
Communications of the ACM


On the Digital Trail


Interpol released these Mr. Swirl photos in October 2007 in an appeal for help to identify Christopher Paul Neil, left, who sexually abused children in photos posted on the Internet.

Credit: Interpol, Associated Press

Over the course of several years, a nefarious character who came to be known as Mr. Swirl left his indelible mark on the Internet. He sexually assaulted at least a dozen young boys throughout Southeast Asia and posted more than 200 photos of his sexual activities on the Web. In order to hide his identity, the man created a digital swirl to replace his face.

Beginning in 2004, investigators from Interpol began to search for Mr. Swirl. But the pedophile continued posting images and, using digital photo-editing software, altering his face so that it was unrecognizable. Experts had to find a way to unswirl the images and figure out who was behind the brutal sexual assaults. This task required reassembling millions of pixels.

Interpol called in German computer forensics experts who began examining the photos. Since the pixels in the digital images were lossless (they were moved but not altered), the task was to create an algorithm to reverse the swirl. Eventually, the forensics team cracked the photos and identified Mr. Swirl partly by examining objects in the photos and tracing the IP address of the computer from which the images were sent. In 2007, a Canadian citizen named Christopher Paul Neil was arrested in Thailand and sentenced to prison, where he currently resides.
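A simplified model of why a distortion that only relocates pixels can be undone, as an added example that is not from the article or the investigators. The ring-rotation `swirl`, the constructed 8x8 `SAMPLE` grid and the `mosaic` contrast case are assumptions for illustration and go beyond the case described.

```python
# Added illustration: a toy ring-rotation swirl, not the investigators' algorithm.
SAMPLE = [[10 * r + c for c in range(8)] for r in range(8)]  # constructed 8x8 "image"

def ring_coords(n, k):
    """Clockwise cell coordinates of square ring k (0 = outermost) in an n x n grid."""
    lo, hi = k, n - 1 - k
    if lo == hi:                       # single centre cell when n is odd
        return [(lo, lo)]
    return ([(lo, c) for c in range(lo, hi)] + [(r, hi) for r in range(lo, hi)] +
            [(hi, c) for c in range(hi, lo, -1)] + [(r, lo) for r in range(hi, lo, -1)])

def swirl(img, strength):
    """Rotate ring k by strength*k cells. Values are moved, never modified."""
    n = len(img)
    out = [row[:] for row in img]
    for k in range((n + 1) // 2):
        coords = ring_coords(n, k)
        shift = (strength * k) % len(coords)
        for i, (r, c) in enumerate(coords):
            r2, c2 = coords[(i + shift) % len(coords)]
            out[r2][c2] = img[r][c]
    return out

def unswirl(img, strength):
    """A pure relocation is a permutation, so the opposite rotation restores it."""
    return swirl(img, -strength)

def mosaic(img, b):
    """Contrast case: replace each b x b block by its mean. Values are altered."""
    n = len(img)
    out = [row[:] for row in img]
    for r0 in range(0, n, b):
        for c0 in range(0, n, b):
            cells = [(r, c) for r in range(r0, min(r0 + b, n))
                     for c in range(c0, min(c0 + b, n))]
            mean = sum(img[r][c] for r, c in cells) // len(cells)
            for r, c in cells:
                out[r][c] = mean
    return out

def swapped_copy(img):
    """A different image that differs only inside one 2x2 block."""
    out = [row[:] for row in img]
    out[0][0], out[0][1] = out[0][1], out[0][0]
    return out

if __name__ == "__main__":
    print(unswirl(swirl(SAMPLE, 3), 3) == SAMPLE)                   # exact recovery
    print(mosaic(SAMPLE, 2) == mosaic(swapped_copy(SAMPLE), 2))     # inputs collide
```

Real swirl filters interpolate between pixels when resampling, so reversal in practice is approximate rather than bit-exact as in this grid model.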

Digital forensics has moved into mainstream society. As more and more devices record our movements, actions, and activities, there is a growing focus on using the data to solve crimes, fight lawsuits, and unravel accidents. Smartphones, automated teller machines, electronic tollbooths, credit and debit cards, and server logs all comprise a growing body of data that provide a window into numerous everyday events.

"We have moved beyond computer forensics and into the age of digital forensics," says James Robertson, a professorial fellow and director of The National Centre for Forensic Studies at the University of Canberra. "There is a growing array of software and hardware tools used to record what people are doing and where they are doing it."


Beyond Computing

Digital forensics has evolved far beyond a way to examine a hard drive for metadata, time stamps, and deleted files. It's now used to unravel everything from international business espionage to cyberspying and cyberwars. For example, an extensive examination of the Stuxnet code used to cripple an Iranian nuclear facility in 2010 eventually pointed to a joint American-Israeli operation, according to The New York Times.


Forensic techniques are also being used by individuals to document events that might have flown under the radar in the past. In July, University of Toronto computer science professor Steve Mann claimed he was assaulted and forcibly removed from a McDonald's in Paris after employees objected to an augmented reality headset device he was wearing. McDonald's conducted an investigation and claimed there was no physical contact. However, a video that Mann captured with the augmented reality headset appears to have recorded contact, including him being allegedly pushed out of the McDonald's and onto the street.

There's also the case of a Burger King employee in Ohio who posted a photo of himself on Internet image board 4chan with his feet in trays of lettuce and boasted "This is the lettuce you eat at Burger King." At that point, other 4chan users, including members of hacker group Anonymous, began conducting their own forensic investigation. They grabbed GPS data on the photo and used a barcode on a box captured in the photo to track the exact location of the restaurant within 15 minutes. Three employees were subsequently fired.

David Billard, a professor at the University of Applied Sciences in Geneva, Switzerland and a lecturer at the Institute for Scientific Police, points out that digital technology now touches nearly every part of our lives. Cameras snap photos with time and GPS stamps, cellular towers track our movements on highways and byways, RFID readers record the precise time we pass through a tollbooth, and electronic financial transactions display a fingerprint of what we have bought and where we have been. What's more, event data recorders (EDRs), once limited to commercial aircraft, are now embedded in many automobiles.

In fact, these EDRs can reveal a number of things, including how fast a vehicle was traveling at the time of an incident or collision, how a driver was steering, braking, and accelerating, and which passengers were wearing seat belts. Although EDRs were designed to collect data that could be used to improve safety standards, they are increasingly used as evidence in court. Moreover, when they are combined with text and phone logs, and possibly credit card receipts, it is sometimes possible to gain a remarkably complete picture of what was taking place around the time of a collision.

Almost every court case now includes some digital evidence, Billard notes. In many instances, particularly divorce cases, understanding a chain of events is as simple as sifting through text messages, credit card receipts, and phone logs. More sophisticated types of crime, or those where a computer is used to commit the offense, may require an examination of a hard drive or an analysis of network traffic flows and data packets, adds Cal Waits, technical manager of operations at the CERT Digital Intelligence and Investigation Directorate for Carnegie Mellon University.

The Mr. Swirl case is a prime example of how digital forensics helps solve crimes. Once investigators created an algorithm to unswirl Neil's face, they still faced the onerous task of tracking him down. An IP address indicated the computer was most likely located in a suburb of Vancouver, Canada, but law enforcement agencies could not identify the exact location. Only after investigators publicly released the images in 2007 did a Canadian teacher in South Korea recognize Neil and report him to police.

By then, however, Neil knew authorities were after him. He fled South Korea but an airline ticket revealed that he had traveled to Bangkok, Thailand. There, authorities caught his image on a surveillance camera and knew they were closing in on him. Thai police eventually tracked him down using a variety of high-tech surveillance systems focused on Neil's transvestite lover. This included monitoring his lover's movements through his mobile phone. A few weeks later, police arrested Neil in Khorat, a small village located about 150 miles from Bangkok.


The most complex cases, like Mr. Swirl, involve data from multiple sources and an array of systems or devices. Besides the sheer volume of digital data that now exists, forensics experts must extract the evidence without destroying the underlying system or device. "It's not unlike DNA evidence," Billard notes. "When you use a fragment you destroy a bit of the evidence." Analyzing a mobile phone, for example, requires a forensics expert to modify the state of the device. "There is no way to capture the contents of the memory without modifying the device state," says Billard. As a result, forensics specialists must approach investigations methodically and, even then, they risk destroying valuable evidence.

It's something of a cat and mouse game too. Tech-savvy individuals and crooks are increasingly turning to encryption, cloaking techniques, anonymizer software, and other tools to make forensics more challenging. Even advances in technology create new challenges. For instance, solid-state computer drives and flash memory make it more difficult for experts to find and extract data. For one thing, the data is stored in smaller 2KiB or 4KiB blocks rather than traditional 512 byte blocks. For another, these drives completely erase data pages rather than storing deleted data on the drive even after it is erased. This usually results in a far more complex and lengthy process, with a lower likelihood of finding the desired data.

Likewise, cloud computing complicates an array of issues, including who owns data and which country's laws take precedence. In many cases, data might reside on multiple virtualized servers or travel across servers and change locations on a regular basis. In addition, the company that owns the data may not own the infrastructure. Consequently, a person or company under investigation could migrate its data to different servers. Establishing a chain of custody and authenticating the data can prove daunting.


The Laws of Data

Despite marked advances in digital forensics, police and courts are struggling to keep up with all the changes. "The digital age is only beginning to hit courts around the world," says Robertson, who served as chief of forensics for the Australian Federal Police for 20 years. "Across countries, there are radically different abilities to handle both the volume and complexity of digital data."

Steven Hunter, a partner in business litigation at Quarles & Brady, says digital forensics is increasingly used to investigate corporate data theft, determine whether a person who leaves one company and goes to work for another is taking along trade secrets, and address international business and trade disputes. He points out that as economies and companies become more digital and global, resolving disputes and handling e-discovery becomes more complex. "Countries have very different privacy and data protection laws," he says.

For example, Hunter notes that many countries, particularly in Europe, view data privacy as a fundamental right and impose restrictions on how electronically stored information can be gathered, processed, used, and transmitted beyond borders. In 2011, Russia amended its data privacy laws to require written consent to transfer any "personal data." China also strengthened its protection of "personal information" last year, apparently to protect against the loss of corporate and state secrets. In the U.S., where privacy laws are weaker, e-discovery is more advanced than in many other parts of the world.


All of this is leading some companies, and government agencies, to focus heavily on where data is actually stored on a server and, in some cases, avoid the cloud unless there is certainty about the specific physical location data is stored. Not surprisingly, some cloud providers now guarantee that data will remain in a specified country. Billard says these issues can cut both ways: They can protect organizations but complicate international crime investigations. "Police must comply with national laws, which may limit their ability to collect information," he says.

The stakes continue to grow. Today, spouses increasingly use digital forensics tools to spy on partners, banks have entire forensics departments set up to spot fraud, audit companies pore over financial transactions for major companies, and law enforcement agencies chase hackers and cyberspies through the wormholes of the virtual world. Governments, too, are turning to systems that enable digital forensics. For instance, in Greece, Italy, and Spain, there is now a push to limit cash transactions for larger purchases ranging from €1,000 to €2,500. This could be a step toward eliminating cash altogether, and to possibly help thwart crime and tax evasion.

At some point, society will have to define the limits of how EDRs and other devices can be used, and where the boundaries between reasonable privacy, fair use of data, and unreasonable search and seizures collide with governments' desire to monitor citizens and protect against perceived or real threats.

In the end, Waits says that as computers and digital systems become more sophisticated, society must think through the consequences, and the unintended consequences, of compiling vast stores of digital data. "There's a need to balance privacy with sophisticated tools used to understand complex events ranging from accidents to crimes," he says. "Digital forensics is often the key to unlocking complex mysteries."




Samuel Greengard is an author and journalist based in West Linn, OR.


©2012 ACM  0001-0782/11/01  $15.00
