Computer Forensics For Dummies - Linda Volonino - E-Book


Linda Volonino

Description

Uncover a digital trail of e-evidence by using the helpful, easy-to-understand information in Computer Forensics For Dummies! Professional and armchair investigators alike can learn the basics of computer forensics, from digging out electronic evidence to solving the case. You won't need a computer science degree to master e-discovery. Find and filter data in mobile devices, e-mail, and other Web-based technologies. You'll learn all about e-mail and Web-based forensics, mobile forensics, passwords and encryption, and other e-evidence found through VoIP, voicemail, legacy mainframes, and databases. You'll discover how to use the latest forensic software, tools, and equipment to find the answers that you're looking for in record time. When you understand how data is stored, encrypted, and recovered, you'll be able to protect your personal privacy as well. By the time you finish reading this book, you'll know how to:

* Prepare for and conduct computer forensics investigations
* Find and filter data
* Protect personal privacy
* Transfer evidence without contaminating it
* Anticipate legal loopholes and opponents' methods
* Handle passwords and encrypted data
* Work with the courts and win the case

Plus, Computer Forensics for Dummies includes lists of things that everyone interested in computer forensics should know, do, and build. Discover how to get qualified for a career in computer forensics, what to do to be a great investigator and expert witness, and how to build a forensics lab or toolkit. Note: CD-ROM/DVD and other supplementary materials are not included as part of eBook file.


Page count: 530

Publication year: 2008




Computer Forensics For Dummies®

Table of Contents

Introduction

Who Should Read This Book?

About This Book

How to Use This Book

What You Don’t Need to Read

Foolish Assumptions

How This Book Is Organized

Part I: Digging Out and Documenting Electronic Evidence

Part II: Preparing to Crack the Case

Part III: Doing Computer Forensic Investigations

Part IV: Succeeding in Court

Part V: The Part of Tens

Glossary

About the Web Site and Blog

Icons Used in This Book

Where to Go from Here

Part I: Digging Out and Documenting Electronic Evidence

Chapter 1: Knowing What Your Digital Devices Create, Capture, and Pack Away — Until Revelation Day

Living and Working in a Recorded World

Deleting is a misnomer

Getting backed up

Delusions of privacy danced in their headsets

Giving the Third Degree to Computers, Electronics, and the Internet

Answering the Big Questions

What is my computer doing behind my back?

How does my data get out there?

Why can data be discovered and recovered easily?

Examining Investigative Methods

Getting permission

Choosing your forensic tools

Knowing what to look for and where

Gathering evidence properly

Revealing Investigation Results

Preparing bulletproof findings

Making it through trial

Chapter 2: Suiting Up for a Lawsuit or Criminal Investigation

Deciphering the Legal Codes

Learning about relevancy and admissibility

Getting started with electronic discovery

Deciding what’s in and what’s not

Playing by the rules

Managing E-Discovery

Understanding that timing is everything

Grasping ESI discovery problems

Avoiding overbroad requests

Shaping the request

Stepping through the response

Conducting the Investigation in Good Faith

Deciding Who’s Paying the Bill

Chapter 3: Getting Authorized to Search and Seize

Getting Authority: Never Start Without It

Acknowledging who’s the boss (not you!)

Putting together your team

Involving external sources

No warrant, no problem (if it’s done legally)

Criminal Cases: Papering Your Behind (CYA)

Learning about the case and the target

Drafting an affidavit for a search warrant

Presenting an affidavit for judicial processing

Civil Cases: Verifying Company Policy

Searching with verbal permission (without a warrant)

