CCJS 321 digital forensics

In weeks 1-3, you have learned what digital evidence is, not in the physical sense but in the legal sense, and then what steps you should take to identify and collect it.

To summarize the evidentiary information from the readings, there are four basic classifications of evidence that can be applied to items of potential investigative value:

Testimonial Evidence – Testimony or a statement provided by an individual detailing what they observed or experienced (through any of their senses). For example, a witness may have heard tires screech and a loud crash but not actually have seen the accident. In this example, even though he didn’t actually see the crash, the witness’s testimony is still valuable – it can help pinpoint the time of the crash, determine the number of vehicles involved, or speak to what the lighting or weather conditions were at the time of the accident. Testimonial evidence can be significant as either direct or corroborating evidence. In addition, expert testimony can be provided that allows a subject matter expert (vetted and accepted by the court) to offer opinions and interpretations (e.g., context) of other evidence that has been or will be presented.

Real Evidence – Physical evidence. Examples would be a murder weapon, a hard disk drive, fingerprints, blood or other bodily fluids, clothing, stolen property, etc.

Documentary Evidence – Documents (such as records, checks, or photographs). Documentary evidence is like real evidence in that it may be a physical item (e.g., printed material), but it also includes the results of analyzing documents or records to show a pattern of behavior. For example, you examine (and create) potential documentary evidence each time you balance your checkbook.

Demonstrative Evidence – Evidence that utilizes or requires a demonstration, such as the use of a chart or map, to help prove what happened. Demonstrative evidence is most often created by an expert witness; an example might be using a dummy to show how a person was standing when he was shot, or it could be a flow chart showing how money was moved between different accounts.

All four classifications of evidence could be and frequently are used together in court to prove or disprove the facts of a case.

Readings in Week 2 discussed search and seizure or the ability to retrieve evidence. Over the past two weeks, many of you have mentioned search warrants in your discussions. The Fourth Amendment to the U.S. Constitution (and the Supreme Court’s subsequent interpretations thereof) requires that before a search can be conducted and evidence can be seized, the Government must obtain a search and seizure warrant (based on probable cause) from an impartial magistrate. However, there is no requirement for a private person or organization to obtain a search warrant or work under the same constraints. Further, the line can be blurred, as a private person or organization that searches property or seizes evidence (not needing a warrant) could subsequently turn it over to the Government.

In fact, they could do so even if the search was not legal under the Constitution, or even if they did not have the right to enter the place to be searched or committed civil trespass. Although it may seem counterintuitive and like a severe violation of individual rights, the only time the Fourth Amendment applies to a private party is if the private party is acting as an agent for the Government or law enforcement (such as a Government contractor or a citizen asked by a police detective to gather information for a specific purpose or investigation).

There are, of course, exceptions to the requirement that the Government obtain a search warrant prior to searching or seizing evidence. For example, the Government would not need a search warrant when a person with proper authority gives consent to conduct the search (e.g., the company CEO gives permission to search company servers for company data). Another exception is when exigent circumstances are present that, if the time were taken to obtain a proper warrant, could result in the destruction of evidence or harm to another person; however, it should be noted that searches undertaken due to exigent circumstances must be followed up with a legally obtained warrant as soon as the exigent circumstance has been effectively neutralized. Exigent circumstances could come into play in a digital evidence case when (for example) the owner of a computer likely containing digital evidence knows of the investigation and could delete the evidence from his storage devices before a warrant could be obtained. However, while the storage devices could most likely be seized without a warrant to prevent data destruction, this exigent circumstance is not a valid reason to conduct a forensic analysis of the storage media, and a warrant should be obtained immediately.

If evidence is not seized properly it may not be admissible in court. Therefore, it is important to know the rules governing what you can and cannot do (whether you are a private entity or an instrument of the Government), as well as being able to explain why you took the steps you did in order to sufficiently articulate your actions (from a legal perspective). This is also helpful in minimizing any potential civil liability.

After you seize a computer or device and have obtained the proper authority to conduct a search of the contents, you must then be able to testify that your next steps were forensically sound and within the scope of your search authority (whether granted by consent or warrant). Unless special precautions are taken, you risk changing digital data on a device each time you access it. For this reason, it is important that you avoid conducting an analysis of an original (evidence) device (such as the suspect’s hard drive removed from his computer) and instead make a forensically sound copy (i.e., a bit-for-bit copy of the original made without altering the original data, often accomplished with the use of a tool called a write-blocker) suitable for examination.

This aspect is also important for the chain of custody log. The chain of custody log provides a record of the chain of people who have possessed the evidence, the purpose of each transfer, and each verification that the evidence is in the same physical condition as when it was received. Your analysis report should verify that you made no changes to the data during your analysis.
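The two points above (a bit-for-bit copy made without touching the original, and a record that lets you show the data never changed) are easiest to see in code. The following is an added example, not part of the course materials: it stands in for a disk with a constructed byte string, simulates the write-blocker by only ever reading the source, uses SHA-256 hashes (a common practice, assumed here rather than prescribed by the text) to tie each custody entry to the exact contents, re-verifies after a read-only examination, and shows what the verification reports when a working copy has been altered. The `CustodyLog` class and the item names are hypothetical.

```python
"""Acquire, verify and log a forensic image (added educational example).

The "device" below is a constructed byte string, not real evidence. The
write-blocker is simulated by never writing to the source buffer.
"""
import hashlib
from datetime import datetime, timezone

# Constructed sample drive contents standing in for a seized hard disk.
ORIGINAL_DEVICE = b"MBR\x00" + b"Evidence file contents: meeting 14:00\n" * 8


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte sequence, as a hex string."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(device: bytes) -> bytes:
    """Bit-for-bit copy of the source. The source is only read (write-blocker role)."""
    return bytes(device)  # a fresh, independent copy; ORIGINAL_DEVICE is untouched


class CustodyLog:
    """Hypothetical chain-of-custody log: who held what, why, and its hash."""

    def __init__(self):
        self.entries = []

    def record(self, custodian: str, action: str, item: str, digest: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "item": item,
            "sha256": digest,
        })

    def verify(self, item: str, data: bytes) -> bool:
        """True if `data` still matches the hash last logged for `item`."""
        latest = [e for e in self.entries if e["item"] == item][-1]
        return latest["sha256"] == sha256_hex(data)


def examine(image: bytes, keyword: bytes) -> int:
    """A read-only examination step: count occurrences of a keyword in the image."""
    return image.count(keyword)


def run_workflow(device: bytes = ORIGINAL_DEVICE, examiner: str = "examiner-1") -> dict:
    """Seize -> hash -> image -> verify -> examine -> re-verify; returns a summary."""
    log = CustodyLog()

    # 1. Hash the original on receipt and log it.
    original_hash = sha256_hex(device)
    log.record(examiner, "received original device", "device-1", original_hash)

    # 2. Acquire the image and confirm it is bit-for-bit identical to the original.
    image = acquire_image(device)
    image_hash = sha256_hex(image)
    log.record(examiner, "acquired forensic image", "image-1", image_hash)
    image_matches = image_hash == original_hash

    # 3. Examine only the image, then show neither original nor image changed.
    hits = examine(image, b"meeting")
    unchanged = log.verify("image-1", image) and log.verify("device-1", device)

    # 4. Failure mode: a copy that was written to no longer verifies against the log.
    altered = bytearray(image)
    altered[0] ^= 0xFF
    tamper_detected = not log.verify("image-1", bytes(altered))

    return {
        "original_sha256": original_hash,
        "image_matches_original": image_matches,
        "keyword_hits": hits,
        "unchanged_after_analysis": unchanged,
        "tamper_detected": tamper_detected,
        "log_entries": len(log.entries),
    }


if __name__ == "__main__":
    for key, value in run_workflow().items():
        print(f"{key}: {value}")
```

In practice the same hash values are what the analysis report cites: the hash recorded at seizure, the hash of the image at acquisition, and the hash at the end of the examination should all agree, and the custody log ties each of them to a named custodian and time.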

In the readings, you will have read discussions of common tasks facing a digital investigator, such as identifying the different types of devices you should look for when conducting a search, as well as the preservation and analysis of those devices.

For this week’s discussion, complete the following two scenario questions below in detail. Please discuss thoroughly and substantively in your post. Additionally, respond in a thorough, substantive, intelligent way to at least two of your fellow classmates that adds to our discussion and learning of this week’s topic!

1.) You are a digital forensic examiner and have been asked to examine a hard drive for potential evidence. Give examples of how the hard drive (or the data on it) could be used as (or lead to the presentation of) all four types of evidence in court: testimonial, real, documentary, and demonstrative. If you do not believe one or more of the types of evidence would be included, explain why not.

2.) You have been asked to assist a law enforcement team serving a search warrant related to a child pornography investigation. You are the digital forensic expert for the team, and, as such, have been assigned the task of identifying and collecting the digital evidence at the search location. Answer the following questions about your assignment.

  • What steps should you take before the search to serve the search warrant?
  • What types of evidence should you be on the alert for, when searching the residence?
  • What types of items would you seize?