Evidence


Clues to the identity of a hacker often exist in cyberspace and in the real world if the investigator knows where to look. Finding these clues is often difficult. They may be scattered across the Internet. Hackers often attempt to cover their tracks, making it more difficult to find evidence.

In cyberspace, evidence is often fleeting. The records of online events, which are important in solving a crime, are often not retained long enough to be available when someone finally realizes that the information is needed. The information which is maintained often has limited value as evidence.

The hackers that brought down UK Internet Service Provider Cloud Nine with a distributed denial-of-service attack are almost certain to avoid prosecution. The attackers covered their tracks by deleting the data that could have been used to trace them, making it unlikely that they will be found.

The hackers managed to delete the logs that would have recorded exactly what happened during the attacks. Without that information, it's impossible to show that someone carried out a particular act and caused specific damage. [80]

[80] "UK Web Host Downed by DDoS Attack," The Register, 30 January 2002.

Records Collection

Any information that is collected under normal operations or in accordance with written policy and procedures can be used as evidence. Evidence is often contained on backups and on system and security logs. Keep a written log detailing when, and by whom, each backup is taken. You may be able to collect information that the police cannot: in compliance with policy you may capture keystroke information that is admissible as evidence, whereas a law officer may not be able to direct you to collect it, because a private party acting at the direction of law enforcement becomes subject to the same Fourth Amendment (search and seizure) limits as the officer. This is why it is important to consult an attorney and law officers to determine when to bring law officers into a security incident.

Records as Evidence

Electronic records are, for the most part, acceptable and on a par with their paper counterparts. Federal, state, and local laws and regulations specifically allow for the use of records stored electronically. State and Federal rules of evidence and civil procedure allow "non-original" records to be admitted into evidence as if they were originals. In fact, the recent passage of the Electronic Signatures in Global and National Commerce Act (E-SIGN) at the Federal level and of the Uniform Electronic Transactions Act in various states makes clear that e-records are here to stay and cannot be denied their legal legitimacy.

For a business record to be admissible despite the hearsay rule, it has to qualify under the business records exception (Federal Rule of Evidence 803(6) and its state equivalents). This requires that the record be made in the ordinary course of business, as part of a regular practice of documenting that kind of activity, by or from information transmitted by someone with knowledge, at or near the time of the event it documents.

Collection of Evidence

You should make it a practice to sufficiently identify and secure your backups. This will not only help in a prosecution, but it will also increase your confidence that when you recover from a backup, it is the correct one and has not been tampered with. Some states have passed laws protecting proprietary information from being revealed in open court.

When you are collecting evidence during and after an attack, you need to date and sign all printouts and keep a detailed log describing where, when, and how the information was found. Generally, online evidence by itself will not be sufficient to prosecute. However, it will often be sufficient to obtain a search warrant, which may uncover other evidence.

Corporations must also be careful about the way in which they interview suspected wrongdoers. If corporate officials conduct interviews of employees under threatening or coercive conditions, those interviews may be of little value in a future legal action. Additionally, many jurisdictions have whistle-blower statutes that protect an informing employee from reprisals by his or her employer for providing information to authorities. Forceful interviews may also be construed as witness tampering, which is itself a criminal act on the part of the interviewers. It is a good idea to consult with your company's legal and human resources departments before interviewing an employee about suspected unlawful behavior.

Chain of Custody

Central to evidentiary trustworthiness and credibility is that the record can be accounted for throughout its life, an accounting sometimes referred to as the chain of custody. Records that are out of the control (and, practically speaking, beyond the ability to alter) of any person with an interest in changing their content are less likely to be intentionally altered. Such records therefore have greater evidentiary value, because they are less likely to be successfully attacked as fabricated. Simply put, a record that could be changed at any time, by any person, for any reason, is easier to attack as lacking credibility than a record that is stored at about the time the underlying transaction took place and is retained on a medium designed to minimize intentional or accidental alteration.

In one case, the court considered excluding electronic records because the testimony "demonstrated a weakness in the security measures" taken by a bank to control access to computer terminals. Security procedures are needed for all records, including those stored on write-once, read-many (WORM) media. However, the fact that records are stored on a medium that promotes record security tends to decrease the likelihood of an attack on record integrity based upon lax record control.
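The collection log described under Collection of Evidence (who found what, where, when and how) and the chain of custody described here can be kept in a form that makes alteration detectable. The script below is an added example, not code from the book: it records a collection-time SHA-256 hash for each item and keeps the custody entries in a hash chain, so that a changed record, a changed log entry, or a removed interior entry fails verification. The evidence is a constructed auth-log excerpt held in memory so the script runs offline; the item identifiers, names and timestamps are assumed.

```python
"""Tamper-evident evidence manifest and chain-of-custody log.

Added example, not code from the book. Evidence is handled as in-memory bytes
(a constructed auth.log excerpt) so the script runs offline; on a real case
the same hashing is applied to the acquired file or disk image, and the
manifest is kept apart from the evidence and signed or printed by the collector.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64   # prev_hash of the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source: str         # where it was found: host, path, device
    collected_by: str   # who collected it
    collected_at: str   # ISO-8601 UTC timestamp
    sha256: str         # hash taken at collection time


class CustodyLog:
    """Append-only log in which every entry carries the hash of the previous
    entry, so editing or deleting an interior entry is detectable."""

    def __init__(self) -> None:
        self.items: Dict[str, EvidenceItem] = {}
        self.entries: List[dict] = []

    def _append(self, event: dict) -> None:
        event["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        event["entry_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
        self.entries.append(event)

    def collect(self, item_id: str, description: str, source: str,
                collector: str, data: bytes, when: Optional[str] = None) -> EvidenceItem:
        """Register newly acquired evidence and record who took it, where, and when."""
        when = when or datetime.now(timezone.utc).isoformat()
        item = EvidenceItem(item_id, description, source, collector, when, sha256_hex(data))
        self.items[item_id] = item
        self._append({"event": "collected", **asdict(item)})
        return item

    def transfer(self, item_id: str, from_person: str, to_person: str,
                 reason: str, when: Optional[str] = None) -> None:
        """Record a hand-off so every holder in the item's life is accounted for."""
        if item_id not in self.items:
            raise KeyError(f"unknown evidence item {item_id}")
        self._append({"event": "transferred", "item_id": item_id, "from": from_person,
                      "to": to_person, "reason": reason,
                      "at": when or datetime.now(timezone.utc).isoformat()})

    def verify_item(self, item_id: str, data: bytes) -> bool:
        """True if the evidence still matches its collection-time hash."""
        return self.items[item_id].sha256 == sha256_hex(data)

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or an
        interior entry removed. Truncating the tail is not detected here, so the
        latest entry_hash should also be recorded out of band (printed and signed)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    # Constructed sample: one line of an auth log taken from a compromised host.
    auth_log = b"Jan 30 02:15:40 web1 sshd[415]: Accepted password for root from 203.0.113.5 port 4023 ssh2\n"
    log = CustodyLog()
    log.collect("E-001", "auth.log excerpt", "web1:/var/log/auth.log", "J. Analyst",
                auth_log, when="2002-01-30T03:00:00+00:00")
    log.transfer("E-001", "J. Analyst", "Evidence locker", "stored pending referral",
                 when="2002-01-30T04:00:00+00:00")
    print("item intact:", log.verify_item("E-001", auth_log))          # True
    print("item tampered:", log.verify_item("E-001", auth_log[:-2]))   # False
    print("log intact:", log.verify_log())                              # True
    log.entries[0]["collected_by"] = "someone else"
    print("log after edit:", log.verify_log())                          # False
```

The hash chain only protects entries that have a successor, which is why the latest entry hash (or the whole manifest) should also be printed, dated and signed, as the text recommends for printouts: that out-of-band copy is what makes truncation of the log detectable.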

Trustworthiness of Evidence

It goes without saying that all companies that retain records want to be able to use them for whatever purpose may be needed in the future. That should not be an issue for most business uses.

To the extent a record is not capable of being altered after it is stored (or alteration is very difficult, as is the case with WORM media), that tends to provide confidence that the record will be trustworthy when accessed in the future. Records lacking trustworthiness may become an issue when used in any formal proceeding such as an audit, investigation, or lawsuit. While an attack on record trustworthiness will not occur in every case, there is a need to maximize the likelihood that records are acceptable and usable for whatever purpose, whenever they are needed. If companies go to the trouble of methodically retaining records, they should be confident in their ability to use them to protect or support the company's business activities and legal positions.

Data Reduction

The amount of information collected by information systems, especially during an attack, is often overwhelming. Information is logged by computer systems, applications, network devices, and security systems, most of them at a very detailed level. A simple connection to a system may generate dozens of log entries in a number of different logs. Some of these details may be needed to illustrate exactly how a vulnerability was exploited, but the log information will have to be reduced to show the larger picture of what happened during the attack.

To create a complete picture, it is usually necessary to compare and correlate information from a number of sources. Information from these sources is likely to have discrepancies in the way it identifies an individual or a system: inconsistent naming (hostname in one log, IP address in another), inconsistent time (different clocks, time zones, and timestamp formats), and so on.

It is likely that someone will have to prepare reports summarizing information extracted from logs and other sources of online information into a form that is understandable to a layman. Most law enforcement officers, lawyers, judges, and jurors are not necessarily very computer-literate, so the evidence will have to be presented in a way that is understandable and explainable. The procedures used to reduce the data will also have to be well documented, to show that the report is accurate and complete.
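As an added example of the correlation and reduction described in this section (not code from the book), the script below merges three constructed log sources that disagree on naming and time: a syslog without a year, a firewall whose clock runs in local time (assumed UTC-5) and identifies hosts by IP, and a web log that uses a fully qualified hostname. It normalizes every record to UTC and to one canonical host name, orders them into a single timeline, and then collapses repeated events into a summary that shows the larger picture. The log lines, alias table and clock offset are all assumptions for illustration.

```python
"""Normalise and correlate logs from several sources into one UTC timeline,
then reduce it to a summary. Added example, not code from the book; the log
snippets, host aliases and clock offset below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample records. Each source has its own time format and clock:
# the firewall is set to local time (UTC-5), the other two to UTC.
SYSLOG = """Jan 30 02:14:07 web1 sshd[412]: Failed password for root from 203.0.113.5 port 4022 ssh2
Jan 30 02:14:09 web1 sshd[412]: Failed password for root from 203.0.113.5 port 4022 ssh2
Jan 30 02:14:12 web1 sshd[412]: Failed password for root from 203.0.113.5 port 4022 ssh2
Jan 30 02:15:40 web1 sshd[415]: Accepted password for root from 203.0.113.5 port 4023 ssh2"""
FIREWALL = """2002-01-29 21:14:05,fw1,allow,203.0.113.5,192.0.2.10,22
2002-01-29 21:15:38,fw1,allow,203.0.113.5,192.0.2.10,22
2002-01-29 21:16:02,fw1,allow,192.0.2.10,198.51.100.7,6667"""
WEBLOG = """2002-01-30T02:17:15+00:00 web1.example.com 203.0.113.5 GET /admin/ 200"""

ALIASES = {"192.0.2.10": "web1", "web1.example.com": "web1"}  # assumed asset inventory
FW_CLOCK = timezone(timedelta(hours=-5))                       # assumed firewall clock
SYSLOG_YEAR = 2002                                             # syslog omits the year


@dataclass
class Event:
    ts: datetime        # always UTC after normalisation
    source_log: str
    src: str
    dst: str
    action: str


def host(name: str) -> str:
    """Map IPs and FQDNs to one canonical name so events about web1 line up."""
    return ALIASES.get(name, name)


def parse_syslog(text: str, year: int) -> List[Event]:
    pat = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (\S+) from (\S+)")
    out = []
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue  # unrelated syslog lines are dropped from this view
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(Event(ts, "syslog", m[5], host(m[2]), f"ssh {m[3].lower()} {m[4]}"))
    return out


def parse_firewall(text: str, clock: timezone) -> List[Event]:
    out = []
    for line in text.splitlines():
        when, _device, verdict, src, dst, port = line.split(",")
        # Interpret the timestamp in the device's clock, then convert to UTC.
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").replace(tzinfo=clock).astimezone(timezone.utc)
        out.append(Event(ts, "firewall", host(src), host(dst), f"{verdict} tcp/{port}"))
    return out


def parse_weblog(text: str) -> List[Event]:
    out = []
    for line in text.splitlines():
        when, server, client, method, path, status = line.split()
        ts = datetime.fromisoformat(when).astimezone(timezone.utc)
        out.append(Event(ts, "web", client, host(server), f"{method} {path} {status}"))
    return out


def timeline() -> List[Event]:
    """All sources merged and ordered on the normalised UTC timestamp."""
    events = parse_syslog(SYSLOG, SYSLOG_YEAR) + parse_firewall(FIREWALL, FW_CLOCK) + parse_weblog(WEBLOG)
    return sorted(events, key=lambda e: e.ts)


def summarize(events: List[Event]) -> List[Tuple[str, str, str, int, datetime, datetime]]:
    """Data reduction: collapse repeats into (src, dst, action, count, first, last)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.src, e.dst, e.action)].append(e.ts)
    return [(s, d, a, len(ts), min(ts), max(ts)) for (s, d, a), ts in groups.items()]


if __name__ == "__main__":
    tl = timeline()
    for e in tl:
        print(e.ts.strftime("%Y-%m-%d %H:%M:%S"), f"{e.source_log:8}", e.src, "->", e.dst, e.action)
    print()
    for src, dst, action, n, first, last in summarize(tl):
        print(f"{n:2}x {src} -> {dst}: {action}  ({first:%H:%M:%S} to {last:%H:%M:%S})")
```

The eight raw records reduce to five lines that tell the story in order: repeated SSH failures from 203.0.113.5, an accepted root login seconds later, and an outbound IRC-port connection from the compromised host, followed by a request to /admin/. Note that the firewall's 29 January local times land on 30 January once converted, which is exactly the kind of discrepancy that has to be resolved before events from different logs can be placed side by side.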

Presentation of Evidence

During the process of examining various types of computer evidence, the examiner may well have to explain how specific evidentiary items arrived as found in their current condition or status. The examiner will sooner or later find himself explaining a process to an attorney, or even in court.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210