Digital Evidence

Properly Documenting Results
Intelligence personnel must save the search results that satisfy the research objective. Saving the results enables the analyst or collector to locate the information later as well as properly cite the source of the information in intelligence reports and databases. While printing a hard copy is an option, a soft copy (electronic) record of the search results provides a more portable and versatile record.

Also, some intelligence organizations have software tools specifically designed for creating a complete record of the webpage content and metadata.

The following are some basic techniques for saving an electronic record of the search results.

1. Bookmark the link to the webpage using the “bookmarks” or “favorites” option on the Internet browser.
2. Save Content. Save all or a portion of the webpage content by copying and pasting the information into a text document or other electronic format such as a field within a database form.
3. The naming convention for the soft copy record should be consistent with unit electronic file management standards. As a minimum, the record should include the URL and retrieval date within the file.
4. Download audio, image, text, video, and other files to the workstation. The naming convention for the soft copy record should be consistent with unit electronic file management standards.
5. Save Webpage as .mht, .pdf, .doc, .html—or other specified format—that creates a complete, stable record of the webpage content. It may be necessary to include the date and time in the file name in order to ensure a complete citation for the information.
6. Record Source. As a minimum, record the author or organization, title, publication or posting date, retrieval date, and URL locator of the information in a citation format that is consistent with the American Psychological Association and Modern Language Association style manuals.
7. Identify Intellectual Property that an author or an organization has copyrighted, licensed, patented, trademarked, or otherwise taken to preserve their rights to the material. Some webpages list the points of contact and terms of use information at the bottom of the site’s homepage. When uncertain, intelligence personnel should contact their supporting attorney’s office before publishing information containing copyrighted or similarly protected intellectual property.

Rules of Evidence
Before delving into the investigative process and computer forensics, it is essential that the investigator has a thorough understanding of the Rules of Evidence. The submission of evidence in any type of legal proceeding generally amounts to a significant challenge, but when computers are involved, the problems are intensified.

Special knowledge is needed to locate and collect evidence and special care is required to preserve and transport the evidence. Evidence in a computer crime case may differ from traditional forms of evidence inasmuch as most computer-related evidence is intangible in the form of an electronic pulse or magnetic charge. Before evidence can be presented in a case, it must be competent, relevant, and material to the issue, and it must be presented in compliance with the rules of evidence. Anything that tends to prove directly or indirectly that a person may be responsible for the commission of a criminal offense may be legally presented against in court. Proof may include the oral testimony of witnesses or the introduction of physical or documentary evidence. By definition, the evidence is any species of proof or probative matter, legally presented at the trial of an issue, by the act of the parties and through the medium of witnesses, records, documents, and objects for the purpose of inducing belief in the minds of the court and jurors as to their contention. In short, the evidence is anything offered in court to prove the truth or falsity of a fact in issue. This section describes each of the Rules of Evidence as it relates to computer crime investigations.

Types of Evidence
Many types of evidence exist that can be offered in court to prove the truth or falsity of a given fact. The most common forms of evidence are direct, real, documentary, and demonstrative.

1. Direct evidence is oral testimony, whereby the knowledge is obtained from any of the witness’s five senses and is in itself proof or disproof of a fact in issue. Direct evidence is called to prove a specific act (e.g., an eyewitness statement).
2. Real Evidence, also known as associative or physical evidence, is made up of tangible objects that prove or disprove guilt.
3. Physical evidence includes such things as tools used in the crime, fruits of the crime, or perishable evidence capable of reproduction. The purpose of the physical evidence is to link the suspect to the scene of the crime. It is the evidence that has a material existence and can be presented to the view of the court and jury for consideration.
4. Documentary evidence is evidence presented to the court in the form of business records, manuals, and printouts, for example. Much of the evidence submitted in a computer crime case is documentary evidence.
5. Demonstrative evidence is evidence used to aid the jury. It may be in the form of a model, experiment, chart, or an illustration offered as proof.
6. When seizing evidence from a computer-related crime, the investigator should collect any and all physical evidence, such as the computer, peripherals, notepads, or documentation, in addition to computer-generated evidence.
   

The four types of computer-generated evidence are:

1. Visual output on the monitor;
2. Printed evidence on a printer;
3. Printed evidence on a plotter; and
4. Film recorder (i.e., a magnetic representation on disk and optical representation on CD).
   

