Collecting Evidence

Collecting Evidence

Before the information age, when investigators wanted to collect documentary evidence, by consent, search warrant, or some other legal means, they searched a suspect's wallet, pocketbook, office file cabinet, or trash containers. In today's business environment, many of these areas are still valid places for evidence; however, they pale when compared to the amount of evidence that can be found in the workstation, PDA, laptop, or other mobile device.

What Is Evidence?

The simplest way to define evidence is information, of probative value, confirming or dispelling an assertion. In more common language, evidence either supports allegations or it does not. This is a good reference for electronic evidence, found at the U.S. Department of Justice Web site available at www.usdoj.gov/criminal/cyber-crime/s&smanual2002.htm.

At this point, it may be a good idea to examine the role of computers, networks, and systems and their role as evidence:

• Computers may be used as instruments to commit unlawful acts. For example, if a person launched a denial-of-service attack directed to your E-commerce Web site, the computer used to launch this attack would be considered an instrument of the unlawful act.

• Computers may be used to store evidence of an unlawful act. For example, if an employee downloads pornography on his office workstation, storing it on the hard drive as well as removable media, the workstation and related media have the same role as a file cabinet holding the evidence.

• Organizations and their related systems can be victims of unlawful acts. For example, if an attacker gained access to a server and modified sensitive data, in this instance the organization is a victim of the unlawful act.

• Computers may be physically stolen and thereafter are considered fruits of an unlawful act. For example, a truck loaded with PDAs is hijacked. The handheld computers would be considered fruits of the crime.

In seizing, examining, and analyzing information technology, there are many relevant legal decisions impacting investigative acts. If law enforcement agents want to seize computer systems that form part of a network, unless done correctly, the resulting damaged evidence presents prosecutors with substantial barriers. So formidable are these issues, the prosecutor might decide judges and juries cannot be convinced of the case's merits. Consequently, the prosecution declines to take legal action.

For more information regarding computers and electronic evidence search and seizure, there is substantial information available at www.usdoj.gov/criminal/cyber-crime/searching.html.

Examining the contents of target hard drives and other related media must be driven by the needs of the investigation. In short, this is another one of those "bang for the buck" priority matters. With the average workstation having more than 60 Gb of storage capacity, it is virtually impossible to completely examine every file and byte of stored or deleted information from a practical standpoint.

Data stored centrally on a network server may contain incriminating e-mail, but it also stores irrelevant e-mail of innocent third parties that have a reasonable expectation of privacy. Investigators sifting through messages considered private or privileged might find themselves the object of civil suits and depending on the circumstances criminally prosecuted. Seizing electronic evidence where communications are considered privileged, as e-mail exchanges between clergy and their parishioners, medical doctors and their patients, attorneys and their clients, and husbands and wives, can also result in the materials being excluded from legal actions. At times, determining if media contain privileged communications is an issue decided by the presiding judge; consequently, it is a matter for judicial hearings listening to arguments and evidence from opposing sides.

Evidence Prioritization

In relative terms, 24 Gb of printed data would amount to a stack of paper roughly 500 feet high. Obviously, it would require a large team of investigators to catalog and understand such a large amount of information. Computer forensic examiners must follow standards of evidence collection and analysis in the pursuit of their cases.

Despite the fact examiners may have a legal right to examine and search every file in the system, time constraints or legal limitations may not permit it. Therefore, the examination of files is practically limited to those identified as being case-relevant having evidentiary value. However, there is a voice in opposition to merely looking at the case-relevant files ignoring other evidence in the examination process. For example, an investigator viewing files containing stolen intellectual property should not ignore the files where the subject stored financial information about laundering the financial proceeds of that stolen property. Investigators must prioritize their efforts looking for relevant case-related information and perform sufficient examinations so they are convinced that all files do not contain anything of further evidentiary value.

Examining Computer Evidence

In physical terms, computer evidence generally consists of central processing units, storage media, monitors, printers, routers, firewalls, switches, logs, and software. Evidence stored on physical items is considered latent and needs to be essentially "lifted" to another medium for collection, examination, and preservation. Collection, examination, and analysis are performed on this recovered media and must remain unchanged if going to be considered of evidentiary value.

Often senior managers ask why copied media must remain unaltered if it is going to be used in legal proceedings. The answer is not simple. In the most basic terms, opposing legal sides routinely challenge the media's authenticity and if it is discovered the content has been changed, it feeds arguments that the evidence was intentionally or accidentally altered rendering it useless. Judges and juries have been convinced that although the content was slightly altered by the collection or examination process, the argument was sufficiently enlarged by opposing lawyers that they chose to exclude the digital evidence from their deliberations. Consequently, if digital evidence is to have full evidentiary impact, it must remain unaltered.

To further support this concept, review the following quote from the Federal Rules of Evidence for year 2002:

• Rule 1001. Definitions

  • The following definitions are applicable:

    1. Writings and recordings. — ''Writings'' and ''recordings'' consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photocopying, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation.

    2. Photographs. — ''Photographs'' include still photographs, x-ray films, video tapes, and motion pictures.

    3. Original. — An ''original'' of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. An ''original'' of a photograph includes the negative or any print therefrom.

       If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original''.

    4. Duplicate. — A "duplicate'' is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduces the original.

• Rule 1002. Requirement of Original

  • To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.

• Rule 1003. Admissibility of Duplicates

  • A duplicate is admissible to the same extent as an original unless

    1. A genuine question is raised as to the authenticity of the original or

    2. In the circumstances it would be unfair to admit the duplicate in lieu of the original.

These rules permit investigators to use forensic software and other tools to reconstruct an accurate representation of the original data stored on the system. This means the data copied from the target computer may be introduced if it can be proven that this data is a fair and accurate representation of the original.

Of course, opposing sides are going to attack the integrity of the collected evidence; for this reason, it is imperative that when collecting evidence, no one exceeds her expertise, as it could render evidence useless.

Policies and Procedures

Policies and procedures provide instructions and structures and apply to the examination of computers and related media. Their adherence ensures quality and good practices by investigators making sure their efforts are planned, performed, monitored, and recorded. Formalized procedures ensure the integrity and quality of the work performed. Policies should require electronic examinations to be performed on forensically sound copies of the original evidence. This principle is based on the fact that bit-by-bit copies can be made of original digital evidence resulting in exact and true copies of the original.

Policies and procedures must dictate that investigative methods used recovering digital information from computers are valid and reliable. These methods must be technologically and legally acceptable ensuring all relevant information is recovered and preserved. Duplication methods must be legally defensible so nothing in the original was altered when it was forensically copied and that forensic copy is an exact duplicate of the original down to the last bit.

Common Mistakes when Handling Evidence

These are some common mistakes when collecting and preserving evidence:

• Altering the MAC (modify, access, and create) times

• Updating or patching affected systems before responders arrive at the scene

• Using tools that alter the content of the original media

• Writing over evidence by installing software on the target media

• Performing collection and analysis exceeding training and expertise

• Failing to initiate and maintain accurate documentation including chain of custody schedules, commands on the target system, tools to recover digital evidence, and history of actions taken by the responders