The question of where to begin comes up in every case, and the answer usually depends on the needs of the particular case.
If the case is a civil case, the first step is identifying, obtaining, and collecting the evidence. The expert should be able to assist with motion language to make sure that the evidence is made available, and should also be able to outline, if needed, the processes and procedures that will be used to collect the evidence in a forensically sound manner.
For example, the expert can provide a protocol or set of requirements that can be included in production motions to ensure that the evidence is properly collected. This is particularly important when you are using third parties to collect and copy digital evidence, or if the other side is producing the evidence using their own experts or personnel.
10.2.1. Sample protocol for evidence collection by a third or opposing party
The following protocol shall govern the collection, copying, and preservation of evidence to be produced by the plaintiff:
1. All media shall be copied in a forensically sound manner in compliance with accepted best practices for the handling, copying, verification, and preservation of digital evidence.
a. No computer or other device shall be operated, previewed, copied, or otherwise “powered on” without proper write-blocking hardware or software in place to protect the original evidence.
b. All collection, handling, and copying of digital evidence shall be performed by a properly trained forensics examiner with specific experience and training for the type of device that is to be copied; computers and computer storage media shall be handled and copied by trained computer forensics examiners; cell phones and mobile devices shall be handled and copied by trained cell phone forensics examiners.
c. Any type of digital evidence that requires that a representative of plaintiff or defendant, or a third party, assist in the collection and copying of said evidence, such as NetApp shares and snapshots, server file shares, mail stores, backup volumes, and so forth, shall be performed under the supervision of a trained digital forensics examiner.
d. All forensic copies shall be made using a standard forensic collection tool, which may include but is not limited to FTK Imager, EnCase, Helix, Forensic Talon, or Tableau. Any such tool used must have the capability of generating a verification hash for the evidence copied.
e. All forensic copies shall be delivered in a standard encapsulated format such as the Expert Witness Format (E01), the EnCase Logical Evidence File format (L01), AccessData’s logical image format (AD1), or raw (dd) format.
f. Mobile devices such as cell phones and GPS units shall be copied using forensic tools designed for the specific purpose of analyzing such devices in a forensically sound manner. Forensic tools for this can include but are not limited to Paraben’s Device Seizure, Susteen’s SecureView, XRY, Cellebrite, CellDek, or Blackthorn. Any tool to be used for the forensic copying of mobile devices shall be disclosed and approved by the supervising digital forensics examiner prior to collection of any mobile device data.
g. In the event that copies cannot be made in the formats listed above due to technical issues, the supervising digital forensics examiner shall be notified of the reason and shall propose an alternative collection method to be employed.
2. Documentation Requirements
a. A complete chain of custody shall be created and maintained for all evidence collected.
b. An acquisition report shall be created for all evidence collected, by item, and shall include at a minimum the following information:
i. The name and contact information of the person who performed the collection and copying of the evidence.
ii. The qualifications of the person who performed the collection and copying of the evidence.
iii. The acquisition hash values in MD5 and/or SHA-1 format for each item of evidence collected.
iv. The specific process used for the collection and copying of each item of evidence, including the manufacturer, name, and version of the tool used for both hardware and software tools.
v. The method used to protect the evidence, including the make and manufacturer of the write-blocking method employed.
vi. The origin of the evidence item, including the originating location (server, computer, cell phone), device name and serial or asset tag number, file path(s), manufacturer, make and model of the device, and the name of the corresponding custodian or owner of the data.
vii. The name and contact information of any person who assisted in the collection or copying of the device.
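The two checks that make items 1.d, 2.a and 2.b of the protocol enforceable are the acquisition hash and the per-item record that accompanies it. The following Python is an added example, not part of the book or of any forensic tool it names: it computes MD5 and SHA-1 over an image in one streaming pass (recording both is preferable, since MD5 on its own is no longer collision resistant), verifies a delivered copy against the recorded acquisition hashes, builds the acquisition report and chain of custody fields from section 2.b, and compares two independently made copies of the same media, which is the same check used when evidence is re-imaged for comparison with the other side's copy. The sample image bytes, examiner names, tool names and custody events are all constructed for illustration.

```python
"""Acquisition hash verification and acquisition-report record.

Added example (not from the book): models items 1.d, 1.e, 2.a and 2.b of the
sample protocol. The sample image, names and recorded hashes are constructed.
"""
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # read large images in 1 MiB pieces rather than all at once

# Constructed stand-in for a small disk image; not real evidence.
SAMPLE_IMAGE = bytes(range(256)) * 64


def chunked(data, size=CHUNK):
    """Yield a bytes object in fixed-size pieces (stands in for reading a file)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def acquisition_hashes(stream):
    """Compute MD5 and SHA-1 over an iterable of byte chunks in a single pass.

    Both digests are updated from the same read, so hashing a multi-hundred
    gigabyte image twice is avoided and either value can be checked later.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in stream:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_copy(data, recorded):
    """Recompute hashes of a delivered copy and compare with the acquisition report.

    Returns (ok, computed). An empty record is treated as a failure: a copy
    with no acquisition hash cannot be verified at all. Any mismatch means the
    copy is not the evidence that was acquired, however the difference arose.
    """
    computed = acquisition_hashes(chunked(data))
    ok = bool(recorded) and all(computed.get(alg) == val for alg, val in recorded.items())
    return ok, computed


def compare_copies(copy_a, copy_b):
    """Hash two independently made copies of the same media and compare them.

    Equal digests mean bit-identical images; this is the check behind
    re-imaging evidence for comparison with the copy produced by the other side.
    """
    return acquisition_hashes(chunked(copy_a)) == acquisition_hashes(chunked(copy_b))


def acquisition_report(item_id, examiner, qualifications, hashes, tool,
                       write_blocker, origin, assistants=()):
    """Build the per-item acquisition report required by section 2.b."""
    return {
        "item_id": item_id,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,              # 2.b.i   name and contact
        "qualifications": qualifications,  # 2.b.ii
        "hashes": hashes,                  # 2.b.iii acquisition hashes
        "tool": tool,                      # 2.b.iv  manufacturer, name, version
        "write_blocker": write_blocker,    # 2.b.v   make and manufacturer
        "origin": origin,                  # 2.b.vi  device, serial, custodian
        "assistants": list(assistants),    # 2.b.vii
        "chain_of_custody": [],            # 2.a     one entry per transfer
    }


def record_custody(report, from_party, to_party, purpose):
    """Append one transfer to the item's chain of custody and return the report."""
    report["chain_of_custody"].append({
        "when": datetime.now(timezone.utc).isoformat(),
        "from": from_party, "to": to_party, "purpose": purpose,
    })
    return report


if __name__ == "__main__":
    recorded = acquisition_hashes(chunked(SAMPLE_IMAGE))
    report = acquisition_report(
        "ITEM-001", "J. Examiner (constructed), +1 555 0100", "CCE, 8 years",
        recorded, "Hypothetical Imager 2.1", "Hypothetical write-blocker",
        {"device": "laptop HDD", "serial": "SN-CONSTRUCTED", "custodian": "A. Custodian"},
    )
    record_custody(report, "A. Custodian", "J. Examiner", "forensic imaging")
    print("clean copy verifies:", verify_copy(SAMPLE_IMAGE, recorded)[0])
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # a single flipped bit, e.g. from imaging without a write-blocker
    print("tampered copy verifies:", verify_copy(bytes(tampered), recorded)[0])
    print("independent copies match:", compare_copies(SAMPLE_IMAGE, bytes(tampered)))
```

A real run would replace `chunked(SAMPLE_IMAGE)` with a loop reading the raw image file, and the report would be written alongside the image rather than kept in memory; the verification logic is unchanged.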
The reason such a protocol is critical is that, especially in small civil cases, one side may decide to use a non-expert to perform collections. In many such cases, the person who handled the collection and examination of the evidence had no training or experience in forensics, used no forensic tools to protect the evidence or to make forensic copies, and modified the evidence during the collection and examination process. Rarely does this come to light until you get to court and the person’s qualifications are revealed to be that they “helped out neighbors and friends with recovering their lost family pictures, removing viruses, and generally fixing their computers.”
When you get contaminated evidence in a case like this, it becomes a much larger job for your expert to sort out what has been done, and verification of the evidence and facts may become impossible.
Once the evidence is collected, the expert may be required to write an affidavit outlining the processes and procedures used and documenting the chain of custody. Alternatively, your expert may be required to prepare an affidavit challenging the methods used and the chain of custody for evidence collected and produced by the opposing side.
In a criminal case, the expert should be able to discuss the case with you and assist with motions and subpoenas for getting either a copy of the evidence, or in the case of an Adam Walsh Act contraband case, motions to get access to a copy of the evidence for analysis.
For example, in a criminal case where there is a serious risk of contamination, to the point where the issue will be raised at trial as part of your defense argument, an expert can assist you in assessing the risk of tampering and in preparing a motion that will allow your expert to make a new forensic copy of the evidence in question for comparison with the forensic copy provided by law enforcement. However, this will add significant expense to the case because of the additional work required to make the new forensic copies and compare them to the copies made by law enforcement. Not only will you need to justify the additional expense to whoever is paying for the expert’s services, but you will probably meet stiff resistance from the prosecution in getting such a motion approved by a judge.
At this point, you may need an affidavit from your expert to support the motion and/or testimony at a pre-trial hearing by your expert to explain why it is necessary to recopy what the prosecution has already provided.
Different types of evidence will require different language specific to obtaining that evidence. For instance, the subpoena language to get the proper records from a cell phone provider is very different from the language needed to get forensic copies of computers and cell phones in the hands of law enforcement.
For example, to obtain call detail records from a cellular carrier, you will need to specify exactly what you want to get in the subpoena response. In a case involving cell tower locations for a cellular phone, just getting the call detail records is not enough to properly perform an analysis. You will also need language in your subpoena to obtain engineering and maintenance information about the cell towers of interest. Motion language for call detail records and cell tower information is covered in Chapter 24.
In the case of cell phones, there are still many police departments and law enforcement agencies that do not have the resources to examine cell phones. If this is true in your case, it is doubly important to get any cell phones properly collected and examined by your expert before they are damaged in some way or returned to the owner.
In any of these cases, the expert should already have, or be able to write, the technical language needed to obtain the evidence and should assist you with this process.