Obtaining a subpoena

Chapter 4: Documenting and Managing the Crime Scene

Obsessing over Documentation

Keeping the chain complete

Dealing with carbon memories

Deciding who gets the evidence first

Getting to the truth

Directing the Scene

Papering the trail

Recording the scene: Video

Recording the sounds: Audio

Getting the lead out

Managing Evidence Behind the Yellow Tape

Arriving ready to roll: Bringing the right tools

Minimizing your presence

Stepping Through the Scene

Securing the area

Surveying the scene

Transporting the e-evidence

Part II: Preparing to Crack the Case

Chapter 5: Minding and Finding the Loopholes

Deciding to Take On a Client

Learning about the case and the theory

Finding out the client’s priorities

Timing your work

Defining the scope of work

Determining Whether You Can Help the Case

Serving as a resource for the lawyer

Taking an active role

Answering big, blunt questions

Signing on the dotted line

Passing the Court’s Standard As a Reliable Witness

Getting your credentials accepted

Impressing opinions on the jury

Going Forward with the Case

Digging into the evidence

Organizing and documenting your work

Researching and digging for intelligence

Keeping a Tight Forensic Defense

Plugging loopholes

Chapter 6: Acquiring and Authenticating E-Evidence

Acquiring E-Evidence Properly

Step 1: Determine the Type of Media You’re Working With

Step 2: Find the Right Tool

Finding all the space

A write-protect device

Sterile media

Step 3: Transfer Data

Transferring data in the field

From computer to computer

From storage device to computer

Step 4: Authenticate the Preserved Data

Step 5: Make a Duplicate of the Duplicate

Chapter 7: Examining E-Evidence

The Art of Scientific Inquiry

Gearing Up for Challenges

Getting a Handle on Search Terms

Defining your search list

Using forensic software to search

Assuming risks

Challenging Your Results: Plants and Frames and Being in the Wrong Place

Knowing what can go wrong

Looking beyond the file

Finding No Evidence

No evidence of who logged in

No evidence of how it got there

Reporting Your Analysis

Chapter 8: Extracting Hidden Data

Recognizing Attempts to Blind the Investigator

Encryption and compression

Data hiding techniques

Defeating Algorithms, Hashes, and Keys

Finding Out-of-Sight Bytes

Cracking Passwords

Knowing when to crack and when not to crack

Disarming passwords to get in

Circumventing passwords to sneak in

Decrypting the Encrypted

Sloppiness cracks PGP

Desperate measures

Part III: Doing Computer Forensics Investigations

Chapter 9: E-Mail and Web Forensics

Opening Pandora’s Box of E-Mail

Following the route of e-mail packets

Becoming Exhibit A

Tracking the biggest trend in civil litigation

Scoping Out E-Mail Architecture

E-mail structures

E-mail addressing

E-mail lingo

E-mail in motion

Seeing the E-Mail Forensics Perspective

Dissecting the message

Expanding headers

Checking for e-mail extras

Examining Client-Based E-Mail

Extracting e-mail from clients

Getting to know e-mail file extensions

Copying the e-mail

Printing the e-mail

Investigating Web-Based Mail

Searching Browser Files

Temporary files

Internet history

Looking through Instant Messages

Chapter 10: Data Forensics

Delving into Data Storage

The anatomy of a disk drive

Microsoft operating systems

Apple: HFS

Linux/Unix

Finding Digital Cavities Where Data Hides

Deleted files

Non-accessible space

RAM

Windows Registry

Search filtering

Extracting Data

Rebuilding Extracted Data

Chapter 11: Document Forensics

Finding Evidential Material in Documents: Metadata

Viewing metadata

Extracting metadata

Honing In on CAM (Create, Access, Modify) Facts

Discovering Documents

Luring documents out of local storage

Finding links and external storage

Rounding up backups

Chapter 12: Mobile Forensics

Keeping Up with Data on the Move

Shifting from desktop to handhelds

Considering mobile devices forensically

Recognizing the imperfect understanding of the technology

Making a Device Seizure

Mobile phones and SIM cards

Personal digital assistants

Digital cameras

Digital audio recorders

Cutting-Edge Cellular Extractions

Equipping for mobile forensics

Mobile forensic hardware

Securing the mobile device

Finding mobile data

Examining a smart phone step-by-step

Chapter 13: Network Forensics

Mobilizing Network Forensic Power

Identifying Network Components

Looking at the Open Systems Interconnection Model (OSI)

Cooperating with secret agents and controlling servers

Saving Network Data

Categorizing the data

Figuring out where to store all those bytes

Re-Creating an Event from Traffic

Analyzing time stamps

Putting together a data sequence

Spotting different data streams

Looking at Network Forensic Tools

Test Access Port (TAP)

