Expert Witness & Digital Forensic Services


Site Contents: © Peter Sommer, 2015 Not to be reproduced without permission

PO Box 6447  London N4 4RX UK




This is a very brief primer for lawyers to familiarise themselves with the basics of the forensic handling of computers and associated data media and to help  understand the terminology.  The first part deals with hard disk evidence, the second with tracing on the Internet and IP Addresses

Evidence from Hard Disks and  Data Storage Media

Procedures are defined by the ACPO Good Practice Guide for Computer-based Electronic Evidence.

Computers are seized;   if the computer is switched off, all well and good, if not the Good Practice Guide offers advice and procedures.  The computer (and data media) is “bagged and tagged” and from thereon in there should be full continuity records and statements.

The computer is passed to a technician who creates a “forensic disk image” which seeks to preserve all the contents of the hard-disk(s) or other media.  Usually the hard-disk to be imaged is connected to an imaging computer using a “write protect” device which prevents any further writing so as to avoid contamination.  The hard-disk is either removed from the original computer and placed in an examining computer  or connected to the original via a special “cross-over” network cable - the original computer is started up from its CD drive with special software which does not “touch” the computer’s main hard-disk (start it up actively).  Imaging software products used for this purpose include Encase and Accessdata FTK Imager.   Other “open source” products also produce what is referred to as a “raw” or dd  image.  The proprietary products create compressed images which are accurate but easier to handle.    The most image popular format, and the one most likely to be encountered by criminal defence solicitors, is EnCase.  

Experts hired by the defence will want a copy of all relevant forensic disk images in order to carry out their instructions and also copies of witness statements describing what prosecution technicians have done.

There are some inbuilt integrity tests to forensic images, and a defence expert will also want to check that the last recorded dates and times on the forensic image match the continuity statements.   Only in very rare circumstances will a defence expert need access to the original seized computer disk(s).  

Both prosecution and defence experts conduct their examinations on the forensic copies, not on the originals.

One use of the forensic disk image is to create a clone of the original hard-disk by writing the image back to another hard-disk (or other medium) of the same size.  But this technique is used very rarely as the process of examination causes many changes to the disk.  The major computer forensics analysis tools,  EnCase,  AccessData FTK ,  X-Ways Forensics,  allow direct analysis of the disk image.  Other tools are for Apple Mac OSX.   The investigating technician can ask for a variety of displays, some of them similar to Windows Explorer, others rather more sophisticated.   One very useful technique is to be able to build chronologies of activity.  Emails are often held in a database on the computer but the analysis software is able to present them for easy reading. Files of interest can be “exported” for further examination or exhibiting.   

The tools can, among other things,  carry out various forms of data recovery of deleted material,   analyse files and file fragments in their “raw” state, and carry out complex searches against “keywords” across the entire hard-disk,  including parts normally hidden to the ordinary user, for example   the System Registry and Restore Points.

Additional specialist tools may be used to examine Internet browsing activity (NetAnalysis) or, for example, where file-sharing may have been used.

Files to be referred to in evidence (or in Particulars) should usually be identified by means of their “full path” name, eg C:\Documents and Setting\Username\My Documents\My Downloads\interesting file.doc.  This works for extant and easily recovered files;  file fragments normally have to be identified by their “absolute sector” location on disk.

If it is desired to “see what the user of the computer saw” then a useful technique is virtualisation, where the computer to be examined is made to “run” safely in a window on another computer.

 As a prelude to full imaging,  some law enforcement examiners use facilities built into the popular products to “preview” computers of  concern.  The “target” computer and the examiner’s computer are connected over a network cable;  very soon thereafter the contents of the target can be examined to see if there is anything of interest, at which point a full image can be made.  This approach is important as quantities of computer material to be examined increase, and some form of triage becomes necessary.

In some circumstances it is not practically possible to carry out a full physical forensic image exercise of the type described.  Where only part of a disk is captured,  the result is described as a “logical image” - this is better than nothing and technical  precautions are still necessary.    Most smartphone and tablet images are “logical” as the design of these devices prevents full physical access.

The most basic type of instruction given to a defence expert is “due diligence”;  in essence to verify the procedures and findings of the prosecution’s experts and any inferences therefrom.   Time can be saved at trial where agreement on procedures and exhibits can be achieved, even if different inferences may be drawn.  

Tracing People and Computers on the Internet:  IP addresses

The primary means of identifying computers on the Internet is via its IP address;  with additional information you may be able to say who was using the computer at the time.  IP addresses,  in the current version, consist of four groups each of up to three numbers, for example:   Transmission across the Internet takes place in “packets” of information and a typical packet will contain the IP addresses of the originator and the intended recipient.   Web-servers,  e-commerce websites many other resources will capture and record IP addresses.

Unfortunately the current addressing system  (known as IP V4) is insufficient for all the computers that wish to use the Internet and a number of “cheats” are deployed.  One of the most important is used by ISPs and cellphone companies in relation to their consumer-customers and similar techniques are used by large companies for their employees.  The ISP has a pool of IP addresses which it “leases” to its customers on as-needed basis.   One consequence is that an individual customer of an ISP may have had, over a period of time, several different IP addresses;  moreover any single IP address may have been used by several customers .

ISPs maintain records, at least for a while, of which subscriber, at any one time had a specific IP address.

Thus to identify a person from , for example, a web-server log of IP addresses,  one must first identify the ISP who “owns” the general range of IP addresses and then ask/demand the name of the subscriber who held that specific address at the relevant time.  Police in the UK would do this via a Production Order under Sch 1PACE 1984 and s 22 RIPA 2000.   In civil cases,  parties can ask for a court order under CPR 31.17 once litigation is commenced or a Norwich Pharmacal Order prior to litigation.  (The replacement for IP V4 allows for many more addresses so that this last stage may eventually become unnecessary)

It is important to realise that this process only identifies the subscriber to the ISP service, not necessarily the individual user as there may be several users in the home and office all connected to the same “hub” device which links the premises to the ISP.

As with many forms of digital evidence it is all too easy to jump to the wrong conclusions!