Handwriting Analysis; Computer and Mobile Device Analysis. FORENSIC SCIENCE: An Introduction by Richard Saferstein 1
SFS2 Students will use various scientific techniques to analyze physical and trace evidence. d. Identify methods used for the evaluation of handwriting and document evidence.
Introduction
Any object with handwriting or print whose source or authenticity is in doubt may be referred to as a questioned document. Document examiners apply knowledge gathered through years of training and experience to recognize and compare the individual characteristics of questioned and known authentic writings.
For this purpose, the gathering of documents of known authorship or origin is critical to the outcome of the examination. The uniqueness of handwriting makes this type of physical evidence one of the few definitive individual characteristics available.

Character of Handwriting
Document experts continually testify to the fact that no two individuals write exactly alike. Many factors comprise the total character of a person's writing. The early stages of learning handwriting are characterized by a conscious effort to copy standard letter forms.
As writing skills improve, nerve and motor responses associated with the act of writing become subconscious. The unconscious handwriting of two different individuals can never be identical.
Variations are expected in angularity, slope, speed, pressure, letter and word spacing, relative dimensions of letters, connections, pen movement, writing skill, and finger dexterity. Other factors to consider include the arrangement of the writing on the paper, such as margins, spacing, crowding, insertions, and alignment.
Spelling, punctuation, phraseology, and grammar can be personal and help to individualize the writer. Furthermore, the writing style of one individual may be altered beyond recognition by the influence of drugs or alcohol.

Handwriting Exemplars
The collection of an adequate number of known writings (exemplars) is most critical for determining the outcome of a handwriting comparison. Known writing should contain some of the words and combinations of letters present in the questioned document and be adequate in number to show the range of natural variations in a suspect's writing.
The writing implement and paper should also be alike. Taking the writing by dictation, and over several pages, may serve to minimize attempts at deception.
Typescript Comparisons
The two requests most often made of the examiner in connection with the examination of photocopier, fax, and printing devices are: (1) whether a particular suspect printing device can be identified as having prepared the questioned document, and (2) whether the make and model of the printing device used to prepare the questioned document can be identified.

Characteristics From Use
As is true for any mechanical device, use of a printing device will result in wear and damage to the machine's moving parts. These changes occur in a fashion that is both random and irregular, thereby imparting individual characteristics to the printing device.
The document examiner also has to deal with problems involving business and personal computers, which often produce typed copies that have only subtle defects.

Digital Technology
In the cases of photocopiers, fax machines, and computer printers, an examiner may be called upon to identify the make and model of a machine or to compare a questioned document with test samples from a suspect machine.
A side-by-side comparison is made between the questioned document and the printed exemplars to compare markings produced by the machine. Examiners compare transitory defect marks, fax machine headers, toner, toner application methods, and mechanical and printing characteristics.
Alterations
Document examiners must deal with evidence that has been changed in several ways, such as through alterations, erasures, and obliterations. Erasures by rubber erasers, sandpaper, razor blades, or knives to remove writing or typing disturb the fibers of the paper and are readily apparent when examined with a microscope.
If an alteration is made to a document with ink differing from the original, it can sometimes be detected due to differences in the luminescence properties of the inks. Obliteration of writing by overwriting or crossing out to hide the original writing can be revealed by infrared radiation, which may pass through the upper layer of writing while being absorbed by the underlying area.

Other Problems
Infrared photography and reflecting light at different angles are sometimes successfully used to reveal the contents of a document that has been accidentally or purposely charred in a fire. In certain situations, indented writings (partially visible depressions underneath the visible writing) have proven to be valuable evidence.
It may be possible to determine what was written by the impressions left on a paper pad. Applying an electrostatic charge to the surface of a polymer film placed in contact with a questioned document will visualize indented writings.
A study of the chemical composition of the ink used on documents may verify whether or not known and questioned documents were prepared by the same pen, and the paper itself may be analyzed.
COMPUTER FORENSICS

Introduction
Computers have permeated society and are used in countless ways with innumerable applications. Similarly, the role of electronic data in investigative work has achieved exponential growth in the last decade.
The use of computers and other electronic data storage devices leaves the footprints and data trails of their users. Computer forensics involves the preservation, acquisition, extraction, and interpretation of computer data.
In today's world of technology, many devices are capable of storing data and could thus be grouped into the field of computer forensics.
The Basics
Hardware vs. software: hardware comprises the physical and tangible components of the computer. Software, conversely, is a set of instructions compiled into a program that performs a particular task; it consists of those programs and applications that carry out a set of instructions on the hardware.

Terminology
Computer Case/Chassis: the physical box holding the fixed internal computer components in place.
Power Supply: the PC's power supply converts the power it gets from the wall outlet into a usable form for the computer and its components.
Motherboard: the main circuit board contained within a computer (or other electronic device) is referred to as the motherboard.
System Bus: contained on the motherboard, the system bus is a vast, complex network of wires that serves to carry data from one hardware device to another.

Figure 8-1 Cutaway diagram of a personal computer showing the tangible hardware components of a computer system.

Terminology
Read-Only Memory (ROM) chips store programs called firmware, which are used to start the boot process and configure a computer's components.
Random Access Memory (RAM) serves to take the burden off the computer's processor and Hard Disk Drive (HDD). The computer, aware that it may need certain data at a moment's notice, stores the data in RAM. RAM is referred to as volatile memory because it is not permanent; its contents undergo constant change and are forever lost once power is taken away from the computer.
The Central Processing Unit (CPU), also referred to as a processor, is essentially the brains of the computer.
Input Devices: devices used to get data into the computer, for example a keyboard, mouse, joystick, or scanner.
Output Devices: equipment through which data is obtained from the computer, for example a monitor, printer, or speakers.
The Hard Disk Drive (HDD) is typically the primary location of data storage within the computer. Different operating systems map out (partition) HDDs in different manners; examiners must be familiar with the file system that they are examining.
Evidence exists in many different locations and in numerous forms on a HDD. The type of evidence can be grouped under two major sub-headings: visible and latent data.
How Data is Stored
Generally speaking, a HDD needs to have its space defined before it is ready for use. Partitioning the HDD is the first step. When partitioned, HDDs are mapped (formatted) and have a defined layout.
HDDs are logically divided into sectors, clusters, tracks, and cylinders. Sectors are typically 512 bytes in size. A byte is 8 bits; a bit is a single 1 or 0.
Clusters are groups of sectors, and their size is defined by the operating system. Clusters are always in sector multiples of two; a cluster, therefore, will consist of 2, 4, 6, 8, and so forth sectors. With modern-day operating systems, the user can exercise some control over the number of sectors per cluster.
Tracks are concentric circles defined around the platter. Cylinders are groups of tracks that reside directly above and below each other.

Figure 8-3 Partitions of a hard disk drive.

After the partitioning and formatting processes are complete, the HDD will have a map of the layout of the defined space in that partition. FAT partitions utilize a File Allocation Table (FAT) to keep track of the location of files and folders (data) on the HDD; an NTFS partition (Windows 7, 8) utilizes, among other things, a Master File Table (MFT).
Each partition table (map) tracks data in different ways, and computer forensic examiners should be versed in the technical nuances of the HDDs that they examine. It is sufficient for our purposes here, however, merely to visualize the partition table as a map to where the data is located. This map uses the numbering of sectors, clusters, tracks, and cylinders to keep track of the data.
Processing the Electronic Crime Scene
Processing the electronic crime scene has a lot in common with processing a traditional crime scene: warrants, documentation, and good investigation techniques. At this point, a decision must be made as to whether a live acquisition of the data is necessary.

Shutdown vs. Pulling the Plug
Several factors influence the systematic-shutdown vs. pulling-the-plug decision. For example, if encryption is being used, pulling the plug will leave the data encrypted, rendering it unreadable without a password or key; therefore, pulling the plug would not be prudent. Similarly, if crucial evidentiary data exists in RAM and has not been saved to the HDD, it will be lost when power to the system is discontinued, so another option must be considered. Regardless, the equipment will most likely be seized.
Forensic Image Acquisition
Now that the items have been seized, the data needs to be obtained for analysis. The computer Hard Disk Drive will be used as an example, but the same "best practices" principles apply to other electronic devices as well.
Throughout the entire process, the computer forensic examiner must adopt the method that is least intrusive. The goal of obtaining data from a HDD is to do so without altering even one bit of data.
Because booting a HDD to its operating system changes many files and could potentially destroy evidentiary data, obtaining data is generally accomplished by removing the HDD from the system and placing it in a laboratory forensic computer so that a forensic image can be created. Occasionally, in cases of specialized or unique equipment or systems, the image of the HDD must be obtained utilizing the seized computer. Regardless, the examiner needs to be able to prove that the forensic image obtained includes every bit of data and resulted in no changes (writes) to the HDD.

Computer Fingerprint
To this end, a sort of fingerprint of the drive is taken before and after imaging. This fingerprint is accomplished through the use of a Message Digest 5 (MD5), Secure Hash Algorithm (SHA), or similar validated algorithm. Before imaging the drive, the algorithm is run and a 32-character alphanumeric string is produced based on the drive's contents. It is then run against the resulting forensic image, and if nothing changed, the same alphanumeric string will be produced, thus demonstrating that the image is all-inclusive of the original contents and that nothing was altered in the process.
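A worked version of the before-and-after fingerprint, added here as an example and not taken from the textbook: a constructed 16-sector byte buffer stands in for the seized drive, the imaging step is an in-memory copy, and MD5 is the default because it yields the 32-character string the slides describe (SHA-256 is selectable). The per-sector locating helper is my addition, useful when the two fingerprints disagree.

```python
import hashlib

SECTOR = 512  # bytes per sector, as on the slides


def build_sample_drive(sectors=16, seed=7):
    """Construct a small stand-in for a seized drive with deterministic, non-zero content."""
    out = bytearray()
    for i in range(sectors):
        out += bytes((i * seed + j) % 256 for j in range(SECTOR))
    return bytes(out)


def fingerprint(data, algorithm="md5"):
    """Hash the whole byte stream sector by sector; MD5 gives the 32-character hex string."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), SECTOR):
        h.update(data[offset:offset + SECTOR])
    return h.hexdigest()


def acquire_image(source):
    """Bit-for-bit copy. On a real drive a write blocker sits between examiner and evidence."""
    return bytes(source)


def verify_acquisition(source, algorithm="md5"):
    """Hash before imaging, image, hash again; a match shows nothing was altered or omitted."""
    before = fingerprint(source, algorithm)
    image = acquire_image(source)
    after = fingerprint(image, algorithm)
    return {"algorithm": algorithm, "before": before, "after": after,
            "match": before == after, "image": image}


def first_differing_sector(original, image):
    """When the fingerprints disagree, find the first sector whose hash differs (-1 if none)."""
    for offset in range(0, max(len(original), len(image)), SECTOR):
        a = hashlib.sha256(original[offset:offset + SECTOR]).digest()
        b = hashlib.sha256(image[offset:offset + SECTOR]).digest()
        if a != b:
            return offset // SECTOR
    return -1


def flip_one_bit(data, byte_index, bit=0):
    """Simulate a single-bit write to the evidence, the very thing acquisition must avoid."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)
```

Even a one-bit change anywhere on the drive produces a different fingerprint, which is why the matching before/after strings are accepted as proof that the image is complete and the original untouched.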
Visible Data
Visible data is the data of which the operating system is aware; consequently, this data is easily accessible to the user. From an evidentiary standpoint, it can encompass any type of user-created data, such as word processing documents, spreadsheets, accounting records, databases, and pictures.

Temporary Files and Swap Space
Temporary files, created by programs as a sort of "back-up on the fly," can also prove valuable as evidence. Finally, data in the swap space (utilized to conserve valuable RAM within the computer system) can yield evidentiary data. Latent data, on the other hand, is that data of which the operating system is unaware.

Figure 8-8 As a user switches between applications and performs multiple tasks, data is swapped back and forth between RAM and the computer's hard drive. This area on the hard drive is referred to as either swap space or a paging file.
Latent Data
Evidentiary latent data can exist in both RAM slack and file slack. RAM slack is the area from the end of the logical file to the end of the sector. File slack is the remaining area from the end of the final sector containing data to the end of the cluster.
Another area where latent data might be found is unallocated space: that space on a HDD that the operating system sees as empty and ready to store data.

Figure 8-11 A simplistic view of a hard drive platter demonstrating the concept of unallocated space.

The constant shuffling of data through deletion, defragmentation, swapping, and so on is one of the ways that data is orphaned in latent areas. Finally, when a user deletes files, the data typically remains behind. Deleted files are therefore another source of latent data to be examined during forensic analysis.
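The following simulation, added here as an example and not from the textbook, ties together the sector/cluster arithmetic from "How Data is Stored" and the slack, unallocated-space and deleted-file points above: slack_layout() computes RAM slack and file slack exactly as the slides define them, and TinyDisk is a constructed volume with an allocation table whose delete() only drops table entries, so a carving search of unallocated space still finds the "deleted" content. Sector size 512 and 8 sectors per cluster are the assumed geometry.

```python
import math

SECTOR = 512              # bytes per sector, as on the slides
SECTORS_PER_CLUSTER = 8   # assumed geometry: one 4,096-byte cluster


def slack_layout(file_size, sector=SECTOR, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Where a file of `file_size` bytes ends and how much slack follows it.

    RAM slack : end of the logical file to the end of its last sector.
    File slack: end of that sector to the end of the file's last cluster.
    """
    sectors_used = math.ceil(file_size / sector)
    clusters_used = math.ceil(sectors_used / sectors_per_cluster)
    cluster = sector * sectors_per_cluster
    return {
        "sectors_used": sectors_used,
        "clusters_used": clusters_used,
        "ram_slack": sectors_used * sector - file_size,
        "file_slack": clusters_used * cluster - sectors_used * sector,
    }


class TinyDisk:
    """A constructed, formatted volume: a byte array plus a table mapping clusters to files."""

    def __init__(self, clusters=8, sector=SECTOR, sectors_per_cluster=SECTORS_PER_CLUSTER):
        self.cluster_size = sector * sectors_per_cluster
        self.clusters = clusters
        self.data = bytearray(clusters * self.cluster_size)  # freshly formatted: all zeros
        self.table = {}  # cluster index -> file name; free clusters are simply absent

    def _free(self):
        return [c for c in range(self.clusters) if c not in self.table]

    def _span(self, c):
        return slice(c * self.cluster_size, (c + 1) * self.cluster_size)

    def write(self, name, payload):
        """Allocate whole clusters and copy the payload in; bytes past its end are untouched."""
        needed = max(1, math.ceil(len(payload) / self.cluster_size))
        free = self._free()[:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for i, c in enumerate(free):
            chunk = payload[i * self.cluster_size:(i + 1) * self.cluster_size]
            start = c * self.cluster_size
            self.data[start:start + len(chunk)] = chunk   # slack keeps whatever was there
            self.table[c] = name
        return free

    def delete(self, name):
        """Deleting only drops the table entries; no sector is wiped."""
        self.table = {c: n for c, n in self.table.items() if n != name}

    def read(self, name):
        """What the operating system shows: the file's allocated clusters, slack included."""
        owned = sorted(c for c, n in self.table.items() if n == name)
        return b"".join(bytes(self.data[self._span(c)]) for c in owned)

    def unallocated(self):
        """Latent area: every cluster the table regards as free, residue intact."""
        return b"".join(bytes(self.data[self._span(c)]) for c in self._free())

    def carve(self, needle):
        """Search unallocated space for a byte pattern, as a carving tool would; -1 if absent."""
        return self.unallocated().find(needle)


def demo():
    """Write a constructed note, delete it, then recover it from unallocated space."""
    disk = TinyDisk()
    note = b"draft memo 14: quarterly figures attached"   # constructed sample content
    disk.write("memo.txt", note)
    disk.delete("memo.txt")
    return {"visible_files": sorted(set(disk.table.values())),
            "carved_offset": disk.carve(note)}
```

Writing a short file into a cluster that previously held a larger, since-deleted file leaves the old bytes in the new file's slack; read() returns them because the operating system hands back whole clusters.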
Analysis of Internet Data
Places on a computer where a forensic computer examiner might look to determine what websites a computer user has recently visited include the Internet cache, cookies, and Internet history. The history file can be located and read with a forensic software package. Another way to learn which websites have been visited is by examining bookmarks and favorite places.

IP Addresses
IP addresses provide the means by which data can be routed to the appropriate location, and they also provide the means by which most Internet investigations are conducted. IP addresses take the form ###.###.###.###, in which, generally speaking, ### can be any number between 0 and 255.

Investigation of Internet Communications
An investigator tracking the origin of an e-mail seeks out the sender's IP address in the e-mail's header. Chat and instant messages are typically located in a computer's random-access memory (RAM).
Tracking the origin of unauthorized computer intrusions, or hacking, requires investigating a computer's log file, RAM, and network traffic. A firewall is a device designed to protect against intrusions into a computer network.

Figure 18–14 Two computers communicating by sending data to each other's IP address via the Internet. An IP address is assigned to each computer by its Internet service provider.
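An added example, not from the textbook, of the e-mail header search described above: each mail server prepends a Received: line as the message passes through it, so the bottom-most Received: line is the hop closest to the sender, and the address is checked against the ###.###.###.### form from the IP Addresses slide. The header is constructed; every host name and address in it is made up from documentation ranges.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample header; hosts and addresses are fictitious (RFC 5737 ranges).
RAW_HEADER = """\
Received: from mx2.example.org (mx2.example.org [203.0.113.9])
    by inbox.example.com with ESMTPS id ABC123; Tue, 3 Mar 2020 09:12:01 +0000
Received: from relay.example.net (relay.example.net [198.51.100.44])
    by mx2.example.org with ESMTP; Tue, 3 Mar 2020 09:11:58 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example.net with ESMTPSA; Tue, 3 Mar 2020 09:11:50 +0000
From: sender@example.net
To: recipient@example.com
Subject: invoice

body
"""

# Dotted quad in square brackets, the usual way a receiving server records the peer address.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def valid_ipv4(text):
    """True only if each of the four numbers is between 0 and 255."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def received_hops(raw):
    """Return the Received: lines top to bottom, each with the first valid peer address."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for line in msg.get_all("Received", []):
        ips = [ip for ip in IP_RE.findall(line) if valid_ipv4(ip)]
        hops.append({"header": " ".join(line.split()), "from_ip": ips[0] if ips else None})
    return hops


def origin_ip(raw):
    """Walk the hops bottom-up; the last server to add a line is the one nearest the sender."""
    for hop in reversed(received_hops(raw)):
        if hop["from_ip"]:
            return hop["from_ip"]
    return None
```

Only the Received: lines added by servers the investigator trusts are reliable; lines below them were written by systems under the sender's control and may be fabricated, so the result is corroborated with the receiving provider's own logs.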
Mobile Forensics
Mobile devices offer many of the same services offered by desktop or laptop computers and other devices, and they can provide a vast amount of useful evidentiary data in an investigation.
Leaving a mobile device running but placing it in something that will block its communication is the preferred method for preserving data on a mobile device. Complications arise in extracting and evaluating data from mobile devices because of the variety of ways that different devices store and manage data.

MOBILE DEVICES

Types of Mobile Devices
Digital (2G) cellular networks moved phones into the small, handheld form and, because they were digital, the new networks opened the door for practical data communications and the beginning of what was referred to as "feature phones."
A cellular system is a network of relatively short-distance transceivers that are spaced strategically so that low-power transmitters can reach the phones in their coverage areas and the very low-power transmitters in the cell phones can reach the cell towers.
The architectural functionality that distinguishes 2G from 3G is that 2G systems were circuit switched and 3G systems are packet switched. The advent of packet-switched mobile phone networks allowed virtually any kind of data to be accessed by a mobile device, and the smartphone was born.
Native IP (4G) networks differ technologically from 3G networks in that they can access the Internet directly, increasing speed and bandwidth dramatically.

Mobile Phone Operating Systems
The most popular operating systems for mobile devices, including smartphones and tablets, are Apple iOS, Google Android, and Microsoft Windows Phone.
3G and 4G phones are close in architecture and design to a PC or Mac. These phones behave the same way (especially 4G devices) and have the ability to download and install applications (apps) the same as any PC or Mac.

Variability of Mobile Devices
One interesting aspect of mobile device forensics is geolocation. The GPS in a mobile device can locate the user's activities and, when used with a timeline, can place the user in the vicinity of a crime. This can make it much easier to track the user's movements.
Each mobile device has its own quirks: each device needs special connectors and special device drivers on the tool used to examine it in order to decipher what is stored on the device.
Storage in a modern smartphone or tablet is accomplished by onboard nonvolatile memory and mini-SD cards.

Extracting Data from Mobile Devices
All mobile devices should be kept in a Faraday bag or box. Storing the device in this manner prevents changes from being made remotely to the device.
Physical forensic images are bit-by-bit copies of the file system, including deleted data. Logical extraction is a snapshot of the file system showing what the file system wants the user to see. The examiner should decide, based on what can be done with the particular device, whether to obtain a physical or logical extraction or both. Examiners make it a practice to run the forensic image twice, taking one of the images and treating it as evidence.
Mobile device forensic analysis can provide an overlay to physical evidence and timelines, as well as computer forensic timelines, to give a clearer picture of the events preceding and following a crime event.

Mobile Phone Architecture
SD (Secure Digital) cards are storage expansion cards used by many mobile devices. The SD card adds memory for storing things such as photos and music. SD cards are nonvolatile.
SIM (Subscriber Identification Module) cards carry an international mobile subscriber identity (IMSI) number that associates the phone with the subscriber's mobile network. Each SIM also has an integrated circuit card identifier (ICCID). The ICCID contains the issuer identification number (IIN), the individual account identification, and a check digit.
In addition to memory, the typical mobile device contains a digital signal processor, a microprocessor, a radio frequency transmitter/receiver, audio components, and a power supply. The power supply provides the power to run the device and delivers the ability to charge the battery.
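An added example, not from the textbook, that splits an ICCID into the three parts named above and validates its check digit (ICCIDs use the Luhn check digit). The ICCID and IMSI values are constructed; the split after a 7-digit IIN and the 18-to-20-digit length bound are assumptions, since real issuer identifiers vary in length.

```python
def luhn_valid(digits):
    """True if the digit string passes the Luhn check used for the ICCID check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """The single digit that makes payload + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise ValueError("unreachable: some digit always satisfies Luhn")


def parse_iccid(iccid, iin_length=7):
    """Split an ICCID into IIN, individual account identification and check digit.

    iin_length=7 is an assumption for this example; issuers use IINs of varying length.
    """
    s = iccid.replace(" ", "")
    if not s.isdigit() or not 18 <= len(s) <= 20:   # loose bound, not a standard's value
        raise ValueError("ICCID must be 18 to 20 digits")
    if not s.startswith("89"):
        raise ValueError("major industry identifier 89 (telecommunications) expected")
    return {
        "iin": s[:iin_length],
        "account": s[iin_length:-1],
        "check_digit": s[-1],
        "luhn_ok": luhn_valid(s),
    }


def parse_imsi(imsi):
    """Split a 15-digit IMSI into the 3-digit mobile country code and the remainder.

    The mobile network code that follows is 2 or 3 digits depending on the country,
    so separating it from the subscriber number needs an operator table (not included).
    """
    s = imsi.replace(" ", "")
    if not s.isdigit() or len(s) != 15:
        raise ValueError("IMSI must be 15 digits")
    return {"mcc": s[:3], "mnc_and_msin": s[3:]}


# Constructed sample values for illustration only.
SAMPLE_ICCID = "8901410123456789010"
SAMPLE_IMSI = "310150123456789"
```

A transposed or mistyped digit in a reported ICCID fails the Luhn check, so running it first avoids chasing a subscriber record that cannot exist.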
Assessing the Impact of Digital Evidence on an Investigation
Temporal chains show events in the order in which they occurred. Causal chains of evidence describe the events of a crime in terms of cause and effect: the links in the chain are the pieces of evidence, and they are tied together based on how one link affects one or more other links.
Hybrid crime assessment is a technique that investigators can use when faced with a physical crime, such as murder, rape, or robbery, which has a digital element to it (a computer, smartphone, or some other mobile device). The object of hybrid crime assessment is to tie all of these elements together. The amount of information that we can get from a mobile device varies greatly, depending on the specific device.