Digital Forensics Investigation
The advancement of technology has also brought bad elements with it. Because the internet gives access to a multitude of content, it is easier for criminals to thrive in such an environment. These include cyberbullies, online harassers and even hackers of private data. The development of forensic science has made it easier to track down the specific addresses of the people involved and interpret any technical aspects that might be necessary to prosecute the perpetrators. As technology continues to grow, the threats to it will continue to increase as well.
The Crime Being Investigated
James Cameron was indicted on February 17, 2009, on charges of transportation, receipt, and possession of child pornography. He was alleged to have uploaded child pornography to a Yahoo photo album under different aliases between July 2006 and January 2008. Yahoo had reported the existence of many child pornography images within the photo album of an account in their service. The Yahoo report triggered an investigation by the state police on September 6, which had received two referrals from the National Center for Missing and Exploited Children on August 28. After an investigation was conducted by the Maine Police Department, the account was traced to a woman named Barbara Cameron, who was the wife of the eventual perpetrator, James Cameron (AdamsKennebec, 2011). A search warrant was issued for a search of the Cameron house, where the police seized four computers. The ensuing examination uncovered child pornography, some involving children as young as 4-6 years. Internet conversations were discovered on the computer, made by a man describing himself as a 45-year-old married father with a daughter (Justice.gov, 2014). The description was one that fit Mr. James Cameron, who was an assistant attorney general for the state of Maine.
The Digital Forensic Process Applied in the Case
The digital forensic process mainly involves the collection of evidence of a digital nature using forensic tools and techniques. The following are the five basic stages in the collection of digital evidence.
Preservation – in this stage, the relevant electronically stored information is preserved by securing the scene of the crime and taking pictures of scenes. The investigators responsible must also clearly document the necessary information regarding the evidence and how it got acquired.
Collection – the collection process involves the actual collection of the data relevant to the investigation at hand. The electronic devices involved in the crime are collected and imaged, copied and the contents printed out. The catalog will include every bit of data collected in the investigation. The original copy of the hard drive is not used, but rather imaged and kept in the safe. This is done to ensure that the original data is preserved as it was. A chain of custody is very important in a forensic investigation case as it will determine the integrity of the data. As such, the digital investigator needs to be acutely aware of the location of the collected evidence at all times in the various stages of the investigation. To safeguard the evidence, common best practice is to place it in a safe or cabinet whose access is strictly limited to individuals relevant to the investigation (Casey, 2013).
Analysis – the analysis process conducts a thorough and systematic examination of the devices to find evidence to support the case and make it prosecutable. The output of the process will be the data that is discovered in the device and will include both the system-generated files and the user-generated files. During this stage, the forensic investigators will draw conclusions that they will base on the evidence that they discover. The analysis of the evidence must include both exculpatory and inculpatory interpretation of the data. In the former, the investigators attempt to find information that might exonerate the suspect from the crimes leveled against them. In the latter, they look for information that confirms their guilt.
Reporting – the reporting stage is an important one as it is where the results and conclusions of the case are communicated by the investigators. The reports need to be based on tried and tested forensic techniques, and it is important that the conclusions still stand when a different team of capable forensic investigators repeats the work, that is, that such a team can reproduce the same results.
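The Collection stage above, and the hard disk imaging practice described later under Digital Evidence Used, both rest on a verified copy plus a custody record. The sketch below is an added example, not part of the original essay and not how FTK Imager works internally: it copies a source byte for byte, hashes both sides with SHA-256 and appends a custody entry. The file names, the `examiner-01` label and the JSON log layout are assumptions, and an ordinary file of random bytes stands in for a seized disk.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks; the copy is still byte-for-byte


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image, custody_log, examiner):
    """Copy source to image, verify the copy, and append a custody record."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # the working copy is read-only from here on
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of(image),  # re-read what actually landed on disk
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed stand-in for a seized disk: about 3 MiB of random bytes."""
    work = tempfile.mkdtemp()
    paths = [os.path.join(work, n) for n in ("disk.raw", "copy.dd", "custody.jsonl")]
    with open(paths[0], "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 17))
    return acquire_image(*paths, examiner="examiner-01")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-hashing the working copy at the start of each later examination session and comparing it with `source_sha256` in the log shows whether the copy has changed since acquisition.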
Similar techniques were used in the collection of evidence in the James Cameron case. The investigators ensured they had a search warrant for Mr. James Cameron’s house. The search warrant was important since it would provide legal cover for accessing what still remained private property. Any failure during this stage would have severely affected the case on the grounds of illegal seizure of property. The investigation was carried out by the computer crimes unit of the criminal investigation and forensics division of the State Police of Maine (AdamsKennebec, 2011). After the collection of the computers from Cameron’s house, the chain of custody was established: the computers were transported from the house in a vehicle of the computer crimes unit and taken to the unit's laboratory, where they were secured accordingly. Beforehand at the house, the investigators had taken extensive photos of the computers before moving them. They also checked whether each computer was on or off and determined whether information would be lost should the computer be switched off. After this was determined conclusively, the team then moved the four computers.
At the lab, the investigators conducted an evidence grading process. The process is conducted under two main criteria: evidence competency and evidence sufficiency. Evidence competency attempts to establish the trustworthiness of the evidence the investigators have collected. It is usually a process done at the discretion of the investigator. The next step was evidence sufficiency, which was to determine that the evidence collected would capably support a reasonable opinion. Therefore, more of the findings are needed to prop up the case. These two processes represent important thresholds that must be met to ensure the success of the case (Jahankhani, 2014).
Digital Evidence Used
The case against Mr. James Cameron largely rested on the pornographic content found on his computer hard disk as well as email communication he conducted with an unidentified third party. The data was instrumental in building the case against Mr. Cameron since it directly tied him to the crime. The pornographic content was mostly made of videos and images that were contained on his computers that he kept at home. There were also pornographic videos and images that he kept in a Yahoo photo album as well as others that he shared through a chat service known as Google Hello. These were collected by the forensic team and formed part of his indictment sentence as pronounced by the judge (Justice.gov, 2014).
Collecting the data used in the case required a number of forensic techniques. When evaluating an email, a number of features are examined. These are located in the email header and include:
- To – this shows the email recipient.
- From – shows the email sender. It is, however, prone to forgery.
- Subject – shows the topic of the email as sent by the sender.
- Date – displays the date and time the email was sent.
- Return path – displays the email address to be used should there be an error when the email is sent.
- Received – displays the computers and servers where the email went through to reach the intended recipient. The IP addresses of the computers/servers the email passed through will also be contained in the header as will the date and time it happened. It is an important finding for the forensic investigator as they get to analyze the movement of an email message from the moment it was sent.
- Content type – It will show whether the email is in HTML or plain text.
The email header was used to gather the information on the emails that were sent to those computers. While the computer was indeed registered to Mr. Cameron’s wife, the headers were nonetheless successful in placing Mr. James Cameron as the user behind the content being sent. The videos and images of child pornographic content discovered in the computers were obscured in hidden folders.
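The header fields listed above can be read programmatically. The following is an added example, not taken from the case or the original essay: it uses Python's standard `email` package to rebuild the path of a message from its Received lines and to compare the From domain with the Return-Path domain. The sample message is constructed, with example domains and documentation IP ranges, and the function names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; hosts use example domains and documentation IP ranges.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
 by inbox.example.org with ESMTP id A1; Tue, 03 Jan 2023 10:00:09 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25])
 by mx.example.org with ESMTP id B2; Tue, 03 Jan 2023 10:00:05 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by relay.example.net with ESMTPSA id C3; Tue, 03 Jan 2023 10:00:01 +0000
From: "Alice" <alice@example.com>
To: bob@example.org
Subject: Quarterly report
Date: Tue, 03 Jan 2023 10:00:00 +0000
Content-Type: text/plain; charset="utf-8"
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_hops(msg):
    """Return (ip, timestamp) per hop, oldest first. Each server prepends its
    Received line, so the header order is newest first and must be reversed."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        route, _, stamp = value.rpartition(";")
        ips = IP_RE.findall(route)
        hops.append((ips[-1] if ips else None, parsedate_to_datetime(stamp.strip())))
    return hops


def summarize(raw):
    msg = message_from_string(raw)
    hops = trace_hops(msg)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    return {
        "origin_ip": hops[0][0] if hops else None,
        "hops": hops,
        "in_time_order": all(a[1] <= b[1] for a, b in zip(hops, hops[1:])),
        "from_matches_return_path": from_dom.lower() == rp_dom.lower(),
        "content_type": msg.get_content_type(),
    }


if __name__ == "__main__":
    print(summarize(RAW))
```

A From domain that differs from the Return-Path domain, or hop timestamps that run backwards, is a lead to check against server logs rather than proof of forgery, since bulk mail services legitimately use their own bounce domain and server clocks drift.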
When conducting a forensic examination of a computer hard disk, it is usually important to first perform a full imaging of the hard disk. It is best practice for a forensic investigator not to use the original hard disk in the examination of the case. Instead, they copy the contents of the disk bit by bit or, in certain instances where they can trace the area on the disk that holds the information they need, they image that specific sector. The result is that they have a complete recreation of the hard disk while the original one is locked away in a safe for the duration of the investigation. The hard disks from Mr. Cameron’s computer were acquired through the use of a forensic software tool known as FTK Imager. A log is kept as a chain of custody document throughout the examination and analysis phase of the disk. The Rootkit Revealer was used to extract data from the hard disk, including the video and photo evidence that was eventually used in the case (Kruse II, and Heiser, 2014).
Ethics in Forensic Science
Theories of Ethics
The natural law is a position stating that rational reflection on human nature can lead to the discovery of good and bad actions. The discovery can then guide the person onto a path of flourishing endeavors for the human race. It simply states that humans are capable of self-actualizing their own capacity for doing good things. In this case, the ethics of natural law can be viewed through the discovery of James Cameron’s activities and the subsequent chain of events that led to his arrest and indictment. Internet companies do not normally report their own customers, but by doing exactly that, Yahoo was able to let the natural law run its course in the end. The evidence revealed that Mr. Cameron had indeed committed the alleged crimes leveled at him. With that, it is then possible to argue that all subsequent acts could be classified as necessary actions that were needed to build the case against James Cameron. Having committed a crime as despicable as that, it is fitting that the case against him be built as strongly as possible (Kruse II, and Heiser, 2014).
The theory of consequentialism posits that the consequences of an action, bad or good, are the primary focus. The consequences are viewed according to how they can serve the greatest number of humans possible. In James Cameron's case, the crime was considered too foul to be allowed to continue existing in society. The further consequences of the crime would have led to an increase in such behavior in the larger community. Mr. Cameron would have roped more people into his operation and made it unsafe for children in the neighborhood. The consequences of his crimes need to be considered to understand how he would have conducted further activities and whether he would have involved more people in the future. It is also a theory that can be used in other areas, including letting go of petty offenders if the consequences do not reflect that they would lead to a bigger impact on the community.
References
Adams, B. (2011, March 10). Cameron sentenced to 16 years in prison. Retrieved from https://www.pressherald.com/2011/03/10/cameron-sentenced-to-16-years-in-prison/
Casey, E. (2013). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press.
Jahankhani, H. (2014). Handbook of electronic security and digital forensics. New Jersey: World Scientific.
Justice.gov (Ed.). (2014, December 17). James Cameron Sentenced to 15 and 3/4 Years on Child Pornography and Contempt Charges. Retrieved from https://www.justice.gov/usao-me/pr/james-cameron-sentenced-15-and-34-years-child-pornography-and-contempt-charges
Kruse II, W.G., and Heiser, J.G. (2014). Computer Forensics: Incident Response Essentials. 14th edition, Indianapolis: Pearson Education