Digital Evidence is right here, right now. It is all around you. Given that eight out of ten families now have personal computers and 99% of businesses have computers, you must be prepared to deal with Digital Evidence.
Once you identify where this media is stored, you must know the proper means of obtaining it. It is not as simple as removing the Hard Drive and copying files off the computer. There are "best practices" governing how Computer Forensics and Electronic Discovery, two very closely related skill sets, are performed. Computer Forensics, Electronic Discovery and Data Recovery rely on essentially the same techniques; they simply take on different meanings in different arenas. Computer Forensics has historically been known as a tool law enforcement uses to obtain digital evidence in criminal investigations related to the Internet, hacking and child pornography. It is also widely used to track a hacker after he has entered a system, by way of the digital footprints left on the Hard Drives of the systems that were compromised.
Electronic Discovery is used most commonly by lawyers who spend a lot of time in litigation. In the discovery process there are many items, most commonly created on word processors and personal computers. Every time a document is created on a personal computer, an imprint of that document, if you will, remains on the Hard Drive itself. Even if the document is deleted, its contents typically remain in what is called "unallocated space" (clusters the file system has marked free but has not yet reused) or "slack space" (the unused tail of a file's last cluster, which can still hold remnants of earlier data) until they happen to be overwritten. You need a Computer Forensics Expert who is very well trained and skilled in recovering these files and who is able to testify, as an Expert Witness in a court of law, to how he or she retrieved them. If the documents, the deleted files and the encrypted files are not properly recovered from the digital media, your Electronic Evidence will most likely be thrown out of court and you could be subject to civil liability yourself.
A scenario that we have run into time and time again in investigating computer crime is a non-specific office environment where an employee is found to be downloading pornographic images or proprietary information onto his or her computer. Once this has been identified, it is important for the investigator to find out through corporate security or human resources whether this employee signed a Non-Disclosure Agreement. There should also be an agreement that made the employee aware that anything he or she does on that computer is the business of the company. In other words, if an employee is downloading pornographic material on the company's time and on the company's computer, the company can take that computer at any time without a Search Warrant: the computer is the property of the company, and a warrant governs searches by the government, not an owner retrieving its own equipment. Most companies now have policies in place so that when an employee is hired, he or she goes through a number of steps dealing with workplace violence, sexual harassment and, specifically now, pornography. The company also puts the employee on notice that e-mail and web surfing may be monitored. Once the employee has been identified as a suspect in this crime, it is best to let law enforcement intercede if the company wishes to file criminal charges. In my experience, many companies will want to keep the investigation in house. However, in the case of child pornography, failure to report it to law enforcement can create some unforgiving problems for the company. Once the computer is seized or removed from the network, it will need to be forensically examined for evidence, working from a verified bit-for-bit image of the drive rather than from the original.
As you evaluate the need for a Forensic Analysis to discover Electronic Evidence, there are a number of resources that provide "best practices" information. The United States Secret Service website has a PDF manual that outlines best practices for searching for and seizing Electronic Evidence. It is a fabulous book to use as a resource, but it will not take the place of a skilled and trained Forensic Examiner.
http://www.secretservice.gov/electronic_evidence.shtml
After you have completed "the taking of the computer or just the digital media," you must ensure that it is properly cared for, packaged and transported to its ultimate storage area. Always maintain a proper chain of custody that you will be able to testify to six months to two years down the road: who handled the item, when and why, with a cryptographic hash of the acquired image recorded at acquisition and re-verified at every hand-off. You must remember that digital media is very sensitive to heat, cold and magnetism, as well as to large radios like those in the back of a police car. You must also be cognizant that static can create havoc with your digital media. A small static charge, such as the one you build up walking across the floor and then discharge by touching a Hard Drive, may destroy the drive's electronics and with them your access to the data on that Hard Drive.
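To make the chain-of-custody point concrete, here is an added example (not code from the original article or from eFor) of the integrity check that custody documentation rests on: the acquired image is hashed with SHA-256 at acquisition, every later custody event re-hashes it and records the result together with a link to the previous log entry, and a verifier can later show that neither the image nor the log changed between hand-offs. The image bytes and the handler names are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for an acquired disk image. In practice this is the
# bit-for-bit image file (a .dd or .E01, for example) produced by the acquisition tool.
EVIDENCE_IMAGE = b"\x00" * 4096 + b"partition-table-and-file-data-from-seized-drive" + b"\xff" * 4096

GENESIS = "0" * 64  # link value used by the first entry, which has no predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int                 # position in the log, starting at 0
    action: str              # "acquired", "transferred", "verified", ...
    handler: str             # person holding the item at this step (assumed names below)
    evidence_sha256: str     # hash of the image as it was when this entry was made
    prev_entry_sha256: str   # hash of the previous entry; links the entries into a chain
    entry_sha256: str = ""   # hash over this entry's other fields, filled in on append


def _entry_hash(e: CustodyEntry) -> str:
    payload = json.dumps(
        {"seq": e.seq, "action": e.action, "handler": e.handler,
         "evidence_sha256": e.evidence_sha256, "prev_entry_sha256": e.prev_entry_sha256},
        sort_keys=True).encode()
    return sha256_hex(payload)


def append_entry(log: List[CustodyEntry], action: str, handler: str, image: bytes) -> CustodyEntry:
    """Record a custody event. The image is re-hashed at every event, so a change
    between two hand-offs shows up as a mismatch against the acquisition hash."""
    prev = log[-1].entry_sha256 if log else GENESIS
    entry = CustodyEntry(len(log), action, handler, sha256_hex(image), prev)
    entry.entry_sha256 = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: List[CustodyEntry], image: bytes) -> Tuple[bool, str]:
    """Check the log against the image presented now. Fails if an entry was edited
    after the fact, if the chain has a gap, if the evidence hash ever changed, or if
    the image no longer matches the hash recorded at acquisition."""
    if not log:
        return False, "empty log"
    prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i:
            return False, f"entry {i}: sequence number mismatch"
        if e.prev_entry_sha256 != prev:
            return False, f"entry {i}: chain link does not match previous entry"
        if _entry_hash(e) != e.entry_sha256:
            return False, f"entry {i}: entry contents altered after it was written"
        if e.evidence_sha256 != log[0].evidence_sha256:
            return False, f"entry {i}: evidence hash differs from acquisition hash"
        prev = e.entry_sha256
    if sha256_hex(image) != log[0].evidence_sha256:
        return False, "image presented now does not match the acquisition hash"
    return True, "ok"


def build_sample_log(image: bytes = EVIDENCE_IMAGE) -> List[CustodyEntry]:
    """Three custody events with assumed handler names, as a worked example."""
    log: List[CustodyEntry] = []
    append_entry(log, "acquired", "examiner (field)", image)
    append_entry(log, "transferred", "evidence custodian", image)
    append_entry(log, "verified", "examiner (lab)", image)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_log(log, EVIDENCE_IMAGE))  # (True, 'ok')
    damaged = bytearray(EVIDENCE_IMAGE)
    damaged[4100] ^= 0x01                   # a single flipped bit in the image
    print(verify_log(log, bytes(damaged)))  # (False, 'image presented now does not match the acquisition hash')
    log[1].handler = "someone else"         # a log entry edited after the fact
    print(verify_log(log, EVIDENCE_IMAGE))  # (False, 'entry 1: entry contents altered after it was written')
```

The hash of the image is what you will actually be asked about on the stand; the entry-to-entry links only make it harder to quietly rewrite the paperwork. In practice the log lives outside the examiner's control (a signed, printed form or a write-once system), since a hash chain anyone can regenerate proves consistency, not who wrote it.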
Computer Crime cases can be very difficult to investigate. A substantial amount of Electronic Evidence can be found during an investigation. Many individuals, even very technically savvy ones, do not understand how information is written to digital media. They do not understand that simply reformatting a Hard Drive does not completely erase the data on it, or that deleting a file does not remove it from the Hard Drive. The operating system simply marks the clusters the file occupied as free in the file system's allocation structures; the file's bytes stay on the platters until something else is written over them. To completely wipe a Hard Drive one must use specific tools that overwrite every sector of the entire drive with a fixed pattern (all 0s, all 1s, or a byte value such as 0xF6) or with random data, and do so a minimum of three times. This is done three times so that any information that may be on the Hard Drive is overwritten and cannot be recovered. The Department of Defense and the Department of Justice specifications are seven wipes, and the National Security Agency is eleven wipes. In my experience in conducting Forensics and wiping drives myself, I have found that wiping a drive three times will suffice. You must verify on your own so you are comfortable with the end results. Two points apply to current media: NIST SP 800-88 treats a single complete overwrite pass as adequate for modern magnetic drives, and overwriting is not a dependable way to sanitize SSDs and other flash media, where wear leveling leaves copies in blocks the host cannot address, so the drive's built-in secure erase or cryptographic erase is used instead.
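The following added example (not from the original article) models what this paragraph and the earlier discussion of unallocated and slack space describe. A toy FAT-style volume is assumed: deleting a file and quick-formatting change only the directory, so a header/footer carver still finds the "deleted" photo in unallocated space, and only an overwrite of the whole data area removes it. The volume layout, the minimal "JPEG" (real markers around filler bytes) and the overwrite patterns 0x00, 0xFF and 0xF6 are assumptions made for the example; a real wipe tool writes to the raw block device, flushes before verifying, and cannot reach sectors the drive has remapped.

```python
from typing import Dict, List, Set, Tuple

CLUSTER = 512  # bytes per allocation unit in the toy volume


class ToyVolume:
    """Stand-in for a FAT-style volume: a directory mapping file name to
    (first cluster, byte length) plus a flat data area. Deleting a file and quick
    formatting change only the directory, so the file's bytes stay where they were."""

    def __init__(self, n_clusters: int):
        self.data = bytearray(n_clusters * CLUSTER)
        self.dir: Dict[str, Tuple[int, int]] = {}
        self.allocated: Set[int] = set()

    @staticmethod
    def _clusters_for(length: int) -> int:
        return max(1, -(-length // CLUSTER))  # ceiling division

    def _alloc(self, n: int) -> int:
        """Return the first of n contiguous free clusters (first-fit)."""
        run, start = 0, 0
        for c in range(len(self.data) // CLUSTER):
            if c in self.allocated:
                run, start = 0, c + 1
                continue
            run += 1
            if run == n:
                self.allocated.update(range(start, start + n))
                return start
        raise OSError("volume full")

    def write_file(self, name: str, content: bytes) -> None:
        first = self._alloc(self._clusters_for(len(content)))
        self.data[first * CLUSTER:first * CLUSTER + len(content)] = content
        self.dir[name] = (first, len(content))

    def delete_file(self, name: str) -> None:
        # Drop the directory entry and mark the clusters free; self.data is untouched.
        first, length = self.dir.pop(name)
        self.allocated.difference_update(range(first, first + self._clusters_for(length)))

    def quick_format(self) -> None:
        self.dir.clear()        # a quick format rewrites the file system structures ...
        self.allocated.clear()  # ... and leaves the data area exactly as it was

    def unallocated_bytes(self) -> bytes:
        """The bytes a forensic tool sees when it examines 'unallocated space'."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(len(self.data) // CLUSTER) if c not in self.allocated)


JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(raw: bytes) -> List[bytes]:
    """Header/footer carving: each SOI marker through the next EOI marker. No
    directory information is used, which is why it recovers deleted files."""
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(raw[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def wipe_volume(vol: ToyVolume, passes: int = 3,
                patterns: Tuple[bytes, ...] = (b"\x00", b"\xff", b"\xf6")) -> bool:
    """Overwrite the whole data area `passes` times, cycling through the patterns,
    then read the final pass back and confirm it is intact. On a real drive the
    writes go to the raw block device and must be flushed (fsync) before the read."""
    size, last = len(vol.data), b""
    for i in range(max(1, passes)):
        p = patterns[i % len(patterns)]
        last = (p * (size // len(p) + 1))[:size]
        vol.data[:] = last
    return bytes(vol.data) == last


def demo(passes: int = 3) -> Dict[str, object]:
    """Write a file, delete it, quick-format, carve after each step, then wipe and carve again."""
    vol = ToyVolume(64)
    photo = JPEG_SOI + b"\xe0" + b"A" * 1500 + JPEG_EOI  # constructed stand-in for a JPEG
    vol.write_file("photo.jpg", photo)
    vol.write_file("notes.txt", b"quarterly ledger, see attached")
    vol.delete_file("photo.jpg")
    after_delete = carve_jpegs(vol.unallocated_bytes())
    vol.quick_format()
    after_format = carve_jpegs(bytes(vol.data))
    wipe_ok = wipe_volume(vol, passes)
    after_wipe = carve_jpegs(bytes(vol.data))
    return {
        "carved_after_delete": len(after_delete),
        "recovered_intact": bool(after_delete) and after_delete[0] == photo,
        "carved_after_quick_format": len(after_format),
        "wipe_verified": wipe_ok,
        "carved_after_wipe": len(after_wipe),
    }
```

Running `demo()` carves the photo intact after the delete and again after the quick format, and carves nothing after the wipe, whatever pass count is used. The carver is deliberately naive (a file fragmented across non-adjacent clusters would come back corrupted, and a stray marker pair in binary noise produces a false hit), which is exactly why recovered files are validated by opening them and why carving is one step of an examination rather than the whole of it.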
You must also know that on web-based e-mail services like Hotmail and Yahoo, the information people provide to obtain those e-mail addresses is not verified. Anyone can create an anonymous e-mail account on Yahoo or Hotmail, which makes it very difficult to trace. The only way to trace those addresses from the provider's side is a subpoena and/or search warrant served on the provider through law enforcement. However, during a Forensic Examination of a computer, using software such as EnCase (Guidance Software), you can run scripts that carve or parse HTML, as well as e-mail, out of the Hard Drive. This narrows your search and minimizes the time spent on Forensic Analysis. There are also different areas you can examine, depending on the Operating System, that may hold password storage, PST files, Outlook data or other address books and give you indications of whom the subject has been communicating with. You can also recover Word documents, Excel spreadsheets, QuickBooks and Quicken files that provide ledgers in drug cases, child pornography exchange cases and theft-of-trade-secret cases where financial exchanges have been made.
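As an added example (not from the original article, and not an EnCase script), here is the kind of parsing pass the paragraph describes, done with Python regular expressions over raw image bytes: it pulls e-mail addresses and URLs out of allocated and unallocated data alike, ranks the addresses by frequency, and flags the ones at free webmail providers, which the paragraph notes cannot be traced without a subpoena. The sample bytes and the webmail domain list are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample standing in for a slice of a disk image: an e-mail header
# fragment, a cached web page and some binary noise. Not a real capture.
SAMPLE_IMAGE_CHUNK = (
    b"\x00\x00From: jane.doe@example-corp.com\r\nTo: buyer7781@hotmail.com\r\n"
    b"Subject: shipment\r\n\x00\x00\x00<a href=\"http://mail.yahoo.com/inbox\">Inbox</a>"
    b"\xff\xfe\x01 cc: buyer7781@hotmail.com, accounting@example-corp.com "
    b"http://www.example-corp.com/ledger.xls noise\x00\x00not-an-email@ foo@bar"
)

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&%_-]+")

# Free webmail domains whose sign-up details are not verified (assumed list for
# this example); hits here point to a subpoena to the provider, not a lookup.
FREE_WEBMAIL = {b"hotmail.com", b"yahoo.com", b"gmail.com"}


def extract_emails(raw: bytes) -> Counter:
    """Count every e-mail address found anywhere in the raw bytes, case-folded."""
    return Counter(m.lower() for m in EMAIL_RE.findall(raw))


def extract_urls(raw: bytes) -> List[bytes]:
    """Distinct http(s) URLs, e.g. from cached HTML, sorted for stable reporting."""
    return sorted(set(URL_RE.findall(raw)))


def correspondents_report(raw: bytes) -> List[Dict[str, object]]:
    """Addresses by frequency, flagging those on unverified free webmail services."""
    rows = []
    for addr, hits in extract_emails(raw).most_common():
        domain = addr.rsplit(b"@", 1)[1]
        rows.append({"address": addr.decode(), "hits": hits,
                     "free_webmail": domain in FREE_WEBMAIL})
    return rows


if __name__ == "__main__":
    for row in correspondents_report(SAMPLE_IMAGE_CHUNK):
        print(row)
    print(extract_urls(SAMPLE_IMAGE_CHUNK))
```

Two practical caveats: pattern hits in unallocated space tell you an address was once on the drive, not who typed it or when, so each hit is tied back to a file, a cache entry or a time stamp before it goes in a report; and many Windows artifacts (the registry, for one) store text as UTF-16LE, so the same patterns need a second pass in that encoding or the hits will be missed.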
These sources are all very valuable to investigators conducting these types of investigations. I certainly wish you the best of luck, and stay safe.
David Townsend, CEO, eFor, Incorporated. 2880 N. Tracy Blvd, Suite 5, Tracy, CA 95376. 800.861.0732, www.eforinc.com.