High Tech: The Science

 [home] [the law]

1.0 Cell Phones

1.1 Basic Terminology and Functioning

Cellular phones are devices that use a cellular network to perform tasks of telecommunications, such as wireless telephony, text massages, or data transmission. When cell phones are turned on, they emit a periodic signal that enables the network to locate and identify that specific device when a call is placed or received by it. The phone is constantly searching for the best signal available to it, and thus the tower that emits the strongest signal (generally, the closest) will be the tower used by the phone.

When individuals make phone calls, or perform some other type of transaction on their cellular phone, each transaction leaves a trail on their phone and / or the network with which it operates. When cellular phones are turned on, they emit a periodic signal, which enables to the network of “cell sites” or “towers” to locate and identify that specific phone when a call is placed or received by that particular device. A cellular phone will generally use the closest tower, as it will be the one providing the best signal. This general rule, of course, has exceptions. For example, when there are significant obstructions between the phone and the closest tower the phone may use an alternate tower.

1.2 Tracing the Signal

The process by which a subscriber can be identified can be broken down to 5 steps:

  1. The customer makes a call from their cellular phone and the call signal is transmitted to the closest tower (generally) owned by the customer’s carrier;
  2. That cell tower then forwards the call to the mobile telephone switching office (MTSO) responsible for interconnecting calls with the local and long distance landline phone companies, compiling billing information and the personal information of a subscriber;
  3. The MTSO routes the call to (i) a multicarrier interconnect which then transmits it to the intended recipient OR (ii) or, if the receiving client is of the same provider a client with the same provider;
  4. The signal is then sent to the cell tower closest to the intended recipient; finally

Working backwards from where the call was received, both the subscriber that placed the call, and the recipient of the call can be identified by tracing these steps. Of course, to do so, either the sending or receiving customer must be known. The number associated cellular device can identify the sending or receiving customer, so long as there is a given time frame that can be examined. This number is then traced back to a carrier, who would be able to identify the personal characteristics (name, address, birth date, etc.) of the customer in question.

1.3 Tower Configurations

Tower configurations generally resemble a circle - although there is often large deviations in the outer edges of the coverage zone. The tower sits at the centre point emitting a signal. The signals emitted are generally divided into three equal sections.

Information can be downloaded from the towers (a “tower dump"). An example of this information is toll records that detail the activity of that tower — for a specific date and time — which includes: incoming and outgoing calls and the numbers that placed and received the call. 

2.0 Computers

Digital forensic analysis largely involves the extraction of evidence from an electronic device, such as a computer or smart phone. The digital evidence extracted from such a device can include files, images, Internet search history or electronic communications such as e-mails and text messages.

2.1 Basic Terminology

Write blocker: protects data by preventing anyone from overwriting information on a hard drive.

EnCase: a specialized program commonly used for creating backups of data.

Hash value: a code created by a mathematical algorithm that is calculated based on the exact content of the file.  Any subsequent change to the file will alter its hash value.

Encryption: the scrambling of information.

Internet service provider (ISP): An organization that provides customers with access to the Internet. 

3.0 Forensic Analysis 

3.1 Purpose and Goal of Digital Forensic Analysis

Digital forensics involves the extraction, protection and analysis of the digital information stored on an electronic device [1]. It can also include decrypting encrypted files to gain access to any evidence contained within those files. Digital evidence can be critical to proving an offence. In particular, where technology is used as the primary means of committing a crime (see e.g. Criminal Code, RSC 1985, c C-46 s. 163.1(4.1) - Accessing Child Pornography), the device may contain the only evidence of that offence. Digital devices might also contain circumstantial evidence of an offence, such as communications between a buyer and a seller in the trafficking of drugs (see e.g. the recent case R v Franko, 2012 ABQB 282 in which a cell phone contained text messages believed to be associated with the drug trade; and the earlier case, R v Giles, 2007 BCSC 1147, in which investigators sought to search a cell phone for evidence of “score sheets” that account for drug purchases, orders and accounts receivable).

