|< Day Day Up >|| |
Computers should now be considered a primary source of evidence in almost every case. With businesses and individuals relying on computers for data processing, scheduling and communications, it is possible to discover anything from background information to the “smoking gun” document by investigating what is on your opponent’s computer systems.
With that in mind, this chapter began the discussion with consideration of the process of information discovery. The fact that information discovery only deals with logical evidence (electronic data) means that you can avoid much of the tedium required by search and seizure to ensure evidence integrity and the chain of custody. Nevertheless, as you have seen, there are strong similarities between the two processes throughout their respective basic rules and planning stages.
For information discovery, where the basics are concerned, the investigator is occupied with safeguarding the chain of custody. During the planning stage, emphasis is given to understanding the information being sought after. Back-ups of discovered information files are critical to the overall process, and tools such as revision-control software can be very handy for this task.
With regards to the basics of the information discovery process, establishing and protecting the chain of custody for logical evidence should be straightforward!
The three basic rules of thumb should act as guides for any information discovery. Each rule has a parallel in the world of physical search and seizure.
The notable difference between searching for physical evidence and searching for logical evidence is that, in the latter, there is much less structure.
Because the format and location of information varies tremendously from case to case, how information is discovered depends on the circumstances of the case and the imagination of the investigator.
Once information is found, however, rigorous methods are applied to its handling and processing.
Computer forensics may be applied: search and seizure and information discovery. Although different in their implementations, both of these areas share a few prominent common principals. These include the important concept that evidence should always be backed-up and digitally authenticated prior to forensic work. Both approaches require that everything the investigator does be carefully documented. In addition, for both areas, the evidence preservation lab plays an important role as a secure, controlled environment for computer forensics work and evidence storage. Without such a facility, the investigator will have a difficult (if not impossible) time maintaining the chain of custody while examining and holding evidence.
The use of secure case-management software is highly desired because it lends structure, efficiency, and safety to the gathering and management of case notes and data.
In a venue where law enforcement authorities are investigating a computer crime, there is a measurable chance that a case could find its way to court. Within a corporation or other organization, however, things are vastly different.
Companies loathe being involved in litigation—even in situations where it appears the law is on their side!
It’s no surprise that legal fees and bad publicity can take a mighty toll on the “bottom line.” For this reason, much of what the corporate computer fraud and abuse investigator does is for naught.
It’s easy for a corporate investigator to become frustrated and even disillusioned with his or her work when he or she sees good cases ending up on the wayside due to fears of bad PR. Such feelings must be contained, as they will quickly result in laziness and incomplete work on the part of the investigator.
Most of the computer crime cases handled by the corporate investigator won’t end up in litigation; however, this does not apply to all cases!
Even a seemingly low-profile case can take a sudden twist and end up garnering the attention of the CEO.
Because practically any case can turn into a matter for litigation, the corporate investigator needs to treat all cases with a proper and reasonable amount of attention.
The following is a provisional list of actions for discovery of electronic evidence. The order is not significant; however, these are the activities for which the research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these discovery of electronic evidence topics have been mentioned in passing already:
Do not alter discovered information.
Always back-up discovered information.
Document all investigative activities.
Accumulate the computer hardware and storage media necessary for the search circumstances.
Prepare the electronic means needed to document the search.
Ensure that specialists are aware of the overall forms of information evidence that are expected to be encountered as well as the proper handling of this information.
Evaluate the current legal ramifications of information discovery searches.
Back-up the information discovery file or files.
Start the lab evidence log.
Mathematically authenticate the information discovery file or files.
Proceed with the forensic examination.
Find the MD5 message digest for the original information discovery file or files.
Log all message digest values in the lab evidence log.
When forensic work is complete, regenerate the message digest values using the back-ups on which work was performed; log these new values along-side the hashes that were originally generated. If the new values match the originals, it’s reasonable to conclude that no evidence tampering took place during the forensic examination of the information file(s)
Briefly compare the physical search and seizure with its logical (data-oriented) counterpart, information discovery.
|< Day Day Up >|| |