
1 Chapter 9 Electronic Evidence, Electronic Records Management, and Computer Forensics

2 Introduction
- Legal actions can also expose a company's information assets
- In a legal action, the opposing party may enter a discovery request (an official request for access to information that may be considered as evidence) for e-mail or other electronic data
  – The company is required by law to retrieve and produce that evidence

3 Intro (2)
- The cost could be huge if the company has to sort through several years' worth of e-mail and files to remove confidential material
- Courts now impose severe sanctions, including criminal penalties, for improper destruction of electronic documents
- Term: e-evidence: electronic documents used as evidence; information stored electronically on any type of computer device that can be used as evidence in a legal action

4 Intro (3)
- By 2003, e-mail evidence had become so prevalent that it was known as evidence-mail
- Most corporate employment cases now have some "smoking e-mail" component to them
- In legal actions, evidence-mail or other e-evidence is as powerful as a smoking gun or DNA testing and as hard to refute or deny
- Term: computer forensics: the discovery, recovery, preservation, and control of electronic documents for use as evidence
- They read in class pg. 138 Case on Point

5 Electronic Evidence
- All computer-based activities leave some sort of electronic trace
- Discuss the trace of:
  – e-mail
  – invoices
  – viruses
  – hacker attacks
- The trace could be found as the contents of e-mails or files
- The trace could be found as audit trails in log files

6 Electronic Evidence (2)
- The trace could also be meta-data: descriptions or properties of data files or e-mail
  – Examples are the dates/times an e-mail or file was created or accessed
- When subpoenaed in a legal action, these become e-evidence
- Reinforces the need for AUP enforcement and user training to ensure compliance
- Read last paragraph of pg. 139 Case on Point
- Note: e-mail is specifically targeted for evidence in federal civil litigation cases because highly placed executives and employees discuss issues candidly, even if they are discussing confidential, incriminating, or criminal issues

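The two kinds of trace the slides name, audit-trail style metadata and the properties of an e-mail or file, can be pulled out with ordinary tooling. The following Python is an added example, not part of the lecture or the textbook it follows: the e-mail message, the addresses and the file contents are constructed samples, and the field names in the returned dictionaries are this example's own choice.

```python
import email
import os
import tempfile
from datetime import datetime, timezone
from email import policy

# Constructed sample message (not from the page). Its headers are the metadata
# an investigator looks at: sender, recipient, timestamps, message id, and the
# relay trail left in the Received header.
SAMPLE_EMAIL = b"""\
Received: from mail.example.test (mail.example.test [192.0.2.10])
\tby mx.example.test with ESMTP id abc123
\tfor <cfo@example.test>; Mon, 03 Mar 2003 09:15:02 -0500
From: "A. Employee" <a.employee@example.test>
To: cfo@example.test
Date: Mon, 03 Mar 2003 09:14:55 -0500
Message-ID: <20030303091455.1234@example.test>
Subject: Q1 numbers

Please see the attached before the audit call.
"""


def email_metadata(raw: bytes) -> dict:
    """Pull the header fields that say who sent what to whom, and when (UTC)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sent = msg["Date"].datetime.astimezone(timezone.utc)
    return {
        "sender_addr": sender.addr_spec,
        "sender_name": sender.display_name,
        "to": str(msg["To"]),
        "date_utc": sent.isoformat(),
        "message_id": str(msg["Message-ID"]).strip(),
        "received": [str(h) for h in msg.get_all("Received", [])],
        "subject": str(msg["Subject"]),
    }


def _iso_utc(timestamp: float) -> str:
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()


def file_metadata(path: str) -> dict:
    """File-system metadata: size and the modified/accessed/changed timestamps."""
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "modified": _iso_utc(st.st_mtime),
        "accessed": _iso_utc(st.st_atime),
        # On Windows st_ctime is creation time; on Unix it is inode change time.
        "changed_or_created": _iso_utc(st.st_ctime),
    }


def demo_file_metadata() -> dict:
    """Write a constructed file in a temp dir and read its metadata back."""
    content = b"Vendor report, constructed sample content\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vendor_report.txt")
        with open(path, "wb") as f:
            f.write(content)
        meta = file_metadata(path)
    meta["expected_size"] = len(content)
    return meta


if __name__ == "__main__":
    for k, v in email_metadata(SAMPLE_EMAIL).items():
        print(f"{k:>12}: {v}")
    print(demo_file_metadata())
```

The point for records management is that neither set of values is under the author's control: the Date header and the Received trail are written by mail software, and the file timestamps by the operating system, which is why they carry weight as evidence.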
7 Discovery of Electronic Business Records for Use as Evidence
- With few exceptions, e-mail communications and electronic business documents count as business records
- The five requirements are listed at the top of pg. 140 in the Legal Brief
- Business record examples: P.O.s (purchase orders), human resource files, vendor reports, sales reports, and inventory/production schedules

8 Discovery (2)
- The Federal Rules of Evidence dictate that business records are subject to discovery
- Discovery is the legal process whereby each party learns (or collects) as much information as possible about an opponent prior to a trial
- Any party in a legal action against a company or its employees can request discovery of information stored on computers, PDAs, cell phones, fax machines, voice mail, or any other electronic devices or communication systems

9 Consequences of Failing to Comply w/ Discovery Requests
- Hundreds of US companies face discovery requests each day
- Failure to comply will bring additional legal problems
- How do you handle things that you do not want to do? What would you do if faced with a discovery request?
- Must respond to a discovery request by the specified date or face more serious legal problems

10 Discovery Failure Consequences
- One risk is obstruction of justice: a crime punishable by prison time
- Spoliation is another: the intentional destruction of evidence
- Spoliation is so serious that most lawyers would rather face a smoking gun than spoliation
- The law specifies that companies cannot destroy what they can reasonably expect to be subpoenaed

11 Consequences (2)
- Must retain all relevant documents and e-documents when they know or should know that they might become necessary as evidence in the future
- A problem: companies must retain records (e-mails too) which might be destroyed when backup tapes get reused

12 Preserving and Disclosing E-Evidence
- When an organization receives an electronic discovery request, it must preserve potential evidence
- If it doesn't, it could be charged with obstruction of justice
- The next step is disclosure, which requires locating all sources and locations of electronic data and getting it into readable format
  – Locating data on desktops, laptops, PDAs, network hard disks, removable media, etc.
  – Fig 9.1 lists common locations for Recovery of E-Documents or E-mail, p. 142

13 Federal Rules of Civil Procedure: "The Rules"
- Rule 34 was amended to include electronic records
  – The amendment to Rule 34 of the Federal Rules of Civil Procedure made electronically stored information subject to "subpoena and discovery" for use in legal proceedings

14 Unsettled Legal Issues Add Complexity and Risk
- Have the class read this section on pg. 143 and then discuss the following:
  – What would you do as a system manager to prepare for this possibility?
  – Think of earlier in the semester when communicating possible consequences to your boss: does this material alter your response in justifying a cybersecurity program? Do you now have stronger examples to use in your discussion with your boss?

15 Other Legal Issues w/ Significant Consequences, p. 144
- Class: read the two bullets and then close your books; I read after they have closed their books
- Steve, click to see what page to read: pg. 144 Legal Brief
- After the first few sentences, when the employee is fired, what does the class think?
- Read the 2nd paragraph too

16 Electronic Records Management (ERM), p. 144
- DEFN: ERM is a "systemic review, retention, and destruction of documents received or created in the course of business."
- Consists of a range of policies, procedures, classification schemes, and retention and destruction schedules for electronic records
- ER retention and destruction policies can reduce costs and disruptions significantly
- ERM reduces costs when information can be promptly found, preserved, and protected against accidental deletion
- Disruptions are avoided when the process works smoothly and normal backup procedures can go on without bringing company information systems to a halt

17 ERM (2)
- DuPont study: found that more than 50% of the documents the company had collected for discovery requests between 1992 and 1994 should never have been retained
- DuPont estimated that it cost the company between $10 million and $12 million over those three years in unnecessary retention and production costs

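Slides 10, 11 and 16 together describe the mechanics of ERM: a retention schedule per record class that drives destruction, with the overriding rule that anything the company should expect to be subpoenaed is frozen. The Python below is an added example, not code from the lecture or the textbook; the retention periods, record classes, custodians and the legal-hold matter name are all constructed, and a real schedule would come from counsel and the records manager.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (assumed values, not from the page):
# years a record class is kept after its creation date.
RETENTION_YEARS = {
    "email": 3,
    "purchase_order": 7,
    "hr_file": 10,
    "sales_report": 5,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    created: date
    custodian: str          # employee whose files these are


@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset   # records of these custodians are frozen


def destruction_date(rec: Record) -> date:
    """Date on which the schedule allows the record to be destroyed."""
    years = RETENTION_YEARS[rec.record_class]
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:      # created on 29 Feb and the target year is not a leap year
        return rec.created.replace(year=rec.created.year + years, day=28)


def holds_for(rec: Record, holds: list) -> list:
    return [h.matter for h in holds if rec.custodian in h.custodians]


def review_for_destruction(records: list, holds: list, today: date) -> dict:
    """Map record id -> (decision, reason); decision is destroy, retain or held.

    The legal-hold check runs before the schedule check on purpose: a record that
    is past its retention date but touched by a hold must still be kept, because
    destroying it is spoliation regardless of what the schedule says.
    """
    decisions = {}
    for rec in records:
        matters = holds_for(rec, holds)
        if matters:
            decisions[rec.record_id] = ("held", "legal hold: " + ", ".join(matters))
        elif rec.record_class not in RETENTION_YEARS:
            decisions[rec.record_id] = ("retain", "unclassified record; schedule review needed")
        elif destruction_date(rec) <= today:
            decisions[rec.record_id] = ("destroy", f"retention expired {destruction_date(rec)}")
        else:
            decisions[rec.record_id] = ("retain", f"retention runs until {destruction_date(rec)}")
    return decisions


# Constructed sample records, hold and review date.
SAMPLE_RECORDS = [
    Record("E-1001", "email", date(2019, 6, 1), "a.employee"),
    Record("PO-2020-17", "purchase_order", date(2020, 1, 1), "b.buyer"),
    Record("HR-0042", "hr_file", date(2010, 3, 15), "c.manager"),
    Record("X-7", "scan", date(2015, 1, 1), "d.clerk"),
]
SAMPLE_HOLDS = [LegalHold("Doe v. Example Corp (constructed)", frozenset({"c.manager"}))]
REVIEW_DATE = date(2024, 1, 15)

if __name__ == "__main__":
    for rid, (decision, reason) in review_for_destruction(SAMPLE_RECORDS, SAMPLE_HOLDS, REVIEW_DATE).items():
        print(f"{rid:<12} {decision:<8} {reason}")
```

Two design points carry the lecture's argument: the hold test is evaluated first so that no schedule rule can ever authorise destroying held material, and unclassified records default to retention rather than destruction, which is the conservative failure mode when the schedule has a gap.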
18 ERM Guide for Employees, p. 145
- I'll read this one line at a time and then let's discuss in class the ideas that come up
- Keep in mind:
  – Your current practices
  – Practices with regard to electronic information that your current or past employer has used (no need to tell us their names)
- Have there been changes over the years at the companies you have worked for?

19 ERM and AUP
- Read in class and discuss this paragraph

20 Computer Forensics, p. 146
- Computer forensics is the discovery, recovery, preservation, and analysis of digital documents, electronic media, or audit logs of computer/online activities
- You look at the range of cases in which it is used (bottom of pg. 146)
- You read the Cyberbrief on pg. 147
- You read the list of what can be revealed and recovered on pg. 147

21 Handling E-Evidence: The 3 C's
- Use of computer forensics by law enforcement is increasing for criminal cases, and by lawyers in civil cases
- For e-evidence to be admissible it must be recovered and handled in a way that complies with the rules of evidence
- Organizations may find and retrieve computer data easily

22 The 3 C's (2)
- To be used in a civil case, though, retrieving and preserving the e-evidence is more complex than just finding it
  – To be used in court, it might be necessary to have created an exact duplicate copy of the files as proof that the e-evidence has not been altered
  – An expert may be needed for computer forensic investigations
  – It may be wise to hire an objective outside investigator to prevent accusations that the company is deliberately trying to malign an employee

23 The 3 C's (3)
- There are legal protocols to follow to ensure that e-evidence is admissible
- Operations used to collect, analyze, control, and present e-evidence cannot modify the original item in any manner
- Any alteration to the primary source of evidence could contaminate it and render it inadmissible in court
- The 3 C's are:
  – Care, Control, and Chain of Custody

24 Care and Control
- The first steps are the most important
- Everyone who touches e-evidence can contaminate it
- To ensure care and control of e-evidence is maintained, investigators must know what they are doing before they do it
- Files and digital audit trails must be kept safe and secured

25 Chain of Custody
- A legal guideline to ensure that the material presented in court as evidence is the same as the evidence that was seized
- Requires documentation that the evidence is still in its original state
- Maintaining the chain of custody of e-evidence is more difficult than for physical evidence because it is more easily altered

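Slides 22 through 25 describe the practice without showing it: an exact duplicate is made and examined, the original is never touched, and a custody log documents each handler and proves the item is unchanged. The usual way to make "still in its original state" checkable is a cryptographic hash taken at collection and re-computed at every hand-off. The Python below is an added example, not the lecture's or the textbook's code; the evidence file, item id, handler names and notes are constructed, and the log format is this example's own.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled an item, when, and its hash at that moment."""

    def __init__(self, item_id: str, path: str):
        self.item_id, self.path, self.entries = item_id, path, []

    def record(self, action: str, handler: str, note: str = "") -> dict:
        entry = {
            "item": self.item_id,
            "action": action,
            "handler": handler,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(self.path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if the item's current hash matches the hash taken at collection."""
        return bool(self.entries) and sha256_file(self.path) == self.entries[0]["sha256"]


def demo() -> dict:
    """Walk one item through collection, transfer, and a later integrity check."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a seized mailbox file.
        original = os.path.join(d, "mailbox.pst")
        with open(original, "wb") as f:
            f.write(b"constructed mailbox contents, seized for a civil matter\n")

        # Examination is done on a duplicate; the original stays sealed.
        working = os.path.join(d, "mailbox.pst.copy")
        shutil.copyfile(original, working)

        log = CustodyLog("ITEM-001", original)
        log.record("collected", "investigator A", "sealed in antistatic bag")
        log.record("transferred", "evidence custodian B", "logged into evidence locker")
        verified_before = log.verify()
        copy_matches = sha256_file(working) == log.entries[0]["sha256"]

        # Simulate mishandling: someone opens the original and it changes by one byte.
        with open(original, "ab") as f:
            f.write(b"\n")
        verified_after = log.verify()

    return {
        "verified_before": verified_before,
        "copy_matches_original": copy_matches,
        "verified_after_alteration": verified_after,
        "entries": len(log.entries),
        "log_json": json.dumps(log.entries, indent=1),
    }


if __name__ == "__main__":
    result = demo()
    print(result["log_json"])
    print("intact before:", result["verified_before"], "| intact after:", result["verified_after_alteration"])
```

The log is only as good as its protection: in practice the entries are written to a store the handlers cannot edit, and the hash in the first entry is what the examiner's report cites, so that anyone can re-hash the exhibit and compare.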
26 Eliminating Electronic Records
- You read!

27 Read and go over the questions at the end of the chapter on pg. 151

28 Electronic Crime Scene Investigation: A Guide for First Responders
- U.S. Department of Justice, National Institute of Justice Guide
- http://www.ojp.usdoj.gov/nij
- Click Publications, then search NIJ publications for the title above

29 I. The Overview: The Latent Nature of Electronic Evidence
  – E-evidence is stored or transmitted by an electronic device
  – It is latent in the same sense that fingerprints or DNA are latent
  – In its natural state we cannot see what is contained in the physical object that holds our evidence
  – We need equipment and software to see the evidence

30 Latent Nature (2)
- E-evidence is by its very nature fragile
- It can easily be altered, damaged, or destroyed by improper handling or improper examination
- Special precautions should be taken to document, collect, preserve, and examine this type of evidence
- Failure to do so may render it unusable or lead to an inaccurate conclusion

31 The Forensic Process
- E-evidence poses special challenges for its admissibility in court
- To meet these challenges, proper forensic procedures must be followed
- These include but are not limited to four phases:
  – Collection
  – Examination
  – Analysis, and
  – Reporting

32 Collection
- This phase involves the search for, recognition of, collection of, and documentation of electronic evidence
- This phase can involve real-time and stored information that may be lost unless precautions are taken at the scene

33 Examination
- This process helps to make the evidence visible and explain its origin and significance
- It should document the content and state of the evidence in its totality
- This documentation allows all parties to discover what is contained in the evidence
- It includes the search for information that may be hidden or obscured

34 Examination (2)
- Once information is visible, the process of data reduction can begin
- This separates the "wheat" from the "chaff"
- This part of the examination is critical

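Slides 33 and 34 describe examination as two moves: look for what is hidden or obscured, then reduce the data so the investigative team only analyses what matters. Two standard techniques do this: filtering out files whose hashes match a known-file library, and flagging files whose content signature disagrees with their extension. The Python below is an added example, not part of the NIJ guide or the lecture; the "known" hashes are computed from made-up bytes standing in for a reference library (a real examination would load a published set such as NIST's NSRL), the file listing is constructed, and the signature table is deliberately short.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for stock operating-system files; hashing them at load
# time gives a small "known good" set so the example runs offline.
KNOWN_OS_FILES = {
    "kernel32.dll": b"constructed bytes standing in for an OS library",
    "notepad.exe": b"constructed bytes standing in for a stock application",
}
KNOWN_HASHES = {sha256(b) for b in KNOWN_OS_FILES.values()}

# Magic numbers for a few common types (assumption: a real tool uses a fuller table).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",   # also the container for .docx/.xlsx/.pptx
}
OFFICE_ZIP_EXTS = {"docx", "xlsx", "pptx"}

# Constructed listing of files recovered from an examined image: path -> contents.
IMAGE_FILES = {
    "C:/Windows/System32/kernel32.dll": KNOWN_OS_FILES["kernel32.dll"],
    "C:/Windows/notepad.exe": KNOWN_OS_FILES["notepad.exe"],
    "C:/Users/j/Documents/q1_numbers.xlsx": b"PK\x03\x04 constructed spreadsheet bytes",
    "C:/Users/j/Pictures/vacation.jpg": b"%PDF-1.4 constructed document renamed to look like a photo",
    "C:/Users/j/Desktop/notes.txt": b"call vendor re: shred the old invoices",
}
KEYWORDS = ["shred", "invoice"]   # constructed search terms for this matter


def detected_type(data: bytes):
    """Type implied by the leading bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def reduce_and_examine(files: dict, known_hashes: set, keywords: list) -> dict:
    """Drop known files, then flag disguised files and keyword hits in the rest."""
    result = {"known_filtered": [], "for_review": [], "extension_mismatch": [], "keyword_hits": {}}
    for path, data in sorted(files.items()):
        if sha256(data) in known_hashes:
            result["known_filtered"].append(path)     # chaff: stock file, nothing to analyse
            continue
        result["for_review"].append(path)             # wheat: user data the team must look at
        ext = path.rsplit(".", 1)[-1].lower()
        kind = detected_type(data)
        disguised = kind is not None and kind != ext and not (kind == "zip" and ext in OFFICE_ZIP_EXTS)
        if disguised:
            result["extension_mismatch"].append((path, ext, kind))
        hits = [k for k in keywords if k.encode() in data.lower()]
        if hits:
            result["keyword_hits"][path] = hits
    return result


if __name__ == "__main__":
    out = reduce_and_examine(IMAGE_FILES, KNOWN_HASHES, KEYWORDS)
    print(f"filtered {len(out['known_filtered'])} known files; {len(out['for_review'])} remain for review")
    for path, ext, kind in out["extension_mismatch"]:
        print(f"disguised: {path} claims .{ext} but content is {kind}")
    for path, hits in out["keyword_hits"].items():
        print(f"keyword hits in {path}: {hits}")
```

Everything here runs against the duplicate image, never the seized original, and the output is the documentation the slide asks for: which files were set aside and why, and which ones the examiner is handing to the analysis phase.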
35 Analysis
- Analysis differs from examination in that it looks at the product of the examination for its significance and probative value to the case
- Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team
- In some agencies, the same person or group will perform both these roles

36 Reporting
- A written report that outlines the examination process and the pertinent data recovered completes the examination
- Examination notes must be preserved for discovery or testimony purposes

37 II. The Introduction
- General forensic and procedural principles should be applied when dealing with electronic evidence
  – Actions taken to secure and collect electronic evidence should not change that evidence
  – Persons conducting an examination of electronic evidence should be trained for the purpose
  – Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review
  – Without the necessary skills and training, no responder should attempt to explore the contents of or recover data from a computer

38 What is Electronic Evidence, p. 6
- Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device
- It is often latent in the same sense as fingerprints or DNA evidence
- It can transcend borders with ease and speed
- It is fragile and can be easily altered, damaged, or destroyed
- It is sometimes time-sensitive

39 How is E-Evidence Handled at the Crime Scene
- Precautions should be taken in the collection, preservation, and examination of e-evidence
- Handling e-evidence at a crime scene normally consists of:
  – Recognition and identification of the evidence
  – Documentation of the crime scene
  – Collection and preservation of the evidence
  – Packaging and transportation of the evidence
- This document recommends that every agency identify local computer experts before they are needed. These experts should be "on call" for situations that are beyond the technical expertise of the first responder or department

40 Electronic Devices: Types and Potential Evidence (Chap 1)
- We know: many electronic devices require continuous power, such as battery or AC power, to maintain information
- Data can be lost by unplugging the power source or allowing the battery to discharge

41 Sample of Ideas from Chap 1
- User-created files may contain important evidence of criminal activity
  – Address books and database files may prove criminal association
  – Still or moving pictures may be evidence of pedophile activity
  – Communications between criminals, such as by e-mail or letters
  – Drug deal lists may often be found in spreadsheets
- File types: address books, audio/video files, calendars, database files, documents or text files, e-mail files, image/graphics files, Internet bookmarks/favorites, spreadsheet files

42 Computer-Created Files (Chap 1 samples)
- Backup files, configuration files
- Cookies
- Hidden files
- History files
- Log files
- Printer spool files
- Swap files
- System files
- Temporary files
- And more (don't forget digital watches and GPS systems!)

43 Chap 2 Investigative Tools and Equipment
- Documentation tools
  – Cable tags, indelible felt-tip markers, stick-on labels
- Disassembly and removal tools
  – Flat-blade and Phillips-type screwdrivers, hex-nut drivers
  – Needle-nose pliers, secure-bit drivers, small tweezers
- Package and transport supplies
  – Antistatic bags, antistatic bubble wrap, cable ties
  – Evidence bags and tape
  – Packaging tape and materials, sturdy boxes of various sizes
  – Avoid materials that can produce static electricity (like styrofoam or styrofoam peanuts)

44 Investigative Tools and Equipment (2)
- Other items
  – Gloves
  – Hand truck
  – Large rubber bands
  – Magnifying glass
  – Printer paper
  – Flashlight (small)
  – Unused floppy diskettes????
  – Other ideas, class?

45 Chapter 3 Securing and Evaluating the Scene
- The first responder should take steps to ensure the safety of all persons at the scene and to protect all evidence, both traditional and electronic
- After securing the scene and all persons, the first responder should visually identify potential evidence, both conventional and electronic, and determine if perishable evidence exists
- Evaluate the scene and formulate a search plan

46 Perishable Data
- Perishable data should be protected
- Perishable data may be found on pagers, caller ID boxes, electronic organizers, cell phones, and other similar devices
- Keep in mind that any device containing perishable data should be immediately secured, documented, and/or photographed
- If it is off, leave it off. If it is on, leave it on
- Identify telephone lines attached to devices such as modems and caller ID boxes
- Document, disconnect, and label each telephone line from the wall rather than the device, when possible
- Look for other communication lines and LAN/Ethernet connections

47 Collecting Evidence
- Keyboards, mouse, disks, CDs, or other components may have latent fingerprints or other physical evidence that should be preserved
- Chemicals used in processing latent prints can damage equipment and data, so prints should be collected after electronic evidence recovery is complete

48 Chapter 4: Documenting the Scene
- This creates a permanent historical record of the scene
- It is done throughout the investigation
- It is important to be accurate in recording the location and condition of computers, storage media, and other electronic devices and conventional evidence
- Make notes of the position of the mouse and other components of the system (what might a mouse on the LHS signify?)

49 Documentation (2)
- Document the condition and location of the computer system, including power status (off, on, sleep)
  – Look for status lights, listen for the fan; if the computer is warm but not on, that is an indication that it was recently turned off
- Photograph the entire scene to create a visual record (with 360 degrees of coverage)
- Photograph the front of the computer as well as the monitor screen, and make notes of what appears on the monitor
  – Active programs may require videotaping
- Be careful about moving a running computer. Why?

50 Chapter 5: Evidence Collection
- How to shut down a computer and remove power

51 Chapter 6: Packaging, Transportation and Storage
- Preparing a computer for transportation and storage

52 Chapter 7: Forensic Examination by Crime Category
- Lists of things to look for based on types of possible criminal activity, pg. 37

53 Conclusion
- Remember, this document is available online at the DOJ website mentioned above
- You might find other interesting materials at this web site as well related to cyber security and IT
- OK, based on the chapter 9 material we discussed, guides to ERM: here is one for the state of GA
  – http://www.usg.edu/usgweb/busserv/series/index.phtml
- Also
  – http://osulibrary.oregonstate.edu/archives/handbook/
