Computer Forensics: Digital Evidence [Updated 2019]
Introduction
Digital forensics is a new and rapidly evolving field of forensic study. Its techniques can be used in civil, administrative, and criminal proceedings in order to collect, validate, identify, analyze, interpret, document and present digital evidence. Digital evidence is information derived from devices in a way that allows it to be used in a legal proceeding. In order to be admissible in a court of law, digital evidence must follow a set of rules. In this article we explore the ethical issues that should be considered when evaluating digital evidence and how can evidence shape an investigation.
Learn Digital Forensics
What Ethical Issues Need to Be Considered When Evaluating Digital Evidence?
Evidence is something tangible that proves a fact. Digital evidence is evidence in electronic form. It can take a variety of forms (media, information, transaction) and can come from many sources (computers, smartphones, wearables, printers, home routers). Before collecting evidence, the digital forensics examiner must ensure that he has the legal authority to identify, collect, and preserve digital evidence. The constant challenge of digital forensic examination is its fragility. Digital evidence loses its value if it is not properly collected, preserved, and protected. Depending on data persistency and volatility, digital evidence can be classified from less fragile to very fragile. Volatile data is stored in main device memory; network connections can be altered or eliminated rapidly. Persistent data stored on device media can still be tampered with or overwritten. These technical issues combined with legal missteps can affect the admissibility of digital evidence. Admissible is the most basic attribute of digital evidence. Admissible evidence must be properly collected and relevant to a case in order to be used in court and a judge, jury, or tribunal may use it in order to decide a case. In order for digital evidence to be admissible, it must be also authentic and reliable. A forensic examiner must be able to show that the evidence, in its original state, relates to the incident in a relevant way. The authenticity of the evidence is proved by demonstrating its provenance. Evidence that is not reliable is not admissible. Evidence collection and analysis procedures must be trusted on the evidence’s authenticity and veracity. The validity of evidence is meant by proving that a tool used in forensic examination meets standards and to ensure its correctness. Finally, the presented evidence and its source should be clearly understandable and believable to a jury. The credibility is established by demonstrating the tools used to collect and preserve evidences, the guidelines used, and the controlling standards.
How Can Evidence Shape an Investigation?
Digital forensics involves acquiring and analyzing digital information for use as evidence in criminal, administrative, civil, or intellectual property cases. The following section points out how digital evidence can shape an investigation in these areas.
Administrative Investigations
Relying on the nature of the action, administrative investigation might become a criminal matter despite the fact that it is not criminal in nature, if information is developed to prove a fact such as corruption or misbehavior of employees, which are the most common issues on this type of investigation. Examples of misbehavior of employees are accusations of sexual harassment, profiling, bribe taking, stalking, and racial discrimination. Misbehavior may also be a form of corruption, such as unauthorized phone calls, short working days, office supplies expropriation, and private use of a government vehicle. To find digital evidence, administrative investigation involves the inspection of networks and computer systems of the employee in question. That may include computer hardware, email, and work management applications. In addition to workplace, evidence can also be found in external sources, such as social media. Evidence can also be derived from the employee’s address book, calendar, phone logs, and timesheets. Clerks, analysts, police officers, peace officers, detectives, special and private investigators perform administrative investigations at times. The results of such investigations are reviewed by an administrative law judge if the case takes on a criminal nature.
Criminal Investigations
The difference between a crime and a tort must be established. While torts involve disputes between individuals, crime involves a breach of law where the public or a member of the public is affected. The violation of a criminal statute leads to punishment such as imprisonment or fines.
Crime and torts are handled in differ manners, from a digital forensic investigator’s perspective, while a volitional act, harmful or offensive contact to the plaintiff, and causation are elements that define a tort. Intent, conduct, concurrence, and causation define a criminal action. The digital evidence examiner should support these elements and must be aware also of the definition of a crime.
