Chapter 5: Evidence Collection and Data Seizure


Evidence is difficult to collect at the best of times, but when that evidence is electronic an investigator faces some extra complexities. Electronic evidence has none of the permanence that conventional evidence has, and it is even more difficult to form into a coherent argument. The purpose of this chapter is to point out these difficulties and what must be done to overcome them. Not everything is covered here—it should be used as a guide only, and you should seek further information for your specific circumstances.

Note 

No legal advice is given here—different regions have different legislation. If in doubt, always ask your lawyer—that’s what they’re there for.

WHY COLLECT EVIDENCE?

Electronic evidence can be very expensive to collect—the processes are strict and exhaustive, the systems affected may be unavailable for regular use for a long period of time, and analysis of the data collected must be performed. So, why bother collecting the evidence in the first place? There are two simple reasons—future prevention and responsibility.

Future Prevention

Without knowing what happened, you have no hope of ever being able to stop someone else (or even the original attacker) from doing it again. It would be analogous to not fixing the lock on your door after someone broke in. Even though the cost of collection can be high, the cost of repeatedly recovering from compromises is much higher, both in monetary and corporate image terms.

Responsibility

There are two responsible parties after an attack—the attacker and the victim. The attacker is responsible for the damage done, and the only way to bring them to justice (and to seek recompense) is with adequate evidence to prove their actions.

The victim, on the other hand, has a responsibility to the community. Information gathered after a compromise can be examined and used by others to prevent further attacks. They may also have a legal obligation to perform an analysis of evidence collected, for instance if the attack on their system was part of a larger attack.






COLLECTION OPTIONS

Once a compromise has been detected, you have two options—pull the system off the network and begin collecting evidence, or leave it online and attempt to monitor the intruder. Both have their pros and cons. In the case of monitoring, you may accidentally alert the intruder and cause them to wipe their tracks by any means necessary, destroying evidence as they go. You also leave yourself open to possible liability issues if the attacker launches further attacks at other systems from your network. If you disconnect the system from the network, you may find that you have insufficient evidence or, worse, that the attacker left a dead man’s switch that destroys any evidence once the system detects that it is offline. What you choose to do should be based on the situation. The “Collection and Archiving” section later in the chapter contains information on what to do in either case.






OBSTACLES

Electronic crime is difficult to investigate and prosecute—investigators have to build their case purely on whatever records are left after the transactions have been completed. Add to this the fact that electronic records are extremely (and sometimes transparently) malleable, and that electronic transactions currently have fewer limitations than their paper-based counterparts, and you get a collection nightmare.

Computer transactions are fast, can be conducted from anywhere (through anywhere, to anywhere), can be encrypted or anonymous, and have no intrinsic identifying features, such as handwriting or signatures, that point to those responsible. Any paper trail of computer records they may leave can be easily modified or destroyed, or may be only temporary. Worse still, auditing programs may automatically destroy the remaining records once the computer transactions are finished with them.

Because of this, even if the details of the transactions can be restored through analysis, it is very difficult to tie a transaction to a person. Identifying information such as passwords or PINs (or any other electronic identifier) does not prove who was responsible for the transaction—such information merely shows that whoever did it either knew those identifiers or could get past them.

Even though technology is constantly evolving, investigating electronic crimes will always be more difficult due to the ease of alteration of the data and the fact that transactions may be done anonymously. The best you can do is to follow the rules of evidence collection and be as assiduous as possible.


