Document Forensics: Physical and Digital,
The Difference and Varied Methodologies
by Everalm, Information Security Executive and CISO
Background
Where a document, be it physical or digital in nature, is suspected, rightly or wrongly, of having been altered, amended or forged, certain minimum steps, procedures and actions need to be taken before and during any analysis. If these steps are not undertaken, the use, worth or validity of any results is at best suspect and most probably wholly worthless.
For the purpose of this document, after explaining the differences between a physical original, a physical copy and an electronic representation, we will focus on the steps necessary for a sound analysis of an electronic representation.
Basic criteria
1. Has the analyst identified if he/she is looking at a physical original document, a physical copy of an original or an electronic representation of a physical original or copy?
An analyst who cannot answer this baseline question is incapable of performing any meaningful analysis and needs to be replaced by a competent analyst.
2. The map is not the country
An image or electronic representation of a physical document cannot be used to verify the validity of the original physical document. It can be used to extract some information about the original, but even then it only has forensic validity if the analyst can demonstrate beyond a reasonable doubt that the image used for analysis is a direct, forensically sound image or representation of the original. For example, using filters and other tools, elements may be enhanced, contrast may be increased or decreased, an element may be reversed, and so on. The information captured in this way can then be applied to further investigate the original physical document; it does not, however, change or inherently validate or invalidate the original document and its provenance.
3. Mutability
A seized physical document, if handled and managed in a forensically sound manner, is an inherently immutable element. Information may be damaged or destroyed, but it cannot be altered or amended without leaving traces. Analysis via mechanical, physical, electrical or electronic means can and should be specifically targeted to leave the document's information untouched. Destructive testing, for example to ascertain paper type or ink composition, or washing with reagents, needs to be fully documented, and the record will always note that the material consumed was, where practical, taken only from areas where no other information is present.
A seized electronic copy or representation of a physical document is by its nature inherently mutable, and changes can occur on every access or work step unless sound data-integrity processes and procedures are adhered to. As examples, date and time stamps may change, metadata may be altered, reproduction in transmission may be incomplete, and so on.
Because of this inherent nature of electronic media, steps must be taken at the outset to ensure that a static, “frozen” copy of the data has been taken, and all work must be performed only on forensically sound copies of the seized original master.
It cannot be emphasized enough that when an electronic document or image is seized, ANY WORK UNDERTAKEN ONLY HAS VALIDITY FOR THIS SPECIFIC SEIZED FILE FROM THE TIME IT WAS SEIZED.
For this reason, only documents captured on the original seized storage media are likely to provide sound data. For example, if an image of a document is presented on a web page, the act of downloading the image can alter elements of the file unless mechanisms are in place to verify the completeness, integrity and effective transfer, such as computing and storing “hashes” of the file in situ as well as of the downloaded version and comparing the two. It again needs to be emphasized that a verified copy does not and cannot guarantee that the file will remain inviolate once copied.
4. Inviolability
For any analysis of an electronic representation of a document to occur, it must be ensured that the seized original or originals are demonstrably sound and inviolate, in effect read-only, “frozen” master files. All testing must be done only on sound copies of the “frozen” masters, which ensures that the tests are reproducible. The “frozen” masters need to be secured, access to them recorded, and a demonstrable process put in place that can prove to a satisfactory level whether the masters have been altered. Typically, but not exclusively, this is performed by keeping the masters on read-only media and taking hash values of the files, which are then secured and periodically tested against the masters.
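The hashing controls described in sections 3 and 4 (hash the file in situ, compare the transferred copy against that hash, freeze the masters, and re-verify them periodically) are sketched below as an added Python example. This is not the article's own code or procedure; the file names, the manifest layout and the sample bytes are constructed assumptions for the demonstration, and a read-only file mode is used only as a stand-in for the read-only media the article calls for.

```python
"""Hash-manifest integrity workflow for "frozen" electronic masters.

Added example, not the article's own code or procedure. It sketches the
controls the article calls for: hash the seized files at the time of
seizure, make the masters read-only, and periodically re-verify them.
The file names, manifest layout and sample bytes are constructed for the
demonstration and are not real evidence.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_ALG = "sha256"  # assumption: any collision-resistant hash would serve


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex digest of the file's contents, read in chunks."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def freeze_master(path: Path) -> None:
    """Clear the write bits on a master file.

    A mode bit only stops careless tools; it is not a substitute for the
    read-only or write-blocked media the article requires.
    """
    mode = path.stat().st_mode
    path.chmod(mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def build_manifest(master_dir: Path) -> dict:
    """Record size and digest of every master at seizure time."""
    files = {}
    for p in sorted(master_dir.iterdir()):
        if p.is_file():
            files[p.name] = {"size": p.stat().st_size, "digest": hash_file(p)}
    return {"algorithm": HASH_ALG, "files": files}


def verify_manifest(master_dir: Path, manifest: dict) -> dict:
    """Re-hash the masters; classify each as ok, altered, missing or unlisted."""
    results = {}
    for name, rec in manifest["files"].items():
        p = master_dir / name
        if not p.is_file():
            results[name] = "missing"
        elif hash_file(p) == rec["digest"]:
            results[name] = "ok"
        else:
            results[name] = "altered"
    for p in master_dir.iterdir():
        # A file that appeared after seizure is not evidence and must be flagged.
        if p.is_file() and p.name not in manifest["files"]:
            results[p.name] = "unlisted"
    return results


def demo() -> dict:
    """Seize, freeze and verify two constructed files, then show tampering detected."""
    with tempfile.TemporaryDirectory() as tmp:
        masters = Path(tmp) / "masters"
        custody = Path(tmp) / "custody"
        masters.mkdir()
        custody.mkdir()
        # Constructed sample bytes standing in for seized scans; not real documents.
        (masters / "scan_page1.tif").write_bytes(b"II*\x00 constructed TIFF-like sample")
        (masters / "scan_page1.pdf").write_bytes(b"%PDF-1.4 constructed PDF-like sample")

        # 1. Hash at seizure, then freeze. The manifest is kept apart from the
        #    masters (here a sibling directory; in practice signed or on separate
        #    media) so that altering both at once is harder. The same comparison
        #    verifies a download against a digest taken at the source.
        (custody / "manifest.json").write_text(json.dumps(build_manifest(masters)))
        for p in masters.iterdir():
            freeze_master(p)
        manifest = json.loads((custody / "manifest.json").read_text())
        at_seizure = verify_manifest(masters, manifest)

        # 2. Filesystem metadata can change without the content changing: a
        #    timestamp reset leaves the digest, and so the verdict, unchanged.
        os.utime(masters / "scan_page1.pdf", (0, 0))
        after_touch = verify_manifest(masters, manifest)

        # 3. An undisciplined analyst (or an attacker) re-enables writing and flips
        #    one bit. The size is unchanged, yet re-verification catches it, and a
        #    stray working file dropped beside the masters is flagged as unlisted.
        target = masters / "scan_page1.tif"
        target.chmod(target.stat().st_mode | stat.S_IWUSR)
        data = bytearray(target.read_bytes())
        data[-1] ^= 0x01
        target.write_bytes(bytes(data))
        (masters / "notes.txt").write_text("stray working file")
        after_tamper = verify_manifest(masters, manifest)

        return {"at_seizure": at_seizure, "after_touch": after_touch,
                "after_tamper": after_tamper}


if __name__ == "__main__":
    for stage, verdicts in demo().items():
        print(stage, verdicts)
```

Note that the manifest itself becomes part of the chain of custody: it should be stored apart from the masters and protected in the same way (write-once media, a signature, or a record in the access log), since a manifest an attacker can rewrite proves nothing.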
Analysis of an electronic copy or electronic representation of an original physical copy
Assuming that the work is being undertaken on a representation of an original physical copy:
Once the analysis was run and the results collated, was the report reviewed by the CCP? If the report was acceptable, did Sheriff Arpaio officially sign off on the records and results?