72 research outputs found

    Cyberpatterns

    As computers and networks become more prevalent, investigators are encountering an increasing amount of digital evidence of witness, victim, and criminal activity. Criminals can use the Internet proactively to enhance their current modus operandi (MO) or they can use it reactively to avoid detection and capture. Additionally, the Internet gives offenders greater access to victims, extending their reach from a limited geographical area to victims all around the world. To date, the majority of efforts to apply profiling to crimes involving computers have focused on criminals who target computers. Although these efforts to create inductive profiles give a general overview of past offenders and may be useful for diagnosing and treating associated psychological disorders, they are of limited use in an investigation. They can even be misleading. Criminal profiling can be most useful when little is known about the offender, which is particularly important when offenders use the Internet to conceal their identities and activities. Feeling protected by some level of anonymity, individuals often do things on the Internet that they would only imagine doing in the physical world, and they express thoughts that they would otherwise keep to themselves. Digital evidence may also contain information that can be used to determine the offender's sex, age, occupation, interests, relationship status, and other potentially useful information. When an offender uses the Internet to commit crimes, it can be difficult to pinpoint all of the relevant evidence in the digital vastness. The Internet, however, has many areas that are private and may never show up in a routine search. Developing an understanding of the offender's MO can direct investigators to look for particular traces of digital behavior or to monitor particular virtual areas where the intruder is likely to appear

    Reconstructing Digital Evidence

    This chapter presents the use of digital evidence to reconstruct actions taken in furtherance of a crime, providing case examples to demonstrate key concepts. Digital evidence is defined as any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that addresses critical elements of the offense, such as intent or alibi. Homicide, sexual assault, and other violent crimes can involve digital evidence from a wide range of sources, including personal computers, handheld devices, servers, and the internet, helping investigators reconstruct events and gain insight into the state of mind of individuals. Computers and networks should be considered an extension of the crime scene, even when they are not involved directly in facilitating the crime. A single computer can contain e-mail communications between the victim and the offender, evidence of intent to commit a crime, incriminating digital photographs taken by the offender as trophies, and software applications used to conceal digital evidence. It is suggested that digital evidence that is handled and interpreted properly can be used to apprehend offenders, authenticate documents, assess alibis and statements, and determine intent

    A formalized model of the Trace

    This work proposes a formalized model, grounded in forensic science, to support a unified understanding of the Trace across scientific disciplines. The model is precisely defined in mathematical terms that reflect the dynamics of an offense as expressed in Locard’s Exchange principle. Specifically, this mathematical approach represents the Trace as the modification of a Scene, subsequently perceptible, resulting from the Event under investigation. Examples are provided to illustrate how this conceptualization applies to forensic science, including DNA and digital evidence. Broader implications of this model are presented in the context of COVID-19, emphasizing the value of cohesive scientific study of the Trace. The aim of this work is to stimulate more formalized study of the Trace, both from tangible and abstract perspectives, and to strengthen forensic science as a whole

    Using computed similarity of distinctive digital traces to evaluate non-obvious links and repetitions in cyber-investigations

    This work addresses the challenge of discerning non-exact or non-obvious similarities between cyber-crimes, proposing a new approach to finding linkages and repetitions across cases in a cyber-investigation context using near similarity calculation of distinctive digital traces. A prototype system was developed to test the proposed approach, and the system was evaluated using digital traces collected during actual cyber-investigations. The prototype system also links cases on the basis of exact similarity between technical characteristics. This work found that the introduction of near similarity helps to confirm already existing links, and exposes additional linkages between cases. Automatic detection of near similarities across cybercrimes gives digital investigators a better understanding of the criminal context and the actual phenomenon, and can reveal a series of related offenses. Using case data from 207 cyber-investigations, this study evaluated the effectiveness of computing similarity between cases by applying string similarity algorithms to email addresses. The Levenshtein algorithm was selected as the best algorithm to segregate similar email addresses from non-similar ones. This work can be extended to other digital traces common in cybercrimes such as URLs and domain names. In addition to finding linkages between related cybercrime at a technical level, similarities in patterns across cases provided insights at a behavioral level such as modus operandi (MO). This work also addresses the step that comes after the similarity computation, which is the linkage verification and the hypothesis formation. For forensic purposes, it is necessary to confirm that a near match with the similarity algorithm actually corresponds to a real relation between observed characteristics, and it is important to evaluate the likelihood that the disclosed similarity supports the hypothesis of the link between cases.
This work recommends additional information, including certain technical, contextual and behavioral characteristics that could be collected routinely in cyber-investigations to support similarity computation and link evaluation

