As system administrators, do we really have to worry about collecting evidence? Maybe not… BUT what if you’re asked by your company’s general counsel (an authorized requester) to collect all non-business data (emails and files) from an employee’s laptop? AND what if you come across some adult porn? You start copying the images onto a USB thumb drive… You then find a folder on their desktop with a bunch of saved emails titled “I missed you last night”… Well, those seem like personal emails… Let me copy that over… You dig around a bit more and come across a folder labeled “Desktop Images” containing a bunch of JPEGs. You double-click the first image and it’s a picture of a clearly under-aged minor having sex with the employee. Now what do you do? Call the attorney IMMEDIATELY! This laptop is now evidence in a criminal matter. Possible charges could include possessing child pornography and sex with a minor, for starters.

Anyone who has ever watched a police show knows… “Don’t touch anything… you’ll leave fingerprints behind!” Pretty basic stuff. Most of us know about bloodstains and DNA evidence. Thank you, OJ! We know about carpet fibers and lost articles of clothing. We know about tire tracks. The list goes on and on, but do we really know how to secure digital evidence? Well, luckily for us the National Institute of Justice (part of the U.S. Department of Justice) publishes many helpful documents that can help us better understand the dos and don’ts of collecting digital evidence.

NOTE: the National Institute of Justice is the research and development arm of the DOJ.

Browsing through some of the NIJ’s white papers, I came across a document that all system administrators should read… Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. It can be found at: www.ncjrs.gov/pdffiles1/nij/219941.pdf

The guide is pretty straightforward. It offers up some fairly common-sense checklists combined with a lot of “Oh yeah, I probably would have forgotten that” reminders.

So what did I learn from reading the guide?

Always have a digital camera with you… Sure, many cell phones have cameras built in, but you’ll need something with a bit more resolution. Take pictures of everything… Why not? It doesn’t cost you anything!

Look around for cell phones and MP3 players… They can contain data beyond what their intended purpose suggests. Be careful though! You want to make sure that you don’t overstep the authority provided by your authorization. Even if it’s not a criminal investigation… you could violate a person’s right to privacy (their 4th Amendment rights) even if there’s no expectation of privacy!

There are some who say turn everything off… power down the computer. You may need to do that if files are being deleted. BUT powering down the computer may not always be the best thing to do. Check and see what’s on the screen first. What you’re looking for may be right in front of your nose.

Chapter 7 of the guide details the types of evidence you may need (both physical and digital) for various types of crimes! I think the real learning from going over the lists is opening your mind (Why would medical records be next to the computer?)… using your common sense (Well, there’s a box of 100 SIM cards and a box of cell phones next to the computer)… keeping your eyes open (Let me grab that USB thumb drive too).

The First Responders guide is a great place to start… The NIJ has plenty of other white papers if you find this one interesting. They can be found at: http://www.ojp.usdoj.gov/nij/

BTW, getting back to the opening paragraph… Always image the drive first! Always work from a copy! You’ll change the time stamps on the originals if you don’t ;-)