In this week’s readings (Chapter 3 and 4 of the text), you first learn what digital evidence is, not in the physical sense but in the legal sense, and then what steps you should take to identify and collect it.
As you read in Chapter 3, there are four basic classifications of evidence that can be applied to items of potential investigative value:
Testimonial Evidence – Testimony or a statement provided by an individual detailing what they observed or experienced (through any of their senses). For example, a witness may have heard tires screech and a loud crash but not actually have seen the accident. In this example, even though he didn’t actually see the crash, the witness’s testimony is still valuable – it can help pinpoint the time of the crash, determine the number of vehicles involved, or speak to what the lighting or weather conditions were at the time of the accident. Testimonial evidence can be significant as either direct or corroborating evidence. In addition, expert testimony can be provided that allows a subject matter expert (vetted and accepted by the court) to offer opinions and interpretations (e.g., context) of other evidence that has been or will be presented.
Real Evidence – Physical evidence. Examples would be a murder weapon, a hard disk drive, fingerprints, blood or other bodily fluids, clothing, stolen property, etc.
Documentary Evidence – Documents (such as records, checks, or photographs) that, like real evidence, may be physical items (e.g., printed material); however, documentary evidence also includes the results of analyzing documents or records to show a pattern of behavior. For example, you examine (and create) potential documentary evidence each time you balance your checkbook.
Demonstrative Evidence – Evidence that utilizes or requires a demonstration, such as the use of a chart or map, to help prove what happened. Demonstrative evidence is most often created by an expert witness; an example might be using a dummy to show how a person was standing when he was shot, or it could be a flow chart showing how money was moved between different accounts.
All four types of evidence could be, and frequently are, used together in court to prove or disprove the facts of a case.
1. You are a digital forensic examiner and have been asked to examine a hard drive for potential evidence. Give examples of how the hard drive (or the data on it) could be used as (or lead to the presentation of) all four types of evidence in court. If you do not believe one or more of the types of evidence would be included, explain why not.
Another part of Chapter 3 discusses search and seizure or the ability to retrieve evidence. Over the past two weeks, many of you have mentioned search warrants in your discussions. The Fourth Amendment to the U.S. Constitution (and the Supreme Court’s subsequent interpretations thereof) requires that before a search can be conducted and evidence can be seized, the Government must obtain a search and seizure warrant (based on probable cause) from an impartial magistrate. However, there is no requirement for a private person or organization to obtain a search warrant or work under the same constraints. Further, the line can be blurred, as a private person or organization that searches property or seizes evidence (not needing a warrant) could subsequently turn it over to the Government. In fact, they could do so even if the search was not legal under the Constitution, or even if they did not have the right to enter the place to be searched or committed civil trespass. Although it may seem counterintuitive and like a severe violation of individual rights, the only time the Fourth Amendment applies to a private party is if the private party is acting as an agent for the Government or law enforcement (such as a Government contractor or a citizen asked by a police detective to gather information for a specific purpose or investigation).
There are, of course, exceptions to the requirement that the Government obtain a search warrant prior to searching or seizing evidence. For example, the Government would not need a search warrant when a person with proper authority gives consent to conduct the search (e.g., the company CEO gives permission to search company servers for company data). Another exception is when there are exigent circumstances present that, if the time were taken to obtain a proper warrant, could result in the destruction of evidence or harm to another person; however, it should be noted that searches undertaken due to exigent circumstances must be followed up with a legally obtained warrant as soon as the exigent circumstance has been effectively neutralized. Exigent circumstances could come into play in a digital evidence case when (for example) the owner of a computer likely containing digital evidence knows of the investigation and could delete the evidence from his storage devices before a warrant could be obtained. However, while the storage devices could most likely be seized without a warrant to prevent data destruction, this exigent circumstance is not a valid reason to conduct a forensic analysis of the storage media, and a warrant should be obtained immediately.
If evidence is not seized properly it may not be admissible in court. Therefore, it is important to know the rules governing what you can and cannot do (whether you are a private entity or an instrument of the Government), as well as being able to explain why you took the steps you did in order to sufficiently justify your actions (from a legal perspective). This is also helpful in minimizing any potential civil liability.
After you seize a computer or device and have obtained the proper authority to conduct a search of the contents, you must then be able to testify that your next steps were forensically sound and within the scope of your search authority (whether granted by consent or warrant). Unless special precautions are taken, you risk changing digital data on a device each time you access it. For this reason, it is important you avoid conducting an analysis of an original (evidence) device (such as the suspect’s hard drive removed from his computer), but instead make a forensically sound copy (i.e., a bit-for-bit copy of the original made without altering the original data, often accomplished with the use of a tool called a write-blocker) suitable for examination.
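The imaging step described above can be shown in working code. The following is an added example, not code from the course text: it hashes a constructed stand-in "device" file, copies it byte-for-byte while opened read-only (the software analogue of the write-blocker), then re-hashes the original and the copy so the examiner can testify that the copy matches and the original was not altered.

```python
"""Forensic imaging and verification demo (added example, not course material)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large media never has to fit in RAM


def sha256_file(path):
    """Return the SHA-256 hex digest of a whole file, read sequentially."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src, dst):
    """Copy src to dst byte-for-byte; src is opened read-only ("rb") only.
    A hardware write-blocker would enforce this below the OS on a real drive."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
    return os.path.getsize(dst)


def acquire_and_verify(src, dst):
    """Acquire an image and verify it; returns a record suitable for case notes."""
    before = sha256_file(src)   # hash the evidence before anything else touches it
    size = image_device(src, dst)
    after = sha256_file(src)    # re-hash: demonstrates the original was not changed
    image = sha256_file(dst)    # hash of the working copy that will be examined
    return {
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": image,
        "bytes_copied": size,
        "verified": before == after == image and size == os.path.getsize(src),
    }


def demo():
    """Constructed sample: a small random file stands in for a seized drive."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence_drive.bin")
    dst = os.path.join(tmp, "evidence_drive.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a chunk multiple
    return acquire_and_verify(src, dst)
```

The three hashes in the returned record are what you would write into your notes and the chain-of-custody log; a mismatch in any of them means the copy must not be used.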
Chapter 4 discusses common tasks facing a digital investigator, such as identifying different types of devices you should look for when conducting a search, as well as preservation and analysis of those devices.
2. You have been asked to assist a law enforcement team serving a search warrant related to a child pornography investigation. You are the digital forensic expert for the team, and, as such, have been assigned the task of identifying and collecting the digital evidence at the search location.
A. What steps should you take before the search?
B. For what types of evidence should you be alert when searching the residence?
C. What types of items would you seize?
This week your text focuses on the techniques and tools you would use to collect, preserve, and analyze digital evidence. While this class does not focus as heavily on the highly technical aspects of digital forensics (e.g., using the tools, techniques, processes to collect, preserve and analyze digital evidence), it does stress how to be prepared for the digital evidence process, as it fits into the criminal justice system.
Of course, it is critical that computer forensic examiners understand processes such as capturing volatile data, recognizing and collecting digital evidence, analyzing the evidence once it is collected, etc.; however, what I want you to focus on this week is why and how the processes designed to identify, seize, collect, preserve, and analyze digital evidence relate to the criminal justice process.
You should all understand the need to verify what a warrant will allow you to search for and seize in a criminal case (ensuring that you do not exceed its scope and potentially compromise your case). You should also be aware of what a company’s policy or an organization’s leadership will allow you to do in a non-criminal justice investigation. In either case, you need to be able to testify about all the steps you took, from the point when you were first notified of the incident or called in to collect the digital evidence, until the time you are called to testify about it. Digital evidence must not simply be collected (e.g., picked up and put in a bag); procedures must be put in place to preserve the evidence so the defense cannot raise reasonable doubt (in a criminal case) about the integrity or provenance of the evidence.
For this week’s discussion:
1. Describe at least 5 steps that you consider important in the process from collecting digital evidence to the time you testify. Please explain why they are important.
2. You are a witness and I am asking the following question; please answer as if you are on the witness stand. Upon entering the room where the computer was located, what was the first thing you did?
3. After seizing the computer evidence, what did you do with it?
This week’s reading gives you basic technical information about passwords and encryption, and how to recover data protected by these mechanisms. There is also a section on Steganography, which literally translated means “covered writing.” When some people think of steganography, or “stego,” they think of documents or other data files being hidden in other file types (usually image/picture files). Interestingly, the use of stego goes much farther back than the use of computers. Like cryptology, steganography is used to hide something in something else. So, even though a code breaker can detect the hidden code, they may not be aware that the code actually contains a different message. Cryptography scrambles a message so that it is unreadable, but still visible, while stego camouflages data to hide it or make it undetectable. This course is not meant to teach you about the technical details of encryption or passwords or steganography (entire books are written on each of those subjects), but rather to help you understand their place in the criminal justice process.
Does a warrant give you the authority to break passwords protecting information or to decipher encrypted data? This is a very important question. As many of you have discussed, it is important to make sure you know the limits of your warrant. But while you are conducting a search with a properly executed warrant, you may come across other information that is not included in your scope but is still evidence of a crime. For example, imagine you are searching a hard drive for information related to a fraud scheme. While you are looking through the files you come across a picture that is obviously child porn, but you do not have child porn addressed in any way by your warrant. What do you do? The proper response is to stop the search and obtain another warrant for evidence related to child pornography. The same thing applies to discovering encrypted data. In your affidavit you should explain that criminals sometimes encrypt files that contain evidence. Some may even use stego techniques to hide other files.
This week I would like you to do some research on encryption and steganography. First, list five (5) examples each of how steganography and encryption or cryptology were used BEFORE the advent of computers. Then, discuss how steganography or encryption could be used legitimately, and why this could cause you a problem as a computer forensic examiner.
This week you are reading about the forensic tools used by Computer Forensics Examiners. While the two most popular tools are Guidance Software’s EnCase and AccessData’s FTK, there are other tools that are available and should be part of your toolbox. Once you have properly identified and collected digital evidence, the next step is to analyze it. It does not really matter if you are performing analysis as part of a criminal investigation or as part of a corporate investigation; you should always follow the same protocols. An emphasis in this course is on helping you understand why using an analysis protocol is important. Remember, you should NEVER, EVER work on original evidence, if it can be avoided by any means; instead, use a forensic image. When you work on the image, you pick the tools you will use. Again, it does not matter which tool you actually use, as long as the tool is accepted by the forensic community, and you are able to testify to the tool’s validity, as well as the process you used in your examination.
During your analysis, you should document every step you take and all of your findings. Some tools have a report function that works well to capture both the identified data and the date/time of your various analyses. However, this should always be supplemented with your own notes and documentation.
This week, I would like you to discuss why you need to use a write blocker (either hardware or software) in your examinations, whether for a criminal case or a corporate case.
Also, imagine you are a computer forensic examiner receiving a suspect hard disk drive from a detective in your department. The drive was seized properly during a legally executed search warrant. The detective signs the chain of custody log and hands you the drive. Your job is to accept the drive, conduct an analysis, and maintain the drive until trial. Please explain the steps you would take, from receipt until testimony, including the reasons why you would take each step. For example, what would you check for when you sign for the drive on the chain of custody?
This final conference deals with the final issue any computer forensics examiner or any other witness to an event will face – testifying under oath to what you know. Each person who testifies is a witness and, as we discussed several weeks ago, will present testimonial evidence. As an expert witness, which is how a computer forensic examiner will generally be presented, you are not providing eye-witness testimony to a crime, but are testifying about what you as an expert found or did not find during your collection, preservation, and examination of physical evidence. When you testify on behalf of the government or defense, you will first testify on direct examination; that means the attorney who called you to the stand has to lay certain groundwork to get your testimony about your examination of the evidence before the jury.
What are some of the questions you think you would be asked initially on direct examination?
Once the preliminary questions have been asked and answered, the attorney handling the direct examination will then turn the examination over to the opposing side. This is often done before you are allowed to answer questions about the actual evidence or case before the court. The reason this is done in this manner is that you are first being presented to the court as an expert in some field. The opposing counsel gets to cross-examine you to try to defeat your being named as an expert. In cases where you have already been determined to be an expert by the court on previous occasions, there is less chance the opposing counsel will be successful. But, for a new examiner, the first couple of times before the court will be more demanding as to your expertise.
What kind of questions do you think the opposing counsel will ask you? Remember that on cross-examination opposing counsel can ask leading questions to challenge your expertise.
After both sides have had a chance to question your bona fides as an expert, the counsel wishing you to be accepted will make a motion that you be accepted as an expert. Once that is complete, you will be asked about the matter at hand.
This is also where the opposing counsel will be especially alert for any weaknesses or contradictions in your testimony. How do you think you should testify in order to limit any contradictions?