Collecting Legally Defensible Online Evidence

Collecting

Legally Defensible

Online Evidence

January 2008 Creating a standard framework for Internet Forensic Investigations

Todd G. Shipley, CFE, CFCECEO and President Vere Software Detective Sergeant (Retired) Reno, Nevada Police Department

w w w . V e r e S o f t w a r e . c o m

[COLLECTING LEGALLY DEFENSIBLE ONLINE EVIDENCE] January 2008

Vere Software|© 2008. All Rights Reserved Worldwide. 1

Table of Contents

BACKGROUND ............................................................................................................................ 2

WHO CONDUCTS INVESTIGATIONS ON THE INTERNET? ....................................................... 2

CURRENT INVESTIGATIVE METHODOLOGIES ........................................................................ 4

LEGAL BACKGROUND FOR CONDUCTING INVESTIGATIONS ON THE INTERNET ................ 7

LAW ENFORCEMENT INTERNET INVESTIGATIVE COSTS ..................................................... 10

CONCLUSION ............................................................................................................................ 17

APPENDIX A PERTINENT U. S. CASE LAW REGARDING INTERNET INVESTIGATIONS ..... 19

REFERENCES............................................................................................................................. 22


2 © 2008. All Rights Reserved Worldwide| Vere Software

BACKGROUND Collecting evidence from computers, networks, cellular telephones and assorted digital storage devices has

rapidly become a standard practice in law enforcement investigations commonly referred to as digital

forensics. The collection of digital evidence from the Internet or “Internet forensics” is a discipline of digital

forensics that deals with the securing of data as evidence from the Internet. Investigating alleged criminal

activity committed on the Internet has been conducted almost since the Internets’ inception. The

investigation and collection of online evidence has been an ongoing challenge for those tasked with that

collection. The factors that contribute to the challenge include:

The rapid changes in technology and the ability of investigators to keep up with that technology,

The investigators lack of education of the Internet and the techniques required to investigate it,

The inability to properly collect Internet based evidence,

The lack of tools specifically designed for this purpose, and

The inability to present the evidence collected in an understandable manner to those not familiar with the specifics of the Internet.

Internet forensics is a unique discipline within digital forensics. The uniqueness comes from the geographic

location of the crime scene. Internet investigators access data on computers without knowing the physical

location of that data. This makes Internet forensics singularly unique amongst the forensic disciplines.

WHO CONDUCTS INVESTIGATIONS ON THE INTERNET? Conducting investigations on the Internet has generally been thought of as the sole domain of law

enforcement. Certainly there are enough crimes to investigate from child exploitation to auction fraud. Law

enforcement has taken an aggressive role in the lead to stop child exploitation online as evidenced by

continued funding from the Department of Justices’ Office of Juvenile Justice and Delinquency Prevention

(OJJDP) of the Internet Crimes Against Children’s (ICAC) Task Forces nationwide. Millions of dollars from

the federal budget have been dedicated to these task forces and additional millions have been specifically

dedicated to the National Center for Missing and Exploited Children (NCMEC) and its important programs.1

1 www.icactraining.org and www.ncmec.org



Many additional law enforcement investigators, from local agencies to the highest levels of the federal

government, are investigating a variety of crimes committed on the Internet, from prostitution to network

hacking. Still, law enforcement investigators are not the only ones conducting investigations online. Many

other fields require the collection of evidence either for a judicial function or merely need to verify their

actions to a superior.

The legal system in the United States and elsewhere in the world has certain requirements for the

introduction of information as evidence in any civil or criminal

proceeding. According to Wikipedia “Digital evidence or

electronic evidence is any probative information stored or

transmitted in digital form that a party to a court case may use

at trial”.2 With more and more information stored on the

Internet, and accessible to the average user, more and more

information of “probative” value will be located there. That

being said, information from the Internet will be used by

attorneys needing to conduct due diligence investigations for their clients. Anyone conducting any type of

research for a civil proceeding of any kind uses the Internet. Research conducted by licensed private

investigators for a client is commonly accomplished through the use of tools found on the Internet.

Companies conducting investigations into Intellectual Property (IP) theft commonly use the Internet to

track the misuse of their companies IP. Additionally, those conducting competitive intelligence find much of

what they need through the use of the Internet. These are only a few examples of the kind of occupations

who use the Internet to conduct their investigations, quite a few of them being non‐law enforcement or

crime oriented investigations. In fact, the larger use of the Internet as an investigative tool is probably done

by many personnel other than those in law enforcement.

The online investigative situation is no different around the world. According to Abhaya Induruwa,

Department of Computing, Canterbury Christ Church University, UK, in a presentation during the Second

International Workshop on Digital Forensics and Incident Analysis, Samos, Greece, 27 – 28 August 2007, “of

around 140,000 police officers in the UK, barely 1,000 have been trained to handle digital evidence at the

basic level and fewer than 250 of them are currently with Computer Crime Units or have higher level

2 http://en.wikipedia.org/wiki/Digital_evidence

“There is a public expectation that the Internet will be

subject to routine ‘patrol’ by law enforcement agencies”. APCO Good Practice Guide for Computer‐Based Electronic

Evidence



forensic skills.” With that being said, in the UK according to the Association of Chief Police Officers (ACPO)

Good Practice Guide for Computer‐Based Electronic Evidence, “As a result, many bodies actively engage in

proactive attempts to monitor the Internet and to detect illegal activities.”

