Digital Evidence

• Author: Steven L. Rogers
• Pages: 149-186

149

A. OVERVIEW OF THE DISCIPLINE: DIGITAL EVIDENCE

The use of computers to commit a criminal of‌fence or to aid in the com-

mission of an of‌fence is not new, having been f‌irst addressed by changes

to the Criminal Code1 and the Canada Evidence Act2 in 1983.3 Initially, the re-

sponse of Canadian law enforcement to the increase in of‌fences involving

computers was challenged by the lack of commercially available forensic

software. Canadian law enforcement agencies responded to the problem

using whatever knowledge, skill, and software was available to them. The

most critical issue and challenging aspect of performing a computer for-

ensic analysis was the inability to properly preserve the evidence to enable

the subsequent analysis. The mere act of reviewing the data may alter it.

In the mid-1980s, Canadian law enforcement authorities created the

f‌irst centralized computer forensics laboratory at the RCMP “P” Direc-

torate in Ottawa and, with civilian member Gord Hama, developed their

own suite of forensics software. This software was known by various

names, including “Hama Utils,” “RCMP Utilities,” and “Gord’s Utilities.”

Through this work, Hama became recognized as the leading pioneer in

1 Criminal Code, R.S.C. 1985, c. C-46.

2 Canada Evidence Act, R.S.C. 1985, c. C-5.

3 Marilyn Pilon & Monique Hébert, Computer Crime (Ottawa: Parliamentary Research

Branch, Library of Parliament, 1984, revised 1991), online: publications.gc.ca/collections/

collection_2008/lop-bdp/bp/bp87-e.pdf.

CHAPTER 7

Digital Evidence

Steven L. Rogers

LEgAL ConTExT: DAniEL M. sCAnLAn

150 6 Steven L. Rogers

the development of forensic utilities for digital forensics. At the sugges-

tion of other members of the RCMP, the RCMP Utilities were eventually

of‌fered as “take aways” for domestic and international law enforcement

agencies during computer forensics training sessions at the Canadian

Police College. The utilities were initially shared with the United States,

the United Kingdom, Australia, and New Zealand. Later, they were shared

across Europe and South America, as well as other countries. To main-

tain its position as a leader in computer forensics and cybercrime training,

the Canadian Police College established the Technological Crime Learn-

ing Institute, which continues to provide a variety of Computer Forensic

courses, teaching forensic techniques as well as the use of commercial

forensic software to the Canadian and international policing community.

One of the f‌irst commercially available disk duplication software pro-

grams, Safeback, was developed in 1990 by Sydex in the United States.4

Other commercially available forensic software began to evolve and, in

the early 1990s, Andrew Rosen, ASR Data Acquisition and Analysis, and

others began the development of Expert Witness.5 Rosen, among others,

subsequently provided computer forensics training at the Canadian Police

College that included how to use the Expert Witness forensic software.

In the mid-1990s, the computer forensic software EnCase by Guid-

ance Software became commercially available and was quickly embroiled

in litigation with ASR Data.6 Although ASR Data continues to provide fo-

rensic software and related services to law enforcement and private inves-

tigators, Guidance Software rose to become the world leader in the f‌ield.

Early computer forensic investigations typically included the exam-

ination of comparatively small hard drives,7 usually still inside the com-

puter,8 and removable storage devices such as diskettes, f‌loppy disks, jazz,

4 George Mohay et al., Computer and Intrusion Forensics (Norwood: Artech House, 2003)

at 115–16. See also Mark Pollitt, “A History of Digital Forensics” in Kam-Pui Chow &

Sujeet Shenoi, eds., Advances in Digital Forensics VI: Sixth IFIP WG 11.9 International

Conference on Digital Forensics, Hong Kong, China, January 4–6, 2010, Revised Selected Pa-

pers (New York: Springer-Verlag Berlin Heidelberg, 2010) 3 at 7, online: www.springer.

com/us/book/9783642155055.

5 ASR Data Acquisition & Analysis, online: www.asrdata.com/about-us.

6 ASR Data Acquisition & Analysis LLC v. Guidance Software Inc., AAA Case No. 72 117

01269 98 (L.A. American Arbitration Association Commercial Tribunal 1999), online:

www.asrdata.com/wp-content/themes/asr/pdf/ruling.pdf.

7 As compared to the capacity of today’s hard drives and often referred to as “memory”

but more accurately described as permanent storage or non-volatile memory.

8 Often referred to as the CPU by the public and legal community, which is not cor-

rect. The CPU is the central processing unit—essentially, the brains of the computer.

Digital Evidence 6 151

Bernoulli, and zip disks.9 These removable storage devices, although still

encountered during investigations, have since been replaced by more ad-

vanced technologies such as USB drives, which serve the same removable

storage purpose but are signif‌icantly faster, easier to use, and have much

greater storage capacity.

After the attacks on the World Trade Center in 2001, Mark Pollitt of

the FBI contacted Tom Pownall of the RCMP and requested an update

to the RCMP Utilities to assist them with the analysis of data seized af-

ter the attacks, since the current commercially available software was not

able to meet their needs. An update was shipped to the FBI about four

days later. In the following years, development of the RCMP Utilities was

discontinued and they were replaced by commercially available software

with advanced capabilities. In the mid-1990s, the RCMP began to decen-

tralize Computer Forensic services. One of the f‌irst regional laboratories

was established at “O” Division headquarters in London, Ontario. Other

policing partners, such as the Hamilton Police Service, the Toronto Police

Service, the Ontario Provincial Police, and the Waterloo Regional Police

attended the RCMP lab in London to observe operations and, in some

cases, to mentor the RCMP forensics investigators.

Law enforcement in the United States also responded to the emerging

need for computer forensic software:

[S]ome of the key individuals were Mike Anderson, Danny Mares and

Andy Fried from the IRS; Ron Peters and Jack Lewis from the U.S. Secret

Service; Jim Christy and Karen Matthews from the Department of De-

fense; [and] Tom Seipert, Roland Lascola and Sandy Mapstone from local

U.S. law enforcement agencies.10

Cross border law enforcement meetings eventually led the Canadian and

U.S. law enforcement communities to realize they were undertaking the

same challenge with forensic software development and they began to

share utilities.

Today, continued advancement in computer, storage, and mobile tech-

nologies, including those driving the Internet (i.e., e-commerce, discussion

forums, social media, online email, and f‌ile storage services), have changed

the way we think about remote data storage by introducing the term cloud

9 Jazz disks and Bernoulli disks are similar to f‌loppy disks, but larger and with greater

storage capacity.

10 Pollitt, “A History of Digital Forensics,” above note 4 at 6.