After you understand how to identify computer evidence and you know what equipment you can access, you are ready to begin collecting it. The steps you take in the collection process determine whether the evidence will be useful to you once the investigation is complete. You must ensure your evidence was acquired properly and is pristine. This section discusses several concepts necessary to ensure that collected evidence will be valid for later use.
All evidence presented in a court of law must exist in the same condition as it did when it was collected. Simply put, evidence cannot change at all once you collect it; the evidence must be in pristine condition. You'll be required to prove to the court that the evidence did not change during the investigation. Yes, you'll have to provide your own evidence that all collected evidence exists, without changes, as it did when it was collected. The documentation that chronicles every move and access of evidence is called the chain of custody . The chain starts when you collect any piece of evidence.
chain of custody
Documentation of all the steps that evidence has taken from the time it is located at the crime scene to the time it's introduced in the courtroom. All steps include collection, transportation, analysis, and storage processes. All accesses of the evidence must be documented as well.
The chain of custody is so named because evidence has the potential to change each time it is accessed. You can think of the path evidence takes to the courtroom as a chain in which each access is a link in the chain. If any one link breaks,
(i.e., breaks the integrity of the evidence), the whole chain breaks at that point. The court expects the chain of custody to be complete and without gaps. You demonstrate a complete chain of custody by providing the evidence log that shows every access to evidence, from collection to appearance in court. A complete chain of custody log also includes procedures that describe each step. For example, an entry might read 'checked out hard disk drive serial number BR549 to create a primary analysis image.' You should also include a description of what 'creating a primary analysis image' means. The defense will examine the chain of custody documents, looking for any gaps or inconsistencies. Any issue with the chain of custody has the real potential of causing the court to throw out the evidence in question. Once that happens, the evidence you have collected becomes useless and your credibility will probably be questioned.
Each step in the chain of custody must have specific controls in place to maintain the integrity of the evidence. The first control could be to take pictures of the evidence's original state. This, of course, is only applicable for real evidence. Once you photograph and/or document the initial state of the entire scene, you can begin to collect evidence.
From the very first step, you must list all procedures you use in the collection process and be ready to justify all your actions. For example, when you collect a disk drive for analysis, you must carefully follow standard practices regarding disk identification, removal, handling, storage, and analysis. Each step in the evidence collection and handling process must have at least one associated control that preserves the state of the evidence.
Continuing our disk drive evidence example, you must use proper handling techniques when handling disk drives , and you must also document each step in the process. Before you start, you want to take precautions against disk drive damage. Such precautions might include:
Grounding to prevent static discharge
Securing and padding the work surface to prevent physical shock
Noting power requirements to protect against inadvertent power- related damage
You'll also need to implement and document all controls that prevent accidental changes to the evidence. These precautions might include:
Implementing a write blocker to prevent accidental writes to the media
Generating a snapshot of the media using a hash or checksum before any analysis
Using analysis tools that have been verified to run using read-only access
Needless to say, you need to plan each step of the way. At each step, make sure at least one control is in place to ensure your evidence stays pristine and unaltered. The upcoming section titled 'Leave No Trace' will cover some specific controls; however, the preceding list gives you an idea of the level of detail that is required to satisfy a court of law that the evidence has not changed since it was collected.
The following steps are an example of how to handle a disk drive you suspect contains evidence:
After you have determined that you need to analyze a hard disk drive, the first step is to seize the drive. You must fully document the entire process, including:
Source location, time, and person who performed seizure actions
Packing and transportation method
Destination location, time, and person who transferred the item to secure storage
Description of storage facilities, including procedures to ensure evidence security
After seizing the drive, mount it in read-only mode and make a copy of the drive for analysis. Make sure you:
Document the process of mounting the device
Describe the precautions taken to prevent changes to the media
List all of the steps in the copy process
Compare your copy of the drive to the original to ensure you have an exact copy. Make sure you:
Describe the process and tools used to compare drive images
After you have a clean copy of the original drive, you can begin your analysis.
The previous steps are illustrated in the following graphic.
The computer forensics expert is often called on to save the day, even when that 'day' occurred over a year and a half ago.