CURRENT INVESTIGATIVE METHODOLOGIES

Current law enforcement investigative methodologies for the Internet are varied and many. Some agencies

have dedicated the necessary resources to conduct investigations and still many others have ignored the

Internet and the crime conducted there, either out of ignorance or negligence. No standard process

currently exists to guide an investigator, at any level within the government (local, state or federal), military

or those investigating the Internet for a corporation. This has

caused a lack of understanding among those assigned these tasks,

and have caused the development of a variety of practices within

this community. To add to the lack of consistent practices, the

lack of specialized tools in this area has driven the adoption of

tools specifically designed for other purposes. These tools have

sometimes provided the investigator with insufficient support for

Best Evidence practices. However, investigators ever adapting to

their changing world, proceeded ahead and have put many

criminals in prison based on their ability to collect evidence from the Internet with tools not designed for

evidence collection.

The most significant adoption of standardized investigative methods for Internet evidence collection is with

the Internet Crimes Against Children (ICAC) Task Forces (TF’s). Since their inception in the late 1990’s, The

ICAC TF’s have grown from a few task forces to over 46 across the United States. The managing working

group of the task forces has standardized the methods they use for investigating child exploitation on the

Internet. These standards guide the task force members and dictate appropriate actions during online child

predator investigations.

Many federal agencies invest personnel resources in the investigation of crime committed on the Internet.

For example the Federal Trade Commission (FTC) investigates identity theft, the Federal Bureau of

Investigation investigates terrorism, the Secret Service investigates credit card fraud and the Immigration

The law enforcement guide “Electronic Crime Scene

Investigation, A Guide for First Responders” is the first in a series of guides funded by the National Institute of Justice (NIJ), U.S. Department of

Justice



and Customs Enforcement investigates counterfeit pharmaceutical sales over the Internet. Amongst all of

these agencies, no common standard methodology exists for these online investigations.

The National Institute of Justice (NIJ), a division of the Office of Justice Programs (OJP), Department of

Justice, through the Office of Law Enforcement Standards (OLES) at NIST (the National Institute of

Standards and Technology) started producing guides for law enforcement regarding the investigation of

technology. The first in the series “Electronic Crime Scene Investigation, A Guide for First responders” was

an initial guide that exposed many in law enforcement to basic techniques for dealing with computers at

crime scenes. The project began in May 1998, and the technical working group met, reviewed, and

compiled material until the guide was published in 2001. Subsequent texts in the series include

“Investigations Involving the Internet and Computer Networks”, “Digital Evidence in the Courtroom: A

Guide for Law Enforcement Prosecutors” and “Forensic Examination of Digital Evidence: A Guide for Law

Enforcement”.

In the United Kingdom the Association of Chief Police Officers has looked at digital evidence from the

computer forensic perspective and outlined in their pamphlet entitled “Good Practice Guide for Computer‐

Based Electronic Evidence”3, four basic principles for the handling of digital evidence:

Principle 1: No action taken by law enforcement agencies or their agents should change data

held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer‐based electronic

evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility

for ensuring that the law and these principles are adhered to.

3 http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf

T

I

A

t

t

T

I

I

I

T

c

a

E

R

c

[COLLEC

6 ©

The APCO gu

nternet”. Ho

APCO gives le

that the Inter

that some vo

The use of

nvestigation

nvestigators

nternet is to

The current m

collecting evi

and refined.

Evidence (TW

Responders”

collection, ex

CTING LEG

2008. All Ri

uide discusse

owever, unlik

ess than clea

rnet is essen

olatile data m

undercover

s, which are

.” The gene

consult thei

methods of c

dence from

Early in the d

WGDE) that p

outlined a fo

xamination, a

GALLY DEF

ights Reserve

es the collec

ke the previo

ar direction o

tially a large

may require c

r investigatio

e detailed in

ral advice in

r force’s Com

collecting dig

hard drives.

digital eviden

roduced the

our stage pro

analysis and

FIG

FENSIBLE

ed Worldwid

ction of onlin

ous clear guid

on the actua

computer n

apturing live

on techniqu

n the “Manu

n the guide f

mputer Crime

ital evidence

Over the pas

nce process d

document “

ocess for dea

reporting of

GURE 1 DIGITAL F

ONLINE E

e| Vere S

ne evidence

dance on ho

l collection o

etwork and t

e website con

ues is gover

ual of Stand

for an inves

e Unit.

e are based o

st decade, a s

development

“Electronic Cr

aling with dig

the digital ev

ORENSIC FOUR ST

EVIDENCE]

Softwar

in its sectio

w to handle

of evidence f

that data of i

ntent.

rned by the

ards for the

stigator wish

on law enforc

standard in t

t, the NIJ Tec

rime Scene In

gital evidence

vidence.

TAGE PROCESS

] January 2

re

on entitled “

digital evide

from the Inte

interest resid

e National

e Deploymen

ing to collec

cements earl

that process

chnical Work

nvestigation,

e. Those four

2008

“Crime scene

ence from co

ernet. They r

des on comp

Standards i

nt of Covert

ct evidence

y experience

has been de

ing Group on

, A Guide for

r stages are

es on the

omputers,

recognize

puters but

n Covert

t Internet

from the

es in

veloped

n Digital

r First

Tn

S

t

p

r

s

S

o

d

e

s

m

c

b

c

4

5

ss

[COLLEC

This process wnine (see figu

Several attem

the listed pro

processes ha

reporting of

similar mann

LEGAL B

Since the Inte

of crimes onl

daily discussi

exists anywh

systems in m

most digital e

computer fo

businesses r

communicati

http://www.u Computer Forscience is attribsolving puzzles,

CTING LEG

was later enure 2):

mpts have be

ocesses have

arkens back

the digital e

er.

