In today’s world, technology is nearly everywhere, whether it’s your cell phone, your laptop, or even your watch. While this offers many new opportunities for learning, improving your health, or even making friends, it also opens up a whole new world of crime – cyber crime. Cyber crime is defined as a criminal offense committed with various forms of computer technology, or via the Internet (FindLaw, 2015). One of the most disturbing manifestations of cyber crime is the collection and distribution of child pornography, much of which happens online in the deep web. Child predators, unfortunately, now have it easier than ever to access child pornography. Thanks to advancements in cyber forensics technologies and training, it has also become easier to catch these criminals before they can cause too much harm.
The popular NBC reality show To Catch a Predator aired from 2004-2007 and documented a team of people who would pose as children on the Internet in order to find and capture pedophiles before they could harm real children. Pedophiles frequently turn to the Internet in order to find digital content as well as to harm children in real life. They also frequently use various means to attempt to hide any digital content they download, but thanks to data recovery software, cyber forensics investigators are able to find the hidden or deleted files so that the criminals may be prosecuted. Even if the perpetrators do not hide or delete their files, it is still very important that a trained cyber forensics analyst is the one who extracts and documents the evidence so that nothing is corrupted or mishandled that would stop the evidence from being used in court (Nelson & Phillips, 2010).
One recent case of digital child pornography is that of Jared Fogle, the former Subway spokesman frequently referred to as “Jared from Subway.” Fogle is accused of receiving “pornographic images of minors engaging in sexually explicit contact” between 2011 and April of 2015 from the former executive director of the Jared Foundation, Russell C. Taylor (Castillo, 2015). Fogle is also accused of travelling from Indiana to New York in order to pay to have sex with minors. Indiana’s Internet Crimes Against Children’s Task Force raided Jared Fogle’s home on the morning of July 7th. During the raid they confiscated media storage devices, documents, DVDs, and computers (McLaughlin, 2015).
Instances such as Jared Fogle’s happen every day around the country and around the world. When the initial raid occurred, the law enforcement officials involved would have had to be very meticulous with their collection of the evidence in order to not corrupt any of it. This would mean using write-blocking software, thoroughly documenting their recovery process, and handling physical evidence, such as SD cards or hard drives, very carefully. Depending on the circumstances of the case, data could be recovered from any devices either at the scene or at the lab. Data needed at the scene would be collected via a live acquisition, while acquisition in the lab would be a logical, sparse, or static acquisition (Nelson & Phillips, 2010). In the case of Jared Fogle, since hardware was seized from his house, investigators would have likely used logical acquisition methods in a secure lab setting.
Another crucial step of any investigation is the evidence custody form. The evidence custody form helps to track where evidence came from, where it’s gone, and who has handled it. An evidence custody form usually contains information such as the case number, investigating organization, investigator, nature of case, location evidence was obtained, description of evidence, vendor name, model number, by whom the evidence was recorded, the date and time the evidence was placed into custody, which secure container the evidence is stored in, and the item number of the evidence (Nelson & Phillips, 2010). The evidence custody form goes along with the actions that investigators must take to secure their evidence. Securing evidence is the process by which physical evidence is contained when not in use. Labeled or tagged evidence bags are a good method of securing smaller pieces of evidence, such as USB drives. Larger pieces of evidence should be stored in secure containers with tape over all openings of the containers. Evidence tape should also be placed over drive bays, insertion slots, and any other openings on the larger pieces of evidence (Nelson & Phillips, 2010).
The chain of custody is “the route the evidence takes from the time you find it until the case is closed or goes to court” (Nelson & Phillips, 2010). The chain of custody is another crucial step in any investigation, because without it evidence is never truly secure, and may not be presentable in court. It is important that every person who handles the evidence be added to the chain of custody, for reasons of both accountability and practicality. In terms of accountability, the chain of custody allows blame to be assigned accurately should a piece or pieces of evidence be corrupted or otherwise damaged while in the custody of a specific person. In terms of practicality, when working with something as influential as evidence in an ongoing investigation, keeping a log of everyone who has had access to the evidence prevents many problems before they start.
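The custody form and chain of custody described above can be kept as an electronic record that checks itself. The following is an added example, not taken from Nelson & Phillips or from any forensic tool: the field names, the CustodyLog class, and the SHA-256 chaining of entries are this example's own assumptions, and all sample values are constructed.

```python
import hashlib
import json

# Form contents as listed in the text above (field names are this example's own).
FORM_FIELDS = ("case_number", "organization", "investigator", "nature_of_case",
               "location_obtained", "description", "vendor", "model_number",
               "recorded_by", "placed_in_custody", "secure_container", "item_number")

def _sha256(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    def __init__(self, **form):
        missing = [f for f in FORM_FIELDS if not form.get(f)]
        if missing:
            raise ValueError(f"custody form incomplete: {missing}")
        self.form, self.transfers = form, []

    def transfer(self, released_by, received_by, when, purpose):
        """Append one hand-off, chained to the digest of the previous record."""
        entry = {"released_by": released_by, "received_by": received_by,
                 "when": when, "purpose": purpose}
        prev = self.transfers[-1]["digest"] if self.transfers else _sha256(self.form)
        self.transfers.append({**entry, "digest": _sha256([prev, entry])})

    def audit(self):
        """Return a list of problems; an empty list means an unbroken chain."""
        problems, prev = [], _sha256(self.form)
        holder, last = self.form["recorded_by"], self.form["placed_in_custody"]
        for i, t in enumerate(self.transfers, 1):
            entry = {k: v for k, v in t.items() if k != "digest"}
            if t["released_by"] != holder:
                problems.append(f"entry {i}: released by {t['released_by']}, holder was {holder}")
            if t["when"] < last:  # ISO 8601 strings in one time zone sort by time
                problems.append(f"entry {i}: timestamp precedes the previous record")
            if t["digest"] != _sha256([prev, entry]):
                problems.append(f"entry {i}: record altered after it was written")
            holder, last, prev = t["received_by"], t["when"], t["digest"]
        return problems

def sample_log():
    # Constructed sample data: every name and value here is made up.
    log = CustodyLog(case_number="EX-0001", organization="Example PD",
                     investigator="A. Rivera", nature_of_case="example",
                     location_obtained="residence", description="16 GB USB drive",
                     vendor="ExampleCo", model_number="X-16", recorded_by="A. Rivera",
                     placed_in_custody="2024-01-10T09:00", secure_container="Locker 3",
                     item_number="001")
    log.transfer("A. Rivera", "B. Chen", "2024-01-10T14:30", "imaging")
    log.transfer("B. Chen", "C. Okafor", "2024-01-11T10:00", "analysis")
    return log
```

An audit of the sample log returns an empty list; editing any earlier entry afterwards makes audit() report both the altered record and the resulting break in who held the item.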
Once the evidence is recovered, the data from the hard drives, USB drives, etc. must be analyzed. This step is what provides investigators with the hard evidence that they need to prosecute the perpetrator and to build a convincing case against him or her in the courts. The first step of the data analysis will be to make a bit-stream copy of the original drive on which the evidence was contained. A bit-stream copy is a bit-by-bit copy of the storage medium on which the evidence was contained. The closer to exact a bit-stream copy is, the more evidence investigators will be able to retrieve from it. A bit-stream image, or forensic image, is the file that contains the bit-stream copy of all data from a disk. ProDiscover is a popular forensics analysis tool that can be used to acquire and analyze data and to capture a forensic image (Nelson & Phillips, 2010). ProDiscover can also be used to analyze images to find evidence.
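What a bit-by-bit copy involves can be shown in a short sketch. This is an added example, not ProDiscover's method or code from the cited text: it copies a source sector by sector, zero-fills and records any sector that cannot be read, and returns a SHA-256 digest for later verification of the image (hashing the image is an assumption of this example, as are the FlakySource stand-in drive and the 512-byte sector size).

```python
import hashlib
import io

SECTOR = 512  # assumed sector size; source length is assumed to be a multiple of it

class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector."""
    def __init__(self, data, bad_sector):
        super().__init__(data)
        self.bad_offset = bad_sector * SECTOR

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError("simulated read error")
        return super().read(n)

def acquire(src, dst, size):
    """Copy every sector in order; zero-fill unreadable ones and record them."""
    digest, bad = hashlib.sha256(), []
    for sector in range(size // SECTOR):
        src.seek(sector * SECTOR)
        try:
            block = src.read(SECTOR)
        except OSError:
            block = bytes(SECTOR)   # keep offsets aligned with the original
            bad.append(sector)      # documented so the gap is explainable later
        dst.write(block)
        digest.update(block)
    return digest.hexdigest(), bad

def verify(image_bytes, expected_digest):
    """True only if the image is bit-for-bit what was written at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_digest

def demo():
    data = bytes(range(256)) * 16            # constructed 4096-byte "drive"
    image = io.BytesIO()
    digest, bad = acquire(FlakySource(data, bad_sector=3), image, len(data))
    return data, image.getvalue(), digest, bad
```

Recording the digest at acquisition time lets any later working copy be checked against it before analysis begins.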
AccessData is a software company that has put out two very important programs that are extremely helpful in forensics investigations: FTK Imager and Registry Viewer. FTK Imager can be used to create forensic images and analyze them. Registry Viewer is used to take an in-depth look at a suspect’s registry in order to find information about the programs they were using, websites they were visiting, usernames and passwords, emails, hidden and deleted files, and many other crucial pieces of evidence. Both of these programs, or programs similar to them, can be used in cases such as Jared Fogle’s, or in any other cases involving pedophilia.
Because of the efforts of police forces, forensics investigators, and countless other workers, Jared Fogle is pleading guilty to his charges of possession of child pornography and crossing state borders to pay for sex with minors. This means that he will spend anywhere between five and thirteen years in jail because of his crimes (Castillo, 2015). Without the proper investigation process, securing of evidence, evidence tracking forms, and data analytics tools, this might never have been possible. It is because of these practices, tools, and investigators that cyber crimes are becoming harder and harder to perpetrate without being caught.