Digital trace Jozef Meteňko Martin Meteňko Jan Hejda

Digital trace Jozef Meteňko, Martin Meteňko, Jan Hejda 1

Key words • Digital trace • • • evidence, data, trace, digital trace, types of digital trace, parameters of digital traces 2

Introduction Development of human society • is significantly characterized by the development of new technologies. Automated data and information processing penetrates into all spheres of social life An integration of telecommunication and information system (ICT[1]) • enables the speeding and improves the reliability • of information processing, storage and transmission. • opening a wide spectrum of possibilities in positive or negative directions. 3

Problems • non-existence of relevant regulations within Criminal Code, • problems in the use of forensic procedures: the mentioned “non-existence of criminalistic methods” was connected, in particular, to theoretical and practical defect – failing to elaborate the knowledge of digital trace existence. 4

Problems • a notion of digital record has been used in English speaking countries, … digital evidence / digital trace, • conception of digital trace as an independent type of field trace has not been elaborated so far. Provided we do accept the classification of all criminalistic traces into: • material, field and memory ones, then in connection to digital traces we may speak about a group of field traces along with traces related to electric charge or various radiation forms. 5

Problems Besides • primary content, which is featured via peripheries (text, photography, sound, video etc. ), • data files often include also so called metadata … - which define important information about a file, characterizing it – making it individual among other objects. • metadata define e. g. when a picture was shot, under which luminous conditions, setting and type of digital camera, or even a camera owner is known etc. 6

Characteristics of digital trace Each technological equipment that gains, elaborates, hands over or stores data, leaves records – from criminalistic trace viewpoint these are reflections of its activity. – Such records are from criminalistic viewpoint traces. These activities and caused changes are reflected in material environment, having a direction inside technology and outside the given technology[1] environment. 7

Characteristics of digital trace – In the sense of communication and information crime the problem of equipment dealing with data is much wider than a pure PC work. – Some renowned Slovak or Czech authors make use of notion computer crime = cyber crime, which is applied more intuitively rather than clearly defined. – The notion of computer (cyber) trace arose in the same period as the notion cyber crime, – the notion “cyber” (crime) is not enough today, as other electronic equipments leave traces as well. Those traces have the same features, general or individual features as computer (cyber) trace. . 8

Characteristics of digital trace Foreign literature offers quite similar definitions ordinary notion digital evidence – in a meaning of digital trace (digital evidence)[1]. – In English – in relation to forensic practice – “evidence” takes the priority. Word “trace” that would be related to modern technologies does not exist in English literature. – The reason is simple and pragmatic – English theory and practice are strongly oriented to results of criminal procedure, i. e. trace must be acceptable by court. That’s why perception and use of notions in English make trace and evidence[1] identical. 9

Digital trace is any information having communicative value, stored or transmitted in digital shap It was drafted already in 1999 by a (working group SWGDE) – Scientific Working Group on Digital Evidence. 10

Digital trace is any information having communicative value, stored or transmitted in digital shap This definition is open to any digital technology. It covers a filed of computers, computer communication as well as a field of digital transmissions (mobile phones, but for future also digital TV etc. ), video, audio, digital photos, camera systems (CCTV)data, electronic security systems data and any other potential technologies connected to Hi-tech crime. 11

Digital trace is any information having communicative value, stored or transmitted in digital shap A digital trace as definiton must be usable for: crime control, criminalistics, general forensic investigation held by state bodies (civil litigation, trade laws etc. ), the needs of commercial base - needs of independent internal or external audits etc. 12

Other definitions In respect to definition of digital traces, other processes and entities are defined • digital traces seizing • data objects • physical objects • digital trace originals • duplicate of digital trace • copy of digital trace 13

Digital traces seizing • is a process, • which starts in time when information of equipment is found out or found as stored in order to seize and examine them. Seizing must be relevant to the knowledge of criminalistics and other sciences legal in relation to evidence matters in a given legal system (state or other legally delimited territory). Physical and data objects become evidence provided they are acceptable by law enforcement agencies. 14

Data objects are non-material objects or information • having trustworthy communicative value, • while being associated with touchable elements of material substance – as carrier/medium. Data object may be of different formats / but they can never change the original information. Data objects are e. g. represented by databases, address lists, files, content of virtual memories, digital video or audio records and many others. 15

