Forensic Investigation

This section of the CSCC website will cover the best practices for collecting digital evidence either for a civil or criminal case. It is important to first note that if you are using this site for an active investigation to please consult with your prosecuting attorney, Crown attorney, corporate general counsel, or the attorney who retained you to learn more about managing evidence for your investigation. We are in no way digital forensics and incident response experts we are doing this to provide some information as to what you could possibly encounter during a forensic investigation and for educational purposes only. If you are about to begin a forensic investigation please be aware that you may have to comply with certain laws on the collection of digital evidence. These rules include:

Adhering to the Fourth Ammendment https://www.law.cornell.edu/constitution/fourth_amendment Where as a public entity (ex: law enforcement) you may not search and seize computer evidence without probable cause and a proper warrant; if you are a private entity like a business, as long as you have policies covering possible investigations into your employees’ computer activity and an acceptable use policy you should be good to go.
- It is important to note that during your investigation, if you find any evidence of criminal activity (ex: fraud or child pornography) stop collecting evidence immediately. Contact the proper authorities immediately. Your case has turned into one of a criminal nature and must follow certain legal procedures to continue on.
Federal Rules of Evidence (FRE) https://www.law.cornell.edu/rules/fre
2013 Hawaii Revised Statutes Title 33. Evidence 626. Hawaii Rules of Evidence http://law.justia.com/codes/hawaii/2013/title-33/chapter-626
Department of Justice standards for collecting digital evidence for criminal investigations http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf (SHA-1) 644B75989A33F9C675A8EA8C16BD88C23829C132

General Tasks for Investigators

Identify digital information and artifacts which could be used as evidence.
Collect, preserve, and document evidence.
Analyze, identify, and organize evidence.
Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.

Digital evidence can be difficult to handle because it can easily be damaged or lack credibility. The most important step in digital forensics is collecting evidence. Depending on the type of case a person is handling, that can also mean that there could be extra steps involved in collecting evidence. One good example is when it comes to computer crimes. Often times there is evidence in volatile memory like RAM. In this case, it is very important to do memory forensics first before making a duplicate image of the hard drive. After you have created the images of the hard drive, it is important to create a hash to serve as proof of its authenticity. The two most used hash algorithms when authenticating digital evidence are MD5 and SHA1. Hashing a drive image creates a unique string that can be compared to the original’s hash to prove that there were no changes made to the original drive. Another problem with digital evidence is hearsay. Hearsay is testimony given by a person other than those who have actually witnessed an event. FRE Article VIII, Rule 802, Rules 803, and 804 have more than 20 exceptions for when hearsay can be used. The following exceptions include:

Business records, including those of a public agency
Certain public records and reports
Evidence of the absence of a business record or entry
Learned treatises used to question an expert witness
Statements of the absence of a public record or entry

These exceptions are very important when establishing whether a digital record is admissible in court. There is also a distinction between computer-generated records and computer-stored records. Computer-generated records involve data that is created either via some algorithm or process which a person does not usually create. Computer-stored records are electronic data that a person creates and stores on a digital device. Computer-generated records are considered authentic if the program that created the output is functioning properly. Computer-stored records must be proven to be authentic and trustworthy in order to be considered admissible evidence. Computer-stored records must also satisfy an exception to the hearsay rule. The business record exception is often used in this digital forensics cases. For computer-stored data you must prove that a person created that data and that it was not altered when the evidence was acquired or afterwards. It is important to note that in some cases circumstantial evidence can be used to support evidence that may be considered hearsay. One example is includes prosecuting the author of malware that has severely impacted someone’s systems. The code by itself proves nothing, but if you can show metadata, coding patterns, or regularly used author’s names – it could still serve as strong supporting evidence. This can also be applied to anonymous emails and instant messaging services. Investigators should also remember the term co-mingling. This is when evidence may be stored alongside innocent information. Innocent information is common business data or communication which does not pertain to the case. Co-mingling can be a problem when evidence is mixed up with a businesses confidential information. This information can be proprietary processes, patented designs, business strategies, or important dialogues which are in danger of becoming public when collected for evidence. At this point the business should immediately consort with their privacy officer, public relations officer, and or upper management. When something is entered into evidence knowledge of contents is made public record, and unless that information can be segregated from the evidence a judge may have to order that evidence be sealed in order to keep it confidential. Best evidence rule emphasizes that nothing is better than the original document, photograph, or recording in proving the authenticity of a document. Article X Rule 1001 and 1003 state that a duplicate is anything which accurately reproduces the original, and the duplicate can be used to represent the original in evidence as long as the original’s authenticity is not challenged. Another important concept is that the FRE allows the use of printouts as evidence instead of producing the physical hard drives in court. The FRE also allows duplicates instead of originals when the duplicate is “produced by the same impression as the original…by mechanical or electronic re-recording… or by other equivalent techniques which accurately reproduce the original.” This is especially useful if for say the hard drive experiences a hardware failure while in possession. Acquiring the hard drive may not always be possible. In certain situations an investigation could be occurring within major networks where a very large number of computers and hard drives could be involved. The scenario here is to get a technical guide from within that company’s IT team to show you where evidence most likely is resting. This is far more practical than bringing down an entire company’s infrastructure and causing the company to go out of business.