Welcome to New Horizons!

Best practices for handling evidence when a computer crime occurs

As a database professional, you aren’t necessarily a legal expert. Yet, you may find yourself in a situation where you need to respond to a computer crime incident, assist with an investigation, or pass information to either an internal investigative committee or a judicial proceeding. If you don’t handle evidence properly, chances are you won’t be very successful in prosecuting the perpetrator. We’ll provide some guidelines to help manage evidence related to a computer crime.

Computer forensics defined

According to Wikipedia, computer forensics is the "application of the scientific method to digital media in order to establish factual information for judicial review." In practice, this means investigating computer systems to determine whether they are, or have been, used for illegal or unauthorized activities.

If a data-related crime is committed, you may work with a computer forensics expert, who will:

  1. Identify sources of evidence.
  2. Preserve the evidence.
  3. Analyze the evidence.
  4. Present the findings.

Computer forensics must adhere to the standards of evidence that are admissible in a court of law. As such, computer forensics must be techno-legal in nature rather than purely technical or purely legal.

As a DBA, you may also want to apply the principles of computer forensics to help enforce your organization's established policies.

Types of evidence

Evidence is anything that proves or disproves an assertion or fact. With respect to a legal proceeding, evidence must meet these criteria:

  • Sufficiency. The evidence must be convincing and unquestionable.
  • Competency. The evidence must be legally qualified and reliable.
  • Relevancy. The evidence must be material to the case or have a bearing on the matter at hand.

As you may suspect, not all evidence is created equal. The most convincing evidence is that which can be proven directly through the five senses: hearing, smelling, seeing, touching, and tasting. This type of evidence is described below along with other (less convincing) types of evidence:

  • Direct evidence. Knowledge of the facts surrounding an incident, e.g. an eyewitness's oral testimony. The witness must have obtained the knowledge through his five senses rather than through inferences or presumptions.
  • Physical evidence. Real, tangible objects that prove or disprove a fact, e.g. an intruder’s possession of stolen data. This type of evidence links the suspect to the crime.
  • Documentary evidence. Evidence in the form of printed documentation — e.g. audit logs or video surveillance tapes. This is the most common type of evidence associated with computer crime.
  • Demonstrative evidence. Aids that prove that an incident occurred — e.g., models, exhibits, and charts. This type of evidence is typically presented to a jury to help them understand the facts.

Guidelines for handling evidence

You may be called upon to present evidence to an internal investigative team or to a court of law. In the former case, you need to be able to answer many questions regarding the evidence; in the latter case, you need to demonstrate credibility. To prepare for either situation, you should be familiar with established guidelines for handling evidence.

Collecting evidence

If you're involved in investigating an incident, you'll need to gather as much evidence as you can. It's critical that you start the process early because, in all likelihood, the individual who committed the crime will try to conceal their involvement. As time passes, the evidence becomes susceptible to tampering or even destruction. Here are some actions you can take immediately upon discovering an incident:

  • Print copies of audit logs, as they may be subpoenaed. A backup of the database or transaction logs may also be helpful.
  • Secure all types of removable media (CDs, USB flash drives, floppy disks, etc.).
  • Look for relevant physical evidence on the desk and surrounding areas. It can be helpful to take photos of the target system from several different angles both inside and outside the machine. If possible, use a Polaroid camera; otherwise, the defense team can claim the photos were altered during film development.

Identifying evidence

While you're collecting evidence, it's critical that you identify each item and its relation to the crime scene. You should be as methodical as possible and enlist the help of another individual who can serve as a witness to your actions. As you collect each piece of evidence, label it and record information about it in a log book. The information you log should minimally include the following entries:

  • Item name and description.
  • Name of individual who discovered it.
  • Date, time, and location of discovery.
  • Make, model, and serial number if available.
  • Identifying marks on the item.
  • Any perceivable physical damage to the item.

Tip:
Besides being a backup for missing labels, the log book can help you review information about the evidence prior to a formal hearing.


Protecting evidence

After you’ve collected and identified the evidence, you need to protect it from damage. Damage may result from environmental factors, such as extreme temperatures or variations in humidity, or from physical factors, such as vibration or electromagnetic fields. The best way to protect evidence is to handle it with anti-static gloves (as opposed to latex gloves).

Transporting evidence

If you need to transport the evidence, make sure that you use proper packing techniques. Even if the evidence is in a sealed bag or other type of container, avoid using foam peanuts, as doing so increases the chances that the evidence becomes tainted. Use solid foam padding to wrap the evidence container, and then store the container in a sturdy cardboard box. Label the box contents, using the log book entries you created earlier in the process.

Storing evidence

In addition to storing evidence in sealable anti-static bags and packaging it appropriately, you should keep it in a secure room. The evidence room should have minimal traffic, restricted access, camera monitoring, and entry logging capabilities.

Chain of custody

Another component of managing evidence is the concept of chain of custody. Chain of custody refers to an accounting of all persons and events related to the handling of the evidence from the time it is first collected to the time it’s submitted to the court. Here’s a list of critical steps in the chain of custody process:

  1. Record each item collected as evidence.
  2. Record who collected the evidence along with the date and time of collection.
  3. Write a description of the evidence in your log book.
  4. Put the evidence in containers; tag the containers with the name of the person who collected the evidence as well as the date and time.
  5. Record all hash values in the documentation.
  6. Securely transport the evidence to a protected storage facility.
  7. Obtain a signature from the person who accepts the evidence at the storage facility.
  8. Provide controls to prevent access to the evidence while it’s in storage.
  9. Securely transport the evidence to the court for legal proceedings.
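The evidence log entries listed under "Identifying evidence" and the custody steps above translate naturally into a small append-only record. The following is an added example (not code from the original post or from New Horizons) of such a record: it captures the minimum log fields, stores the SHA-256 of the item's image at collection (step 5), refuses a hand-off from anyone who is not the current custodian, and re-hashes the item on demand to show it is unchanged. The field names, the JSON layout, and the use of SHA-256 are assumptions of this example, not requirements stated in the article.

```python
"""Chain-of-custody log for an evidence item.

Added example; not part of the original post. Assumptions (not from the article):
the log is a JSON document kept beside the evidence, every hand-off names the
releasing and accepting person, and the integrity value is SHA-256 of the item's image.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of one evidence item and every hand-off it goes through."""

    def __init__(self, item_id, description, collected_by, location, image_path,
                 make_model_serial="n/a", identifying_marks="none", damage="none"):
        # The article's minimum log entries, plus the hash recorded in custody step 5.
        self.item = {
            "item_id": item_id,
            "description": description,
            "collected_by": collected_by,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "location": location,
            "make_model_serial": make_model_serial,
            "identifying_marks": identifying_marks,
            "damage": damage,
            "sha256": sha256_of_file(image_path),
        }
        self.transfers = []  # one entry per hand-off (steps 6, 7 and 9)

    def current_custodian(self):
        return self.transfers[-1]["accepted_by"] if self.transfers else self.item["collected_by"]

    def transfer(self, released_by, accepted_by, purpose):
        """Record a hand-off; only the current custodian can release the item."""
        if released_by != self.current_custodian():
            raise ValueError(f"{released_by} is not the current custodian "
                             f"({self.current_custodian()})")
        self.transfers.append({
            "released_by": released_by,
            "accepted_by": accepted_by,           # the signature in step 7
            "at": datetime.now(timezone.utc).isoformat(),
            "purpose": purpose,
        })

    def verify_item(self, image_path):
        """Re-hash the image and compare with the value recorded at collection."""
        return sha256_of_file(image_path) == self.item["sha256"]

    def to_json(self):
        return json.dumps({"item": self.item, "transfers": self.transfers}, indent=2)


def demo():
    """Walk an item through collection, intake and verification on constructed data."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "item-001.img")
    with open(image, "wb") as f:
        f.write(b"constructed sample image data\n" * 64)  # constructed, not real evidence

    log = CustodyLog("EV-001", "USB flash drive found on desk", "dba.jane",
                     "Server room B, desk 4", image, make_model_serial="ACME/Flash16/SN-TEST")
    log.transfer("dba.jane", "evidence.clerk", "intake at evidence room")

    rejected = False
    try:
        log.transfer("dba.jane", "someone.else", "out-of-order release")  # no longer custodian
    except ValueError:
        rejected = True

    tampered = os.path.join(workdir, "item-001-tampered.img")
    with open(image, "rb") as src, open(tampered, "wb") as dst:
        dst.write(src.read()[:-1] + b"X")  # constructed one-byte alteration

    return {
        "custodian": log.current_custodian(),
        "rejected_out_of_order": rejected,
        "verified_original": log.verify_item(image),
        "verified_tampered": log.verify_item(tampered),
        "hash_length": len(log.item["sha256"]),
        "transfers": len(log.transfers),
        "json": log.to_json(),
    }


if __name__ == "__main__":
    print(demo()["json"])
```

The log deliberately has no method for editing or deleting an entry; a real implementation would also sign or externally timestamp each record so the log itself can be shown not to have changed between collection and the hearing.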

Special considerations for digital media

In crimes involving stolen data, magnetic and optical discs become key pieces of evidence. Here are some practical guidelines for protecting evidence related to digital media:

  • Don’t power down a system before you perform a RAM memory dump.
  • Never use diagnostic tools or utilities to analyze a system; doing so can compromise the true state of the data at the time the crime was discovered.
  • Use a bit-level, sector-based imaging utility to capture the state of the data; make several copies of the drive and analyze only the copies.
  • Don't restart the machine and boot back into the operating system, as this can also change the true state of the media.

Related Courses
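The third guideline above (a bit-level, sector-based image, several copies, analysis only of the copies) is demonstrated here as an added example, not code from the original post or from New Horizons. It copies a source one 512-byte sector at a time, zero-fills and records any sector that cannot be read (the same approach as dd's conv=noerror,sync, so offsets in the image stay aligned with the source), then checks every working copy against the hash of the master image. The 512-byte sector size, the simulated read error, and the sample "device" contents are assumptions constructed for the example; on a real drive a hardware write blocker is still needed, since opening the source read-only only stops this program from writing, not the operating system.

```python
"""Sector-based imaging with bad-sector handling and copy verification.

Added example; not part of the original post. Assumptions (not from the article):
512-byte sectors, unreadable sectors are zero-filled and logged, and working copies
are verified by SHA-256 against the master image before any analysis.
"""
import hashlib
import os
import shutil
import tempfile

SECTOR = 512


def sha256_of_file(path):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sector(f, offset):
    """Read one sector; pad a short final sector with zeros (like conv=sync)."""
    f.seek(offset)
    return f.read(SECTOR).ljust(SECTOR, b"\x00")


def image_device(source_path, image_path, reader=read_sector):
    """Copy source_path to image_path sector by sector.

    `reader(f, offset)` lets a caller inject media errors; an OSError from it is
    treated as an unreadable sector. Returns the list of bad sector numbers.
    """
    bad_sectors = []
    total = (os.path.getsize(source_path) + SECTOR - 1) // SECTOR
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for n in range(total):
            try:
                data = reader(src, n * SECTOR)
            except OSError:
                bad_sectors.append(n)
                data = b"\x00" * SECTOR  # keep the image the same size as the source
            dst.write(data)
    return bad_sectors


def verify_copies(master_path, copy_paths):
    """Return {copy_path: True/False} comparing each copy's hash to the master's."""
    master_hash = sha256_of_file(master_path)
    return {p: sha256_of_file(p) == master_hash for p in copy_paths}


def demo():
    """Image a constructed 8-sector 'device' with one simulated unreadable sector."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")
    with open(device, "wb") as f:
        for n in range(8):  # constructed content, one recognizable byte per sector
            f.write(bytes([0x41 + n]) * SECTOR)

    def flaky_reader(f, offset):
        if offset // SECTOR == 3:
            raise OSError("simulated read error")  # constructed media fault
        return read_sector(f, offset)

    master = os.path.join(workdir, "master.img")
    bad = image_device(device, master, reader=flaky_reader)

    good_copy = os.path.join(workdir, "work-1.img")
    altered_copy = os.path.join(workdir, "work-2.img")
    shutil.copyfile(master, good_copy)
    shutil.copyfile(master, altered_copy)
    with open(altered_copy, "r+b") as f:  # constructed alteration of one byte
        f.seek(5 * SECTOR)
        f.write(b"\xff")

    with open(master, "rb") as f:
        sector3 = read_sector(f, 3 * SECTOR)

    return {
        "bad_sectors": bad,
        "image_size": os.path.getsize(master),
        "sector3_zeroed": sector3 == b"\x00" * SECTOR,
        "copies_ok": verify_copies(master, [good_copy, altered_copy]),
        "good_copy": good_copy,
        "altered_copy": altered_copy,
    }


if __name__ == "__main__":
    print(demo())
```

The list of bad sectors belongs in the evidence log next to the hash: an examiner who later finds zeros at those offsets needs to know they came from the imaging step, not from the original media.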

  • Computer Hacking Forensics Investigator
  • Forensics Bootcamp