Reading‐04 - LPouliot/Soph-Spring-FOR-100-Digital-Forensics GitHub Wiki
Research/Reference for Module 4 Homework
Videos
How did the Enigma Machine work?
Hacker Breaks Down 26 Hacking Scenes From Movies & TV | WIRED
Cyber law, hacktivism, extradition and 'oppressive' response
Chapter 5 | The Admissibility of Evidence
When an archaeologist makes a new discovery, the burden of proof falls on the researcher to show beyond a shadow of a doubt that the discovery is authentic and genuine. The same holds true of the gems the digital investigator uncovers during an investigation. It isn’t sufficient that we find the smoking gun.
We have to find it in a manner that the courts find acceptable, or it will be dismissed. Another difference is that the investigator has to prove that the evidence is not only genuine, but relevant. Relevance is a function of admissibility. Whether or not evidence is admissible in court depends on a surprising number of factors.
Throughout this book, the mantra has been document, document, and then document how you documented. Perhaps it hasn’t been said quite so succinctly, but still, documentation is the key to everything. This chapter will discuss what makes evidence admissible and how the investigator can assure that the work accomplished makes its way into court.
What Makes Evidence Admissible?
Any information or exhibits that are to be presented in a court case, whether it be civil or criminal, will be subjected to scrutiny by both sides as well as by the judge in order to determine whether or not that evidence meets the general guidelines for admissibility.
If the court will allow the evidence to be presented, it is admissible. A number of factors go into making this decision. Some of the questions that will be asked are:
- Is the evidence relevant?
- Is the evidence authentic and credible?
- Is the evidence competent?
All three of these conditions must be met before the material will be allowed in court. So to clarify matters as much as possible, a detailed discussion of each one is in order. In considering any of these questions, a concept of American law known as the exclusionary rule must be kept in mind at all times. This basic tenet of American law states that if evidence is collected in violation of the law, or in violation of a person’s constitutional rights, that evidence must be excluded from all court proceedings.
Environmental Law Publishing (2010) has posted a rather complex flowchart that helps determine the admissibility of evidence. The diagram takes into consideration various factors involved when a court would or would not allow evidence. A simplified version of this flowchart, limited to those conditions likely to be encountered in a digital examination, is seen in Figure 5.1.
Is the Evidence Relevant?
“The fundamental rule governing the admissibility of evidence is that it must be relevant” (Wilson v. R 1970). If relevance cannot be established, the discussion can stop right here. None of the other factors covered in this chapter will be . . . well, relevant. The evidence will immediately be disallowed.
To be considered relevant, the evidence in question must satisfy two conditions. First and foremost, it must be material. Material means that it directly relates to the case being presented. If the prosecution is trying to prove that a man is guilty of bank fraud and presents files from his computer showing that he visited pornography sites with regularity, this is going to raise an instant objection from the defense.
The second condition of relevance is that the material is probative. That means it proves something that will help get at the truth of the situation. This works hand in hand with the material aspect of relevance. If the suspect possesses several account numbers for accounts that do not belong to him, it proves that he was showing an interest in other people’s business matters. The history of pornography sites proves something, but nothing that is material to the case.
Is the Evidence Authentic?
There are several things to examine in order to establish the authenticity of evidence as well. We must consider the credibility of the information presented. It must be factual information and not a person’s opinion, with the exception that an expert witness may be called upon to express an opinion based on professional experience or specialized training.
Is the Material an Opinion?
Strictly speaking, digital evidence will not fall under the category of an opinion. The material either exists or it doesn’t. However, the interpretation of material found may be subject to this test. As an investigator, collect anything of relevance. Let the legal team sort out this issue.
Is the Material Credible?
In order to ascertain that material presented as evidence is authentic, it falls to the investigator to demonstrate that the materials collected came from precisely where it is claimed. There can be no suspicion that the evidence has been tampered with or altered in any way. A good chain of custody is mandatory.
The information must be specifically associated to the circumstances and to the person linked to the events. It must be produced and attested by an individual who can verify that these associations exist.
Most of all, the information must be truthful and accurate. A statement under oath that a carrot is an apple does not make it so. Evidence presented that directly presents a statement or other evidentiary material may be treated like any other witness’s statement.
It can be considered hearsay if it is not possible to get the originator of the material to testify as to its accuracy. In the case of scientific evidence, the witness must be able to defray any doubts that might arise regarding the accuracy of the process used to obtain the evidence. The digital investigator needs to be very familiar with the tools used to extract evidence.
Is the Evidence Competent?
For evidence to be competent, it must not be prejudicial in any way. It must be free of any statutory constraints. It must satisfy all constitutional constraints. And it must not be hearsay.
Prejudice
Any information not directly related to the case at hand that has the potential effect of swaying a jurist’s opinion in the matter, one way or the other, is considered prejudicial. This is why a prior criminal record is rarely allowed as evidence.
A person who is being tried for robbing a liquor store is unduly prejudiced if the prosecution shows that she was convicted three times for shoplifting. If considered unfairly prejudicial, even evidence germane to the case may be excluded. Federal Rule 403 says that the probative value of the evidence must not be outweighed by the danger of unfair prejudice (FRE, Rule 403, 2011).
Statutory Restraints
Some information cannot be presented as evidence because of the protected nature of the information. Privileged information is generated in a variety of ways. Chapter 16, “Litigation and Electronic Discovery,” will cover this subject in more detail. For now suffice it to say that if information collected constitutes communication between a person and a priest, a doctor, or a lawyer, it is going to get kicked out of court.
Constitutional Constraints
The rights of the people are guaranteed under the Constitution. It is one of the fundamental tenets of our society. If evidence is obtained as a result of a blatant violation of those rights, it cannot be admitted as evidence, no matter how solidly it proves the case. Anybody who has seen Dirty Harry in action knows all about that. The First and Fourth Amendments to the Constitution are the amendments most frequently cited in evidence hearings, but circumstances can easily bring others into play.
Some court decisions have stated that forcing a suspect to reveal a password violates the Fifth Amendment as it applies to self-incrimination. In March 2012, a federal judge ordered Ramona Fricosu to provide an unencrypted copy of encrypted information from her hard drive (United States v. Fricosu 2012). The judge, Robert Blackburn, ruled that requiring the suspect to unencrypt the hard drive was not a violation of Fifth Amendment rights (Hunt and Varner 2012).
This ruling seemingly contradicts the decision handed down in U.S. v. John Doe (2012) where evidence was disallowed because the defendant had been forced to reveal the password to an encrypted drive. Which interpretation is correct is likely to be determined by the Supreme Court. As of this writing, Fricosu is still under appeal. The moral of these two stories is that it isn’t up to the investigator to decide what is right and what is wrong. Let the legal minds fight it out, and until a decision is handed down, do nothing that could compromise the evidence.
Hearsay
Hearsay is any statement that is made outside of the proceedings by any person (or thing, as we will see later on) who is not under oath at the time the statement is made. Courts take a dim view of “he said–she said” arguments on the witness stand. The Law Commission in 1995 had this to say about hearsay: “Where a representation of any fact is made otherwise than by a person, but depends for its accuracy on information supplied by a person, it should not be admissible as evidence of the fact unless it is proved that the information was accurate” (Sommer 1998).
For every rule, there are exceptions, and the hearsay rule is no exception. Several of the hearsay exceptions related to oral testimony are not relevant to this discussion and will be ignored. Exception No. 6, Records of a Regularly Conducted Activity, specifically relates to digital investigation. This includes records created by the business in the course of regular business activity as well as automatically generated records, such as log files (FRU 2012).
The Exclusionary Rule
Protection under the Fourth Amendment includes searches of a person’s possessions as well as his home. This includes his automobile, briefcase, cell phone, and any other object that could be classified as a “container.” The Fifth Amendment prevents people from being forced to testify against themselves.
The alleged witches of Salem had their constitutional rights violated when they were forced to confess under duress. It is a pity for them that the Constitution had not yet been written. Lastly, the Sixth Amendment guarantees a person the right to counsel. The latter does not affect the digital investigator as often but should be kept on the back burner as a possible problem to deal with.
When a search or seizure of property is done in violation of a suspect’s constitutional rights, the exclusionary rule dictates that any evidence from such a search or seizure must be excluded as evidence. A key factor to consider here is that only a search and seizure performed by an agent of the government can be considered a violation of a suspect’s constitutional rights. There will be more on that when we talk about digital vigilantes later in this chapter.
Some version of the exclusionary rule has existed in U.S. legal doctrine since even before America was an independent country. Chief Justice Mansfield wrote in 1769 that the courts should disregard any evidence that was provided under duress, regardless of how convincing that evidence might be (Davies 2003).
Disregarding evidence obtained during an illegal search was affirmed by the Supreme Court in 1914 (Weeks v. U.S. 1914). This trial centered on an alleged scam to sell lottery tickets by mail. During this era, state-run lotteries did not exist, and any form of such activity was illegal. Law enforcement officials searched Weeks’s home and found the evidence they needed to prosecute.
Justice Day, writing for the majority, stated that “there was involved in the order refusing the application a denial of the constitutional rights of the accused.” The Supreme Court ruling reversed the decisions of the lower courts affirming Weeks’s conviction.
Keeping Evidence Authentic
For the most part, relevance and competence are matters for the legal minds to argue out. Verifying that the data is authentic, and keeping it that way throughout the entire cycle of the investigation, from instigation to conclusion, is the job of the investigative team. The process of documentation (to be discussed in greater detail in Chapter 17, “Case Management and Report Writing”) is a key component to having your evidence accepted in court.
There are three areas of discussion that need to be addressed. First of all, it is necessary to keep the search of all information systems legal and within the scope of authorization. Searching a computer system is no different than searching a home. Unless the owner has given explicit permission for the search to be conducted, some form of legal authorization, such as a court order, a warrant, or a subpoena, will be required. Chapter 3, “Search Warrants and Subpoenas,” covered this subject in greater detail.
While doing the search, there are additional concerns to keep in mind. What is the plain view doctrine, and how does it impact your work? Are there multiple users who regularly make use of the computer system being searched? Does your authorization define a specific scope for the search to be conducted?
Plain View Doctrine
Generally speaking, the plain view doctrine is a rule that specifies that a search and seizure of evidence can be done without a warrant any time that the official making the search finds evidence of a crime that is clearly visible without the need for an entry or a search.
Court decisions have specified that there can be no reasonable expectation of privacy regarding an item that is located in a way anyone can see (Horton v. California 1990). The classic example of this situation is when a police officer pulls a driver over for a speeding violation and sees a baggie full of white powder on the front seat.
This premise easily comes into play during any digital investigation, and the investigator needs to tread carefully when it does. What would the correct approach be if, while searching for evidence of mail fraud, the investigator finds child pornography “in plain sight”? Mantei (2011) identifies three categories under which the plain view doctrine might impact the digital investigator:
- The inadvertence approach
- The prophylactic test approach
- The computers as containers approach
These different approaches were defined based on different court rulings that have occurred over the years. While the following discussion focuses primarily on how the government handled specific criminal cases, the principles will apply to any forensic evidence.
The Inadvertence Approach
Did the investigator come across the evidence “in plain view” accidentally or as the result of a systematic search? Defining plain view under this standard is based on a decision handed down by the U.S. Federal Circuit Court in U.S. v. Carey. In this historic case, the investigators were given permission by the owner of the computer to perform a search.
Despite having consent, the officers obtained a search warrant for evidence regarding the sale and distribution of controlled substances. During the search, police officers found a number of files with sexually suggestive file names. After viewing several of these files, they found files containing child pornography. Additional charges of transporting and possessing goods containing or including child pornography were filed against the defendant.
Initially, the courts allowed the files as evidence, citing that the evidence had been obtained while executing a legally obtained search warrant. On appeal, the Tenth Circuit overturned this decision. Using the officers’ own testimony as a guide, the court pointed out that the files used to indict Carey were not found “in plain view” inadvertently, but rather after a systematic search consuming a substantial amount of time. The first files seen, which prompted the search, while pornographic in nature, did not contain child pornography and therefore were not evidence that a crime had been committed. In any case, the files were not regarding the sale and distribution of controlled substances.
This approach was further fortified in U.S. v. Mann (2010), where child pornography was discovered during an investigation into criminal voyeurism. While a large number of files were admitted as evidence, files flagged with known file filter (KFF) alerts were disallowed as evidence because the court decided that a KFF comparison identified the file as child pornography and therefore the investigators should have known they were outside of the scope of their investigation. A new warrant would have been required to search for child pornography.
The Prophylactic Test
In a nationally publicized case, U.S. v. Comprehensive Drug Testing, Inc., the Ninth Circuit outlined a series of rules that evidence must pass in order to be considered “in plain view.” In searching for records specific to certain professional athletes named in a warrant, a directory containing targeted files was seized and transported offsite for analysis.
During this time, the names of other nationally recognizable athletes were discovered in the directory listings. The defense filed a FRCP 41(g) motion to have the evidence returned to the defendant and removed as evidence due to an unlawful search and seizure. The Ninth Circuit granted this motion and defined the following rules for applying plain view.
The government had to “forswear reliance on the plain view doctrine or similar doctrine,” and if the government refused to accept a waiver of that nature, the judge “should order that the seizable and non-seizable data be separated by an independent third party under the supervision of the court, or deny the warrant altogether.” The decision stated that the government also had to state the “actual degree of such risks” that failure to immediately execute a warrant will result in the destruction of data (U.S. v. Comprehensive Drug Testing, Inc. 2008).
This completely contradicts the Fourth Circuit’s decision that a computer search must “by implication, authorize at least a cursory review of each file on the computer” (U.S. v. Williams 2010a). The backlash to U.S. v. Comprehensive was such that in a later document, the Ninth Circuit clarified that these were to be considered guidelines and not rules to be followed. However, at least for the time being, courts have different precedents from which to act. Each must be considered.
Computers as Containers
In 2010, police officers obtained a search warrant that allowed them to search and seize computers belonging to Karol and Curtis Williams. The warrant specified “computer systems and digital storage media, videotapes, videotape recorders, documents, [and] photographs” (U.S. v. Williams 2010b). The purpose of the warrant was to investigate a complaint from a local church that they had received e-mails threatening young boys attending their Sunday school classes.
During the subsequent search, investigators discovered thousands of images of young boys. Thirty-nine of these images were classified as pornographic, and as a result of the search, Williams was indicted on child pornography charges. In Williams’s defense, he claimed that the search of his computers represented a violation of his Fourth Amendment rights because the search of his computers exceeded the scope of the warrant as issued.
In rejecting Williams’s appeal, the Fourth Circuit pointed out that the warrant authorized the search of each of the data storage devices or media specified in the warrant. Because the warrant instructed investigators to search for any evidence supporting the church’s complaint, the court decided that in order to ascertain the evidentiary value of any given file, that file had to be opened and viewed.
In the decision, the Fourth Circuit correctly pointed out that file names and extensions were invalid search constants because either one could be changed to conceal the actual contents of the file. The computer system was compared to “filing cabinets or other closed containers” (U.S. v. Williams, 2010b). Once a warrant was issued for the container, each item in the container could be examined.
Dealing with Multiple Users
For many years, operating systems (OSs) have been designed from the ground up to support multiple users. Each OS maintains separate user profiles to manage preferences and separate containers for storing user files (Figure 5.2). Legal issues face any investigator searching a computer system used by more than one person.
Figure 5.2 When multiple users access the same computer, each will have a separate profile.
It is not at all uncommon for computers owned by corporate entities or other organizations to be used by more than one person. Even privately owned computers are likely to be configured with multiple user accounts. My Macintosh at home has accounts for my wife, both of my children, me, and even my sister-in-law.
Any time multiple users are involved, the issue of privacy becomes somewhat convoluted. How to deal with search warrants and subpoenas is also impacted when there exists the possibility that any given file on the system could have been created by any one of several people.
Whether legal or civil in nature, each case revolves around the concept of an individual’s “reasonable expectation of privacy.” If your warrant specifies User A, how does a general search of the hard disk preclude the possibility that files from User B will be discovered and viewed?
A password-encoded account that is managed on the local computer is a strong suggestion that users have a reasonable expectation of privacy. However, on most networks, passwords are managed by the network operating system and not on local security accounts.
When this happens, while each computer onto which a user logs on will have a profile for that account, it is not necessarily true that files created, modified, or downloaded by that user will be stored in a profile-specific location. Such inconsistent behavior exacerbates the problems faced by the digital investigator.
These difficulties can be a little different, depending on whether the search is being conducted on the basis of the consent search doctrine or in response to a warrant or subpoena. Since warrants and subpoenas are covered in Chapter 3, “Search Warrants and Subpoenas,” only the consent search doctrine will be discussed in this section.
The Consent Search Doctrine
As has already been discussed at great length, the whole reason behind the necessity for search warrants is the Fourth Amendment. This particular document guarantees that citizens do not need to fear unreasonable searches or seizure of their property. Only by way of a legally executed warrant could a government official search a citizen’s property.
The Supreme Court has spent the last couple of centuries fine-tuning the definition of “unreasonable.” The courts defined a two-component test of any situation to ascertain the level of reasonability. First of all, does the individual have a “subjective expectation of privacy”? And secondly, would society in general be “prepared to recognize [it] as reasonable” (Katz v. U.S. 1967)?
One exception to the Fourth Amendment, carved out early in the game, was that any time the owner voluntarily consented to having his or her property searched, any evidence discovered as a result of that search was considered to be legally obtained. Subsequent court cases even determined that it did not necessarily have to be the actual owner of the property that granted consent for the search.
U.S. v. Matlock (1974) determined that anyone who possessed “common authority” over a property could grant consent to its search. In this decision, the court was quite clear that vested interest in the property extended beyond the concept of ownership. If the owner shared common access with a roommate or a family member, then that person also had the authority to grant permission to search those areas to which the person was granted access.
Such common authority is not without limitations. U.S. v. Block specified that while a person might have the authority to enter a room, this did not automatically render the authority to search everything within the room. The case in point involved a mother who granted permission for police to search the footlocker of her 23-year-old son.
While she did have the authority to grant access to the room, because as owner of the house she automatically had that privilege, she could not grant permission to search a locked footlocker owned by her son. The line of demarcation was that she did not own the footlocker, did not have permission to open it, and subsequently did not have “access.”
CASE LAW: U.S. V. FRANK GARY BUCKNER
In 2003, police entered the home of Frank Gary Buckner with the verbal consent of Buckner’s wife, Michelle. At this time, Ms. Buckner said for the officers “to take whatever [they] needed” and that she “want[ed] to be as cooperative as she could be” (U.S. v. Frank Gary Buckner 2007). The officers seized the computer belonging to Mr. Buckner and transported it offsite for forensic analysis.
Evidence found on the computer led to 20 counts of wire fraud and 12 counts of mail fraud. The defense tried to have evidence derived from the computer search suppressed, contending that since the computer was password-protected and nobody could sign on to the computer or view the files without knowing the password, then only he could give permission for a search of the computer. The motion to suppress was denied and Buckner filed a conditional plea of guilty.
The condition of his plea reserved the right for him to appeal based on the denial of his motion to suppress. On appeal, Buckner did not challenge the right of police to seize the computer. He did, however, contend that the search of the computer without a warrant was unconstitutional and therefore the evidence was obtained illegally.
In its decision, the U.S. Court of Appeals determined not only that Ms. Buckner had common authority over the computer but also that apparent authority existed for her to grant permission to the officers to search the computer. The motion to suppress was affirmed and Buckner lost the appeal.
The natural question that arose from these decisions was: Who has “apparent authority” to grant permission for a search? While the concept of common authority is clearly defined, to what extent must the investigator go to determine that a person granting permission actually has the authority to do so?
Illinois v. Rodriguez set the precedent for that decision in 1990. In this landmark decision, police responded to a call at the residence of Dorothy Jackson, who complained that Rodriguez was assaulting her daughter. According to police records, Ms. Jackson gave the officers every reason to believe that she had the authority to allow police to search the property. In the ensuing search, illegal contraband was discovered, which led to the arrest of Rodriguez. No warrant was issued because the police assumed none was needed in the presence of consent.
Rodriguez argued at his trial that Jackson did not have the authority to consent to such a search, since she no longer lived in the apartment and had not done so for several weeks. The argument was initially successful, and the lower court ruled on behalf of Rodriguez.
The case wound its way all the way to the Supreme Court, where Justice Scalia, writing for the majority opinion, cited that Fourth Amendment rights are not violated when law enforcement “reasonably (though erroneously) believe that the person who has consented to their entry is a resident of the premises” (Illinois v. Rodriguez 1990).
So after this lengthy and possibly meandering discussion of what constitutes permission, how does this affect the digital investigation? The question of multiple accounts on a computer was asked in 2001. In a situation where one individual granted permission to search a computer, it was made clear to the investigating officers that there was another user on the computer, that both users had a password-protected account, and that both maintained their own file folders.
The court decided that permission by one user on a shared system did not give police the right to search the files of the other user (Trulock v. Freeh 2001). The court analogized this to the locked footlocker in U.S. v. Block. Compare this with the earlier section, “Computers as Containers.”
A distinct problem is manifested when investigators use generic forensic tools to search for files on the hard disk. As discussed in Chapter 8, “Finding Lost Files,” many of the search tools are run against a forensic image of an entire drive. These tools do not necessarily know what files are owned by which users.
Unlike encryption, which renders a file unreadable to general text searches, files that are only managed by password security are readily found by tools such as EnCase, FTK, and the like. While some of the more advanced versions of these tools are able to identify which user owns any particular file, the majority do not. Open-source or generic utilities such as strings or grep and file carving utilities like Scalpel are unable to distinguish between users.
In U.S. v. Andrus (2007), McKay, the justice presiding, defines two legal issues key to any search of a system involving multiple users. The first questions whether or not users exhibit a determined attempt to keep their data private. Use of encryption and password-protected files is strongly indicative that they do. The second issue at stake is whether the investigating entity is employing any form of technology that allows the search to go beyond its authorized scope.
Using EnCase as an example, McKay notes that the software is capable of ignoring password protection in the process of finding and opening files. He concludes that investigators are then under the obligation to inquire into the level of access and what authority the person granting permission has over the system (U.S. v. Andrus 2007). A person with full administrative privileges on the system can obviously change any password on the system in order to gain access. But does the ability by necessity grant the right?
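The Trulock v. Freeh problem above is that drive-wide keyword searches and carvers return hits without regard to which user's profile they came from. The following is an added example, not code from the book or from any of the tools named: it sorts constructed search hits into in-scope (inside the consenting user's profile), out-of-scope (inside another user's profile) and review (shared or system areas, or carved data with no owner metadata) so that out-of-scope hits are logged and set aside for counsel rather than opened. The profile-root patterns and the shared-folder names are assumptions about typical macOS, Linux and Windows layouts, and the hit list mixes paths from several evidence items.

```python
# Scope triage for search hits on a multi-user forensic image (added example).
# Classifies each hit from a drive-wide search (grep/strings/carver output)
# against the account whose consent or warrant authorises the search.
from dataclasses import dataclass
import re

# Assumed profile roots: /Users/<u> (macOS), /home/<u> (Linux),
# C:/Users/<u> and C:/Documents and Settings/<u> (Windows).
# The capture group is the account name that owns the profile.
PROFILE_ROOT = re.compile(
    r"^(?:[a-z]:)?/(?:users|home|documents and settings)/([^/]+)(?:/|$)",
    re.IGNORECASE,
)
# Folders under a profile root that belong to no individual user (assumed).
SHARED_NAMES = {"shared", "public", "default", "default user", "all users"}


def normalize(path: str) -> str:
    """Fold Windows separators so one pattern covers both path styles."""
    return path.replace("\\", "/").strip()


def profile_owner(path: str):
    """Return the account name whose profile contains path, or None."""
    m = PROFILE_ROOT.match(normalize(path))
    if not m:
        return None
    name = m.group(1)
    return None if name.lower() in SHARED_NAMES else name


@dataclass
class Hit:
    path: str        # path inside the image; "" when carved from unallocated space
    source: str      # "filesystem" or "carved"
    offset: int = 0  # image offset, used to label carved hits


def classify(hit: Hit, authorized: set) -> tuple:
    """Return (verdict, reason); verdict is in-scope, out-of-scope or review."""
    if hit.source == "carved" or not hit.path:
        # Carvers ignore the filesystem, so ownership cannot be established here.
        return ("review", "carved from unallocated space; no owner metadata")
    owner = profile_owner(hit.path)
    if owner is None:
        return ("review", "outside any single user's profile (shared/system area)")
    if owner.lower() in {a.lower() for a in authorized}:
        return ("in-scope", f"inside profile of authorised user {owner}")
    return ("out-of-scope", f"inside profile of non-consenting user {owner}")


def triage(hits, authorized):
    """Classify every hit; returns a list of (label, verdict, reason) for the log."""
    results = []
    for h in hits:
        verdict, reason = classify(h, authorized)
        label = h.path if h.path else f"offset 0x{h.offset:x}"
        results.append((label, verdict, reason))
    return results


def summary(results):
    """Count verdicts so the report can state how many hits were set aside."""
    counts = {"in-scope": 0, "out-of-scope": 0, "review": 0}
    for _, verdict, _ in results:
        counts[verdict] += 1
    return counts


# Constructed sample hits, as a keyword search over whole images might return.
SAMPLE_HITS = [
    Hit("/Users/alice/Documents/ledger.xlsx", "filesystem"),
    Hit(r"C:\Users\Bob\Downloads\invoice.pdf", "filesystem"),
    Hit("/home/carol/.bash_history", "filesystem"),
    Hit("/Users/Shared/notes.txt", "filesystem"),
    Hit("/var/log/auth.log", "filesystem"),
    Hit("", "carved", offset=0x4F2000),
]

if __name__ == "__main__":
    # Only "alice" consented to the search in this constructed scenario.
    res = triage(SAMPLE_HITS, {"alice"})
    for label, verdict, reason in res:
        print(f"{verdict:13} {label:40} {reason}")
    print(summary(res))
```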
Defining the Scope of the Search
Regardless of whether the search for evidence is inspired by civil or criminal action or whether it is being conducted with consent or the result of a court order, it remains true that there will be a specific limit to the extent of the search.
A search warrant will outline specific parameters that define the scope. Law enforcement officials are learning that a search scope that is too loosely defined will almost certainly lead to an appeal. Judges are more cognizant of this as well. In a civil investigation or an internal operation, it is up to the legal team to define the scope of the desired search.
Search warrants must be specific. Specificity is defined by two factors. The first is particularity. Particularity means that the warrant must clearly state what is being sought in the context of the search. A warrant that authorizes the search and seizure of “computers and storage media under the control of the defendant” would be considered overly broad if the “defendant” was a corporate entity.
In this case, it would be necessary to identify which computer or computers were being sought and the specific media. That same description might be sufficient in a search of a private individual’s residence. It is always the decision of the legal counsel as to what items to search and not that of the investigator.
The second factor is breadth. Under the breadth factor, the scope of the warrant is limited to the probable cause upon which the original warrant is based. In other words, if the probable cause is in regard to income tax evasion, the searchers cannot confiscate pornographic material. If such evidence is found in plain sight, in order to seize the materials, a new warrant should be requested defining the new scope.
In a civil or internal investigation, the scope will be defined by the person or committee making the assignment. Civil litigation is generally preceded by a discovery meeting in which each side states what documentation it expects the other side to produce. E-discovery and its related processes are covered in more detail in Chapter 16, “Litigation and Electronic Discovery.”
Internal investigations are usually subject to less regulatory oversight. As such, instructions may be very well defined or they may be very loose. It is important to make sure everybody is on the same page before the investigation starts. Regardless of the situation, any time the search looks like it is taking the investigator outside of the defined scope, the time has come to take a step back and find out if additional guidance is in order.
When the Constitution Doesn’t Apply
Much of the discussion in this chapter has been based on criminal investigations. Since these are cases that are prosecuted by government entities, the watchful eye of the Constitution rules every step. There are situations, however, when the courts cannot enforce constitutional law. In civil cases involving private individuals, the FRCP applies, which has a different set of rules for introducing evidence (See Chapter 16). Another situation that clouds the issue of constitutionality is evidence provided by the digital vigilante.
Civil Litigation and Internal Investigation
Internal corporate investigations are generally not impacted by constitutional limitations. However, a word of caution is in order. In the event that such an inquiry leads to the discovery of criminal activity and subsequent charges, any deficiencies in the investigation will be called into question. Legal counsel should be consulted in any situation where future prosecution is a possibility. Since this subject is covered in Chapter 16, there is little need to duplicate the material here.
Digital Vigilantes
People have long had a perverse admiration for the vigilante. Most of the super-heroes charging through the theaters are vigilantes. The law can’t act because its hands are tied by legal issues, or by their own incompetence or lack of concern. So a dedicated private citizen with special powers takes the law into his own hands. Vigilantes go far back into history. Where would merry old England have been without Robin Hood?
The realm of digital investigation is not without its share of these types of people. Well-trained hackers make the news when they break into a bank system and make off with thousands of credit card numbers. Not so much is heard when a hacker breaks into a system and produces evidence of a major crime in progress. Police have informants everywhere—even on the Net. But is the evidence uncovered by a vigilante admissible as evidence in court?
While law enforcement has made great strides in combating cybercrime in the past few years, it still has a way to go. According to Brenner (2007), the reason for this is our current model of law enforcement, because the assumptions it makes about crime do not hold true to digital criminology. The whole concept of “jurisdiction” makes no sense when there are no border guards to find contraband in the electronic luggage.
When credit card information is stolen from an online store in Boston, but the perpetrator pressed the Enter key that initiated the crime in Pakistan, who goes after the bad guy, and which courts handle the civil case? Brenner suggests that the actions of vigilantes should be encouraged, although she argues that they should be controlled—deputized as it were. But how would that impact the constitutionality of the actions?
When Is the Private Search Constitutional?
Consider this case as an introduction to the discussion. In U.S. v. Bradley Joseph Steiger (2003), the defendant was arrested and charged with multiple counts of possessing child pornography and receiving it by way of interstate and foreign commerce. The evidence that led to law enforcement obtaining a police warrant came from an anonymous tip provided in an e-mail from a person who identified himself only as Unknownuser.
Steiger attempted to have the evidence uncovered as a result of that warrant suppressed because Unknownuser was working as an agent for the government and as such had searched his computer illegally in violation of the Wiretap Act. Additionally, law enforcement failed to include the fact that the evidence provided by Unknownuser was obtained illegally when they applied for their search warrant.
In denying these motions to suppress, Justice Goodwin of the Eleventh Circuit made two observations regarding a search by private individuals. The first was that a search conducted by a private individual, whether legally conducted or not, did not implicate the Fourth Amendment. The second observation was that the court had to decide whether or not a private citizen was acting as an agent for the government when conducting the search. The latter decision is based on the answers to two questions.
Did the government know of, and authorize, the search?
In Steiger, the answer was that it clearly did not. The search was conducted long before the government was made aware that a violation had occurred. Had an authorized agent of either a state or federal government agency suggested that Unknownuser conduct the search, then the hacker would have clearly been working as a government agent, whether paid or unpaid. The additional inference is that, had such an agency been aware that Unknownuser was going to perform such a search before the fact, their acquiescence to the search would render the hacker as a government agent.
Was the private individual’s primary purpose to assist the government or to further its own ends?
It is very difficult to ascertain the motives of a person. In light of the fact that this particular search was done prior to law enforcement being aware of a violation, there was no evidence to support a claim that the hacker’s motive was to help the U.S. government.
A third question addressed by the decision that was related to the issuance of a warrant rather than the legality of the search focused on whether a warrant is legal if the affidavit uses illegally obtained information in submitting the request. Responding to this challenge, Goodwin wrote, “Because information obtained by a private person is not subject to the Fourth Amendment’s exclusionary rule, a statement that the anonymous source had hacked into Steiger’s computer to obtain that information would not have affected the magistrate’s finding of probable cause” (U.S. v. Bradley Joseph Steiger 2003).
When Is the Warrant Legal?
The concept was revisited in 2007 with a new twist. An anonymous caller told police of a Sprint PCS Web site that displayed images similar to those in Steiger. The caller gave the agent the user ID and password for the site in the course of the conversation. The agent who received the call had no trouble accessing the Web site and downloaded the images as evidence to present in his request for a warrant. The warrant led to a search of the defendant’s apartment, which uncovered sufficient evidence for an arrest. The defendant voluntarily confessed when confronted with the evidence.
At trial, the defendant moved to have the evidence suppressed, based on the fact that while the tipster was not covered by Fourth Amendment restrictions, the agent who viewed the site clearly was. The site was password protected; therefore, downloading the images in the process of requesting a warrant was a violation of the defendant’s rights. The evidence found while searching the apartment, as well as the defendant’s confession, defense claimed, should be suppressed as being the “fruit of a poisonous tree.”
The motion was denied. While the court conceded that the password protection employed on the site demonstrated the defendant’s expectation of privacy, the fact that the defendant freely shared the user name eroded that expectation. In the decision, the court wrote, “For example, there can be no reasonable expectation of privacy in matters voluntarily disclosed or entrusted to third parties, even those disclosed to a person with whom one has a confidential business relationship” (U.S. v. Kendra D’Andrea 2007).
Vigilantes Today
Law enforcement continues to use digital vigilantes in the same manner as they have used street informants for years. Additionally, not all such informants are actively looking for criminal activity. In U.S. v. Barth, the District Court decided that while a person has a reasonable expectation of privacy regarding their computer files, that privacy is lost when the computer is dropped off to a computer repair facility for service. The rationale is that in order to service the computer, the technicians have to be able to access the contents. If they reveal what they’ve found to law enforcement officials, no violation of the Fourth Amendment has occurred.
In the corporate environment, a situation arises in which all employees sign employee policy forms acknowledging that they are aware that the organization may, at its discretion, monitor their activities and even search their computers. Management or IT personnel who subsequently turn over material they find to law enforcement officials do not violate any laws.
A civilian group called Perverted Justice exposed hundreds of alleged pedophiles on a Web site after their members posed as underage girls and agreed to meet for a secret tryst. They avoid the implications of being considered agents of the government by enforcing a simple rule. They never contact the police. If the police contact them about a specific individual posted on their Web site, they happily provide any information they can.
Another group, Artists Against 419, go after scam artists. They go after phishing sites and other fraudulent sites, and have used questionable tactics in their war against cybercrime. The list of individuals and organizations that fight crime in digital costumes instead of masks and capes grows every year. The legal battle as to whether their results are legally admissible as evidence continues.
Chapter 6 | First Response and the Digital Investigator
First Response and the Digital Investigator
The actions that are taken—or are not taken—in the first hours of any investigation are often the ones that will later help or hinder the search for evidence. Far too often, the first people on the scene know too little about collecting and archiving digital evidence, and they do more harm than good. In recent years, law enforcement agencies around the world have spent a great deal of time and money training personnel to deal with digital information at the scene of a crime in a more effective manner.
In 2001, the U.S. Department of Justice (DOJ) published a paper entitled Electronic Crime Scene Investigation: A Guide for First Responders as a preliminary set of guidelines for law enforcement to follow when first on the scene. While some of the recommendations contained in the paper have subsequently been superseded by updated recommendations, for the most part it is still recommended reading for all law enforcement personnel.
Forensics and Computer Science
Due to the popularity of several television shows featuring the forensic end of law enforcement, the public has developed an almost jaundiced eye toward the subject. In fact, the term CSI effect was coined to describe the public perception that all hard drives could be analyzed, all passwords cracked, and all DNA evidence analyzed in 60 minutes or less. Another misconception is that every investigator involved in digital forensics is a computer scientist. This is not always the case, nor is it necessary for it to be.
Defining Digital Forensics
The word forensic is derived from the Latin word forensis, meaning “public.” This Latin term is the same root as that of the word “forum.” The Merriam-Webster Online Dictionary (2009) defines the word forensic as “belonging to, used in, or suitable to courts of judicature or public discussion and debate.” The astute reader immediately notices that there is nothing about science or computers in the definition.
Further reading will show that in addition to digital forensics and forensic science, there are also fields such as entomological forensics, forensic psychiatry, etymological forensics, and a plethora of other terms related to presenting information regarding specific areas of study to the courts. For the purposes of this book, the definition of digital forensics will be the one used by Marcella and Menendez in their book Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. They define computer forensics as a discipline that combines elements of law and computer science in order to collect and analyze computer data from a variety of computer systems, networks, storage devices, and other devices using digital communications as the source and flow of information in a way that is admissible as evidence in a court of law (Marcella and Menendez 2008, 5).
While this book will deal with internal investigations as well as civil and criminal enquiries, the philosophy will always remain the same. If the job is important enough for the client to engage the services of a forensics professional, it is important enough that the case should hold up in court if it should come to that. Prepare every case as if it will appear before a judge.
Computer Science and Digital Forensics
Analyzing stores of digital information does require a substantial knowledge about how computer systems work, how file systems work, and how operating systems (OSs) access and store data. It does not, however, presuppose that every digital forensic investigator (DFI) is qualified as a computer scientist. The knowledge required to extract deleted files and trace e-mails across the planet is completely different from the knowledge required to design a microchip, write the code for an OS, or design and build a file server.
The digital investigator will do well to have a strong understanding of file systems. Good hardware skills are in order so that hard disks can be removed without damage and information extracted from firmware stored on devices in the computer. Without a solid foundation in basic networking skills, it will not be possible for the DFI to track the actions of an individual breaking into a corporate network over a TCP/IP connection.
The best way to understand the difference between a computer scientist and the digital investigator is that the scientist knows a great deal about a specifically defined body of knowledge, while the DFI must have a familiarity with a wide range of subject matter. So while the argument goes on about whether or not digital forensics is a science, suffice it to say that to be a good DFI, a person must be a scientist, an artist, a craftsman, as well as a very good detective.
Locard’s Exchange Principle
Edmond Locard was a scientist living in Lyon, France, who first postulated in the early part of the twentieth century that everything that enters a crime scene does two things. It leaves part of itself behind, and it takes part of the scene with it. Paul L. Kirk further refined that principle in his book Crime Investigation: Physical Evidence and the Police Laboratory, when he said:
- Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value. (Kirk 1953)
While the French scientist and the famed professor of criminology from the University of California, Berkeley, were both referring to physical evidence, the principles they espouse hold just as true to the digital world as they do the physical. Every file copied to a hard disk changes the electrical charges on the disk’s platter, makes changes to the file system, alters and creates files, and even makes changes in the registry. When a knowledgeable criminal goes to great efforts to disguise these changes, all that happens is that more changes occur.
The indisputable fact that investigators must constantly keep in the backs of their minds is that actions they perform can have the same effect if they are not careful. One primary law reigns supreme in the world of digital investigation. Do Not Change the Evidence. This concept will be repeated again and again throughout this book.
Comparing Digital Evidence to Physical Evidence
Casey (2001) states that there are two types of evidence: that which possesses class characteristics and that which possesses individual characteristics. Class characteristics define an aspect shared by a large group of similar objects or people. Individual characteristics are traits unique to a particular sample. For example, if there are two white 2007 Saturn Sky convertibles parked side by side in a lot, the drivers might have trouble distinguishing which vehicle is theirs.
However, one of them has a New York license plate, and the other is from Massachusetts. As a group, both vehicles qualify as “cars.” Two class characteristics that they share are that they are both Saturn Skys and they are both white. The license plate gives each one an individual characteristic.
Why does the white color not qualify as an individual characteristic? If it was the only white Saturn Sky in the world, it most certainly would. Even if the investigator could point out that there were only ten white Saturn Skys in the whole world, and only four are in the United States, the color would still qualify. But with nearly 20% of this specific make and model on the road being white, the color only gives us a more narrowly defined class characteristic.
Additionally, evidence can be patent, or it can be latent. These terms are most commonly used when describing transient evidence, such as fingerprints; but they can apply to virtually any evidence. Patent evidence is something easily seen, picked up, handled, and photographed.
Using fingerprints as an example, a patent fingerprint is the big, gooey thumbprint in blood that every investigator dreams of finding but never does. The more common latent fingerprint is the one that is only picked up by the observant eye and must be dusted, lifted, and processed before it can be identified.
The vast majority of digital evidence is latent. Even the documents that might appear to be patent on the outset are latent. Just because a Microsoft Word document opens easily in a wide variety of word processing applications for anybody in the world to read does not make it patent evidence. There are two reasons for that. First, the document does not open by itself.
It requires a rather complex computer application to be launched by the user or the computer, and then the application has to load the document. Second, it can only be read on the screen, or someone can print it out. Once it is printed on paper, the paper document can be considered evidence—but it cannot be considered the same piece of evidence as the electronic version. That is a key difference. Why?
- The paper document contains none of the metadata of the electronic file.
- It does not prove who created the document.
- There is no indication of when the document was created.
- Judges and juries cannot see if the printed document was modified since its creation.
- The electronic file could contain additional information concealed in either the metadata, in steganographically concealed form, or tucked into the structure of the file.
- The paper document does not indicate what computer housed it when it was discovered or how many times it has been copied from computer to computer.
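To make the first three points concrete, the following Python script is an added example (not from the book or the wiki) that reads the authorship and timestamp metadata a printout discards. A .docx file is a ZIP container, and its `docProps/core.xml` part records who created the file, who last saved it, the revision count, and the created and modified timestamps. The sample document, its author names and its dates are constructed in memory here so the script runs offline; no real case file is involved.

```python
"""Read the core-properties metadata of a .docx that a paper copy loses.

Added example.  The sample document built by build_sample_docx() is
constructed here; its names and timestamps are not from any real case.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by the OOXML core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample core.xml: the values are invented for this demonstration.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>asmith</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2009-03-02T14:05:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2009-03-09T09:41:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

SAMPLE_BODY_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Quarterly figures</w:t></w:r></w:p></w:body></w:document>'
)


def build_sample_docx(include_core: bool = True) -> bytes:
    """Return the bytes of a constructed, minimal .docx (ZIP) container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", SAMPLE_BODY_XML)
        if include_core:
            zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Return creator / last-modifier / revision / timestamps, or {} if absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    fields = {
        "creator": "dc:creator",
        "last_modified_by": "cp:lastModifiedBy",
        "revision": "cp:revision",
        "created": "dcterms:created",
        "modified": "dcterms:modified",
    }
    props = {}
    for key, path in fields.items():
        el = root.find(path, NS)
        props[key] = el.text if el is not None else None
    return props


def _parse_w3cdtf(value: str) -> datetime:
    """Parse the W3CDTF form used in core.xml (e.g. 2009-03-02T14:05:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def modified_after_creation(props: dict):
    """True if the file was saved after it was created; None if timestamps are missing."""
    created, modified = props.get("created"), props.get("modified")
    if not created or not modified:
        return None
    return _parse_w3cdtf(modified) > _parse_w3cdtf(created)


if __name__ == "__main__":
    p = extract_core_properties(build_sample_docx())
    for k, v in p.items():
        print(f"{k:>17}: {v}")
    print("modified after creation:", modified_after_creation(p))
```

The same approach reaches the other properties a printout cannot show (the application part `docProps/app.xml`, custom properties, embedded objects), and the file's hash and the path it was recovered from are recorded separately as part of the evidence documentation.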
Physical and digital evidence differ in several other substantial aspects as well. A key difference is in longevity and stability. Over the past few years, several people have been released from prison based on comparisons of DNA samples that were several years old. Earl Washington was released in 2000 after serving 16 years in prison. The DNA samples from 1984 proved that he did not commit the crime for which he was convicted (ACLU 2003). More recently, viable samples of DNA were taken from skeletons of Vikings over 1,000 years old (Melchior et al. 2008).
While the Vikings from which the samples were extracted were not suspected of any crime (not recently, anyway), the incident demonstrates how long a sample can be retained and successfully used as evidence. Similarly, digital investigators need to be able to demonstrate how long the evidence they collect can remain viable in its environment. As we will see, memory does not retain evidence as satisfactorily as magnetic media.
A floppy disk from just a few years ago might be unreadable without special help. The information stored on a live computer system changes every second that the system is running. Computer data is extremely volatile and easily deleted, and can be destroyed, either intentionally or accidentally, with a few mouse clicks. It will be an amazing feat if archaeologists a thousand years from now are able to read a DVD unearthed from a radioactive ruin.
The DFI can generally retrieve a deleted file, either partially or fully, and that floppy disk can probably be read by the professional investigator. The hard part comes in proving that the evidence is reliable. As discussed in the previous chapter, evidence must be authentic and it must be relevant.
The Federal Rules of Evidence (U.S. DOJ 2008) is a 41-page document that clearly defines what evidence is, how it must be handled and presented, and a myriad of other regulations. It is imperative that the investigator understands the rules—especially as they pertain to authenticity and relevance.
Relating these two characteristics to digital evidence, remember the following: For the evidence to be authentic, the DFI must be able to prove that the information presented came from where he or she claims and was not altered in any way during examination, and that there was no opportunity for it to have been replaced or altered in the interim.
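The usual way a DFI proves the "was not altered in any way" part of authenticity is to compute cryptographic hashes of the acquired data at seizure time, record them in the case documentation, and re-hash before every examination. The following Python script is an added example (not from the book or the wiki) of that record-and-verify step; the "disk image" is a constructed byte string, and the function names, item identifier and seal number are assumptions made for the demonstration.

```python
"""Record integrity hashes at acquisition and re-verify them later.

Added example.  SAMPLE_IMAGE stands in for a bit-for-bit copy of seized
media; in practice the data is streamed from the image file in chunks.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "image" (not real evidence).
SAMPLE_IMAGE = b"\x00" * 512 + b"EVIDENCE: quarterly figures" + b"\xff" * 512


def hash_image(data: bytes, chunk_size: int = 1 << 16) -> dict:
    """Return size, SHA-256 and MD5 of `data`, hashing in chunks as a tool
    would for a multi-gigabyte image.  Two algorithms are recorded because
    older case files and tools still report MD5 alongside SHA-256."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    view = memoryview(data)
    for off in range(0, len(view), chunk_size):
        chunk = view[off:off + chunk_size]
        sha256.update(chunk)
        md5.update(chunk)
    return {"size": len(data), "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def seizure_record(item_id: str, description: str, data: bytes,
                   examiner: str, seal_number: str = None) -> dict:
    """Build the custody entry written when the item is acquired."""
    record = {
        "item_id": item_id,
        "description": description,
        "examiner": examiner,
        "seal": seal_number,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    record.update(hash_image(data))
    return record


def verify_integrity(record: dict, data: bytes):
    """Re-hash `data` and compare with the recorded values.

    Returns (ok, mismatches): ok is True only if size and both digests
    agree; mismatches names the fields that differ, which tells the
    examiner whether the data shrank/grew or was changed in place."""
    current = hash_image(data)
    mismatches = [k for k in ("size", "sha256", "md5") if current[k] != record[k]]
    return (not mismatches, mismatches)


if __name__ == "__main__":
    # Hypothetical item id and seal number, invented for the example.
    rec = seizure_record("ITEM-0001", "constructed sample image", SAMPLE_IMAGE,
                         examiner="D. Examiner", seal_number="SEAL-000123")
    print(json.dumps(rec, indent=2))

    # Untouched copy verifies; a single flipped byte does not.
    print("untouched:", verify_integrity(rec, SAMPLE_IMAGE))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01
    print("tampered: ", verify_integrity(rec, bytes(tampered)))
```

Note that the hash only proves the data is unchanged since the moment it was recorded; the record itself (who acquired what, when, under which seal) is what covers the "came from where he or she claims" half, which is why the two are written together.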
To be relevant, the information must have a bearing on the event being investigated, either directly or indirectly. If a DFI is tasked to locate pornography and in the process unearths evidence of illegal gambling, then great pains must be taken to preserve the newly found evidence while at the same time pretending it doesn’t exist. Until authorization is issued that allows the extraction of that data, it is not relevant to the case at hand.
This brings up the final issue to be discussed pertaining to evidence. In addition to its authenticity and relevance, it must be legally obtained. In Chapter 1, “The Anatomy of a Digital Investigation,” there was a brief discussion on three types of investigation—internal, civil, and criminal—and it was pointed out that different regulations and laws govern how the types of investigation may be conducted.
The criminal investigation is the most restrictive in terms of legal requirements. As mentioned before, the DFI should always treat every project as if it were a criminal investigation unless circumstances or orders dictate otherwise.
Controlling the Scene of the Crime
The first thing a DFI has to do is determine precisely what the scene of the crime actually is. At a genuine crime scene where a dozen emergency vehicles, a SWAT team, and the mayor are competing for attention, it might be pretty obvious. When conducting an internal investigation to determine whether or not a recently axed employee took confidential information with her when she left, there is no evidence of a real crime. All anyone really has is a suspicion. In either situation, there will be a specifically defined “area” that the DFI will be allowed to enter. There are protocols to follow.
Determining Who Is in Charge
Who is in charge can frequently be the most difficult question to answer—especially in internal investigations or civil litigation. As a DFI, one thing will always remain constant. Whoever is in charge, it isn’t you. Always remember that when the general walks into a room of colonels and asks, “Who’s in charge here?” the answer is always, “You, sir.” Except in this line of work, rank is not always prominently displayed, nor is it always indicative of who is in charge.
Find out as soon as possible what the chain of command is, and respect that chain. As soon as possible, the DFI should create a document that defines who has what authority, as it is defined to him or her, and include that with the case documentation.
In internal investigations, the organization contracting the services will almost certainly assign a person to conduct the investigation. This person will act as the DFI’s primary contact and work through him or her to access whatever resources are required to complete the task at hand.
Civil cases will generally be initiated by either the counsel for the plaintiff or the counsel for the defendant. In these situations, the DFI will be reporting directly to one (or more) of the attorneys representing in the case. By default, the focus of the investigation will be to prove one side’s claim over the other. Depending on which side the DFI represents, access to the data might be easy, or it might be dependent on what is released as a result of an e-discovery order.
Criminal cases can get very confusing. There must be a determination of what level of government (state or federal) or what agency has jurisdiction. Once jurisdiction is assigned, a lead investigator will be appointed. This is the person to whom the DFI will most likely report. Warrants will specify precisely what and where the DFI can search and what type of information is being sought.
Securing the Scene
The first rule of any newly developing case is Safety First. In a case involving computer crime, it is unlikely that the safety of any people is at risk; but it is not out of the question either. Consider the situation where a pedophile is actively luring a young child into a predatory situation. Securing the child would take precedence over securing the data.
Following the safety of people, the DFI must consider the safety and integrity of the computer, the data, or the network. If a network intrusion is in process, then it is essential to secure critical data on the network before worrying about who is after it. Preferably, a way can be found to lock down proprietary information without alerting intruders that they have been detected.
Now is the time to secure the evidence. A rule espoused by DOJ in its first responders’ guide is this: If it is off, leave it off. If it is on, leave it on. Consider the volatile data, such as active memory, paging files, and so forth. Do not assume that only the computer systems present can hold data. The following items are very likely to have information valuable to the investigation:
- PDAs
- Digital music players
- External storage devices (hard disks, flash drives, etc.)
- Cell phones
- Caller ID boxes
- Answering machines
- Digital cameras
- Digital audio recorders
This is merely a list of the obvious devices. The astute DFI will survey the scene with a critical eye to determine if other possible sources of digital evidence exist. If one or more computers are running, it is a good idea to get a digital photograph of the screen.
Be particularly cognizant of USB drives. The BitLocker encryption used by Windows Vista (and later) adds an extra layer of security by allowing the user to configure the encryption keys to be read from a thumb drive. Such a device that doesn’t appear to have any other useable data stored on it is likely a candidate for hardware encryption keys.
If a device such as a cell phone is present and on, secure the device immediately in a Faraday bag to prevent outside intervention. A Faraday bag is an enclosure engineered of a variety of materials that work together to block all electromagnetic radiation. Do not turn the device off. Document it properly, and transport it as soon as possible to a secure place for analysis if the field investigator is not equipped to handle it on the scene.
Documenting the Scene
As part of the case documentation, it is important to have an accurate description of the scene as it was initially found. A high-quality digital video camera should be part of every DFI’s arsenal of tools. Video documentation is valuable for identifying what was at the scene when it was first uncovered. Position of user interface devices (is the mouse on the right or left side of the keyboard?) can be used as evidence later on down the road. Examine all suspect systems and make notes of the following:
- Record the brand, make, model, and serial number of every device present.
- Note whether the computers present are on, off, or in sleep mode.
- Determine if the computers are part of a network.
- Look for a modem. If present, determine whether it is connected to another system somewhere.
- Record the status of all lights on the system. Flashing network lights can indicate a live TCP/IP connection.
- Listen to the system for excessive hard disk activity. This could indicate an active connection or data transfer.
- Identify any peripherals that are installed or connected. Document them whether they are to be collected or not.
- Look for documentation specific to devices not currently present. This could suggest other devices exist somewhere that might be relevant to the investigation.
- Photograph the back of the computer, and identify what devices are plugged into what ports.
Before the investigator leaves the scene, each person present should be added to a contact list with names, titles, phone numbers, and e-mail addresses for future contact. Provide a brief description of their role in the drama.
Identifying the Data Sources
The investigator began identifying data sources during the documentation of the scene. The inventory of hardware taken will identify the obvious sources of potential evidence. Now it is time to look for the less obvious. Here is where the investigator finally becomes an investigator. Look for documentation for devices that do not exist.
The reason for this is to help find sources of data not present at the scene of the initial investigation. For example, there might be no sign of a digital camera, nor any memory cards for such a device present at the scene. But the presence of the owner’s manual for a professional digital camera suggests that it exists somewhere. It also suggests approaches to take while searching hard disks, DVDs, and such.
Many of the popular “all-in-one” copy/scanner/printer machines have a function known as scan once/print many. In order to perform this technological trickery, the page (or pages) being printed are stored in memory. This should be checked and recorded.
A proprietary cable hanging out of a FireWire port tells the investigator to find whatever device gets connected to that cable. In some cases, the cable can help identify the device in question.
Look around for evidence that the suspect makes use of Internet storage or operates a Web site, even if Internet data transfer is not the issue. It has become more common for people to use offsite storage for information they don’t want prying eyes to see.
Web site hosting ranges from inexpensive to free and provides several megabytes or even multiple gigabytes of storage space on the Internet service provider’s (ISP) server farm. What better way to provide global access to contraband information than to set up a secure Web site and distribute the material via unpublished Universal Resource Locators (URL)?
Interview anyone who may have useful information. The person or persons under investigation may or may not prove to be cooperative in providing passwords or locations of other data sources. However, other people can prove to be a wealth of information, especially in environments where there are multiple users and multiple systems.
I was involved in one situation where the receptionist knew the user names and passwords of each person in her office. Security is a wonderful thing. Other bits of information that may be of use would be whether or not the suspect system or systems were used by multiple individuals. What was the primary use for the system?
Carefully search the area for concealed passwords that will allow investigators to gain access to data sources. Encrypted hard disks, Web sites, Internet services, and so forth will all require password authentication for access. In another situation I worked, a sticky note with the sentence “Pick up alphabits” gained the investigators access to an encrypted drive. The actual password turned out to be @lphab1ts.
Don't overlook a laser printer. It won't necessarily store any useful digital information, but the transfer roller can retain an image of the last document printed. This may change in the very near future. Researchers at Purdue University have proposed a process by which characteristics of specific printers can be embedded in every page created on the machine (Chiang et al. 2008).
Handling Evidence
On the scene there are a variety of evidence sources, and not all of them are digital. Prior to handling any physical evidence, confirm with the lead investigator that all preliminary processing has been completed. Depending on the level of effort going into the case, this may include photographing the scene, identifying and collecting fingerprints, and possibly collecting DNA samples. Once the DFI has the authority to begin collecting devices, there are procedures to follow to ensure that the integrity of the data is not impacted.
Evidence Handling Workflow
From beginning to end, a repeatable and logical process contributes to consistent success. The acquisition of evidentiary materials is a significant step that can impact the entire case and therefore should be accomplished systematically and efficiently. The basic steps in collecting equipment are:
- Identify the evidence.
- Photograph the evidence in situ (if possible).
- Document the evidence (where found, by whom, make, model, serial number, etc.).
- Package the evidence for transport.
- Transport the evidence.
- Store the evidence while in possession.
All of these steps are noted in the chain of custody with time, date, location, personnel involved, and case number documented. Figure 6.1 is an illustration of the workflow used in processing evidence.
Chain of Custody
A critical function of any investigation is the continuous process of logging each and every action that is taken on or against a piece of evidence and recording every movement that evidence makes. This log of actions and movement is called the chain of custody.
From the instant an object is identified as having evidentiary value, these records become a living document that is updated with every touch. Even if an object is simply removed from a cabinet to be viewed by a supervisor, that action must be recorded. During the actual examination of the evidence, the chain of custody must match up to the procedural log (which will be discussed in more detail later in the book).
If an action is recorded in the procedural log and there is no entry in the chain of custody to show that the material changed hands from evidence storage to the investigator, the entire chain is broken. The chain of custody can be challenged, and the evidence can potentially be declared inadmissible.
In United States v. McKeever, the court defined a seven-part test for determining the usability of evidence in court. In that case the list referred to tape recordings; however, this list (now known as the McKeever test) has since been used as precedent for other forms of evidence. The seven parts of the McKeever test are (words in parentheses added by the author) as follows:
1. The recording device (or computer) was capable of making the recording.
2. The operator of the device (or computer) was competent to make the recording.
3. The recording (or data file or artifact) is authentic and correct.
4. No changes, additions, or deletions have been made to the recording (or forensic image).
5. The recording (or digital evidence) has been preserved in a manner that can be shown to the court.
6. The speakers (heard or seen in the recording, or identified in the digital files) are identified.
7. The conversation recorded (or material stored on the computer) was made voluntarily and not induced in any way.
Digital cases do not always involve tape recordings. However, the McKeever test can be applied to any form of evidence. While chain of custody is not specifically listed, it is addressed in points 3, 4, and 5. If there is any moment in which a critical piece of evidence cannot be accounted for, a case can be made that it is not the same device or file, that alterations may have been made, or that the evidence has been tampered with or corrupted.
A good chain of custody log specifically identifies the evidence in a way that is clear to all who read the log or view the evidence. Identifying information might include data such as make, model, and serial number of the device. The log is generally accompanied by a photograph of the device when possible.
The time, date, and location at which the evidence was seized is recorded. From that point forward, every person who has any exposure to the evidence must be identified, along with the time and date of the exposure and the reason for it. Every transfer of the item from one location to another and every action taken against it must be recorded, listing the time, date, persons involved, point of origin, destination, and how transported.
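The cross-check described above, confirming that every action in the procedural log took place while the named examiner was the recorded holder, and that the custody log itself cannot be quietly edited after the fact, is straightforward to mechanize. The following Python is an added example, not code from the book or this wiki: each custody entry is hash-chained to the one before it (SHA-256 over the previous digest and the entry's canonical JSON), the image hash is recorded alongside the custody events so that McKeever point 4 can be demonstrated, and `custody_gaps` reports every procedural-log step that has no matching custody entry. The case number, the names, the times and the stand-in image bytes are all constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64


def _digest(body, prev_digest):
    # SHA-256 over the previous entry's digest plus the canonical JSON of this
    # entry: altering, deleting or reordering any record breaks every later digest.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest.encode() + canon).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, case_no, item_id, description):
        self.case_no = case_no
        self.item_id = item_id
        self.description = description
        self.entries = []

    def record(self, when, action, holder, location, image_sha256=None, note=""):
        """Append one custody event: who holds the item, where, and (for images) its hash."""
        body = {
            "case": self.case_no, "item": self.item_id, "time": when.isoformat(),
            "action": action, "holder": holder, "location": location,
            "image_sha256": image_sha256, "note": note,
        }
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        self.entries.append(dict(body, digest=_digest(body, prev)))

    def verify(self):
        """Recompute every digest; False if any entry was edited, dropped or reordered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if _digest(body, prev) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def holder_at(self, when):
        """Holder named by the latest entry at or before `when` (None before seizure)."""
        holder = None
        for entry in self.entries:
            if datetime.fromisoformat(entry["time"]) <= when:
                holder = entry["holder"]
        return holder

    def image_hashes(self):
        """Distinct image hashes recorded; more than one means the image changed."""
        return {e["image_sha256"] for e in self.entries if e["image_sha256"]}


def custody_gaps(custody, procedural_log):
    """Cross-check the procedural log against the chain of custody: every step must
    fall while the examiner who performed it is the recorded holder. Returns the
    steps that do not, i.e. the breaks in the chain."""
    gaps = []
    for when, examiner, step in procedural_log:
        holder = custody.holder_at(when)
        if holder != examiner:
            gaps.append((when.isoformat(), examiner, step, holder))
    return gaps


# Constructed sample data (not a real case): one seized laptop and its image.
IMAGE_SHA256 = hashlib.sha256(b"constructed stand-in for a disk image").hexdigest()

PROCEDURAL_LOG = [
    (datetime(2009, 3, 16, 8, 30), "Examiner M. Chen", "imaged drive with dd; hash verified"),
    (datetime(2009, 3, 17, 10, 0), "Examiner M. Chen", "keyword search over image"),
]


def build_demo_log():
    log = CustodyLog("2009-0142", "ITEM-03", "Laptop, make/model/serial as photographed")
    log.record(datetime(2009, 3, 14, 9, 12), "seized", "Det. A. Reyes", "Suite 410, scene")
    log.record(datetime(2009, 3, 14, 11, 40), "stored", "Evidence custodian", "Locker 7")
    log.record(datetime(2009, 3, 16, 8, 5), "checked out", "Examiner M. Chen", "Lab bench 2")
    log.record(datetime(2009, 3, 16, 8, 30), "imaged", "Examiner M. Chen", "Lab bench 2",
               image_sha256=IMAGE_SHA256)
    log.record(datetime(2009, 3, 16, 17, 0), "returned", "Evidence custodian", "Locker 7")
    # No check-out is recorded for 17 March, yet the procedural log shows work that day.
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify())
    print("image hashes:", log.image_hashes())
    for gap in custody_gaps(log, PROCEDURAL_LOG):
        print("BREAK:", gap)
```

In the sample timeline the keyword search logged on 17 March has no corresponding check-out, so `custody_gaps` reports it with the custodian as the holder of record at that moment. That is precisely the opening an opposing expert would use to argue that the image examined is not the one seized, and it is why the two logs must be reconciled before the report is written, not after.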
Computer Systems
It is unlikely that the DFI will ever collect every computer system from a site unless the investigation centers on an individual or a very small organization. Therefore, it is likely that individual computers will be selectively seized. There may be laptop computers, standalone computers, and networked computers. Standalone computers are desktop machines or workstations that are not connected to a corporate or organizational network; this could include laptops. Networked workstations can be more complex and should be treated differently.
Standalone Computers
Whether a desktop PC or a laptop, the standalone computer is identified by the fact that it is not joined to a larger network. Note that even private residences can have relatively complex networks configured these days. Therefore, it is not safe to assume that just because a computer is being seized from an individual’s house it should not be checked for network connectivity.
It could be part of a home network or linked to a corporate network via a virtual private network (VPN). A VPN is an encrypted tunnel over the Internet that makes a remote machine part of the corporate network, allowing people to work at home; this is a very common situation in today's business environment.
Earlier in the chapter, it was heavily emphasized that everything about the system should be documented, including status, condition, make, model, and serial number. The DFI should make sure this process is completed before anything is touched. If the computer is on, but the monitor is off, turn the monitor on and give it time to fire up.
If the monitor is on, move on to the next step. If the desktop is visible, make a photograph of the screen as it is displayed. If the monitor is on but there is no apparent display, move the mouse slightly in an attempt to wake the system. If the system wakes, photograph the display. If not, do not push any buttons or press any keys.
Now is the time to determine if there should be any attempt to capture live information from the system. That is a very complex issue that will be discussed in more detail later on. For now, suffice it to say that if live capture is decided to be the best choice, move to that step.
If the system is to be packed up and carried away for analysis, remove the power cable from the back of the computer. Do not unplug it from the wall, and do not shut the system down gracefully. This is deliberate: a graceful shutdown runs scripts that rewrite files and timestamps, and pulling the cord from the wall leaves a system on an uninterruptible power supply running. Be aware that cutting power also discards everything held in RAM, including the keys for any encrypted volumes that are currently mounted, which is why the live-capture decision above must be made before this step. If the system is a laptop or other portable system, remove the battery (if possible). Note that many models of laptop computer offer the option of installing a second battery in a multipurpose bay. Verify if this is the situation, and if so, remove that battery as well.
Check floppy disk drives, if present, for the presence of diskettes. If found, remove the diskette from the drive, being cautious not to contaminate any potential evidence such as latent fingerprints. Store the media in antistatic sleeves. Do not remove CDs or DVDs from their respective drives.
Prior to transport, place a layer of tape over the power plug connector and over all drive bays or slots. Label cables and connectors so that they can be reconnected precisely as they were when disconnected. While transporting the evidence, label it as fragile and confidential. Make sure that a chain of custody is maintained from the moment of seizure to the moment of return.
Networked Computers
In a complex environment such as a corporate network or a governmental organization, it may not be possible to seize individual computers or components. At this point, live capture becomes the norm. It won’t be simply local data that serves as possible evidence. Specialized procedures and utilities are used in processing this type of environment. See Chapter 12, “Searching the Network,” for a detailed description of processes used. However, there is a good deal of information to be collected by first responders:
- Contact information for network administrators
- A list of affected hardware, including servers, switches, routers, and workstations
- Copies of relevant log files, as described in Chapter 12, "Searching the Network"
- Live analysis of current network connections, open sessions, and open files on suspect systems
- A network topology map, if available
Photographing Evidence
Items collected during first response should be photographed in exactly the place and position where they are initially found. Digital cameras should be configured to print a time-date stamp into the picture itself as well as recording it in the image's embedded metadata (the EXIF fields the camera writes). Demonstrating that the creation date in the metadata matches the time-date stamp displayed on the image lends credibility to the claim that investigators indeed found the materials at the time and place they say they did. The photographs may also be used to demonstrate that the device under investigation is the same one found at the scene.
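Checking that the date embedded in a photograph's metadata agrees with the stamp printed on it is something the examiner can do for every scene photograph. The Python below is an added example and not part of the original text: it walks the JPEG segment list to the Exif APP1 segment, follows IFD0 to the Exif sub-IFD, reads DateTimeOriginal (tag 0x9003) in either byte order, and compares it to the visible stamp. Because a real camera file cannot be embedded here, `build_sample_jpeg` fabricates a minimal JPEG shell carrying only that tag; the visible stamp format and the one-minute tolerance are assumptions made for the example.

```python
import struct
from datetime import datetime

EXIF_IFD_POINTER = 0x8769   # IFD0 tag pointing at the Exif sub-IFD
DATETIME_ORIGINAL = 0x9003  # Exif tag: when the shutter fired, "YYYY:MM:DD HH:MM:SS"
ASCII = 2                   # TIFF field type for NUL-terminated ASCII

# Constructed capture time used by the sample file below.
SAMPLE_TAKEN = datetime(2009, 3, 14, 15, 9, 26)


def _ifd_entries(tiff, order, offset):
    """Yield (tag, type, count, value_or_offset) for each entry of one IFD."""
    (n,) = struct.unpack_from(order + "H", tiff, offset)
    for i in range(n):
        yield struct.unpack_from(order + "HHII", tiff, offset + 2 + 12 * i)


def exif_datetime_original(jpeg):
    """Return DateTimeOriginal from the JPEG's Exif APP1 segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seglen]   # the embedded TIFF structure
            break
        if marker == 0xFFDA:          # start of scan: no more metadata segments
            break
        pos += 2 + seglen
    if tiff is None:
        return None
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order declared in the TIFF header
    (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
    exif_ifd = next((v for t, _, _, v in _ifd_entries(tiff, order, ifd0)
                     if t == EXIF_IFD_POINTER), None)
    if exif_ifd is None:
        return None
    for tag, typ, count, value in _ifd_entries(tiff, order, exif_ifd):
        if tag == DATETIME_ORIGINAL and typ == ASCII:
            # Values of four bytes or fewer are stored inline; longer ones at an offset.
            raw = struct.pack(order + "I", value)[:count] if count <= 4 else tiff[value:value + count]
            return datetime.strptime(raw.rstrip(b"\x00").decode("ascii"), "%Y:%m:%d %H:%M:%S")
    return None


def stamp_matches(jpeg, visible_stamp, tolerance_seconds=60):
    """True if the metadata time agrees with the stamp burned into the picture
    (assumed format "YYYY-MM-DD HH:MM:SS") to within the tolerance."""
    taken = exif_datetime_original(jpeg)
    if taken is None:
        return False
    shown = datetime.strptime(visible_stamp, "%Y-%m-%d %H:%M:%S")
    return abs((taken - shown).total_seconds()) <= tolerance_seconds


def build_sample_jpeg(taken=SAMPLE_TAKEN, order="<"):
    """Constructed test input: a JPEG shell (SOI, Exif APP1, EOI) holding only the
    two tags needed here, so the parser can be exercised without a camera file."""
    text = taken.strftime("%Y:%m:%d %H:%M:%S").encode("ascii") + b"\x00"
    ifd0_off = 8
    exif_off = ifd0_off + 2 + 12 + 4        # one entry plus next-IFD pointer
    text_off = exif_off + 2 + 12 + 4
    ifd0 = (struct.pack(order + "H", 1)
            + struct.pack(order + "HHII", EXIF_IFD_POINTER, 4, 1, exif_off)
            + struct.pack(order + "I", 0))
    exif = (struct.pack(order + "H", 1)
            + struct.pack(order + "HHII", DATETIME_ORIGINAL, ASCII, len(text), text_off)
            + struct.pack(order + "I", 0))
    tiff = ((b"II" if order == "<" else b"MM") + struct.pack(order + "H", 42)
            + struct.pack(order + "I", ifd0_off) + ifd0 + exif + text)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("metadata says:", exif_datetime_original(sample))
    print("matches stamp 2009-03-14 15:09:26:", stamp_matches(sample, "2009-03-14 15:09:26"))
```

A mismatch is not proof of tampering, since a camera whose clock was never set produces one too, but it is the kind of inconsistency that must be explained before the photograph is offered; note the camera's clock offset against a reference time at the scene so the explanation is already on record.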
Documenting Evidence
At the time evidentiary materials are collected, several things should be recorded. Here is where the chain of custody starts. The chain of custody will record every movement the item makes, every person who has had possession of it, and every place it has been stored. It starts with documenting:
- Where the evidence was found
- Time and date the evidence was collected
- Who found the evidence
- Description of the evidence
- Make, model, and S/N of device (if applicable)
Packaging Evidence
When preparing evidence to be moved from the scene of the incident to the location where it will be stored until the conclusion of the investigation, it is essential that proper care is taken. It is not sufficient to simply throw a computer onto the back seat of a car and drive it to the lab.
Materials collected should be packaged in appropriate containers that are well padded against physical impact and insulated against temperature extremes. Devices such as cell phones should be protected from exposure to electromagnetic waves as well. The Faraday bags mentioned earlier in the chapter are used for this purpose. Each package should be labeled, indicating to what case it relates, time and date collected, and a brief description of contents.
Transporting Evidence
How evidence is transported from the scene to its destination can be critical to the success of the case. The investigator needs to be able to demonstrate that there were no opportunities for evidence to be altered, tampered with, or otherwise compromised. When arriving on the scene, the team should be prepared with proper packaging materials for packing and transporting evidence. Critical items include:
- Packing boxes
- Antistatic bags
- Antistatic bubble wrap
- Cable ties
- Packing tape
- Evidence tape
- Faraday containers
- A hand truck
Before packaging components, be sure to label each one with the following concepts in mind. You must be able to match components to systems in order to examine them precisely as they existed in situ. If multiple users are involved, devices must be identified as to primary user. When devices are seized from multiple rooms or locations, the originating location must be listed.
While transporting evidence, follow these rules:
- Electronic devices and media must be protected from electronic and magnetic interference.
- Devices (especially computers) must be protected from impact or excessive vibration.
- Evidence must be protected from heat and humidity.
- Precautions must be taken to prevent loss or theft of evidence materials.
- The chain of custody report must be rigorously maintained.
Always remember that in a contested situation, the opposition will be looking for any opportunity to discredit the procedures or practices at every step of the way.
Storing Evidence
Many of the rules of transporting evidence apply equally to the storage of evidence. As soon as any piece of evidence arrives at a storage facility, it must be inventoried, identified, and stored safely according to the type of material it represents. Be aware of how long any particular piece of evidence might reside in storage.
Devices that depend on batteries require special attention. If the batteries are allowed to die, there is a strong potential for losing valuable data. If a power adapter or alternate power supply cannot be provided, the device should be processed immediately. A high-capacity uninterruptible power supply (UPS) is a good addition to the field kit.
Some devices, such as cell phones or other networked devices, must be stored in a manner that keeps them from reaching a network, so that no incoming call, synchronization, or remote wipe command can alter their contents. Faraday boxes are useful for this. Some larger facilities are equipped with Faraday rooms. These allow the devices to be stored and examined without danger of outside interaction.
In all cases, evidence materials need to be protected from heat, humidity, electromagnetic exposure, and other damaging environmental conditions. This would include contaminating or oxidizing gases or particulate matter such as dust and sand. All storage lockers or rooms should be constructed from fire-retardant materials with an automated fire extinguishing system.
Wiles and Reyes (2007) list four factors that a secure evidence storage facility must meet:
- Access to storage is limited to the evidence custodian.
- All access to the evidence locker is rigorously documented.
- Chain of custody for all items in possession of the facility must be rigorously maintained.
- Some form of independently auditing the aforementioned rules exists.
Physical access to the storage area should be highly restricted. Documented rules and regulations for storage and access must be prepared and followed to the letter. Twenty-four-hour video surveillance and intrusion detection systems should be installed that meet these requirements:
- Video capture and recording equipment is not accessible to anyone but authorized personnel.
- Images taken by the system must be of sufficient quality to be usable.
- Surveillance views should include all entrance and exit points for the storage area as well as the public access area.
- Intrusion detection should be able to detect entry through doors and windows as well as catastrophic entry that would include the destruction of walls, floors, and ceilings.
- Walls, floors, and ceilings should be hardened to deflect forced entry.
- Air ducts and other conduits should be sized to prevent human entry.
- Air filtration and other systems should be designed to prevent the infiltration of harmful substances.
Security systems for accessing the evidence storage areas should include some form of twin-check (two-factor) system. These checks can combine password access, biometric recognition (such as retinal scans or fingerprint identification), security cards, tokens, and so forth.
Destruction or Return of Evidence
The phrase “destruction of evidence” usually sends chills down the spine of a good investigator. Inadvertent destruction or spoilage of evidence is the one event that nearly all practices are designed to avoid. However, once a case is concluded, one of two things will happen to evidence materials. Either it will be returned to the original owner or it will be destroyed.
Generally speaking, courts will order the destruction of certain types of evidence, including pornography, evidence of illegal gambling, and contraband such as pirated software or other stolen intellectual property. Also, if seized hardware is ordered by the courts to be donated to another organization, all data contained by the target devices must be destroyed.
Laws can vary from state to state. It is not the responsibility of the investigator to decide whether or not to destroy evidentiary materials. Such orders would come from officers of the court in criminal cases or possibly from officers of the corporation in the case of internal investigations.
Should the request to destroy materials be made, make sure that the request comes in writing and that it is made by someone with authority to make such a request. Once the decision to destroy is finalized, it is time to select the method of destruction. Many state and federal organizations require the physical destruction of the media storing the sensitive data.
Where possible, this would include incineration. Devices such as hard drives or optical disks that either cannot be incinerated or would pose health or environmental hazards if incinerated can be destroyed in some very creative and stress-relieving methods. While working for a federal agency, I was once asked to destroy a number of hard disk drives using a large sledge hammer. Other methods include driving a spike through the disk and physically dismantling the drive.
If the device is to be reused, but the data destroyed, there are a number of data wiping utilities that can do the job effectively enough that the average user could never extract it, and that most professionals would find difficult, if not impossible, to recover. One method that is free and quite effective is the use of the dd utility. The command `dd if=/dev/urandom of=/dev/hda` will overwrite the entire contents of the hard disk identified as hda by the system with random data. (Older Linux kernels named IDE drives hda, hdb, and so on; current kernels present disks as /dev/sdX or /dev/nvme0nX, so confirm the target with a listing such as `lsblk` before running dd, because it will silently wipe whatever it is pointed at.) Repeating this operation several times, followed by creating a fresh file system on the drive, will sanitize the device for future use. `dd if=/dev/zero of=/dev/hda` is a command that will overwrite the device with zeros. Two caveats apply to any overwrite: dd stops at the first read or write error unless given `conv=noerror,sync`, so check that it actually reached the end of the device; and an overwrite never touches sectors the drive has remapped, nor, on a solid-state drive, the spare flash the controller holds in reserve. For those cases the drive's own ATA Secure Erase or NVMe sanitize command, or physical destruction, is the only reliable option.
WIPE.EXE is a Windows utility for cleansing disk drives. This interesting little applet has an additional talent for deleting files selectively, and it can remove residual entries in the Master File Table (MFT). Also available for Windows is a freeware program called Active@KillDisk (AKD). AKD is recognized by the Department of Defense as conforming to all government standards for data destruction. This free download is currently available at http://killdisk.com/.
Linux users have several options as well. The dd utility previously mentioned works below the file system, on any block device regardless of how it is formatted, and ports of it exist for Windows as well as Linux. Most, if not all, Linux distributions ship with GNU shred, which overwrites a file in place (three passes of pseudorandom data by default, with an optional final pass of zeros via -z) and unlinks it only when given -u. Note that on journaling, copy-on-write, or RAID-backed file systems the overwrite may not reach the blocks that originally held the data, which is why shred is more trustworthy run against a whole device than against a single file. A more powerful option is the Disk Scrub Utility (scrub), which overwrites the target, a file or a whole device, with one or more passes of fixed patterns.
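To show what the dd commands above actually do, together with the verification step the text leaves out, here is an added Python example (not from the book or this wiki) that performs the same random-then-zero overwrite in place on a regular file and then reads the whole target back to confirm that every byte is zero. The sample file and its contents are constructed for the demonstration; point the same functions at a block device only after confirming the device name, and remember that an overwrite never reaches sectors a drive has remapped or the spare flash of a solid-state drive.

```python
import os
import tempfile

CHUNK = 64 * 1024        # bytes per write, the role of dd's bs=
SAMPLE_SIZE = 200_000    # size of the constructed sample file


def overwrite_in_place(path, passes=("random", "zero")):
    """File-level equivalent of `dd if=/dev/urandom of=TARGET conv=notrunc` followed
    by `dd if=/dev/zero of=TARGET conv=notrunc`: every byte is rewritten in place,
    the length is taken from the target, and each pass is flushed before the next.
    Returns the number of bytes covered by each pass."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)          # O_WRONLY without O_TRUNC: never shorten
    try:
        for source in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = os.urandom(n) if source == "random" else bytes(n)
                remaining -= os.write(fd, block)  # a short write just shrinks the next block
            os.fsync(fd)                          # force this pass to the medium
    finally:
        os.close(fd)
    return size


def verify_zeroed(path):
    """Read the target back; True only if every byte is zero. Do this after the
    final pass rather than trusting that the writes landed."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def run_demo():
    """Create a constructed sample file, wipe it, and report
    (was_zero_before, bytes_per_pass, is_zero_after) so the result can be checked."""
    header = b"constructed ledger, stand-in for sensitive data\n"
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, header + os.urandom(SAMPLE_SIZE - len(header)))
        os.close(fd)
        before = verify_zeroed(path)
        written = overwrite_in_place(path)
        after = verify_zeroed(path)
    finally:
        os.unlink(path)
    return before, written, after


if __name__ == "__main__":
    print(run_demo())   # expected (False, 200000, True)
```

The read-back is the part that matters in a report: "ran dd" is a claim, while "read every sector back and found it zero" is a result the examiner can sign. On a real device the same check is `cmp` of the device against `/dev/zero` limited to the device size, and a non-zero byte anywhere means the wipe did not complete.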