Chapter 4


The business-record exception, for example, allows...

"records of regularly conducted activity," such as business memos, reports, records, or data compilations. Business records are authenticated by verifying that they were created "at or near the time by, or from information transmitted by, a person with knowledge ..." and are admissible "if the record was kept in the course of a regularly conducted business activity, and it was the regular practice of that business activity to make the record"

For the plain view doctrine to apply, three criteria must be met:

1. The officer is where he or she has a legal right to be
2. Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars
3. Any discovery must be by chance

In Horton v. California (496 U.S. 128, 1990), the court eliminated the requirement that the discovery of evidence in plain view be inadvertent (unintended). Previously, "inadvertent discovery" was required, which led to difficulties in defining this term. The three-prong Horton test requires the following:

1. The officer must be lawfully present at the place where the evidence can be plainly viewed
2. The officer must have a lawful right of access to the object
3. The incriminating character of the object must be "immediately apparent"

Laws in only ____ of the world are based on English or Dutch common law

40%

Why are evidence rules critical?

A civil case can quickly become a criminal case, and a criminal case can have civil implications larger than the criminal case

Explain "Determining who is in charge"

A company needs an established line of authority to specify who can instigate or authorize an investigation. Private-sector investigations usually require only one person to respond to an incident or crime scene. Processing evidence usually involves acquiring an image of a suspect's drive. In law enforcement, however, many investigations need additional staff to collect all evidence quickly. For large-scale investigations, a crime or incident scene leader should be designated. Anyone assigned to a large-scale investigation scene should cooperate with the designated leader to ensure that the team addresses all details when collecting evidence

Explain "Using additional technical expertise"

After you collect evidence data, determine whether you need specialized help to process the incident or crime scene. For example, suppose you're assigned to process a crime scene at a data center running Windows servers with several RAID drives and high-end Linux servers. If you're the lead on this investigation, you must identify the additional skills needed to process the crime scene, such as enlisting help with a high-end server OS. Other concerns are how to acquire data from RAID drives and how much data you can acquire. RAID servers typically process several terabytes of data, and standard imaging tools might not be able to handle such large data sets

Explain "Determining the tools you need"

After you have gathered as much information as possible about the incident or crime scene, you can start listing what you need at the scene. Being overprepared is better than being underprepared, especially when you determine that you can't transfer the computer to your lab for processing. To manage your tools, consider creating an initial-response field kit and an extensive-response field kit. Using the right kit makes processing an incident or crime scene much easier and minimizes how much you have to carry from your vehicle to the scene.

What is Unrelated Information?

Also called innocent information, it is often included with the evidence you're trying to recover. It might be personal records of innocent people or confidential business information, for example

Why is it difficult to demonstrate that a specific person created a record?

Because records recovered from slack space or unallocated disk space usually don't identify the author. The same is true for other records, such as anonymous e-mails or text messages. To establish authorship of digital evidence in these cases, attorneys can use circumstantial evidence, which requires finding other clues associated with the suspect's computer or location

Explain "Preparing the investigation team"

Before you initiate the search and seizure of digital evidence at incident or crime scenes, you must review all the available facts, plans, and objectives with the investigation team you have assembled. The goal of scene processing is to collect and secure digital evidence successfully. The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data.

____ requires finding other clues associated with the suspect's computer or location

Circumstantial evidence

____ records are data the system maintains, such as system log files and proxy server logs. They are output generated from a computer process or algorithm, not usually data a person creates

Computer-generated

____ records, such as system logs or the results of a mathematical formula in a spreadsheet, aren't hearsay

Computer-generated

____ records are electronic data that a person creates and saves on a computer or digital device, such as a spreadsheet or word processing document

Computer-stored

____ records that a person generates are subject to rules governing hearsay

Computer-stored

What is Commingled Data?

Confidential business data that could be included with criminal evidence (which may become public record once it is turned over to the police)

Why is consistency important?

Consistent practices help verify your work and enhance your credibility, so you must handle all evidence consistently. Apply the same security and accountability controls for evidence in a civil lawsuit as in a major crime to comply with your state's rules of evidence or with the Federal Rules of Evidence (FRE)

____ can be a reliable working copy, but it's not considered the original

Copied evidence

Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which might get funding from the government or other agencies. In the United States, NGOs and similar agencies must comply with state public disclosure and federal ____ laws and make certain documents available as public records

Freedom of Information Act (FOIA)

The ____ was originally enacted in the 1960s, and several subsequent amendments have broadened its laws. Some Web sites now provide copies of publicly accessible records for a fee

Freedom of Information Act (FOIA)

____ gives guidance on what procedures countries should have in place for digital evidence

ISO standard 27037

Explain "Identifying the type of OS or digital device"

If you can identify the OS or device, estimate the size of the storage device on suspect computers and determine how many digital devices you have to process at the scene. Also, determine what hardware might be involved, such as PCs or mobile devices, including smartphones, tablets, Fitbits, and laptops. Then you need to determine the OS: Microsoft Windows, Linux, macOS, Apple iOS, Android, and so forth. For private-sector investigators, configuration management databases make this step easier. Consultants to the private sector or law enforcement officers might have to investigate more thoroughly to determine these details. You also need to consider cloud storage, which has become more widespread. Most smartphones, for example, are automatically backed up to the cloud, and people often store their files, music, and pictures in the cloud. You might need a separate warrant or subpoena to access this information

How is investigating and controlling computer incident scenes in private-sector environments much easier than in crime scenes?

In the private sector, the incident scene is often a workplace, such as a contained office or manufacturing area, where a policy violation is being investigated. Everything from the computers used to violate a company policy to the surrounding facility is under a controlled authority— that is, company management. Typically, businesses have inventory databases of computer hardware and software. Having access to these databases and knowing what applications are on suspected computers help identify the forensics tools needed to analyze a policy violation and the best way to conduct the analysis. For example, companies might have a preferred Web browser, such as Microsoft Internet Explorer, Microsoft Edge, Mozilla Firefox, or Google Chrome. Knowing which browser a suspect used helps you develop standard examination procedures to identify data downloaded to the suspect's workstation

How is digital evidence unlike other physical evidence?

It can be changed more easily. The only way to detect these changes is to compare the original data with a duplicate. Furthermore, distinguishing a duplicate from the original electronically is challenging, so digital evidence requires special legal consideration

An emergency situation under the ____ is defined as the immediate risk of death or personal injury, such as finding a bomb threat in an e-mail.

PATRIOT Act

____ can be any information stored or transmitted in digital form

Digital evidence

What is Probable Cause?

The standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest

What if there is too much evidence or too many systems to make it practical for one team to perform the task of collecting and cataloging the digital evidence at a crime scene?

Then multiple teams may be used, but all examiners must follow the same established operating procedures, and a lead or managing examiner should control collecting and cataloging evidence. You should also use standardized forms for tracking evidence to ensure that you consistently handle evidence in a safe, secure manner

Agents and prosecutors occasionally express concern that a printout of a computer-stored electronic file might not qualify as an original document, according to the best evidence rule. In its most fundamental form, the original file is a collection of 0s and 1s; in contrast, the printout is the result of manipulating the file through a complicated series of electronic and mechanical processes. How do we address this concern?

To address this concern about original evidence, the FRE states: "[I]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'original.'" Instead of producing hard disks in court, attorneys can submit printed copies of files as evidence. In contrast, some countries and even some U.S. states used to allow only the printed version to be presented in court, not hard disks

A warrant must list which items can be seized (T/F)

True

Some businesses, such as banks, have a regulatory requirement to report crimes (T/F)

True

Some records combine computer-generated and computer-stored evidence, such as a spreadsheet containing mathematical operations (computer-generated records) generated from a person's input (computer-stored records) (T/F)

True

The plain view doctrine doesn't extend to supporting a general exploratory search from one object to another unless something incriminating is found (T/F)

True

To minimize confusion, reduce the risk of losing evidence, and avoid damaging evidence, only one team should collect and catalog digital evidence at a crime scene or lab, if practical (T/F)

True

Under the Plain View Doctrine, for the officer to seize the item, he or she must have probable cause to believe the item is evidence of a crime or is contraband. In addition, the police aren't permitted to move objects to get a better view (T/F)

True

____, section (e), defines a duplicate done in a manner, including electronic, that "accurately reproduces the original."

Rule 1001

____ states that the duplicate can be used unless the original's authenticity is challenged.

Rule 1003

In early 2017, changes were proposed to FRE Article VIII ____ and are expected to be accepted into law by December 2017. Currently, if documents are older than 20 years (referred to as "ancient documents"), no testimony of their authenticity is needed. Because of e-mails and potential advances in technology, only documents created before 1998 will fall into this category

Rule 803

Groups such as the ____ set standards for recovering, preserving, and examining digital evidence.

Scientific Working Group on Digital Evidence (SWGDE)

Explain "Identifying the nature of the case"

When you're assigned a digital investigation case, you start by identifying the nature of the case, including whether it involves the private or public sector. For example, a private-sector investigation might involve an employee abusing Internet privileges by surfing the Web excessively or an employee who has filed an equal employment opportunity (EEO), e-mail harassment, or other ethics complaint. Serious cases might involve an employee abusing company digital assets to acquire or deliver contraband. Law enforcement cases could range from a check fraud ring to a homicide. The nature of the case dictates how you proceed and what types of assets or resources you need to use in the investigation

In addition to making sure a company has a policy statement or a warning banner, how can private-sector investigators know under what circumstances they can examine an employee's computer?

With a policy statement, an employer can freely initiate any inquiry necessary to protect the company or organization. Organizations must also have a well-defined process describing when an investigation can be initiated. At a minimum, most company policies require that employers have a "reasonable suspicion" that a law or policy is being violated. For example, if a policy states that employees can't use company computers for outside business and a supervisor notices a change in work behavior that could indicate an employee is violating this rule, generally it's enough to warrant an investigation. However, some countries require notifying employees that they're being investigated if they're suspected of criminal behavior at work

Why should you make your warrant as specific as possible?

Making the warrant as specific as possible is good practice because it avoids challenges from defense attorneys over what the search was authorized to cover. Often a warrant is written and issued in haste because of the nature of the investigation, which is exactly when vague wording creeps in

What happens if you follow police instructions to gather additional evidence without a search warrant after you have reported the crime?

You run the risk of becoming an agent of law enforcement, which would subject any further collection you do to the Fourth Amendment restrictions that bind the police. Instead, consult with your organization's attorney on how to respond to a police request for information. The police and prosecutor should issue a subpoena for any additional new evidence, which minimizes your exposure to potential civil liability. In addition, you should keep all documentation of evidence collected to investigate an internal company policy violation

To show that computer-stored records are authentic, the person offering the records must demonstrate that...

a person created the data and the data is reliable and trustworthy—in other words, it wasn't altered when it was acquired or afterward

The process of establishing digital evidence's trustworthiness originated with written documents and the "best evidence rule," which states that to prove the content of a written document...

a recording, or a photograph, ordinarily the original is required

Collecting evidence according to approved steps of evidence control helps ensure that the computer evidence is ____, as does using established forensics software tools

authentic

The ____, therefore, is the document created and saved on a computer's hard disk

best evidence

For computer-stored records to be admitted into court, they must also satisfy an exception to the hearsay rule, usually the ____, so they must be authentic records of regularly conducted business activity

business-record exception

Federal and state rules of evidence govern both...

civil and criminal cases

As part of your professional growth, keep current on the latest rulings and directives on...

collecting, processing, storing, and admitting digital evidence

Private-sector investigators are concerned mainly with protecting ____, such as intellectual property

company assets

Employers are usually interested in enforcing ____, not seeking out and prosecuting employees, so typically they approve digital investigations only to identify employees who are misusing company assets

company policy

Another way of categorizing digital records is by dividing them into ____ records and ____ records

computer-generated, computer-stored

For the evidence to qualify as a business record exception to the hearsay rule, a person must have...

created the computer-stored records, and the records must be original

If a private-sector investigator finds that an employee is committing or has committed a crime, the employer can file a ____ with the police

criminal complaint

One test to prove that computer-stored records are authentic is to...

demonstrate that a specific person created the records

FRE allows ____ instead of originals when the duplicate is "produced by the same impression as the original ... by mechanical or electronic re-recording ... or by other equivalent techniques which accurately reproduce the original." Therefore, as long as bit-stream copies of data are created and maintained correctly, the copies can be admitted in court, although they aren't considered best evidence

duplicates

Computer-generated and computer-stored records must also be shown to be authentic and trustworthy to be admitted into ____

evidence

Keep in mind that ____ admitted in a criminal case might also be used in a civil suit, and vice versa

evidence

A well-defined company policy, therefore, should state that an employer has the right to...

examine, inspect, or access any company-owned digital assets

Finding evidence of a criminal act during an investigation escalates the investigation from an internal civil matter to an ____

external criminal complaint

Another concern when dealing with digital records is the concept of ____, which under FRE 801(c) is a statement the declarant did not make while testifying at the current trial or hearing, offered to prove the truth of what it asserts; in other words, secondhand evidence rather than the testimony of an actual witness to the event

hearsay

When you find commingled evidence, judges often issue a ____ to the warrant, which allows the police to separate innocent information from evidence

limiting phrase

ISPs and other communication companies make up a special category of private-sector businesses. ISPs can investigate computer abuse committed by their employees but...

not by customers

With probable cause, a police officer can...

obtain a search warrant from a judge to authorize a search and the seizure of specific evidence related to the criminal complaint.

U.S. courts accept digital evidence as ____, which means digital data is treated as a tangible object, such as a weapon, paper document, or visible injury, that's related to a criminal or civil incident

physical evidence

When approaching or investigating a crime scene, you might find evidence related to the crime but not in the location the warrant specifies. You might also find evidence of another unrelated crime. In these situations, this evidence is subject to the ____

plain view doctrine

To investigate employees suspected of improper use of company digital assets, a company ____ about misuse of digital assets allows private-sector investigators to conduct covert surveillance with little or no cause and access company computer systems and digital devices without a warrant. Law enforcement investigators can't do the same, however, without sufficient reason for a warrant.

policy statement

A law enforcement officer can search for and seize criminal evidence only with ____

probable cause

After you submit evidence containing sensitive information to the police, it becomes ____

public record

When attorneys challenge digital evidence, often they...

raise the issue of whether computer-generated records were altered or damaged after they were created

Another example of not being able to use original evidence is investigations involving network servers. For example...

removing a server from the network to acquire evidence data could cause harm to a business or its owner, who might be an innocent bystander to a crime or civil wrong

To process a crime scene correctly, you must be familiar with criminal rules of ____

search and seizure

Courts understand that the original evidence might not be available, however. For example, you could make one image of the evidence drive successfully but lose access to the original drive because it has a head crash when you attempt to make a backup image. Your first successful copy then becomes ____

secondary evidence
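The head-crash scenario above, together with the earlier points that digital evidence is changed more easily than physical evidence and can only be shown unchanged by comparing it against a duplicate, and that a bit-stream copy is admissible if it "accurately reproduces the original," is what hash verification of an image is for. The Python below is an added example written for this page, not code from the textbook or from any forensic tool. It makes a byte-for-byte copy of a constructed sample image (deterministic random bytes in a temporary directory, not a real drive), records MD5 and SHA-256 acquisition hashes while copying, re-verifies the copy, then flips one bit in the copy to show that the check fails and that a byte comparison pinpoints where. The function names and the layout of the verification record are this example's own assumptions.

```python
"""Added example (not from the textbook or any forensic tool): verify that a
bit-stream duplicate of evidence is an exact reproduction of the original, and
detect and locate any later alteration.  The sample 'drive image' is
constructed in a temporary directory; no real device is read."""
import hashlib
import os
import random
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20                  # stream in 1 MiB pieces: multi-TB images never fit in RAM
ALGORITHMS = ("md5", "sha256")   # MD5 appears on many older tool reports; SHA-256 is the one to rely on


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for the file at path, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_copy(src, dst):
    """Byte-for-byte copy of src to dst.  The hashes are fed the same bytes that
    are written, so the returned acquisition hash describes exactly what went
    into the copy."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(CHUNK):
            fout.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def first_differing_offset(path_a, path_b):
    """Byte offset at which two files first differ, or -1 if identical.  A hash
    mismatch says *that* a copy changed; this says *where*."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))   # one file is a prefix of the other
            if not a:
                return -1
            offset += len(a)


def verify_copy(original_path, copy_path, acquisition_hashes):
    """Recompute both files' hashes and compare them with the hashes recorded at
    acquisition.  Returns (all_match, record); the record is the kind of entry a
    standardized evidence-tracking form would carry (layout is an assumption)."""
    orig = hash_file(original_path)
    copy = hash_file(copy_path)
    all_match = orig == copy == acquisition_hashes
    record = {
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "original": orig,
        "copy": copy,
        "acquisition": acquisition_hashes,
        "match": all_match,
    }
    return all_match, record


def demo():
    """Build a constructed sample image, copy and verify it, then flip one bit in
    the copy and show the verification fails and the change is located."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "suspect_drive.raw")
        image = os.path.join(work, "suspect_drive.raw.copy")
        with open(original, "wb") as fh:                         # constructed, not real evidence
            fh.write(random.Random(4).randbytes(3 * CHUNK + 12345))
        acq = bitstream_copy(original, image)
        clean_match, _ = verify_copy(original, image, acq)

        tamper_at = 2 * CHUNK + 7        # one bit, past the first chunk boundary
        with open(image, "r+b") as fh:
            fh.seek(tamper_at)
            byte = fh.read(1)
            fh.seek(tamper_at)
            fh.write(bytes([byte[0] ^ 0x01]))
        tampered_match, record = verify_copy(original, image, acq)
        return {
            "clean_match": clean_match,
            "tampered_match": tampered_match,
            "first_diff_offset": first_differing_offset(original, image),
            "copy_sha256_still_equals_acquisition": record["copy"]["sha256"] == acq["sha256"],
        }


if __name__ == "__main__":
    print(demo())
```

In a real acquisition the source is hashed once, at acquisition time, and that value goes on the evidence form; every later verification recomputes the copy's hash and compares it with the recorded value, so a head crash on the original afterwards does not leave the copy's provenance in doubt. A matching hash proves the copy is unchanged since acquisition; it does not prove the acquisition captured the device correctly, which is why the source and the copy are both hashed while the source still exists.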

State public disclosure laws apply to ____, but the FOIA allows citizens to request copies of public documents created by federal agencies

state records

Collecting digital devices while processing a crime or incident scene must be done ____

systematically

Computer-generated records are considered authentic if...

the program that created the output is functioning correctly

____ laws define state public records as open and available for inspection

State public disclosure

Explain the Plain View Doctrine

States that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence

Like most common law nations, the United States excludes hearsay as spelled out in FRE Article VIII, Rule 802. Rules 803 and 804 cite more than 20 exceptions for when hearsay can be used. The following are some that apply to digital forensics investigations:

1. Business records, including those of a public agency
2. Certain public records and reports
3. Evidence of the absence of a business record or entry
4. Learned treatises used to question an expert witness
5. Statements of the absence of a public record or entry

What are the steps you should take if you discover evidence of a crime during a company policy investigation?

1. Determine whether the incident meets the elements of criminal law. You might have to consult with your organization's attorney to determine whether the situation is a potential crime
2. Inform management of the incident; they might have other concerns, such as protecting confidential business data that could be included with the criminal evidence (called "commingled data")
3. Coordinate with management and the organization's attorney to determine the best way to protect commingled data

Following are the general tasks investigators perform when working with digital evidence:

1. Identify digital information or artifacts that can be used as evidence.
2. Collect, preserve, and document evidence.
3. Analyze, identify, and organize evidence.
4. Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably.

What are the steps needed to prepare for a search and seizure?

1. Identifying the nature of the case
2. Identifying the type of OS or digital device
3. Determining whether you can seize computers and digital devices
4. Getting a detailed description of the location
5. Determining who is in charge
6. Using additional technical expertise
7. Determining the tools you need
8. Preparing the investigation team

What is the difference between "real computer evidence" and "hearsay computer evidence?"

A simplified explanation of this distinction states that you can, for example, prove an e-mail was sent and perhaps opened by a logged-in user. However, you can't necessarily verify the e-mail's contents. Generally, digital records are considered admissible if they qualify as a business record

What if a company doesn't display a warning banner or publish a policy stating that it reserves the right to inspect digital assets at will?

Employees have an expectation of privacy. When an employee is being investigated, this expected privacy prevents the employer from legally conducting an intrusive investigation

Public record laws do not include exceptions for protecting sensitive company information (T/F)

False

The FRE does not treat images and printouts of digital files as original evidence (T/F)

False

What is an important challenge investigators face regarding digital evidence?

Establishing recognized standards

Attorneys might also question the authenticity of computer-generated records by challenging the program that created them. ____, for example, refers to self-authenticating evidence, which includes public documents that are sealed and signed or certified. It also includes publications such as newspapers

FRE 902

Why is it a challenge for investigators when establishing recognized standards for digital evidence?

For example, there are cases involving police raids being conducted simultaneously in many countries as well as anti-cartel investigations taking place in several locations around the world. As a result, hundreds of pieces of digital evidence, including hard drives, cell phones, and other storage devices, are seized in multiple sites. If law enforcement and civil organizations in these countries have agreed on proper procedures (generally, the highest control standard should be applied to evidence collection in all jurisdictions), the evidence can be presented in any jurisdiction confidently. Evidence collection is now even more complicated as mobile devices and cloud storage become the norm

After you discover illegal activity and document and report the crime, stop your investigation to make sure you don't violate ____ restrictions on obtaining evidence

Fourth Amendment

For all criminal investigations in the United States, the ____ limits how governments search and seize evidence

Fourth Amendment

The ____ states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued. Note that this excerpt uses the word "particularly." The courts have determined that it means a warrant can authorize a search only of a specific place for a specific thing. Without specific evidence and the description of a particular location, a warrant might be weak and create problems later during prosecution

Fourth Amendment

Explain "Determining whether you can seize computers and digital devices"

Generally, the ideal situation for incident or crime scenes is seizing computers and digital devices and taking them to your lab for further processing. However, the type of case and location of the evidence determine whether you can remove digital equipment from the scene. Law enforcement investigators need a warrant to remove computers from a crime scene and transport them to a lab. If removing the computers will irreparably harm a business, the computers shouldn't be taken offsite, unless you have disclosed the effect of the seizure to the judge. An additional complication is files stored offsite that are accessed remotely. You must decide whether the drives containing these files need to be examined. Another consideration is the availability of cloud storage, which essentially can't be located physically. The data is stored on drives where data from many other subscribers might be stored.

____ often begin investigating private-sector digital crimes and then coordinate with law enforcement as they complete the investigation

Private-sector security officers

Why is preparing for search and seizure of computers or digital devices the most important step in digital investigations?

The better you prepare, the smoother your investigation will be. The following sections discuss the tasks you should perform before you search for evidence. For these tasks, you might need to get answers from the victim (the complainant) and an informant, who could be a police detective assigned to the case, a law enforcement witness, or a manager or co-worker of the person of interest to the investigation

Explain "Getting a detailed description of the location"

The more information you have about the location of a digital crime, the more efficiently you can gather evidence from the crime scene. Environmental and safety issues are the main concerns during this process. Before arriving at incident or crime scenes, identify potential hazards to your safety as well as that of other examiners. Some cases involve dangerous settings, such as a drug bust of a methamphetamine lab or a terrorist attack using biological, chemical, or nuclear contaminants. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene. The recovery process might include decontaminating digital components needed for the investigation, if possible. If the decontamination procedure might destroy electronic evidence, a HAZMAT specialist or an investigator in HAZMAT gear should make an image of a suspect's drive. If you have to rely on a HAZMAT specialist to acquire data, coach the specialist on how to connect cables and how to run the software. You must be exact and articulate in your instructions. Ambiguous or incorrect instructions could destroy evidence. Ideally, a digital forensics investigator trained in dealing with HAZMAT environments should acquire drive images. However, not all organizations have funds available for this training.

Why can't ISPs investigate computer abuse committed by their customers?

They must preserve customer privacy, especially when dealing with e-mail. However, federal regulations related to the Homeland Security Act and the PATRIOT Act of 2001 have redefined how ISPs and large organizations operate and maintain their records. ISPs and other communication companies can be called on to investigate customers' activities that are deemed to create an emergency situation

You survey the remaining content of the subject's drive and find that he's a lead engineer for the team developing your company's latest high-tech bicycle. He placed the CP images in a subfolder where the bicycle plans are stored. By doing so, he has commingled contraband with the company's confidential design plans for the bicycle. Your discovery poses two problems in dealing with this contraband evidence. First, you must report the crime to the police; all U.S. states and most countries have legal and moral codes when evidence of sexual exploitation of children is found. Second, you must also protect sensitive company information. Letting the high-tech bicycle plans become part of the criminal evidence might make it public record, and the design work will then be available to competitors. What should you do?

Your first step is to ask your organization's attorney how to deal with the commingled contraband data and sensitive design plans. Your next step is to work with the attorney to write an affidavit confirming your findings. The attorney should indicate in the affidavit that the evidence is commingled with company secrets, and releasing the information will be detrimental to the company's financial health. When the affidavit is completed, you sign it before a notary, and then deliver the affidavit and the recovered evidence with log files to the police, where you make a criminal complaint. At the same time, the attorney goes to court and requests that all evidence recovered from the hard disk that's not related to the complaint and is a company trade secret be protected from public viewing. You and the attorney have reported the crime and taken steps to protect the sensitive data. Now suppose the detective assigned to the case calls you. In the evidence you've turned over to the police, the detective notices that the suspect is collecting most of his contraband from e-mail attachments. The prosecutor needs you to collect more evidence to determine whether the suspect is transmitting contraband pictures to other potential suspects. The detective realizes that collecting more evidence might make you an agent of law enforcement and violate the employee's Fourth Amendment rights, so she writes an affidavit for a search warrant, ensuring that any subsequent instructions to you are legal. Before collecting any additional information, you wait until you or your organization's attorney gets a subpoena, search warrant, or other court order.
