Document Forensics: Physical and Digital,

The Difference and Varied Methodologies

by Everalm, Information Security Executive and CISO

Background

Where a document, be it physical or digital in nature, is suspected, rightly or wrongly, of being altered, amended or forged, there are certain minimum steps, procedures and actions that need to be taken before and during any analysis. If these steps are not undertaken, the use, worth or validity of any results is at best suspect and most probably wholly worthless.

For the purpose of this document, after explaining the differences between a physical original, a physical copy and an electronic representation, we will focus on the steps necessary for a sound analysis of an electronic representation.

Basic criteria

1. Has the analyst identified whether he/she is looking at a physical original document, a physical copy of an original, or an electronic representation of a physical original or copy?

An analyst that cannot answer this baseline question is incapable of performing any meaningful analysis and needs to be replaced by a competent analyst.

2. The map is not the country

An image or electronic representation of a physical document cannot be used to verify the validity of the original physical document. It can be used to extract some information about the original, but even then it only has forensic validity if the analyst can demonstrate beyond a reasonable doubt that the image used for analysis is a direct, forensically sound image or representation of the original. For example, using filters and other tools, data elements may be enhanced, have their contrast increased or decreased, be reversed, etc. The information captured in this way can then be applied to further investigate the original physical copy; it does not, however, change or inherently validate/invalidate the original document and its provenance.

3. Mutability

A seized physical document, if handled and managed in a forensically sound manner, is an inherently immutable element. Information may be damaged or destroyed but cannot be altered or amended without leaving traces. Analysis via mechanical, physical, electrical or electronic means can and should be specifically targeted to leave the document information untouched. Destructive testing, for example to ascertain paper type or ink composition, or washing with reagents, needs to be fully documented and will always be noted as using material that, where practical, is only taken from areas where no other information is present.

A seized electronic copy or representation of a physical document is by its nature inherently mutable, and changes will occur upon every access and work element unless sound data integrity processes and procedures are adhered to. As examples, date and time stamps may change, metadata may be altered, reproduction in transmission may be incomplete, etc.

Due to the inherent nature of electronic media, steps must be taken at the outset to ensure that a static “frozen” copy of the data has been taken, and all work can only be performed on forensically sound copies of the seized original master.

It cannot be emphasized enough that when an electronic document or image is seized, ANY WORK UNDERTAKEN ONLY HAS VALIDITY FOR THIS SPECIFIC SEIZED FILE FROM THE TIME IT WAS SEIZED.

For this reason, only documents captured on the original seized storage media are likely to provide sound data. For example, if an image of a document is presented on a web page, the act of downloading the image will alter elements of the file unless mechanisms are in place to verify the completeness, integrity and effective transfer, such as computing and storing “hashes” of the file in situ as well as of the downloaded version and comparing the two. It again needs to be emphasized that the validity of the copying of the file does not and cannot denote that the file will remain inviolate once copied.

4. Inviolability

For any analysis of an electronic representation of a document to occur, it must be ensured that the seized original or originals are demonstrably sound and inviolate, in effect read-only and “frozen” master files. All testing must be done only on sound copies of the “frozen” master files, which ensures that the tests are reproducible. The “frozen” masters need to be secured, access to them recorded, and a demonstrable process put in place that can prove to a satisfactory level whether the masters have been altered. Typically, but not exclusively, this would be done by keeping the masters on read-only media and by taking hash values of the files, securing those values and periodically testing them against the masters.


Analysis of an electronic copy or electronic representation of an original physical copy

  • The very first step that must be taken is to ensure that at least two fixed, immutable master copies of the data are taken and that these are secured and stored.
  • A work record needs to be opened stating what the file is, where and when it was obtained, the mechanisms used to obtain the file, the steps undertaken to ensure the inviolate nature of the seized file, and whether the file is an original document itself or a representation of a physical original.
  • In addition, the work record needs to contain a full record of all tasks undertaken.
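The following is an added example, not code from the article or from any of the parties it discusses, showing in Python (standard library only) the minimal "frozen master" workflow the preceding sections describe: take two read-only master copies of a seized file, hash each one and compare it with the hash of the seized file, open a work record that names the hashing method and application, take working copies only from a master that still matches its recorded hash, and compare an in-situ hash with a transferred copy. File names, the JSON-style record layout and the sample file contents are constructed for the example; `demo()` runs the whole procedure in a temporary directory and shows an altered master being detected.

```python
import hashlib
import os
import shutil
import stat
import sys
import tempfile
from datetime import datetime, timezone

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large scans need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def _now():
    return datetime.now(timezone.utc).isoformat()

def freeze_master(source_path, master_dir, copies=2, algorithm="sha256"):
    """Take `copies` read-only master copies of a seized file and open its work record.
    Every copy is re-hashed and compared with the seized file's hash before it
    becomes a master, so a truncated or corrupted copy is rejected immediately."""
    os.makedirs(master_dir, exist_ok=True)
    source_hash = hash_file(source_path, algorithm)
    record = {                                     # constructed record layout
        "seized_file": os.path.abspath(source_path),
        "seized_at": _now(),
        "hash_algorithm": algorithm,
        "hash_application": f"Python {sys.version.split()[0]} hashlib",
        "source_hash": source_hash,
        "masters": [],
        "log": [],
    }
    for index in range(1, copies + 1):
        dest = os.path.join(master_dir, f"master{index}_{os.path.basename(source_path)}")
        shutil.copy2(source_path, dest)            # copy2 keeps the file timestamps
        copy_hash = hash_file(dest, algorithm)
        if copy_hash != source_hash:
            raise RuntimeError(f"master copy {dest} does not match the seized file")
        os.chmod(dest, stat.S_IRUSR)               # owner read-only: the "frozen" master
        record["masters"].append({"path": dest, "hash": copy_hash})
        record["log"].append({"at": _now(), "action": "master_created", "path": dest})
    return record

def verify_masters(record):
    """Re-hash every master and log whether it still matches its frozen hash."""
    results = {}
    for master in record["masters"]:
        try:
            current = hash_file(master["path"], record["hash_algorithm"])
        except FileNotFoundError:
            current = None
        results[master["path"]] = current == master["hash"]
    record["log"].append({"at": _now(), "action": "masters_verified", "results": results})
    return results

def working_copy(record, work_dir, master_index=0):
    """Take a writable working copy from a master, refusing if that master was altered."""
    master = record["masters"][master_index]
    if hash_file(master["path"], record["hash_algorithm"]) != master["hash"]:
        raise RuntimeError(f"master {master['path']} altered; no working copy taken")
    os.makedirs(work_dir, exist_ok=True)
    dest = os.path.join(work_dir, "work_" + os.path.basename(master["path"]))
    shutil.copyfile(master["path"], dest)          # copyfile: do not inherit read-only mode
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)
    record["log"].append({"at": _now(), "action": "working_copy_taken",
                          "path": dest, "hash": hash_file(dest, record["hash_algorithm"])})
    return dest

def verify_transfer(in_situ_hash, local_path, algorithm="sha256"):
    """Compare the hash recorded at the source with the hash of the transferred file."""
    return hash_file(local_path, algorithm) == in_situ_hash

def demo():
    """Run the workflow on a constructed file and show an altered master being caught."""
    base = tempfile.mkdtemp(prefix="frozen_demo_")
    seized = os.path.join(base, "seized_scan.pdf")
    with open(seized, "wb") as handle:             # constructed sample, not a real file
        handle.write(b"%PDF-1.4\n% constructed sample, not a real seized file\n")
    record = freeze_master(seized, os.path.join(base, "masters"))
    before = all(verify_masters(record).values())
    work = working_copy(record, os.path.join(base, "work"))
    tampered = record["masters"][1]["path"]        # simulate someone editing master 2
    os.chmod(tampered, stat.S_IRUSR | stat.S_IWUSR)
    with open(tampered, "ab") as handle:
        handle.write(b"\n% appended after seizure\n")
    results = verify_masters(record)
    after = [results[m["path"]] for m in record["masters"]]
    transfer_ok = verify_transfer(record["source_hash"], work)
    transfer_bad = verify_transfer(record["source_hash"], tampered)
    shutil.rmtree(base, ignore_errors=True)
    return {"masters_ok_before": before, "masters_ok_after": after,
            "transfer_ok": transfer_ok, "transfer_altered_detected": not transfer_bad,
            "log_entries": len(record["log"])}

if __name__ == "__main__":
    print(demo())
```

The read-only mode bit and the hash list are the detection mechanism, not a prevention: anyone with write access to the media can still flip the bit and edit the file, which is exactly why the masters are verified again before every working copy is taken and why the hash values themselves need to be stored somewhere the analyst cannot silently overwrite.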

Assuming that the work is being undertaken on a representation of an original physical copy:

  1. What methodologies (if any) did the Cold Case Posse and their as yet anonymous "experts" use to seize forensically sound originals of the images they analysed?
  2. Did they have access to the data storage device the original file resides on or did they simply copy a file over the internet?
  3. If they did not have access to the originating storage media, what steps could they have undertaken to ensure the file they worked on is the file stored on the originating media?
  4. Where are the work books and records detailing the steps undertaken, tests performed, individuals performing them, test software and hardware used?
  5. What methods were used to ensure inviolate copies of the seized originals?
  6. What steps were taken to take forensically sound working images of the “frozen” images?
  7. What steps were taken to ensure that the files being analysed had a sound, inviolate chain of custody from start to finish?
  8. Which hashing method, version, and application did they use?
  9. Where and how were the hash values stored and can they be demonstrated not to have been altered, amended or changed at any stage?
  10. Since, by the very nature of electronic transfer of data via the Internet, data can and (unless sound methods are in place) will be changed during the transfer and recording process, what steps, policies, processes, procedures, applications and methodologies were used to ensure an inviolate and sound copy was transferred?
  11. What steps were undertaken to ensure that the file that was identified and copied did in fact originate from its supposed target? For example, was any network traffic analysis undertaken to provide some assurance that the believed target was the actual target?
  12. In addition, what steps (if any) were taken to ensure that the data was not maliciously or inadvertently altered, amended, changed, or corrupted in transit through multiple routers and routes?
  13. When the file was being worked on, what assumptions were taken and worked on and where is the record in the report?
  14. When the file was initially analysed, was it noted and recorded that the file metadata indicated it was created on a Mac computer using an operating-system-specific, embedded process to create a PDF file via scanning?
  15. If so noted, where is it recorded in the working documents, and where is the decision matrix explaining exactly which criteria were adopted to NOT replicate this and instead use Windows PCs, a Windows operating system and a third-party application to create a PDF?
  16. Is it recorded in the work record, or other contemporaneous record what differences could be expected by not using similar/identical hardware, software and processes and is this matrix of expected differences recorded and matched against actual results?
  17. Were these differential records analysed independently of the analyst to ascertain if the differences were insignificant, significant, or fatal for forensic analysis?
  18. Where is it documented and recorded that the CCP and their analysts identified which model, make and manufacturer of scanner was used to create the file and where is it also noted that the CCP and their analysts used the same to create and work on their images?
  19. Is it recorded in the work record, or other contemporaneous record, what differences could be expected by not using similar/identical scanner hardware, software and processes, and is this matrix of expected differences recorded and matched against actual results?
  20. Were these differential records analysed independently of the analyst to ascertain if the scanner differences were insignificant, significant or fatal for forensic analysis?
  21. Was the analysis run once or more than once and if more than once, were the results of the analysis compared to see if they provided the identical results?
  22. Assuming that the analysis was run more than once for sanity checks, were the runs independently performed by another analyst to act as a check against methodology or process bias?
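Questions 14 to 16 turn on what the seized file's own metadata says about the software that produced it, and on recording where the analyst's re-creation differs from that. As an added example, not from the article or from any of the parties it discusses, the Python below reads the Producer, Creator and date fields from the classic PDF Info dictionary using only the standard library, and builds the "expected differences" matrix between the seized file and a re-created one. The sample PDF and all tool names in it are constructed; the parser deliberately handles only uncompressed Info dictionaries with literal strings (no XMP metadata streams, hex strings or object streams), which is the caveat to record in the work record if a real file has none.

```python
import re

# Constructed sample: the minimal skeleton a scan-to-PDF tool would write, with an
# Info dictionary naming the toolchain. Not a real seized file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Producer (Constructed OS PDF Backend 1.0) /Creator (Constructed Scan Utility)
   /CreationDate (D:20240102030405Z) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_KEYS = ("Producer", "Creator", "CreationDate", "ModDate")

def _pdf_literal(raw: bytes) -> str:
    """Undo the backslash escapes that can appear inside a PDF literal string."""
    return re.sub(rb"\\([\\()])", rb"\1", raw).decode("latin-1")

def extract_info_dict(pdf: bytes) -> dict:
    """Return the toolchain fields from the /Info dictionary, or {} if there is none.
    The last trailer wins, because incremental updates append new trailers."""
    refs = list(re.finditer(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf))
    if not refs:
        return {}
    num, gen = refs[-1].group(1), refs[-1].group(2)
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", pdf, re.S)
    if not obj:
        return {}
    body = obj.group(1)
    found = {}
    for key in INFO_KEYS:
        # A literal string: ( ... ) with backslash escapes allowed inside.
        match = re.search(rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)", body)
        if match:
            found[key] = _pdf_literal(match.group(1))
    return found

def compare_toolchain(seized: dict, recreated: dict, keys=("Producer", "Creator")) -> dict:
    """Expected-differences matrix: for each toolchain field, record whether the
    analyst's re-created file was produced by the same software as the seized one."""
    matrix = {}
    for key in keys:
        if key not in seized or key not in recreated:
            matrix[key] = "missing"
        elif seized[key] == recreated[key]:
            matrix[key] = "match"
        else:
            matrix[key] = "differs"
    return matrix

if __name__ == "__main__":
    seized_info = extract_info_dict(SAMPLE_PDF)
    # Constructed metadata for a file re-created with a different PDF writer.
    recreated_info = {"Producer": "Constructed Third-Party Writer 2.0",
                      "Creator": "Constructed Scan Utility"}
    print(seized_info)
    print(compare_toolchain(seized_info, recreated_info))
```

A "differs" entry in the matrix is not itself evidence of anything about the seized file; it is the flag that the re-creation used different software, and the work record should then state what artefacts that difference is expected to introduce before the results of the two are compared.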

Once the analysis was run and the results collated, was the report reviewed by the CCP? If the report was acceptable, did Sheriff Arpaio officially sign off as to satisfaction of the records and results?