Collecting, Handling, and Using Digital Evidence

Computer forensic examiners find evidence on electronic devices and use it to help reconstruct past events or activities and to gain a better understanding of a crime or event. Digital evidence can also show who possessed and used particular data. This section discusses how computer forensic examiners collect digital evidence, focusing on collection in a criminal investigation. Keep in mind that nearly the same process is used in a civil investigation, and that an organization's incident response (IR) process is similar.

A computer, or any electronic device, can play one of four roles in computer crime:

  • To commit a crime—Unauthorized access to data (hacking) and online fraud are two examples where a computer is used to commit a crime.
  • To facilitate a crime—Cyberstalking, identity theft, phishing scams, and software piracy are examples of crimes facilitated, or aided, by computers.
  • As a target of crime—Denial of service (DoS) and distributed denial of service (DDoS) attacks, computer viruses, and communications sabotage are examples of crimes where the computer itself is the target of the crime.
  • As a witness to crime—Computerized record-keeping systems may provide evidence of an underlying crime or event.

NOTE

Computer forensic examiners should always collect digital evidence in a reliable (forensically sound) manner. The nature of the underlying investigation does not matter. The examiner should always use a reliable and repeatable process.

If the computer forensic examiner knows how the computer was used, he or she will be able to tailor the examination to that use.

FYI

It is important that evidence used in a court case be admissible, because a judge or jury can consider only admissible evidence when deciding a case. Evidence that is invalid for some reason is called inadmissible evidence and cannot be presented to a judge or jury. A judge or jury who accidentally hears about inadmissible evidence may not consider it later in deliberations. In short, only admissible evidence counts; inadmissible evidence, however persuasive it might seem, cannot help the case.

The examiner must gather evidence in a way that makes it admissible in court. Evidence is useful only if it is admissible. To be admissible, evidence must be collected in a lawful way. It also must be collected in a scientific manner. For digital evidence, this means that a computer forensic examiner conducts a repeatable and verifiable examination of an electronic device. The examiner must use established practices and procedures. The examiner also must be able to explain the results of his or her work to a client, judge, or jury in a clear way.

The Investigative Process

Different law enforcement agencies and organizations may use different investigative processes. The process used can depend on the type of case, as well as the urgency of the case. The process also can depend on the agency or organization that performs the investigation. In general, the investigative process has the following basic steps:

  • Identification
  • Preservation
  • Collection
  • Examination
  • Presentation

This basic process is used by both law enforcement agencies and other organizations to identify, collect, and preserve digital evidence.

Identification

During the identification step, the computer forensic examiner learns about the crime, event, or activity that is being investigated. He or she must identify the types of electronic devices that may be involved and prepare to conduct the investigation. The examiner must make sure that he or she has all the tools needed to conduct the investigation. A computer forensic examiner’s approach to a case may depend heavily on its facts and circumstances.

Preservation

During the preservation step, computer forensic examiners must secure the crime scene and any electronic devices. This means that they must make sure that no one tampers with the scene or electronic devices. This is to make sure that suspects and witnesses do not have a chance to access, destroy, or modify digital evidence. Examiners also must make sure that no one can access electronic devices remotely once they are seized. All of these actions make sure that potential digital evidence cannot be altered. This step is very important because once digital evidence is altered, it is difficult, if not impossible, to reverse the results.

Chain of Custody

The chain of custody is an important evidentiary concept. Courts and attorneys use a chain of custody document to help prove that evidence is admissible. This document shows who obtained evidence, where and when it was obtained, who secured it, and who had control or possession of it. It is used to prove that evidence is reliable.

Evidence is reliable when it is not destroyed, changed, or altered. It cannot be modified after it is originally collected. A court may find that evidence is not admissible in court if its chain of custody is poorly documented or incomplete. A chain of custody protects the integrity of evidence.

A chain of custody documents how evidence is collected, used, and handled throughout the lifetime of a particular case. It is a journal that records every interaction that a person or object has with the evidence.
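The text describes the chain of custody as a journal of every interaction with an item of evidence. The following Python sketch is an added example, not part of the text or of any agency's procedure, showing one way an examiner's own tooling could keep such a journal tamper-evident: each entry records who, what, where and when, and carries a hash that also covers the previous entry, so a later alteration of any entry is detectable; the first entry binds the acquisition hash of the evidence item so the item itself can be re-verified against the log. All field names, identifiers and sample events are constructed for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_PREV = "0" * 64  # the first entry has no predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _digest(entry: dict) -> str:
    """Hash an entry in canonical JSON (sorted keys, no whitespace) so the
    same content always produces the same value regardless of dict order."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(body)


def new_custody_log(item_id: str, description: str, acquisition_sha256: str) -> list:
    """Start a log for one evidence item. The genesis entry records the hash
    taken when the item was acquired; every later entry chains back to it."""
    genesis = {
        "seq": 0,
        "item_id": item_id,
        "description": description,
        "acquisition_sha256": acquisition_sha256,
        "prev": GENESIS_PREV,
    }
    genesis["entry_hash"] = _digest(genesis)  # hashed before the hash field is added
    return [genesis]


def record_event(log: list, who: str, action: str, location: str, when: str = None) -> dict:
    """Append one custody event (who, what, where, when) linked to the previous entry."""
    entry = {
        "seq": len(log),
        "who": who,
        "action": action,
        "location": location,
        "when": when or datetime.now(timezone.utc).isoformat(),
        "prev": log[-1]["entry_hash"],
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log: list, item_bytes: bytes = None):
    """Recompute every entry hash and every link. Optionally re-hash the evidence
    item and compare it with the acquisition hash in the genesis entry.
    Returns (ok, list_of_problems)."""
    problems = []
    if log[0]["prev"] != GENESIS_PREV:
        problems.append("entry 0: genesis entry has a predecessor")
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if _digest(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: contents do not match the recorded hash")
        if i > 0 and entry["prev"] != log[i - 1]["entry_hash"]:
            problems.append(f"entry {i}: chain broken, prev does not match entry {i - 1}")
    if item_bytes is not None and sha256_hex(item_bytes) != log[0]["acquisition_sha256"]:
        problems.append("evidence item no longer matches its acquisition hash")
    return (not problems), problems


if __name__ == "__main__":
    item = b"constructed evidence bytes"  # stands in for a disk image
    log = new_custody_log("EV-001", "constructed test item", sha256_hex(item))
    record_event(log, "Examiner A", "seized from desk", "Room 101")
    record_event(log, "Examiner B", "received at lab", "Evidence locker 3")
    print(verify_log(log, item))
    log[1]["who"] = "Someone else"  # simulate after-the-fact editing
    print(verify_log(log, item))
```

A hash chain makes tampering detectable, not impossible: whoever controls the whole file can rewrite every entry and recompute every hash. In practice the current head hash (or the whole log) is periodically copied somewhere the examiner alone cannot alter, such as a signed export or a second custodian's record, and the Faraday-bag, seal-number and signature entries on the paper form remain the legally recognised record.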

In some instances, examiners may not be able to take electronic devices away from the crime scene. In these instances, they must collect data on-site, which requires additional expertise. This might happen when evidence is located on an organization's business computers, or when the computers belong to a witness rather than a criminal suspect. Sometimes examiners may not be able to seize electronic devices because the devices are being used as part of a larger ongoing criminal activity that is still under investigation.

Computer forensic examiners also should learn about the operation of the electronic devices they will be examining. They will want to gather information from people at the scene to learn how the devices are used. They should try to learn logon names and passwords for access to the devices. They also should try to discover the type of internet access used by each electronic device and programs used on each device. It is also important for examiners to know whether devices are encrypted, or whether they are equipped with software that could destroy evidence.

This step also includes documenting the crime scene. Examiners must record the location of all electronic devices. They also should note whether the device is on or off. They should record the condition of all devices. Examiners also should record the content of any display screens before electronic devices are moved. The crime scene can be documented using video, photos, and written notes. The documentation created at this step is important for creating a chain of custody.

Collection

The collection step also is known as the “bag and tag” step. During this step, computer forensic examiners must collect the electronic devices. These devices require special collection, packaging, and transportation in order to preserve potential evidence. Examiners will collect electronic devices in different ways depending upon the device and its power status. They will follow different rules for devices that are on and devices that are off.

FYI

Slack space is the space between the end of a data file and the end of the disk space that is allocated to store it. Data does not always fill the whole space that is allocated to it. Residual information can be left over when a smaller file is written into space that used to be occupied by a larger file. This leftover data may be located in the slack space. Computer forensic examiners look at the slack space because it might contain meaningful data.

Can a Person Be Compelled to Provide His or Her Encryption Key or Password?

Many information security professionals advise their clients to use passwords, passcodes, biometric features, or other "locks" on their electronic devices to help keep the client's personal information safe. Often these same passwords also serve as the credential that encrypts and decrypts the device's storage.

In cases where electronic devices are seized for evidence, these locks and encryption keys can be a problem for a computer forensic examiner. Can the government compel a data owner to provide a password, passcode, or encryption key for an electronic device? Does requiring a suspect to provide this information violate the person’s Fifth Amendment self-incrimination protections?

The U.S. Supreme Court has held that the Fifth Amendment protects communications that are compelled, testimonial, and incriminating in nature.15 For instance, a defendant can potentially incriminate himself or herself if compelled to disclose information—such as a password or passcode—needed to access an electronic device. Under this established case law, a defendant usually does not have to share the contents of his or her mind.

The heart of the issue is whether providing a password, passcode, biometric identifier, encryption key, or some other unlocking mechanism is testimonial. Case law in this area continues to develop rapidly and there is a lot of uncertainty among the courts. At the time that this text was written, general rules of thumb that can be gleaned from case law include:

  • Passwords, passcodes, and other electronic device locking mechanisms that are stored in a person’s mind are more likely to receive protection under the Fifth Amendment. Compelling a person to share this information is testimonial—it forces the person to share a fact that could be used against him or her.
  • Passwords, passcodes, and other electronic device locking mechanisms that are based on biometric identifiers (e.g., biometric device locking mechanisms) are less likely to receive protection under the Fifth Amendment. Compelling the production of this type of information is not testimonial because the information is something that a person is. The Fifth Amendment does not protect a person against the collection of physical features or acts. A person can be compelled to provide a blood sample, stand in a line-up, or provide a handwriting sample because these actions are not testimonial. Many courts have held that compelling a person to open an electronic device protected with a biometric device locking mechanism (e.g., fingerprint or facial identification) does not violate the Fifth Amendment.

These general rules highlight a tension between protections afforded by the law, protections afforded by technology, and user convenience. Although biometric device locking mechanisms provide tremendous convenience for the user, the data stored on devices protected in this way may not be afforded legal protection from government searches. Some smartphone manufacturers are trying to merge the best of both worlds by creating features to quickly disable biometric device locking mechanisms in situations where the device owner might be worried that a law enforcement officer will try to force the owner to unlock his or her device. Some people refer to these disabling features as “the cop button.” When these features are used, all biometric device locking mechanism features are disabled and the smartphone reverts to requiring a password or passcode to unlock the device. Under current law, to best protect the contents of electronic devices from exposure in criminal legal proceedings, the devices should be protected by the longest password or passcode that the device allows.

This same analysis and the general rules shared in this section will likely be applied to passwords, passcodes, and biometric device locking mechanisms for internet-connected applications and services. Device users must weigh the risk of incriminating data exposure against convenience. Although it may be convenient to protect a password manager application on a smartphone with fingerprint or facial identification, such applications may contain hundreds of passwords. Where possible, those types of applications should always be protected with a strong password or passcode that is different from the device password or passcode.

This particular topic of the law continues to evolve. You can expect judges to continue to define the scope of the Fifth Amendment in these situations. Because this is an area of federal constitutional law, the U.S. Supreme Court has the power to make a decision on the issue.

Returning to the collection step: in most instances, a cell phone must be kept powered on in order to preserve data stored on the device. However, it must be protected from any incoming calls, text messages, or remote commands (such as a remote wipe) that could change the data on it. Once collected, the cell phone must be packaged and transported in a special evidence bag. These bags, called Faraday bags, shield the phone from cellular and wireless networks so that data stored on it cannot be changed by an incoming call or network connection. A phone that is shielded in this way keeps searching for a network, which drains its battery faster than normal, so a computer forensic examiner also must make sure that the collected phone has an additional power supply to maintain evidence that could be lost if its battery runs out.

During this step, examiners must be aware of other kinds of evidence that could be on electronic devices. For example, a keyboard or mouse could contain fingerprints or other physical evidence related to the case. Computer forensic examiners must work with other forensic technicians to make sure that this type of physical evidence is not destroyed.

As a practical matter, examiners must document how all electronic devices are configured. The cables and peripheral devices that are hooked up to each computer will need to be tagged. Examiners also must collect any manuals or other materials about the electronic devices that are located near the crime scene.

Examination

During the examination step, computer forensic examiners will want to make duplicate images of any electronic storage media. This is called imaging. One thing to remember is that a forensic duplicate image is not the same as a file copy or system backup copy. This type of image is an exact copy of the storage media. It includes deleted files, slack space, and areas of the storage media that a normal file copy would not include. A forensic duplicate image is a bit-by-bit copy of the original storage media.

Computer forensic examiners use special tools called write blockers to create forensic duplicate images. These tools keep examiners from altering the original storage media. Write blockers can be either hardware- or software-based: a hardware write blocker sits between the suspect drive and the examiner's workstation, while a software write blocker intercepts write commands at the operating system level. Either way, they work much like a one-way valve in plumbing: read commands pass through to the media, and write commands are blocked. Most examiners will make two or more duplicate images of the original storage media. One copy is a working copy that they will use to look for evidence. The other is a control copy that can be used if something goes wrong with the first copy.

A forensic duplicate image must be verified against the original storage media. Verification shows that the image is identical to the original and that neither has changed since acquisition. Examiners do this with a cryptographic hash function (an algorithm such as MD5 or SHA-256) that reduces any input, however large, to a short fixed-length value called a hash. The examiner hashes the original media, records the value, and then hashes the duplicate image with the same algorithm.

If the two hashes match, the examiner can show that the duplicate faithfully represents the original media. If they differ, the data differs: either the imaging process was faulty or something changed on the original media or the image between the two computations. The hash by itself does not say which side changed, which is why examiners record the original's hash at the time of acquisition, keep it with the chain of custody documentation, and compare every later re-hash of a working copy against that recorded value. A cryptographic hash is suitable for this because, for a modern algorithm such as SHA-256, it is computationally infeasible to construct different data that produces the same hash, so matching hashes are strong evidence of identical content. Collisions have been demonstrated for MD5, so many laboratories record two hashes (for example, MD5 and SHA-256) or use SHA-256 alone.
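The following Python example is added here to make concrete both the slack space FYI and the imaging and hash-verification procedure above; it is not code from the text. It constructs a tiny four-cluster "storage medium" (constructed sample data, not a real disk) whose history leaves a deleted file's residue in file slack and in unallocated space, acquires a bit-for-bit image of it while hashing on the fly, verifies the image against the acquisition hash, and shows that an ordinary file copy of the live file misses the residue that the image preserves. The cluster size, the toy allocation table and all file contents are assumptions made for the illustration.

```python
import hashlib
import io

CLUSTER = 512  # bytes per allocation unit on the toy medium (an assumption)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_test_medium():
    """Construct a 2048-byte toy medium (constructed data, not a real disk).
    History: a 1200-byte ledger file once occupied clusters 0-2. It was deleted and a
    700-byte report was written into clusters 0-1. The report uses only part of its
    second cluster, so bytes 700-1023 are file slack still holding ledger residue;
    cluster 2 is unallocated but still holds the ledger's tail; cluster 3 is untouched."""
    medium = bytearray(CLUSTER * 4)
    old_file = (b"OLD-LEDGER-ROW;" * 100)[:1200]
    medium[0:1200] = old_file
    new_file = (b"new report text " * 50)[:700]
    medium[0:700] = new_file
    # Minimal stand-in for a file system table: clusters owned and logical size.
    table = {"report.txt": {"clusters": [0, 1], "size": 700}}
    return bytes(medium), table


def _clusters(medium: bytes, entry: dict) -> bytes:
    return b"".join(medium[c * CLUSTER:(c + 1) * CLUSTER] for c in entry["clusters"])


def logical_copy(medium: bytes, table: dict, name: str) -> bytes:
    """What an ordinary file copy or backup captures: only the file's logical bytes."""
    entry = table[name]
    return _clusters(medium, entry)[:entry["size"]]


def file_slack(medium: bytes, table: dict, name: str) -> bytes:
    """Bytes between the logical end of the file and the end of its last cluster."""
    entry = table[name]
    return _clusters(medium, entry)[entry["size"]:]


def unallocated_space(medium: bytes, table: dict) -> bytes:
    """Clusters that no live file owns; deleted files' contents often survive here."""
    owned = {c for e in table.values() for c in e["clusters"]}
    return b"".join(medium[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(len(medium) // CLUSTER) if c not in owned)


def acquire_image(source, chunk: int = CLUSTER):
    """Bit-for-bit acquisition: read the whole medium, hashing as we go.
    `source` is any read-only file object. In the field the physical device sits
    behind a write blocker, so reading is the only operation that can reach it."""
    h = hashlib.sha256()
    image = bytearray()
    while True:
        block = source.read(chunk)
        if not block:
            break
        h.update(block)
        image.extend(block)
    return bytes(image), h.hexdigest()


def acquire_from_bytes(data: bytes, chunk: int = CLUSTER):
    """Convenience wrapper: acquire an in-memory medium."""
    return acquire_image(io.BytesIO(data), chunk)


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256_hex(image) == acquisition_hash


if __name__ == "__main__":
    medium, table = build_test_medium()
    image, acq_hash = acquire_from_bytes(medium)
    print("image verified:", verify_image(image, acq_hash))
    print("file copy holds residue:", b"OLD-LEDGER" in logical_copy(image, table, "report.txt"))
    print("file slack holds residue:", b"OLD-LEDGER" in file_slack(image, table, "report.txt"))
    print("unallocated holds residue:", b"OLD-LEDGER" in unallocated_space(image, table))
    tampered = bytearray(image)
    tampered[0] ^= 0x01  # flip one bit to simulate a faulty or altered copy
    print("tampered image verifies:", verify_image(bytes(tampered), acq_hash))
```

Two design points carry over to real tools: the hash is computed from the same byte stream that is written to the image, so the recorded value describes exactly what was read from the device, and the examiner re-hashes the image file afterwards rather than trusting the value printed during acquisition. Real imagers also read the source twice or hash each fixed-size block separately so that a bad sector can be localized rather than invalidating the whole image.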

NOTE

The output of a hashing algorithm is often loosely called a checksum. Strictly speaking, a simple checksum (such as CRC32) only detects accidental corruption, whereas a cryptographic hash such as SHA-256 also resists deliberate attempts to produce different data with the same value, which is why the latter is used to verify evidence.

Computer forensic examiners need to know how to collect two very different types of data. Persistent data is stored on a hard drive or other storage media and survives when an electronic device is turned off. Volatile data is held in CPU registers, caches, and random access memory (RAM); it also includes state that exists only while a device is running, such as running processes, logged-on users, and the network connections one device has with another. Volatile data is lost when the device is powered off, so examiners must decide before shutting a device down whether this data is needed and how it will be captured. A common rule is to collect in order of volatility: the data that disappears fastest (registers and cache, then RAM and network state) is captured first, and persistent storage is imaged last.

Computer forensic examiners search for relevant information on the duplicate image. They have checklists of items that they review and look for. In general, they might look at:

  • File access history (when files were created, modified, and last accessed; note that many operating systems no longer update last-accessed times by default, so an unchanged access time does not by itself show that a file was never opened)
  • File download history
  • Internet browsing history
  • Attempts to delete or conceal files or other data
  • Email communications
  • Instant message or internet chat logs
  • Image files
  • Files containing address books or other contact information
  • Documents containing financial or medical information

Examiners produce a report of files or data that might be relevant to the investigation. They must use examination procedures that are auditable. That means that an independent party can verify and repeat all of the same steps and receive the same results.

Presentation

Computer forensic examiners must be able to report on their findings and describe how they gathered digital evidence. They often have to explain how they collected this evidence if a case goes to trial. Examiners are usually considered expert witnesses when they testify in a court case. Expert witness testimony is governed by the Federal Rules of Evidence, in particular Rule 702.16 Expert witnesses must show that their activities followed a scientific methodology. A court assesses this methodology to make sure that evidence offered at trial is reliable.

The test for measuring the reliability of a scientific methodology is called the Daubert test. It was first set out in the 1993 U.S. Supreme Court case Daubert v. Merrell Dow Pharmaceuticals.17 This test is important to computer forensics because of the tools that examiners use to collect digital evidence. An expert witness is a person; the software tools used by examiners cannot be expert witnesses. Thus, examiners must testify on behalf of the tools.

The American Academy of Forensic Sciences

The American Academy of Forensic Sciences (AAFS) recognizes computer forensics as a scientific discipline. The AAFS, one of the most well-known professional organizations for forensic scientists, has members from many different forensic disciplines. Its goals are to promote integrity and advance cooperation in the forensic sciences.

The AAFS has different sections for different areas. For example, it created a digital and multimedia sciences section in February 2008. The digital and multimedia sciences section was the first new AAFS section in 28 years. Members must show active participation in computer forensic activities. All AAFS members have ethical rules that they must follow.

You can learn more about the AAFS at http://www.aafs.org.

The use of a tool must satisfy the Daubert test to show that the digital evidence gathered by the tool is reliable. The Daubert court listed several factors a judge may weigh when deciding whether a technique is reliable:

  • Can the tool or technique be tested, and has it been tested?
  • Has it been subjected to peer review and publication?
  • Is there a known or potential error rate?
  • Are there standards controlling its operation, and are they maintained?
  • Is it generally accepted in the relevant scientific community?

The examiner will testify about how the tool works. The examiner also will testify about his or her qualifications as a computer forensic examiner. Finally, the examiner will testify about the process the examiner used to collect the digital evidence. The court will use the Daubert test to decide whether to admit the evidence collected by the examiner.

Ethical Principles for Forensic Examination

Computer forensic examiners all follow some common principles. The International Organization on Computer Evidence (IOCE) created one of the first sets of ethical principles for computer forensic examiners in 1999. The IOCE principles included:

  • Examiners should not change digital evidence after they seize it.
  • If original digital evidence must be accessed, the person accessing it must be competent.
  • All digital evidence handling must be fully documented and available for review.
  • Each person who handles digital evidence is responsible for it while it is in his or her possession.
  • Any agency that handles digital evidence must comply with these principles.18

These basic principles are followed in different forms by other organizations. For example, the Certified Computer Examiner (CCE) credential requires CCE holders to follow a code of ethics whose terms are similar to the principles stated originally by the IOCE. You can read the code of ethics at https://www.isfce.com/ethics2.htm.
