Computer forensic techniques must ensure that data collected during electronic discovery can be used as evidence in a court of law.
On TV, crime scenes are typically filled with people — uniformed officers, detectives and others interested in the investigation. While that may make for good drama, it could potentially damage a real-life case. Activity within the crime scene can destroy sensitive physical evidence and hamper the investigation.
The same holds true for electronic evidence. Electronic evidence must be carefully preserved so that computer forensic investigators can do their work.
In fact, electronic evidence is in many ways more complex than physical evidence. While it’s easy to touch, see and photograph physical devices, it’s obviously impossible to do that with file systems and other residual data. Electronic evidence can easily be tainted without proper handling practices.
Chain of Custody
The processes that help preserve electronic evidence can be summed up in the term “chain of custody.” First, the computer forensic investigator must gain possession of the electronic media with proper authority. The owner of the data must voluntarily surrender the data, or a court order or subpoena must be in place.
Next, the investigator must make sure that no damage is done or change is made to the original media. Something as simple as turning on a computer can alter the file system and render the evidence useless in a court of law.
Evidence is preserved by the application of sound chain-of-custody processes. The chain of custody in electronic discovery is not just the starting point of every case — it’s the backbone of every case. It is potentially the most crucial element that will support the ultimate findings.
Preserving the Data
The chain of custody includes both the physical devices themselves and the electronic evidence potentially stored on them. As with physical evidence, special handling and preservation practices are used to reduce the risk of tampering or destruction.
However, computer forensic investigation techniques go further due to the nature of electronic evidence. In the field, investigators use special gloves, grounding, and storage and shipment containers to prevent damage by electrostatic discharge. The scene is documented, and all investigative activities and evidence are carefully logged.
In the lab, the team builds its own workstations using special disk controllers and hard drives that allow data to be copied from the suspect computer without altering it in any way. Locked cages and fire-proof vaults are used to protect against theft and other hazards.
In an increasing number of cases, it’s not possible to seize the actual equipment. In those cases, on-scene media bit stream images verified using cryptographic hashing algorithms for subsequent off-site analysis are created. Nevertheless, strict chain-of-custody processes must be followed.
Following the Rules
All of this effort has one goal — to ensure that the electronic evidence can be used in court. Computer forensic investigators must be able to certify the authenticity and integrity of the data to meet evidentiary rules.
The evidence itself is almost never questioned — it’s difficult to deny allegations that are spelled out in the data. However, opposing counsel will often challenge the authenticity of your data or claim a broken chain of custody.
Many computer forensic investigations occur outside the realm of law enforcement to support or defend against civil lawsuits, or to meet regulatory requirements. Although a wrongful discharge or theft of intellectual property claim may not involve the same kind of “crime scene” as a murder, evidentiary rules still must be carefully followed.
One of the cardinal rules of computer forensics is to treat all investigations as though you were going to refer the case to law enforcement. First, it´s necessary to clear the scene and don’t allow anyone in the area until the investigation is complete. Then, a precise set of procedures are followed to ensure that the evidence collected can be used in a court of law.
ABOUT THE AUTHOR: Cheryl Cooper
Cooper works for a private detective agency with specialization in computer technology and digital media; specifically, computer crime and computer misuse investigations, digital forensics, mobile phone and PDA forensics, data and password recovery, and secure disposal of digital media. They can provide computer forensic investigative services and support to corporate security and the legal community.
Copyright Ispirian Computer Forensics
More information about Ispirian Computer Forensics
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.