Crime Scene Investigator Network

Crime Scene Investigator Network Newsletter

APRIL 2019

Challenges in Modern
Digital Investigative Analysis

Ovie Carroll

In the last 15 years, significant challenges have arisen in the field formerly known as "computer forensics." Among these challenges are the dramatic increase in the volume of digital evidence, the rise in use of effective encryption, the creation of new technologies that cause digital evidence to become increasingly evanescent (i.e., ephemeral), and an increased expectation among jurists that prosecutors not only prove that evidence was on the defendant's computer, but attribute the evidence to the defendant. This article discusses some of these challenges and identifies techniques that prosecutors, agents, and analysts can consider in order to respond to them effectively.

Introduction
The Cybercrime Lab is a group of highly trained digital investigative analysts located in the Computer Crime and Intellectual Property Section of the Criminal Division in Washington, DC. The Cybercrime Lab provides support to prosecutors through advanced digital investigative analysis, technical and investigative consultations, and research and training to support Department of Justice initiatives. Digital Investigative Analysis (DIA) is the evolution of what was previously referred to as "computer forensics." It is important for prosecutors to appreciate the three aspects of the profession that caused this evolution:

Digital. Digital Investigative Analysts (analysts) no longer limit their analysis to standard computer systems. Today, analysts examine everything "digital," including desktop computers, laptops, mobile devices (cell phones and tablets), GPS navigation devices, vehicle computer systems, Internet of Things (IoT) devices, and much more. We are still in the infancy of the digital age, but developers of many products--from shoes and sports bras to lightbulbs and doorbells--are already incorporating technology into their products to collect, store, and transmit information about the user that they can analyze and hopefully monetize.

Investigative. While technology progresses at lightning speed, the legal system and those who uphold our laws are just beginning to appreciate the need for analysts to conduct deeper "investigative" analysis on digital devices to obtain a better understanding of the issues being investigated. Each year we generate or replicate eight zettabytes of information. That is equivalent to a stack of paper 1.6 trillion miles high. To manage the high volume of data that needs to be analyzed, some organizations have applied a raw data extraction process to digital evidence. This non-analytical approach blindly identifies types of files (e.g., pictures, documents, spreadsheets, etc.) in the storage media, without any further analysis to determine whether the user opened the file or even knew the file was there. Raw data extraction allows an organization to quickly process a large volume of data and may be an excellent first step in the simplest cases.

Raw data extraction, however, does little to satisfy many of the offense elements necessary to establish guilt. In contrast, DIA requires analysts to investigate or even "interrogate" digital devices. Analysts ask questions in the form of keyword searches and review digital artifacts to form additional questions or logical investigative leads based on the answers received. Even when the response to a question is silence (a lack of recorded information), an analyst may ask why there is no response or recorded information. Was counter-forensics conducted? Is there something unique about the digital device being investigated that prevents the technique or tool from reading or displaying the information?

Analysis. Lastly, an analyst must "analyze" the response to each question and determine its relevance to other digital artifacts, as well as how it relates to information available from the non-digital investigation. An excellent example of this appears in "The Physical Computer and the Fourth Amendment" by acting Principal Deputy Chief of CCIPS, Josh Goldfoot, who explained that, in isolation, the fact that a suspect downloaded tide tables for a particular beach in Oregon at 5 a.m. might mean nothing. Josh Goldfoot, The Physical Computer and the Fourth Amendment, 16 BERKELEY J. CRIM. L. 112 (2011). When combined with the fact that a young woman's body was discovered in the surf on that beach an hour and a half later, however, the significance of the tide tables became apparent. Id.

Incident Response and Encryption
For years, law enforcement has debated the value of imaging Random Access Memory (RAM) when they encounter a powered-on computer with an active user account logged in. RAM is the place in a computing device where the operating system, applications, and data in use are kept so they can be quickly reached by the device's processor. RAM is much faster than other kinds of storage. Data remains in RAM as long as the computer is running. When the computer is turned off, the information in RAM rapidly dissipates and is lost. In 2016, the majority of law enforcement still elected to pull the power plug from the computer rather than image RAM.

< read the entire article >

Related articles
This Month's Featured Resource on the Crime Scene Investigator Network Website

Best Practices For Seizing Electronic Evidence, v.3
A Pocket Guide for First Responders

U.S. Department of Homeland Security
United States Secret Service

This third edition of the Best Practices for Seizing Electronic Evidence was updated as a project of the United States Secret Service and participating law enforcement agencies. A working group of various law enforcement agencies was convened to identify common issues encountered in today's electronic crime scenes.
<View the Pocket Guide>

New CSI and Forensic Job Announcements

The most comprehensive listing of Crime Scene Investigation and Forensic
employment opportunities on the internet! We typically have over 100 current listings!

To be notified of job openings as they are posted, follow us on Twitter: Job Posting Alerts
or sign up for daily email alerts: Daily Job Posting Alert Emails

Forensic Technician II
Richmond Police Department, Richmond, Virginia, USA

Final Filing Date: May 5, 2019
The purpose of the class is to recover physical evidence from crime scenes. The class is responsible for identifying, classifying and processing fingerprints and other crime evidence.
<View complete job listing>
Forensic Identification Specialist II
Los Angeles County Sheriff's Department, Los Angeles, California, USA

Final Filing Date: The filing period may be suspended at any time without prior notice. This examination may reopen as the needs of the service require.
Under general supervision, performs field or laboratory analysis for processing and comparing fingerprints, and processing complex crime scenes.
<View complete job listing>
Forensic Laboratory Technician I/II
Kern County District Attorney, Bakersfield, California, USA

Final Filing Date: April 21, 2019
Under supervision, assists in the processing and examination of evidence; performs routine chemical or biological examinations; operates laboratory equipment as directed.
<View complete job listing>


Forensic Specialist IV, Digital Evidence
Kansas City Police Department, Kansas City, Missouri, USA

Final Filing Date: May 30, 2019
To examine, identify, and analyze various types of evidence and produce written reports of findings. To testify as an expert witness in court.
<View complete job listing>
Forensic Latent Examiner
Raleigh/Wake City-County Bureau of Identification, Raleigh, North Carolina, USA

Final Filing Date: May 10, 2019
The Forensic Latent Examiner links crime scene evidence to suspects by individualizing friction ridge impressions and other impressions recovered from crime scenes.
<View complete job listing>
Property and Evidence Supervisor
Casper Police Department, Casper, Wyoming, USA

Final Filing Date: March 31, 2019
Responsible for coordinating a broad range of activities and operations related to the Property and Evidence Unit within the Support Services Division, including supervising assigned staff. Responsibilities may include assigning tasks to staff and monitoring efforts; ensuring compliance with laws and policies; handling all aspects of intake, storing, releasing and disposing of evidence and property; and preparing and monitoring a budget.
<View complete job listing>

Search for more job listings in Crime Scene Investigations and Forensics
<Crime Scene Investigator Network Employment Listings>

To be notified of job openings as they are posted, follow us on Twitter: Job Posting Alerts
or sign up for daily email alerts: Daily Job Posting Alert Emails

Other Resources on the Crime Scene Investigator Network Website
Not Subscribed to this Newsletter?

If you are not subscribed to this newsletter, you may subscribe with this link: SUBSCRIBE via email
or on our website by clicking here: SUBSCRIBE on our website.

To Unsubscribe

To unsubscribe from future e-mail newsletters, please click here: UNSUBSCRIBE
or email newsletter@crime-scene-investigator.net with your request to unsubscribe.



Copyright ©2019 Crime Scene Resources, Inc.

Crime Scene Investigator Network
PO Box 1043
Wildomar, CA 92595-1043