Digital evidence provided by computer forensics can yield amazing results: it can find deleted materials, recover lost documents, establish a timeline of events, expose intentions, uncover crimes, and more. The breadth and depth of the field will only continue to grow as electronic devices proliferate into every aspect of life. As the demand for forensic experts, tools, and resources has increased, the field has accepted four basic principles that govern an investigation. These principles are taken from the ACPO Good Practice Guide for Digital Evidence.
The first guideline is to preserve the integrity of the original hardware – whether it be a computer, laptop, tablet, cell phone, or any other electronic device or document. We do this by making a copy of the data so that we can perform our investigations without contaminating or compromising the integrity of the original device.
During the majority of the investigation, the original device is typically locked away in as pristine a condition as possible or given back to the client according to their preference. This is an important protocol for two reasons. First, from a legal perspective, preserving the integrity of evidence is crucial for any future civil or criminal litigation. It’s one thing to discover evidence and it’s another to present that evidence in an acceptable and compelling way in court. The second reason we do this is to allow examiners to run state-of-the-art forensic programs that could damage or be limited by the original device. These dynamic and highly specialized programs can search and seize hidden, deleted, and encrypted material.
Locking the original device away is not always possible. If a company has had an employee delete data from a server, it could possibly shut the company down if a forensic examiner took the server. If this is the case, then every aspect of the electronic device should be documented and photographed and the method of data collection documented.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
The second guideline for computer forensics concerns situations where the original data must be accessed directly. This can be for any number of reasons, but whatever the reason, it is crucial to have someone who is both credentialed and competent to perform the required task in order for the data to be admissible in court.
One of the biggest dangers in a computer forensics investigation is contaminating evidence. Just as investigators at a crime scene must be careful to touch only what is necessary and wear proper equipment while doing so, there are similar ways electronic investigators can accidentally “leave a digital fingerprint” or “wipe away” evidence. The key here is to realize that all digital evidence is subject to the same scrutiny and regulations that apply to physical evidence. If one must access the device directly, all actions taken must be documented, as well as the reasons for taking such actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The third important protocol for any investigation is to document each and every step made by examiners. Just as a scientific study must be repeated before it is considered fact, a forensic inquiry must be able to be reproduced by an independent, third-party group before it is granted full validity. Documenting the investigation is particularly important because it also establishes the integrity of the operation. Any information discovered must be presented simultaneously with an explanation of how the evidence was obtained and documentation of the processes used. All information must eventually be verified against the original before being used in a legal proceeding.
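One way to keep the audit trail Principle 3 describes so that an independent party can re-check it, shown as an added example that is not part of the original article or the ACPO guide. The hash-chained log design, the field names, and the sample data are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first entry in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so that an independent
    # party recomputing the digest hashes byte-identical input.
    body = {k: v for k, v in entry.items() if k != "digest"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(log, when, examiner, action, reason, data: bytes) -> dict:
    """Record one step: who did what, why, and the hash of the data acted on."""
    entry = {"seq": len(log), "when": when, "examiner": examiner,
             "action": action, "reason": reason,
             "data_sha256": sha256_hex(data),
             "prev": log[-1]["digest"] if log else GENESIS}
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log, original_sha256: str) -> list:
    """Re-check the whole trail; an empty list means nothing was found wrong."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            problems.append(f"entry {i}: chain broken (reordered, removed or inserted)")
        if entry_digest(e) != e["digest"]:
            problems.append(f"entry {i}: contents changed after recording")
        if e["data_sha256"] != original_sha256:
            problems.append(f"entry {i}: data does not match the original")
        prev = e["digest"]
    return problems


if __name__ == "__main__":
    # Constructed sample bytes standing in for a disk image.
    image = b"constructed sample bytes standing in for a disk image"
    log = []
    append_entry(log, "2024-01-01T09:00:00Z", "Examiner A", "acquire image",
                 "create working copy", image)
    append_entry(log, "2024-01-01T09:30:00Z", "Examiner A", "keyword search",
                 "locate deleted documents", image)
    print(verify_log(log, sha256_hex(image)))
```

The verifier needs only the log and the hash of the original, so a third party can run the same check without access to the examiner's tools.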
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
The fourth principle of computer forensics is establishing a proper chain of command. Whoever is in charge of the investigation must accept the responsibility for ensuring proper protocol and documentation. Having an experienced examiner not only ensures a deep and thorough investigation, but also helps to corroborate the evidence with proper retrieval, documentation, and presentation.