This section borrows heavily from EC-Council (2017).
1.1 Electronic Evidence
Electronic evidence is data relevant to an investigation that is transmitted by or stored on an electronic device. It is obtained when data on a physical device is collected for examination. Electronic evidence has the following properties:
- It may be latent, that is, not visible without the right tools, much like fingerprint or DNA evidence.
- It can be altered, damaged, or destroyed by improper handling. Precautions must therefore be taken when documenting, collecting, safeguarding, and examining it.
- It can be time-sensitive. Volatile data such as screen contents, running processes, and active network connections changes continuously and is lost when the system is powered off.
1.2 First Responder
The term first responder refers to the person who first arrives at a crime scene and accesses the victim's computer system once an incident has been reported. The first responder may be a network administrator, a law enforcement officer, or an investigating officer; generally it is someone from a forensic laboratory or from the agency responsible for the initial investigation.
The first responder needs complete knowledge of computer forensic investigation procedures and preserves all evidence in a simple, protected, and forensically sound manner. The crime scene must be investigated lawfully so that any evidence obtained is admissible in a court of law.
The following are the main responsibilities of the first responder:
- Identifying the crime scene: Upon arrival at the crime scene, the first responder identifies the scope of the crime scene and establishes a perimeter. The perimeter may be an area, room, several rooms, or even an entire building, depending on whether the computers are networked. The first responder should list the computer systems involved in the incident.
- Protecting the crime scene: As in any other case, a search warrant is required for the search and seizure of digital and electronic evidence. The first responder therefore protects all computers and electronic devices while waiting for the officer in charge.
- Preserving temporary and fragile evidence: For volatile evidence that could change or disappear, such as information on the screen and running programs, the first responder does not wait for the officer in charge but immediately photographs it.
- Collecting all information about the incident: The first responder conducts preliminary interviews of all persons present at the crime scene and asks questions about the incident.
- Documenting all findings: The first responder begins recording all information about the collected evidence in the chain-of-custody document. This document contains the case number, the name and title of the individual from whom the evidence is received, that person's address and telephone number, the location where the evidence is obtained, the date and time it is obtained, and a complete description of each item.
- Packaging and transporting the electronic evidence: After collecting the evidence, the first responder labels each item and places it in an evidence storage bag, which protects it from sunlight and extreme temperatures. These bags also block radio signals, so a seized wireless device cannot connect to a network and receive commands (such as a remote wipe) that would alter the evidence. The bagged items are then transported to the forensic laboratory.
1.3 Chain-of-Custody
Chain-of-custody is a written record maintained by every individual responsible for the evidence, from collection until the end of the case (EC-Council, 2017). It safeguards and preserves the evidence so that it can later be relied on in legal proceedings.
A chain-of-custody document contains the following information about the evidence obtained:
- Case number
- Name, title, address, and telephone number of the person from whom the evidence was received
- Location where obtained
- Reason for obtaining the evidence
- Date/time evidence was obtained
- Item number/quantity/description
- Name of the evidence
- Color
- Manufacturing company name
- Marking information
- Packaging information
Table 1 Simple Chain-of-Custody Document

| Laboratory or Agency name | | Case Number: |
|---|---|---|
| Name and title of person from whom received | | Address and telephone number |
| Location from where evidence obtained | | Reason evidence obtained |
| Date/Time evidence obtained | | |
| Item Number | Quantity | Description of Items |
1.4 Digital Evidence and the Law
1.4.1 Legal Considerations Before Starting an Investigation
One important thing an investigator needs to keep in mind when handling a computer-crime case is to coordinate with the local district attorney. In some cases, the district attorney asks for additional documentation of the chain of custody after the case has been prepared and is ready for trial, and by then it can be very difficult to reconstruct the chain. To avoid this, the investigator should find out in advance what the local district attorney requires and act accordingly. Some important legal points an investigator should keep in mind are:
- Ensuring the scope of the search
- Checking for possible issues related to the federal statutes applicable (such as the Electronic Communications Privacy Act of 1986 [ECPA] and the Cable Communications Policy Act [CCPA], both as amended by the USA PATRIOT Act of 2001, and the Privacy Protection Act of 1980 [PPA]), state statutes, and local policies and laws
1.4.2 Other Legal Issues
Digital evidence must be admissible in a court of law and meet the relevant rules of evidence. It must be free of tampering and fully accounted for from the time of collection to the time of presentation in court. To present a case in court, all information gathered during the investigation must be properly documented, and the laws concerning digital evidence must be strictly followed so that the evidence is not ruled inadmissible. Forensic experts must do the following:
- Adhere to the chain of custody
- Know the law that applies in the relevant jurisdiction
- Present evidence that is:
  - Authentic
  - Accurate
  - Whole
  - Acceptable
  - Admissible
Experts should test their evidence against these requirements before presenting it in court. All evidence collection and analysis procedures should also be repeatable, so that in case of doubt they can be demonstrated in court.
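The following Python example is added here and is not part of EC-Council (2017) or the chain-of-custody form in Section 1.3; it shows one way to back that paper form with a cryptographic fingerprint so that the requirements above ("free of tampering", "fully accounted for from collection to presentation") can be checked rather than merely asserted. It goes beyond the page in one respect: hashing each item at acquisition and re-hashing at every hand-over is standard forensic practice, but the page does not describe it. The case number, item, handlers and "disk image" bytes are constructed sample data.

```python
"""Chain-of-custody record with integrity verification (added example).

Each evidence item is hashed once at collection. Every hand-over is refused
unless the releaser is the current holder and the receiver's recomputed hash
matches the acquisition hash, so a break in the chain or a change to the
item is caught at the boundary where it happened. Names and data below are
constructed sample values, not from the original page.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence file or disk image."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    """Timestamp for log entries; UTC avoids ambiguity across time zones."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyError(Exception):
    """Raised when a hand-over would break the chain or the item has changed."""


@dataclass
class CustodyEvent:
    timestamp: str
    released_by: str
    received_by: str
    purpose: str        # e.g. "transport to lab", "forensic imaging", "court"
    verified_hash: str  # digest recomputed by the receiver at hand-over


@dataclass
class EvidenceItem:
    case_number: str
    item_number: str
    description: str
    location: str          # where the item was obtained (Table 1 field)
    collected_by: str
    collected_at: str
    acquisition_hash: str  # reference digest taken at collection
    custody: List[CustodyEvent] = field(default_factory=list)

    def current_holder(self) -> str:
        return self.custody[-1].received_by if self.custody else self.collected_by


def collect(case_number: str, item_number: str, description: str, location: str,
            collected_by: str, data: bytes, timestamp: Optional[str] = None) -> EvidenceItem:
    """Open the chain: hash the item once, at collection, and record who took it where."""
    return EvidenceItem(case_number, item_number, description, location,
                        collected_by, timestamp or utc_now(), sha256_hex(data))


def transfer(item: EvidenceItem, released_by: str, received_by: str, purpose: str,
             data: bytes, timestamp: Optional[str] = None) -> CustodyEvent:
    """Record a hand-over; refused (and not logged) on a chain gap or hash mismatch."""
    holder = item.current_holder()
    if released_by != holder:
        raise CustodyError(f"chain gap: {released_by!r} is not the current holder ({holder!r})")
    digest = sha256_hex(data)
    if digest != item.acquisition_hash:
        raise CustodyError(f"item {item.item_number} changed while held by {released_by!r}: "
                           f"{digest[:12]}... != {item.acquisition_hash[:12]}...")
    event = CustodyEvent(timestamp or utc_now(), released_by, received_by, purpose, digest)
    item.custody.append(event)
    return event


def verify_chain(item: EvidenceItem, data: bytes) -> List[str]:
    """Audit before court: each event must link to the previous holder and carry the
    acquisition hash, and the item as presented must still match. Returns problems found."""
    problems: List[str] = []
    holder = item.collected_by
    for i, ev in enumerate(item.custody):
        if ev.released_by != holder:
            problems.append(f"event {i}: released by {ev.released_by!r}, expected {holder!r}")
        if ev.verified_hash != item.acquisition_hash:
            problems.append(f"event {i}: hash mismatch recorded at hand-over")
        holder = ev.received_by
    if sha256_hex(data) != item.acquisition_hash:
        problems.append("item presented does not match acquisition hash")
    return problems


def to_json(item: EvidenceItem) -> str:
    """Serialise the record so it can be printed and filed with the paper form."""
    return json.dumps(asdict(item), indent=2)


if __name__ == "__main__":
    image = b"constructed sample image bytes\x00" * 64  # stands in for a real acquisition
    item = collect("2024-0042", "1", "Laptop HDD image", "Office 3B, desk", "Officer A. Lee", image)
    transfer(item, "Officer A. Lee", "Examiner B. Kim", "transport to lab", image)
    transfer(item, "Examiner B. Kim", "Court Clerk C. Diaz", "presentation in court", image)
    print(to_json(item))
    print("problems:", verify_chain(item, image))
    try:  # a single changed byte is enough to break the chain
        transfer(item, "Court Clerk C. Diaz", "Examiner B. Kim", "return", image[:-1] + b"\x01")
    except CustodyError as err:
        print("refused:", err)
```

Note that `transfer` refuses a hand-over rather than logging it with a mismatched hash: the refusal itself becomes the documented break in the chain, which is what a court will ask about. Real deployments would sign each event (or write to an append-only log) so the record cannot be edited after the fact; that step is out of scope here.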
References
- Bohm, R. (2006). "McJustice": On the McDonaldization of Criminal Justice. Justice Quarterly, 23(1), 127-146.
- EC-Council (2017). Computer Forensics: Investigation Procedures and Response, 2nd Edition, Cengage Learning, ISBN: 9781305883475, 1305883470
- Neubauer, D.W. & Fradella, H.F. (2017). America’s Courts and the Criminal Justice System, 17th Edition. Cengage, Boston.
- Risen, J., & Lichtblau, E. (2005, Dec 16). Bush Lets U.S. Spy on Callers Without Courts. Retrieved from NewYorkTimes.com: http://www.nytimes.com/2005/12/16/politics/bush-lets-us-spy-on-callers-without-courts.html
- Ritzer, G. & Stepnisky, J. (2017). Sociological Theory. Sage Publishing, California.
- Sammons, J. (2012). The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Syngress, Massachusetts.
- Thomas, J.H. & Bossler. (2016). Cybercrime in Progress. Routledge, New York.
- Zatyko, K. (2007). Commentary: Defining Digital Forensics. Retrieved 2/14/2018 from https://www.forensicmag.com/article/2007/01/commentary-defining-digital-forensics