I. General Policies

In general, where there is consent by an individual to examine magnetic media (a computer, diskettes, tapes, etc.), the consent should be in writing and obtained without duress. Where there is consent by the company or organization that owns the computer or other magnetic media, but no consent from the individual using the computer, there should be a written policy that clearly advises the individual that the computer is company property and is subject to search at any time. The policy should be in writing and signed by the employee.

Email or interoffice mail that is not present on a file server and has NOT been downloaded by the individual to whom it is addressed cannot be downloaded or accessed by an examiner. There is a full expectation of privacy, and a court order (the equivalent of a "wire tap" order) is necessary to examine the data.

Email or interoffice mail that is present on a computer and HAS been downloaded by the individual to whom it is addressed can be accessed by an examiner. There is no expectation of privacy, and the data can be examined if the examiner has a legal right to examine the data on the computer.

Where there is any doubt as to the legality of collection and examination of the media, legal counsel should be sought and a summons, court order or warrant obtained.

II. How to collect/preserve evidence until an expert arrives

1. Send a preservation of evidence letter.
2. Include definitions, instructions and specific questions about electronic evidence in your written discovery. Interrogate all parties and follow up with a 30(b)(6) deposition of the Information Systems department.
   a) Collect backup tapes
   b) Collect removable media
   c) Ask every witness about computer usage
   d) Begin a Chain of Custody document

III. This is the point to call an Expert Computer Forensic Examiner

The evidence maintained must be able to hold up in a court of law. The evidence must be "trustworthy", and the person who collects and examines the evidence must be seen as "trustworthy". For this to happen, an experienced Computer Forensic Examiner must be the one to complete this task.

An expert will never work directly on the original data. The examiner will take a bit stream image copy and work with the copy of the data. This copies the data sector by sector to a new physical drive. The new drive will have been wiped clean with a forensic utility, removing any previous data, and scanned for viruses before the bit stream image is made. The forensic examiner should use a utility such as CHKSUM or Hash 5 algorithm software to validate that the copy is in fact a perfect duplicate of the original drive.
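
The acquisition procedure just described (wipe the target, copy sector by sector, hash the source and the image, compare), as an added example that is not part of the original page. The "drives" are in-memory byte buffers constructed for the demo rather than real devices, the 512-byte sector size and the use of SHA-256 are assumptions, and the final function shows why the hash is recorded: a single flipped bit in the image is enough to break the match.

```python
"""Bit-stream acquisition with hash verification (added example).

The "drives" here are in-memory byte buffers constructed for the demo,
not real devices, so the script runs offline; the procedure is the one
the text describes: wipe the target, copy sector by sector, hash the
source while reading it, then hash the finished image and compare.
"""
import hashlib
import io

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors

# Constructed sample "source drive": roughly five sectors of data.
SAMPLE_DRIVE = b"CONSTRUCTED SAMPLE DRIVE CONTENT " * 80


def wipe_target(target: io.BytesIO, size: int) -> None:
    """Overwrite the target with zeros before imaging, so nothing left
    from an earlier case can be mistaken for evidence from this one."""
    target.seek(0)
    target.write(b"\x00" * size)
    target.seek(0)


def image_and_hash(source, target, size: int, algorithm: str = "sha256") -> str:
    """Copy `size` bytes from source to target one sector at a time.

    The source is never written; its hash is computed from the very
    bytes being copied, so the original is read exactly once.
    """
    digest = hashlib.new(algorithm)
    source.seek(0)
    target.seek(0)
    remaining = size
    while remaining > 0:
        chunk = source.read(min(SECTOR_SIZE, remaining))
        if not chunk:
            raise IOError("short read: source ended before the expected size")
        digest.update(chunk)
        target.write(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def hash_image(target, size: int, algorithm: str = "sha256") -> str:
    """Independently re-read the finished image and hash it."""
    digest = hashlib.new(algorithm)
    target.seek(0)
    remaining = size
    while remaining > 0:
        chunk = target.read(min(SECTOR_SIZE, remaining))
        if not chunk:
            break
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def acquire(source_bytes: bytes) -> dict:
    """Run the whole procedure and return a record for the examiner's notes."""
    size = len(source_bytes)
    source = io.BytesIO(source_bytes)
    target = io.BytesIO()
    wipe_target(target, size)
    source_hash = image_and_hash(source, target, size)
    image_hash = hash_image(target, size)
    return {
        "bytes_imaged": size,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
        "image": target.getvalue(),
    }


def altered_image_verifies(source_bytes: bytes) -> bool:
    """Flip one bit in the image after acquisition and re-check it against
    the recorded source hash. Returns False: one changed bit breaks the match."""
    record = acquire(source_bytes)
    damaged = bytearray(record["image"])
    damaged[len(damaged) // 2] ^= 0x01
    rehash = hash_image(io.BytesIO(bytes(damaged)), len(damaged))
    return rehash == record["source_sha256"]


if __name__ == "__main__":
    rec = acquire(SAMPLE_DRIVE)
    print(f"imaged {rec['bytes_imaged']} bytes, verified={rec['verified']}")
    print("source", rec["source_sha256"])
    print("image ", rec["image_sha256"])
    print("altered image still verifies?", altered_image_verifies(SAMPLE_DRIVE))
```

Both hash values belong in the examiner's notes together with the date, time and tool used; anyone who later re-hashes the image can then confirm it is still the duplicate that was made at acquisition.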

Some of the information that can be found is in an area called "slack space". This is essentially the space from the end of a file to the end of its cluster, while free space is the room on the disk that is not occupied by a file. When a file is deleted it is marked as "free space", but the data is not actually erased. Being marked as free space means that a new file could overwrite it. If nothing else is written to this cluster, the original deleted data is still there, although not accessible through Windows Explorer. You need proper forensic utilities to view this data and get the correct date and time stamps. This is why it is essential to seize the data as soon as possible. You should also make the client aware to keep a copy in case something comes up later in proceedings.
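
The slack-space and free-space behaviour described above, as an added example that is not from the original page. ToyVolume is a constructed in-memory stand-in for a simple cluster-based file system (the 64-byte cluster size, the directory layout and the sample memo are all assumptions made for the demo); it shows that deleting a file leaves its bytes in place, and that after a smaller file reuses the cluster, a normal read returns only the new file while the slack still holds the tail of the deleted one.

```python
"""Slack space and deleted-file residue on a cluster-based volume (added example).

ToyVolume is a constructed, in-memory stand-in for a FAT-like file system:
fixed-size clusters, a directory mapping names to (cluster, logical size)
and a free-cluster list. Deleting a file changes only the directory and the
free list; the bytes stay on "disk" until another file reuses the cluster.
"""

CLUSTER_SIZE = 64  # assumption: tiny clusters keep the demo readable (real ones are 4 KiB+)

# Constructed sample file: exactly one cluster long.
MEMO = b"Constructed sample memo: confidential merger notes, do not share"


class ToyVolume:
    def __init__(self, clusters: int = 8):
        self.disk = bytearray(CLUSTER_SIZE * clusters)
        self.free = [True] * clusters
        self.directory = {}  # name -> (cluster index, logical size)

    def write_file(self, name: str, data: bytes) -> int:
        if len(data) > CLUSTER_SIZE:
            raise ValueError("demo volume: one cluster per file")
        idx = self.free.index(True)                 # first free cluster, as a simple FS would
        start = idx * CLUSTER_SIZE
        self.disk[start:start + len(data)] = data   # only the logical bytes are written
        self.free[idx] = False
        self.directory[name] = (idx, len(data))
        return idx

    def delete_file(self, name: str) -> None:
        idx, _ = self.directory.pop(name)
        self.free[idx] = True                       # marked free; contents untouched

    def read_file(self, name: str) -> bytes:
        """What a normal file browser shows: the logical bytes only."""
        idx, size = self.directory[name]
        start = idx * CLUSTER_SIZE
        return bytes(self.disk[start:start + size])

    def slack(self, name: str) -> bytes:
        """Forensic view: from the end of the file to the end of its cluster."""
        idx, size = self.directory[name]
        start = idx * CLUSTER_SIZE
        return bytes(self.disk[start + size:start + CLUSTER_SIZE])

    def free_space(self) -> dict:
        """Forensic view: raw contents of every cluster marked free."""
        return {i: bytes(self.disk[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE])
                for i, is_free in enumerate(self.free) if is_free}


def demonstrate() -> dict:
    vol = ToyVolume()
    vol.write_file("memo.txt", MEMO)
    vol.delete_file("memo.txt")
    deleted_still_on_disk = vol.free_space()[0] == MEMO   # "free", but not erased

    vol.write_file("note.txt", b"short note")             # reuses cluster 0
    return {
        "deleted_still_on_disk": deleted_still_on_disk,
        "logical": vol.read_file("note.txt"),             # what Explorer would show
        "slack": vol.slack("note.txt"),                   # what a forensic tool shows
        "residue_recoverable": b"confidential" in vol.slack("note.txt"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The same reasoning is why seizing early matters: every ordinary write to the volume is a chance for a free or slack cluster to be overwritten for good.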

A forensic examiner must document each step of the examination and keep detailed notes to recall what was done at each step.

IV. Maintain the Chain of Custody

The Chain of Custody document proves that the physical location and possession of the evidence are accounted for at all times. Once a computer is seized, a list of everyone who comes in contact with the evidence is maintained. This should include only members of the investigative unit or law enforcement. The make and model of the computer should also be included. If the computer was on, what was on the screen and the surrounding area should be photographed. If the computer is not immediately removed, the drives should be taped. All dates and times, along with the person handling the data, must be included.
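
A Chain of Custody record carrying the fields the text requires (who, when, what was done, where, plus the make and model of the item), as an added example that is not from the original page. Beyond what the text states, each entry here is linked to the previous one by a SHA-256 hash so that a retroactive edit or a removed entry is detected by verify(); the item description, handler names and timestamps are constructed sample values, and the serial number is a placeholder.

```python
"""Chain-of-custody log with tamper-evident linking (added example).

Each entry records who handled the item, when, what was done and where.
In addition, each entry's hash covers its own fields and the previous
entry's hash, so editing or removing an earlier entry breaks the chain
and verify() reports the first bad sequence number. Timestamps are passed
in explicitly so the demo is deterministic; real use would record UTC now.
"""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class Entry:
    seq: int
    timestamp: str      # ISO 8601, UTC
    handler: str
    action: str         # e.g. seized, transported, imaged, stored
    location: str
    prev_hash: str
    entry_hash: str = ""


def _digest(entry: Entry) -> str:
    """SHA-256 over every field except the entry's own hash."""
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description   # make, model, serial
        self.entries: list[Entry] = []

    def add(self, timestamp: str, handler: str, action: str, location: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(len(self.entries) + 1, timestamp, handler, action, location, prev)
        entry.entry_hash = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if intact, else (False, first bad seq)."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            if (entry.seq != expected_seq
                    or entry.prev_hash != prev
                    or _digest(entry) != entry.entry_hash):
                return False, expected_seq
            prev = entry.entry_hash
        return True, None

    def handlers(self) -> list:
        """Everyone who has touched the item, for the custody report."""
        return sorted({e.handler for e in self.entries})


def build_sample_log() -> CustodyLog:
    # Constructed sample values; serial is a placeholder, not a real identifier.
    log = CustodyLog("ITEM-0001", "Constructed sample: desktop PC, make/model recorded, serial SERIAL-PLACEHOLDER")
    log.add("2024-01-15T09:02:00Z", "J. Doe (investigator)",
            "seized; screen and surroundings photographed; drive bays taped", "Office 4B")
    log.add("2024-01-15T11:30:00Z", "J. Doe (investigator)", "transported", "Evidence locker 2")
    log.add("2024-01-16T08:15:00Z", "A. Roe (examiner)",
            "bit-stream image made, hashes recorded", "Forensic lab")
    return log


def edited_entry_detected() -> bool:
    """A retroactive change to entry 2 must be caught at seq 2."""
    log = build_sample_log()
    log.entries[1].handler = "Someone else"
    ok, bad = log.verify()
    return (not ok) and bad == 2


def removed_entry_detected() -> bool:
    """Dropping the transport entry must be caught at seq 2."""
    log = build_sample_log()
    del log.entries[1]
    ok, bad = log.verify()
    return (not ok) and bad == 2


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(), "handlers:", log.handlers())
    print("edit detected:", edited_entry_detected(), "removal detected:", removed_entry_detected())
```

The hash link adds to, and does not replace, the paper record: the signed log is what is produced in court, and the link simply gives the examiner a quick way to confirm that the electronic copy has not drifted from it.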

V. Printed Documents

You must always be able to trace the document back to its source and verify its authenticity. Each document must have a unique evidence number.

VI. Conclusion

Successfully recovering any form of data is a cooperative effort between lawyers and technical experts. The lawyer needs to understand the process, where data can be stored, and how to ask for it. The goal for the lawyer is to get authorization to access the data and supporting information. The technical experts need to examine the data while preserving the Chain of Custody necessary to authenticate the individual messages recovered or data acquired.