Physical objects (touchable, directly registered by human senses) are elements – more frequently media where data objects are stored and via which these are transmitted. • hard discs, various memory media (floppies, CD and DVD, memory cards, data tapes etc. ) physical objects • particularly info: serial numbers, dactyloscopic, mechanic or biological traces and others proving • logical link between a physical equipment (owner, user, time…) and its user/offender 16

Original of digital trace • is a physical or data object seized for the need of expert or forensic examination. Originals are the basic evidence. • For working purposes, users (offenders) or investigators make their duplicates or copies of digital traces. • This process is clear and no information change occurs. Only for digital traces in criminalistics are duplicated objects identical to original. • Moreover the process is reversible, repeatable with the same results provided basic conditions are met. • gained or made material has the same information value as the original and is available to users and independent experts physical objects 17

Duplicate • Duplicate is comfortable, secure and fully-fledged to work with. • They are made mostly for the needs of repeated examination. • It is vitally necessary towards independent experts in those cases when a physical object itself (company PC) cannot be seized for the needs of law enforcement agencies due to various reasons. • PC practice makes standard use of disc “image” • Image is a spitting duplicate of its content, like a mirror of the original content stored in digital shape. 18

Copy of digital trace • is an exact reproduction of information from original physical object onto others, physically independent data medium. • When making a copy we create data objects with the same information but using a physical object, which can be of a different type. • It is not inevitable to reproduce all data objects of the original physical object, but just some of them. In this respect, not all functional and logical links with other data objects have to be kept. • We make copies if the investigation purpose is present, e. g. due to size. Copies contain only a part of data objects of the original physical object. Information value of every copied object does not change from its original though. 19

Digital traces and their specific features • Digital traces, have their general and individual typological features and characteristics which, from the aspect of the: • for law enforcement bodies, have typically positive or negative consequences. • Then we need to bear these aspects in mind all the time and in all stages of our work with the digital traces. 20

Digital traces and their specific features Digital traces are formed by human action – user / offender – • on the application or system software, functionality of the digital equipment or • automatic effect of one device on the other. Therefore, • digital traces reflect the specific high-tech features to an unusually high extent and the rich colour of the human mind of their users. 21

Digital traces and their specific features • • • Substance of digital traces as traces of a field, Latent nature of digital traces, Tracing digital traces in time, High density of content of digital traces, Very low life span of digital traces, Storage and quality of digital traces is influenced by a number of subjective factors, • Great volume of data in digital traces, • Data density of digital traces decreases with 22 the development of new technologies,

Digital traces and their specific features • Extreme dynamism of the environment of the digital traces, • Heterogeneity and complexity of the environment of digital traces, • Great geographical extent of the environment of digital traces, • High degree of data protection hinders the work with digital traces, • Digital traces are automatically identifiable and processable by specialized means, • High degree of obliteration of digital traces by qualified offenders, • Restorability of obliterated digital traces, • Genuineness of digital traces, • Contemporary low degree of judicial acceptation of digital traces in legal practice. 23

Digital traces as field traces : Although data and information are immaterial, on material medium, with various technological equipment, format, data structure, reliability and lifespan etc. , is needed in order to store them. • The medium contains digital traces in the form of field and it is a physical component of means of evidence. 24

Latency of digital traces Digital traces are invisible. Latency is multiple. 1. The records, which are processed or stored to the data medium, are invisible to the naked eye (with the exception of views of monitor screens, print screens, photographs or video recordings of screens and printed documents). 2. a hidden attribute set, special settings of user’s rights or special application or system means. 3. deleted recordings, reformatted disks or data destroyed or changed by other means. In the same way we approach encrypted data, 25

Time traceability of digital traces : In comparison to other traces in criminalistic or forensic practice in some case the digital traces can precisely determine time span of activities. they significantly document the process of all particular activities in time. If all versions of working documents are stored, internal audit can analyse procedure of document processing in similar way. This is determined by fact • digital devices (camcorders, cameras etc. ) have digital clock, which determines the activities of system SW 26

Content of digital traces : In specific cases digital traces have high information value on interests and activities of the person, they are unique in comparison to other types of the traces. to study not only particular activities of the computer users, what information he was interested in, what information he acquired, processed, stored or handed in to the others. Due to these facts it is possible to determine some fields of the interest of the perpetrator, his motivation and to create psychological profile 27

Very low lifespan of digital traces : From criminalistic or forensic point view of digital traces digital records are recorded to memory medium. • They can be intentionally deleted by the user or • systematically and automatically (without one’s involvement) rewritten by other records. • It is possible to restore deleted recordings with the help of special SW, but the restoring must be done very quickly before the memory medium is rewritten by system means. 28

Storing and quality of digital traces is influenced by subjective factors : From the point of safety storing and quality of digital traces is directly proportional to international, national or institutional legislation, • experience of system administration and • it depends on institutional culture. Regular monitoring and audit of key transactions, providing storage backup and data archiving from important data sources to a special medium and their long-term 29 storage, play primary role.