A legal factor of computer-generated evidence is that it is considered hearsay. The magnetic charge of the disk or the electronic bit value in memory, which represents the data, is the actual, original evidence. The computer-generated evidence is merely the computer output used in the regular course of business, the evidence shall be admitted.

Best Evidence Rule
The Best Evidence Rule, which had been established to deter any alteration of evidence, either intentionally or unintentionally, states that the court prefers the original evidence at the trial, rather than a copy, but judges will accept a duplicate under these conditions:

1. Original lost or destroyed by fire, flood, or other acts of God. This has included such things as careless employees or cleaning staff.
2. Original destroyed in the normal course of business.
3. Original in possession of a third party who is beyond the court’s subpoena power._
   

This rule has been relaxed to allow duplicates unless there is a genuine question as to the original’s authenticity, or admission of the duplicate would, under the circumstances, be unfair.

Exclusionary Rule
Evidence must be gathered by law enforcement in accordance with court guidelines governing search and seizure or it will be excluded as stated in the Fourth Amendment. Any evidence collected in violation of the Fourth Amendment is considered to be “Fruit of the Poisonous Tree,” and will not be admissible.

Furthermore, any evidence identified and gathered as a result of the initial inadmissible evidence will also be held to be inadmissible. Evidence may also be excluded for other reasons, such as violations of the Electronic Communications Privacy Act (ECPA) or violations related to provisions of Chapters 2500 and 2700 of Title 18 of the United States Penal Code.

Private Citizens are not subject to the Fourth Amendment’s guidelines on search and seizure but are exposed to potential exclusions for violations of the ECPA or Privacy Act. Therefore, internal investigators, private investigators, and GERT team members should take caution when conducting any internal search, even on company computers. For example, if there is no policy explicitly stating the company’s right to electronically monitor network traffic on company systems, internal investigators would be well-advised not to set up a sniffer on the network to monitor such traffic. To do so may be a violation of the ECPA.

Hearsay Rule
Hearsay is second-hand evidence — evidence that is not gathered from the personal knowledge of the witness but from another source. Its value depends on the veracity and competence of the source.

Under the Federal Rules of Evidence, all business records, including computer records, are considered hearsay, because there is no first-hand proof that they are accurate, reliable, and trustworthy. In general, hearsay evidence is not admissible in court. However, there are some well-established exceptions (e.g., Rule 803) to the hearsay rule for business records.

Business Record Exemption to the Hearsay Rule
Federal Rules of Evidence 803(6) allow a court to admit a report or other business document made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of regularly conducted business activity, and if it was the regular practice of that business activity to make the [report or document], all as shown by the testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.
To meet Rule 803 (6) the witness must:

1. Have custody of the records in question on a regular basis;
2. Rely on those records in the regular course of business; and
3. Know that they were prepared in the regular course of business.
   

Audit trails meet the criteria if they are produced in the normal course of business. The process to produce the output will have to be proven to be reliable. If computer-generated evidence is used and admissible, the court may order disclosure of the details of the computer, logs, and maintenance records with respect to the system generating the printout, and then the defense may use that material to attack the reliability of the evidence. If the audit trails are not used or reviewed —at least the exceptions (e.g., failed login attempts) — in the regular course of business, they do not meet the criteria for admissibility.

Federal Rules of Evidence 1001(3) provide another exception to the Hearsay Rule. This rule allows a memory or disk dump to be admitted as evidence, even though it is not done in the regular course of business.

This dump merely acts as a statement of fact. System dumps (in binary or hexadecimal) are not hearsay because they are not being offered to prove the truth of the contents, but only the state of the computer.

Chain of Evidence: Custody
Once evidence is seized, the next step is to provide for its accountability and protection. The chain of evidence, which provides a means of accountability, must be adhered to by law enforcement when conducting any type of criminal investigation, including a computer crime investigation. It helps to minimize the instances of tampering. The chain of evidence must account for all persons who handled or who had access to the evidence in question. The chain of evidence shows:

1. Who obtained the evidence;
2. Who secured the evidence; and
3. Who had control or possession of the evidence.
   

It may be necessary to have anyone associated with the evidence testify at trial. Private citizens are not required to maintain the same level of control of the evidence as law enforcement, although they are well-advised to do so. Should an internal investigation result in the discovery and collection of computer-related evidence, the investigation team should follow the same, detailed chain of evidence as required by law enforcement. Should the case go to court, this will help to dispel any objection by the defense that the evidence is unreliable.

