Forensic Investigation
This section of the CSCC website covers best practices for collecting digital evidence for either a civil or a criminal case. It is important to note first that if you are using this site for an active investigation, you should consult your prosecuting attorney, Crown attorney, corporate general counsel, or the attorney who retained you to learn more about managing evidence for your investigation. We are in no way digital forensics and incident response experts; we are providing this information, for educational purposes only, to show what you could possibly encounter during a forensic investigation. If you are about to begin a forensic investigation, be aware that you may have to comply with certain laws on the collection of digital evidence. These rules include:
- Adhering to the Fourth Amendment: https://www.law.cornell.edu/constitution/fourth_amendment
As a public entity (e.g. law enforcement) you may not search and seize computer evidence without probable cause and a proper warrant. If you are a private entity such as a business, then as long as you have policies covering possible investigations into your employees' computer activity and an acceptable use policy, you should be good to go.
- It is important to note that if, during your investigation, you find any evidence of criminal activity (e.g. fraud or child pornography), stop collecting evidence and contact the proper authorities immediately. Your case has turned into one of a criminal nature and must follow certain legal procedures to continue.
- Federal Rules of Evidence (FRE) https://www.law.cornell.edu/rules/fre
- 2013 Hawaii Revised Statutes, Title 33 (Evidence), Chapter 626: Hawaii Rules of Evidence http://law.justia.com/codes/hawaii/2013/title-33/chapter-626
- Department of Justice standards for collecting digital evidence for criminal investigations http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf (SHA-1: 644B75989A33F9C675A8EA8C16BD88C23829C132)
General Tasks for Investigators
- Identify digital information and artifacts which could be used as evidence.
- Collect, preserve, and document evidence.
- Analyze, identify, and organize evidence.
- Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.
Digital evidence can be difficult to handle because it is easily damaged and its credibility is easily questioned. The most important step in digital forensics is collecting evidence, and depending on the type of case being handled, extra steps may be involved in collecting it. Computer crimes are a good example: there is often evidence in volatile memory such as RAM, so it is very important to do memory forensics first, before making a duplicate image of the hard drive. After you have created the images of the hard drive, it is important to create a hash to serve as proof of their authenticity. The two most used hash algorithms for authenticating digital evidence are MD5 and SHA1. Hashing a drive image produces a unique string that can be compared with the hash of the original to prove that no changes were made to the original drive. Another problem with digital evidence is hearsay: testimony given by a person other than one who actually witnessed the event. FRE Article VIII (Rules 802, 803, and 804) provides more than 20 exceptions under which hearsay can be used, including:
- Business records, including those of a public agency
- Certain public records and reports
- Evidence of the absence of a business record or entry
- Learned treatises used to question an expert witness
- Statements of the absence of a public record or entry
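To make the hashing step described above concrete, here is an added example (not code from the CSCC site) that hashes a drive image in a single streaming pass with MD5 and SHA1 as named above plus SHA-256, assumed here as a stronger companion since MD5 and SHA-1 are no longer collision resistant; it records the digests in a small JSON custody manifest, re-verifies the image later, and checks a downloaded document such as the DOJ manual against a published SHA-1. The file names, manifest format and sample data are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")   # the two the text names, plus SHA-256 (assumed addition)
CHUNK = 1 << 20                          # 1 MiB reads: a multi-GB image never has to fit in RAM

def hash_image(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for a file, computing all digests in one streaming pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def write_manifest(image_path, manifest_path):
    """Record acquisition-time digests next to the image as a JSON custody record (constructed format)."""
    record = {"image": Path(image_path).name, "hashes": hash_image(image_path)}
    Path(manifest_path).write_text(json.dumps(record, indent=2))
    return record

def verify_image(image_path, manifest_path):
    """Re-hash the image and compare every recorded digest; a False entry means the image changed."""
    recorded = json.loads(Path(manifest_path).read_text())["hashes"]
    current = hash_image(image_path, tuple(recorded))
    return {name: recorded[name] == current[name] for name in recorded}

def verify_download(path, expected_sha1):
    """Check a downloaded document against a published SHA-1 (as with the DOJ manual's listed digest)."""
    return hash_image(path, ("sha1",))["sha1"] == expected_sha1.lower()

def demo():
    """Constructed walk-through: image a fake drive, record hashes, verify, alter one byte, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        image, manifest = Path(d, "evidence.dd"), Path(d, "evidence.dd.json")
        image.write_bytes(b"\x00" * 4096 + b"constructed sample sector data " * 100)  # stand-in for a dd image
        write_manifest(image, manifest)
        clean = verify_image(image, manifest)          # every digest matches -> {...: True}
        with open(image, "r+b") as f:                  # simulate a single altered byte after acquisition
            f.seek(4096)
            f.write(b"X")
        tampered = verify_image(image, manifest)       # every digest differs -> {...: False}
        doc = Path(d, "abc.txt")                       # known-answer check for verify_download
        doc.write_bytes(b"abc")
        doc_ok = verify_download(doc, "A9993E364706816ABA3E25717850C26C9CD0D89D")
    return clean, tampered, doc_ok
```

Calling `demo()` shows a clean verification followed by a failed one after a single byte of the image is altered, which is exactly the comparison the hash of the original is kept for.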