Collecting Legally Defensible Online Evidence
Creating a standard framework for Internet Forensic Investigations
January 2008
Todd G. Shipley, CFE, CFCE, CEO and President, Vere Software; Detective Sergeant (Retired), Reno, Nevada Police Department
www.VereSoftware.com
[COLLECTING LEGALLY DEFENSIBLE ONLINE EVIDENCE] January 2008
Vere Software|© 2008. All Rights Reserved Worldwide. 1
Table of Contents
BACKGROUND (page 2)
WHO CONDUCTS INVESTIGATIONS ON THE INTERNET? (page 2)
CURRENT INVESTIGATIVE METHODOLOGIES (page 4)
LEGAL BACKGROUND FOR CONDUCTING INVESTIGATIONS ON THE INTERNET (page 7)
LAW ENFORCEMENT INTERNET INVESTIGATIVE COSTS (page 10)
CONCLUSION (page 17)
APPENDIX A PERTINENT U.S. CASE LAW REGARDING INTERNET INVESTIGATIONS (page 19)
REFERENCES (page 22)
BACKGROUND
Collecting evidence from computers, networks, cellular telephones and assorted digital storage devices has rapidly become a standard practice in law enforcement investigations, commonly referred to as digital forensics. The collection of digital evidence from the Internet, or “Internet forensics”, is a discipline of digital forensics that deals with the securing of data as evidence from the Internet. Investigating alleged criminal activity committed on the Internet has been conducted almost since the Internet’s inception. The investigation and collection of online evidence has been an ongoing challenge for those tasked with that collection. The factors that contribute to the challenge include:
The rapid changes in technology and the ability of investigators to keep up with that technology,
The investigators’ lack of education about the Internet and the techniques required to investigate it,
The inability to properly collect Internet-based evidence,
The lack of tools specifically designed for this purpose, and
The inability to present the evidence collected in an understandable manner to those not familiar with the specifics of the Internet.
Internet forensics is a unique discipline within digital forensics. The uniqueness comes from the geographic location of the crime scene. Internet investigators access data on computers without knowing the physical location of that data. This makes Internet forensics unique amongst the forensic disciplines.
WHO CONDUCTS INVESTIGATIONS ON THE INTERNET?
Conducting investigations on the Internet has generally been thought of as the sole domain of law enforcement. Certainly there are enough crimes to investigate, from child exploitation to auction fraud. Law enforcement has taken an aggressive role in the lead to stop child exploitation online, as evidenced by continued funding from the Department of Justice’s Office of Juvenile Justice and Delinquency Prevention (OJJDP) of the Internet Crimes Against Children (ICAC) Task Forces nationwide. Millions of dollars from the federal budget have been dedicated to these task forces and additional millions have been specifically dedicated to the National Center for Missing and Exploited Children (NCMEC) and its important programs.1
1 www.icactraining.org and www.ncmec.org
Many additional law enforcement investigators, from local agencies to the highest levels of the federal government, are investigating a variety of crimes committed on the Internet, from prostitution to network hacking. Still, law enforcement investigators are not the only ones conducting investigations online. Many other fields require the collection of evidence, either for a judicial function or merely to verify their actions to a superior.
The legal system in the United States and elsewhere in the world has certain requirements for the introduction of information as evidence in any civil or criminal proceeding. According to Wikipedia, “Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial”.2 With more and more information stored on the Internet, and accessible to the average user, more and more information of “probative” value will be located there. That being said, information from the Internet will be used by attorneys needing to conduct due diligence investigations for their clients. Anyone conducting any type of research for a civil proceeding of any kind uses the Internet. Research conducted by licensed private investigators for a client is commonly accomplished through the use of tools found on the Internet. Companies conducting investigations into Intellectual Property (IP) theft commonly use the Internet to track the misuse of their company’s IP. Additionally, those conducting competitive intelligence find much of what they need through the use of the Internet. These are only a few examples of the kinds of occupations that use the Internet to conduct their investigations, quite a few of them being non-law-enforcement or non-crime-oriented investigations. In fact, the larger use of the Internet as an investigative tool is probably done by many personnel other than those in law enforcement.
The online investigative situation is no different around the world. According to Abhaya Induruwa, Department of Computing, Canterbury Christ Church University, UK, in a presentation during the Second International Workshop on Digital Forensics and Incident Analysis, Samos, Greece, 27–28 August 2007, “of around 140,000 police officers in the UK, barely 1,000 have been trained to handle digital evidence at the basic level and fewer than 250 of them are currently with Computer Crime Units or have higher level forensic skills.” With that being said, in the UK, according to the Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence, “As a result, many bodies actively engage in proactive attempts to monitor the Internet and to detect illegal activities.”
2 http://en.wikipedia.org/wiki/Digital_evidence
“There is a public expectation that the Internet will be subject to routine ‘patrol’ by law enforcement agencies”. ACPO Good Practice Guide for Computer-Based Electronic Evidence
CURRENT INVESTIGATIVE METHODOLOGIES
Current law enforcement investigative methodologies for the Internet are varied and many. Some agencies have dedicated the necessary resources to conduct investigations, and still many others have ignored the Internet and the crime conducted there, either out of ignorance or negligence. No standard process currently exists to guide an investigator at any level within the government (local, state or federal), the military, or those investigating the Internet for a corporation. This has caused a lack of understanding among those assigned these tasks, and has caused the development of a variety of practices within this community. To add to the lack of consistent practices, the lack of specialized tools in this area has driven the adoption of tools specifically designed for other purposes. These tools have sometimes provided the investigator with insufficient support for Best Evidence practices. However, investigators, ever adapting to their changing world, have proceeded ahead and have put many criminals in prison based on their ability to collect evidence from the Internet with tools not designed for evidence collection.
The most significant adoption of standardized investigative methods for Internet evidence collection is with the Internet Crimes Against Children (ICAC) Task Forces (TFs). Since their inception in the late 1990s, the ICAC TFs have grown from a few task forces to over 46 across the United States. The managing working group of the task forces has standardized the methods they use for investigating child exploitation on the Internet. These standards guide the task force members and dictate appropriate actions during online child predator investigations.
Many federal agencies invest personnel resources in the investigation of crime committed on the Internet. For example, the Federal Trade Commission (FTC) investigates identity theft, the Federal Bureau of Investigation investigates terrorism, the Secret Service investigates credit card fraud and Immigration and Customs Enforcement investigates counterfeit pharmaceutical sales over the Internet. Amongst all of these agencies, no common standard methodology exists for these online investigations.
The law enforcement guide “Electronic Crime Scene Investigation, A Guide for First Responders” is the first in a series of guides funded by the National Institute of Justice (NIJ), U.S. Department of Justice.
The National Institute of Justice (NIJ), a division of the Office of Justice Programs (OJP), Department of Justice, through the Office of Law Enforcement Standards (OLES) at NIST (the National Institute of Standards and Technology), started producing guides for law enforcement regarding the investigation of technology. The first in the series, “Electronic Crime Scene Investigation, A Guide for First Responders”, was an initial guide that exposed many in law enforcement to basic techniques for dealing with computers at crime scenes. The project began in May 1998, and the technical working group met, reviewed, and compiled material until the guide was published in 2001. Subsequent texts in the series include “Investigations Involving the Internet and Computer Networks”, “Digital Evidence in the Courtroom: A Guide for Law Enforcement Prosecutors” and “Forensic Examination of Digital Evidence: A Guide for Law Enforcement”.
In the United Kingdom the Association of Chief Police Officers has looked at digital evidence from the computer forensic perspective and outlined, in their pamphlet entitled “Good Practice Guide for Computer-Based Electronic Evidence”3, four basic principles for the handling of digital evidence:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
3 http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
The ACPO guide discusses the collection of online evidence in its section entitled “Crime scenes on the Internet”. However, unlike the previous clear guidance on how to handle digital evidence from computers, ACPO gives less than clear direction on the actual collection of evidence from the Internet. They recognize that the Internet is essentially a large computer network and that data of interest resides on computers, but that some volatile data may require capturing live website content.
The use of undercover investigation techniques is governed by the National Standards in Covert Investigations, which are detailed in the “Manual of Standards for the Deployment of Covert Internet Investigators.” The general advice in the guide for an investigator wishing to collect evidence from the Internet is to consult their force’s Computer Crime Unit.
The current methods of collecting digital evidence are based on law enforcement’s early experiences in collecting evidence from hard drives. Over the past decade, a standard in that process has been developed and refined. Early in the digital evidence process development, the NIJ Technical Working Group on Digital Evidence (TWGDE) that produced the document “Electronic Crime Scene Investigation, A Guide for First Responders” outlined a four stage process for dealing with digital evidence. Those four stages are collection, examination, analysis and reporting of the digital evidence.
FIGURE 1 DIGITAL FORENSIC FOUR STAGE PROCESS
This process was later enhanced with the Abstract Digital Forensics Model4 which increased the stages to nine (see figure 2):
FIGURE 2 DIGITAL FORENSIC NINE STAGE PROCESS
Several attempts have been made to further define this process, but few have gained the acceptance that the listed processes have in the digital forensic community. The commonality of all of the digital forensic processes harkens back to the NIJ’s TWGDE’s four stages, the collection, examination, analysis and reporting of the digital evidence. Current online investigations should follow these four basic stages in a similar manner.
LEGAL BACKGROUND FOR CONDUCTING INVESTIGATIONS ON THE INTERNET
Since the Internet went public in 1994, law enforcement officers have investigated and collected evidence of crimes online. The collection of digital evidence has morphed from an uncommon concept to a topic of daily discussion. Digital evidence is as common today as any other “standard” evidence. Digital evidence exists anywhere that there are electronic devices, from cellular telephones to the global positioning systems in many of the newer automobiles. Computers have become the standard electronic device where most digital evidence is commonly collected. A large industry has arisen to support the emerging science of computer forensics5. The area of digital discovery of electronic evidence alone has grown immensely as businesses rely on computers to store company data and rely on email as an everyday means of communication.
4 http://www.utica.edu/academic/institutes/ecii/publications/articles/A04A40DC-A6F6-F2C1-98F94F16AF57232D.pdf
5 Computer Forensics “... is the art and science of applying computer science to aid the legal process. Although plenty of science is attributable to computer forensics, most successful investigators possess a nose for investigations and a skill for solving puzzles, which is where the art comes in”. - Chris L.T. Brown, Computer Evidence Collection and Preservation, 2006
The legal system in the United States has been looking at the changing landscape of legal cases by the inclusion of digital evidence as a normal part of civil and criminal cases. The U.S. Federal Court system instituted changes in the Federal Rules of Civil Procedure (FRCP) during December 2006 to clarify “electronically stored information” and its place in the courts as evidence.6 A large body of case law is building around digital evidence and its introduction in both criminal and civil cases in the United States. Recently the most significant case in the area of digital evidence has been Lorraine v. Markel American Insurance Co.7 In this case, the magistrate denied the admission of electronically stored information (ESI), but outlined how the evidence should have been properly admitted. The decision outlines, more than any other existing case, clear guidance for the admission of electronic evidence in a Federal civil case. What this does for law enforcement and those collecting data as evidence from the Internet is to lay out a partial roadmap for development of a standard methodology for Internet forensics and its successful admission in court. In the decision, Judge Grimm acknowledges “The process is complicated by the fact that ESI comes in multiple evidentiary “flavors,” including e-mail, website ESI, internet postings, digital photographs, and computer-generated documents and data files.” Of particular note is Judge Grimm’s discussion of ESI authentication, including the use of hashing (digital fingerprints), ESI meta-data, as well as the collection of the data in its “native format”.
The United States Department of Justice (DOJ) early in this field developed guidelines for dealing with digital evidence.8 The DOJ Computer Crime and Intellectual Property Section produced the reference guide “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.” This has been the basis for law enforcement across the U.S. when dealing with digital evidence. In addition, Guidance Software9 has maintained a running text of the applicable case law as a reference tool for everyone in this digital evidence field, entitled the “Encase® Legal Journal”.
6 http://www.blackwellsanders.com/pdf/FRCP_White_Papers.pdf
7 Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534 (D. Md. 2007)
8 http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm
9 www.guidancesoftware.com
A review of the current applicable case law reveals a complicated field that has developed around certain concepts of evidence collection and preservation. Basic premises of digital evidence collection include the collection of the data in a manner consistent with the law, verification of the data collected and maintenance of a proper chain of custody of evidence collected. Digital evidence, although electronic bits and bytes on some storage media, is extremely important to the average law enforcement investigation. Specialized tools for its collection and examination have become the standard in the field of digital evidence.
Guidance Software’s “Encase®”, a digital evidence examination and collection software program, is an example of an evidence collection tool accepted by courts (as exampled in recent prosecutions in Ohio State v. Anderson and Texas State v. Willard10). Additional tools in this field are regularly used to automate and simplify the evidence collection process. These tools include AccessData’s11 Forensic ToolKit (FTK) and Technology Pathways’12 ProDiscover, which are also used by many in the digital evidence collection process. In the Ohio case State v. Anderson, the conviction of the defendant was upheld using Encase®, and in the Texas case, State v. Willard, the court specifically validated the reliability of Encase® as used in the case.
Each of these tools collects a variety of digital evidence based generally around data at rest on hard drives or removable media. Data at rest is generally referred to as data that is saved to a computer storage device and not moving through a network or residing in a computer’s memory. While Encase and ProDiscover are both capable of collecting data across networks, including volatile data contained in their memory, none of these tools focus themselves on the collection of data specifically from the Internet. This is due to the current theory that in order to use these digital evidence collection tools, access and control of the suspect system to some degree is required.
10 http://www.guidancesoftware.com/support/legalresources.aspx
11 http://www.accessdata.com
12 http://www.techpathways.com
The collection of information on the Internet outside of the control of the user (observer of the data) is unaddressed by these tools. A variety of commercial and freeware tools have done the historical collection of Internet based data. The tools used by law enforcement and others conducting investigations online vary from off the shelf (OTS) software designed for other purposes to tools designed by an agency for its individual investigators’ use. Numerous tools have been adopted to collect evidence from various parts of the Internet. Many freeware (no cost to the user) and shareware programs, as well as commercial products, have been used to capture webpages. Adobe13 and Techsmith14 provide tools that have been moderately successful for law enforcement and others to capture images, video and webpages. These tools save their captures in a normal electronic file used for general use such as a PDF15, jpg16 or mpg17.
For the purpose of collecting evidence from the Internet, law enforcement has adopted these tools for these purposes, none of which were originally intended for the collection, preservation and presentation of the data in court. As a result, their use has caused court challenges. The concept and process of evidence collection from the Internet, most especially in the area of child exploitation investigations, has been validated in a number of legal cases where convictions have occurred (references to pertinent case law are presented in Appendix A).
LAW ENFORCEMENT INTERNET INVESTIGATIVE COSTS
Choosing to conduct investigations or collect information for evidentiary purposes from the Internet requires an investment. That investment includes hardware costs, software costs, personnel costs, training costs, and physical location costs. Each of these requires a commitment of resources to the task that often is more than an agency will want to allocate.
13 www.adobe.com
14 www.techsmith.com
15 .PDF is a document file format designed by Adobe
16 .jpg is an image format standard
17 .mpg is a movie format standard
FIGURE 3 COSTS ASSOCIATED WITH CONDUCTING INVESTIGATIONS ON THE INTERNET
Personnel Costs: These are the actual costs associated with assigning personnel to conduct investigations online. These costs include the hourly wage of the employee and any benefits associated with that salary.
Hardware Costs: These are the actual costs associated with providing the assigned personnel with the computers and equipment required to investigate crimes on the Internet.
Software Costs: These are the actual costs associated with providing the assigned personnel with the software needed to conduct investigations on the Internet.
Training Costs: These are the actual costs associated with providing the assigned personnel training needed to conduct investigations on the Internet.
The cost of a project drives a government’s response to most any issue. The response to Cybercrime is no different. What has occurred nationally in the Cybercrime arena is varied among law enforcement agencies at the local, state and federal levels. The Federal government has responded to portions of the Cybercrime problem with large amounts of funding. The State and local response has been more sporadic. The cost of conducting investigations on the Internet is actually relatively small when compared to the financial impact to the community. Many agencies that accept the need for conducting Internet investigations have absorbed the cost into their normal investigations budgets as a cost of doing business. However, many law enforcement administrators still lack the overall understanding of the need for a response to Internet based crime.
This has caused a general tendency to ignore the communities’ victims, despite the public acknowledgement of the amount of crime being conducted. This is evident in the International Association of Chiefs of Police “Identifying Critical Technology Needs Technology Survey Results”18 study conducted in 2005. The survey’s respondents identified five technology priorities: communications, patrol cars, management, forensics, and video cameras. None of the priority needs reported by the respondents reflected the actuality of their need to respond to Cybercrime. A search on the IACP website offers little direction for law enforcement managers and/or advice on how to deal with Cybercrime investigations other than from an IT perspective. All too often there would appear to be a consensus in law enforcement that Cybercrime investigations are someone else’s problem or jurisdiction.
Whole industries and professions have sprung up in response to the Cybercrime dilemma to address its daily impact on everyone, including those who do not use the Internet. Every day, companies from the banking industry to the newly formed “Identity Theft Protection” industry use the Cybercrime threat in their marketing campaigns. Millions of dollars in the U.S., let alone the rest of the world, are being spent by Americans to protect themselves from Cybercrime, which according to an FBI survey cost Americans approximately 67 billion dollars in 2005. The fact is that more funds are being spent by the average citizen to protect themselves from online crime than governments are spending in total to protect their own residents from these crimes. Government’s response, although in the millions of dollars, has been ineffective when dealing with the overall problem of Cybercrime. It isn’t just a matter of the need to have more money thrown at the Cybercrime problem. The need is a realization within government and law enforcement that:
The Internet permits criminals easy access to every locked home and business online,
Cybercrime is here to stay,
Cybercrime is an activity that affects citizens on a daily basis more than any other crime category, and
Everyday law enforcement needs to incorporate the Internet into their investigations, either as its focus or as a tool.
18 http://www.theiacp.org/research/CuttingEdge/TechSurveyReport.pdf
Changing the Current Internet Investigation Paradigm
Clearly, the need exists to investigate crimes on the Internet and, equally, the need to collect evidence in support of those crimes. The question becomes how that is best achieved and under what protocol. The guidance for the proper collection of evidence from the Internet is not as well defined as that for the general computer forensic field. Computer forensics has been establishing the digital evidence collection process related to computers in general since the early 1990s. Clear guidance and established practices have been developed and are followed routinely throughout the world when dealing with digital evidence as it applies to computer forensics. Not so clear are the procedures for the online collection of evidence from the Internet. The complication for this comes from the real time interaction that the Internet gives the users. Data is transmitted over the Internet through various methods. Some of these methods intentionally use volatile data space as the transfer method, such as Instant Messaging and Chat applications. The use of volatile memory space for these interactions allows the data not to be recorded on any computer or server along the path of the conversation. This kind of data cannot generally be obtained through traditional computer forensic examinations. The capture of this kind of data clearly needs to be accomplished by the user initiating the connection. Law enforcement investigators have adopted several commercial tools for this purpose. All are valuable tools for each intended purpose, but still adopted and used for an unintended purpose, the collection of Internet based evidence.
The collection of evidence from the Internet needs fundamental structure to properly document the veracity and defensibility of the data collected. Bruce Nikkel, in Domain Name Forensics: A Systematic Approach to Investigating an Internet Presence, describes the forensic advantages of collecting evidence using command line tools. The advantages he describes are:
Each file containing evidence has a system generated time-stamp showing the exact time of evidence collection.
Collected evidence is transferred from the collection tools directly to the files without human intervention.
The Whois and DNS server names are explicitly defined and logged, showing that the evidence was collected from authoritative sources.
A complete transcript log of the evidence collection procedure is available for scrutiny.
Nikkel’s “forensic advantages” detail the collection and verification of Internet based evidence. The collection process uses tools to collect the evidence without human intervention. This allows for a consistent and repeatable collection of evidentiary items. He describes the use of time-stamping and logging the evidence collected to make the evidence authoritative. The use of automated collection tools and the addition of verification methods such as logging add multiple layers of verification to the data collected. “There is no single way to enforce chain of custody in digital forensics, but the use of techniques such as time-stamping and hashing algorithms are central to all methods.” Øystein E. Thorvaldsen, Geographical Location of Internet Hosts using a Multi-Agent System
Examining Nikkel’s “forensic advantages” and the processes detailed in the NIJ guide “Electronic Crime Scene Investigation, A Guide for First Responders” as well as the forensic investigative models, there are clearly three steps to the proper collection of Internet based evidence: the collection of the evidence, its preservation, and its presentation.
FIGURE 4 PROPER INTERNET EVIDENCE COLLECTION STEPS (1. Collection, 2. Preservation, 3. Presentation)
Collection of Internet based evidence includes the actual capture of content viewed by the user. This can be a webpage or items on a webpage such as image files, music files, or documents. It can also be instant message conversations or chat conversations using a variety of applications designed for that purpose.
Preservation of the Internet based evidence includes the treatment of this digital evidence using the concepts and principles learned from computer forensics when dealing with digital evidence.
1. Don't change the evidence if possible.
2. Collect the evidence in a verifiable manner.
3. Maintain a proper chain of custody of the evidence.
Presentation of the Internet based evidence means the actual viewing offline of the evidence in a manner simulating its real time collection. This could include viewing chat logs or video files of the websites visited or the real time chat sessions.
FIGURE 5 PROPER INTERNET EVIDENCE COLLECTION STEPS IN DETAIL
1. Collection: • Collect evidence using techniques that ensure defensibility
2. Preservation: • Maintain chain of custody of all evidence items • Secure from other evidence items • Hash evidence items
3. Presentation: • Prepare evidence for prosecution and discovery • Prepare Report • Save evidence to archival media
Currently, the lack of standards for the proper collection of Internet based evidence has led the average investigator to make up collection standards locally. Some organizations such as the Internet Crimes Against Children Task Forces nationwide, have, through their federal funding, developed standards for implementation by the task force members. Due to the nature of the crimes investigated, those standards are not public. The average investigator interested in the collection of evidence from the Internet has a great challenge in front of him.
The current thought process would be to seek out training specifically designed for law enforcement regarding the investigation of Internet based crime. This training occurs through federally funded programs (such as SEARCH and the National White Collar Crime Center) or through a variety of colleges and universities currently offering digital investigations programs, such as Champlain College's Center for Digital Investigation19.
Each program offers technical detail in the collection of evidence from the Internet. Each program has developed its own standard for the curriculum and the process of the collection of evidence from the Internet. All of the programs are valuable and go a long way toward bettering law enforcement's attempts at grasping the problem at hand. However, each program has some drawbacks. The federally funded programs usually last a week and are offered only a few times each year in various locations, which in turn makes them almost inaccessible to the average investigator. The post-secondary programs are offered for credit within an associate or bachelor's degree program. Champlain College is moving to an online program, which will make the training more accessible to the average investigator. The challenge remains a standard approach to the training and evidence collection methodology. Dr. Robert DeYoung, St. Thomas University, in a paper titled A Triad of Collaboration: Internet-Related Investigative Considerations Prior to the Computer Forensic Application, said "A single piece of evidence is important; a second associative reference is significant; and third occurrence is compelling." The significance of this for the Internet investigator is the ability to corroborate the collection of evidence from the Internet. Multiple occurrences of associative references can substantiate a collected piece of evidence as authentic. Those associative references to a piece of Internet based evidence could include hash values of the evidence collected, date and time stamps of the occurrence, log files of a tool's actions, key logging of investigator actions, and a collection process that is repeatable and reproducible. The collection of Internet evidence has long been a process rife with undefined processes and completed using tools that collect data but not evidence. Adding a reproducible process and associative references to the methodology makes the data collected a defensible evidentiary item.
19 http://c3di.champlain.edu/
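The associative references described above (hash values, system time stamps, a log of the tool's own actions, a reproducible process) and the preservation principles from the previous page (collect verifiably, maintain chain of custody, detect alteration) can all be carried in one sealed collection record. The following is an added example written for this page, not code from the paper or from Vere Software; the case number, investigator name, URL and server address are placeholders, the captured page is a constructed sample, and nothing is fetched from the network.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _now() -> str:
    # System-generated UTC time-stamp, never typed in by the investigator
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def _canonical(body: dict) -> bytes:
    # Stable serialization so the seal hash is reproducible when re-checked later
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class CollectionRecord:
    """Captured items plus an append-only transcript of every tool action."""

    def __init__(self, case_id: str, investigator: str):
        self.case_id = case_id
        self.investigator = investigator
        self.items = []
        self.transcript = []

    def _log(self, action: str, **details) -> None:
        self.transcript.append({"ts": _now(), "action": action, **details})

    def collect(self, label: str, source: str, server: str, content: bytes) -> dict:
        # `server` names the host the bytes actually came from, so the record
        # states the source of the evidence explicitly, not just the URL requested
        item = {"label": label, "source": source, "server": server,
                "collected_at": _now(), "size": len(content),
                "sha256": sha256_hex(content)}
        self.items.append(item)
        self._log("collect", label=label, server=server, sha256=item["sha256"])
        return item

    def manifest(self) -> dict:
        """Chain-of-custody manifest sealed by a hash over its canonical form."""
        body = {"case_id": self.case_id, "investigator": self.investigator,
                "items": self.items, "transcript": self.transcript}
        return {**body, "manifest_sha256": sha256_hex(_canonical(body))}

def verify_manifest(manifest: dict) -> bool:
    """Any later edit to an item hash, time-stamp or transcript entry fails here."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hmac.compare_digest(sha256_hex(_canonical(body)),
                               manifest["manifest_sha256"])

def verify_item(manifest: dict, label: str, content: bytes) -> bool:
    """Presentation step: content shown later must re-hash to what was sealed."""
    for item in manifest["items"]:
        if item["label"] == label:
            return hmac.compare_digest(sha256_hex(content), item["sha256"])
    return False

# Constructed sample capture; case id, URL and server address are placeholders
SAMPLE_PAGE = b"<html><body>Constructed sample forum posting</body></html>"

def build_sample_manifest() -> dict:
    rec = CollectionRecord("CASE-PLACEHOLDER", "Investigator (placeholder)")
    rec.collect("posting", "http://example.invalid/forum/1", "203.0.113.10",
                SAMPLE_PAGE)
    return rec.manifest()

if __name__ == "__main__":
    m = build_sample_manifest()
    print(json.dumps(m, indent=2))
    print("manifest intact:", verify_manifest(m))
```

Re-running verify_item on the archived bytes at presentation time, and verify_manifest on the record itself, is what turns the stored hash and time stamp into a check rather than a note.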
Conclusion
In the United States the collection of digital evidence has become a standard in many criminal investigations. The collection of evidence from both computers and the Internet has become a regular event. Only digital evidence collection from computers has evolved into a standard process that has become generally accepted by the courts. Internet based evidence collection has emerged as a regular environment for investigators to seek out evidence of crimes. However, the use of invalidated processes for the collection of online evidence will cause challenges to the evidence.
FIGURE 6 CURRENT INVALIDATED METHOD OF COLLECTING INTERNET BASED EVIDENCE (Invalidated collection process →)
1. Collection: • Evidence not collected in defensible manner.
2. Preservation: • Chain of custody dependent on investigator's written notes. • Not an evidence file. • Internet data has potential for alteration.
3. Presentation: • Invalidated Internet data turned over to prosecutor and defense. • Reports prepared about unvalidated evidence collection process.
Following the lessons learned from the field of computer forensics a standard can be developed for the collection of Internet based evidence. The process outlined above to collect, preserve and present Internet based evidence is a simple standard to follow.
Utilizing a defined, repeatable and verifiable process law enforcement, and any other fields wishing to verify and validate information collected on the Internet, can be assured that they will have collected defensible online evidence.
FIGURE 7 DEFENSIBLE EVIDENCE THROUGH ASSOCIATIVE REFERENCES AND PROCESS (The Internet → Reproducible collection process →)
APPENDIX A PERTINENT U. S. CASE LAW REGARDING INTERNET INVESTIGATIONS
Tracing Internet Protocol Addresses
State v. Jacobs (Minn. Ct. App. April 17, 2007) 2007 Minn. App. Unpub. 360.
Tracing Internet Protocol addresses back to a suspect using automated tools, even when the suspect is attempting to hide himself, does not violate the suspect's "reasonable expectation of privacy".
U.S. v. Perez (5th Cir. April 11, 2007) 484 F.3d 735
Law enforcement obtained a search warrant based on the transmission of child pornography which was traced back to a particular IP address registered to defendant.
Validation of Undercover Communications with Defendants
People v. Richardson (2007) , [not published] Previously published at: 151 Cal.App.4th 790.
That def., unbeknownst to him, was communicating with an adult posing as a minor is immaterial since factual impossibility is not a defense.
U.S. v. Han (H.D. N.Y. 1999) 66 F.Supp.2d.
Whether the defendant was unable to complete the crime of 2423(b) because the victim was fictitious is irrelevant in addressing guilt.
U.S. v. Crow (5th Cir. 1999) 164 F.3d 229.
Motion to quash denied where individual defendant attempted to exploit [a § 2251(a) charge] was an undercover detective.
Email Authentication
U.S. v. Sidiqui (11th Cir. 2000) 235 F.3d 1318.
E‐mails introduced into evidence over defendant hearsay and improper authentication objections. Court analyzed the authentication issues under traditional evidentiary standards. (FRE 901(a) and 901(B)(4).) Contains good discussion of circumstantial evidence of authenticity but no discussion as to the technical aspects of e‐mail. As to hearsay objection, the e‐mails were considered admissions of a party. (FRE 801(d)(2)(A).)
People v. Von Gunten (2002 Cal.App.3d Dist.) 2002 WL 501612. [Unpublished.]
Defendant laid an inadequate foundation of authenticity to admit, in prosecution for assault with a deadly weapon, hard copy of e‐mail messages (Instant Messages) between one of his friends and the victim’s companion, as there was no direct proof connecting victim’s companion to the screen name on the e‐mail messages.
Online Evidence Admissibility
United States v. Brand 2005 WL 77055 (S.D.N.Y. January 12, 2005).
Chat transcript of AOL instant messages admissible since it was sufficiently similar to the charged conduct.
Hammontree v. State (Ga. Ct. App. 2007) ‐‐‐ S.E.2d ‐‐‐‐, 2007 WL 547763
Where the victim testified that she was an ‘actual participant’ in the IM conversation and confirmed its contents, the IM ‘transcript’ was properly authenticated.
U.S. v. Burt (7th Cir., July 26, 2007) 495 F.3d 733
Logs of a Yahoo! chat were admissible when properly authenticated.
Lorraine v. Markel American Insurance Company (D.Md. May 4, 2007) 241 F.R.D. 534.
Case provides a comprehensive analysis of how to authenticate digital evidence such as digital photos, email and text messages.
People v. Hawkins (June 2002) 98 Cal.App.4th 1428.
Court addresses California Evidence Code section 1552 [printed representation of computer information or a computer program is presumed to be accurate]. Court noted "the true test for admissibility of a printout reflecting a computer’s internal operations is not whether the printout was made in the regular course of business, but whether the computer was operating properly at the time of the printout."
EEOC v. E.I. du Pont de Nemours & Co., 2004 WL 2347559, 65 Fed. R. Evid. Serv. 706.
Printout from Census Bureau web site containing domain address from which image was printed and date on which it was printed was admissible in evidence.
Telewizja Polska USA, Inc., v. Echostar Satellite Corp. (N.D. Ill. 2004) 2004 WL 2367740 [Not Reported]
Archived versions of web site content, stored and available at a third party web site, were admissible into evidence under Federal Rule of Evidence 901. The contents of the web site could also be considered an admission of a party opponent, and thus are not barred by the hearsay rule.
U.S. v. Tank (9th Cir. 2000) 200 F.3d 627.
Authentication of screen name.
People v. Von Gunten (2002 Cal.App.3d Dist.) 2002 WL 501612. [Unpublished.]
Defendant laid an inadequate foundation of authenticity to admit, in prosecution for assault with a deadly weapon, hard copy of e‐mail messages (Instant Messages) between one of his friends and the victim’s companion, as there was no direct proof connecting victim’s companion to the screen name on the e‐mail messages.
Admission of Duplicate Digital Evidence
State v. Morris, 2005 WL 356801 (Ohio App. 9 Dist.)
During forensics analysis using EnCase a copy of the hard drive was made. Before returning the computer the expert erased all data on the original drive. At trial the copy was used as evidence. The court found that the rules of evidence permit admission of duplicates, that appellant was unable to show what type of exculpatory evidence may have been lost during the copying procedure, and that the original was not destroyed in bad faith.
Use of Automated Tools in Digital Evidence Collection
Williford v. State (2004 Tex.App.‐Eastland) 127 S.W.3d 309.
Upholding the use of EnCase as a forensic tool.
Introduction of Web Sites
EEOC v. E.I. du Pont de Nemours & Co., 2004 WL 2347559, 65 Fed. R. Evid. Serv. 706.
Printout from Census Bureau web site containing domain address from which image was printed and date on which it was printed was admissible in evidence.
Telewizja Polska USA, Inc., v. Echostar Satellite Corp. (N.D. Ill. 2004) 2004 WL 2367740 [Not Reported]
Archived versions of web site content, stored and available at a third party web site, were admissible into evidence under Federal Rule of Evidence 901. The contents of the web site could also be considered an admission of a party opponent, and thus are not barred by the hearsay rule.
REFERENCES
1) Setting up an Online Investigative Computer: Hardware, Connectivity and Software Recommendations, Daniels, Keith, http://www.search.org/files/pdf/OnlineInvComSetup.pdf
2) An Examination of Digital Forensic Models, International Journal of Digital Evidence, Fall 2002, Volume 1, Issue 3, Reith, Mark; Carr, Clint; Gunsch, Gregg
3) Good Practice Guide for Computer-Based Electronic Evidence, Association of Chief Police Officers (ACPO)
4) CIOIM Supplement: Digital Officer Safety, 2000, Parmar, S.K., Cst, N. Cowichan Duncan RCMP Det., Duncan, BC
5) Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, July 2002, Computer Crime and Intellectual Property Section, Criminal Division, United States Department of Justice
6) Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment, June 2002, Vatis, Michael A., Institute for Security Technology Studies at Dartmouth College
7) Law Enforcement Tools and Technologies for Investigating Cyber Attacks: Gap Analysis Report, February 2004, Institute for Security Technology Studies at Dartmouth College
8) Internet Child Sex Predators: Building a Case for Conviction, August 2004, Sarah Elizabeth Smith, Liberty Business Review, Volume II, Number 2, Liberty University
9) Domain Name Forensics: A Systematic Approach to Investigating an Internet Presence, August 2005, Bruce J. Nikkel, The International Journal of Digital Forensics and Incident Response, Vol. 1, No. 4
10) Geographical Location of Internet Hosts using a Multi-Agent System, November 2006, Øystein E. Thorvaldsen, Department of Computer and Information Science, Norwegian University of Science and Technology
11) Investigation of Cybercrime and Technology-related Crime, March 2002, Dan Koenig, National Executive Institute, www.neiassociates.org/cybercrime.htm
12) E-Evidence & Internet Crimes Against Children California Case Digest and Commentary, December 2007, Robert Morgester, Deputy Attorney General, Office of the Attorney General, State of California, www.cdaa.org
13) Encase Legal Journal, April 2007, Guidance Software, http://www.guidancesoftware.com/support/legalresources.aspx
14) Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, 2006, Todd G. Shipley and Henry R. Reeve, Esq., http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf
15) Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, June 2007, Report to Congressional Requesters, United States Government Accountability Office (GAO)
16) Identifying Critical Technology Needs: Technology Survey Results, Fall 2005, International Association of Chiefs of Police
17) Suggested Protocol for Discovery of Electronically Stored Information ("ESI"), 2007, The United States District Court for the District of Maryland, http://www.mdd.uscourts.gov/news/news/ESIProtocol.pdf
About the Author
Todd G. Shipley, CFE, CFCE
President & CEO of Vere Software
As President and Chief Executive Officer of Vere Software, Todd Shipley is primarily responsible for carrying out the strategic plans and policies, and as such, has the ultimate management responsibility for all company operations. Todd is directly responsible for providing leadership; the creation of its strategic, tactical, and financial plans; developing goals and measuring performance to the approved goals; organizational and customer development; and the development of the company’s staff.
Prior to starting Vere Software, Todd G. Shipley was the Director of Systems Security and High Tech Crime Prevention Training for SEARCH, The National Consortium for Justice Information and Statistics, where he oversaw a national program that provided expert technical assistance and training to local, state, and federal justice agencies on successfully conducting high-technology computer crimes investigations. In this position he was also the manager of the National Criminal Justice Computer Laboratory and Training Center. Mr. Shipley oversaw a variety of SEARCH's technology crime investigation courses offered at the National Criminal Justice Computer Laboratory and Training Center in Sacramento, California, and at other sites nationwide. He also supervised the training, provided by an experienced team of certified computer crimes investigators and information systems security professionals, focused on systems security, computer forensics and investigations involving the Internet, local area networks and online child exploitation. As the director, he was responsible for program grant writing and applications, preparing and implementing specific program and annual budgets and management of their subsequent expenditure. Mr. Shipley has 25 years' experience in law enforcement, all with the Reno, Nevada, Police Department, where he developed subject-matter expertise in computer forensics, online investigations and information technology security. Prior to joining SEARCH in 2004, he was a Senior Detective Sergeant managing the Department's Financial and Computer Crimes Unit, where he investigated serious fraud- and financial-related offenses using basic investigative, technical and covert surveillance techniques.
He was responsible for developing cyber crime and technology crime investigative policy; serving as a liaison to other law enforcement, intelligence and government agencies and industry bodies; providing department/regional training; and serving as an expert witness. His previous positions with the Department included four years as a Detective and Detective Sergeant assigned to the U.S. Attorney's Office Organized Crime Drug Enforcement Task Force, five years as a Detective investigating major property and person crimes, and eight years as a patrol officer. Since 1979 Mr. Shipley has been a member of the 152nd Security Forces Squadron of the Nevada Air National Guard, where he is a Chief Master Sergeant and served, during the current war on terror, as Security Coordinator at Bagram Airfield, Afghanistan from late 2001 to early 2002. During both his military and law enforcement careers, he has received many awards and commendations. Mr. Shipley formed Nevada's first Computer Crime Investigations Unit. He is a Certified Fraud Examiner through the Association of Certified Fraud Examiners and a Certified Forensics Computer Examiner through the International Association.
Contact Todd Shipley at [email protected]