Mirrors

Promiscuous NIC

Wireless

Discovering Network Forensic Vendors

Chapter 14: Investigating X-Files: eXotic Forensics

Taking a Closer Look at Answering Machines

Examining Video Surveillance Systems

Cracking Home Security Systems

Tracking Automobiles

Extracting Information from Radio Frequency Identification (RFID)

Examining Copiers

Taking a Look On the Horizon

Part IV: Succeeding in Court

Chapter 15: Holding Up Your End at Pretrial

Pretrial Motions

Motion to suppress evidence

Motion in limine

Motion to dismiss

Other motions

Handling Pretrial Hearings

Giving a Deposition

Swearing to tell truthful opinions

Surviving a deposition

Bulletproofing your opinions

Checking your statements

Fighting stage fright

Chapter 16: Winning a Case Before You Go to Court

Working Around Wrong Moves

Responding to Opposing Experts

Dealing with counterparts

Formatting your response

Responding to affidavits

Hardening your testimony

Chapter 17: Standing Your Ground in Court

Making Good on Deliverables

Understanding Barroom Brawls in the Courtroom

Managing challenging issues

Sitting on the stand

Instructing jurors about expert testimony

Presenting E-Evidence to Persuade

Staging a disaster

Exhibiting like an expert

Communicating to the Court

Giving testimony about the case

Answering about yourself

Getting paid without conflict

Chapter 18: Ten Ways to Get Qualified and Prepped for Success

The Front Ten: Certifications

ACE: AccessData

CCE: Certified Computer Examiner

CFCE: Certified Forensic Computer Examiner

CEECS: Certified Electronic Evidence Collection Specialist

Cisco: Various certifications

CISSP: Certified Information Systems Security Professional

CompTia: Various certifications

EnCE: Guidance Software

Paraben training

SANS and GCFA: GIAC Certified Forensics Analyst

The Back Ten: Journals and Education

Chapter 19: Ten Tactics of an Excellent Investigator and a Dangerous Expert Witness

Stick to Finding and Telling the Truth

Don’t Fall for Counsel’s Tricks in Court

Be Irrefutable

Submit a Descriptive, Complete Bill

Prepare a Clear, Complete Report

Understand Nonverbal Cues

Look ’Em Straight in the Eye

Dress for Your Role As a Professional

Stay Certified and Up-to-Date

Know When to Say No

Chapter 20: Ten Cool Tools for Computer Forensics

Computer Forensic Software Tools

EnCase

Forensic ToolKit (FTK)

Device Seizure

Computer Forensic Hardware

FRED

WiebeTech Forensic Field Kit

Logicube

Computer Forensic Laboratories

Computer forensic data server

Forensic write blockers

Media wiping equipment

Recording equipment

Computer Forensics For Dummies®

by Linda Volonino (Ph.D., MBA, CISSP, ACFE)

and

Reynaldo Anzaldua (MBA, CISSP, EnCE, CHFI, IBM I-Series)


Published by Wiley Publishing, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2008935815

ISBN: 978-0-470-37191-6

Manufactured in the United States of America


About the Authors

Linda Volonino (Ph.D., MBA, CISSP, ACFE) entered the field of computer forensics in 1998 with a Ph.D. and MBA in Information Systems. She’s taught computer forensics at the State University of New York at Buffalo School of Law, and to attorneys and state Supreme Court Justices as part of Continuing Legal Education (CLE) programs, and to the FBI. In 2003, Linda was the computer forensics adviser to Michael Battle, then-U.S. Attorney for the Western District of New York. She’s a computer forensics investigator and expert witness with Robson Forensic, Inc. working for plaintiff and defense lawyers in civil and criminal cases.

Linda’s given many entertaining/frightening seminars, including several in Las Vegas entitled “What Goes On in Vegas, Stays.” She has co-authored four textbooks; two on information technology, one on information security, and one on computer forensics — the latter with Rey Anzaldua and Jana Godwin. She’s a member of InfraGard and Program Chair for the Conference on Digital Forensics, Security and Law (CDFSL 2009). She can be reached via her blog at http://computerforensicsonline.wordpress.com/.

