Computer Forensics and Investigations - PDF

Summary

This chapter from a textbook introduces the field of computer forensics, covering data collection, examination, and relevant legal issues. It explains the role of a computer forensic examiner and the importance of careful handling of digital evidence. Examples illustrate the application of these techniques in various contexts. The chapter also discusses legal cases where computer forensics played a huge role.

Full Transcript

© mirjanajovic/DigitalVision Vectors/Getty Images

CHAPTER 15
Computer Forensics and Investigations

Grama, J. L. (2020). Legal and privacy issues in information security. Jones & Bartlett Learning, LLC. Copyright © 2020. Jones & Bartlett Learning, LLC. All rights reserved. Created from westerngovernors-ebooks on 2025-02-11 04:13:48.

Computer forensics is the scientific process of collecting and examining data stored on, received from, or transmitted by an electronic device. It is a demanding area of study. New technologies that store data are created every day. People who choose to work in this area must constantly study these new technologies. They must learn how to collect and examine data from devices that use the new technology. Computer forensics is also a rapidly expanding profession. The U.S. Department of Labor estimates higher-than-average job growth for people in this career.[1]

This chapter introduces basic concepts about computer forensics. It also discusses the role of the computer forensic examiner. Finally, it reviews legal issues surrounding how digital evidence is gathered and used.

Chapter 15 Topics

This chapter covers the following topics and concepts:

- What computer forensics is
- What a computer forensic examiner does
- What the general rules for collecting, handling, and using digital evidence are
- What some legal issues regarding the seizure of digital evidence are

Chapter 15 Goals

When you complete this chapter, you will be able to:

- Define computer forensics
- Explain the role of a computer forensic examiner
- Explain why digital evidence must be carefully handled
- Describe why chain of custody is important
- Explain the laws that affect the collection of digital evidence
- Describe concerns regarding the admissibility of digital evidence

What Is Computer Forensics?

Computer forensics is the scientific process for examining data stored on, received from, or transmitted by electronic devices. The data is examined to find evidence about an event or crime. Law enforcement uses computer forensics to investigate almost any type of crime. Consider the following:

- Illinois state prosecutors used cell phone records and data gathered by computer forensic examiners to convict a defendant of murdering two people. The defendant had used his computer to search “hire a hit man.” He had also searched for directions from his home to the victim’s home. The case was unique because almost no physical evidence existed to link the defendant to the murders. A judge sentenced him to life in prison.
- A Hong Kong shipping company pleaded guilty to violating U.S. pollution laws and was fined $10 million. A ship operated by the company ran into the San Francisco Bay Bridge and spilled more than 50,000 gallons of fuel into the San Francisco Bay. Computer forensic examiners found that someone on the ship altered its computerized navigation charts after the crash.
- The U.S. Department of Justice charged nine foreign nationals with stealing more than 31 terabytes of data from U.S. colleges and universities, companies, and government agencies. Computer forensic examiners found that the hackers used several different tactics to gain access to the stolen data.

Computer forensics has many different names. It is also called system or digital forensics, computer forensic analysis, computer examination, data recovery, and sometimes inforensics (information forensics). These terms are used interchangeably. This chapter uses the term computer forensics.

NOTE: The word forensics is from the Latin word forensis, which means “belonging to the forum.” It refers to the types of arguments used in a court or public forum to prove or disprove past theories or arguments.

Computer forensic examiners use specialized software and tools to collect and study data stored on electronic devices. The evidence collected is called digital evidence or just electronic evidence. Computer forensics includes all the steps through which this evidence is collected, preserved, analyzed, documented, and presented.[2] The goal of computer forensics is to find evidence that helps investigators analyze an event or incident.

Computer forensic examiners study and collect electronic data for many reasons. They do not just investigate crimes. Other computer forensics uses include:

- Individuals—People may hire computer forensic examiners to find evidence to support tort claims. They can find digital evidence about sexual harassment or discrimination. Examiners also can uncover evidence for any type of civil litigation. They also can find evidence to support a criminal defense case.
- Military—The military uses computer forensics to gather intelligence information to support its operations. It also uses computer forensics to prepare for and respond to cyberattacks.
- Organizations—Organizations use computer forensics the same ways that individuals use it. Computer forensic examiners also can investigate employee wrongdoing. They can look for embezzlement or theft of intellectual property (IP). They also can look for unauthorized use of information technology (IT) resources and attempts to harm them. An organization’s incident response (IR) program can include forensic activities.
- Colleges and universities—Many colleges and universities offer programs in computer forensics. Some may have forensic research programs. They also use computer forensics for the institution’s own IR activities.
- Data recovery firms—Data recovery firms use computer forensics to rescue data for their clients. They also advise clients how to keep data safe from loss.

Most electronic devices hold some type of data. Computer forensics can study any of them. Potential sources of digital evidence include:

- Computer systems—This includes laptop and desktop computers, as well as servers. It also includes the hardware and software that the system uses. This category also includes peripheral devices that can be attached to computer systems. These devices enhance the user experience. They may include keyboards, microphones, web cameras, and memory card readers.
- Storage devices—This includes internal and external hard drives, as well as removable media such as floppy disks, Zip disks, compact discs (CDs), digital versatile discs (DVDs), thumb flash drives, and memory cards.
- Mobile devices—This includes cell phones and smartphones. It also includes tablets, personal digital assistants (PDAs), and pagers. Global positioning system (GPS) devices hold data as well. Digital and video cameras, and audio and video multimedia devices, also fall into this category.
- Networking equipment—This includes network hubs, routers, servers, switches, and power supplies. Networking equipment can be wired or wireless.
- Other potential sources—Any device with computer capabilities can potentially hold digital evidence. For example, many office devices have data storage ability. This includes copiers and fax machines, answering machines, printers, and scanners. Entertainment devices store data as well. They include digital video recorders (DVRs), digital audio recorders, and video game systems. Surveillance equipment is included in this category. This category includes any device not already mentioned that can store data. Any Internet of Things (IoT) device can also potentially hold digital evidence because these devices collect data via sensors and transmit it via the internet. Fitness trackers, medical devices, environmental sensors, and even industrial equipment all have data that can be used as digital evidence.

People’s dependence on electronic devices to live their lives continues to grow. Therefore, computer forensics as a special area of study also grows. Computer forensic examiners are not always experts in collecting data from every possible type of electronic device. They often focus on certain types of devices. In addition, most computer forensic examiners focus their skills in specific areas. The three main areas of computer forensics are:

- Media analysis
- Code analysis
- Network analysis

Media analysis focuses on collecting and examining data stored on physical media. This includes computer systems and storage devices. It also includes mobile devices. When people think about computer forensics, they most often think about media analysis. This type of analysis discovers normal and deleted data. It also finds encrypted, hidden, and password-protected data. This chapter focuses mostly on media analysis concepts. These concepts apply to other types of computer forensic analysis as well.

Code analysis, also called malware forensics, focuses on reviewing programming code. This area looks for malicious code or signatures from viruses, worms, and Trojans. It looks for the signature of anything that has modified a system without permission. A signature is the executable part of a malicious code. The need for code analysis continues to grow as malware types change. A 2019 report estimated a rise of almost 14 percent in different types of malware during that year.[3]

NOTE: Most antivirus programs use signatures to help them detect malware on a computer system.

Network analysis focuses on collecting and examining network traffic. An examiner reviews transaction logs and uses real-time monitoring to find evidence. Organizations often use this type of analysis to investigate incidents.

Some computer forensic examiners also might have specialties within these three major categories. For example, some examiners might specialize in email forensics. Email forensics, which includes a combination of media and network analysis, is used to find the sender, recipient, date, time, location information, and contents of email messages. This is a hot area, as almost 94 percent of all malware was delivered via email in 2019.[4] As technology advances, it is not unusual to find examiners with very specialized skills. FIGURE 15-1 shows examples of different computer forensic categories.

FIGURE 15-1 Computer forensic categories.

What Is the Role of a Computer Forensic Examiner?

Computer forensics is a fairly new field. It is only a few decades old, but is growing quickly. In 1984, the U.S. Federal Bureau of Investigation (FBI) began creating software programs to collect computer evidence.[5] In 1990, the International Association of Computer Investigative Specialists (IACIS) was formed. The IACIS, the oldest computer forensic professional group, was the first group dedicated to computer forensics.[6] The first international conference on computer forensics was held in 1993.
In 1995, the International Organization on Computer Evidence (IOCE) was formed. Although the IOCE no longer exists, it created some of the earliest guiding principles for computer forensic examiners. In the United States, the Scientific Working Group on Digital Evidence (SWGDE) was created in 1998 to participate in IOCE efforts.[7]

NOTE: The scientific method is a way to answer questions in a repeatable and verifiable way. It is a formal method of investigation.

Computer forensic examiners find evidence on electronic devices and collect it for both civil and criminal cases. They must collect this evidence in a scientific manner, regardless of the underlying case. They also must have a full understanding of various technologies, hardware, and software. An examiner helps answer who, what, where, when, why, and how. A computer forensic examiner must have the following traits:

- A sound knowledge of computing technologies
- Use of the scientific method to conduct repeatable and verifiable examinations
- Understanding of the laws of evidence and legal procedure
- Access to computer forensic tools and the skill to use them
- Outstanding record-keeping skills

No matter how careful they are, people always leave traces of their activities when they interact with other people and with their surroundings. This is a basic principle of forensic science known as Locard’s exchange principle. It applies to both the digital world and the physical world. If people attempt to steal electronic information or delete incriminating files, they leave electronic traces of their activities. For example, log information can document these activities. A computer forensic examiner needs to know how to find this trace evidence material, which is used to help prove a person’s actions in a computer system.

NOTE: Dr. Edmond Locard was a forensics pioneer who lived from 1877 to 1966. He argued that scientific methods should be applied to criminal investigations. He believed that when people or objects interact, they transfer physical evidence to one another. Forensic scientists recover that evidence, then study and learn from it.

Computer forensic examiners do more than turn on a computer and search through files. They must perform complex data recovery procedures. In particular, they must:

- Protect the data on any electronic device.
- Avoid deleting, damaging, or altering data in any way on any electronic device.
- Make exact copies of electronic data without altering the original device.
- Discover normal, deleted, password-protected, hidden, and encrypted files.
- Study data to create timelines of electronic activity.
- Identify files and data that may be relevant to a case.
- Fully document all evidence-collection activities.
- Provide expert testimony on the steps taken to recover digital evidence.

Computer forensic examiners must have special skills beyond those of the traditional information security professional. The law requires that computer forensic examiners be competent at what they do. Examiners can show that they are competent by earning advanced degrees. They also can become certified. Because the profession is still relatively new and evolving rapidly, there are many computer forensic certifications to choose from. Both independent organizations and vendors offer them.

States and courts struggle with how to make sure computer forensic examinations are done only by competent examiners. Courts rely on legal principles and trial rules to screen examiners before they testify. Sometimes states create laws that govern the activities of these examiners. Often, computer forensic examiners are governed under the broad terms of a state’s private detective laws. Many states regulate private detectives and investigators. They require a private detective to have a state-issued license before he or she can conduct investigations. These laws were created before computer forensics existed as a separate field. The broad language of these laws can pull computer forensic examiners within the scope of these regulated professions. This is not unusual.

Computer Forensic Examiner Certifications

There are many independent and vendor-specific computer forensic credentials. An examiner must weigh which credential best suits his or her career path. The following are popular credentials:

- Certified Computer Examiner (CCE)—The International Society of Forensic Computer Examiners (ISFCE) offers the CCE. The ISFCE has offered the CCE, a vendor-neutral certification, since 2003. CCE holders have basic knowledge of forensic examination procedures. You can learn more at http://www.isfce.com/.
- Certified Computer Forensics Examiner (CCFE)—The Information Assurance Certification Review Board (IACRB) offers the CCFE, which is also vendor neutral. CCFE candidates must take a written exam and a practical application test. There are nine subject-matter areas in the CCFE exam. You can learn more at http://www.iacertification.org/index.htm.
- Certified Forensic Computer Examiner (CFCE)—The IACIS offers the CFCE. However, only law enforcement personnel may earn it. It is vendor neutral. CFCE candidates must pass an intensive practical exam. You can learn more at http://www.iacis.com/.
- GIAC Certified Forensic Analyst (GCFA)—The Global Information Assurance Certification (GIAC) program offers the GCFA. Similar to the CCE and CCFE, this certification also tests practical knowledge. It is vendor neutral. GIAC offers several certifications related to digital forensics. You can learn about GIAC at http://www.giac.org/.

Some forensic software vendors offer certifications for their products. For example, EnCase is a popular forensic tool sold by Guidance Software. It offers the EnCase Certified Examiner (EnCE) credential. The EnCE exam has a written section and a practical section. The practical section covers use of the EnCase forensics program. You can learn more at https://www.opentext.com/products-and-solutions/services/training-and-learning-services/encase-training/examiner-certification.

Another software vendor that offers a certification is AccessData. AccessData offers a product called the Forensic Toolkit, which is better known as FTK. AccessData offers the AccessData Certified Examiner (ACE) credential, which tests knowledge of the FTK tool. The ACE exam is a multiple-choice test. You can learn more at https://accessdata.com/training/computer-forensics-certification.

Some states require computer forensic examiners to have a private detective license. Examples include Illinois,[8] Michigan,[9] Oregon,[10] and Texas.[11] In Texas, the law is interpreted very broadly. It actually includes computer technicians and computer repair personnel within the scope of its law. Some states do not include computer forensic examiners within their private detective licensing laws. North Carolina[12] and Virginia[13] are examples. North Carolina law states that any person who performs computer forensic services in order to collect evidence is not a private investigator. The North Carolina law also excludes examiners who provide expert testimony, as well as any person who engages in network or system vulnerability testing.

In 2008, the American Bar Association (ABA) issued a report and resolution on computer forensic examiners.
The ABA asked states to stop requiring computer forensic examiners to get a private detective license. It said that the role of private detectives is different from that of computer forensic examiners. It also stated that courts have broad discretion to make sure that digital evidence used in trials is reliable. Because the courts have that discretion, the ABA argued that there is no need to license computer forensic examiners.[14]

Collecting, Handling, and Using Digital Evidence

Computer forensic examiners find evidence on electronic devices and use this evidence to help reconstruct past events or activities. They use the evidence to gain a better understanding of a crime or event. It can be used to show possession and use of digital data. This section discusses how computer forensic examiners collect digital evidence. It focuses on how this evidence is collected in a criminal investigation. You need to keep in mind that almost the same process will be used in a civil investigation. An organization’s IR process also will be similar.

NOTE: Computer forensic examiners should always collect digital evidence in a reliable (forensically sound) manner. The nature of the underlying investigation does not matter. The examiner should always use a reliable and repeatable process.

A computer, or any electronic device, can play one of four roles in computer crime:

- To commit a crime—Unauthorized access to data (hacking) and online fraud are two examples where a computer is used to commit a crime.
- To facilitate a crime—Cyberstalking, identity theft, phishing scams, and software piracy are examples of crimes facilitated, or aided, by computers.
- As a target of crime—Denial of service (DoS) and distributed denial of service (DDoS) attacks, computer viruses, and communications sabotage are examples of crimes where the computer itself is the target of the crime.
- As a witness to crime—Computerized record-keeping systems may provide evidence of an underlying crime or event.

If the computer forensic examiner knows how the computer was used, he or she will be able to tailor the examination to that use.

FYI: It is important that evidence used in a court case be admissible because a judge or jury can consider only admissible evidence when they decide cases. Evidence that is invalid for some reason is called inadmissible evidence and cannot be presented to a judge or jury. A judge or jury who accidentally hears about that evidence cannot consider it later in deliberations. Admissible evidence is good evidence, whereas inadmissible evidence is bad evidence. The examiner must gather evidence in a way that makes it admissible in court.

Evidence is useful only if it is admissible. To be admissible, evidence must be collected in a lawful way. It also must be collected in a scientific manner. For digital evidence, this means that a computer forensic examiner conducts a repeatable and verifiable examination of an electronic device. The examiner must use established practices and procedures. The examiner also must be able to explain the results of his or her work to a client, judge, or jury in a clear way.

The Investigative Process

Different law enforcement agencies and organizations may use different investigative processes. The process used can depend on the type of case, as well as the urgency of the case.
The process also can depend on the agency or organization that performs the investigation. In general, the investigative process has the following basic steps:

- Identification
- Preservation
- Collection
- Examination
- Presentation

This basic process is used by both law enforcement agencies and other organizations to identify, collect, and preserve digital evidence.

Identification

During the identification step, the computer forensic examiner learns about the crime, event, or activity that is being investigated. He or she must identify the types of electronic devices that may be involved and prepare to conduct the investigation. The examiner must make sure that he or she has all the tools needed to conduct the investigation. A computer forensic examiner’s approach to a case may depend heavily on its facts and circumstances.

Preservation

During the preservation step, computer forensic examiners must secure the crime scene and any electronic devices. This means that they must make sure that no one tampers with the scene or electronic devices. This is to make sure that suspects and witnesses do not have a chance to access, destroy, or modify digital evidence. Examiners also must make sure that no one can access electronic devices remotely once they are seized. All of these actions make sure that potential digital evidence cannot be altered. This step is very important because once digital evidence is altered, it is difficult, if not impossible, to reverse the results.

Chain of Custody

The chain of custody is an important evidentiary concept. Courts and attorneys use a chain of custody document to help prove that evidence is admissible. This document shows who obtained evidence, where and when it was obtained, who secured it, and who had control or possession of it. It is used to prove that evidence is reliable. Evidence is reliable when it is not destroyed, changed, or altered. It cannot be modified after it is originally collected. A court may find that evidence is not admissible in court if its chain of custody is poorly documented or incomplete. A chain of custody protects the integrity of evidence. A chain of custody documents how evidence is collected, used, and handled throughout the lifetime of a particular case. It is a journal that records every interaction that a person or object has with the evidence.

In some instances, the examiner may not be able to take electronic devices away from the crime scene. In these instances, they must collect data on-site, which requires additional expertise. This might happen in cases where evidence is located on an organization’s business computers. It also might be the case if the computers belong to a witness and not to a criminal suspect. Sometimes the examiners may not be able to seize electronic devices if there is a concern that the devices are being used as part of a larger ongoing criminal activity that is being investigated.

Computer forensic examiners also should learn about the operation of the electronic devices they will be examining. They will want to gather information from people at the scene to learn how the devices are used. They should try to learn logon names and passwords for access to the devices. They also should try to discover the type of internet access used by each electronic device and programs used on each device. It is also important for examiners to know whether devices are encrypted, or whether they are equipped with software that could destroy evidence.

This step also includes documenting the crime scene. Examiners must record the location of all electronic devices. They also should note whether the device is on or off.
They should record the condition of all devices. Examiners also should record the content of any display screens before electronic devices are moved. The crime scene can be documented using video, photos, and written notes. The documentation created at this step is important for creating a chain of custody. Copyright © 2020. Jones & Bartlett Learning, LLC. All rights reserved. Collection The collection step also is known as the “bag and tag” step. During this step, computer forensic examiners must collect the electronic devices. These devices require special collection, packaging, and transportation in order to preserve potential evidence. Examiners will collect electronic devices in different ways depending upon the device and its power status. They will follow different rules for devices that are on and devices that are off. FYI Grama, J. L. (2020). Legal and privacy issues in information security. Jones & Bartlett Learning, LLC. Created from westerngovernors-ebooks on 2025-02-11 04:13:48. Slack space is the space between the end of a data file and the end of the disk space that is allocated to store it. Data does not always fill the whole space that is allocated to it. Residual information can be left over when a smaller file is written into space that used to be occupied by a larger file. This leftover data may be located in the slack space. Computer forensic examiners look at the slack space because it might contain meaningful data. Can a Person Be Compelled to Provide His or Her Encryption Key or Password? Many information security professionals advise their clients to use passwords, passcodes, biometric features, or other “locks” on their electronic devices to help keep the client’s personal information safe. Often times these passwords are used to encrypt and decrypt computing devices as well. In cases where electronic devices are seized for evidence, these locks and encryption keys can be a problem for a computer forensic examiner. 
Can the government compel a data owner to provide a password, passcode, or encryption key for an electronic device? Does requiring a suspect to provide this information violate the person’s Fifth Amendment self-incrimination protections? The U.S. Supreme Court has held that the Fifth Amendment protects communications that are compelled, testimonial, and incriminating in nature.15 For instance, a defendant can potentially incriminate himself or herself if compelled to disclose information—such as a password or passcode—needed to access an electronic device. Under this established case law, a defendant usually does not have to share the contents of his or her mind. The heart of the issue is whether providing a password, passcode, biometric identifier, encryption key, or some other unlocking mechanism is testimonial. Case law in this area continues to develop rapidly and there is a lot of uncertainty among the courts. At the time that this text was written, general rules of thumb that can be gleaned from case law include: Passwords, passcodes, and other electronic device locking mechanisms that are stored in a person’s mind are more likely to receive protection under the Fifth Amendment. Compelling a person to share this information is testimonial—it forces the person to share a fact that could be used against him or her. Passwords, passcodes, and other electronic device locking mechanisms that are based on biometric identifiers (e.g., biometric device locking mechanisms) are less likely to receive protection under the Fifth Amendment. Compelling the production of this type of information is not testimonial because the information is something that a person is. The Fifth Amendment does not protect a person against the collection of physical features or acts. A person can be compelled to provide a blood sample, stand in a line-up, or provide a handwriting sample because these actions are not testimonial. 
Many courts have held that compelling a person to open his or her electronic device protected with a biometric device Copyright © 2020. Jones & Bartlett Learning, LLC. All rights reserved. locking mechanism (e.g., fingerprint or facial identification) is not unconstitutional. These general rules highlight a tension between protections afforded by the law, protections afforded by technology, and user convenience. Although biometric device locking mechanisms provide tremendous convenience for the user, the data stored on devices protected in this way may not be afforded legal protection from government searches. Some smartphone manufacturers are trying to merge the best of both worlds by creating features to quickly disable biometric device locking mechanisms in situations where the device owner might be worried that a law enforcement officer will try to force the owner to unlock his or her device. Some people refer to these disabling features as “the cop button.” When these features are used, all biometric device locking mechanism features are disabled and the smartphone reverts to requiring a password or passcode to unlock the device. Under current law, to best protect the contents of electronic devices from exposure in criminal legal proceedings, the devices should be protected by the longest password or passcode that the device allows. This same analysis and the general rules shared in this section will likely be applied to passwords, passcodes, and biometric device locking mechanisms for internet-enhanced applications and services. Grama, J. L. (2020). Legal and privacy issues in information security. Jones & Bartlett Learning, LLC. Created from westerngovernors-ebooks on 2025-02-11 04:13:48. Device users must weigh the risk of incriminating data exposure with convenience. Although it may be convenient to protect a password manager application on a smartphone with fingerprint or facial identification, such applications may contain hundreds of passwords. 
Where possible, those types of applications should always be protected with a strong password or passcode (one that is different from the device password or passcode). This particular topic of the law continues to evolve. You can expect judges to continue to define the scope of the Fifth Amendment in these situations. Because this is an area of federal constitutional law, the U.S. Supreme Court has the power to make a decision on the issue.

For example, in most instances, a cell phone must be kept powered on in order to preserve data stored on the device. However, it must be protected from any incoming calls or text messages that could change the data on it. The cell phone must be packaged and transported in a special evidence bag once it is collected. These special evidence bags, called Faraday bags, keep a cell phone shielded from incoming calls and from connecting to wireless networks, so that data stored on it cannot be changed by an incoming call or wireless network connection. A computer forensic examiner also must make sure that the collected cell phone has an additional power supply to maintain evidence that could be lost if its battery runs out.

During this step, examiners must be aware of other kinds of evidence that could be on electronic devices. For example, a keyboard or mouse could contain fingerprints or other physical evidence related to the case. Computer forensic examiners must work with other forensic technicians to make sure that this type of physical evidence is not destroyed. As a practical matter, examiners must document how all electronic devices are configured. The cables and peripheral devices that are hooked up to each computer will need to be tagged. Examiners also must collect any manuals or other materials about the electronic devices that are located near the crime scene.

Examination

During the examination step, computer forensic examiners will want to make duplicate images of any electronic storage media. This is called imaging.
One thing to remember is that a forensic duplicate image is not the same as a file copy or system backup copy. This type of image is an exact copy of the storage media. It includes deleted files, slack space, and areas of the storage media that a normal file copy would not include. A forensic duplicate image is a bit-by-bit copy of the original storage media.

Computer forensic examiners use special tools called write blockers to create forensic duplicate images. These tools keep examiners from altering the original storage media. Write blockers can be either hardware- or software-based. They work similarly to a one-way flow valve in plumbing in that they only allow data to move in one direction. Most examiners will make two or more duplicate images of the original storage media. One copy is a working copy that they will use to look for evidence. The other is a control copy that can be used if something goes wrong with the first copy.

A forensic duplicate image must be verified against the original storage media. This makes sure that the duplicate image is identical to the original and that nothing has changed on the original media or the image. Examiners verify the images using a cryptographic equation called an algorithm. They apply the algorithm to the original media to create a hash, the value that results from running the cryptographic equation over the data. The examiner then applies the same algorithm to the duplicate image to create another hash. The examiner can prove that the duplicate image accurately represents the original media if the hashes are the same. If the hashes are different, the images are not the same.
Different hashes mean that the imaging process was faulty or that some sort of change took place between the original media and the duplicate image. Hashes are used to measure the integrity of the original media and the forensic duplicate. If the hashes do not match, then the data has changed somehow.

NOTE: The output of a hashing algorithm is sometimes called a checksum.

Computer forensic examiners need to know how to collect two very different types of data. Persistent data is stored on a hard drive or other storage media and is preserved when an electronic device is turned off. Volatile data, in contrast, is stored in memory and exists in registries, the cache, and random access memory (RAM), as well as in the connections that one electronic device might have with another while both devices are powered on. Volatile data is lost when an electronic device is turned off, so examiners must know when this data must be collected and how to do it.

Computer forensic examiners search for relevant information on the duplicate image. They have checklists of items that they review and look for. In general, they might look at:

File access history (when files were created, edited, and last accessed)
File download history
Internet browsing history
Attempts to delete or conceal files or other data
Email communications
Instant message or internet chat logs
Image files
Files containing address books or other contact information
Documents containing financial or medical information

Examiners produce a report of files or data that might be relevant to the investigation. They must use examination procedures that are auditable. That means that an independent party can verify and repeat all of the same steps and receive the same results.
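The image verification described above, written out as an added Python example that is not part of the textbook: it hashes a constructed block of "media" and two duplicate images chunk by chunk, compares the digests, and, when they differ, walks the bytes to report the first offset that changed. Running two independent algorithms at once is a common-practice assumption here (the text needs only one), and the sample data and the single flipped bit at offset 3000 are constructed.

```python
import hashlib
from dataclasses import dataclass

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so an image larger than RAM still verifies


def hash_media(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the whole byte stream, computed chunk by chunk.

    `data` stands in for the raw device or image file; an examiner would feed
    a file opened through a write blocker rather than an in-memory blob.
    """
    digest = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK_SIZE):
        digest.update(view[start:start + CHUNK_SIZE])
    return digest.hexdigest()


@dataclass
class VerificationReport:
    # algorithm -> (hash of original media, hash of duplicate image); kept for the report
    hashes: dict

    @property
    def verified(self) -> bool:
        # Every algorithm must agree; one mismatch means the copy is not identical.
        return all(orig == img for orig, img in self.hashes.values())


def verify_image(original: bytes, image: bytes,
                 algorithms=("md5", "sha256")) -> VerificationReport:
    """Apply each algorithm to the original media and to the duplicate image.

    Using two independent algorithms is a common-practice assumption here;
    the procedure in the text needs only one.
    """
    return VerificationReport({alg: (hash_media(original, alg), hash_media(image, alg))
                               for alg in algorithms})


def first_mismatch_offset(original: bytes, image: bytes) -> int:
    """Byte offset where the two streams first differ, or -1 if identical.

    A hash only says *that* something changed; this bit-by-bit walk says *where*.
    """
    for offset, (a, b) in enumerate(zip(original, image)):
        if a != b:
            return offset
    return -1 if len(original) == len(image) else min(len(original), len(image))


# Constructed sample data: 4 KiB of "media", a faithful image, and an image with
# one bit flipped at offset 3000 (as if the media were written to after acquisition).
MEDIA = bytes(range(256)) * 16
FAITHFUL_IMAGE = bytes(MEDIA)
TAMPERED_IMAGE = MEDIA[:3000] + bytes([MEDIA[3000] ^ 0x01]) + MEDIA[3001:]

if __name__ == "__main__":
    for label, image in (("faithful", FAITHFUL_IMAGE), ("tampered", TAMPERED_IMAGE)):
        report = verify_image(MEDIA, image)
        print(f"{label}: verified={report.verified}, "
              f"first mismatch at offset {first_mismatch_offset(MEDIA, image)}")
        for alg, (orig, img) in report.hashes.items():
            print(f"  {alg}: original {orig[:16]}... image {img[:16]}...")
```

Because the digests are deterministic, an independent party rerunning the same steps on the same media gets the same values, which is the auditability the text requires.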
Presentation

Computer forensic examiners must be able to report on their findings and describe how they gathered digital evidence. They often have to explain how they collected this evidence if a case goes to trial. Examiners are usually considered expert witnesses when they testify in a court case. Expert witness testimony is governed by the Federal Rules of Evidence.16 Expert witnesses must show that their activities followed a scientific methodology. A court assesses this process to make sure that evidence offered at trial is reliable. The test for measuring the reliability of a scientific methodology is called the Daubert test. It was first discussed in a U.S. Supreme Court case called Daubert v. Merrell Dow Pharmaceuticals.17 This test is important to computer forensics. It comes into play because of the tools that examiners use to collect digital evidence. An expert witness is a person; therefore, the software tools used by examiners cannot be expert witnesses. Thus, examiners must testify on behalf of the tools.

The American Academy of Forensic Sciences

The American Academy of Forensic Sciences (AAFS) recognizes computer forensics as a scientific discipline. The AAFS, one of the most well-known professional organizations for forensic scientists, has members from many different forensic disciplines. Its goals are to promote integrity and advance cooperation in the forensic sciences. The AAFS has different sections for different areas. For example, it created a digital and multimedia sciences section in February 2008. The digital and multimedia sciences section was the first new AAFS section in 28 years. Members must show active participation in computer forensic activities. All AAFS members have ethical rules that they must follow. You can learn more about the AAFS at http://www.aafs.org.
The use of a tool must satisfy the Daubert test to show that the digital evidence gathered by the tool is reliable. The Daubert test asks the following questions to determine reliability:

Has the tool been tested?
Is there a known error rate for the tool?
Has the tool been peer reviewed?
Is the tool accepted in the relevant scientific community?

The examiner will testify about how the tool works. The examiner also will testify about his or her qualifications as a computer forensic examiner. Finally, the examiner will testify about the process the examiner used to collect the digital evidence. The court will use the Daubert test to decide whether to admit the evidence collected by the examiner.

Ethical Principles for Forensic Examination

Computer forensic examiners all follow some common principles. The IOCE created one of the first sets of ethical principles for computer forensics examiners in 1999. The IOCE principles included:

Examiners should not change digital evidence after they seize it.
If original digital evidence must be accessed, the person accessing it must be competent.
All digital evidence handling must be fully documented and available for review.
Each person who handles digital evidence is responsible for it while it is in his or her possession.
Any agency that handles digital evidence must comply with these principles.18

These basic principles are followed in different forms by other organizations. For example, the CCE credential requires CCE holders to follow a code of ethics. That code of ethics has terms that are similar to the principles stated originally by the IOCE. You can read the code of ethics at https://www.isfce.com/ethics2.htm.
Legal Issues Involving Digital Evidence

There are special rules for collecting and handling digital evidence. However, the process for obtaining the electronic devices and the evidence on them in the first place must follow established legal principles. The law asks two basic questions about evidence:

Did the person or organization that collected the evidence have the legal authority to do so?
Is the evidence admissible in court?

Legal principles and statutes are used to address the first question. These laws focus on the situations where a private entity or the government can collect information about a person. Court rules and case law are used to address the second question. Both the federal government and state governments have trial court rules for civil and criminal proceedings. In addition to these rules, federal and state courts have evidentiary rules that govern how parties introduce evidence at trials. This chapter uses the Federal Rules of Evidence (FRE) to illustrate admissibility requirements. Many states have their own evidence rules that are based on the FRE.

One thing to keep in mind as you review this section is that there are differences between how law enforcement and private entities conduct investigations. Law enforcement agencies have very specific rules that they must follow when they collect evidence because a law enforcement agency is acting on behalf of a government. They are agents of either the federal or a state government. In the United States, a government cannot take some actions against its citizens without proper authority. This is part of our “checks and balances” system of government. For example, unless special circumstances exist, law enforcement must get permission from a court to monitor a person’s telephone conversations.
The rules are different for private entities. Private entities are individuals and organizations that are not related to a governmental agency. As long as a private entity is acting within the rule of law, it may take certain actions to protect its own interests. This is why an employer may monitor an employee’s telephone conversations when the employee is using the employer’s telephone equipment. A private entity generally has the right under the law to monitor and collect data about its own IT resources in order to protect them.

Authority to Collect Evidence

There are many laws that define and limit the government’s ability to monitor and collect data about individuals. The basic protections afforded to U.S. citizens stem from the Constitution. The Fourth Amendment protects citizens from an intrusive government. Other laws further define how the government can collect and monitor data. These laws affect the activities of computer forensic examiners. The Electronic Communications Privacy Act,20 the Wiretap Act,21 and the Pen Register and Trap and Trace Statute22 are discussed in this section.

The Fourth Amendment and Search Warrants

The Fourth Amendment protects people from unreasonable government search and seizure. A search happens when a person’s reasonable expectation of privacy in a place or thing is compromised. A seizure happens when the government interferes with a person’s property. Interference includes taking the property or using it in such a way that the person who owns it cannot use it.

The Silver Platter Doctrine

The difference between the government’s ability to collect evidence of a crime and a private entity’s ability to collect evidence about that same activity is an interesting area of study. It is also a complicated area of study.
The resolution of many court cases depends on these differences. Sometimes laws create special rules for law enforcement and private entities. For example, the Electronic Communications Privacy Act (ECPA)19 sets out the rules for access, use, disclosure, and interception of stored electronic communications. Electronic communications include telephone, cell phones, computers, email, faxes, and texting. Under the ECPA, no one may access the contents of these communications unless it is allowed somewhere else in the ECPA. The law has different rules for the government and for private entities.

The ECPA has strict rules for the government. For example, the government cannot access any stored electronic communications without a search warrant. To get a search warrant, the government must prove to a court that it has probable cause to believe that criminal activity is taking place. The stored communications must hold evidence of the criminal activity. If the government cannot prove probable cause, then it cannot access these communications.

The ECPA has different rules for private entities. Private entities may access stored communications within their ordinary course of business. To use this exception, the private entity must have a legitimate business interest for accessing these communications. They also must show that the access occurred on equipment provided by a communications service provider. The ECPA also allows private entities to access employee communications if the employee gives consent. The private entity must be able to prove that it provided notice of access to its employees and that the employees consented to it. Most courts interpret these exceptions very narrowly.

Sometimes private entities find evidence of criminal activity. The ECPA allows most types of private entities to lawfully disclose this evidence to law enforcement agencies.
This evidence often is very useful to a criminal investigation. Sometimes a prosecutor will want to use this evidence at a criminal trial. The evidence rule known as the silver platter doctrine applies in these cases. This rule is called the silver platter doctrine because the private entity gives admissible evidence to law enforcement “on a silver platter.” Law enforcement did not need a search warrant to access the evidence because it did not collect it or direct its collection. The silver platter doctrine allows the admission of evidence lawfully collected by a private entity. However, the evidence collected by the private entity must be collected and documented properly. To take advantage of the silver platter doctrine, the government must show that the private entity is not affiliated with law enforcement or a government (state or federal). The private entity must not be collecting the evidence under the direction of law enforcement or a government. The private entity also cannot be an internet service provider (ISP). There are special rules under the ECPA for ISPs.

The Fourth Amendment states that the government may not search or seize areas and things in which a person has a reason
