Document Analysis and Computer Forensics SFS2. Students will use various scientific techniques to analyze physical and trace evidence. d. Identify methods used for the evaluation of handwriting and document evidence.

ESSENTIAL QUESTIONS How can you individualize handwriting? What steps must be taken to recover good exemplars? How can you distinguish the types of forgery? What techniques can be used to examine a questioned document?

FYI: We will not be using graphology to interpret handwriting samples, as this is not a psychology course. We are only interested in the ability to distinguish origin and veracity of a questioned document.

What do document examiners do? Compare exemplars to questioned documents by Revealing text from indented impressions Detecting alterations, obliterations, erasures, and page substitutions Determining individual dye components Examining typewritten and machine-printed documents Examining seals and stamps Examining handwriting

Basic Information on Handwriting Penmanship is the technique of writing with the hand using a writing instrument. The various styles of writing are called hands (e.g. “print” and “cursive”). Handwriting is an individual personal style of penmanship. This does NOT develop until your brain and muscles have “learned” how to form the letters.

What do handwriting examiners look at? Document experts will testify to the fact that no two individuals write exactly alike. Each examiner must be skilled at looking at challenges that occur, for instance someone trying to sign a check with a broken finger. Focus of examination is on the characteristics of authenticity.

12 Characteristics of Authenticity Line quality Generally handwriting is smooth and free flowing when written at “regular” speed. Spacing of words and letters Ratio of relative height, width, and size of letters This is difficult to simulate accurately and consistently. Pen lifts and separations Forgeries typically indicate inconsistency in this area. Connecting strokes Beginning and ending strokes

12 Characteristics of Authenticity Unusual letter formation This is difficult to forge, as it is a learned habit. Shading or pen pressure Because this results, in part, from the weight of the arm and hand, this is difficult to forge. Slant Even disguising your own writing usually doesn’t change this. Baseline habits Flourishes or embellishments Placement of diacritics How are the “i”s dotted and “t”s crossed?

Collection of Handwriting Exemplars There must be an adequate amount of exemplars for a true comparison to be made, and there must be accountability for the natural variations that occur (greeting cards, diaries, planners) There is a 7-step method to ensuring a good exemplar from a suspect.

7 Step Method to a Good Exemplar The writer should be allowed to write sitting comfortably at a desk or table without distraction. The suspect should not under any conditions be shown the questioned document or be provided with instructions on how to spell certain words or what punctuation to use. The suspect should be furnished a pen and paper similar to those used in the questioned document. The dictated text should be the same as the contents of the questioned document, or at least should contain many of the same words, phrases, and letter combinations found in the document.

7 Step Method to a Good Exemplar Dictation of the text should take place at least three times. Signature exemplars can best be obtained when the suspect is required to combine other writings with a signature. Before requested exemplars are taken from the suspect, a document examiner should be consulted and shown the questioned document. Let's try one!

Methods of Forgery Forgery is the process of making, adapting, or imitating objects, statistics, or documents with the intent to deceive. When it applies to currency, is it called counterfeiting. Fraud is an intentional deception made for personal gain or to damage another individual. Forgery is one of the techniques of fraud and is a felony in all states The most commonly forged documents are signed checks.

Methods of Forgery Three types of forgery: Blind forgery Forger uses his/her own handwriting Simulated forgery Forger carefully simulates other’s handwriting Traced forgery Forger traces a genuine signature onto document

Examples of Forgery

Identifying a Forgery Excluding the handwriting differences, an document examiner will also look at inconsistencies with Paper type Ink (chromatographical analysis)

Georgia Law Forgery in 1st degree Forgery in 2nd degree Manufactures and distributes forgery (excluding checks) Forgery in 2nd degree Manufactures forgery (excluding checks) Forgery in 3rd degree Manufactures and/or distributes a check for $1500+ OR possesses 10+ forged checks Forgery in 4th degree Manufactures and/or distributes a check for <$1500 OR possesses <10 forged checks 1st – 3rd degrees are felony convictions and imprisonment (1-15 yrs) 4th degree is misdemeanor for 1st/2nd conviction; 3rd conv is felony

Georgia Law 1st – 3rd degrees are felony convictions and imprisonment (1-15 yrs) 4th degree is misdemeanor for 1st/2nd conviction; 3rd+ conviction is felony

Typescript Comparisons Typed-written documents must be checked under a microscope for typing and dot formation. Different Types: Typewriter Printer As the type of printer becomes more technical the harder it is to distinguish. Hopefully there will be a repeating mistake, like inkblots or offline setting, that will make it easier to find.

