Computing Profession

Crawling Inside Hard Drives

Digital forensics describes the search for evidence in digital data.
Digital forensics investigators and law enforcement face significant challenges in obtaining evidence that can be found in digital data.

The proliferation of digital devices such as smartphones, tablets, and fitness trackers, combined with the ubiquitous, always-on connectivity of the Internet, presents a conundrum from the legal perspective. While we might upgrade our cellphones every two years on average, the laws governing personal data we store on, and share from, our digital devices still date back to the 1960s and 1970s. As a result, both digital forensics investigators and law enforcement face significant challenges, with personal privacy rights left hanging in the balance.

Digital forensics is a new field, relatively speaking, but growth metrics are hard to find. John P. Lucich, president of the High Tech Crime Network, a Union, NJ-based organization offering certifications in computer forensics, explains the field has grown dramatically since the late 1980s. "Forensic software did not come around until the mid-1990s," Lucich says. Before that, Luccini recalls, he would use SnapBack, a Columbia Data Products program to image drives, and then he would restore and install those images on clean drives. After that, he would use Norton Techsearch to forensically examine the drives.

Sharon D. Nelson, president of Sensei Enterprises, a digital forensics and cybersecurity firm based in Fairfax, VA, and author of several books on digital evidence, says that since she became involved with digital forensics in the late 1990s, a lot has changed. In the beginning, computers and servers were being imaged; today, Sensei Enterprises examines more smartphones than any other type of digital device.

Mobile devices are where most digital evidence is found today, according to Craig Ball, a trial lawyer, computer forensic examiner, adjunct professor of law in the University of Texas at Austin School of Law, and noted authority on electronic evidence. Ball says mobile devices have eclipsed laptop and desktop computers as the principal conduit to online information, with texts and app data residing almost exclusively on mobile devices.

"Increasingly, the information lawyers will use to cross-examine, to indict, is going to be information that is going to be in conversations on mobile devices and through a variety of mobile channels," Ball says. Such conversations may start in a messaging app, switch to Facebook, and conclude on Skype, presenting a challenge to investigators, he adds.

On the whole, law enforcement in the U.S. is woefully unprepared for digital forensics. A recent study by Washington, D.C.-based think tank the Center for Strategic and International Studies (CSIS) found that federal, state, and local law enforcement organizations encounter difficulties in accessing, analyzing, and utilizing digital evidence in over a third of cases that involve digital evidence. The CSIS study also suggests accessing data from service providers—primarily Facebook and Google—is the biggest problem law enforcement faces in terms of its ability to use digital evidence in their cases.

The CSIS report implies that the growth of digital evidence has outpaced law enforcement's ability to effectively investigate and prosecute crime. Significant resources are required to access and analyze digital evidence, ranging from tools and equipment to access devices, analysis tools, legal help so the evidence will stand up in court, as well as overall technical expertise to aid in all of these areas. Local investigators may be well-versed in processing forensic evidence like fingerprints or DNA, but they probably know little about digital forensics, technically and legally, and are forced to reach out for help. The CSIS report found a whopping 95% of those surveyed had sought digital evidence assistance in the past year.

There are few statistics available tracking digital forensics, but one shows rapid growth. According to the U.S. Department of Justice, there are 409 publicly funded forensic crime labs in the U.S. at the federal, state, county, and municipal levels. The survey reports 22% of them handled digital evidence analysis in 2014, the latest year for which statistics are available, up from 12% in 2002.

Yet law enforcement wants unfettered access to the data in mobile devices. "Law enforcement always has the sense that the ends justify the means," Ball suggests. "They're dealing with 'bad guys', so their ability to defeat encryption and gain access to evidence of criminal behavior is paramount, and they are less sensitive to due process issues."

Civil libertarian and often individual citizens recognize protection is needed from not only those who would do us harm, but sometimes from unrestrained governmental actors. "There is no easy calculus, it is always a tension," Ball says, "so do we want to endure incursions on our civil rights and our protections against government overreach?"

These issues become even more important when dealing with personal data in the cloud. Carpenter v. United States is widely seen as a landmark case, in which the U.S. Supreme Court found that government acquisition of cell-site location data is subject to the Fourth Amendment; that is, a warrant is needed to access cellphone location records. In that context, law enforcement can no longer simply ask Verizon, AT&T, or Sprint for cell tower records that reveal the whereabouts of a mobile phone's interaction with those towers, without a warrant.

The Justice Department had argued in favor of the third-party doctrine, a longtime legal precedent supported by the courts, which holds that people who share personal data with third parties have no reasonable expectation to privacy. A 2018 ruling in the Carpenter case raises questions on how courts might deal with future technologies, which is critically important given how much of our personal data is now held in the cloud. However, the courts can only rule on cases that come before them, so this might be an area for state legislatures and Congress to step in and craft laws that weigh privacy rights against the needs of law enforcement. The Carpenter decision reflects a broader shift in the way the Supreme Court is evolving to accommodate new technological realities.

Sensei Enterprise's Nelson points out that giving your data to a third party, absent express consent that it be shared, doesn't mean the government should be able to access it without a warrant. "For the most part, it doesn't matter where the data is (on-premise or in the cloud) if the government has a right to the data via getting a search warrant," she said.

"Why should law enforcement have more rights than the citizens they protect?" asks retired law enforcement officer John Lucich. Law enforcement should need a subpoena or court order for anything they do, Lucich says, because otherwise all of our records are open for anything.

Ball maintains the cloud does away with the paradigms we have had of private information. Historically, Ball explains, the law maintained that if you had not protected your information from being in the hands of third parties, then it wasn't deemed sufficiently protected to prevent the government from getting to it. "There is a longtime body of law that says if the information being sought isn't personally held but is held by a third-party—such as a wireless provider—then that information is less deserving of protection.

"The cloud means that all of our information is being held by third-parties," Ball says, adding that the whole idea of personal information being protected falls apart when you start dealing with the cloud. "We will have to decide if we are going to extend the kind of protection we have historically given to the physical premises, to the virtual premise we are all starting to use."

Ball adds that such an additional level of protection, while it may slow investigations and result in certain forms of surveillance being curtailed, is a worthwhile check on investigative power.

John Delaney is a freelance technology writer based in Brooklyn, NY, USA.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More