Reynaldo Anzaldua (MBA, CISSP, EnCE, CHFI, IBM I-Series) has been doing computer forensics since 1987 when it was only thought of as data recovery and considered an arcane geek skill. He has worked the computer field spectrum from computer repair technician to Information Technology director for various firms domestic and international as well as founding several computer related firms. In his current capacity at South Texas College, Rey created a new degree in Information Security and currently instructs in a wide range of computer security subjects. As part of the community mission of South Texas College, he is also working with the State Bar of Texas to offer Continuing Legal Education (CLE) programs to help attorneys understand computer forensic issues.

Rey is often asked to comment on television, radio, and newspaper regarding topics such as computer forensics, computer security, Internet privacy issues, and identity theft. In addition to regular media, he also gives seminars and guest speaks for various civic organizations.

He is currently helping to advise members of the Texas Legislature on issues regarding computer forensics and security in addition to keeping busy with a small consulting business specializing in computer, crime scene, and DNA forensics. He has worked with clients at the local, State, Federal, and International level over the years on a wide array of forensic cases as well as co-authoring a previous book on computer forensics.

He can be reached via [email protected], [email protected], or http://computerforensicsonline.wordpress.com/.

Dedication

To my parents and children: Each one encourages me in their unique way to keep reaching higher.

— Reynaldo Anzaldua

Authors’ Acknowledgments

We were most fortunate to have the world’s best team working with us. Great thanks to Amy Fandrei, Acquisitions Editor, and Rebecca Senninger, Project Editor.

And very special thanks to our copy editor Becky Whitney and technical editor Brian Koerner. We’re grateful to Mary Bednarek, Executive Acquisitions Director of Dummies Tech, for launching the project and Melody Layne, Business Development Account Manager, for putting us into motion. Sincere thanks.

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development

Project Editor: Rebecca Senninger

Acquisitions Editor: Amy Fandrei

Copy Editor: Rebecca Whitney

Technical Editor: Brian Koerner

Editorial Manager: Leah Cameron

Editorial Assistant: Amanda Foxworth

Sr. Editorial Assistant: Cherie Case

Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services

Project Coordinator: Erin Smith

Layout and Graphics: Reuben W. Davis, Melanee Habig, Melissa K. Jester, Christine Swinford, Christine Williams

Proofreader: Broccoli Information Management

Indexer: Broccoli Information Management

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher

Andy Cummings, Vice President and Publisher

Mary Bednarek, Executive Acquisitions Director

Mary C. Corder, Editorial Director

Publishing for Consumer Dummies

Diane Graves Steele, Vice President and Publisher

Joyce Pepple, Acquisitions Director

Composition Services

Gerry Fahey, Vice President of Production Services

Debbie Stailey, Director of Composition Services

Introduction

Who cares about digital footprints? Who cares about invisible trails of unshreddable electronic evidence (e-evidence) left by PCs and cellphones, PDAs and iPods, e-mail and social networks, visited Web sites and instant messaging, and every wireless and online activity? The sweeping answer is that you — and the many other people reading this book — care, and for good reasons. Investigators, attorneys, suspicious spouses, and the news media are legitimately interested in finding out what was sent over the Internet or private networks, what’s stored on backup tapes or logs, and who wrote what in corporate e-mail or the blogosphere.

People concerned with what’s happening to personal privacy certainly care. Anyone involved in litigation, criminal investigation, network intrusion, fraud or financial audit, marital or contract dispute, employment claim, or background check will care — sooner or later. Hardly a case goes to court — or avoids going to court — these days without the help of electronic gumshoes.

Digging up data to expose who did what and when, with whom, where, why, and how is a primary purpose of computer forensics. Computer forensics falls within the broader legal concept of electronic discovery, or e-discovery, the process of gathering data, documents, or e-mail in preparation for legal action that may lead to trial. Both these topics are serious stuff, as you soon find out in this book.

Searches for evildoers or illegal doings are now done megabyte by megabyte. But computers, network logs, and cell devices aren’t only breeding grounds for proof of guilt. E-evidence can be your best alibi if you’re wrongly accused. We’ve lightheartedly dubbed that type of evidence the e-alibi.

