Marshall University
Marshall Digital Scholar
Computer Sciences and Electrical Engineering Faculty Research
Computer Sciences and Electrical Engineering
10-2010
Refining the Digital Device Hierarchy
F. Chevonne Dancer
David Dampier
Part of the Computer Engineering Commons, and the Forensic Science and Technology Commons
REFINING THE DIGITAL FORENSICS HIERARCHY
F. Chevonne Dancer¹ and David A. Dampier²
¹,² Department of Computer Science and Engineering, Mississippi State University, Mississippi State University, MS 39762
Abstract
Smartphones are increasing in popularity due to functionality, portability, convenience and affordability.
Because of this, examiners must acquire and analyze these devices when criminal activity is suspected to
have occurred. In order to obtain this information, it has to be extracted in a way that is repeatable and
testable. There are several process models available for use, but the ad-hoc approach is on the rise. The
dilemmas are that ad-hoc approaches and the forensic investigative process models available are not
well suited for the examination of such devices. These approaches may cause the validity of investigator
skill and methods to fall under scrutiny. To address this, there is a need for an investigative framework
tailored to the unique qualities of smartphones. To accomplish this, the hierarchy of digital forensics
should be understood. “Computer forensics” and “digital forensics” are used synonymously in literature,
but wrongfully so. This paper highlights the differences in computer forensics, digital forensics,
computer crime, and digital crime while proposing a revised hierarchy of the forensics discipline.
Journal of the Mississippi Academy of Sciences, October, 2010, Vol 55 No 4

INTRODUCTION

Due to the increase in the use of smartphones, the need has arisen to be able to examine these devices forensically and accurately. In order to accomplish this task, a thorough understanding of the functionality of the devices as well as the methods and tools used is necessary. Before this can be achieved, the forensics community must evaluate the current state of the discipline. The authors believe that this re-evaluation begins with definitively identifying important terms that will assist in understanding where smartphones lie in the hierarchy of the discipline.

Computer Forensics vs. Digital Forensics

Computer forensics is an innovative area of computer science that is also referred to as digital forensics in various literatures. Due to its infancy, researchers, law enforcement, and those tenured in the field have faced significant issues developing standards and methodologies that are sufficient. One of those struggles has been the development of a standard vocabulary. As a result, we find that “computer forensics” and “digital forensics” are often used synonymously due to their similar definitions. The authors believe that this is done in error because by definition, as much as they are alike, they are dissimilar. Kruse and Heiser define computer forensics as

“involving the preservation, identification, extraction, documentation, and interpretation of computer data” (Kruse II and Heiser, 2001).

Digital forensics is defined by Palmer as

“the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations” (Palmer, 2001).

As can be seen, the definition for digital forensics has advanced over time to include potential evidentiary data from all technological devices, not just computers. Scientifically proven methods are also an important part of the process because the integrity of the digital data extracted may be questioned due to its volatile nature as well as the validity of the results of the investigation (Kruse II and Heiser, 2001). It is also noticed that the activities involved in conducting a digital forensic investigation have been expanded to include key processes that were not included in Kruse’s definition of computer forensics such as collection, validation, analysis, and presentation which are all imperative components of the forensics progression. For these reasons, “computer forensics” should be a category of forensics encompassed by “digital forensics”.

The authors agree with Carrier and Spafford (Carrier, 2006) on how the area of digital forensics should be divided with one exception, the addition of Small Scale Digital Device Forensics (SSDDF). Digital forensics includes any investigative technique applied to any technology and is therefore divided into four major areas:

• Computer forensics: Collecting, analyzing, and preserving evidence on computers, laptops, notebooks, etc.
• Small Scale Digital Device Forensics: Collecting, analyzing, and preserving evidence on small digital devices
• Network forensics: Collecting, analyzing, and preserving evidence that is spread throughout a network
• Software forensics: Linking software or malicious code to its author.

The addition of SSDDF is vital and the significance of its addition is detailed in the section on: Small Scale Digital Forensics (SSDF).

Computer Crime vs. Digital Crime

Just as “digital forensics” and “computer forensics” are used interchangeably throughout forensics literature, “digital crime” and “computer crime” are as well. The authors believe that these words, although similar, are not synonymous. There has been debate over the definition of “computer crime”. The Department of Justice (DOJ) defines computer crime as:

“any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution” (Goodman, 2001).

Some see this definition as too abstract because it could potentially include crimes that have nothing to do with computers being used or targeted for the commission of a crime. As an example, a criminal could use the computer to assist in locating potential victims with the intention of committing a heinous act against them. Under the DOJ definition, this crime would be categorized as a computer crime whether it is a terrorist bombing, stalking, or assault. But this classification would not be accurate because none of the crimes mentioned above uses a computer to commit the act. In this situation, the computer would contain vital evidentiary data that would assist in proving that the suspected party had specific knowledge of the location of each victim. So this definition of computer crime is not as thorough as is needed for this discipline.

