Chapter 5: Evidence Collection and Data Seizure

Evidence is difficult to collect at the best of times, but when that evidence is electronic an investigator faces some extra complexities. Electronic evidence has none of the permanence that conventional evidence has, and it is even more difficult to form into a coherent argument. The purpose of this chapter is to point out these difficulties and what must be done to overcome them. Not everything is covered here—it should be used as a guide only, and you should seek further information for your specific circumstances.

WHY COLLECT EVIDENCE?

Electronic evidence can be very expensive to collect—the processes are strict and exhaustive, the systems affected may be unavailable for regular use for a long period of time, and analysis of the data collected must be performed. So, why bother collecting the evidence in the first place? There are two simple reasons—future prevention and responsibility.

Future Prevention

Without knowing what happened, you have no hope of ever being able to stop someone else (or even the original attacker) from doing it again. It would be analogous to not fixing the lock on your door after someone broke in. Even though the cost of collection can be high, the cost of repeatedly recovering from compromises is much higher, both in monetary and corporate image terms.

Responsibility

There are two responsible parties after an attack—the attacker, and the victim. The attacker is responsible for the damage done, and the only way to bring them to justice (and to seek recompense) is with adequate evidence to prove their actions.

The victim, on the other hand, has a responsibility to the community. Information gathered after a compromise can be examined and used by others to prevent further attacks. They may also have a legal obligation to perform an analysis of evidence collected, for instance if the attack on their system was part of a larger attack.