and prevent the
evidence from being used in the courtroom because of a technicality.
Probability of chance duplication and the chain of custody can impact the significance of trace evidence in a case and in court. Each of the major types of trace
evidence will be discussed with these concepts in mind. This will provide you with the proper methods to collect and preserve each type of trace evidence, as well
as analysis methods to help determine the probability of chance duplication of evidence. This can help either exclude the suspect, crime scene, and/or victim from
having contributed to the evidence or include them as possible contributors.
As with the other disciplines in forensic science today, the various areas of trace analysis are represented in the OSACs under the NIST, which have been previously
discussed. The Materials (Trace) subcommittee is under the Chemistry/Instrumental Analysis section of the OSACs (https://www.nist.gov/topics/forensic-science/osac-organizational-structure
(https://www.nist.gov/topics/organization-scientific-area-committees-forensic-science/osac-organizational-structure) ).
6.2 Hair
One of the most common types of trace evidence is hair. Hair is found on mammals and is an outgrowth of the epidermis (skin) composed of keratin and other
proteins. It appears as a long thin filament and can serve as a covering for the animal on which it is found. Most hairs can be easily differentiated from one
another; the microscopic structure of a human hair can be used to distinguish it from any other species’ hair. Since humans continually shed hairs through the day,
it is a type of evidence that…