BACKGROU

ernet went p

line. The col

ion. Digital e

here that th

many of the n

evidence is c

rensics5. The

ely on com

on.

utica.edu/acadrensics “ ... is thbutable to com, which is wher

GALLY DEF

Vere

hanced with

FIG

een made to

e in the digit

to the NIJ’

evidence. Cu

UND FOR C

public in 199

llection of di

evidence is a

here are ele

ewer autom

ommonly co

e area of dig

mputers to s

emic/institutehe art and scie

mputer forensicsre the art come

FENSIBLE

e Softwa

the Abstract

GURE 2 DIGITAL F

further defi

tal forensic c

’s TWGDE’s

urrent online

CONDUCT

94, law enfor

gital evidenc

as common t

ctronic devi

obiles. Comp

ollected. A lar

gital discover

store compa

es/ecii/publicatence of applyins, most succeses in”. ‐ Chris L

ONLINE E

are|© 200

t Digital Fore

FORENSIC NINE ST

ne this proc

community. T

four stages

e investigatio

TING INVES

rcement offic

ce has morph

today as any

ces, from c

puters have

rge industry

ry of electro

any data an

tions/articles/Ang computer scsful investigatoL.T. Brown, Com

EVIDENCE

08. All Rights

ensics Model4

TAGE PROCESS

ess, but few

The common

s, the collec

ons should fo

STIGATION

cers have inv

hed from an

y other “stan

ellular telep

become the

has arisen to

onic evidence

d rely on e

A04A40DC‐A6Fcience to aid thors possess a nmputer Eviden

] January 2

s Reserved W

4 which incre

have gained

nality of all o

ction, exami

ollow these f

NS ON THE

vestigated an

uncommon

ndard” evide

phones to th

standard ele

o support the

e alone has

email as an

F6‐F2C1‐98F94he legal processnose for investice Collection a

2008

Worldwide.

eased the sta

d the accepta

of the digita

ination, ana

four basic st

E INTERNE

nd collected

concept to a

ence. Digital

he global po

ectronic devi

e emerging s

grown imme

everyday m

4F16AF57232Ds. Although pleigations and a and Preservatio

7

ages to

ance that

l forensic

lysis and

tages in a

ET

evidence

a topic of

evidence

ositioning

ce where

science of

ensely as

means of

D.pdf enty of skill for on, 2006



The legal system in the United States has been looking at the

changing landscape of legal cases by the inclusion of digital

evidence as a normal part of civil and criminal cases. The U.S.

Federal Court system instituted changes in the Federal Rules of

Civil Procedures (FRCP) during December 2006, to clarify

“electronically stored information” and its place in the courts as

evidence.6 A large body of case law is building around digital evidence and its introduction in both criminal

and civil cases in the United States. Recently the most significant case in the area of digital evidence has

been the Lorraine v. Markel American Insurance Co.7. In this case, the magistrate denied the admission of

electronic stored information (ESI), but outlined how the evidence should have been properly admitted.

The decision outlines more than any other existing case, clear guidance for the admission of electronic

evidence in a Federal civil case. What this does for law enforcement and those collecting data as evidence

from the Internet is to layout a partial roadmap for development of a standard methodology for Internet

forensics and its successful admission in court. In the decision, Judge Grimm acknowledges “The process is

complicated by the fact that ESI comes in multiple evidentiary “flavors,” including e‐mail, website ESI,

internet postings, digital photographs, and computer‐generated documents and data files.” Of particular

note is Judge Grimms discussion of ESI authentication including the use of Hashing (digital fingerprints), ESI

meta‐data, as well as the collection of the data in its “native format”.

The United States Department of Justice (DOJ) early in this field developed guidelines for dealing with

digital evidence. 8 The DOJ Computer Crime and Intellectual Property Section produced the reference guide

“Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.” This has

been the basis for law enforcement across the U.S. when dealing with digital evidence. In addition,

Guidance Software9 has maintained a running text of the applicable case law as a reference tool for

everyone in this digital evidence field entitled the “Encase® Legal Journal”.

6 http://www.blackwellsanders.com/pdf/FRCP_White_Papers.pdf 7 Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534 (D. Md. 2007) 8 http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm 9 www.guidancesoftware.com

Recently the most significant case in the area of digital

evidence has been the Lorraine v. Markel American Insurance Co

Justice



A review of the current applicable case law reveals a complicated field that has developed around certain

concepts of evidence collection and preservation. Basic premises of digital evidence collection include the

collection of the data in a manner consistent with the law, verification of the data collected and

maintenance of a proper chain of custody of evidence collected. Digital evidence, although electronic bit

and bytes on some storage media, is extremely important to the average law enforcement investigation.

Specialized tools for its collection and examination have become the standard in the field of digital

evidence.

Guidance Software’s “Encase®”, a digital evidence examination and collection software program, is an

example of an evidence collection tool accepted by courts (as

exampled in recent prosecutions in Ohio State v. Anderson and

Texas State v. Willard 10). Additional tools in this field are

regularly used to automate and simplify the evidence collection

process. These tools include AccessData’s11 Forensic ToolKit

(FTK) and Technology Pathways’12 ProDiscover that are also

used by many in the digital evidence collection process. In the Ohio case State v. Anderson, the conviction

of the defendant was upheld using Encase® and the Texas case, State v. Willard, the court specifically

validated the reliability of Encase® as used in the case.

Each of these tools collect a variety of digital evidence based generally around data at rest on hard drives or

removable media. Data at rest is generally referred to as data that is saved to a computer storage device

and not moving through a network or residing in a computer’s memory. While Encase and ProDiscover are

both capable of collecting data across networks including volatile data contained in their memory, none of

these tools focus themselves on the collection of data specifically from the Internet. This is due to the

current theory that in order to use these digital evidence collection tools, access and control of the suspect

system to some degree is required.

