DAMAGING COMPUTER EVIDENCE




The latter part of the 20th century was marked by the electronic transistor and the machines and ideas made possible by it. As a result, the world changed from analog to digital. Although the computer reigns supreme in the digital domain, it is not the only digital device. An entire constellation of audio, video, communications, and photographic devices are becoming so closely associated with the computer as to have converged with it.

From a law enforcement perspective, more of the information that serves as currency in the judicial process is being stored, transmitted, or processed in digital form. The connectivity resulting from a single world economy in which the companies providing goods and services are truly international has enabled criminals to act transjurisdictionally with ease. Consequently, a perpetrator may be brought to justice in one jurisdiction while the digital evidence required to successfully prosecute the case may reside only in other jurisdictions.

This situation requires that all nations have the ability to collect and preserve digital evidence without damaging it, for their own needs as well as for the potential needs of other sovereigns. Each jurisdiction has its own system of government and administration of justice, but for one country to protect itself and its citizens, it must be able to make use of undamaged evidence collected by other nations.

Though it is not reasonable to expect all nations to know about and abide by the precise laws and rules of other countries, a means that will allow the exchange of undamaged evidence must be found. This part of the chapter also defines the technical aspects of these exchanges.

Standards

To ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and use broadly accepted procedures, equipment, and materials.

The use of SOPs is fundamental to both law enforcement and forensic science. Guidelines that are consistent with scientific and legal principles are essential to the acceptance of results and conclusions by courts and other agencies. The development and implementation of these SOPs must be under an agency’s management authority.

Rapid technological changes are the hallmark of digital evidence, with the types, formats, and methods for seizing and examining digital evidence changing quickly. To ensure that personnel, training, equipment, and procedures continue to be appropriate and effective, management must review and update SOP documents annually.

Because a variety of scientific procedures may validly be applied to a given problem, standards and criteria for assessing procedures need to remain flexible. The validity of a procedure may be established by demonstrating the accuracy and reliability of specific techniques. In the digital evidence area, peer review of SOPs by other agencies may be useful.

Procedures should set forth their purpose and appropriate application. Required elements such as hardware and software must be listed and the proper steps for successful use should be listed or discussed. Any limitations in the use of the procedure or the use or interpretation of the results should be established. Personnel who use these procedures must be familiar with them and have them available for reference.

Although many acceptable procedures may be used to perform a task, considerable variation among cases requires that personnel have the flexibility to exercise judgment in selecting a method appropriate to the problem. Hardware used in the seizure and/or examination of digital evidence should be in good operating condition and be tested to ensure that it operates correctly. Software must be tested to ensure that it produces reliable results for use in seizure and/or examination purposes.

In general, documentation to support conclusions must be such that, in the absence of the originator, another competent person could evaluate what was done, interpret the data, and arrive at the same conclusions as the originator. The requirement for evidence reliability necessitates a chain of custody for all items of evidence. Chain-of-custody documentation must be maintained for all digital evidence.

Case notes and records of observations must be of a permanent nature. Handwritten notes and observations must be in ink, not pencil, although pencil (including color) may be appropriate for diagrams or making tracings. Any corrections to notes must be made by an initialed, single strikeout; nothing in the handwritten information should be obliterated or erased. Handwritten signatures, initials, digital signatures, or other marking systems should authenticate notes and records.

As outlined in the preceding standards and criteria, evidence has value only if it can be shown to be accurate, reliable, and controlled. A quality forensic program consists of properly trained personnel and appropriate equipment, software, and procedures to collectively ensure these attributes.

International Principles against Damaging of Computer Evidence

The International Organization on Computer Evidence (IOCE) was established in 1995 to provide international law enforcement agencies a forum for the exchange of information concerning computer crime investigation and other computer-related forensic issues. Composed of accredited government agencies involved in computer forensic investigations, IOCE identifies and discusses issues of interest to its constituents, facilitates the international dissemination of information, and develops recommendations for consideration by its member agencies. In addition to formulating computer evidence standards, IOCE develops communications services between member agencies and holds conferences geared toward the establishment of working relationships.

In response to the G-8 Communiqué and Action Plans of 1997, IOCE was tasked with the development of international standards for the exchange and recovery of undamaged electronic evidence. Working groups in Canada, Europe, the United Kingdom, and the United States have been formed to address this standardization of computer evidence.

During the International Hi-Tech Crime and Forensics Conference (IHCFC) of October 1999, the IOCE held meetings and a workshop that reviewed the United Kingdom Good Practice Guide and the SWGDE Draft Standards. The working group proposed the following principles, which the IOCE delegates present approved unanimously. The international principles developed by IOCE for the standardized recovery of computer-based evidence are governed by the following attributes:

  • Consistency with all legal systems

  • Allowance for the use of a common language

  • Durability

  • Ability to cross international boundaries

  • Ability to instill confidence in the integrity of evidence

  • Applicability to all forensic evidence

  • Applicability at every level, including that of individual, agency, and country [ii]

Furthermore, these international principles were presented and approved at the International Hi-Tech Crime and Forensics Conference in October 1999. They are as follows:

  • Upon seizing digital evidence, actions taken should not change that evidence.

  • When it is necessary for a person to access original digital evidence, that person must be forensically competent.

  • All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.

  • An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.

  • Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles. [iii]
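The chain-of-custody and documentation requirements above (permanent, authenticated records; evidence that must not change while seized, accessed, stored, or transferred) can be made checkable rather than merely asserted. The following is an added illustration, not code from the book or from IOCE: each custody entry records the SHA-256 of the evidence as observed at that step, links to the previous entry by hash, and carries an HMAC as a stand-in for the custodian's initials or digital signature. The item id, custodian names, key, and disk-image bytes are constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.
    Each entry stores the evidence hash seen at that step plus the hash of the
    previous entry, so an altered item or an edited/deleted entry is detectable."""

    def __init__(self, item_id, evidence, custodian, key, ts):
        self.item_id, self.key, self.entries = item_id, key, []
        self.acquisition_hash = sha256_hex(evidence)  # reference value taken at seizure
        self.record("acquired", custodian, evidence, ts)

    def record(self, action, custodian, evidence, ts=None):
        """Append an entry; return True if the evidence still matches acquisition."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"item": self.item_id, "action": action, "custodian": custodian,
                "time": ts or datetime.now(timezone.utc).isoformat(),
                "evidence_sha256": sha256_hex(evidence), "prev": prev}
        raw = json.dumps(body, sort_keys=True).encode()
        # entry_hash chains the log; mac is the custodian's authentication mark
        entry = dict(body, entry_hash=sha256_hex(raw),
                     mac=hmac.new(self.key, raw, "sha256").hexdigest())
        self.entries.append(entry)
        return body["evidence_sha256"] == self.acquisition_hash

    def verify(self):
        """Walk the whole chain; return (ok, reason) for a later reviewer."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("entry_hash", "mac")}
            raw = json.dumps(body, sort_keys=True).encode()
            if e["prev"] != prev or sha256_hex(raw) != e["entry_hash"]:
                return False, f"log altered at entry '{e['action']}'"
            if not hmac.compare_digest(hmac.new(self.key, raw, "sha256").hexdigest(), e["mac"]):
                return False, f"entry '{e['action']}' not authenticated"
            if e["evidence_sha256"] != self.acquisition_hash:
                return False, f"evidence changed by or before '{e['action']}'"
            prev = e["entry_hash"]
        return True, "chain intact, evidence unchanged"

# Constructed sample data for the demo (not from any real case).
DEMO_KEY, DEMO_IMAGE = b"constructed-custodian-key", b"constructed disk-image bytes"

def demo():
    log = CustodyLog("ITEM-001", DEMO_IMAGE, "Examiner A", DEMO_KEY, "2002-01-01T00:00:00Z")
    log.record("transferred to lab", "Examiner B", DEMO_IMAGE, "2002-01-02T00:00:00Z")
    intact = log.verify()                       # clean transfer: (True, ...)
    log.record("examined", "Examiner B", DEMO_IMAGE + b"\x00", "2002-01-03T00:00:00Z")
    return intact, log.verify()                 # altered evidence is flagged
```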

So, do you have a well-documented intrusion-detection response plan? In other words, if you are attacked, do you have the documentation tools that are needed to record the attack, so that you can make the proper response? Let’s take a look.

[ii] U.S. Department of Justice, Federal Bureau of Investigation, J. Edgar Hoover Building, 935 Pennsylvania Avenue, NW, Washington, D.C. 20535-0001, 2002.

[iii] Ibid.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
