Both questioned document examination and computer forensics belong to a branch of forensic science known as “trace evidence,” which owes its existence to the work of the French investigator Edmond Locard. Locard’s famous Exchange Principle may be glossed as follows: “a cross-transfer of evidence takes place whenever a criminal comes into contact with a victim, an object, or a crime scene.” Locard, a professed admirer of Arthur Conan Doyle who worked out of a police laboratory in Lyons until his death in 1966, pioneered the study of hair, fibers, soil, glass, paint, and other small things forgotten, primarily through microscopic means. His life’s work is the cornerstone of the stark dictum underlying contemporary forensic science: “Every contact leaves a trace.” This is more, not less, true in the delicate reaches of computer systems. Much hacker and cracker lore is given over to the problem of covering one’s “footsteps” when operating on a system uninvited; conversely, computer security often involves uncovering traces of suspicious activity inadvertently left behind in logs and system records.
Marcos Novak asserts the following, for example: “Everything that is written and transmitted via electronic media is erasable and ephemeral unless stored or reinscribed (emphasis added).” My contention would be that the subordinating conjunction “unless” is called upon to do a great deal of unrealistic work. Practically speaking, most things that are written and transmitted via electronic media are stored and reinscribed. A simple e-mail message may leave a copy of itself on a half a dozen different servers and routers on the way to its destination, with the potential for further proliferation via mirrors and automated backup systems at each site. As storage costs continue to plummet, the trend will no doubt be to save more and more data so that the variety of ephemera routinely written to disk becomes ever more granular. Likewise, even the popular myth that RAM is always absolutely volatile, gone forever at the flip of a switch, proves false; there are at least experimental techniques for recovering data from RAM semiconductor memory. While it may be technically possible to create the conditions in which electronic writing can subsist without inscription and therefore vanish without a trace, those conditions are not the medium’s norm but the special case, artificially induced by an expert with the resources, skill, and motive to defeat an expert investigator.
Mechanisms: New Media and the Forensic Imagination, Matthew G. Kirschenbaum.