10 http://www.guidancesoftware.com/support/legalresources.aspx 11 http://www.accessdata.com 12 http://www.techpathways.com

A variety of commercial and freeware tools have done the historical collection of Internet

based data.



The collection of information on the Internet outside of the control of the user (observer of the data) is

unaddressed by these tools. A variety of commercial and freeware tools have done the historical collection

of Internet based data. The tools used by law enforcement and others conducting investigations online vary

from off the shelf (OTS) software designed for other purposes to tools designed by an agency for its

individual investigators use. Numerous tools have been adopted to collect evidence from various parts of

the Internet. Many freeware (no cost to the user) and shareware programs have been used to capture

webpages as well as commercial products. Adobe13and Techsmith14 provide tools that have been

moderately successful for law enforcement and others to capture images, video and webpages. These tools

save their captures in a normal electronic file used for general use such as a PDF15, jpg16 or mpg17.

For the purpose of collecting evidence from the Internet, law enforcement has adopted these tools for

these purposes, none of which were originally intended for the collection, preservation and presentation of

the data in court. As a result, their use has caused court challenges. The concept and process of evidence

collection from the Internet, most especially in the area of child exploitation investigations, has been

validated in a number of legal cases where convictions have occurred, (References to pertinent case law is

presented in Appendix A).

LAW ENFORCEMENT INTERNET INVESTIGATIVE COSTS

Choosing to conduct investigations or collect information for evidentiary purposes from the Internet

requires an investment. That investment includes hardware costs, software costs, personnel costs, training

costs, and physical location costs. Each of these requires a commitment of resources to the task that often

is more than an agency will want to allocate.

13 www.adobe.com 14 www.techsmith.com 15 .PDF is a document file format designed by Adobe 16 .jpg is an image format standard 17 .mpg is a movie format standard

T

d

a

p

c

t

a

e

b

[COLLEC

Perso

inves

assoc

Hardw

the co

Softw

the so

Train

neede

The cost of a

different. Wh

at the local, s

problem with

conducting in

to the comm

absorbed the

enforcement

based crime.

CTING LEG

FIG

onnel Costs:

tigations on

ciated with th

ware Costs:

omputers an

ware Costs: T

oftware need

ing Costs: Th

ed to conduc

a project driv

hat has occur

state and fed

h large amou

nvestigations

munity. Man

e cost into th

t administrat

GALLY DEF

Vere

GURE 3 COSTS ASS

These are

line. These

hat salary.

These are t

nd equipmen

These are th

ded to condu

hese are the

ct investigati

ves a govern

rred nationa

deral levels. T

unts of fundin

s on the Inte

ny agencies

heir normal in

tors still lack

FENSIBLE

e Softwa

SOCIATED WITH C

e the actual

costs includ

he actual co

t required to

e actual cos

uct investigat

actual costs

ons on the In

ment’s respo

lly in the Cyb

The Federal

ng. The State

rnet is actua

that accept

nvestigations

k the overal

ONLINE E

are|© 200

CONDUCTING INVE

l costs asso

de the hour

sts associate

o investigate

ts associated

tions on the

associated w

nternet.

onse to most

bercrime are

government

e and local re

lly relatively

t the need

s budgets as

l understand

EVIDENCE

08. All Rights

ESTIGATIONS ON

ciated with

ly wage of

ed with provi

crimes on th

d with provid

Internet.

with providin

t any issue. T

na is varied

has respond

esponse has

small when

for conduct

a cost of do

ding of the

] January 2

s Reserved W

THE INTERNET

assigning p

the employ

iding the ass

he Internet.

ding the ass

ng the assign

The response

among law e

ded to portio

been more s

compared to

ting Internet

oing business

need for a

2008

Worldwide.

personnel to

ee and any

signed person

igned person

ed personne

e to Cybercr

enforcement

ons of the Cy

sporadic. Th

o the financi

t investigatio

s. However, m

response to

11

conduct

benefits

nnel with

nnel with

el training

ime is no

agencies

ybercrime

he cost of

al impact

ons have

many law

o Internet



This has caused a general tendency to ignore the communities’ victims, despite the public

acknowledgement of the amount of crime being conducted. This is evident by the International Association

of Chiefs of Police “Identifying Critical Technology Needs Technology Survey Results”18 study conducted in

2005. The survey’s respondents identified five technology priorities: communications, patrol cars,

management, forensics, and video cameras. None of the reported priority needs by the respondents

reflected the actuality of their need to respond to Cybercrime. A search on the IACP website offers little

direction for law enforcement managers and/or advice on how to deal with Cybercrime investigations other

than from an IT perspective. All too often there would appear to be a consensus in law enforcement that

Cybercrime investigations are someone else’s problem or jurisdiction.

Whole industries and professions have sprung up in response to the Cybercrime dilemma to address its

daily impact on everyone including those who do not use the Internet. Everyday companies, from the

banking industry to the newly formed “Identity Theft Protection” industry use the Cybercrime threat in

their marketing campaigns. Millions of dollars in the U.S., let alone the rest of the world, are being spent by

Americans to protect themselves from Cybercrime, which according to an FBI survey cost Americans

approximately 67 billion dollars in 2005. The fact is that more funds are being spent by the average citizen

to protect themselves from online crime than governments are spending in total to protect its own

residents from these crimes. Government’s response, although in the millions of dollars, have been

ineffective when dealing with the overall problem of Cybercrime. It isn’t just a matter of the need to have

more money being thrown at the Cybercrime problem. The need is a realization within government and law

enforcement that:

The Internet permits criminals easy access to every locked home and business online,

Cybercrime is here to stay,

Cybercrime is an activity that affects citizens on a daily basis more than any other crime category,

and

Everyday law enforcement needs to incorporate the Internet into their investigations, either as its

focus or as a tool.