Kruse and Heiser defined computer crime by categorizing it in two different classes, either the computer itself is the object of the offense, or the computer is used to commit the offense. If the computer is the object of the offense, it is the target of the aggressor. Examples of this would be a user deliberately destroying the monitor by defacing it, pouring liquid in the chassis, physically misusing the peripherals, or physically taking a weapon and damaging it. The destruction of the computer does not always have to be physical in nature. One could embed malicious code on the computer with the intentions of causing some unexpected action to occur.

When a computer is used to commit an offense, then the target is one other than that physical computer itself. Because of this, various legal issues may arise. For instance, one could use the computer to launder money, spread viruses, commit software piracy, blackmail victims, sabotage individuals, or recreate legal documents which are all illegal activities. No matter what resources are used to accomplish these tasks, they are illegal. As an example, one can send a threatening email over the network using a specific computer which is against the law. But it would still be illegal if the same person was to write the threatening note and personally deliver it to the intended victim. Although there are no laws pertaining to computers in place to assist in deterring these types of crimes, there are punishments in place for the illegal actions committed using computers such as blackmail, money laundering, and forging documents.

There are instances where the computer is used as an avenue to gain information that will assist the suspect in the commission of a crime. Although it is not against the law to conduct research via the Internet, a well-developed forensic investigation can uncover these actions and extract evidence that can support or refute the position of the prosecutor. Following are several cases involving the use of computers to assist in committing a criminal act (Department of Justice). One will notice that the charges against each suspect are not considered computer crimes, but a computer assisted each in the commission of their crimes.

On September 26, 2007, Lan Lee and Yuefi Ge were indicted on charges of conspiracy to commit economic espionage. Their plan was to steal trade secrets related to computer chip design from their employer and pass them off as their own creations. The two formed a company called SICO Microsystems in order to develop the products and market them to other companies for compensation. Neither suspect has been prosecuted, but they both face up to 15 years in prison and a fine of $500,000.

Mark Wayne Miller faces a minimum of 35 years to life in prison for one count of the Sexual Exploitation of Children in Dayton, OH. Miller successfully persuaded minors to conduct themselves inappropriately on a webcam for his viewing pleasure. Without the knowledge of the minors, Miller would also eavesdrop on them by obtaining their passwords through phishing and then using the password to access their webcam through special software. In order to lure the girls, he would assume the identity of a teenage male in chat rooms and engage them in conversation. He was arrested on November 28, 2005 by the U.S. Marshals and remains in their custody.

In 2004, Larry Lee Ropp was indicted on charges of federal wiretapping for installing an electronic device on a company computer that recorded every key stroke taken by an employee. This was the first such case in the United States. Ropp faced a maximum of 5 years in federal prison.

Although these crimes are not considered computer crimes, they are still a part of the digital forensic process because evidence was located on a computer that supported the indictment of each suspect. With that, the authors believe that there are three types of computer crime: crimes against computers, crimes committed using computers, and crimes committed with the assistance of computers. The definition of a computer-assisted crime is when a computer is used to aid in the commission of a crime by performing information searches and storing information pertinent to the crime in memory either actively or passively. The idea of computer-assisted crimes is vital to this research mainly because of the technology chosen as the focus. “Digital crime” is not as often used in literature as “computer crime”, but the authors feel this is due to the non-standard vocabulary. At its infancy, researchers in this area of computer science developed preliminary definitions that did not keep pace with the evolving technologies. As technology advances, these definitions must be altered to accommodate those changes. Surprisingly, in the systematic review process, the authors found no sufficient definition for “digital crime”, so an attempt to provide clarity is as follows:

Digital crime

• Involves the use of any digital technology to commit a criminal offense.
• Involves any digital technology that is the target of a crime.
• Involves the use of any digital technology to obtain or store information for the exclusive purpose of committing a crime.
• Involves the unauthorized access, unauthorized use, dishonest manipulation or theft of information from any digital technology.

Following the same logic used when comparing definitions of “computer forensics” and “digital forensics”, “digital crime” would encompass “computer crime” because the first three statements are derived from the definition of “computer forensics”. The difference is the word “computer” is changed to “digital technology” in order to encompass all technologies whether past, present, or future.

Small Scale Digital Forensics (SSDF)

Due to the vast number of digital devices with the ability to perform various functionalities, digital forensics further categorizes devices by their physical size and operability as follows: computers, storage devices, and obscure devices. Examples of devices that are classified as computers are laptops, tablet PCs, desktop computers, and notebooks. A storage device would be a peripheral that stores digital data such as a flash drive, iPod, or external hard drive. An obscure device would be a Play Station Portable (PSP), Nintendo Gameboy, and any other portable gaming device (Kruse II and Heiser, 2001).

