Its application to cyber crime brings a new and exciting dimension to the famous Locard Exchange Principle.

“…This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study it, and understand it, can diminish its value.”¹

“Artifacts of electronic activity in digital devices are detectable through forensic examination, although such examination might require access to computer and network resources involving expanded scope that may involve more than one venue and geolocation.” (Zatyko and Bay, 2011)

In this article we present a challenging question for today’s digital forensic experts, cyber scientists, and cyber analysts. Does Locard’s Exchange Principle apply in digital forensics? The dramatic increase in cyber crime and the repeated cyber intrusions into critical infrastructure demonstrate the need for improved security. The Executive Office of the President noted on May 12, 2011, “cyber threat is one of the most serious economic and national security challenges we face as a nation.”² We believe addressing whether or not Locard’s Exchange Principle applies to digital forensics is a fundamental question that can guide or limit the scientific search for digital evidence.

Locard’s Exchange Principle is often cited in forensics publications “every contact leaves a trace…” Essentially Locard’s Exchange Principle is applied to crime scenes in which the perpetrator(s) of a crime comes into contact with the scene. The perpetrator(s) will both bring something into the scene, and leave with something from the scene. In the cyber world, the perpetrator may or may not come in physical contact with the crime scene, thus, this brings a new facet to crime scene analysis. According to the World of Forensic Science, Locard’s publications make no mention of an “exchange principle,” although he did make the observation “Il est impossible au malfaiteur d’agir avec l’intensité que suppose l’action criminelle sans laisser des traces de son passage.” (It is impossible for a criminal to act, especially considering the intensity of a crime, without leaving traces of this presence.) The term “principle of exchange” first appears in Police and Crime-Detection, in 1940, and was adapted from Locard’s observations.

The field of digital forensics can be strictly defined as “the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.”³ Furthermore, digital evidence is defined as information stored or transmitted in binary form that may be relied on in court.⁴ However, digital forensics tools and techniques have also been used by cyber analysts and researchers to conduct media analysis, compile damage assessments, build timelines, and determine attribution.