Chapter 5: Legal Matters

Legal Functions: More than Speeding Tickets

It is a well-worn cliché in the Information Age: criminals are on the cutting edge of technology while law enforcement officers are trailing far behind. The truth of the matter is this is not the case. Many venues are connected using state-of-the-art communications networks between individual law officers, their cars, and their precinct offices. At any moment, the officer can observe a license plate, touch the keys on her laptop, connect to the NCIC (National Crime Information Center), determine if the car has been reported stolen, and obtain a criminal history of its registered owner. Private and corporate investigators have advanced skills that allow them to access compromised workstations and servers, create forensic copies of relevant media, and quickly search for incriminating files.

Most law enforcement agencies and many investigators from the private sector are members of or have access to computer crimes task forces composed of officers and analysts from local, state, and federal agencies. Computer crimes task forces allow resource and jurisdiction pooling, so that qualified investigators and analysts are available to collect electronic evidence, analyze it, and provide credible testimony in legal proceedings. These same task forces have developed liaisons with private businesses that permit them to coordinate prevention and investigative efforts. Consequently, task force members are fully aware that evidence is more likely to be found on magnetic media than on multi-column ledger paper.

White-collar criminals have been known to use computer systems to steal an organization's trade secrets and transmit them to waiting competitors using the victim's own e-mail network. Drug dealers use spreadsheet software to track their purchases, assets, earnings, and persons owing them money. Even terrorists use computers to track their targets, financing, training manuals, contacts, and to communicate via the Internet.

In fact, one common definition of computer crime is criminal acts facilitated in any way by computers and computer-related equipment. Using computer networks can provide criminals and others with low-cost, easy access to victims and the means by which they can conceal their acts. Regardless of the degree of computer involvement in unlawful behavior, investigators must not forget their basic evidence collection training and guard against becoming overwhelmed by the magnitude of technical aspects relating to electronic evidence. Investigations of unlawful or abusive acts must be conducted with deliberation and good judgment.

The difference between investigating an ordinary unlawful act and one facilitated by technical equipment is very little when reduced to its basic doctrine: the investigator's skill in collecting and managing evidence and delivering credible testimony. It does not matter whether the investigation supports criminal, civil, or administrative actions; handling evidence must follow the same careful and deliberate process.

If electronic evidence is properly collected, analyzed, preserved, and followed by credible testimony, most legal challenges of alteration and mishandling can be avoided. In short, investigators must exercise a sound understanding of procedures and laws while preserving individual rights.

Investigators are aware of the extreme volatility of digital evidence and the importance of not changing its content by even one bit if they intend to deliver credible testimony. Evidence collection is not the time for experimentation or guesswork.

Opposing attorneys will pounce on an investigator's lack of training and experience, using seemingly brutal examination tactics to discredit or detect weakness in testimony. For example, under vigorous examination at a deposition, an investigator can usually count on being questioned relative to experience delivering a forensically sound copy of the target media. If the investigator cannot recount her training, practices, and correct procedures, every question will focus attention on her inadequacies to the detriment of her credibility.