
Apply Locard's Exchange Principle to Digital Forensics

Thu, 01/09/2014 - 7:00pm

Locard’s Exchange Principle is often cited in forensics publications as “Every contact leaves a trace.” In the cyber world, the perpetrator may or may not come in physical contact with the crime scene, which brings a new facet to crime scene analysis.

Our hypothesis is that Locard’s Exchange Principle does apply to cyber crimes involving computer networks, such as identity theft, electronic bank fraud, or denial of service attacks, even if the perpetrator does not physically come in contact with the crime scene. Although the perpetrator may make virtual contact with the crime scene through the use of a proxy machine, we believe he will still “leave a trace” and digital evidence will exist.

To analyze how Locard’s Exchange Principle applies, one breaks the principle into its parts and determines whether or not each of the following occurs:

  • Are there two items?
  • Is there contact?
  • Is there an exchange of material?

To illustrate the application of Locard’s Exchange Principle to a cyber crime, we take the example of identity theft, where someone’s identity is stolen and the perpetrator intends to use the stolen information for criminal gain. Let us further suppose the perpetrator steals the identity through the use of a Trojan horse and keyboard logger on the victim’s computer. One could contend that during this type of cyber crime Locard’s Exchange Principle does not apply. The rationale is that because a human is not at the crime scene, there is no trace evidence from the human on the computer or digital media at the scene. In actuality, however, there may be lots of digital evidence, such as the Trojan horse itself, changed passwords, digital logs, and so on. Thus, in this example, there is a trace at, to, and from the scene. Finding the trace evidence may involve physical locations other than the one scene of the crime. The key logger could be added software or hardware or both, but in either case it remains behind for an investigator to discover.

From: The Digital Forensics Cyber Exchange Principle by Ken Zatyko and Dr. John Bay