The statute of limitations for sexual harassment can range from as few as 30 days for federal employees to as long as three years in certain states. After being contacted by the senior management of a small publicly traded company located in a state that extends the statute of limitations, I boarded a flight to see if I could help locate evidence that was over 18 months old.
A senior manager for the company was being sued for sexual harassment by an employee who had left the company 18 months earlier. The employee had not made any allegations when leaving the company and had only recently filed a lawsuit. After speaking with the senior manager named in the suit, the company officials were hoping I might be able to locate proof that the romance was mutual and consensual and was not sexual harassment.
As is the norm in a majority of businesses, when the complaining employee left the company, the employee's desktop computer hard disk had been reformatted, reloaded, and the computer had been assigned to another employee. The company CIO was able to track down the computer and presented it to me to see what I could locate. By this time, the computer had been in use by another employee for almost 15 months. The senior manager's laptop computer was lost six months earlier. In addition, the company recently implemented a new installation of Microsoft Exchange and had no backup tapes of the old e-mail server.
I imaged the hard drive using the Image MASSter Solo 2 Forensics Portable Evidence Seizure Tool from Intelligent Computer Solutions and created a new case file using AccessData's Forensic Toolkit (FTK). I added the acquired image of the hard disk as evidence in the case file in FTK and then indexed the case. After this prep work, things happened quickly.
One of the strengths of FTK is its ability to quickly locate e-mails. I swiftly sorted all the e- mails by date and began reading a string of 'love letters' sent from the employee to the manager and from the manager to the employee. It was obvious from the tone of the letters that the relationship was indeed mutual. Additionally, I was able to locate calendar entries from the employee's Outlook .pst file that listed planned meeting times and locations for the couple. I found one particularly humorous and potentially case-defeating file on the computer in an e-mail attachment sent from the employee to the manager. It was a self-photographed nude picture of the employee taken using a mirror.
I located more than enough information to show the relationship was mutual. When presented with all the evidence, the employee dropped the lawsuit. This case illustrates that potential evidence can be found on computers even after long periods of time have elapsed, if the investigator takes the time and knows how to look for it.
The first item in your hands when you enter a crime scene is a camera, and the second item should be a pencil. The key to providing a chain of custody that a court will accept is meticulous documentation. You must enter notes into an evidence log, listing all information pertinent to the access of the evidence. Each and every time evidence is accessed (including initial collection) the evidence log should contain at least the following information:
Date and time of action
Initial evidence collection
Evidence location change
Remove evidence for analysis
Return evidence to storage
Personnel collecting/accessing evidence
Computer descriptive information
Computer make and model
Additional ID information
BIOS settings specific to disk drives
Disk drive descriptive information
Disk drive manufacturer and model number
Drive parameters (heads, cylinders , sectors per track)
Computer connection information (adapter, master/slave)
Preparation (static grounding, physical shock, etc.)
Contamination precautions taken
Step-by-step events within action
Inventory of supporting items created/acquired (i.e., hash or checksum of drive/files)
Complete description of action
Description of each analysis step and its results
Reason for action
Comments that are not specifically requested anywhere else in the log
Notes section can provide additional details as the investigation unfolds
This log provides the court with a chain that can be traced back to the point at which the evidence was collected. It provides the beginning of the assurance that the evidence has not changed from its original state. The next step in the process is to justify that each step in the chain was carried out according to industry best practices and standards. Once you establish that you have handled evidence in an appropriate manner and maintained the integrity of the evidence, you are ready to take it to court.
The following graphic illustrates a minimal log format. This type of log usually needs supporting documents for each line item. The minimal log format gives a brief overview of evidence handling history, and the detailed description for each line item would provide the additional details mentioned previously.
Hard disk drive, ser #123456
Seized hard drive from scene, permission provided by business owner
Hard disk drive, ser #123456
Transported HDD to evidence locker in main office
Hard disk drive, ser #123456
Removed HDD to create analysis copy
Hard disk drive, ser #123456
Returned HDD to evidence locker
Before you take evidence to court, you need to ensure it will be acceptable. In the next section, we cover the rules that govern what evidence is admissible in a court of law.