Technical Tuesday – 3 April 2012 – Does Locard’s Exchange Principle Apply in Digital Forensics? by Ken Zatyko


In this presentation, we pose a challenge question for today’s cyber experts, cyber scientists, and cyber analysts: does Locard’s Exchange Principle apply in digital forensics? The dramatic increase in cybercrime and the repeated cyber intrusions into critical infrastructure demonstrate the need for improved security. The Executive Office of the President noted on May 12, 2011 that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” (www.whitehouse.gov). We believe that addressing whether or not Locard’s Exchange Principle applies to digital forensics is a fundamental question that can guide or limit the scientific search for digital evidence.

Locard’s Exchange Principle is often stated in forensics publications as “every contact leaves a trace.” Essentially, it is applied to crime scenes in which the perpetrator(s) of a crime come into contact with the scene: the perpetrator(s) will both bring something into the scene and leave with something from the scene. In the cyber world, the perpetrator may or may not come into physical contact with the crime scene, which brings a new facet to crime scene analysis. According to the World of Forensic Science, Locard’s publications make no mention of an “exchange principle,” although he did make the observation “Il est impossible au malfaiteur d’agir avec l’intensité que suppose l’action criminelle sans laisser des traces de son passage.” (It is impossible for a criminal to act, especially considering the intensity of a crime, without leaving traces of his presence.) The term “principle of exchange” first appears in Police and Crime-Detection, in 1940, and was adapted from Locard’s observations.
The field of digital forensics can be strictly defined as “the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation” (Zatyko, 2007). Furthermore, digital evidence is defined as information stored or transmitted in binary form that may be relied on in court (National Institute of Justice, 2004). However, digital forensics tools and techniques have also been used by cyber analysts and researchers to conduct media analysis, compile damage assessments, build timelines, and determine attribution. According to the Department of Defense Cyber Crime Center’s training program (found at www.dc3.mil/dcita/courseDescriptions/cac.php), cyber analysts require knowledge of how network intrusions occur, how various logs are created, what electronic evidence is, and how electronic artifacts are forensically gathered, as well as the ability to analyze data to produce comprehensive reports and link analysis charts. Our hypothesis is that Locard’s Exchange Principle does apply to cyber crimes involving computer networks, such as identity theft, electronic bank fraud, or denial of service attacks, even if the perpetrator does not need to physically come into contact with the crime scene. Although the perpetrator may make only virtual contact with the crime scene through the use of a proxy machine, we believe he will still “leave a trace” and that digital evidence will exist. This presentation will explore, with audience input, “where in the cloud is digital evidence found” and new ways it can lead to attribution. It will also explore what new standards and techniques are needed to find these digital traces. Read-ahead information can be found at http://www.dfinews.com/article/digital-forensics-cyber-exchange-principle.

Presented by: Ken Zatyko of Assured Information Security

Ken Zatyko was previously the Director of the Department of Defense Computer Forensics Laboratory, where he led the largest accredited, internationally recognized, leading-edge computer forensics laboratory. He supervised over ninety personnel who completed over 900 cases, analyzed many terabytes of data, and provided expert testimony in over seventy military and federal trials. Previously, Ken served as the United States Air Force’s focal point and war planner for counterintelligence support to force protection, criminal, computer crime, and fraud investigations for 9th Air Force. Mr. Zatyko is currently the Vice President of Maryland Operations with Assured Information Security. More information on AIS can be found at www.ainfosec.com. Ken can be reached at zatykok@ainfosec.com.