18 http://www.theiacp.org/research/CuttingEdge/TechSurveyReport.pdf



Changing the Current Internet Investigation Paradigm

Clearly, the need exists to investigate crimes on the Internet and equally the need to collect evidence in

support of those crimes. The question becomes how is that best achieved and under what protocol. The

guidance for the proper collection of evidence from the Internet is not as well defined as that for the

general computer forensic field. Computer forensics has been establishing the digital evidence collection

process related to computers in general since the early 1990’s. Clear guidance and established practices

have been developed and are followed routinely throughout the world when dealing with digital evidence

as it applies to computer forensics. Not so clear are the procedures for the online collection of evidence

from the Internet. The complication for this comes from the real time interaction that the Internet gives the

users. Data is transmitted over the Internet through various methods. Some of these methods intentionally

use volatile data space as the transfer method, such as Instant Messaging and Chat applications. The use of

volatile memory space for these interactions allows the data not to be recorded on any computer or server

along the path of the conversation. This kind of data cannot generally be obtained through traditional

computer forensic examinations. The capture of this kind of data clearly needs to be accomplished by the

user initiating the connection. Law enforcement investigators have adopted several commercial tools for

this purpose. All are valuable tools for each intended purpose, but still adopted and used for an unintended

purpose, the collection of Internet based evidence.

The collection of evidence from the Internet needs fundamental structure to properly document the

veracity and defensibility of the data collected. Bruce Nikkel in Domain Name Forensics: A Systematic

Approach to Investigating an Internet Presence, describes the forensic advantages of collecting evidence

using command line tools. The advantages he describes are:

Each file containing evidence has a system generated time‐stamp showing the exact time of

evidence collection.

Collected evidence is transferred from the collection tools directly to the files without human

intervention.

The Whois and DNS server names are explicitly defined and logged, showing that the evidence

was collected from authoritative sources.

A complete transcript log of the evidence collection procedure is available for scrutiny.

N

c

c

l

a

c

s

G

E

S

c

p

C

b

m

[COLLEC

14 ©

Nikkel’s “for

collection pr

consistent an

ogging the e

and the add

collected. “Th

such as time

Geographical

Examining N

Scene Invest

clearly three

preservation

Collection of

be a webpag

message con

CTING LEG

2008. All Ri

ensic advan

rocess uses

nd repeatab

evidence coll

ition of verif

here is no sin

e‐stamping

l Location of

ikkel’s “fore

igation, A Gu

steps to the

, and its pres

f Internet ba

ge or items o

versations o

GALLY DEF

ights Reserve

tages” deta

tools to co

ble collection

ected to ma

fication met

ngle way to e

and hashing

Internet Hos

nsic advanta

uide for First

e proper coll

sentation.

FIGUR

ased evidenc

on a webpage

r chat conve

3. Pre

2. Pre

1. Co

FENSIBLE

ed Worldwid

il the collec

ollect the ev

n of evident

ake the evide

thods such a

enforce chai

g algorithms

sts using a M

ages” and th

t Responder

lection of Int

RE 4 PROPER INTE

e includes th

e such as im

rsations usin

esenta

eserva

ollectio

ONLINE E

e| Vere S

ction and ve

vidence with

tiary items.

ence authori

as logging ad

n of custody

s are centra

Multi‐Agent Sy

he processes

s” as well as

ternet based

RNET EVIDENCE C

he actual cap

age files, mu

ng a variety o

ation

ation

on

EVIDENCE]

Softwar

erification of

hout human

He describe

tative. The u

dd multiple

in digital for

al to all me

ystem

s detailed in

s the forensi

d evidence::t

COLLECTION STEPS

pture of cont

usic files, or

of application

] January 2

re

f Internet b

interventio

s the use o

use of autom

layers of ve

rensics, but t

ethods.” Øys

the NIJ gui

ic investigati

the collection

S

tent viewed

documents.

ns designed f

2008

ased eviden

n. This allo

of time‐stam

mated collect

rification to

the use of te

stein E. Tho

ide “Electron

ve models, t

n of the evid

by the user.

It can also b

for that purpo

nce. The

ws for a

ping and

tion tools

the data

echniques

orvaldsen,

nic Crime

there are

dence, its

. This can

be instant

ose.

P

c

P

s

o

C

i

A

i

a

g

[COLLEC

Preservation

concepts and

1. D

2. C

3. M

Presentation

simulating its

or the real tim

Currently, th

nvestigator

Against Child

mplementat

are not publ

great challen

CTING LEG

n of the Inte

d principles le

Don’t change

ollect the ev

Maintain a pro

n of the Inte

s real time co

me chat sess

e lack of sta

to make up

dren Task Fo

ion by the ta

ic. The avera

ge in front o

3

2

1

GALLY DEF

Vere

ernet based

earned from

the evidence

idence in a v

oper chain o

rnet based e

ollection. Th

ions.

FIGURE 5 P

andards for t

p collection

orces nation

ask force me

age investiga

f him.

