The Evidence Can Lie - Five Ways to Botch Data Integrity In a Computer Forensic Investigation - Law
*** As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to understand the inner workings of computers and how they relate to computer conduct issues. ***
"Concentrate on what cannot lie. The evidence...," advises Gil Grissom of the popular television show "CSI: Crime Scene Investigation". While this sound bite makes for good television drama, in reality this statement is not entirely accurate. The fact is, evidence can be misleading if it is not properly preserved and handled during a forensic investigation of any kind.
Just like fingerprints, DNA, or other types of evidence, digital evidence is fragile and can be altered if precautions are not taken to ensure the evidence is kept as close as possible to the condition in which it was found. If data integrity is not maintained, you risk losing critical evidence, or worse, impugning the credibility of any recovered data, potentially rendering it unreliable or inadmissible in a court of law.
Below are five ways in which the integrity of evidence can be questioned, if adequate safeguards are not in place.
1. Booting a Computer and Accessing Files. Turning a computer on, opening and viewing files, and installing analysis software on a hard drive are a few ways pivotal data can be changed. For example, booting a computer causes the operating system to write to the hard drive, which can overwrite data that would have remained recoverable had the machine not been started. Additionally, opening or handling files can change important metadata fields, such as the create dates or modified dates associated with those files.
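The metadata damage described above is easiest to demonstrate by recording a baseline of the fields an examiner must later vouch for (size, timestamps, content hash) before anyone touches the file, then comparing again afterwards. The script below is an added example, not code from the original article; the spreadsheet file, its contents and the "application rewrites the file on open" step are all constructed for the demonstration.

```python
"""Added example: baseline evidence-file metadata, then show which fields an
application altered when it 'opened' the file. File and contents are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash file contents in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: str) -> dict:
    """Capture the metadata fields an examiner must be able to show were preserved."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,   # last content modification
        "ctime_ns": st.st_ctime_ns,   # last inode/metadata change on POSIX systems
        "sha256": sha256_of(path),
    }


def changed_fields(before: dict, after: dict) -> set:
    """Return the names of every field that differs between two snapshots."""
    return {k for k in before if before[k] != after[k]}


def demo() -> set:
    """Constructed scenario: baseline a file, then let an application rewrite it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "budget.xlsx")      # constructed evidence file
        with open(path, "wb") as fh:
            fh.write(b"original spreadsheet bytes")  # constructed content
        before = snapshot(path)

        # An office application "opening" the document and saving recovery data
        # rewrites the file: exactly the kind of alteration the article warns about.
        with open(path, "wb") as fh:
            fh.write(b"original spreadsheet bytes plus autosave block")
        after = snapshot(path)
        return changed_fields(before, after)


if __name__ == "__main__":
    print("fields altered by opening the file:", sorted(demo()))
```

Taking the baseline through a read-only path (hashing and `os.stat` only) is what keeps the baseline itself from becoming the first alteration; the same comparison run against the working copy at the end of an examination shows whether the analysis left it untouched.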
2. Opening a Hard Drive Outside of a Cleanroom Environment. Data reliability is a key consideration in every case involving electronic evidence. A "cleanroom" is a controlled environment that ensures reliability is maintained by regulating factors that can otherwise damage sensitive evidence. If there is physical damage to the drive, the drive should always be opened in a cleanroom setting to ensure extracted data is protected from elements such as airborne particles, temperature, humidity, air pressure, airflow patterns, vibration, noise, and lighting. Opening a drive outside of this environment can damage the drive and/or supporting hardware, destroy data and void the warranty on the drive.
3. Failing to Conduct an Analysis on a Mirror Image Copy. A forensic mirror image of a hard drive is an exact, bit-by-bit copy of the drive. The mirror image copy provides a complete "snapshot" of the drive, captures both active and deleted data, and ensures the integrity of evidence is preserved. Computer forensic investigators should always conduct their investigation on the image copy, making certain metadata information is properly preserved on the original piece of media.
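The difference between a bit-by-bit image and a mere copy of the files is the point of item 3, and the following added example (not the article's own code) makes it concrete with an in-memory toy "drive": one live file in the directory and the residue of a deleted e-mail sitting in unallocated space. The drive layout, file names, e-mail fragment and 512-byte block size are all constructed; the imaging loop hashes what it reads, as acquisition tools do, so the image can be verified against the original afterwards.

```python
"""Added example: toy drive, logical (file-level) copy vs bit-for-bit image,
and SHA-256 verification of the image. All data is constructed in memory."""
import hashlib
import io

BLOCK = 512  # imaging block size, as with dd's bs=512


def build_toy_drive() -> tuple:
    """Constructed 8 KiB 'drive': one active file plus residue of a deleted one."""
    drive = bytearray(16 * BLOCK)
    active = b"Q3 forecast: revenue flat, headcount unchanged."
    deleted = b"From: cfo@example.test\nSubject: shred the Q3 numbers before audit\n"
    drive[0:len(active)] = active                           # allocated to /docs/forecast.txt
    drive[10 * BLOCK:10 * BLOCK + len(deleted)] = deleted   # unallocated: file was deleted
    directory = {"/docs/forecast.txt": (0, len(active))}   # only live files appear here
    return bytes(drive), directory


def logical_copy(drive: bytes, directory: dict) -> dict:
    """What a 'copy the files' approach captures: live file contents only."""
    return {name: drive[off:off + ln] for name, (off, ln) in directory.items()}


def forensic_image(source: io.BufferedIOBase, dest: io.BufferedIOBase) -> str:
    """Copy every block from source to dest and return the SHA-256 of what was read."""
    h = hashlib.sha256()
    while True:
        block = source.read(BLOCK)
        if not block:
            break
        dest.write(block)
        h.update(block)
    return h.hexdigest()


def verify_image(original: bytes, image: bytes, acquisition_hash: str) -> bool:
    """Acquisition hash, original hash and image hash must all agree."""
    return (hashlib.sha256(original).hexdigest() == acquisition_hash
            == hashlib.sha256(image).hexdigest())


def demo() -> dict:
    """Image the toy drive, verify it, and search both copies for the deleted e-mail."""
    drive, directory = build_toy_drive()
    files = logical_copy(drive, directory)
    image_buf = io.BytesIO()
    acq_hash = forensic_image(io.BytesIO(drive), image_buf)
    image = image_buf.getvalue()
    needle = b"shred the Q3 numbers"
    return {
        "image_verified": verify_image(drive, image, acq_hash),
        "deleted_mail_in_logical_copy": any(needle in data for data in files.values()),
        "deleted_mail_in_image": needle in image,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verified hash is what ties every later finding back to the original media: analysis proceeds on the image, the original goes back into storage, and anyone can re-hash either one to show that nothing changed in between.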
4. Neglecting to Maintain a Proper Chain of Custody. In any computer forensic investigation, the media at issue must be properly secured and a proper chain of custody must be maintained. Failure to do so gives the opposing party an opportunity to point out holes in your case, or a court may find the evidence lacks the reliability required for admission. When documenting the chain of custody on a piece of media, indicate where the media has been, whose possession it has been in, and the reason for possession.
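A chain-of-custody record that captures the three things item 4 calls for (where the media has been, who held it, and why), plus the evidence hash confirmed at each hand-over, can be checked mechanically for the two defects that get raised in court: a hand-over nobody documented and an image that no longer hashes as it did at acquisition. The code below is an added example, not the article's own; all custodian names, locations, times and the image bytes are constructed.

```python
"""Added example: minimal chain-of-custody log plus a checker for custody gaps
and hash mismatches. Names, times, locations and image bytes are constructed."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: str    # ISO 8601, UTC, so entries sort lexically
    released_by: str  # whose possession the media left
    received_by: str  # whose possession it entered
    location: str     # where the media has been
    reason: str       # reason for possession
    sha256: str       # hash of the evidence image verified at hand-over


def evidence_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def verify_chain(entries: list, acquisition_hash: str) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    if not entries:
        return ["no custody entries recorded"]
    for i, e in enumerate(entries):
        if e.sha256 != acquisition_hash:
            problems.append(f"entry {i} ({e.received_by}): hash differs from acquisition hash")
        if i > 0 and e.released_by != entries[i - 1].received_by:
            problems.append(
                f"entry {i}: released by {e.released_by} but last custodian was "
                f"{entries[i - 1].received_by}")
        if i > 0 and e.timestamp < entries[i - 1].timestamp:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
    return problems


def demo() -> tuple:
    """Constructed scenario: one intact chain and one with a gap and a bad hash."""
    image = b"constructed forensic image bytes"   # stands in for the acquired image file
    h0 = evidence_hash(image)
    good = [
        CustodyEntry("2024-03-01T09:00:00Z", "R. Patel (IT)", "J. Kim (examiner)",
                     "client server room", "acquisition of HR laptop drive", h0),
        CustodyEntry("2024-03-01T13:30:00Z", "J. Kim (examiner)", "evidence locker #4",
                     "forensics lab", "secure storage pending analysis", h0),
        CustodyEntry("2024-03-04T08:15:00Z", "evidence locker #4", "J. Kim (examiner)",
                     "forensics lab", "analysis on working copy", h0),
    ]
    # Defective chain: an undocumented hand-over, and an image that no longer hashes the same.
    bad = good[:1] + [
        CustodyEntry("2024-03-04T08:15:00Z", "A. Lopez (paralegal)", "J. Kim (examiner)",
                     "forensics lab", "analysis", evidence_hash(image + b"\x00")),
    ]
    return verify_chain(good, h0), verify_chain(bad, h0)


if __name__ == "__main__":
    ok, broken = demo()
    print("intact chain problems:", ok)
    print("defective chain problems:", broken)
```

Recording the hash at every hand-over, not only at acquisition, is what lets each custodian show the media was unchanged while in their possession rather than leaving the whole period as one unexplained gap.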
5. Ignoring Alternative Sources in the Event of Evidence Destruction. In some cases, the best piece of evidence may have been destroyed before an investigation begins. Fortunately, digital clues can materialize in multiple places, so identifying all sources where critical information may be located can be vital to an investigation. For example, even if an ex-employee completely reformats a hard drive in an attempt to cover up incriminating e-mails, those e-mails may still be available from other sources, such as company back-up tapes or other media, and a computer forensic expert may be able to recover them from there.