Who Should Read This Book?

Computer Forensics For Dummies was written for hands-on and armchair investigators. It’s designed to give you more than just a basic understanding of digital detective work, e-discovery, computer forensics, and e-evidence. Assume that we’re looking over your shoulder to guide you to do what’s right and to avoid doing irreversible wrongs.

This book is for individuals concerned about how their personal information becomes digitally recorded — investigators looking for a smoking gun or smoldering e-mail held in all types of electronic media; professionals required by lawsuit or audit to turn over their e-mail or business records; information technologists facing a subpoena or discovery request for electronic documents; lawyers wanting to know how to identify and use electronically stored information (ESI) to either win or not lose a case; and members of the court who want to know how to evaluate arguments about e-discovery (costs and burdens), the admissibility of paperless evidence, and the truth that it reveals.

Anyone who needs a quick read to understand e-evidence and computer forensics will benefit from this book too. From our experience, those folks are the accused, crime victims, anyone facing discovery requests, and their lawyers.

About This Book

Computer Forensics For Dummies is an introduction to the exploding field of computer forensics and e-discovery. Computer forensics and e-evidence are important because the crime scene is where the evidence is — which makes computers and handheld devices qualify as crime scenes. So, more and more cases hinge on e-evidence.

We explain how your data gets recorded, how to find and recover data; and how lawyers try to use or refute that evidence to win their cases.

We explain — from the forensic point of view — what’s important and why it’s important. This nuts-and-bolts how-to guide shows you how to

Prepare for and conduct computer forensic investigations in actual practice.

Find out the current state of computer forensic methods, software, tools, and equipment that are generally accepted by law enforcement, the FBI, the courts, and regulatory agencies, such as the Securities and Exchange Commission (SEC).

Conduct investigations according to generally accepted methods and avoid the risks of ignoring best practices.

View e-evidence and computer forensics from the trenches — from the up-close perspective of investigators who work with people, companies, agencies, and their lawyers on cases involving e-evidence.

How to Use This Book

Although all topics in Computer Forensics For Dummies are related, they’re distinct enough to fit into a modular format. You can use this book as a reference by going directly to the section related to your investigation or defense.

If you’re new to crime scenes and evidentiary issues, you should understand them before tackling the technical issues. Keep in mind that you get no do-overs with evidence. Mess with evidence and you no longer have any!

If you’re new to technical intricacies, you can explore how cybertrails are created and how to find them. Then move on to more advanced topics, such as identifying key search terms to locate relevant messages in response to an e-discovery request. You can find out how to dig up e-mail and documents that seemingly have been deleted, determine which Web sites a user visited, and find which key words were used to get there.

What You Don’t Need to Read

Depending on your background in law, criminal justice, investigative methods, or technology, you can skip the stuff you already know. If you’re the victim, the accused, the plaintiff, or the defendant, feel free to skip sections that don’t relate directly to your case or predicament.

Foolish Assumptions

We make a few assumptions about your interests, motives, and job requirements. As investigators, we’re hardwired to avoid preconceived notions about the crime and evidence. But, in this book, we assume that you fit one or several of these characteristics:

You understand basic computer concepts and terms, such as cookie and hard drive.

You use e-mail, the Internet, and other digital devices.

You have an interest in justice. (Or should we call it e-justice?)

You like detective work and solving mysteries.

You’re considering a career in computer forensics.

You’re concerned about your privacy and other civil rights.

How This Book Is Organized

This book is organized into five parts. They’re modular so that you can zero in on any issues of immediate concern. The more you discover, the more you want to discover, so we’re sure that you’ll return to read other sections. (Don’t worry: The order in which you read this book doesn’t leave a trace — unless you send an e-mail or blog about it.)

Part I: Digging Out and Documenting Electronic Evidence

The book starts by introducing you to life in a digitally recorded world. You find out how digital devices create indelible records of what happened — and how logs of Internet activities accumulate into a sort of digital underworld. The focus in Part I is on how to dig out those records for use as evidence in a lawsuit or criminal investigation — to either prove guilt or defend against it. We help you understand relevant rules — rules of evidence, discovery, and civil and criminal procedure. You read about computer forensics tactics, documenting crime scenes, and getting authorization to search and seize.

