DIGITAL EVIDENCE TOOL BOX

1 DIGITAL EVIDENCE TOOL BOX Toolbox Page 1 of 23

Introduction

This guide is meant to provide a basic understanding of the industry standards, best practices and practical applications for the use of digital evidence by legal professionals.

Purpose

The purpose of this guide is to assist the legal profession to achieve a standard level of knowledge about digital evidence and the need for rapid assessment, identification and preservation in accordance with the best practices, industry standards and the rules of evidence.

TABLE OF CONTENTS

- What is Digital Evidence
- Standards & Best Practices
- ISO Quality System for Digital Forensics
- Rules of Evidence Legal Standards
- Minimum Professional Standards
- Computer Forensics
- Audio/Video Evidence
- Mobile Device Forensics
- Call Detail & Cell Site Analysis
- Location Data Evidence
- Internet & Social Networking Evidence
- Retention Schedules & Sample Letters of Preservation
- Service Provider Subpoena Guide & Samples
- Discovery Motions & Samples
- Digital Evidence Work Sheets & Flow Charts

WHAT IS DIGITAL EVIDENCE?

Digital evidence is information stored or transmitted in binary form that may be relied on in court. Digital evidence has a wider scope, can be more personally sensitive, is mobile and requires different training and tools compared with physical evidence.

Types of Electronically Stored Information (ESI)

- Device users
- Multi-media (photos, videos or audio files)
- Documents or spreadsheets
- Text messages
- Internet browsing history (searches, sites visited, typed addresses, bookmarks)
- Program files and applications
- Deleted files and programs
- Encrypted files and folders
- File sharing
- Application data
- Social networking data
- Mobile device backups
- File metadata

Locations of Digital Evidence

- Computers
- Mobile devices
- Audio/Video systems
- Gaming systems
- Social networking sites
- Internet service providers

Common Digital Forensics Scenarios

- In criminal cases
- Theft of intellectual property such as customer lists or trade secrets
- Preservation orders/e-discovery
- Employment issues
- Fraud or embezzlement
- Inappropriate computer usage
- Divorce
- Loss of data

Data Integrity

Digital evidence should never be accessed as this can change data such as dates and times. Operating a computer or accessing files can change the metadata and change the evidence. Steps should be taken to ensure the integrity of the data acquired; this may include one or more of the following:

- Hash values (e.g., MD5, SHA-1 and SHA-256)
- Stored on read-only media (e.g., CD-R and DVD-R)
- Sealed in tamper-evident packaging

Metadata

Metadata is data that describes data. File metadata may be stored on the media or device which contains the file or within the file itself. Examples of metadata are creation dates/times, author, file name, and the path or location of the file. Metadata is usually created automatically by the operating system of the device on which the file was created or in some cases may be input by the user.

Commercial Forensic Software

Tested and reviewed commercial software technology solutions have been developed and designed to preserve digital evidence in its original form and to authenticate it for admissibility in court.

Forensic Data Acquisition

The investigation of digital evidence begins with the preservation of evidence through the forensic acquisition process. The purpose of the forensic acquisition process is to create a verified forensic copy of the electronic data to be examined. Methods of acquiring evidence should be forensically sound and verifiable; method deviations shall be documented.

Assessment

Forensic examiners assess digital evidence with respect to the scope of the case to determine the course of action to take.

Acquisition

Examination is best conducted on a copy of the original evidence. The original evidence should be acquired in a manner that protects and preserves the integrity of the evidence.

Examination

The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media.

Analysis

The interpretation of the recovered data displayed in a logical and useful format.

Documenting and Reporting

Actions and observations should be fully documented throughout the forensic process.

Digital Forensic Discipline

The American Academy of Forensic Sciences (AAFS) identifies digital forensics as a forensic science and the processes of all forensic sciences are fundamentally the same: Detection, Preservation, Collection, Examination, Analysis and Reporting.

Each phase in the process must be performed in such a manner so as to preserve the integrity of the evidence and assure its admissibility.

Pursuant to the best practices and industry standards, the examination of digital evidence should be conducted in accordance with a quality management system such as ISO.

For more information see the sections on Standards & Best Practices and ISO Quality System.
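The hash values named under Data Integrity and the "verified forensic copy" described under Forensic Data Acquisition fit together as shown in the following Python sketch. It is an added example, not part of the original guide; the file names, the manifest layout and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")   # the algorithms the guide names
CHUNK = 1024 * 1024                      # read in 1 MiB blocks, never the whole image
SAMPLE = b"constructed sample evidence\n" * 1000   # constructed stand-in for a device

def hash_file(path, algorithms=ALGORITHMS):
    """Return (size, {algorithm: hex digest}) from a single read pass."""
    digests = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return size, {name: d.hexdigest() for name, d in digests.items()}

def acquire(source, image, manifest):
    """Copy source to image, hashing the bytes as read from the source,
    then re-read the image and confirm it matches before writing a manifest."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    # "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            size += len(chunk)
            dst.write(chunk)
            for d in digests.values():
                d.update(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image, 0o444)               # working copy is read-only from here on
    source_hashes = {name: d.hexdigest() for name, d in digests.items()}
    image_size, image_hashes = hash_file(image)
    record = {
        "image": os.path.basename(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": size,
        "hashes": source_hashes,
        "verified": image_size == size and image_hashes == source_hashes,
    }
    with open(manifest, "x") as fh:
        json.dump(record, fh, indent=2)
    return record

def verify(image, manifest):
    """Re-hash the image and list every manifest field that no longer matches."""
    with open(manifest) as fh:
        record = json.load(fh)
    size, hashes = hash_file(image, tuple(record["hashes"]))
    mismatches = [name for name, value in record["hashes"].items()
                  if hashes[name] != value]
    if size != record["size_bytes"]:
        mismatches.insert(0, "size")
    return mismatches

def demo():
    """Acquire a constructed source, verify it, then show a one-bit change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        image = os.path.join(tmp, "evidence.img")
        manifest = os.path.join(tmp, "evidence.manifest.json")
        with open(source, "wb") as fh:
            fh.write(SAMPLE)
        record = acquire(source, image, manifest)
        clean = verify(image, manifest)
        # Simulate improper handling: flip a single bit inside the copy.
        os.chmod(image, 0o644)
        with open(image, "r+b") as fh:
            fh.seek(4096)
            original = fh.read(1)
            fh.seek(4096)
            fh.write(bytes([original[0] ^ 0x01]))
        altered = verify(image, manifest)
        return record, clean, altered

if __name__ == "__main__":
    record, clean, altered = demo()
    print(json.dumps(record, indent=2))
    print("mismatches after acquisition:", clean)
    print("mismatches after one-bit change:", altered)
```

The file size stays the same after the one-bit change, so only the hash comparison reveals the alteration.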

STANDARDS & BEST PRACTICES

These guides establish recommendations for how law enforcement and crime scene investigators should handle digital evidence. Evidence on cell phones, computers and other electronically stored information can be changed or destroyed if proper techniques are not used to forensically analyze the data. The prevailing governing standards are set forth by The Scientific Working Group of Digital Evidence (SWGDE) and The National Institute of Justice (NIJ).

Notes

- Digital evidence is easily altered or destroyed.
- Preservation of digital evidence is time sensitive.
- Each phase in the process must be performed in such a manner so as to preserve the integrity of the evidence and assure its admissibility.
- The examination of digital evidence should be conducted in accordance with the best practices and a quality management system such as ISO.

For more information see the section on Standards & Best Practices.

ISO QUALITY SYSTEM FOR DIGITAL FORENSICS

Digital forensics is defined as a subset of the forensic discipline known as Digital and Multimedia Evidence, which involves the scientific examination, analysis and evaluation of digital evidence in legal matters. This includes acquiring and preserving digital evidence in any form, as well as analyzing computers, personal digital assistants, tablets, cellular telephones and other digital devices with a processor.

The standards outlined in this document were derived from digital forensics standards and guidance published by the Scientific Working Group on Digital Evidence, the National Institute of Justice, the Department of Justice Computer Crime and Intellectual Property Section, and the National Research Council. The CIGIE Quality Standards for Investigations, Federal Rules of Evidence, and case law were also referenced.

International Organization for Standardization - ISO

ISO is an independent, non-governmental international organization that sets specifications for products, services and systems, to ensure that they follow statutory and regulatory requirements related to a product or program quality, safety and efficiency.

Pursuant to the best practices and industry standards, the examination of digital evidence should be conducted in accordance with a quality management system such as ISO.

Notes

- Written quality manual.
- Written technical procedures.
- Documented equipment testing, calibration and validation.
- Documented examiner proficiency.

For more information see the section on ISO Quality System.

RULES OF DIGITAL EVIDENCE LEGAL STANDARDS

Before accepting digital evidence, a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.

Many courts in the United States have applied the Federal Rules of Evidence to digital evidence in a similar way to traditional documents. Digital evidence tends to be more voluminous, more difficult to destroy, easily modified and time sensitive. Some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule and privilege.

Reliability Concerns

A common attack on digital evidence is that digital media can be easily altered. However, in 2002 a U.S. court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness." (U.S. v. Bonallo, 858 F.2d Court of Appeals, 9th).

Authentication Concerns

Federal Rules of Evidence 902 shows 12 non-exclusive methods that can be used for self-authentication of digital evidence.

For more information see the section on Rules of Evidence Legal Standards.

MINIMUM PROFESSIONAL STANDARDS

Although legal professionals dealing with digital evidence do not need to be able to convert decimals into hexadecimals or understand hash values, they must possess a basic knowledge of how data is stored on electronic media so that they can ask questions that will identify all sources of relevant information, develop viable plans and protect the interests of their clients.

It is the responsibility of legal professionals dealing with digital evidence to be sufficiently knowledgeable to object competently to faulty evidence. Laying proper foundation, qualifying the expert witness, and directing a competent line of questioning all rely heavily on the computer literacy of the lawyers involved.

Basic Computer Literacy

This includes an understanding of computers. This knowledge will enable lawyers to establish proper foundation and a proper line of questioning.

Understanding of the Digital Forensics Process

This includes basic knowledge of how easily digital evidence can be altered and what it means to have a proper chain of evidence, including storage and control. There should be sufficient knowledge of how evidence is collected on a computer hard drive (and on a network), how a hard drive is appropriately duplicated for forensic purposes and then searched by forensic tools. Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination.

Federal Rules of Evidence and How They Apply to Electronic Evidence

The Federal Rules of Evidence are integral to understanding the process for admitting digital evidence.

Survey of Case Law

A thorough survey of other cases will provide an even more comprehensive understanding of the state of the practice regarding digital evidence as well as the understanding that the burden of ensuring digital evidence admissibility rests largely on objections to such evidence by opposing counsel.

COMPUTER FORENSICS

In many ways, computerized evidence must be dealt with the same way as any other type of evidence. It is subject to the same need for inspection, the same chain of custody requirements, and the same rules of admissibility. Counsel has to inspect computerized evidence as carefully as they would a stack of documents that were seized as evidence or any other type of physical evidence.

Types of Data

- Users
- Multi-media (photos, videos or audio files)
- Documents or spreadsheets
- Internet browsing history (searches, sites visited, typed addresses)
- Program files
- Deleted files
- Deleted programs
- Encrypted files and folders
- File sharing
- Application data
- Social networking data
- Mobile device backups
- Financial records
- File metadata

Notes

- Computer evidence is time sensitive and rapid assessment, identification and preservation is recommended.
- The amount of data recovered through the forensic process from one computer is enormous, but examiners can narrow the parameters to create a more manageable amount of data to examine.
- Although more cases now involve mobile devices, computers sometimes hold backed-up images of a user's mobile device, making them a valuable source of data that should not be overlooked.

For more information see the section on Computer Forensics.

AUDIO/VIDEO EVIDENCE

Digital audio and/or video recordings may be recoverable by forensic tools if the examination is conducted before the data is overwritten or permanently deleted by the device operating system. Poor quality recordings can be enhanced using accepted methods and technology.

Common Sources of Audio & Video Evidence

- Cell phone video
- Social media
- Digital surveillance camera system
- Voice mail recordings
- 911 dispatch recordings
- Police recorded witness interviews

Notes

- System time and date could be incorrect.
- Videos copied at a different frame rate could drop frames.
- Videos copied at a different aspect ratio could distort the image.
- Videos should be obtained in native format with proprietary player.
- A second copy should also be obtained in a universal format.

For more information see the section on Audio/Video.

MOBILE DEVICE FORENSICS

Obtaining digital evidence from mobile devices can present many challenges in conducting forensically sound investigations in this constantly evolving field. Early identification of sources of evidence, not only from the device itself, but from other sources such as service providers, cloud sources and backup files can result in the successful preservation of key evidence. The best practices require rapid assessment, proper handling and preservation to prevent the permanent loss of data in cases involving all digital evidence.

Types of Data

- Device users, settings, languages and time zone information
- Contacts, calendar,
- Multi-media (photos, videos or audio files)
- Location data: GPS and cell networks
- MMS (Multimedia Message Service) and SMS (Short Message Service) text messages
- Internet browsing history (searches, sites visited, typed addresses)
- Installed applications and app file system data
- Deleted files and programs
- Encrypted files and folders
- Social networking data
- Mobile device backup information (tethering information)
- Financial records
- File metadata
- Wi-Fi networks
- Connected Bluetooth devices

Non-Digital Evidence

Other forms of evidence are generated from mobile devices and may be used to validate forensic results, such as provider billing records, or be used to show location, such as historic cell site analysis. Internet service providers are also a possible source of related non-digital evidence.

For more information see the sections:

- Mobile Devices
- Call Detail & Cell Site Analysis
- Location Data
- Retention Schedules
- Subpoena Guide & Samples

CALL DETAIL & CELL SITE ANALYSIS

Location data is collected by obtaining historical call detail records from the cellular carrier along with a listing of the cell site locations for that carrier. This data is then analyzed for the purpose of generally placing a cell phone in a location on a map. Often historical cell site records only indicate the date, time and duration of calls, whether calls are inbound or outbound and show the originating and terminating cell sites for calls received or placed on the phone.

Notes

- No published principles or methods governing the estimation of cell site coverage area.
- Many factors determine which site a device connects to, not necessarily the closest or strongest.
- All sites do not provide the same range and coverage can vary due to changing environmental factors.
- Locations identified by circles or pie shapes, bolstered by expert testimony, give an incorrect impression.
- Service provider propagation maps may not reflect the state of the network during the exact time frame in question due to many changing variables.
- The data retention periods vary between the service providers and data types.

For more information see the section on Call Detail & Cell Site Analysis.

LOCATION DATA

Location information from mobile devices is typically obtained using the following:

1. Cell ping or triangulation may be used to determine the phone's real time location.
2. A Stingray device may be used to determine the phone's real time location and intercept its information.
3. Wi-Fi and Bluetooth tracking is short range tracking (such as within the same room or the same building) and can be highly accurate, but needs to be turned on.
4. Applications and web browsing used by a mobile device determine location, often using GPS, and display the position on the map. The data is saved in the device as well as on the user's account profile.
5. The Global Positioning System is based on satellites, which are considered extremely accurate, but weather conditions could affect accuracy.
6. Malware on the phone could read private data on the device or activate the device's sensors such as microphone, camera, and GPS.
7. Historic call detail records can only narrow location to the geographic coverage area of the originating and terminating cell sites, rather than pinpoint the specific location of the cell phone.

For more information see the section on Location Data.

INTERNET AND SOCIAL NETWORKING EVIDENCE

The internet and social media are not only useful in family and criminal litigation, but can influence personal injury, workers' compensation, product liability, commercial litigation and employment cases.

Some Examples of These Sites Include:

- Social networks such as Facebook and LinkedIn
- Blog sites such as Twitter and WordPress
- File sharing sites such as YouTube, Pinterest, Tumblr, Instagram and Flickr
- Activity and review sites such as Foursquare and Yelp
- Web based such as AOL, Gmail and Yahoo Mail

Preservation Considerations

- It is dynamic and can change with usage.
- It can be deliberately destroyed or altered.
- It can be altered due to improper handling and storage.

When it comes to admission of social media evidence it appears that the key issue for the court is a fear of fabrication.

Notes

- Rapid identification, assessment and preservation are the first steps in using internet social media evidence.
- A defined set of best practices and industry standards exists governing the preservation and analysis of internet and social media evidence.
- If information can be accessed through public means without deceptively requesting the information from the individual or one of the individual's friends, it is fair use.

For more information see the section on Internet and Social Networking Evidence.

RETENTION SCHEDULES-SAMPLE LETTERS

Service Provider Records

- Subscriber Information
- Call Detail Records
- Cell-Site Locations

Call Detail Retention

The retention periods vary between the service providers and data types. A complete copy of the retention schedule is available in the Digital Evidence Toolbox/Retention Schedule-Sample Letters.

Letters of Preservation

May extend the retention period for 90 days and be extended.

Notes

- Rapid identification, assessment and preservation are the first steps in obtaining service provider records.
- Retention periods vary by provider and data type.

For more information see the section on Retention Schedules-Sample Letters.

SUBPOENA GUIDE & SAMPLES

An up-to-date guide for issuing subpoenas to internet and cell phone service providers, including samples.

Notes

- Establish ownership of a device.
- Authentication and Admissibility.

For more information see the section on Subpoena Guide & Samples.

DISCOVERY MOTIONS & SAMPLES

Contents

- Recommended Language - Motion for Discovery of Audio & Video Evidence
- Recommended Language - Motion for Discovery of Computer Evidence
- Recommended Language - Motion for Discovery of General Digital Evidence
- Recommended Language - Motion for Discovery of Mobile Device Evidence

Notes

- Industry standards recommend that a full report and copy of the original evidence file and proprietary file viewer be requested.
- Rapid assessment, identification and preservation are the first steps in obtaining service provider records.
- If information can be accessed through public means without deceptively requesting the information from the individual or one of the individual's friends, it is fair use.

For more information see the section on Discovery Motions & Samples.

WORKSHEETS & FLOW CHARTS

Contents

1. Rapid Assessment Guide For Cell Phone Evidence Preservation
2. Levels of Mobile Device Acquisition
3. NIJ Collecting Digital Evidence Flow Chart
4. Sample Consent To Search Form

Digital Evidence Toolbox: For more information see the section Worksheets & Flow Charts.

For more information on digital forensics and digital evidence, call now and speak with a certified expert. IRIS LLC is available 24 hours in emergency cases. Toll-free: irisllc@irisinvestigations.com


THINGS YOU NEED TO KNOW BEFORE DELVING INTO THE WORLD OF DIGITAL EVIDENCE. Roland Bastin Partner Risk Advisory Deloitte

THINGS YOU NEED TO KNOW BEFORE DELVING INTO THE WORLD OF DIGITAL EVIDENCE. Roland Bastin Partner Risk Advisory Deloitte Inside magazine issue 16 Part 03 - From a risk and cyber perspective perspective Roland Bastin Partner Risk Advisory Deloitte Gunnar Mortier Senior Manager Risk Advisory Deloitte THINGS YOU NEED TO KNOW

More information

Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

Financial CISM. Certified Information Security Manager (CISM) Download Full Version : Financial CISM Certified Information Security Manager (CISM) Download Full Version : http://killexams.com/pass4sure/exam-detail/cism required based on preliminary forensic investigation, but doing so as

More information

Understanding Computer Forensics

Understanding Computer Forensics Understanding Computer Forensics also known as: How to do a computer forensic investigation... and not get burned Nick Klein SANS Canberra Community Night 11 February 2013 The scenario... Your boss tells

More information

IRIS LLC Sample Interrogatories for Electronic Discovery. UNITED STATES DISTRICT COURT DISTRICT OF [Jurisdiction]

IRIS LLC Sample Interrogatories for Electronic Discovery. UNITED STATES DISTRICT COURT DISTRICT OF [Jurisdiction] IRIS LLC Sample Interrogatories for Electronic Discovery UNITED STATES DISTRICT COURT DISTRICT OF [Jurisdiction] Court File No.: Plaintiff, INTERROGATORIES TO [Party Name v. Defendant, I. Definition. The

More information

Credit Card Data Compromise: Incident Response Plan

Credit Card Data Compromise: Incident Response Plan Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,

More information

FORENSIC LABORATORY DEVELOPMENT AND MANAGEMENT: INTERNATIONAL BEST PRACTICES BY AGWEYE, BENEDICT HEAD OF FORENSICS, EFCC

FORENSIC LABORATORY DEVELOPMENT AND MANAGEMENT: INTERNATIONAL BEST PRACTICES BY AGWEYE, BENEDICT HEAD OF FORENSICS, EFCC FORENSIC LABORATORY DEVELOPMENT AND MANAGEMENT: INTERNATIONAL BEST PRACTICES BY AGWEYE, BENEDICT HEAD OF FORENSICS, EFCC DISCLAIMER THIS PAPER IS NOT A LEGAL ADVISE OR OPINION IT DOES NOT SPEAK FOR OR

More information

Vocabulary Bank organized by module

Vocabulary Bank organized by module Vocabulary Bank organized by module Module 1: Choosing a Computer Application: also called an "app," it is computer software created for a particular task or tasks; it is increasingly used to mean software

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO 50001 Lead Auditor The objective of the PECB Certified ISO 50001 Lead Auditor examination is to ensure that the candidate has the knowledge and skills to plan

More information

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents Policy Title: Approved By: ACAOM Commissioners History: Policy Implementation Date: 28 October 2016 Last Updated: Related Policies: ACAOM -Records Retention Schedule References: Responsible Official: ACAOM

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 9001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 9001 Lead Auditor examination is to ensure that the candidate possesses

More information

AAPA. Legal Issues and Record Retention. SML, Inc. Steve M. Lewis, President and CEO

AAPA. Legal Issues and Record Retention. SML, Inc. Steve M. Lewis, President and CEO AAPA Legal Issues and Record Retention May 15, 2013 SML, Inc. Steve M. Lewis, President and CEO 813.205.2850 stevemlewis@msn.com www.smlinfo.net TABLE OF CONTENTS Page CORPORATE OR PUBLIC RECORDS 3 Copy

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified Management System Auditor www.pecb.com The objective of the PECB Certified Management System Auditor examination is to ensure that the candidates

More information

DuncanPowell RESTRUCTURING TURNAROUND FORENSIC

DuncanPowell RESTRUCTURING TURNAROUND FORENSIC Forensic Technology and the Cloud DuncanPowell RESTRUCTURING TURNAROUND FORENSIC 12 October 2017 DucanPowell Forensic Team Peter Lanthois Partner Office: (08) 8223 8107 Mobile: 0407 258 959 Email: planthois@duncanpowell.com.au

More information

Presenter Name. Date

Presenter Name. Date Presenter Name Date Smartphone Forensics! Henry E. Saint-Fleur Antenna NFC microchip Presenter Name Date Smartphone Forensics Background Henry Saint-Fleur! Background! Computer Science / Network Administration

More information

25 ESI and E-Discovery Terms. (in 75 minutes!) for Mediators

25 ESI and E-Discovery Terms. (in 75 minutes!) for Mediators 25 ESI and E-Discovery Terms (in 75 minutes!) for Mediators chopkins@mcdonaldhopkins.com Christopher Hopkins M c D o n a l d H o p k i n s L L C W e s t P a l m B e a c h Lawyer, mediator, and arbitrator.

More information

DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING

DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING 17.09.24 DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING FORENSICS FRAMEWORK FOR CLOUD COMPUTING OUTLINE Abstract Introduction Challenges in cloud forensics Proposed solution Conclusion Opinion

More information

Michael McCartney, President

Michael McCartney, President Michael McCartney, President Litigation Landscape Computer Forensics Overview Forensic Data vs. Non-Forensic Dangers of Hard Drives Forensic Process HR Escrow Proactive Forensics Pit falls to avoid 1 650

More information

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services Forensic Technology & Discovery Services Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services Forensic Technology & Discovery Services EY s Forensic

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

Incident Response Data Acquisition Guidelines for Investigation Purposes 1

Incident Response Data Acquisition Guidelines for Investigation Purposes 1 Incident Response Data Acquisition Guidelines for Investigation Purposes 1 1 Target Audience This document is aimed at general IT staff that may be in the position of being required to take action in response

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

SAMPLE LITIGATION HOLD NOTICES

SAMPLE LITIGATION HOLD NOTICES Business & Litigation Support ediscovery: COLORADO RULES, CASE LAW & SAMPLE LITIGATION HOLD NOTICES HTTPS://SHOLLEREDWARDS.COM/LITIGATION-AND-SUPPORT/ 1.855.649.5884 CONTENTS Litigation Trigger... 3 Scope

More information

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Charting the Course... Certified Information Systems Auditor (CISA) Course Summary Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business

More information

Retention & Archiving Policy

Retention & Archiving Policy Retention & The IES has a responsibility to look after the personal data we collect, including information about our members, employees, event attendees and people browsing our websites. As outlined in

More information

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition Chapter 2 Understanding Computer Investigations Objectives Explain how to prepare a computer investigation Apply a systematic approach to an

More information

Scientific Working Group on Digital Evidence

Scientific Working Group on Digital Evidence The version of this document is in draft form and is being provided for comment by all interested parties for a minimum period of 60 days. SWGDE encourages stakeholder participation in the preparation

More information

University Policies and Procedures ELECTRONIC MAIL POLICY

University Policies and Procedures ELECTRONIC MAIL POLICY University Policies and Procedures 10-03.00 ELECTRONIC MAIL POLICY I. Policy Statement: All students, faculty and staff members are issued a Towson University (the University ) e-mail address and must

More information

716 West Ave Austin, TX USA

716 West Ave Austin, TX USA Fundamentals of Computer and Internet Fraud GLOBAL Headquarters the gregor building 716 West Ave Austin, TX 78701-2727 USA TABLE OF CONTENTS I. INTRODUCTION What Is Computer Crime?... 2 Computer Fraud

More information

WHITE PAPER. Distribution Substation Outage Investigations. Overview. Introduction. By Ahmad Shahsiah, Ph.D., P.E. March 2018

WHITE PAPER. Distribution Substation Outage Investigations. Overview. Introduction. By Ahmad Shahsiah, Ph.D., P.E. March 2018 WHITE PAPER Distribution Substation Outage Investigations By Ahmad Shahsiah, Ph.D., P.E. March 2018 Overview Electrical distribution systems in the United States served approximately 152 million customers

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22000 Lead Auditor www.pecb.com The objective of the Certified ISO 22000 Lead Auditor examination is to ensure that the candidate has

More information

Digital Evidence: I know it s there, how do I get it?

Digital Evidence: I know it s there, how do I get it? : I know it s there, how do I get it? January 24, 2019 Matthew Rollins Senior Assistant District Attorney Paulding County Judicial Circuit Josh Reed Network Intrusion Forensic Analyst United States Secret

More information

3/13/2018. Legal Hold Notices, the Duty to Preserve, and Electronically Stored Information ( ESI ) What is Electronically Stored Information ( ESI )?

3/13/2018. Legal Hold Notices, the Duty to Preserve, and Electronically Stored Information ( ESI ) What is Electronically Stored Information ( ESI )? Legal Hold Notices, the Duty to Preserve, and Electronically Stored Information ( ESI ) What Every In-House Attorney Needs to Know Presented by Mike Seitz, Attorney at Spencer Fane LLP March 14, 2018 What

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified OHSAS 18001 Lead Auditor www.pecb.com The objective of the PECB Certified OHSAS 18001 Lead Auditor examination is to ensure that the candidate

More information

FEATURES & BENEFITS. Key word search function both inside and outside projects. Intuitive application makes creating profiles quick and easy

FEATURES & BENEFITS. Key word search function both inside and outside projects. Intuitive application makes creating profiles quick and easy R2S Forensic provides R2S software and media support capabilities that assist in effective law enforcement, criminal investigation and public protection. We work with police forces, legal bodies, government

More information

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable

More information

Airplane mode Android app application Back key bandwidth

Airplane mode Android app application Back key bandwidth 1G First-generation analog wireless telephone technology. 2G Second-generation wireless technology, the first digital generation and the first to include data services. 3G Third-generation wireless telephone

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting

More information

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z This glossary provides definitions of terms and acronyms that are used in Premier as well as informative industry terms. Select the first letter of the word you want to find. A B C D E F G H I J K L M

More information

ANALYSIS AND VALIDATION

ANALYSIS AND VALIDATION UNIT V ANALYSIS AND VALIDATION Validating Forensics Objectives Determine what data to analyze in a computer forensics investigation Explain tools used to validate data Explain common data-hiding techniques

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 20000 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 20000 Lead Auditor examination is to ensure that the candidate

More information

PayThankYou LLC Privacy Policy

PayThankYou LLC Privacy Policy PayThankYou LLC Privacy Policy Last Revised: August 7, 2017. The most current version of this Privacy Policy may be viewed at any time on the PayThankYou website. Summary This Privacy Policy covers the

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO/IEC 17025 Lead Auditor The objective of the PECB Certified ISO/IEC 17025 Lead Auditor examination is to ensure that the candidate possesses the needed expertise

More information

Computer Forensics US-CERT

Computer Forensics US-CERT Computer Forensics US-CERT Overview This paper will discuss the need for computer forensics to be practiced in an effective and legal way, outline basic technical issues, and point to references for further

More information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.

More information

Records Management and Retention

Records Management and Retention Records Management and Retention Category: Governance Number: Audience: University employees and Board members Last Revised: January 29, 2017 Owner: Secretary to the Board Approved by: Board of Governors

More information

Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15

Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15 Unit 49: Digital Forensics Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15 Aim To provide learners with an understanding of the principles of digital forensics and the impact on

More information

Mobility Policy Bundle

Mobility Policy Bundle Version 2018-02 Mobility Policy Bundle Table of Contents This document contains the following policies: BYOD Access and Use Policy (revised 02/2018) Mobile Device Access and Use Policy (revised 02/2018)

More information

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement BCN TELECOM, INC. ( BCN" or "Company") has established practices and procedures adequate to ensure compliance

More information

Symantec Document Retention and Discovery

Symantec Document Retention and Discovery IT POLICY COMPLIANCE Symantec Document Retention and Discovery A state-of-the-art solution that simplifies the discovery of email and other files, enhances litigation readiness, and helps ensure compliance

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 14001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 14001 Lead Auditor examination is to ensure that the candidate

More information

E-DISCOVERY. The process in which electronic data is sought, located, secured, using it as evidence in a civil or criminal legal case.

E-DISCOVERY. The process in which electronic data is sought, located, secured, using it as evidence in a civil or criminal legal case. E-DISCOVERY The process in which electronic data is sought, located, secured, and analyzed with the intent of using it as evidence in a civil or criminal legal case. I. Guidance Regarding the Amended Federal

More information

PIONEER TRAINING INSTITUTE

PIONEER TRAINING INSTITUTE PIONEER TRAINING INSTITUTE CENTRE FOR DISTANCE & ONLINE LEARNING DIPLOMA IN SECURITY MANAGEMENT OUTLINE SECURITY MANAGEMENT STUDIES Pioneer Training Institute has specifically identified security management

More information

Video and Audio Recordings Video and audio recordings of activities continue to

Video and Audio Recordings Video and audio recordings of activities continue to Chapter 3 Video and Audio Recordings Video and audio recordings of activities continue to become prevalent in investigations of criminal activity. Recordings include surveillance tapes recordings of criminal

More information

PROVIDING INVESTIGATIVE SOLUTIONS

PROVIDING INVESTIGATIVE SOLUTIONS PROVIDING INVESTIGATIVE SOLUTIONS Experienced Professionals Northeast Intelligence Group, Inc. (NEIG) has been helping clients meet challenges for more than twenty years. By providing meaningful and timely

More information

Cleveland State University General Policy for University Information and Technology Resources

Cleveland State University General Policy for University Information and Technology Resources Cleveland State University General Policy for University Information and Technology Resources 08/13/2007 1 Introduction As an institution of higher learning, Cleveland State University both uses information

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud Ezz El-Din Hemdan 1, Manjaiah D.H 2 Research Scholar, Department of Computer Science, Mangalore University,

More information

Policies & Regulations

Policies & Regulations Policies & Regulations Email Policy Number Effective Revised Review Responsible Division/Department: Administration and Finance / Office of the CIO/ Information Technology Services (ITS) New Policy Major

More information

Mobile Devices. Questions. NCJRL ICAC Webinar Mobile Devices October 25, Don Mason Associate Director, NCJRL. Presenter

Mobile Devices. Questions. NCJRL ICAC Webinar Mobile Devices October 25, Don Mason Associate Director, NCJRL. Presenter Mobile Devices Presenter Don Mason Associate Director, NCJRL 662-915-6898 drmason@olemiss.edu Questions Feel free to email any time to: drmason@olemiss.edu Please include your phone number In case it might

More information

Managing Official Electronic Records Guidelines

Managing Official Electronic Records Guidelines Application and Scope of Guidelines Managing Official Electronic Records Guidelines These guidelines are meant to assist Government Institutions in understanding responsibilities and concerns that must

More information

Organization of Scientific Area Committees for Forensic Science (OSAC)

Organization of Scientific Area Committees for Forensic Science (OSAC) Stetson University College of Law Essentials in Forensic Science and the Law Webinar Series Organization of Scientific Area Committees for Forensic Science (OSAC) Mark D. Stolorow Director for OSAC Affairs

More information