Some of the most common reasons for improper evidence collection are poorly written policies, lack of an established incident response plan, lack of incident response training, and a broken chain of custody. For the purposes of this chapter, the reader should assume that policies have been clearly defined and reviewed by legal counsel, an incident response plan is in place, and necessary personnel have been properly trained. The remainder of this chapter focuses on the procedure a private organization should follow in collecting computer forensic evidence to maintain chain of custody.


What is a chain of custody? In simple terms, a chain of custody is a roadmap that shows how evidence was collected, analyzed, and preserved in order to be presented as evidence in court. Establishing a clear chain of custody is crucial because electronic evidence can be easily altered. A clear chain of custody demonstrates that electronic evidence is trustworthy. Preserving a chain of custody for electronic evidence, at a minimum, requires proving that:

  • No information has been added or changed

  • A complete copy was made

  • A reliable copying process was used

  • All media was secured[v]


Proving this chain is unbroken is a prosecutor’s primary tool in authenticating electronic evidence.

Legal Requirements

To collect evidence, certain legal requirements must be met. These legal requirements are vast, complex, and vary from country to country. However, there are certain requirements that are generally agreed on within the United States. U.S. Code Title 28, Section 1732 provides that log files are admissible as evidence if they are collected in the regular course of business. Also, Rule 803(6) of the Federal Rules of Evidence provides that logs, which might otherwise be considered hearsay, are admissible as long as they are collected in the course of regularly conducted business activity. This means you’d be much safer to log everything all the time and deal with the storage issues, than to turn on logging only after an incident is suspected. Not only is this a bit like closing the barn door after the horse has fled, it may also render your logs inadmissible in court.

Another factor in the admissibility of log files is the ability to prove that they have not been subject to tampering. Whenever possible, digital signatures should be used to verify log authenticity. Other protective measures include, but are not limited to, storing logs on a dedicated logging server and/or encrypting log files. Log files are often one of the best, if not only, sources of evidence available. Therefore, due diligence should be applied in protecting them.
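As an added illustration, not code from the chapter, here is a hash-chained, keyed log format of the kind a dedicated logging server could write: each record’s HMAC-SHA256 tag covers the previous record’s tag, so any later edit, deletion or reordering of a line is detectable when the chain is verified. The key, host name and events are constructed; a real deployment keeps the key only on the logging server, and a public-key signature could replace the keyed MAC where third-party verification is needed.

```python
import hashlib
import hmac
import json

# Assumption: signing key held only on the logging server (constructed placeholder value).
LOG_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def canonical(event):
    """Serialize an event deterministically so the MAC is reproducible on verification."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, event):
    """Append a record whose tag = HMAC(key, prev_tag || event); each tag covers its predecessor."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(LOG_KEY, prev_tag.encode() + canonical(event), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev": prev_tag, "event": event, "tag": tag})
    return chain


def verify_chain(chain):
    """Recompute the chain; return -1 if intact, else the index of the first bad record."""
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        expected = hmac.new(LOG_KEY, prev_tag.encode() + canonical(rec["event"]),
                            hashlib.sha256).hexdigest()
        if rec["prev"] != prev_tag or not hmac.compare_digest(rec["tag"], expected):
            return i
        prev_tag = rec["tag"]
    return -1


def demo():
    """Constructed sample events; returns (verification before edit, verification after edit)."""
    chain = []
    for ev in [
        {"ts": "2004-03-01T08:15:02Z", "host": "web01", "msg": "sshd: accepted password for admin"},
        {"ts": "2004-03-01T08:15:40Z", "host": "web01", "msg": "sudo: admin : COMMAND=/bin/sh"},
        {"ts": "2004-03-01T08:16:11Z", "host": "web01", "msg": "kernel: eth0 entered promiscuous mode"},
    ]:
        append_entry(chain, ev)
    before = verify_chain(chain)                                  # -1: every tag checks out
    chain[1]["event"]["msg"] = "sudo: admin : COMMAND=/bin/ls"    # simulate a later edit of one record
    after = verify_chain(chain)                                   # 1: record 1 no longer matches its tag
    return before, after
```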

One other generally accepted requirement of evidence collection is a user’s expectation of privacy. A key to establishing that a user has no right to privacy when using corporate networks and/or computer systems is the implementation of a log-on banner. CERT Advisory CA-1992-19 suggests the following text be tailored to a corporation’s specific needs under the guidance of legal counsel:

  • This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

  • In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.

  • Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

Furthermore, security policy can play a key role in establishing a user’s expectation of privacy. The Supreme Court ruling in O’Connor v. Ortega, 480 U.S. 709 (1987), implies that the legality of workplace monitoring depends primarily on whether employment policies exist that authorize monitoring and whether that policy has been clearly communicated to employees. To prove that the policy has been communicated, employees should sign a statement indicating that they have read, understood, and agreed to comply with corporate policy and consent to system monitoring.

Evidence Collection Procedure

When the time arrives to begin collection of evidence, the first rule that must be followed is do not rush. Tensions will probably be high and people will want to find answers as quickly as possible. However, if the investigators rush through these procedures, mistakes will be made and evidence will be lost.

The investigation team will need to bring certain tools with them to the incident site. They will need a copy of their incident-handling procedure, an evidence collection notebook, and evidence identification tags. Depending on the type of incident and whether the team will be able to retrieve an entire system or just the data, they may also need to bring tools to produce reliable copies of electronic evidence, including media to use in the copying process. In some cases, legal counsel will want photographs of the system(s) prior to search and seizure. If this is something your legal counsel wants as part of the evidence, then also include a Polaroid camera in the list of tools.

Policy and procedure should indicate who is to act as incident coordinator. When an incident is reported, this individual will contact the other members of the response team as outlined in the Incident Response Policy. Upon arrival at the incident site, this individual will be responsible for ensuring that every detail of the incident-handling procedure is followed. The incident coordinator will also assign team members the various tasks outlined in the incident-handling procedure and will serve as the liaison to the legal team, law enforcement officials, management, and public relations personnel. Ultimate responsibility for ensuring that evidence is properly collected and preserved, and that the chain of custody is properly maintained, belongs to the incident coordinator.

One team member will be assigned the task of maintaining the evidence notebook. This person will record the who, what, where, when, and how of the investigation process. At a minimum, items to be recorded in the notebook include:

  • Who initially reported the suspected incident along with time, date, and circumstances surrounding the suspected incident

  • Details of the initial assessment leading to the formal investigation

  • Names of all persons conducting the investigation

  • The case number of the incident

  • Reasons for the investigation

  • A list of all computer systems included in the investigation, along with complete system specifications. Also include identification tag numbers assigned to the systems or individual parts of the system

  • Network diagrams

  • Applications running on the computer systems previously listed

  • A copy of the policy or policies that relate to accessing and using the systems previously listed

  • A list of administrators responsible for the routine maintenance of the system

  • A detailed list of steps used in collecting and analyzing evidence. Specifically, this list needs to identify the date and time each task was performed, a description of the task, who performed the task, where the task was performed, and the results of the analysis.

  • An access control list of who had access to the collected evidence at what date and time[vi]


A separate notebook should be used for each investigation. Also, the notebook should not be spiral-bound. It should be bound in such a way that it is obvious if a page or pages have been removed.

This notebook is a crucial element in maintaining chain of custody. Therefore, it must be as detailed as possible to assist in maintaining this chain.

Another team member (or members) will be assigned the task of evidence collection. To avoid confusion, the number of people assigned this task should be kept to a minimum. This member (or members) should also be highly proficient with the copying and analysis tools listed later in the chapter. This person will then tag all evidence and work with the person responsible for the evidence notebook to ensure that this information is properly recorded. Next, the person will also be responsible for making a reliable copy of all data to be used as evidence. The data will include complete copies of drives on compromised or suspect systems, as well as all relevant log files. The copying can be done on-site, or the entire system can be moved to a forensics lab, as needs dictate.

A simple file copy is not sufficient to serve as evidence in the case of compromised or suspect systems. A binary copy of the data is the proper way to preserve evidence.


A reliable copy process has three critical characteristics. First, the process must meet industry standards for quality and reliability. This includes the software used to create the copy and the media on which the copy is made. A good benchmark is whether the software is used and relied on by law enforcement agencies. Second, the copies made must be capable of independent verification. Third, the copies must be tamperproof.

The Unix dd command and the product EnCase™ are two examples of acceptable tools. Two copies of the data should be made using an acceptable tool. The original should be placed in a sealed container. One copy will be used for analysis and the other copy can be put back in the system so the system can be returned to service as quickly as possible.
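An added example, not from the chapter and not part of either tool named above: a dd-style block-for-block image written in Python, with the hash of the bytes actually read recorded at imaging time and each copy independently re-read and verified against it, which is what “capable of independent verification” comes down to in practice. The sample “drive” is a constructed random file in a temporary directory; on a real system the source would be a read-only block device.

```python
import hashlib
import os
import tempfile

BLOCK = 65536  # fixed-size blocks, read without interpreting any filesystem, as dd does


def sha256_of(path):
    """Hash a file block by block; an image may be far larger than memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, dest):
    """Block-for-block copy of source into dest; returns the hash of the bytes actually read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_copies(source_hash, copies):
    """Independent verification: each copy is re-read and compared with the imaging-time hash."""
    return {path: sha256_of(path) == source_hash for path in copies}


def demo():
    """Constructed stand-in for a seized drive; returns (all copies verify, copy verifies after a change)."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect.raw")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))      # deliberately not block-aligned
    analysis = os.path.join(workdir, "analysis.dd")
    restore = os.path.join(workdir, "restore.dd")
    src_hash = image_device(drive, analysis)       # this hash is what goes in the evidence notebook
    image_device(drive, restore)
    all_ok = all(verify_copies(src_hash, [analysis, restore]).values())
    with open(analysis, "r+b") as f:               # flip one byte of the analysis copy
        f.seek(BLOCK)
        b = f.read(1)
        f.seek(BLOCK)
        f.write(bytes([b[0] ^ 0xFF]))
    return all_ok, verify_copies(src_hash, [analysis])[analysis]
```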


In certain cases, it is necessary to keep the entire system or certain pieces of hardware as part of evidence. The investigation coordinator will work with the legal team to determine the requirements for a given case.

Once all evidence is collected and logged, it can be securely transported to the forensics lab. A detailed description of how the data was transported and who was responsible for the transport, along with the date, time, and route, should be included in the log. It is required that the evidence be transported under dual control.

Storage and Analysis of Data

Finally, the chain of custody must be maintained throughout the analysis process. One of the keys to maintaining the chain is a secure storage location. If the corporation uses access control cards and/or video surveillance in other parts of the building, consider using these devices in the forensics lab. Access control cards for entering and exiting the lab will help verify who had access to the lab at what time. The video cameras will help to determine what they did once they were inside the lab. At a minimum, the lab must provide some form of access control; a log should be kept detailing entrance and exit times of all individuals. It is important that evidence never be left in an unsecured area. If a defense lawyer can show that unauthorized persons had access to the evidence, it could easily be declared inadmissible.

Pieces of evidence should be grouped and stored by case along with the evidence notebook. In an effort to be as thorough as possible, investigators should follow a clearly documented analysis plan. A detailed plan will help to prevent mistakes (which could lead to the evidence becoming inadmissible) during analysis. As analysis of evidence is performed, investigators must log the details of their actions in the evidence notebook. The following should be included as a minimum:

  • The date and time of analysis

  • Tools used in performing the analysis

  • Detailed methodology of the analysis

  • Results of the analysis[vii]

Again, the information recorded in the evidence notebook must be as detailed as possible to demonstrate the trustworthiness of the evidence. A trial lawyer well versed in the technological world, who knows how to ask the right questions, may find that the method or circumstances of preparation indicate a lack of trustworthiness under Fed. R. Evid. 803(6), to such a degree that a court will sustain, or at least consider, a challenge to the admissibility of the evidence. A properly prepared evidence notebook will help to defeat such a challenge.

Once all evidence has been analyzed and all results have been recorded in the evidence notebook, a copy of the notebook should be made and given to the legal team. If the legal team finds sufficient evidence exists to take legal action, it will be important to maintain the chain of custody until the evidence is handed over to the proper legal authorities. Legal officials should provide a receipt detailing all of the items received for entry into evidence.

[v] Franklin Witter, “Legal Aspects of Collecting and Preserving Computer Forensics Evidence,” Branch Banking & Trust, 2501 Wooten Blvd., MC 100-99-08-25, Wilson, North Carolina 27893