Part II: Preparing to Crack the Case

This part details the legal loopholes to avoid to keep a tight forensic defense or that you should look for in your opponent’s methods to your advantage. We tell you how to pick cases to get involved in and those to walk away from. You see the technical side of forensics, including how to create a forensically sound image of a hard drive. Then you jump into the art of searching to find the e-evidence you need in order to prove the case or defend against it. To break through attempts to hide evidence from you, Part II also details password cracking.

Part III: Doing Computer Forensic Investigations

To find out how to start investigating e-mail and instant messages, data storage systems, documents, mobiles, networks, and unusual hiding places, ranging in size from pockets to homes, read Part III. You see how to re-create the past from the perspective of almost anything with digital pockets.

Part IV: Succeeding in Court

Your job as a computer forensic investigator doesn’t end when the e-evidence has been dug out, documented, and dissected. You memorized the laws of evidence and the rules of computer forensics to score a touchdown at trial. Now you need to survive Daubert (not to be confused with the cartoon character Dilbert) and defend your methods in court. Find out how to keep your cool in the court’s hot seat.

Part V: The Part of Tens

Every For Dummies book has The Part of Tens, and we give you three top-ten lists of items that everyone interested in computer forensics should know, do, and build. Find out how to qualify for a career in computer forensics, what to do to be an excellent investigator and expert witness, and how to build a forensic lab or toolkit.

Glossary

We include a complete minidictionary of technical and legal terms used throughout this book.

About the Web Site and Blog

We’re providing a place to blog with us for readers who are personally or professionally interested in technical and legal information about e-evidence and computer forensics. You can check out our blog at

http://cf4dummies.wordpress.com

You can find links to forensic software demos, documents, videos, and other digital goodies online. You can check out the Web site for this book at

www.dummies.com/go/computerforensics

Icons Used in This Book

Useful clues represented by icons highlight especially significant issues in this book. The following paragraphs (with their representative icons) give you an idea of what to expect when you see these icons.

Save yourself time and effort, and save somebody else money or grief. Computer forensics often involves high-stakes issues pitting determined adversaries against each other — ranging from megadollar civil cases to criminal cases of the worst kind. These icons flag paragraphs that can be goldmines of information.

Take an in-depth look at real-world cases and issues — both good and bad.

Computer forensic investigations can involve one booby trap after another — you’re never out of the woods. And, the land mines can explode your efforts. We flag the land mines with this icon to draw your attention to killer mistakes.

We use this heads-up icon to flag certain concepts that you should keep in mind.

Technology addicts may savor the technical details of digging into the depths of the unseen digital universe, but if you don’t like excruciating detail, move on.

Where to Go from Here

How many digital devices do you own that you didn’t own five years ago? Two years ago? How many features do your cell devices have now that they didn’t have five or two years ago? Do you wonder which devices you can’t live without that haven’t been developed yet? Your answers point to the inevitable growing scope of computer forensics. Certainly, computer forensics and all its specialty offshoots form an exciting field that this book helps you discover. Use it as a reference you turn to for advice, methods, and tactics about computers or the courts.

Part I

Digging Out and Documenting Electronic Evidence

In this part . . .

This part covers the basic component of computer forensic investigations: finding electronic data, documents, or dirt to use as evidence. And we tell you in Chapter 1 not only how to find it but also how to ensure that it can be used to win or prevail in a legal action. Let’s face it: If you’re involved in a computer forensic mission, it’s not because you want to recover your lost vacation photos. For less money than you would pay for an investigation, you could redo the vacation and retake those photos. Computer forensics is more like the art of war — strategies and tactics to successfully navigate a tough environment, as you find out in Chapter 2.

In the first two chapters, you start to understand the number of ways in which your data and digital content get “out there,” how investigators find and recover e-evidence, and how lawyers use the evidence to win their cases. You’ll find out about technical issues and the dumb mistakes made by users trying to erase their tracks. Big Mistake #1 is thinking that the Delete key is the cyberequivalent of a paper shredder.

