Dos and Don'ts for Digital Evidence
Print Issue: June 2005
One Friday afternoon, the information technology director of a major telecommunications provider (we’ll call him Jim) rushed up to the office of the company’s president (whom we’ll call Tom). Jim was carrying a corporate notebook computer that had previously been used by an employee who had just been terminated. Jim quickly related to Tom that while reconfiguring the computer—standard procedure before reissuing it to another employee—the IT staff had found what appeared to be child pornography on it.
Tom recognized that a company computer containing child pornography was an important issue, but he was in a hurry to leave for a ski trip. He took the notebook and slipped it into his briefcase. Tom would never, of course, have dreamed of treating other contraband—say, a bag full of cocaine found on company premises—in the same way. But he did not view the digital evidence in the same light.
Two days later, while enjoying his ski weekend at a cabin several states away, Tom decided to take a look at the computer. Using the administrator password Jim had provided, Tom logged into the notebook and reviewed the user files. He found graphic files that appeared to constitute child pornography. After viewing several of the pictures with disgust, he shut down the notebook and put it back into his briefcase, unaware that he had done anything wrong.
Tom intended to notify law enforcement when he returned to the office on Monday. Unfortunately, by then he had tainted the evidence and violated the law. Not only had he broken the chain of custody and raised questions about whether the evidence could have been tampered with, he had also taken possession of child pornography, which is contraband, and by transporting it across state lines, he had committed at least two felonies under Title 18 of the U.S. Criminal Code.
This is not a fictional account. It really happened, and similar scenarios have likely played out in many other organizations. The problem is that business executives are still unaware of the rules governing digital evidence handling.
Security professionals should initiate an education campaign at their own organizations well before any incident results in the mishandling of vital evidence in a cybercrime. The following key elements should be considered.
Who investigates. The first step is to decide who should investigate matters involving corporate information systems. The initial thought many managers have is to give the job to the information technology (IT) division. However, this is a mistake. An investigator should be impartial—that is, someone who does not have a vested interest in the findings. Asking IT to investigate an issue that involves its department’s equipment, software, user policies, and security measures is a violation of this basic rule.
Large companies may have a dedicated digital forensics department that does not fall under the management purview of IT. Companies without this in-house expertise should bring in a qualified consultant with credentials in both investigations and digital forensics. A perfect consultant would be someone who is a Certified Protection Professional (CPP), with a private or public investigations background and certification in digital forensics.
For an example of the latter, the International Association of Computer Investigative Specialists (IACIS), which is a group of law enforcement officers and information security professionals, offers Certified Forensic Computer Examiner and Certified Electronic Evidence Collection Specialist certifications. To obtain these, professionals must complete significant computer-crime coursework as well as the examination of several items of electronic evidence, complete with full reports of findings.
When bringing in a consultant from outside the company, it is critical to check state and local laws first, as many jurisdictions require that digital forensic examiners who are not company employees be qualified and licensed as private investigators.
Expert witness. Another important consideration when selecting an investigator is how well the investigator will present himself or herself in court. For example, can this person clearly explain technical details to a lay audience, as will be necessary during a trial? And how much experience does this investigator have in testifying in a courtroom setting? If the investigator you select has never testified in court, you may be at a significant disadvantage, especially if facing seasoned counsel.
When selecting a consultant, be aware that there is no general certification process for anyone to go through to become an expert witness. Any person who will be a witness in a case and who wishes to be considered for expert status in any given discipline must submit his or her background and experience to the court for examination. The person must be willing to be examined by the judge and legal counsel if requested. This process is repeated in each new case unless counsel agree to stipulate the expert’s background and experience.
After a review of the proposed expert witness’s credentials and examination under oath (if required), the presiding judge will rule on whether that person is qualified to testify as an expert. This process is sometimes known as expert-witness certification and has led to the belief that individuals are somehow “certified” as expert witnesses. However, the certification that is rendered only applies to the court (rather than just the trial) in which it was rendered and does not result in some expert-witness credential being attached to the individual witness.
Not all experts on technical subjects need to pass muster before the courts as expert witnesses; sometimes it is sufficient for them to testify merely as a fact witness, but that is probably not sufficient for the forensic investigator, who will be key to the presentation of a cybercrime case in court.
If the investigator cannot qualify as an expert witness, he or she will be limited to answering questions of fact and not allowed to offer any opinions as to how events unfolded. Clearly, a fact witness is of more limited value to the prosecution of a court case than an expert witness.
When to report. Another question that needs to be considered is when to call in law enforcement. Although the line is one that must be clearly drawn in corporate policy, there are some situations where the need for the police is clear. For example, if an employee is suspected of improperly accessing the company’s proprietary data (say, payroll records), law enforcement does not need to be notified; but if the employee is suspected of embezzling the funds of a public company, law enforcement would need to be called.
Whenever contraband (such as child pornography) is detected, the police must be notified. It may be embarrassing for a company to have it known that an employee was collecting, trading, and viewing child pornography, for instance. However, it’s better to bite the bullet than it is to compound the problem by failing to report it to the authorities. Remember that, as in the opening example, if a company executive has possession of the contraband and does not take immediate action to notify the police, then the executive is committing a felony.
The best course of action when considering this question is advance planning. It’s a good idea for the security director or other appropriate representative to meet with local law enforcement representatives in advance of any incident to discuss when the police would want to be notified. Many police departments have dedicated high-technology crime units that are happy to work with companies on a mutually agreeable response plan.
The company should also make contacts with other law enforcement agencies that have expertise in investigating cybercrimes. For example, the U.S. Secret Service’s Electronic Crimes Task Force has dozens of local chapters that bring together law enforcement investigators with private-sector security managers. Having an agreed-to and coordinated response plan can also help ensure that the evidence collected will be admissible when the time comes for the case to go to court.
How to proceed. Once your company has decided who will investigate and has defined the rules of engagement regarding the police, it must establish detailed incident response and investigation policies, procedures, and guidelines. Key areas to be addressed under investigative authority are employees’ expectations regarding privacy versus the company’s authority to search an employee’s work area, and the legality of seizing items of possible investigative value.
Searches. The company should have a clear policy statement in the employee handbook that lets workers know that everything at the work site is company property, including the employee’s office or personal workspace, hard copy files, and all electronic devices and data. The policy should make clear that any such property can at any time be monitored, searched, or taken by the company without specific notification beyond the general policy statement and without prior permission.
That type of published policy plays an important role when it comes to legally defending the searching of an employee’s workspace. It puts employees on notice that they should have no expectation of privacy in the workplace, an issue that may be raised if the company’s actions are challenged in court. The expectation of privacy as interpreted by the courts often comes down to the reasonableness of an employer’s search balanced against the employee’s right to be secure against unreasonable invasions of privacy. It is vital to be able to justify the actions of the investigator.
For example, a laptop computer can’t fit in a purse, so making an employee empty her purse while you are searching for a missing laptop may violate a reasonable privacy standard regardless of company policy. However, given the compactness of current digital storage devices—a ballpoint pen with a built-in USB storage capacity of 256 MB (about 90,000 printed pages) can be purchased at any local office supply store—having an employee turn out his pockets when looking for filched corporate documents may be perfectly reasonable.
Seizures. If a search turns up something, the next question is whether you can take possession of it to examine as possible evidence. In the corporate world, if the item belongs to the company, and you are an authorized company investigator (employee or consultant), you can seize it.
If the item belongs to an employee or a third party and the employee doesn’t want to give it up, you may want to consider bringing in the police. Forcing someone to relinquish personal property, such as an iPod that you fear may contain stolen company data, is a situation best handled by law enforcement.
Another issue is the technical aspect of how to seize the information. A common mistake that I have seen dozens of times is having the office “computer wizard” do the seizure.
To many who are not trained in forensics, a digital seizure is simply a matter of taking out a hard drive or copying a file. Nothing could be further from the truth. Just as traditional crime scene technicians lift unseen fingerprints, collect overlooked fibers, and sketch the crime scene, digital detectives also follow a specific process.
Chain of custody. After the investigator obtains the evidence, another common mistake often occurs: the chain of custody is not properly maintained. For an item to be admissible in court, it must have a known chain of custody.
To achieve that objective, the person who originally receives evidence (either voluntarily or by seizure) must follow several steps. He or she must describe the item in detail, stating when and from where (or whom) the item was seized or received. Perhaps most important, the person must maintain positive control of the item until it is passed to the care and control of someone else.
Written chain-of-custody documentation should be kept of these transfers, to include dates and times with signatures of both parties on all entries. Any change in the condition of the item must also be documented at that time.
The most common reason given for not following chain-of-custody rules is that at the time of seizure, the company did not intend to pursue a case in court. That is the wrong approach.
An incident may not at first appear to require the involvement of law enforcement. However, six weeks later, if management finds that there is more to the case, it’s too late to begin protecting the integrity of the evidence. The chain of custody has most likely been lost, along with any chance of bringing the criminal to justice.
Company policy should require that security professionals and others who might be the first to find or seize evidence in a corporate investigation follow chain-of-custody rules from the beginning. That way, they will not preclude the option of going to court.
Evidence handling. In addition to chain-of-custody policies, companies need procedures to ensure proper evidence handling and preservation. The rules should spell out the technical and administrative controls that must apply to digital evidence to ensure that it is not altered or destroyed during the investigation.
This is most frequently accomplished by using special techniques to produce an exact or bit-stream copy of the media in question. The verified copy resulting from this process is then used by the examiner to conduct the digital forensic examination. The original evidence should never be used for examination unless there is absolutely no other option.
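As an added illustration, not code from the article, the verified-copy step above and the chain-of-custody record described earlier, in Python: the media bytes are a constructed stand-in for seized media, and the hash, copy and log helpers are hypothetical names chosen for this example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the bytes of seized media (not real evidence data).
ORIGINAL_MEDIA = b"CONSTRUCTED-SAMPLE-DISK-IMAGE\x00" * 64


def sha256_of(data: bytes) -> str:
    """Hash of the complete byte sequence, recorded for the original and every copy."""
    return hashlib.sha256(data).hexdigest()


def bitstream_copy(source: bytes) -> bytes:
    """Exact byte-for-byte copy of the source media (the examiner's working copy)."""
    return bytes(source)


def verify_copy(source: bytes, copy: bytes) -> dict:
    """Compare hashes of original and copy; only a matching copy is used for examination."""
    src_hash, copy_hash = sha256_of(source), sha256_of(copy)
    return {"source_sha256": src_hash, "copy_sha256": copy_hash,
            "verified": src_hash == copy_hash}


class CustodyLog:
    """Chain-of-custody record: item description, hash at receipt, and every transfer."""

    def __init__(self, description: str, received_from: str, received_by: str, sha256: str):
        self.description = description
        self.sha256 = sha256
        self.entries = []
        self.add_transfer(received_from, received_by, "initial receipt")

    def add_transfer(self, from_party: str, to_party: str, note: str = "") -> int:
        """Record a hand-off with a UTC timestamp; both parties would sign the paper entry."""
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "from": from_party, "to": to_party, "note": note})
        return len(self.entries)

    def recheck(self, media: bytes, by: str) -> bool:
        """Re-hash the item and log whether it still matches the hash taken at receipt."""
        intact = sha256_of(media) == self.sha256
        self.add_transfer(by, by, "condition check: " + ("unchanged" if intact else "ALTERED"))
        return intact


if __name__ == "__main__":
    working = bitstream_copy(ORIGINAL_MEDIA)
    log = CustodyLog("notebook hard drive", "IT director", "investigator", sha256_of(ORIGINAL_MEDIA))
    print(verify_copy(ORIGINAL_MEDIA, working)["verified"], log.recheck(working, "examiner"))
```

A single flipped byte in the working copy makes the verification fail and is written into the log as a change of condition, which is exactly the record a court will ask for.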
Rule 702. Evidence handling is especially critical in cybercrime cases, because the opposition tends to attack how evidence was found and the reliability of the examination processes used on it. This approach is most often referred to as the “Daubert test,” after the landmark 1993 U.S. Supreme Court case of Daubert v. Merrell Dow Pharmaceuticals, Inc.
The Daubert ruling held that the Federal Rules of Evidence (specifically Rule 702, which provides that “a witness qualified as an expert by knowledge, skill, experience, training or education” may be called upon to give testimony related to issues of “scientific, technical, or other specialized knowledge”) took precedence over the then-controlling U.S. Supreme Court case of Frye v. United States (1923). Frye stood for the proposition that an expert opinion based on a scientific technique is inadmissible unless the technique is “generally accepted” as reliable in the relevant scientific community.
Rule 702 states that to be admissible, expert testimony must be based on sufficient facts and be the product of reliable principles and methods, and that the expert witness must have applied those principles and methods reliably to the facts of the case. (In contrast with Frye, it allows for expert views that may be out of the mainstream.) Although these rules may seem simple, their implications can be extensive and expensive.
To comply with Rule 702, a digital forensic examiner must build his or her testimony on a solid foundation of science, accepted investigative procedure, and documented, repeatable processes. This means conducting tests of all hardware, software, and processes used throughout the digital forensic process.
If one is to sit as an expert in a court of law, it is not sufficient to say that a given software tool is reliable because the manufacturer said so. The tool must have been independently tested (ideally by the expert involved), and those test results must be available for examination by the court.
Scientists from the National Institute of Standards and Technology (NIST) have tested many commercially available forensic products, and the results of these tests can be helpful to the expert witness; however, I strongly recommend that the expert not rely solely on NIST’s results but actually conduct the same tests on any product that will be relied on in a trial. This heads off a challenge from a defense attorney who has had the products independently tested.
Even more important in some cases is the process used by the expert. Even with tested and proven hardware and software, the expert’s examination must follow a systematic, documented, repeatable process to stand up under the scrutiny of Rule 702.
As this brief overview shows, today’s cyber investigator must have an appreciation of both law and technology. And companies must have policies and procedures in place before an incident occurs to ensure that the law is respected and that a case can be litigated successfully when such action is merited.
Professor Dave Lang, CPP, Ed.S., is the Executive Vice President of Lang Consultants, Inc. in Leesburg, Virginia. He has over 25 years of experience in law enforcement, security, counterintelligence, and counterespionage. He also teaches graduate information assurance topics at Norwich University in Northfield, Vermont, and the American Public University in Charles Town, West Virginia.