3.2 Extracting Evidence from a Suspect’s Hard Drive

Digital information is volatile and can easily be altered or erased, potentially compromising the integrity of the evidence [2]. Extracting evidence from electronic devices is therefore one of the biggest challenges for the high-tech specialist. In order to prove that digital evidence has not been altered while in police possession, an examiner will copy the information stored on an electronic device before commencing a search of the contents [3]. EnCase is a specialized program commonly used for creating backups of data [4]. The expert will also use a write blocker to protect the integrity of evidence stored on a hard drive. A write blocker protects data by preventing anyone from overwriting information on a hard drive [5].

With the hard drive safely copied, the expert will assign each file on the drive a hash value. The hash value is a code created by a mathematical algorithm that is calculated based on the exact content of the file [6]. Any subsequent change to the file will alter its hash value [7]. Therefore, as long the original and copied files have the same hash value, the Crown can demonstrate that the authorities have not altered the files [8]. Once the examiner has preserved the file integrity using this procedure, the examiner can then use a number of forensic programs to search, retrieve and decode digital evidence from the hard drive copy.

3.3 Accessing Files

3.3.1 Locating Deleted Files

Computers and other devices can provide an excellent source of evidence when a suspect does not realize that she has not fully erased her deleted files from her hard drive [9]. This is because a forensic expert can recover “deleted” files and make them available as evidence in a case. When a file is “deleted,” the file is simply altered in a way that tells the computer’s operating system that the disc space previously occupied by that document can now be replaced with a new file. Thus the original file is not actually erased at the point of deletion. Even when that disc space is overwritten with a new file, it is possible that a portion of the original file remains untouched and can be retrieved [10].

3.3.2 Decrypting Evidence

The scrambling of information, known as encryption, may prevent the expert from accessing and viewing certain protected data [11]. Some encryption is so advanced that the expert cannot unscramble the information. In that situation, any evidence stored on the device is inaccessible [12]. A variety of tools are available that can remove passwords, bypass them or recover them in order to access the protected data. Where it is not possible to defeat the encryption, investigators may be able to search for unencrypted versions of the same data in other areas of the hard drive [13].

3.4 Linking Evidence to a Specific User

When an electronic device is connected to the Internet, or where a series of devices are connected together on a common network, it is possible for someone to enter the system and use it in such a way that an innocent person is accused of doing something they did not do [14]. In order to overcome this uncertainty, investigators can refer to data logs, which contain information about when and how a computer was used. For example, if the offence involves the downloading of illegal files from the internet, the time and date stamp of when those files were downloaded can assist in narrowing the range of suspects who could have accessed them. Similar data is also logged whenever a document is printed [15]. Internet browser history can also provide valuable evidentiary information, which can also be recovered after deletion. However, investigators must be cautious with this information. Just because a website is listed in an individuals Internet history does not necessarily mean that he or she visited that website. Some websites may automatically redirect browsers to other potentially illicit websites [16].

 

1 See Robert Moore, Search and Seizure of Digital Evidence (New York: LFB Scholarly Publishing, 2005) at 183 [Moore] and Ian Kennedy, “Investigating Digital Crime” in Investigating Digital Crime, Robin Bryant ed (West Sussex, UK: Wiley, 2008) 49 at 49-50 [Kennedy].

Moore, ibid at 70.

Ibid at 13.

4 EnCase is one of the few computer systems to be challenged in U.S. courts and was found acceptable under both the Daubert and Frye tests for admissibility. See Moore, supra note 9 at 72.

5 Stephen Mason, ed, Electronic Evidence, 2d ed (Markham, Ontario: LexisNexis Canada, 2010) at 73-74 [Mason].

Moore, supra note 1 at 71.

7  Ibid.

8  Ibid at 72 (because the algorithm is created by mathematical formula, there is always the possibility of duplication, but common formula has bee shown to be more accurate than a DNA test).

Moore, supra note 1 at 68; Mason, supra note 5 at 75.

10 See Moore, supra note 1 at 66-67.

11 Ibid.

12 R v Beauchamp, 2008 CanLII 27481 (ONSC).

13  Mason, supra note 5 at 75-76.

14 Ibid at 76.

15  Ibid.

16 Ibid at 76-77.