3. Pres

2. Pres

1. Colle

FENSIBLE

e Softwa

evidence in

computer fo

e if possible.

verifiable ma

f custody of

evidence mea

is could inclu

ROPER INTERNET

the proper c

standards lo

wide, have,

embers. Due

ator interest

entati

ervati

ection

ONLINE E

are|© 200

ncludes the

orensics whe

nner.

the evidence

ans the actua

ude viewing

EVIDENCE COLLE

collection of

ocally. Some

through the

to the natur

ted in the co

ion

on

EVIDENCE

08. All Rights

treatment o

n dealing wit

e.

al viewing of

chat logs or

CTION STEPS IN D

Internet bas

e organizatio

eir federal f

re of the crim

ollection of e

• Prepare ediscovery • Prepare R• Save evid

•Maintain c• Secure fro• Hash evid

• Collect evdefensibilit

] January 2

s Reserved W

of this digita

th digital evid

ffline of the e

video files o

DETAIL

sed evidence

ons such as

unding, deve

mes investiga

evidence fro

evidence for pr

Reportdence to archiv

chain of custodom other evidedence items

vidence using tty

2008

Worldwide.

al evidence u

dence.

evidence in a

of the websit

e has led the

the Interne

eloped stand

ated, those s

m the Intern

rosecution and

val media

dy of all evidenence items

echniques tha

15

using the

a manner

es visited

e average

et Crimes

dards for

standards

net has a

d

nce

t ensure



The current thought process would be to seek out training specifically designed for law enforcement

regarding the investigation of Internet based crime. This training occurs through federally funded programs

(such as SEARCH and the National White Collar Crime Center) or through a variety of colleges and

universities currently offering digital investigations programs, such as Champlain College’s Center for Digital

Investigation19.

Each program offers technical detail in the collection of evidence from the Internet. Each program has

developed its own standard for the curriculum and the process of

the collection of evidence from the Internet. All of the programs

are valuable and go a long way to bettering law enforcements

attempts at grasping the problem at hand. However, each program

has some drawbacks. The federally funded programs usually last a

week and are offered only a few times each year in various

locations, which in turn makes them almost inaccessible by the

average investigator. The post secondary programs are offered for credit within an associate or

bachelorette degree program. Champlain College is moving to an online program which will make the

training more accessible to the average investigator. The challenge remains a standard approach to the

training and evidence collection methodology. Dr. Robert DeYoung, St. Thomas University, in a paper titled

A Triad of Collaboration: Internet‐Related Investigative Considerations Prior to the Computer Forensic

Application said “A single piece of evidence is important; a second associative reference is significant; and

third occurrence is compelling.” The significance of this for the Internet Investigator is the ability to

corroborate the collection of evidence from the Internet. Multiple occurrences of associative references

can substantiate a collected piece of evidence as authentic. Those associative references to a piece of

Internet based evidence could include, Hash values of the evidence collected, date and time stamps of the

occurrence, log files of a tools actions, key logging of investigator actions, and a collection process that is

repeatable and reproducible. The collection of Internet evidence has long been a process rift with

undefined processes and completed using tools that collect data but not evidence. Adding a reproducible

process and associative references to the methodology makes the data collected as a defensible

evidentiary item.

19 http://c3di.champlain.edu/

“A single piece of evidence is important; a second associative reference is significant; and

third occurrence is compelling.” Dr. Robert DeYoung, St. Thomas

University

I

i

e

b

e

t

c

b

[COLLEC

Conclus

n the Unite

nvestigation

event. Only

become gene

environment

the collection

Following th

collection of

based eviden

1. Colle

•Evidencollectedefens

CTING LEG

ion

ed States t

s. The collec

digital evide

erally accept

for investiga

n of online ev

FIG

he lessons le

Internet bas

nce is a simpl

ection

ce not ed in ible manner.

GALLY DEF

Vere

he collectio

ction of evid

ence collecti

ted by the c

ators to seek

vidence will c

URE 6 CURRENT I

arned from

sed evidence

e standard to

In

FENSIBLE

e Softwa

n of digital

dence from

ion from co

courts. Inter

k out evidenc

cause challen

NVALIDATED MET

the field of

. The proces

o follow.

2. Preserv

•Chain ofdependainvestiganotes.•Not an e•Internetpotentia

nvalidated c

ONLINE E

are|© 200

l evidence

both compu

omputers ha

net based e

ce of crimes.

nges to the e

THOD OF COLLECT

computer fo

s outlined ab

vation

f custody ant on ators written

evidence file. t data has al for alteration

collection pr

EVIDENCE

08. All Rights

has become

uters and the

s evolved in

vidence coll

However, th

evidence.

TING INTERNET BA

orensics a sta

bove to colle

n.

rocess →

] January 2

s Reserved W

e a standar

e Internet h

nto a standa

ection has e

he use of inva

ASED EVIDENCE

andard can b

ect, preserve

3. Prese

•Invaliddata tprosecdefen•Reporaboutevidenproces

2008

Worldwide.

rd in many

as become

ard process

emerged as

alidated proc

be develope

and present

entation

dated Interneturned over to cutor and se.rts prepared unvalidated nce collection ss.

17

criminal

a regular

that has

a regular

cesses for

d for the

t Internet

U

v

d

[COLLEC

18 ©

Utilizing a de

verify and va

defensible on

The Inter

CTING LEG

2008. All Ri

FI

efined, repe

alidate infor

nline evidenc

rnet

GALLY DEF

ights Reserve

GURE 7 DEFENSIB

atable and v

mation colle

ce.

FENSIBLE

ed Worldwid

BLE EVIDENCE THR

verifiable pr

ected on the

Re

ONLINE E

e| Vere S

ROUGH ASSOCIAT

ocess law e

e Internet, c

producible c

EVIDENCE]

Softwar

TIVE REFERENCES A

nforcement,

can be assur

collection pr

] January 2

re

AND PROCESS

and any ot

red that the

rocess →

2008

ther fields w

y will have

wishing to

collected



APPENDIX A PERTINENT U. S. CASE LAW REGARDING INTERNET INVESTIGATIONS Tracing Internet Protocol Addresses

State v. Jacobs (Minn. Ct. App. April 17, 2007) 2007 Minn. App. Unpub. 360.

