Computer Forensics: Evidence Management
Evidence Management: protecting the evidence is paramount
Computer data retrieval specialists carry a heavy responsibility. Their job is to track and recover electronic data from computers, mobiles and other e-devices often wiped clean of information and then to piece those data bits together to convict the bad guys. It’s a 007-who-dunnit job of epic technological proportions. Protecting the evidence is paramount. Data is already often fragmented, well-hidden or wiped. Additional losses or poor evidence management could mean a lost court case or sufficient challenges in court to significantly hurt outcomes. But specialists often work in the dark, without clear guidelines on how to do their work in order to ensure a conviction or even acceptance of their recovered materials by the courts. They also have a dual mandate. First, they must protect the hardware used in the alleged criminal activity, and second, they must glean through that hardware’s logs, media files and other contained elements to find information that can lead to arrests, charges and convictions.
Protocols to retrieve, collect and protect recovered data are not regulated
The processes, protocols and procedures to recover data and how they should be protected, stored and managed once retrieved are as yet un-regulated. That may seem surprising given the extensive measures police departments undertake to protect material evidence, and how much electronic data is now the focus of criminal activity. It’s more surprising, though, given the extraordinary potential magnitude of online crime to unleash unprecedented devastation that is difficult to even begin to get our heads around in terms of costs and other losses. Losses can be so devastating that, in at least one account of the 17 worst data breaches in recent memory, data breach cost was assessed in terms of the damage to the companies, people and insurers involved rather than by the size or even number of e-records infiltrated.[1] This kind of measurement illustrates how the right breach—even a tiny one—can unleash a butterfly effect of whirlwind proportions. And although we might consider monetary losses—such as Target ($110M) or Yahoo ($3B)—to be the worst kind of breach, unexpected infiltrations can cause much more trauma. The theft of 20 years’ data from AdultFriendFinder in 2015, and as part of a second, larger breach of its parent company, Friend Finder Networks in 2016, for example, not only cost huge money, but destroyed lives.[2], [3] Getting the data collection right and managing that evidence so it passes legal scrutiny calls for highly specialized training, excruciating attention to detail, and intense accuracy in report preparation and evidence presentation.
How forensic specialists collect, secure and process the evidence
Forensic specialists look to ensure their data collection is forensically sound and legally defensible. They are often recovering data from sex crimes, financial crimes, or other serious infractions that end in legal prosecution and will require their materials (or them) to appear in a court of law. So whether by an inside management team or one that comes from the outside, forensic specialists secure their data using meticulous processes.
Evidence management best practices follow procedures similar to law enforcement agencies, utilizing methods police also follow at the scene of a physical crime. They include 1) securing the physical area, 2) collecting, packaging and cataloguing relevant physical materials, 3) placing hardware in a secure area, and, 4) creating a chain of custody.
One of the specific challenges that forensic specialists face is the dual charge in ensuring the integrity not only of the physical devices involved, but also the e-data contained, generated and distributed. Several steps ensure that the evidence cannot be altered, stolen or damaged. First, digital specialists make a forensic image copy of the e-data; second, they never work from the originals, ensuring the data remains intact. Third, forensic specialists create a hash function so e-data cannot be tampered with or changed. These are some of the methods of rigorous collection, recovery and record keeping that are key to successful prosecution. Then the real search begins: to find, retrieve, and piece together the data crumbs that reveal the criminal tale.
The Future of Evidence Management
Working as a forensic examiner takes a combination of two sometimes seemingly contradictory skills: hard core computer knowledge that results in successful data recovery and collection, and communication skills that tell the story of the collection well enough to convince judges and juries of their authenticity and legitimacy. These kinds of skills require specific training and practice and years of working with computers to develop the intuition that leads to success in the field. The work can be difficult as much of it involves pornography and other ugly crimes that can leave examiners traumatized by their experiences and what they have seen. The reward can be successful prosecution of those involved in serious crimes and extending the use and legitimacy of the collection and protection of e-data for other crimes in the future.
Footnotes
[1] Armerding, Taylor. 26 January 2018. The 17 Biggest Data Breaches of the 21st Century. Retrieved from https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
[2] Lewis, Dave. 23 May 2015. The Human Cost of the Adult Friend Finder Data Breach. Retrieved from https://www.csoonline.com/article/2926172/data-breach/the-human-cost-of-the-adult-friend-finder-data-breach.html
[3] Whittaker, Zack. 21 November 2016. AdultFriendFinder Network Finally Comes Clean To Members About Hack. Retrieved from http://www.zdnet.com/article/adultfriendfinder-finally-comes-clean-with-users-about-site-hacks/