Learn Computer Forensics, Second Edition

By: William Oettinger

Overview of this book

Computer forensics is a broad topic that involves a variety of skills: seizing electronic evidence, acquiring data from that evidence, analyzing the data, and finally developing a forensic report. This book will help you build the skills you need to work in a highly technical environment. Its goal is to get you up and running with forensic tools and techniques so you can successfully investigate crime and corporate misconduct. You will discover ways to collect personal information about an individual from online sources. You will also learn how criminal investigations are performed online while preserving data such as e-mails, images, and videos that may be important to a case. You will further explore networking and understand network topologies, IP addressing, and network devices. Finally, you will learn how to write a proper forensic report, the most exciting portion of the forensic exam process. By the end of this book, you will have developed a clear understanding of how to acquire, analyze, and present digital evidence like a proficient computer forensics investigator.

Understanding case information and legal issues

Let’s talk about case information and legal issues. You must get this information before you even power up your workstation to look at the digital evidence. You will have to gather information from the person requesting your services. It would be best if you asked the following questions:

  • What is the nature of the investigation? For example, is it a narcotics case, homicide, or employee misconduct? As you listen to this information, you formulate your plan on how you want to proceed.
  • What digital evidence do you expect to find at the scene? I’ve had responses where the investigator was only looking for a single laptop, and once we were at the scene, we found multiple laptops, multiple desktops, and many mobile devices. Just remember the information you get may not always be accurate, so you also must be prepared for that eventuality.
  • What is the legal justification? For law enforcement—what is the rationale behind the search? Consent? A search warrant? It doesn’t matter whether it is written consent or a written search warrant: you need to read the search warrant and consent to understand the limits placed on the search. It may be physical limits within the scene or digital limits on what you can search for on digital devices.
  • As a government and corporate digital forensic investigator, I have had limits on what I can search for or view on digital devices many times. Be aware of those limits; if you find relevant artifacts outside of the scope of the search authority, they cannot be used in the proceedings, and you may face sanctions if you do use them.
  • Who are the subjects and suspects, and what roles do they play in the investigation? Now, depending on your role, you may or may not have any contact with the subjects and suspects involved. However, if you do have that ability, try talking to them. If you can have a civil conversation with them, you may get additional information about the digital containers and the data.

If you’re thinking, “We have gathered information from the first responders, and we have gathered information on the other subjects involved; now we can jump right in and collect evidence!”—well, not yet. You want to make sure the crime scene has been adequately documented and secured. For law enforcement, this will include removing extraneous personnel from the scene, restricting access, and assigning someone to record the scene.

The easiest way is to photograph everything. They may call you to testify in a proceeding 12, 18, 24, or even more months in the future. Lawyers may ask you where a specific item was and, unless you have a photograph (or sketch) of the scene, you may not be able to answer the question.

For a corporate investigation—for example, a hidden camera found in a confidential location—what do you do? The finder’s actions may hamper your ability to preserve the evidence. For example, I investigated a hidden camera in a unisex restroom. A restroom user found the camera when the tape holding it to the bottom of the shelf released, and the camera fell to the ground. The user gave the camera to their supervisor. The supervisor opened the camera and removed the digital storage card. They then placed it into a card reader and plugged it into their computer. At least five other people handled the camera and the SD card, putting it into multiple computers before contacting me. Every time they plugged the SD card into a computer system, they changed the evidence. When you access the data on an SD card, you change the date and time stamps on the files you access. An organization has to train its members not to look at digital evidence when there is an incident and to call a professional instead. This will ensure that the evidence is kept in a state that allows it to be presented in a judicial or administrative proceeding.

This case required interviewing all the people involved, processing the digital camera and the SD card, and examining the five workstations. Since this was a corporate environment and, initially, law enforcement would not be involved, I took photographs of the workstations and the connections to identify the specific workstations and their users. Remember, we are in a corporate environment, and there are multiple versions of the same make and model of computers everywhere.

There will be times when you have been presented the digital evidence after someone else collected it. You still must ask questions, and the source of your answers may only be the investigative reports. You will want to know the following:

  • Why was this item seized?
  • Does it contain evidence of criminal activity or evidence considered exculpatory?
  • Is there a chain of custody for this item?
  • How many people have had access to it?
  • Where was the item found?
  • Was it found in a secured location or a common area of the site?
  • Are there any date and time references?
  • What should the investigation focus on?
  • When does the investigator need the findings of the digital forensic exam?

You need to review the documentation before you start the evidence-collection process. When investigators bring you digital evidence containers such as computers, you need to ensure the search warrant authorized their seizure. There have been several cases where devices containing digital evidence were seized, but there was a grey area around whether the digital evidence on them could be used.

The search warrant will come with limitations on your search. For example, if it is an illicit images investigation, you may be restricted to only viewing images. It is your responsibility to read all the judicial paperwork and understand what it authorizes and does not. Only then can you create a plan for how you stay within limits.

You also must anticipate what problems you may encounter as you conduct the digital forensic examination. For example, is there an aspect of the investigation where your training and experience could be lacking? This is not something to be ashamed of but should be acknowledged so you can reach out for help to increase your training and experience. What resources do you have available to assist you?

Once the legal portion of your preparation is done, we can move on to the next portion of the process. You must now deal with acquiring the data in a forensically sound manner.