Collecting Evidence

Examining the contents of target hard drives and other related media must be driven by the needs of the investigation. In short, this is another one of those "bang for the buck" priority matters. With the average workstation having more than 60 Gb of storage capacity, it is virtually impossible to completely examine every file and byte of stored or deleted information from a practical standpoint.

Data stored centrally on a network server may contain incriminating e-mail, but it also stores irrelevant e-mail of innocent third parties that have a reasonable expectation of privacy. Investigators sifting through messages considered private or privileged might find themselves the object of civil suits and depending on the circumstances criminally prosecuted. Seizing electronic evidence where communications are considered privileged, as e-mail exchanges between clergy and their parishioners, medical doctors and their patients , attorneys and their clients , and husbands and wives, can also result in the materials being excluded from legal actions. At times, determining if media contain privileged communications is an issue decided by the presiding judge; consequently, it is a matter for judicial hearings listening to arguments and evidence from opposing sides.

Evidence Prioritization

In relative terms, 24 Gb of printed data would amount to a stack of paper roughly 500 feet high. Obviously, it would require a large team of investigators to catalog and understand such a large amount of information. Computer forensic examiners must follow standards of evidence collection and analysis in the pursuit of their cases.

Despite the fact examiners may have a legal right to examine and search every file in the system, time constraints or legal limitations may not permit it. Therefore, the examination of files is practically limited to those identified as being case-relevant having evidentiary value. However, there is a voice in opposition to merely looking at the case-relevant files ignoring other evidence in the examination process. For example, an investigator viewing files containing stolen intellectual property should not ignore the files where the subject stored financial information about laundering the financial proceeds of that stolen property. Investigators must prioritize their efforts looking for relevant case-related information and perform sufficient examinations so they are convinced that all files do not contain anything of further evidentiary value.

Examining Computer Evidence

In physical terms, computer evidence generally consists of central processing units, storage media, monitors , printers, routers, firewalls, switches, logs, and software. Evidence stored on physical items is considered latent and needs to be essentially "lifted" to another medium for collection, examination, and preservation. Collection, examination, and analysis are performed on this recovered media and must remain unchanged if going to be considered of evidentiary value.

Often senior managers ask why copied media must remain unaltered if it is going to be used in legal proceedings . The answer is not simple. In the most basic terms, opposing legal sides routinely challenge the media's authenticity and if it is discovered the content has been changed, it feeds arguments that the evidence was intentionally or accidentally altered rendering it useless. Judges and juries have been convinced that although the content was slightly altered by the collection or examination process, the argument was sufficiently enlarged by opposing lawyers that they chose to exclude the digital evidence from their deliberations. Consequently, if digital evidence is to have full evidentiary impact, it must remain unaltered.

To further support this concept, review the following quote from the Federal Rules of Evidence for year 2002:

• Rule 1001. Definitions

  • The following definitions are applicable :

    1. Writings and recordings. - ''Writings'' and ''recordings'' consist of letters , words, or numbers , or their equivalent, set down by handwriting, typewriting, printing, photocopying, photographing , magnetic impulse, mechanical or electronic recording, or other form of data compilation.

    2. Photographs. - ''Photographs'' include still photographs, x-ray films , video tapes, and motion pictures.

    3. Original. - An ''original'' of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. An ''original'' of a photograph includes the negative or any print therefrom.

       If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original''.

    4. Duplicate. - A "duplicate'' is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduces the original.

• Rule 1002. Requirement of Original

  • To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.

• Rule 1003. Admissibility of Duplicates

  • A duplicate is admissible to the same extent as an original unless

    1. A genuine question is raised as to the authenticity of the original or

    2. In the circumstances it would be unfair to admit the duplicate in lieu of the original.

These rules permit investigators to use forensic software and other tools to reconstruct an accurate representation of the original data stored on the system. This means the data copied from the target computer may be introduced if it can be proven that this data is a fair and accurate representation of the original.

Of course, opposing sides are going to attack the integrity of the collected evidence; for this reason, it is imperative that when collecting evidence, no one exceeds her expertise, as it could render evidence useless.

Policies and Procedures

Policies and procedures provide instructions and structures and apply to the examination of computers and related media. Their adherence ensures quality and good practices by investigators making sure their efforts are planned, performed, monitored , and recorded. Formalized procedures ensure the integrity and quality of the work performed. Policies should require electronic examinations to be performed on forensically sound copies of the original evidence. This principle is based on the fact that bit-by-bit copies can be made of original digital evidence resulting in exact and true copies of the original.

Policies and procedures must dictate that investigative methods used recovering digital information from computers are valid and reliable. These methods must be technologically and legally acceptable ensuring all relevant information is recovered and preserved. Duplication methods must be legally defensible so nothing in the original was altered when it was forensically copied and that forensic copy is an exact duplicate of the original down to the last bit.

