There is a flow chart depicting how a case passes through the criminal justice system, as well as some case law that affects digital evidence.
What is digital forensics, how does it relate to the criminal justice system, and why should a non-criminal justice major take this course?
By the end of this course you will have a better understanding of why IT professionals, or other non-criminal justice professionals, should still understand the criminal justice system, particularly if they plan to work in fields such as digital forensics, incident response, or information security. You will also gain an appreciation for the restrictions and structures placed on criminal case investigations conducted by public law enforcement officers.
In the 1980s, when home computers were not yet popular and desktop systems were being developed for business and the government, the only digital forensics being practiced was used to detect and investigate hacking and computer compromise. In fact, the most common criminal act involving computers was the use of systems and dial-up modems to connect to the Department of Defense’s networks to get free long distance. As home computers and desktop computers became more popular, the main means of interconnectivity among computer users was dial-up commercial systems, which eventually resulted in the development of more advanced commercial networks, such as America Online (AOL).
As with any mechanism that makes life easier for consumers, those with criminal intent developed a means to exploit those systems for other-than-lawful purposes. Thus, computers became a bigger focus of the criminal justice system, as they could be used for different types of criminal activity. A computer could be used to commit a crime, such as hacking or transferring private or illegal information (e.g., stolen social security numbers, credit card information, or child pornography); it could be used to store evidence of a crime (e.g., child pornography, a “murder list,” narcotics ledgers, “cooked” accounting books); or it could be the target of a crime. From a national and international perspective, computers can and have been used to facilitate acts of terrorism and/or threats to national security.
As a result, techniques had to be developed to allow criminal justice professionals to search through digital data contained on a computer or network to identify and collect evidence. Initially, criminal justice professionals used mainstream, widely used commercial software that could recover or search for data on a hard drive. Norton Disk Edit tools, for example, could be used to search a computer for digital evidence, but they also caused changes to the computer’s data. However, specialized forensic software was eventually developed (e.g., EnCase, FTK, SMART) to more accurately collect and search digital evidence without damaging or changing its content.
Initially, the courts did not understand the technology (neither the computers nor the forensic processes and software developed to examine them), and the law was not up-to-date enough to facilitate the investigation and prosecution of technology-based crimes. Further, there were not yet universal digital forensic standards or established best practices that practitioners could follow, which would have helped circumvent challenges to digital evidence in court. Fortunately, over the last twenty years, laws have been created or modified to account for technology-based crimes, digital forensic standards have been developed that are used across the discipline, and specialized tools have been developed that help law enforcement meet those standards.
Why is this important to each of you, as non-criminal justice professionals? While conducting a forensic analysis of your organization’s computer systems or networks – whether you’re searching for evidence of hacking or employee misconduct, or responding to a request for discovery in a lawsuit, as just a few examples – you may come across information that could lead to a criminal prosecution. If you do not follow the same standards used by criminal justice professionals (e.g., making every effort to analyze a bit-by-bit forensic copy instead of the original evidence directly), any evidence you find could be rendered inadmissible in court. However, if you perform your duties as a forensic examiner with criminal justice standards in mind, not only will it increase the utility of the digital evidence in a criminal or civil court, but it should also provide more certainty in your own results. In all situations involving the potential misuse of digital information, you should maintain a sensitivity to the potential for commercial/corporate terrorism or threats to geopolitical security.