Tracing Internet Protocol addresses back to a suspect using automated tools even when the suspect is attempting

hide himself, does not violate the suspects “reasonable expectation of privacy”,

U.S. v. Perez (5th Cir. April 11, 2007) 484 F.3d 735

Law enforcement obtained a search warrant based on the transmission of child pornography which was traced back to a particular IP address registered to defendant.

Validation of Undercover Communications with Defendants

People v. Richardson (2007) , [not published] Previously published at: 151 Cal.App.4th 790.

That def., unbeknownst to him, was communicating with an adult posing as a minor is immaterial since factual impossibility is not a defense.

U.S. v. Han (H.D. N.Y. 1999) 66 F.Supp.2d.

Whether the defendant was unable to complete the crime of 2423(b) because the victim was fictitious is irrelevant in addressing guilt.

U.S. v. Crow (5th Cir. 1999) 164 F.3d 229.

Motion to quash denied where individual defendant attempted to exploit [a § 2251(a) charge] was an undercover detective.

Email Authentication

U.S. v. Sidiqui (11th Cir. 2000) 235 F.3d 1318.

E‐mails introduced into evidence over defendant hearsay and improper authentication objections. Court analyzed the authentication issues under traditional evidentiary standards. (FRE 901(a) and 901(B)(4).) Contains good discussion of circumstantial evidence of authenticity but no discussion as to the technical aspects of e‐mail. As to hearsay objection, the e‐mails were considered admissions of a party. (FRE 801(d)(2)(A).)

People v. Von Gunten (2002 Cal.App.3d Dist.) 2002 WL 501612. [Unpublished.]

Defendant laid an inadequate foundation of authenticity to admit, in prosecution for assault with a deadly weapon, hard copy of e‐mail messages (Instant Messages) between one of his friends and the victim’s companion, as there was no direct proof connecting victim’s companion to the screen name on the e‐mail messages.



On line Evidence Admissibility

United States v. Brand 2005 WL 77055 (S.D.N.Y. January 12, 2005).

Chat transcript of AOL instant messages admissible since it was sufficiently similar to the charged conduct.

Hammontree v. State (Ga. Ct. App. 2007) ‐‐‐ S.E.2d ‐‐‐‐, 2007 WL 547763

Where the victim testified that she was an ‘actual participant’ in the IM conversation and confirmed its contents, the IM ‘transcript’ was properly authenticated.

U.S. v. Burt (7th Cir.,July 26, 2007) 495 F.3d 733

Logs of a Yahoo! chat were admissible when properly authenticated.

Lorraine v. Markel American Insurance Company (D.Md. May 4, 2007) 241 F.R.D. 534.

Case provides a comprehensive analysis of how to authenticate digital evidence such as digital photos, email and text messages.

People v. Hawkins (June 2002) 98 Cal.App.4th 1428.

Court addresses California Evidence Code section 1552 [printed representation of computer information or a computer program is presumed to be accurate]. Court noted "the true test for admissibility of a printout reflecting a computer’s internal operations is not whether the printout was made in the regular course of business, but whether the computer was operating properly at the time of the printout."

EEOC v. E.I dupont de Nemours & Co., 2004 WL 2347559, 65 Fed. R. Evid. Serv. 706,

Printout from Census Bureau web site containing domain address from which image was printed and date on which it was printed was admissible in evidence.

Telewizja Polska USA, Inc., v. Echostar Satellite Corp. (N.D. Ill.2004) 2004 WL 2367740 [Not Reported]

Archived versions of web site content, stored and available at a third party web site, were admissible into evidence under Federal Rule of Evidence 901. The contents of the web site could also be considered an admission of a party opponent, and thus are not barred by the hearsay rule.

U.S. v. Tank (9th Cir. 2000) 200 F.3d 627.

Authentication of screen name.

People v. Von Gunten (2002 Cal.App.3d Dist.) 2002 WL 501612. [Unpublished.]

Defendant laid an inadequate foundation of authenticity to admit, in prosecution for assault with a deadly weapon, hard copy of e‐mail messages (Instant Messages) between one of his friends and the victim’s companion, as there was no direct proof connecting victim’s companion to the screen name on the e‐mail messages.



Admission of Duplicate Digital Evidence

State v. Morris, 2005 WL 356801 (Ohio App. 9 Dist.)

During forensics analysis using EnCase a copy of the hard drive was made. Before returning the computer the expert erased all data on the original drive. At trial the copy was used as evidence. The court found that the rules of evidence permit admission of duplicates, that appellant was unable to show what type of exculpatory evidence may have been lost during the copying procedure, and that the original was not destroyed in bad faith.

Use of Automated Tools in Digital Evidence Collection

Williford v. State (2004 Tex.App.‐Eastland) 127 S.W.3d 309.

Upholding the use of EnCase as a forensic tool.

Introduction of Web Sites

EEOC v. E.I dupont de Nemours & Co., 2004 WL 2347559, 65 Fed. R. Evid. Serv. 706,

Printout from Census Bureau web site containing domain address from which image was printed and date on which it was printed was admissible in evidence.

Telewizja Polska USA, Inc., v. Echostar Satellite Corp. (N.D. Ill.2004) 2004 WL 2367740 [Not Reported]

Archived versions of web site content, stored and available at a third party web site, were admissible into evidence under Federal Rule of Evidence 901. The contents of the web site could also be considered an admission of a party opponent, and thus are not barred by the hearsay rule.