Common Mistakes when Handling Evidence

These are some common mistakes when collecting and preserving evidence:

• Altering the MAC (modify, access, and create) times

• Updating or patching affected systems before responders arrive at the scene

• Using tools that alter the content of the original media

• Writing over evidence by installing software on the target media

• Performing collection and analysis exceeding training and expertise

• Failing to initiate and maintain accurate documentation including chain of custody schedules, commands on the target system, tools to recover digital evidence, and history of actions taken by the responders

Chain of Custody Schedule

It is one of those critical elements often neglected by investigators - the chain of custody schedule. The reason it is called a schedule is that the document memorializes the history of evidence discovery, acquisition, processing and presentation.

A chain of custody schedule is a history documenting:

• Case number

• Date, time, and location the evidence was discovered

• Person who made the evidence discovery

• Date, time, and location of each person taking custody of the evidence

• Identifying number of the evidence

• Date each person accepted the evidence for storage

• Location of storage

• Each person who takes custody of the evidence for examination or presentation

Exhibit 3 is a typical chain of custody schedule example.

Exhibit 3: Chain of Custody Schedule

A copy of the chain of custody should physically accompany the evidence item with the appropriate field being completed. A copy of the chain of custody schedule should be included with the investigative report as part of the attachments.

Evidence Tags

Investigators should prepare evidence tags for all collected items. All items are tagged whether retained or returned to the owner. These are generally small gummed or self- adhesive tags that can be secured to outside of the item. Evidence tags may be attached to heat-sealed, electostatically neutral plastic bags containing magnetic media or other types of digital evidence. Storing media in this fashion secures it from static electricity, the elements, and tampering. Sealing the bag with two witnesses present signing the chain of custody schedule avoids future legal arguments challenging changes and custody.

Evidence tags should have the case number, an item number, and date-time-place information as well as the name and initials of the collecting person. In some cases, investigators have a policy that two individuals must witness the collection of evidence. Many law enforcement officers use scribes or markers placing their initials , date, time, and place on the evidence, in addition to the evidence tag, so they can positively identify it in the future. Some investigators think evidence handling is a tedious process. It is. But conscientious attention to details, accompanied by intelligent redundancy, has successfully defused many legal challenges.

Activity Log

On receiving a critical incident notification, the person receiving the call should begin an activity log. It is a complete responder activity log and includes all activities such as:

• Initial notification (Who, What, When, Where, How, Why)

• Interviews

• Management contacts and interaction

• Law enforcement contacts

• Evidence searches, seizures, and inventory

• On-the-spot evidence analysis

• Tools and commands used by responders

• Any other relevant responder activities

This log is a flowing document kept by individuals and later compiled as a single document encompassing all activities by all relevant persons. Notes should be kept, as they will be necessary as part of future legal discovery processes.

Witness Reports

Everyone that is interviewed should have his or her comments noted by the investigator and documented in the form of a written report after the interview is completed. Notes should be made of every person who is interviewed whether they have anything of value or not. Interviewees should answer the questions: who, why, when, where, what, and how. Direct the interview addressing those facts that are known to the witness directly leaving conjecture, speculation, guessing, and "gut-feelings" to the end of the interview. Witness interview reports are not supposed to be verbatim transcripts of the interview, rather they are summaries of important details. Investigators should take careful notes, because from these notes the witness' statement will be formalized into a report. Witness interview reports should be reduced to a formal document reflecting the following information:

• Witness' full name

• Witness' address and identifying information such as the beginning date of employment, business unit, supervisor, duties , etc.

• Purpose of the interview should be briefly explained to the interviewee and documented in the interview

• Identity of the investigators

• Information provided by the witnesses

• Time-date-location of the interview (It is possible that the interview report should mention the specific location of the interview such as a conference room. Current court rulings have made interviews held in hostile locations excludable.)

• Case file number

• Any evidence or materials delivered to the investigators by the witness

If the interview is very important and it is possible the witnesses may later change or recant their statements, witnesses may be requested to reduce their statements to writing. This can be accomplished in several ways, but one of the most successful is to have the witnesses write their statements in their own words. It is a prudent step to have the witnesses review their statements, making any changes they wish as to reflect their recollection of pertinent events.

Signed witness statements should be signed by the interviewee, dated, noting the time and place, and witnessed by at least two other people that must have been present during the entire interview and written statement process.

Some interviews are noted in logs where details of the interview are documented:

• Time of first contact with interviewee

• Place of interview

• Identities of those present during the interview

• Times of any person leaving or entering the interview

• Any requests from the interviewee, for example, food, restroom, union representation, or attorney

Statements used in criminal court proceedings must pass the test of "voluntariness." For example, if an employee were threatened with dismissal if she did not describe how she stole proprietary information from the company and she made a statement admitting it. It is likely this statement will not be admissible in criminal proceedings due to the coercive circumstances under which the statement was obtained.

Recorded Statements

Other types of recordings may be acceptable to memorialize witness statements. Under some circumstances, audio and video recordings may be used documenting interviews. Record the entire interview from start to finish if investigators are going to use audio/video media. This step eliminates arguments that the witness was forced or intimidated while the recording device was not operating. The recording media of the witness' statement is evidentiary. It is handled exactly like all evidence. There should be a chain of custody, evidence identification tag, and storage. In some cases, there are laws regulating audio/video recordings; consult with legal counsel before proceeding.