Admissibility of Evidence
The admissibility of computer-generated evidence is, at best, a moving target. Computer-generated evidence is always suspect because of the ease with which it can be altered, usually without a trace. Precautionary measures must be taken to ensure that computer-generated evidence has not been tampered with, erased, or altered.
To ensure that only relevant and reliable evidence is entered into the proceedings, the judicial system has adopted the concept of admissibility:

• Relevancy of Evidence: Evidence tending to prove or disprove a material fact. All evidence in court must be relevant and material to the case.
• Reliability of Evidence: The evidence and the process to produce the evidence must be proven to be reliable. This is one of the most critical aspects of computer-generated evidence.
  

Evidence Life Cycle
The evidence life cycle starts with the discovery and collection of the evidence. It progresses through the following series of states until it is finally returned to the victim or owner:

• Collection and identification.
• Storage, preservation, and transportation.
• Presented in court.
• Returned to the victim (i.e., the owner).
  

Collection and Identification
As the evidence is obtained or collected, it must be properly marked so that it can be identified as being that particular piece of evidence gathered at the scene. The collection must be recorded in a logbook identifying that particular piece of evidence, the person who discovered it, and the date, time, and location discovered. The location should be specific enough for later recollection in court.

When marking evidence, these guidelines should be followed:

• The actual piece of evidence should be marked if it will not damage the evidence by writing or scribing initials, the date, and the case number if known. This evidence should be sealed in an appropriate container, then the container should be marked by writing or inscribing initials, the date, and the case number if known.
• If the actual piece of evidence cannot be marked, the evidence should be sealed in an appropriate container and then that container marked by writing or inscribing initials, the date, and the case number, if known.
• The container should be sealed with evidence tape and the marking should be over the tape, so that if the seal is broken it can be noticed.
• When marking glass or metal, a diamond scriber should be used. For all other objects, a felt tip pen with indelible ink is recommended. Dependent on the nature of the crime, the investigator may wish to preserve latent fingerprints. If so, static-free nitrile gloves should be used if working with computer components, instead of standard latex gloves.
  

Storage, Preservation, and Transportation

• Documents and disks (e.g., hard, floppy, and optical) should be seized and stored in appropriate containers to prevent their destruction. For example, hard disks should be packed in a static-free bag within a cardboard box with a foam container. It may be best to consult with the system administrator or a technical advisor on how to best protect a particular type of system, especially mini-systems or mainframes.
• Finally, evidence should be transported to a location where it can be stored and locked.
  

Sometimes, the systems are too large to transport, thus the forensic examination of the system may need to take place on-site.

Evidence Presented in Court
Each piece of evidence that is used to prove or disprove a material fact must be presented in court. Here are guidelines for handling evidence during the trial:

• After the initial seizure, the evidence is stored until needed for trial. Each time the evidence is transported to and from the courthouse for the trial, it must be handled with the same care as with the original seizure. In addition, the chain of custody must continue to be followed. This process will continue until all testimony related to the evidence is completed. Once the trial is over, the evidence can be returned to the owner.
  

Returned to Victim
The final destination of most types of evidence is the original owner. Some types of evidence, such as drugs or paraphernalia, are destroyed after the trial. Any evidence gathered during a search, even though maintained by law enforcement, is legally under the control of the courts. Even though a seized item may be the victim’s and may even have the victim’s name on it, it may not be returned to the victim unless the suspect signs a release or after a hearing by the court. However, many victims do not want to go to trial. They just want to get their property back.

Many investigations merely need the information on a disk to prove or disprove a fact in question, thus there is no need to seize the entire system. Once a schematic of the system is drawn or photographed, the hard disk can be removed and then transported to a forensic lab for copying.

Mirror copies of the suspect disk are obtained by using forensic software and then one of those copies can be returned to the victim so that he or she can resume business operations.

Copyright © 2011– Present, McAfee Institute, LLC, and Respective Authors. All rights reserved. This manual and its contents are protected under U.S. and international copyright laws. Unauthorized reproduction, distribution, or modification is strictly prohibited.