Characteristics From Use As is true for any mechanical device, use of a printing device will result in wear and damage to the machine’s moving parts. These changes will occur in a fashion that is both random and irregular, thereby imparting individual characteristics to the printing device. The document examiner has to deal with problems involving business and personal computers, which often produce typed copies that have only subtle defects. Another area of investigation relates to the typewriter ribbon, which may contain type impressions.

Digital Technology In the cases of photocopiers, fax machines, and computer printers an examiner may be called on to identify the make and model of a machine or to compare a questioned document with test samples from a suspect machine. A side by side comparison is made between the questioned document and the printed exemplars to compare markings produced by the machine. Examiners compare transitory defect marks, fax machine headers, toner, toner application methods, and mechanical and printing characteristics.

Changes in Documents Document examiners must deal with evidence that has been changed in several ways, such as through alterations, erasures, and obliterations.

Changes in Documents Erasures remove writing or typing from a document by using rubber erasers, sandpaper, razor blade or knife, or chemicals The fibers of the paper are easily disturbed (torn, wrinkled) and the changes are readily apparent when examined with a microscope Using oblique lighting can often detect shadows from the indentations IR or UV lighting can detect thinner paper A mixture of baking soda and toner powder visualize surface abrasion

Changes in Documents Obliteration is the overwriting, covering, or crossing out to hide the original writing. It can be revealed by IR light, which may pass through the upper layer of writing while being absorbed by the underlying area.

Changes in Documents An alteration is made to a document when writing or typing is changed but the original remains visible When ink differing from the original is used, it can sometimes be detected due to differences in the IR reflectance or luminescence properties of the inks.

Other Document Problems Indented writings are impressions left on papers positioned under a piece of paper that has been written on. Usually can be seen using oblique lighting. Often effective, but oblique lighting techniques are unable to recover microscopic indentations- those which occur three or four sheets down.

Other Document Problems Electrostatic Detection Apparatus (ESDA) can be used to prevent destruction of the original document. Writing can be revealed from three or more pages beneath the original – very sensitive. A suspect page is covered with a cellophane material and vacuum sealed. The document and cellophane are then subjected to a high voltage static charge by waving a wand over the surface. Black toner, similar to that used in photocopiers and laser printers is then cascaded over the cellophane.

What is computer forensics? The systematic identification, preservation, extraction, documentation, and analysis of electronic data that could potentially be used in court. Extensive knowledge of computer hardware and software is required

Types of Cyber Crime Hacking Cyberterrorism DDoS Attacks Intentionally entering an unauthorized computer or network system Cyberterrorism Hacking into a company's internal networking system for the purpose of demonmstrating or protesting a political agenda DDoS Attacks Used to make an online service unavailable and take the network down by overwhielming the site with traffic from a variety of sources

Types of Cyber Crime Botnets Identity Theft Exploit Kits Networks from compromised computers that are controlled externally by remote hackers Identity Theft Gaining access to a user's personal information for fraudulent means Exploit Kits Readymade purchasable software designed to exploit system vulnerabilities

Types of Cyber Crime Cyberstalking Social Engineering PUPs Involves online harassment where the user is subjected to numerous online messages and emails Social Engineering Using deception to manipulate someone into divulging confidential or personal information that could be used fraudulently PUPs Designed to install unnecessary software in your system for information gathering or other fraudulent behavior (spyware, ransomware)

Types of Cyber Crime Phishing Prohibited/Illegal Content Online Scams Sending malicious email attachments or URLs to gain access to user accounts or systems Prohibited/Illegal Content Sharing and/or distributing inappropriate content Online Scams Usually ads or spam emails that promise unrealistic rewards but compromise user information instead

Investigating Cyber Crimes The most common type of cyber crime is unauthorized access and use of information Identify any hardware Determine how/whether the computer should be turned off/on Image the drive Document the findings Present the evidence in court

Categories of Computer Evidence Substantive evidence Introduced for what it helps to prove itself Illustrative evidence Illustrates testimony but does not by itself prove anything Computer-stored evidence Includes documents and other records that were created by a person and that happen to be sotred in electronic form Computer-generated evidence Direct output of computer programs

Categories of Computer Evidence Substantive evidence stored on a computer Checkbook software, e-mails, image files Substantive evidence generated by a computer Login record of ISP, ATM receipts Illustrative evidence generated by a computer Computer animation used to describe testimony

Georgia Law Georgia designates 5 types of cyber crimes: Computer Theft Computer Trespass Computer Invasion of Privacy Computer Forgery Computer Password Disclosure Criminal penalties for 1-4 include up to $50k in fines and/or up to 15 yrs in prison Criminal penalties for 5 may be fined up to $5k and/or up to 1 yr in prison