    A Framework for Harmonizing Forensic Science Practices and Digital/Multimedia Evidence

    Like many other specializations within forensic science, the digital/multimedia discipline has been challenged with respect to demonstrating that the processes, activities, and techniques used are sufficiently scientific. To address this issue, in April 2015, the Organization of Scientific Area Committees for Forensic Science (OSAC) Digital/Multimedia Scientific Area Committee (SAC) established a Task Group (TG). This document summarizes the work of the TG that grew into establishing a harmonizing framework for forensic science practices and digital/multimedia evidence. The TG researched and deliberated on the essential elements of digital/multimedia science, the nature of evidence examined, the overarching scientific principles and reasoning processes, the questions addressed by core forensic processes, and the activities and techniques which support the core forensic processes. It reviewed a large volume of pertinent literature, conducted interviews of practitioners, academics, and other interested parties. Over a three-year period and many hours of debate, more than 40 discussion drafts were produced. The TG determined that digital/multimedia evidence, and other forensic disciplines, would be in a much stronger position to demonstrate their scientific basis as a harmonized forensic science rather than as mere disciplines at the intersection of forensic specialties and other sciences. The value of forensic science as a whole is that it uses scientific reasoning and processes within the framework articulated in this document to address questions – specific to an event or a case – for legal contexts, to provide decision-makers with trustworthy understanding of the traces in order to help them make decisions. The TG considered how the definitions and framework developed in the context of digital/multimedia evidence mesh with forensic science as a whole. 
The present document describes the concept of traces as the core nature of forensic evidence and the fundamental object of study in forensic science. It proposes a broad definition of forensic science, not limited to legal problems in civil and criminal justice systems (courtroom contexts), and describes the different types of reasoning that play a significant role in forensic science. Then it defines five core forensic processes, seven forensic activities, and three operational techniques. The formalization of forensic science reasoning processes and outcomes in this work leads to increased reliability, repeatability, and validation in forensic results. This, in turn, gives decision-makers increased confidence in and understanding of forensic results. The resulting definitions and framework can be used to harmonize concepts and practices within digital/multimedia science, and are likely applicable to most forensic disciplines. As such, this work may be useful in articulating their scientific basis, and promoting forensic science as one science, which is more than the union of a patchwork of forensic disciplines. The new paradigm created by the digital realm brings a unique opportunity to revisit fundamental definitions in forensic science and to strengthen the identity of forensic science as a whole, unified by common principles and processes that can address questions for legal contexts. This document represents the conclusions and recommendations of the TG as of the date of its writing. The work continues and future versions of this document can be expected to contain new observations and updated conclusions

    Do Identities Matter?

    It is difficult to overstate the importance of identity in the digital age, as well as the importance of digitized information for identity. In order to advance security, liberty, and privacy in modern society, it is crucial to understand the nuances of what identity means and how it is used and abused. This article defines identity, covering both physical and virtual entities, which is relevant in diverse contexts such as forensic science, cybersecurity, and national security. This article concentrates on the relevance of identity in forensic science, and provides illustrative examples. Approaches and challenges to evaluating and expressing confidence in identity-related conclusions are discussed. Privacy issues are considered along with the rising risks of identity usurpation and impersonation. Relationships between identification of physical and virtual entities are addressed, including the weaknesses and strengths of digital information alone, and the benefits of combining multiple forensic disciplines when assessing identity. This article concludes with a consideration of the benefits for forensic science specifically, and society generally, to take a pluridisciplinary approach to establishing identity