Column: Putting the Science in Digital Forensics

In a recent study, digital forensics was found to lack a consensus around even the most basis notions and terminology of the field. To quote: “These two preliminary studies individually suggest that (1) scientific consensus in the area of digital forensic evidence examination is lacking in the broad sense, but that different groups within that overall community may have limited consensus around areas in which they have special expertise, and (2) that the current peerreviewed publication process is not acting to bring about the sorts of elements typically found in the advancement of a science toward such a consensus. ... perhaps the most significant challenge may be in the development of a common language to describe the field...

Measuring Inconsistency Methods for Evidentiary Value

Many inconsistency analysis methods may be used to detect altered records or statements. But for admission as evidence, the reliability of the method has to be determined and measured. For example, in China, for evidence to be admitted, it has to have 95% certainty of being correct,1 and that certainty must be shown to the court, while in the US, evidence is admitted if it is more probative than prejudicial (a \u3e50% standard).2 In either case, it is necessary to provide a measurement of some sort in order to pass muster under challenges from the other side. And in most cases, no such measurement has been undertaken. The question of how to undertake a scientific measurement to make such a determination, or at least to claim such a metric, is not well defined for digital forensics, but perhaps we can bring some light to the subject this issue

Column: The Physics of Digital Information-Part 2

In part 1 of this series (Cohen, 2011a), we discussed some of the basics of building a physics of digital information. Assuming, as we have, that science is about causality and that a scientific theory should require that cause(C) produces effect (E) via mechanism M (written C→ME), we explore that general theory of digital systems from the perspective of attributing effects (i.e., traces of activities in digital systems) to their causes. Full details of the current version of this physics are available online2 , and in this article, we explore a few more of them

The Science of Digital Forensics: Recovery of Data from Overwritten Areas of Magnetic Media

The first time I encountered data loss and recovery effects of magnetic memory was as a night and weekend computer operator for the computer science department of Carnegie-Mellon University in the 1973-1974 time frame. Part of my job involved dealing directly with outages and failures associated with magnetic memory components used in what, at the time, were large computer systems. On occasions, portions of magnetic core memory or disk drives would encounter various failure modes and the systems using these devices would have to be reconfigured to operate without the failed components until repair personnel could come in to repair them, typically during normal business hours on weekdays. In the early hours of one Sunday morning, I was having such problems with a magnetic core memory module (a cabinet about 6 ft. high and 3 ft. across), and after awakening the manager in charge was instructed to restart the memory and continue the operation of the computer, setting a particular value into a particular memory location to cause the system to continue operation. After several such incidents within a period of less than an hour, a more definitive outage was produced after a mechanical impulse was applied to the cabinet, the memory was reconfigured out of the system, the system operated at reduced memory until the next weekday, and no further outages were experienced

Identifying and Attributing Similar Traces with Greatest Common Factor Analysis

This paper presents an algorithm for comparing large numbers of traces to each other and identifying and presenting groups of traces with similar features. It is applied to forensic analysis in which groups of similar traces are automatically identified and presented so that attribution and other related claims may be asserted, and independently confirmed or refuted. The approach of this paper is to identify an approximate algorithm that will find a large subset of greatest common factor similar groups of arbitrary factors in far less time and space than an exact algorithm using examiner-provided selection criteria for factor definition

A Case Study in Forensic Analysis of Control

This paper describes a case study in which a method for forensic analysis of control was applied to resolve probative technical issues in a legal action. It describes one instance in which the analysis was successfully applied without challenge, addresses the details of most of the different facets of the analysis method, and demonstrates how such analysis provides a systematic approach to using technical methods to address legal issues as a case study

Isolation in Penal Settings: The Isolation-Restraint Paradigm

Isolation, I suggest, should be analyzed constitutionally, much as physical restraints are now. As I describe in detail below, recent Supreme Court case law and longstanding lower court precedent has insisted that prisons and jails limit their use of physical restraints to situations in which those restraints are necessary for contemporaneous control and security—not as deterrent or punishment. This Essay asserts that isolation and the use of mechanical restraints should be treated as almost identical interventions in terms of rationale, duration, monitoring, and creation of law and policy. Isolation units are not a fixed, invariable condition of penal confinement. Penal isolation is variable in its extremes of deprivation. At its most extreme, it should simply be banned; in its less onerous forms, isolation should be sharply limited, closely monitored, and very closely regulated. This reform may well require abandonment of “supermax” confinement as well as the even more restrictive, primitive “dark cell.

In Search of a Model Act for Prisoners’ Rights

A first reading of A Model Act for the Protection of Rights of Prisoners (Model Act) is a melancholy experience. Regrettably, additional study and reflection only intensify the original mood. The Model Act comes too late in the movement for prison reform to serve as a catalyst for basic change. In its scope and content it is so limited, so ambiguously expressed, so content with leaving undisturbed the basic power arrangements between the inmate and the administration, that with but one or two exceptions its only appeal will be to prison officials fighting a rearguard action against the further “encroachment” of judicial decisions. Indeed, the Model Act lacks even the “menace of liberal reform.