Another important aspect of criminal investigation is exculpatory evidence. Inculpatory evidence tends to incriminate or prove guilt, while exculpatory evidence tends to prove the innocence of the defendant .A criminal investigation can be launched as a response to a complaint by a law enforcement victim, an indictment conducted by a grand jury, or the observation of a crime by law enforcement or by a non-victim citizen. In the case of a criminal investigation and based on authorized search warrant, a forensic investigator can forcibly seize a computer and other devices that may have been used for criminal purposes. This is a privilege, however, and exculpatory evidence presents limitations because of the duty to disclose it. An attorney can be consulted before publically disclosing the investigation results.
Civil Investigations
Civil investigations are proceedings in which questions of property or money need to be settled. In most civil lawsuits, two parties are arguing about an issue that relates to their legal rights. This type of investigation is used to collect proofs that are essential to deal with such disputes. A dispute has six fundamental categories:
- Lawsuits for damages
- Requests for court orders
- Civil rights actions
- Requests for declaratory judgments
- Disputes over contracts or other agreements
- Appeals from administrative decisions
Unlike a criminal investigation, which is conducted by law enforcement agents, civil investigations are conducted primarily by private investigators. Attorneys may also participate to get better results. The main concern of civil investigators is deriving evidences, which may be private or public records. When conducting the investigation, the following three general methods are used:
- Interviews and interrogations: The investigator has no authority to use coercive, threatening, or harassing means to obtain information and is not authorized to make a legal arrest.
- Physical surveillance: Listening in on conversations that take place in public between relevant subjects. Eavesdropping or recording a phone conversation is prohibited by federal law. The investigator should obtain consent from at least one of the subjects of the conversations. Visiting the physical location is also part of the investigation.
- Record checking: Records can be bank accounts, phone logs, credit reports, criminal records, and court documents.
Notice that evidence gathered by civil investigators in a legal manner is usually admissible.
The table below compares civil and criminal investigation:
Intellectual Property Investigation
Trademarks, copyrights, trade secrets, licenses, and patents are all types of intellectual property. The goal of intellectual property investigation is to prevent intellectual property theft. It is mainly about answering the question: Did the suspect steal the information? To answer the question, there are various data sources to consider. Conducting an investigation typically involves logical and physical evidence that should be legally obtained for review. Logical evidence is evidence obtained without the need to acquire a physical image of the system. Typically, it is obtained from historical Information stored in a system. Network topology, server shares, logs (proxy, VPN, phone, DNS), video systems, and access control systems are sources of logical evidence. Collecting logical evidence saves time and effort; however, it requires a privileged level of access to system. Physical evidence requires seizing the equipment used by the suspect. Proper authorization should be requested to legally access the equipments. Computers, mobile devices, and removable media are among sources of physical evidence. After collecting the evidence, a rigorous methodology should be defined to examine the evidence and finally obtain a review.
Conclusion
The purpose of this post is not to serve as an instruction manual for conducting an investigation, but rather to provide the reader with a foundational understanding of the nature of different cases and the investigation that surrounds them. To conduct an investigation, the investigator should have an in-depth knowledge about the different actors involved in the case, such as attorneys and law enforcement agents. In addition, the investigator must have the required skills to handle the case, which include physical evidence, public and private record collection, taking into consideration the proof of the evidence and the law side, legal terms, and artifacts that should be considered in the investigation.
If you'd like to check out InfoSec Institute's computer forensics class curriculum, simply fill out the form below to receive syllabus and course pricing info.
References
Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Eoghan Casey
Handbook of Digital Forensics and Investigation, Eoghan Casey
Legal Aspects of Digital Forensics: http://euro.ecom.cmu.edu/program/law/08732/Evidence/RyanShpantzer.pdf
U.S. Department of Justice/Computer Crime and Intellectual Property Section (2009). Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (third ed.). Retrieved from http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf
The Science of Forensic Entomology, David B. Rivers and Gregory A. Dahlem
Cyber Forensics and Admissibility of Digital Evidence
Learn Digital Forensics
http://www.supremecourtcases.com/index2.php?option=com_content&itemid=5&do_pdf=1&id=22821