Large data capacity of digital traces : Strong centralization, arising from operational and economic reasons, is typical for computer and communication means. In our country data capacity is around tens TB in middle size companies. Only a small part has character of a digital trace. Data density of digital traces, among other data with development of new technologies, constantly decreases The digital trace itself is not limited by physical capacity. New technologies for data comprising are developed. It means that larger data capacity is 30 saved to the

Extreme dynamics of environment of digital traces This particularity is typical mainly for common network : environment in big institutions when data funds are distributed in real time. Comprehensive company applications are strongly centralized and dynamic with high requirements for application accessibility from the point of fulfilling information needs of the institution, economic and operational characteristics. Applications are included in critical company applications. It means that interruption of application function only for one minute (mainly in industry, transport, telecommunication, financial institutions etc. ) can have disastrous existential consequences. 31

Heterogeneity and complexity of the environment of digital traces : • Various operational systems, databases, application software and its versions, data interface among applications, data formats, transferable proceedings, proceedings of operational records, logo etc. are commonly and concurrently used in the same organizations. 32

Large geographic capacity of environment with geographic traces and small area : • • Computers are connected together around the whole world with the help of private computer network and the Internet, so distribution of distant data and application is possible. A highly experienced perpetrator the computer network does not recognize geographic boundaries, the investigation is always (usually) based 33 on present laws of the country

High level of data protection : • • makes the work with the digital traces difficult or impossible Due to the safety reasons there a lot of data transitions and nodal points, mainly in file systems and databases, which are cryptographically protected. If we are not familiar with the particular algorithm or technological means 34

A digital trace is automatically identifiable and processable by specialized devices : • • Since digital traces are generated as a final result by a certain technology general corporate database of officially purchased software products at our disposal and the computers are connected to the corporate network, it is possible to search/scan the system registers of all computers 35

High level of digital traces obliteration by qualified offenders : As practice shows, highly competent offenders whose professional education is associated with the field of information and communication technologies cause the largest traces. The offenders are extremely familiar with the keystone of crucial technologies functioning as the ways of the technologies and data protection they have to and are able to avoid, are of great 36 interest to them.

Damaged digital restoration : traces Under specific conditions, deliberately deleted or otherwise damaged digital traces can be restored. • As a rule, this is not true of other criminalistics relevant traces. A footprint once deleted cannot be restored. • Digital traces restoration is conditioned by the keystone of operation systems 37

Digital traces originality: During the files and data copying process, no data loss or distortion is caused • digital traces can be easily modified without the process of modification leaving any visible tracks of its activity behind • Digital traces may also be easily modified or destroyed right in the process of collecting or safeguarding it for the purposes of examination and investigation. • Unless the standard procedures of digital traces safeguarding 38

Low judicial acceptance of digital traces by legal practice: user´s activities or the activities associated with automated processes and programs The problematic issue related to digital traces is theoretical and in some cases also practical possibility of falsification and of challenging the legal quality of traces. 39

Low judicial acceptance of digital traces by legal practice: However, this possibility occurs within all types traces processed in criminalistic and forensic way. • we are exposed to prejudices of individuals made on grounds of unfamiliarity with the subject matter • rather that to relevant reference equipment is classified and certificated in the safety manner. The main problem is the identification of the person responsible for 40

Lt. Extraordinary professor Dr. hab. Jozef Meteňko, Ph. D. , Head - Chair of criminalistics and forensic science, Academy of the Police Force, Bratislava, Slovakia. metenko@minv. sk jmetenko@pobox. sk Mag. Meteňko Martin Dell Computers Slovak republic 00421 907 474 981 (Handy), Slovakia martin_metenko@dell. com Ass. prof. Jan Hejda, Ph. D. , Head - Chair of law and social science, faculty of management, VŠE Praha Czech republic, hejda@fm. vse. cz 41