Digital Evidence

AuthorSteven L. Rogers
The use of computers to commit a criminal of‌fence or to aid in the com-
mission of an of‌fence is not new, having been f‌irst addressed by changes
to the Criminal Code1 and the Canada Evidence Act2 in 1983.3 Initially, the re-
sponse of Canadian law enforcement to the increase in of‌fences involving
computers was challenged by the lack of commercially available forensic
software. Canadian law enforcement agencies responded to the problem
using whatever knowledge, skill, and software was available to them. The
most critical issue and challenging aspect of performing a computer for-
ensic analysis was the inability to properly preserve the evidence to enable
the subsequent analysis. The mere act of reviewing the data may alter it.
In the mid-1980s, Canadian law enforcement authorities created the
f‌irst centralized computer forensics laboratory at the RCMP “P” Direc-
torate in Ottawa and, with civilian member Gord Hama, developed their
own suite of forensics software. This software was known by various
names, including “Hama Utils,” “RCMP Utilities,” and “Gord’s Utilities.”
Through this work, Hama became recognized as the leading pioneer in
1 Criminal Code, R.S.C. 1985, c. C-46.
2 Canada Evidence Act, R.S.C. 1985, c. C-5.
3 Marilyn Pilon & Monique Hébert, Computer Crime (Ottawa: Parliamentary Research
Branch, Library of Parliament, 1984, revised 1991), online:
Digital Evidence
Steven L. Rogers
150 6 Steven L. Rogers
the development of forensic utilities for digital forensics. At the sugges-
tion of other members of the RCMP, the RCMP Utilities were eventually
of‌fered as “take aways” for domestic and international law enforcement
agencies during computer forensics training sessions at the Canadian
Police College. The utilities were initially shared with the United States,
the United Kingdom, Australia, and New Zealand. Later, they were shared
across Europe and South America, as well as other countries. To main-
tain its position as a leader in computer forensics and cybercrime training,
the Canadian Police College established the Technological Crime Learn-
ing Institute, which continues to provide a variety of Computer Forensic
courses, teaching forensic techniques as well as the use of commercial
forensic software to the Canadian and international policing community.
One of the f‌irst commercially available disk duplication software pro-
grams, Safeback, was developed in 1990 by Sydex in the United States.4
Other commercially available forensic software began to evolve and, in
the early 1990s, Andrew Rosen, ASR Data Acquisition and Analysis, and
others began the development of Expert Witness.5 Rosen, among others,
subsequently provided computer forensics training at the Canadian Police
College that included how to use the Expert Witness forensic software.
In the mid-1990s, the computer forensic software EnCase by Guid-
ance Software became commercially available and was quickly embroiled
in litigation with ASR Data.6 Although ASR Data continues to provide fo-
rensic software and related services to law enforcement and private inves-
tigators, Guidance Software rose to become the world leader in the f‌ield.
Early computer forensic investigations typically included the exam-
ination of comparatively small hard drives,7 usually still inside the com-
puter,8 and removable storage devices such as diskettes, f‌loppy disks, jazz,
4 George Mohay et al., Computer and Intrusion Forensics (Norwood: Artech House, 2003)
at 115–16. See also Mark Pollitt, “A History of Digital Forensics” in Kam-Pui Chow &
Sujeet Shenoi, eds., Advances in Digital Forensics VI: Sixth IFIP WG 11.9 International
Conference on Digital Forensics, Hong Kong, China, January 4–6, 2010, Revised Selected Pa-
pers (New York: Springer-Verlag Berlin Heidelberg, 2010) 3 at 7, online: www.springer.
5 ASR Data Acquisition & Analysis, online:
6 ASR Data Acquisition & Analysis LLC v. Guidance Software Inc., AAA Case No. 72 117
01269 98 (L.A. American Arbitration Association Commercial Tribunal 1999), online:
7 As compared to the capacity of today’s hard drives and often referred to as “memory”
but more accurately described as permanent storage or non-volatile memory.
8 Often referred to as the CPU by the public and legal community, which is not cor-
rect. The CPU is the central processing unit—essentially, the brains of the computer.
Digital Evidence 6 151
Bernoulli, and zip disks.9 These removable storage devices, although still
encountered during investigations, have since been replaced by more ad-
vanced technologies such as USB drives, which serve the same removable
storage purpose but are signif‌icantly faster, easier to use, and have much
greater storage capacity.
After the attacks on the World Trade Center in 2001, Mark Pollitt of
the FBI contacted Tom Pownall of the RCMP and requested an update
to the RCMP Utilities to assist them with the analysis of data seized af-
ter the attacks, since the current commercially available software was not
able to meet their needs. An update was shipped to the FBI about four
days later. In the following years, development of the RCMP Utilities was
discontinued and they were replaced by commercially available software
with advanced capabilities. In the mid-1990s, the RCMP began to decen-
tralize Computer Forensic services. One of the f‌irst regional laboratories
was established at “O” Division headquarters in London, Ontario. Other
policing partners, such as the Hamilton Police Service, the Toronto Police
Service, the Ontario Provincial Police, and the Waterloo Regional Police
attended the RCMP lab in London to observe operations and, in some
cases, to mentor the RCMP forensics investigators.
Law enforcement in the United States also responded to the emerging
need for computer forensic software:
[S]ome of the key individuals were Mike Anderson, Danny Mares and
Andy Fried from the IRS; Ron Peters and Jack Lewis from the U.S. Secret
Service; Jim Christy and Karen Matthews from the Department of De-
fense; [and] Tom Seipert, Roland Lascola and Sandy Mapstone from local
U.S. law enforcement agencies.10
Cross border law enforcement meetings eventually led the Canadian and
U.S. law enforcement communities to realize they were undertaking the
same challenge with forensic software development and they began to
share utilities.
Today, continued advancement in computer, storage, and mobile tech-
nologies, including those driving the Internet (i.e., e-commerce, discussion
forums, social media, online email, and f‌ile storage services), have changed
the way we think about remote data storage by introducing the term cloud
9 Jazz disks and Bernoulli disks are similar to f‌loppy disks, but larger and with greater
storage capacity.
10 Pollitt, “A History of Digital Forensics,” above note 4 at 6.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT