Electronic Evidence, Electronic Records Management, and Computer Forensics

Jan 03, 2016


deanna-sandoval

PowerPoint PPT Presentation
Transcript
Page 1: Electronic Evidence, Electronic Records Management, and Computer Forensics

Electronic Evidence, Electronic Records Management, and Computer Forensics

Page 2: Electronic Evidence, Electronic Records Management, and Computer Forensics

Introduction

• Legal actions can also expose a company’s information assets

• In a legal action, if the opposing party enters a discovery request (an official request for access to information that may be considered as evidence) for e-mail or other electronic data:

– Company required by law to retrieve and produce that evidence

Page 3: Electronic Evidence, Electronic Records Management, and Computer Forensics

Intro (2)

• Cost could be huge if company has to sort through several years’ worth of email and files to remove confidential material

• Courts now impose severe sanctions, including criminal penalties, for improper destruction of electronic documents

• term: e-evidence: when electronic documents are used as evidence

• It is info stored electronically on any type of computer device that can be used as evidence in a legal action

Page 4: Electronic Evidence, Electronic Records Management, and Computer Forensics

Intro (3)

• By 2003, email evidence had become so prevalent that it became known as “evidence-mail”

• Most corporate employment cases now have some “smoking email” component to them

• In legal actions, evidence-mail or other e-evidence is as powerful as a smoking gun or DNA testing, and as hard to refute or deny

• term: computer forensics: the discovery, recovery, preservation, and control of electronic documents for use as evidence

• Read in class: pg. 138 Case on Point

Page 5: Electronic Evidence, Electronic Records Management, and Computer Forensics

Electronic Evidence

• All computer based activities leave some sort of electronic trace

• Discuss the trace of:

– email

– invoices

– viruses

– hacker attacks

• Could find them as contents of emails or files

• Could find them as audit trails found in log files

Page 6: Electronic Evidence, Electronic Records Management, and Computer Forensics

Electronic Evidence (2)

• Could find meta-data: descriptions or properties of data files or email

– examples are dates/times an email or file was created or accessed

• When subpoenaed in a legal action, they become e-evidence

• Reinforces need for AUP enforcement and user training to ensure compliance

• Read last paragraph of pg. 139 Case on Point

• Note: email is specifically targeted for evidence in federal civil litigation cases because highly placed executives and employees discuss issues candidly, even if they are discussing confidential, incriminating, or criminal issues

Page 7: Electronic Evidence, Electronic Records Management, and Computer Forensics

Discovery of Electronic Business Records for Use as Evidence

• With few exceptions, e-mail communications and other business documents are business records

• The five requirements are listed at top of pg. 140 in Legal Brief

• Business Record examples: P.O.s (purchase orders), human resource files, vendor reports, sales reports, and inventory/production schedules

Page 8: Electronic Evidence, Electronic Records Management, and Computer Forensics

Discovery (2)

• The Federal Rules of Evidence dictate that business records are subject to discovery

• Discovery is the legal process whereby each party learns (or collects) as much info as possible about an opponent prior to a trial

• Any party in a legal action against a company or its employees can request discovery of info stored on computers, PDAs, cell phones, fax machines, voice mail, or any other electronic devices or communication systems

Page 9: Electronic Evidence, Electronic Records Management, and Computer Forensics

Consequences of Failing to Comply w/ Discovery Requests

• Hundreds of US companies face discovery requests each day

• Failure to comply will bring additional legal problems

• How do you handle things that you do not want to do?

• What would you do if faced with a discovery request?

• Must respond to discovery request by specified date or face more serious legal problems

Page 10: Electronic Evidence, Electronic Records Management, and Computer Forensics

Discovery Failure Consequences

• One risk is obstruction of justice: a crime punishable by prison time

• Spoliation is another: the intentional destruction of evidence

• Spoliation is so serious that most lawyers would rather face a smoking gun than spoliation

• Law specifies that companies cannot destroy what they can reasonably expect to be subpoenaed

Page 11: Electronic Evidence, Electronic Records Management, and Computer Forensics

Consequences (2)

• Must retain all relevant docs and e-documents when they know or should know that they might become necessary as evidence in the future

• A problem: companies must retain records (emails too) that might be destroyed when backup tapes get reused

Page 12: Electronic Evidence, Electronic Records Management, and Computer Forensics

Preserving and Disclosing E-Evidence

• When an org receives an electronic discovery request, it must preserve potential evidence

• If it doesn’t, it could be charged w/ obstruction of justice

• Next step is disclosure, which requires locating all sources and locations of electronic data and getting it into readable format

– Locating data on desktops, laptops, PDAs, network hard disks, removable media, etc.

– Fig 9.1 lists common locations for Recovery of E-Documents or Email, p. 142

Page 13: Electronic Evidence, Electronic Records Management, and Computer Forensics

Federal Rules of Civil Procedure- “The Rules”

• Rule 34 amended to include Electronic Records

– Amendment to Rule 34 of the Federal Rules of Civil Procedure made electronically stored information subject to “subpoena and discovery” for use in legal proceedings

Page 14: Electronic Evidence, Electronic Records Management, and Computer Forensics

ERM and AUP

• Read in Class and discuss this paragraph

Page 15: Electronic Evidence, Electronic Records Management, and Computer Forensics

Computer Forensics p 146

• Is the discovery, recovery, preservation, and analysis of digital documents, electronic media, or audit logs of computer/online activities

• You look at the range of cases in which it is used (bottom of pg. 146)

• You read cyberbrief on pg. 147

• You read the list of what can be revealed and recovered on pg. 147

Page 16: Electronic Evidence, Electronic Records Management, and Computer Forensics

Handling E-evidence: The 3 C’s

• Use of computer forensics by law enforcement is increasing for criminal cases and by lawyers in civil cases

• For e-evidence to be admissible it must be recovered and handled in a way that complies w/ the rules of evidence

• Orgs may find and retrieve computer data easily

Page 17: Electronic Evidence, Electronic Records Management, and Computer Forensics

The 3 C’s (2)

• To be used in a civil case though, retrieving and preserving the e-evidence is more complex than just finding it

– To be used in court, it might be necessary to have created an exact duplicate copy of the files as proof that the e-evidence has not been altered

– An expert may be needed for computer forensic investigations

– May be wise to hire an objective outside investigator to prevent accusations that company is deliberately trying to malign an employee

Page 18: Electronic Evidence, Electronic Records Management, and Computer Forensics

The 3 C’s (3)

• There are legal protocols to follow to ensure that e-evidence is admissible

• Operations used to collect, analyze, control, and present e-evidence cannot modify the original item in any manner

• Any alteration to primary source of evidence could contaminate it and render it inadmissible in court

• The 3 C’s are:

– Care, Control, and Chain of Custody

Page 19: Electronic Evidence, Electronic Records Management, and Computer Forensics

Care and Control

• First steps are most important

• Everyone who touches e-evidence can contaminate it

• To ensure care and control of e-evidence is maintained, investigators must know what they are doing before they do it

• Files and digital audit trails must be kept safe and secured

Page 20: Electronic Evidence, Electronic Records Management, and Computer Forensics

Chain of Custody

• A legal guideline to ensure that the material presented in court as evidence is the same as the evidence that was seized

• Requires documentation that the evidence is still in its original state

• Maintaining the chain of custody of e-evidence is more difficult than for physical evidence because it is more easily altered
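The three ideas on this slide and the two before it (metadata as evidence on page 6, the exact duplicate copy on page 17, and documentation that the item is still in its original state here) fit together in one small script. The following is an added example written for these notes, not code from the slides, the textbook, or the NIJ guide: it snapshots the file's properties, hashes it, makes a duplicate and proves the duplicate matches, and appends a log entry (with a fresh hash check) at every hand-off. The sample file, the item id and the people named in the log are constructed.

```python
"""Added example (not from the slides or the textbook): recording file
metadata, making a verified duplicate, and keeping a chain-of-custody log.
The sample file, item id and people in the log are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks; the file is only ever opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_metadata(path):
    """Record the properties the slides mention (size, modified/accessed/
    changed times) before anything else touches the file."""
    st = os.stat(path)
    as_utc = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"size": st.st_size, "mtime": as_utc(st.st_mtime),
            "atime": as_utc(st.st_atime), "ctime": as_utc(st.st_ctime)}


def new_custody_record(item_id, path, collected_by):
    """Start the chain: who collected the item, when, and the hash that
    every later hand-off must reproduce."""
    return {
        "item_id": item_id,
        "source_path": path,
        "metadata": snapshot_metadata(path),
        "sha256": sha256_file(path),
        "events": [{"time": datetime.now(timezone.utc).isoformat(),
                    "action": "collected", "by": collected_by}],
    }


def acquire_duplicate(record, original, duplicate):
    """Make the exact duplicate copy and prove it matches the recorded hash."""
    shutil.copyfile(original, duplicate)
    matches = sha256_file(duplicate) == record["sha256"]
    record["events"].append({"time": datetime.now(timezone.utc).isoformat(),
                             "action": "duplicated", "target": duplicate,
                             "hash_verified": matches})
    return matches


def log_transfer(record, path, from_person, to_person):
    """Each hand-off re-hashes the item so any alteration shows up in the log."""
    verified = sha256_file(path) == record["sha256"]
    record["events"].append({"time": datetime.now(timezone.utc).isoformat(),
                             "action": "transfer", "from": from_person,
                             "to": to_person, "hash_verified": verified})
    return verified


def demo():
    """Constructed walk-through: collect, duplicate, transfer, then show
    that a one-byte change to the duplicate is caught at the next hand-off."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "mailbox.txt")  # constructed sample
        with open(original, "wb") as f:
            f.write(b"From: alice@example.com\r\nSubject: Q3 figures\r\n\r\nconstructed\r\n")
        record = new_custody_record("ITEM-001", original, "first responder")
        duplicate = os.path.join(workdir, "mailbox_copy.txt")
        dup_ok = acquire_duplicate(record, original, duplicate)
        transfer_ok = log_transfer(record, original, "first responder", "examiner")
        with open(duplicate, "ab") as f:  # simulate careless handling of the copy
            f.write(b"\n")
        altered_ok = log_transfer(record, duplicate, "examiner", "analyst")
        return {"duplicate_verified": dup_ok, "transfer_verified": transfer_ok,
                "altered_copy_verified": altered_ok,
                "event_count": len(record["events"]), "record": record}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo()["record"], indent=2))
```

The log is only as good as the rule that nobody opens the original except through read-only hashing; the duplicate, not the original, is what gets examined, and the final entry in the demo shows what a broken chain looks like (a hand-off whose hash no longer matches).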

Page 21: Electronic Evidence, Electronic Records Management, and Computer Forensics

Eliminating Electronic Records

• You Read!

Page 22: Electronic Evidence, Electronic Records Management, and Computer Forensics

Read and go over questions at end of chapter on pg. 151

Page 23: Electronic Evidence, Electronic Records Management, and Computer Forensics

Electronic Crime Scene Investigation

A Guide for First Responders

U.S. Department of Justice

National Institute of Justice Guide

http://www.ojp.usdoj.gov/nij

Click publications

Search NIJ publications for title above

Page 24: Electronic Evidence, Electronic Records Management, and Computer Forensics

I. The Overview

• The Latent Nature of Electronic Evidence

– E-evidence is stored or transmitted by an electronic device

– It is latent in the same sense that fingerprints or DNA are latent

– In its natural state we cannot see what is contained in the physical object that holds our evidence

– We need equipment and SW to see the evidence

Page 25: Electronic Evidence, Electronic Records Management, and Computer Forensics

Latent Nature (2)

• E-evidence is by its very nature fragile

• Can easily be altered, damaged, or destroyed by improper handling or improper examination

• Special precautions should be taken to document, collect, preserve, and examine this type of evidence

• Failure to do so may render it unusable or lead to an inaccurate conclusion

Page 26: Electronic Evidence, Electronic Records Management, and Computer Forensics

The Forensic Process

• E-evidence poses special challenges for its admissibility in court

• To meet these challenges, proper forensic procedures must be followed

• These include but are not limited to four phases:

– Collection

– Examination

– Analysis, and

– Reporting

Page 27: Electronic Evidence, Electronic Records Management, and Computer Forensics

Collection

• This phase involves the search for, recognition of, collection of, and documentation of electronic evidence

• This phase can involve real-time and stored information that may be lost unless precautions are taken at the scene

Page 28: Electronic Evidence, Electronic Records Management, and Computer Forensics

Examination

• This process helps to make the evidence visible and explain its origin and significance

• Should document the content and state of the evidence in its totality

• This documentation allows all parties to discover what is contained in the evidence

• Includes search for info that may be hidden or obscured

Page 29: Electronic Evidence, Electronic Records Management, and Computer Forensics

Examination (2)

• Once information is visible, process of data reduction can begin

• This separates the “wheat” from the “chaff”

• This part of the examination is critical
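The data-reduction step on this slide, and the search for hidden or obscured information on the previous one, are usually automated on the working copy. The following is an added example for these notes, not a tool from the NIJ guide or the textbook: it sets aside files whose hash matches a known-file reference set, keeps the rest for review, and flags review files whose leading bytes contradict their extension. The reference set and the evidence tree are constructed in the script so it runs offline; a real examination would use a published hash library.

```python
"""Added example (not from the NIJ guide or the slides): data reduction of
a working copy by known-file hashing, plus an extension/content check.
The reference set and evidence tree are constructed so this runs offline."""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for a published known-file hash set; in practice the
# hashes come from a reference library, not from content you have on hand.
KNOWN_GOOD_CONTENT = {
    "notepad.exe": b"constructed stand-in for a known operating-system binary",
    "calc.exe": b"constructed stand-in for another known binary",
}
KNOWN_GOOD_HASHES = {hashlib.sha256(c).hexdigest() for c in KNOWN_GOOD_CONTENT.values()}

# File signatures ("magic numbers") that identify a format regardless of its name.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def content_type(path):
    """Identify a file by its leading bytes, or 'unknown' if no signature matches."""
    with open(path, "rb") as f:
        head = f.read(8)
    for signature, kind in SIGNATURES.items():
        if head.startswith(signature):
            return kind
    return "unknown"


def reduce_tree(root):
    """Split every file under root into known (set aside) and review (needs a
    look); flag review files whose extension contradicts their content."""
    known, review, mismatched = [], [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if sha256_file(path) in KNOWN_GOOD_HASHES:
                known.append(rel)
                continue
            review.append(rel)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            ext = {"jpeg": "jpg"}.get(ext, ext)
            kind = content_type(path)
            if kind != "unknown" and ext != kind:
                mismatched.append((rel, ext, kind))
    return sorted(known), sorted(review), sorted(mismatched)


def demo():
    """Build a constructed evidence tree (a working copy, never the original) and reduce it."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "sys/notepad.exe": KNOWN_GOOD_CONTENT["notepad.exe"],
            "sys/calc.exe": KNOWN_GOOD_CONTENT["calc.exe"],
            "user/budget.txt": b"constructed user document",
            "user/report.pdf": b"%PDF-1.4 constructed",
            # A ZIP archive renamed to look like a photo: hidden or obscured data.
            "user/photo.jpg": b"PK\x03\x04 constructed archive bytes",
        }
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        known, review, mismatched = reduce_tree(root)
        return {"known": known, "review": review, "mismatched": mismatched}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("set aside:", result["known"])
    print("review:", result["review"])
    print("extension/content mismatch:", result["mismatched"])
```

Two files drop out as known, three remain for review, and the renamed archive is singled out because its signature says ZIP while its name says JPEG. Hash matching only ever removes files; anything unmatched stays in the review set, which is the conservative direction for an examination.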

Page 30: Electronic Evidence, Electronic Records Management, and Computer Forensics

Analysis

• Differs from examination in that it looks at the product of the examination for its significance and probative value to the case

• Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team

• In some agencies, the same person or group will perform both these roles

Page 31: Electronic Evidence, Electronic Records Management, and Computer Forensics

Reporting

• A written report that outlines the examination process and the pertinent data recovered completes the examination

• Examination notes must be preserved for discovery or testimony purposes

Page 32: Electronic Evidence, Electronic Records Management, and Computer Forensics

II. The Introduction

• General forensic and procedural principles should be applied when dealing w/ electronic evidence

– Actions taken to secure and collect electronic evidence should not change that evidence

– Persons conducting examination of electronic evidence should be trained for the purpose

– Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review

– W/o having the necessary skills and training, no responder should attempt to explore the contents or recover data from a computer

Page 33: Electronic Evidence, Electronic Records Management, and Computer Forensics

What is Electronic Evidence p 6

• Electronic evidence is info and data of investigative value that is stored on or transmitted by an electronic device

• It is often latent in the same sense as fingerprints or DNA evidence

• It can transcend borders w/ ease and speed

• It is fragile and can be easily altered, damaged, or destroyed

• It is sometimes time-sensitive

Page 34: Electronic Evidence, Electronic Records Management, and Computer Forensics

How is E-evidence Handled at the Crime Scene

• Precautions should be taken in the collection, preservation, and examination of e-evidence

• Handling e-evidence at a crime scene normally consists of:

– Recognition and identification of the evidence

– Documentation of the crime scene

– Collection and preservation of the evidence

– Packaging and transportation of the evidence

• This document recommends that every agency identify local computer experts before they are needed.

• These experts should be “on call” for situations that are beyond the technical expertise of the first responder or department

Page 35: Electronic Evidence, Electronic Records Management, and Computer Forensics

Electronic Devices: Types and Potential Evidence (Chap1)

• We know: many electronic devices require continuous power, such as battery or AC power, to maintain information

• Data can be lost by unplugging the power source or allowing the battery to discharge

Page 36: Electronic Evidence, Electronic Records Management, and Computer Forensics

Sample of Ideas from Chap 1

• User-Created Files may contain important evidence of criminal activity

• Address books and database files may prove criminal association,

• Still or moving pictures that may be evidence of pedophile activity,

• Communications between criminals such as by e-mail or letters.

• Also, drug deal lists may often be found in spreadsheets

• Address books, audio/video files, calendars, db files, documents or text files

• E-mail files, image/graphics files, Internet bookmarks/favorites, spreadsheet files

Page 37: Electronic Evidence, Electronic Records Management, and Computer Forensics

Computer-Created Files (chap 1 samples)

• Backup files, configuration files

• Cookies

• Hidden files

• History files

• Log files

• Printer spool files

• Swap files

• System files

• Temporary files

• And more (don’t forget digital watches and GPS systems!)

Page 38: Electronic Evidence, Electronic Records Management, and Computer Forensics

Chap 2 Investigative Tools and Equipment

• Documentation Tools

– Cable tags, indelible felt tip markers, stick-on labels

• Disassembly and Removal Tools

– Flat-blade and Phillips-type screwdrivers, hex-nut drivers

– Needle-nose pliers, secure-bit drivers, small tweezers

• Package and Transport Supplies

– Antistatic bags, antistatic bubble wrap, cable ties

– Evidence bags and tape

– Packaging tape and materials, sturdy boxes of various sizes

– Avoid materials that can produce static electricity (like styrofoam or styrofoam peanuts)

Page 39: Electronic Evidence, Electronic Records Management, and Computer Forensics

Investigative Tools and Equipment (2)

• Other Items

– Gloves

– Hand truck

– Large rubber bands

– Magnifying glass

– Printer paper

– Flashlight (small)

– Unused floppy diskettes????

– Other ideas class?

Page 40: Electronic Evidence, Electronic Records Management, and Computer Forensics

Chapter 3 Securing and Evaluating the Scene

• First responder should take steps to ensure the safety of all persons at the scene and to protect all evidence both traditional and electronic

• After securing scene and all persons, first responder should visually identify potential evidence, both conventional and electronic, and determine if perishable evidence exists

• Evaluate the scene and formulate a search plan

Page 41: Electronic Evidence, Electronic Records Management, and Computer Forensics

Perishable Data

• Should be protected

• Perishable data may be found on pagers, caller ID boxes, electronic organizers, cell phones, and other similar devices

• Keep in mind that any device containing perishable data should be immediately secured, documented, and/or photographed

• If it is off, leave it off. If it is on, leave it on

• Identify telephone lines attached to devices such as modems and caller ID boxes

• Document, disconnect, and label each telephone line from the wall rather than the device, when possible

• Look for other communication lines and LAN/ethernet connections

Page 42: Electronic Evidence, Electronic Records Management, and Computer Forensics

Collecting Evidence

• Keyboards, mouse, disks, CDs, or other components may have latent fingerprints or other physical evidence that should be preserved

• Chemicals used in processing latent prints can damage equipment and data and should be collected after electronic evidence recovery is complete

Page 43: Electronic Evidence, Electronic Records Management, and Computer Forensics

Chapter 4: Documenting the Scene

• This creates a permanent historical record of the scene

• It is done throughout the investigation

• Important to be accurate in recording the location and condition of computers, storage media, and other electronic devices and conventional evidence

• Make notes of the position of the mouse and other components of the system (what might a mouse on the LHS signify?)

Page 44: Electronic Evidence, Electronic Records Management, and Computer Forensics

Documentation (2)

• Document condition and location of computer system including power status (off, on, sleep)

– Look for status lights, listen to the fan (if the computer is warm but not on, that is an indication that it was recently turned off)

• Photograph entire scene to create visual record (w/ 360 degrees of coverage)

• Photograph the front of the computer as well as the monitor screen; make notes of what appears on the monitor

– Active programs may require videotaping

• Be careful about moving a running computer, why?

Page 45: Electronic Evidence, Electronic Records Management, and Computer Forensics

Chapter 5: Evidence Collection

• How to shut down a computer and remove power

Page 46: Electronic Evidence, Electronic Records Management, and Computer Forensics

Chapter 6: Packaging, Transportation and Storage

• Preparing a computer for transportation and storage

Page 47: Electronic Evidence, Electronic Records Management, and Computer Forensics

Chapter 7: Forensic Examination by Crime Category

• Lists of things to look for based on types of possible criminal activity pg. 37

Page 48: Electronic Evidence, Electronic Records Management, and Computer Forensics

Conclusion

• Remember, this document is available online at the DOJ website mentioned above

• You might find other interesting materials at this web site as well related to cyber security and IT

• OK, based on the chapter 9 material we discussed guides to ERM; here is one for the state of GA

– http://www.usg.edu/usgweb/busserv/series/index.phtml

• Also

– http://osulibrary.oregonstate.edu/archives/handbook/