Best Evidence

Computer evidence has special considerations when presented in a court of law. For non-electronic evidence, the Federal Rules of Evidence define "best evidence" as the original writing, recording, or photograph as opposed to a copy. Duplicates of the original data are not admissible unless the original is destroyed, unavailable, or unobtainable for specific reasons.

The typing of information and copying of data from an outside source now qualifies as an original writing, recording, or photograph in its electronic form. To handle computer evidence, an exception was made to the best evidence rule permitting paper copies that represented the electronic form to be admitted as documentary evidence in court. Written records of system contents could then be used in lieu of the actual equipment, eliminating the need for a mainframe and terminals to demonstrate that a particular file was present. This permits the investigator to submit printouts of actual activity where applicable, although a visual demonstration may be of great value in getting a point across.

A second clarification to the best evidence rule regarding electronic evidence concerns the definition of a duplicate. The original hard disk may be unavailable, or the act of booting it in its original environment may alter it, so that the original is no longer valid. For this reason, full forensic duplicates are now permitted for electronic evidence. Duplicates are bitstream, sector-by-sector images of electronic equipment. As the electronic items and a visual representation of them are the actual evidence, there is no specific requirement that the disk itself be presented. Current case law permits the use of forensic duplicates as fully qualified substitutions as long as:

  1. They are from the indicated source.

  2. They were acquired using proven tools and techniques.

  3. They have not been altered since the time of acquisition.

Tip 

Tools such as dd, SafeBack, and EnCase, when used according to proper procedures, have all been court tested.
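The three conditions above are what an acquisition record has to make demonstrable later: which source the image came from, what tool and settings produced it, and a hash fixed at acquisition time against which any later alteration shows up. The following is an added example and not code from the book: it copies a constructed stand-in for a disk block by block, hashes the source as it is read and the image after it is written, writes the acquisition record, write-protects the image, and re-verifies it before and after a deliberate one-byte change. The function names, the examiner string and the "disk" contents are assumptions made for the illustration; dd, SafeBack and EnCase are the tools the text names, and this code only stands in for them.

```python
"""Added example (not the book's code): block-wise acquisition of a bitstream
image with an acquisition record, write protection, and later verification."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

BLOCK_SIZE = 512 * 128  # read and write in whole 512-byte sectors


def sha256_file(path):
    """Hash a file block-wise so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, log, examiner):
    """Copy `source` into `image` block by block, hashing the source as it is read.

    The record ties the image to its source (condition 1), names the tool and
    settings used (condition 2), and fixes a hash that exposes any later
    alteration (condition 3).
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    record = {
        "source": str(source),
        "image": str(image),
        "examiner": examiner,
        # hypothetical tool name; a real record names the imaging tool and version
        "tool": "acquire_image() example (stands in for dd/SafeBack/EnCase)",
        "block_size": BLOCK_SIZE,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "bytes": os.path.getsize(image),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_file(image),  # independent re-read of what was written
    }
    if record["sha256_source"] != record["sha256_image"]:
        raise RuntimeError("image does not match its source; acquisition failed")
    os.chmod(image, 0o444)  # write-protect the stored copy
    with open(log, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image, log):
    """Re-hash the stored image and compare it with the acquisition record."""
    with open(log) as f:
        record = json.load(f)
    return (os.path.getsize(image) == record["bytes"]
            and sha256_file(image) == record["sha256_image"])


def run_demo():
    """Acquire a constructed 'disk', verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, image, log = tmp / "evidence.raw", tmp / "evidence.dd", tmp / "evidence.json"
        # Constructed stand-in for a disk: 2000 sectors ending in an MBR-style signature.
        source.write_bytes(b"\x00" * (512 * 2000 - 2) + b"\x55\xaa")
        record = acquire_image(source, image, log, examiner="Examiner (example)")
        intact = verify_image(image, log)
        os.chmod(image, 0o644)  # write protection is lifted ...
        with open(image, "r+b") as f:  # ... and a single byte is changed
            f.seek(0)
            f.write(b"\xff")
        altered = verify_image(image, log)
        return {"hash_matches_source": record["sha256_source"] == record["sha256_image"],
                "intact_before": intact,
                "intact_after_change": altered}


if __name__ == "__main__":
    print(run_demo())
```

Hashing the source while it is being read, then re-reading the written image separately, is what lets the record assert that the image and the indicated source are identical rather than merely that the image hashes to something; verification later only needs the record and the image, not the original media.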

EVIDENCE STORAGE

Two common questions are what specific evidence to store in an investigation and how to store it. There are three main ways to store electronic evidence as used in an investigation:

  • Store the entire computer system itself.

  • Store the hard disk or other drives from the computer system.

  • Store a bitstream copy of the hard disk on write-protected media.

Making the determination of what to store is a question of policy, storage space, and operational impact. An organization should have a policy that specifies what specifically should be stored and for how long. This should also include how the data is stored, where it is stored, who has access to it, and ultimately how it is disposed of. Policy may be altered by the circumstances and outcome of the particular incident. For example, cases involving potential civil or criminal litigation may require more stringent or longer storage than cases with a "no findings" outcome. Given the current best evidence thinking, there is little legal reason to store the actual computer or hard disk itself provided that an authenticated bitstream copy is available with the appropriate procedural documentation on the acquisition.

Storage space is likewise a consideration. The acquisition of a dozen or more computers in a large case is not unheard of, and the machines may be large servers. Most companies are unwilling to lease an evidence warehouse specifically for this purpose, however. In many cases, an evidence safe in a locked room may be the only viable option. This precludes the storage of large amounts of equipment. Yet there is at least one valid reason to make space for entire systems: the potential unavailability of the hardware in the future. If there will be a need to reconstruct the hardware one day (for example, if the hardware used a proprietary storage device that was not acquired to another media), this warrants serious consideration.

Operational impact is always a concern when performing an investigation. The operational impact of removing a computer system or hard drive for an extended period, be it minutes or years, might outweigh any storage benefits of having the original media.

Barring the concerns noted previously, storing a bitstream copy of all evidence as a base copy is the best approach. The media should be write-protected to ensure that it cannot be altered. It must be of archival quality as some media, notably early CDs and DVDs, have longevity issues, as do many magnetic tapes. It must be a long-lasting format as well, for if the format is proprietary and the reading hardware dies, all of the evidence may be rendered unusable.

Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
