Electronic data collection in a nutshell

A summer Thursday seems to be a good day for a short recap of best practice for electronic evidence gathering, following a review of the guidelines titled “Electronic evidence – a basic guide for First Responders. Good practice material for CERT first responders” issued some time ago by the European Union Agency for Network and Information Security (ENISA).

The recap needs to be short, so to the point:

  • Principle 1 – Data Integrity

We need to ensure that the data has not been changed at any point throughout the process, starting with capturing the data source (e.g., collection of electronic devices or granting access to the cloud repository), through data handling and funnelling and review of the content, and finally the presentation of our findings. We must bear in mind that ultimately we might need to be able to demonstrate the data integrity in court or elsewhere, e.g., using a hash checksum or Cyclic Redundancy Check (CRC). If we do not treat data integrity as a priority, we may put at risk the outcome of our investigation, our reputation, and the reputation of our clients.

  • Principle 2 – Audit Trail

Without documenting our steps, we cannot demonstrate the audit trail, ergo we cannot support data authenticity and the chain of custody. This is particularly vital at the electronic evidence seizure step. If we do not maintain the audit trail, even if we can demonstrate the hash checksum, we may not be able to prove – beyond reasonable doubt – that the compared data sets originate from the suspect ☹

Therefore, ENISA highlights that “it is of vital importance that any digital exhibit can be tracked from the moment when it was seized at the crime scene all the way to the courtroom, as well as anywhere else in between such as laboratories or storages”.
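An added example (not part of the original post or the ENISA guide) that ties Principles 1 and 2 together: every custody entry records the SHA-256 of the exhibit and the hash of the previous entry, so a changed exhibit or an edited log entry is detectable later. The field names, exhibit ID, actors, timestamps and sample data are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(rec: dict) -> str:
    """Hash every field of a custody entry except its own entry_hash."""
    body = {k: v for k, v in rec.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, exhibit_id, action, actor, when, evidence: bytes):
    """Append a custody entry that commits to the evidence and to the previous entry."""
    rec = {"exhibit_id": exhibit_id, "action": action, "actor": actor, "when": when,
           "evidence_sha256": sha256_hex(evidence),
           "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    rec["entry_hash"] = entry_digest(rec)
    log.append(rec)
    return rec

def verify(log, evidence: bytes):
    """Return a list of problems; an empty list means log and evidence are consistent."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(rec) != rec["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if rec["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from seizure")
        prev = rec["entry_hash"]
    if log and sha256_hex(evidence) != log[0]["evidence_sha256"]:
        problems.append("evidence does not match hash recorded at seizure")
    return problems

def build_demo():
    """Constructed sample: one exhibit passing through three custody steps."""
    image = b"constructed stand-in for a forensic disk image"
    log = []
    add_entry(log, "EXH-001", "seized", "first responder", "2024-01-01T10:00Z", image)
    add_entry(log, "EXH-001", "received by lab", "lab analyst", "2024-01-01T15:30Z", image)
    add_entry(log, "EXH-001", "released for review", "review team", "2024-01-03T09:00Z", image)
    return log, image

if __name__ == "__main__":
    log, image = build_demo()
    print(verify(log, image) or "chain and evidence verified")
```

A hash chain only exposes edits to part of the log; the latest `entry_hash` still has to be recorded somewhere the log's custodian cannot rewrite, such as a signed or paper custody form.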

  • Principle 3 – Specialist Support

I am a big technology enthusiast and frequent user of eDiscovery tools, nonetheless I would not dare to claim I can collect and prepare for review any data sets secured during internal or external forensic investigations. I am just a lawyer with a forensic science background, but not a computer forensics specialist. Hence, I always advise my clients – consider reaching out to the right people to do it for you. Obviously, in some instances the process is arranged by the law firm, to maintain the client-attorney privilege in respect of the process and outcome of the data collection and review, as well as the assessment of the outcome from the legal perspective.

Moreover, reaching out to the right specialists also helps to design a secure storage space for the collected electronic evidence and to arrange an interface platform (GUI) for the review of the collected data and the documentation of the outcome, for the purpose of internal reporting or for the courtroom.

  • Principle 4 – Appropriate Training

This principle applies to both computer forensic experts and all people involved in electronic evidence handling, including legal practitioners like me. Without training and awareness, we may not even know where to look for data or how to organize a reliable and forensically sound process of data seizure, processing, and presentation.

  • Principle 5 – Legality

Last, but not least, we do not want to reach the point where we have the data and have built a plausible story explaining the alleged wrongdoing, only for our electronic evidence to be dismissed in court all of a sudden due to a breach of privacy law (e.g., GDPR in the EU), or otherwise challenged due to a breach of other laws preventing us from accessing the data.

ENISA states that “the person in charge of the investigation has overall responsibility for ensuring that the law and the principles of digital evidence are adhered to”. If the team of investigators does not abide by this rule, the effort of the investigation may be lost forever. Ignoring these rules may also be costly, both for our reputation and financially.

Enjoy the rest of the week!
