What Every Businessperson and Lawyer Needs to Know About Forensic Digital Evidence
Digital evidence. It’s everywhere. Consider the ubiquitous nature of electronics: in our society, interaction with electronic devices is inevitable. Most of us interact with them hundreds, if not thousands, of times a day. And most of those devices are “smart” enough to retain information about who you are, and where you were, when you interacted.
Add to this the massive amounts of digital information office workers deal with every day: emails, the web, calendars, word processors, spreadsheets, and security systems. It’s a vast amount of information. And, all of these systems collect “digital fingerprints” when they are used. This leads to large amounts of “indirect” information available to anyone who knows to look for it.
Knowing to look
Imagine the time before we knew fingerprints were unique. Crime scenes held fingerprints and other forensic information, which was all literally overlooked. Footprints and blood evidence were examined. But since science didn’t know about blood types until about 100 years ago, even this important evidence was missed.
This is the current state of much digital evidence. It might be there, it might not. Most people have only a vague sense of how useful it is. And since this is new technology, many people are frequently clumsy in their methods of dealing with it.
But in almost all cases, the digital evidence is there. And we must be careful in handling it, because it is more fragile than other evidence. Even the simple act of turning a computer “on” can change and possibly destroy potentially useful digital evidence.
So, sticking with our analogy of a physical crime scene, what would you do if you wanted to preserve as much physical evidence as possible?
You would leave it alone. You wouldn’t pick anything up. You wouldn’t touch anything. If you could avoid it, you wouldn’t even walk into the room. You would do everything to preserve all of that physical evidence exactly as it was at the time the crime was committed.
The same principles apply to digital forensic evidence. If a computer is likely to hold evidence in its files then that device must not be disturbed. Simply opening files in their related applications (for example, in Microsoft Word) changes them, even if you “Don’t Save”.
“Why the rush?”
Only someone who knows technology and the law can adequately protect that valuable digital forensic evidence.
You need to get that computer into the hands of a digital forensics expert ASAP. And unlike many other tasks related to preparing the case, time is critical. Any delay leaves that evidence vulnerable. It would be like not putting up the police tape around a physical crime scene. If you let people walk through, your evidence gets compromised or lost.
“But we’re trying to limit our costs!”
Until you know you’re going to court, of course you don’t want to spend much money. The case might settle, money could be saved.
But, consider this: if the opposing counsel sees an immediate, aggressive move to gather as much digital forensic evidence as possible, you’re more likely to get a settlement offer. A proactive digital forensics strategy clearly demonstrates that you are not only serious, but you’re aware of the importance of digital evidence. If your opposition is also up-to-date on the role of digital forensics, they will appreciate your savvy. If they are not technically inclined, they will likely be unclear, perhaps even intimidated, about what digital evidence there is, and what may be done with it. It’s a bit of a win-win for you.
From a technical perspective, it’s easy to understand the importance of moving quickly to secure any digital evidence. Generally speaking, digital evidence in user files is easily accessed, stable and reliable. But, many cases will hinge on authentication of files or timelines, reconstructed from file access and use. This type of evidence is not only difficult to locate and isolate, it is also fragile. The longer the computer in question is regularly used, the more this important evidence will degrade. And the more it degrades, the greater the chance relevant information will be lost, and the more difficult and costly recovery will be. There is the added risk of being found to have destroyed evidence. Not a good thing.
Digital forensic collection
There is a prudent way to limit costs early on, however: Digital forensic collection. This means collecting the evidence first, while leaving the detailed data analysis for later, when it becomes clear the case will likely go to trial.
Most digital forensic evidence is drawn from the hard disk drives of the computers in question. A “bit-level” image of a hard drive is an exact duplicate of the drive at the time the image is taken. You can take a bit-level image early, and use it later, if necessary. This phase of a digital forensic investigation is usually less than one quarter of the overall cost.
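Bit-level imaging, and the chain-of-custody record that travels with the image (the checklist later in this article asks whether a consultant can keep one), as an added example written for this page rather than the author's code or any vendor's tool. The "drive" is a constructed file; the names `image_device`, `verify_image` and `CustodyRecord`, and the examiner placeholders, are this example's own. It shows why an image taken early can stand in for the original later: every sector is copied, including ones no longer holding a live file, and a hash taken at collection lets anyone re-check that the image has not changed since.

```python
"""Added example: sector-level imaging with hash verification and a custody log.

Illustrative code written for this article, not a forensic product. The drive
is a constructed file; a real acquisition reads the block device through a
write blocker with a purpose-built imager. All names here are this example's.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

BLOCK_SIZE = 512  # read sector by sector: allocated and unallocated space alike


@dataclass
class CustodyRecord:
    """Minimal chain-of-custody entry for one acquired image (example schema)."""
    source: str
    image: str
    examiner: str
    bytes_copied: int
    sha256_source: str
    sha256_image: str
    collected_at: str
    events: list = field(default_factory=list)


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source, image, examiner):
    """Copy every block of `source` into `image`; hash both sides as we go.

    Matching source and image hashes are what let the image stand in for the
    original later. The source is opened read-only; on real hardware a write
    blocker enforces that as well.
    """
    digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(BLOCK_SIZE)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
    record = CustodyRecord(
        source=source, image=image, examiner=examiner, bytes_copied=copied,
        sha256_source=digest.hexdigest(), sha256_image=sha256_file(image),
        collected_at=datetime.now(timezone.utc).isoformat(),
    )
    record.events.append(("acquired", record.collected_at, examiner))
    return record


def verify_image(record, who):
    """Re-hash the image and log the check; any change since acquisition shows."""
    now = datetime.now(timezone.utc).isoformat()
    matches = sha256_file(record.image) == record.sha256_image
    record.events.append(("verified" if matches else "HASH MISMATCH", now, who))
    return matches


def build_constructed_drive(path):
    """Constructed sample drive: one visible memo plus a fragment of an older
    draft left in sectors no live file uses any more."""
    data = bytearray(8 * BLOCK_SIZE)
    memo = b"MEMO: revised delivery date agreed on call"
    fragment = b"...earlier draft said 30 days, not 60..."
    data[0:len(memo)] = memo
    data[5 * BLOCK_SIZE:5 * BLOCK_SIZE + len(fragment)] = fragment
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


def demo():
    """Acquire, verify, then show that a later edit to the image is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "drive.bin")
        image = os.path.join(workdir, "drive.img")
        size = build_constructed_drive(drive)
        record = image_device(drive, image, "examiner-placeholder")
        verified = verify_image(record, "examiner-placeholder")
        with open(image, "rb") as f:
            unallocated_kept = b"earlier draft" in f.read()
        with open(image, "r+b") as f:  # simulate someone altering the image later
            f.write(b"X")
        still_verifies = verify_image(record, "second-reviewer-placeholder")
        return {
            "bytes_copied": record.bytes_copied,
            "size": size,
            "verified_at_collection": verified,
            "unallocated_content_preserved": unallocated_kept,
            "verifies_after_alteration": still_verifies,
            "event_count": len(record.events),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real acquisition the source is the block device, read through a write blocker and normally with a dedicated imager rather than a Python loop; the part that carries over is the pattern of hashing at collection and re-hashing at every handoff, so that the custody log itself shows whether the copy everyone is analysing is still the one that was taken.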
Which systems should be imaged?
Alright then, move quickly and you’ll end up covering your angles. But, how wide do you cast your digital net? Is imaging all the office computers sufficient? What if home computers were involved? What about online backups, web searches, and mail servers? How far do you go?
Well, the answer comes from the cost ratio mentioned previously: If there is a 25% chance that a system could carry relevant digital forensic evidence, then capture an image of it. You can defer the decision to analyze the data until later.
Simply being aware of the importance of digital forensic data is not enough. Emerging case law puts the onus to preserve digital evidence on all parties, as soon as there is a reasonable belief that litigation will be likely. And preservation orders must be obeyed.
Unfortunately, not many companies are prepared for this scenario. Several have been heavily fined as a result. The best way to protect all involved is to seek the guidance of a digital forensic specialist at the earliest sign of possible litigation.
“Who you gonna call?”
Your chosen digital forensics consultant needs to be qualified across many platforms: Windows, Mac, Linux, servers, web services, and even security systems. A digital forensics expert who is certified on just one product may not be “expert” enough to do the job thoroughly. You need depth on your bench.
The other role for your forensics consultant is as trusted advisor: Prudent advice about the timing of forensic collection and analysis will always be needed. And there will probably come a time when you need guidance regarding your own firm’s handling of electronic data.
Lastly, your digital forensics consultant should be someone you’d be comfortable presenting in court as an expert witness.
As is often the case, price may not be indicative of quality. So, you should consider these questions when evaluating any digital forensic consultant:
- Do they have their own dedicated digital forensics lab?
- Do they know the law?
- Do they follow the accepted protocols and procedures?
- Are they able to keep and present an acceptable chain of custody?
- Are they able to balance the costs against the various parameters of timing and scope involved in a digital forensic investigation?
- Can they deal with the wide scope of systems and hardware?
- Have they ever served as an expert witness?
- How long have they been in business?
- How quickly are they able to react?
- Are they familiar with discovery and preservation strategies and case law?
At the end of the analysis, you need to choose your digital forensic examiner very carefully. Using the information above will help avoid the most common errors.