Mislan refined the device categories above by introducing the SSDD category described as

“a small form factor device which utilizes permanent or temporary memory in conjunction with embedded chips to perform a variety of tasks” (Harrill and Mislan, 2007).

He established that the SSDD category would contain five sub-categories assisting in determining which device belonged in which category. The five sub-categories are Embedded Chip Devices, PDAs, Cellular Telephones, Audio/Video Devices, and Gaming Devices. These devices are all small and dynamic in nature which has made them difficult to evaluate and examine. From this category comes a sub-area of digital forensics called Small Scale Digital Device Forensics (SSDDF), which was established in order to provide the examiner with the capability to investigate technologies developed after the invention of the computer and future devices. This area focuses on the five sub-categories of SSDD. To provide a starting point for investigations, the devices in each category have to be classified with respect to the internal components of each.
[Figure 1. SSDD Framework and devices by type. Diagram labels: Digital Evidence; PC Extension; Optical; Magnetic; Flash.]

Figure 1 is a revised version of the Harrill et al. classification of the SSDD Framework showing how devices store information. The difference is that based upon device breakdown, PC extension devices, flash devices, and magnetic drives can overlap. In the illustration by Harrill et al., the device categories only overlap with PC Extension devices (Harrill and Mislan, 2007). The authors would also like to point out that Harrill et al. classify notebook computers and tablet computers as SSDD. The digital forensic framework suggested in this research by definition does not contain any devices that are considered computers, as can be seen in Figure 2. A computer can be categorized in all four groups: magnetic, PC extension, flash, and optical. This would mean that all four categories would overlap each other. However, the illustration depicts PC extension and flash devices overlapping while magnetic and optical devices never relate. This is not to say that the topology of the framework will remain the same. Allowances for future devices will have to be considered.

Harrill and Mislan (2007) state that in order to be effective, the field of SSDDF will have to be handled depending upon the internal components of each device. These devices can then be categorized and the type of forensics applied to each device depends upon how it is grouped. From this, it is obvious that a separate category for small scale digital devices is necessary due to the unique attributes of each. If separation from computers and the creation of a unique category was necessary for these types of devices, then a different framework for investigating them must be necessary as well. The key processes that define a digital investigation will still have to be present in the process model, but approached in a different manner.

Figure 2 depicts the digital forensic hierarchy as proposed by the author. The sub-disciplines are depicted in the rounded rectangles and the devices belonging to each are shown in the ovals. Software and network forensics are defined as sub-disciplines of digital forensics; however, defining any devices or processes belonging to each lies outside the scope of this research. Because there are aspects of each that may be categorized as part of another discipline, these rounded ovals are not fully contained by the digital forensic discipline.
[Figure 2. Digital Forensic Hierarchy and Devices. Sub-disciplines: Software Forensics, Computer Forensics, SSDD Forensics, Network Forensics. Computer forensics devices: Desktop, Workstation, Laptop, Tablet PC, Notebook, Server, Supercomputer. SSDD forensics devices: Audio/Video, PDA, Embedded Chip, Gaming Systems, Cellular Telephone.]

CONCLUSION

A standard terminology in the field of digital forensics is necessary in order for the successful continuation of digital research. The terms “computer forensics” and “digital forensics” are used synonymously and will continue to be used that way until further research eliminates this usage. “Computer forensics” was sufficiently used at the infancy of the discipline because computers were the target device in examinations; however, the term should now be a sub-discipline. Today, interests have expanded to include SSDDs and other types of technologies. SSDDs cannot be categorized as computers and therefore cannot belong to a discipline entitled “Computer Forensics”. Simultaneously, all of the devices in question can be categorized as digital devices so the proper name for this field would be “Digital Forensics”. The authors are conducting further research in the field of SSDDs targeting the smartphone. A forensic process model is being developed that deals specifically with smartphones due to issues distinct to that device.

LITERATURE CITED

Carrier, B. 2006. A Hypothesis-Based Approach to Digital Forensic Investigations. International Journal of Digital Evidence, 2:2.

Department of Justice (DOJ). United States Department of Justice: Computer Crime Cases. Computer Crime and Intellectual Property Section. [Online], Available: www.cybercrime.gov/cccases.html.

Goodman, M. 2001. Making Computer Crime Count. FBI Law Enforcement Bulletin. 70:8. 10-17.

Harrill, D. C. and Mislan, R. P. 2007. A Small Scale Digital Device Forensics Ontology. Small Scale Digital Forensics Journal. 1:1. 1-6.

Kruse II, W and Heiser, J.G. 2001. Computer Forensics: Incident Response Essentials. Addison Wesley.

Palmer, G. 2001. A Road Map for Digital Forensic Research. First Digital Forensics Research Workshop (DFWRS), Utica, New York, pp. 1-42.