REFERENCES 1) Setting up an Online Investigative Computer: Hardware, Connectivity and Software Recommendations‐ Daniels, Keith

http://www.search.org/files/pdf/OnlineInvComSetup.pdf

2) An Examination of Digital Forensic Models, International Journal of Digital Evidence Fall 2002, Volume 1, Issue 3‐ Reith, Mark; Carr, Clint; Gunsch, Gregg

3) Good Practice Guide for Computer‐Based Electronic Evidence, Association of Chief Police Officers’ (ACPO)

4) CIOIM Supplement: Digital Officer Safety, 2000, Parmar, S.K., Cst, N. Cowichan Duncan RCMP Det., Duncan, BC

5) Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, July 2002, Computer Crime and Intellectual Property Section Criminal Division United States Department of Justice

6) LAW ENFORCEMENT TOOLS AND TECHNOLOGIES FOR INVESTIGATING CYBER ATTACKS, A NATIONAL NEEDS ASSESSMENT, June 2002, Vatis, Michael A., Institute for Security Technology studies at Dartmouth College

7) LAW ENFORCEMENT TOOLS AND TECHNOLOGIES FOR INVESTIGATING CYBER ATTACKS GAP ANALYSIS REPORT, February 2004, Institute for Security Technology studies at Dartmouth College

8) INTERNET CHILD SEX PREDATORS: BUILDING A CASE FOR CONVICTION, August 2004, Sarah Elizabeth Smith, Liberty Business Review Volume II Number 2, Liberty University

9) Domain Name Forensics: A Systematic Approach to Investigating an Internet Presence, August 2005, Bruce J. Nikkel, The International Journal of Digital Forensics and Incident Response, Vol. 1, No. 4

10) Geographical Location of Internet Hosts using a Multi‐Agent System, November 2006, Øystein E. Thorvaldsen, Department of Computer and Information Science Norwegian University of Science and Technology

11) Investigation of Cybercrime and Technology‐related Crime, March 2002, Dan Koenig, National Executive Institute, www.neiassociates.org/cybercrime.htm

12) E‐Evidence & Internet crimes Against Children California case Digest and Commentary, December 2007, Robert Morgester, Deputy Attorney General, Office of the Attorney General, State of California, www.cdaa.org

13) Encase Legal Journal, April 2007, Guidance Software, http://www.guidancesoftware.com/support/legalresources.aspx

14) Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, 2006, Todd G. Shipley and Henry R. Reeve, Esq., http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf

15) CYBERCRIME Public and Private Entities Face Challenges in Addressing Cyber Threats, June 2007, Report to Congressional Requesters, United States Government Accountability Office (GAO) 16) Identifying Critical Technology Needs Technology Survey Results, Fall 2005, International Association of Chiefs of

Police

17) Suggested Protocol for Discovery of Electronically Stored Information (“ESI”), 2007, The United States District Court For The District Of Maryland, http://www.mdd.uscourts.gov/news/news/ESIProtocol.pdf



About the Author

Todd G. Shipley, CFE, CFCE

President & CEO of Vere Software

As President and Chief Executive Officer of Vere Software, Todd Shipley is primarily responsible for carrying out the strategic plans and policies, and as such, has the ultimate management responsibility for all company operations. Todd is directly responsible for providing leadership; the creation of its strategic, tactical, and financial plans; developing goals and measuring performance to the approved goals; organizational and customer development; and the development of the company’s staff.

Prior to starting Vere Software, Todd G. Shipley was the Director of Systems Security and High Tech Crime Prevention Training for SEARCH, The National Consortium for Justice Information and Statistics, where he oversaw a national program that provided expert technical assistance and training to local, state, and federal justice agencies on successfully conducting high‐technology computer crimes investigations. In this position he was also the manager of the National Criminal Justice Computer Laboratory and Training Center. Mr. Shipley oversaw a variety of SEARCH’s technology crime investigation courses offered at the National Criminal Justice Computer Laboratory and Training Center in Sacramento, California, and at other sites nationwide. He also supervised the training‐provided by an experienced team of certified computer crimes investigators and information systems security professionals‐focused on systems security, computer forensics and investigations involving the Internet, local area networks and online child exploitation. As the director, he was responsible for program grant writing and applications, preparing and implementing specific program and annual budgets and management of their subsequent expenditure. Mr. Shipley has 25 years' experience in law enforcement, all with the Reno, Nevada, Police Department, where he developed subject‐matter expertise in computer forensics, online investigations and information technology security. Prior to joining SEARCH in 2004, he was a Senior Detective Sergeant managing the Department's Financial and Computer Crimes Unit, where he investigated serious fraud‐ and financial‐related offenses using basic investigative, technical and covert surveillance techniques. He was responsible for developing cyber crime and technology crime investigative policy; serving as a liaison to other law enforcement, intelligence and government agencies and industry bodies; providing department/regional training; and serving as an expert witness. His previous positions with the Department included four years as a Detective and Detective Sergeant assigned to the U.S. Attorney's Office Organized Crime Drug Enforcement Task Force, five years as a Detective investigating major property and person crimes, and eight years as a patrol officer. Since 1979 Mr. Shipley has been a member of the 152nd Security Forces Squadron of the Nevada Air National Guard, where he is a Chief Master Sergeant and served, during the current war on terror as Security Coordinator at Bagram Airfield, Afghanistan from late 2001 to early 2002. During both his military and law enforcement careers, he has received many awards and commendations. Mr. Shipley formed Nevada's First Computer Crime Investigations Unit. He is a Certified Fraud Examiner through the Association of Certified Fraud Examiners and a Certified Forensics Computer Examiner through the International Association.

Contact Todd Shipley at [email protected]



NOTES:

Documents

Collecting Legally Defensible Online Evidence