In: Computer Science
Explain, with detailed examples, how Locard’s Exchange Principle will influence the forensic examination of a Solaris Server.
Answer
Locard’s Exchange Principle is often summarised in forensics publications as “every contact leaves a trace.” It is applied to crime scenes in which the perpetrator(s) of a crime come into contact with the scene.
The perpetrator(s) will both bring something into the scene and leave with something from the scene. In the cyber world the perpetrator may or may not come into physical contact with the crime scene, which adds a new facet to crime scene analysis. According to the World of Forensic Science, Locard’s publications make no mention of an “exchange principle,” although he did make the observation that “it is impossible for a criminal to act, especially considering the intensity of a crime, without leaving traces of this presence.”
Locard’s Exchange Principle does apply to cyber crimes involving computer networks, such as identity theft, electronic bank fraud or denial of service attacks, even if the perpetrator never physically touches the crime scene. Although the perpetrator may make only virtual contact with the scene, through a proxy machine, we believe he will still “leave a trace” and digital evidence will exist.
To illustrate the application of Locard’s Exchange Principle to a cyber crime, we take the example of using the Autopsy Forensic Browser and the Sleuth Kit utilities to extract information about the installation of a rootkit on a Solaris system.
One could contend that Locard’s Exchange Principle does not apply to this type of cyber crime. The rationale is that, because no human is at the crime scene, there is no trace evidence from the human on the computer or digital media at the scene. In practice, however, the data recovered from the forensic image of the server (replaced system binaries, their timestamps and the files the rootkit dropped) is correlated with data from the IDS logs, and the rootkit’s own HISTORY file records the changes made to its functionality over time.
Thus, in this example, there is a trace both at and from the scene. Finding the trace evidence may involve physical locations other than the one scene of the crime, such as the IDS sensor or the proxy machine. Similarly, a key logger, whether added as software, hardware or both, remains behind for an investigator to discover. Such an examination typically involves bits and bytes of information rather than physical trace material.
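As an added worked example (not part of the original answer), the correlation step described above written in Python over constructed sample data: a Sleuth Kit body-file timeline (the format `fls -m` produces and `mactime` consumes), a few IDS alert lines, and a shell history carved from the image. The IP addresses, paths, the list of commonly trojaned Solaris binaries and the shell-history indicators are assumptions chosen for illustration. The example shows the "trace at the scene" (system binaries whose mtime/ctime fall minutes after an inbound alert from one source address) and the "trace from the scene" (the outbound connection that follows, which correlates with no file change).

```python
"""Correlate a Sleuth Kit timeline, IDS alerts and a recovered shell history
to show the trace a remote rootkit installation leaves on a server.
Every input below is constructed sample data, not evidence from a real case;
the addresses, paths and indicator lists are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed body-file lines in the format `fls -m` / `mactime -b` use:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODY_FILE = """\
0|/etc/passwd|101|-r--r--r--|0|3|1024|1262347200|1262347200|1262347200|0
0|/var/tmp/.rk/HISTORY|3104|-rw-r--r--|0|0|2048|1265000450|1265000450|1265000450|0
0|/usr/bin/ls|1201|-rwxr-xr-x|0|2|18632|1265000460|1265000460|1265000460|0
0|/usr/bin/ps|1202|-rwxr-xr-x|0|2|24160|1265000470|1265000470|1265000470|0
0|/usr/bin/netstat|1203|-rwxr-xr-x|0|2|31208|1265000480|1265000480|1265000480|0
0|/export/home/jdoe/.sh_history|3107|-rw-------|100|10|512|1265000500|1265000500|1265000500|0
"""

# Constructed IDS alert lines: ISO-8601 UTC timestamp, source -> destination, message.
IDS_LOG = """\
2010-02-01T04:10:00+00:00 198.51.100.5 -> 192.0.2.10 PORTSCAN tcp ports 1-1024
2010-02-01T04:58:30+00:00 203.0.113.7 -> 192.0.2.10:23 TELNET login success after repeated failures
2010-02-01T05:00:40+00:00 203.0.113.7 -> 192.0.2.10:21 FTP inbound transfer rk.tar.gz
2010-02-01T05:02:00+00:00 192.0.2.10 -> 203.0.113.7:6667 OUTBOUND IRC connection
"""

# Constructed contents of /export/home/jdoe/.sh_history as recovered with icat.
SH_HISTORY = """\
cd /var/tmp
ftp 203.0.113.7
tar xzf rk.tar.gz
cd .rk
./install
rm -f /var/tmp/rk.tar.gz
"""

# Binaries a user-mode Solaris rootkit commonly replaces (assumed list).
ROOTKIT_TARGETS = ("/usr/bin/ls", "/usr/bin/ps", "/usr/bin/netstat",
                   "/usr/bin/login", "/usr/sbin/in.telnetd")
# Shell-history fragments that merit a second look (assumed indicators).
HISTORY_INDICATORS = ("tar x", "./install", "rm -f", "ftp ", "wget ", "/var/tmp")


@dataclass(frozen=True)
class FileEvent:
    path: str
    mtime: int   # epoch seconds
    ctime: int   # epoch seconds


@dataclass(frozen=True)
class Alert:
    when: int    # epoch seconds
    src: str
    dst: str
    msg: str


def parse_body(body: str) -> list[FileEvent]:
    """Parse body-file lines; only name, mtime and ctime are needed here."""
    events = []
    for line in body.splitlines():
        if line.strip():
            f = line.split("|")
            events.append(FileEvent(path=f[1], mtime=int(f[8]), ctime=int(f[9])))
    return events


def parse_ids(log: str) -> list[Alert]:
    """Parse the constructed alert format into epoch-based Alert records."""
    alerts = []
    for line in log.splitlines():
        if line.strip():
            ts, src, _arrow, dst, msg = line.split(" ", 4)
            alerts.append(Alert(int(datetime.fromisoformat(ts).timestamp()), src, dst, msg))
    return alerts


def correlate(events, alerts, window=600):
    """Map each alert to the files whose mtime or ctime falls within `window`
    seconds AFTER the alert: the trace the contact left at the scene."""
    hits = {}
    for a in alerts:
        hits[(a.when, a.src, a.msg)] = sorted(
            e.path for e in events if a.when <= max(e.mtime, e.ctime) <= a.when + window)
    return hits


def trojaned_binaries(events, alerts, window=600):
    """ROOTKIT_TARGETS changed inside an alert window, keyed by path, with the
    source addresses of the alerts that preceded the change."""
    out = {}
    for (_when, src, _msg), paths in correlate(events, alerts, window).items():
        for p in paths:
            if p in ROOTKIT_TARGETS:
                out.setdefault(p, set()).add(src)
    return out


def suspicious_history(history: str) -> list[str]:
    """Shell-history lines containing any assumed indicator."""
    return [cmd for cmd in history.splitlines()
            if any(ind in cmd for ind in HISTORY_INDICATORS)]


def fmt(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    events, alerts = parse_body(BODY_FILE), parse_ids(IDS_LOG)
    for (when, src, msg), paths in correlate(events, alerts).items():
        print(f"{fmt(when)} {src:14} {msg}")
        for p in paths:
            print(f"    file changed within 10 min: {p}")
    print("trojaned binaries:", trojaned_binaries(events, alerts))
    print("history lines of interest:", suspicious_history(SH_HISTORY))
```

On real evidence the body file would come from `fls -r -m / image.dd` against the forensic image, the history file from `icat image.dd <inode>`, and the IDS lines from the sensor's own log; the correlation logic stays the same. Note that mtime on a replaced binary can be forged by the rootkit's installer, which is why ctime (set by the kernel, not settable by `touch`) is included in the comparison.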