Mistakes stemming from delusions of grandeur can harm an investigation, as you read in Chapter 3. If you’re about to start an examination, you have to avoid Big Mistake #2 — jumping into an investigation without appreciating how fragile electronic data, and your posterior, are. Either one might get damaged if you don’t have the authority to proceed. Then in Chapter 4 you see strategies from the trenches for documenting and managing the scene of a crime.

The thousands of criminals I have seen in 40 years of law enforcement have had one thing in common: Every single one was a liar.

— J. Edgar Hoover, FBI director (1924–1972)

Chapter 2

Suiting Up for a Lawsuit or Criminal Investigation

In This Chapter

Decoding legal codes

Managing the discovery of e-evidence

Operating in good faith

Paying for the e-evidence

Investigators routinely deal with fingerprints, skid marks, bloodstains, bullets, burned buildings, and other traces left by criminals that connect them to the crime scene. What these types of physical evidence may have in common with electronic evidence is that they have no eyewitnesses. When no one has seen or heard a crime in progress to give direct evidence about what they saw or heard, the evidence speaks for itself — so to speak — with the help of experts. It can carry more weight and credibility in a case than direct, eyewitness testimony.

E-evidence is also powerful because it has perfect memory and no reason to lie, and it can’t be eliminated or intimidated by a Smith & Wesson weapon. The Achilles heel of e-evidence is that the lawyers, judges, and juries who are involved in the case may not understand the technological details and, as a result, not appreciate the relevance of the e-evidence — at least not until you fluently translate between technology and legal terms so that they can understand.

In this chapter, you find out how rules of evidence, legal procedures, and e-discovery processes converge to create admissible e-evidence — or why it fails to do so.

Deciphering the Legal Codes

Laws of evidence play a big role in the career of every type of investigator. The concept of relevancy is the foundation of evidence law. Relevancy is always the first issue regarding evidence because it’s the primary basis for admitting evidence.

Here are the first two rules of evidence:

Only relevant evidence is admissible.

All relevant evidence is admissible unless some other rule says that it isn’t admissible.

When you think about the logic of the second rule, you quickly realize that the word unless puts a mysterious spin on what admissible evidence is. If you think that the rule is saying, in effect, “Evidence is admissible unless it isn’t admissible” — you’re right! With these few basic concepts in mind, you can make sense of evidence rules.

Learning about relevancy and admissibility

With amazing power, the first rule of evidence law splits all facts in a legal action into binary parts: relevant and irrelevant. That sounds simple. It’s not, though, because many “buts” are factors on the path from relevant to admissible. “Buts” fall into two categories:

Exclusions: Rules that act like anti-rules. Evidence tagged as an exclusion reverses the rule. For example, one rule says that an e-mail message may be used as evidence. Any exclusion to that rule reverses it. Then that e-mail message isn’t allowed as evidence.

Exceptions: Rules that act like anti-exclusions. If an exception to the exclusion is found, the exclusion is ignored. In our example, the e-mail message would become admissible again.

Figure 2-1 illustrates the basic steps in determining whether e-evidence is admissible. Judges have the authority to decide whether evidence is admissible in a trial.

Figure 2-1: Stepping through the rules of evidence to determine whether e-evidence is admissible.

Exclusions and exceptions are discussed in the later section “Playing by the rules.” Legal-speak is confusing because it’s so often spoken in the negative, or double negative, or worse. Expect to hear a lot of discussion in the negative or double negative; for example, the e-evidence is not inadmissible.

Exploring evidence rules in detail can cause what seems like a temporary loss of consciousness. Mercifully, some rules are obvious or apply only in obscure situations. We condense the rest into an overview of essential rules that you need to know to investigate and prepare cases.

Clutter is the nemesis of clarity — and your career. Being able to condense material and delete clutter serves you well with judges and juries.

Getting started with electronic discovery

You first deal with evidence and the rules of evidence early in a case, during discovery, the investigative phase of the litigation process. When you deal with e-evidence, this process is cleverly referred to as electronic discovery, or e-discovery. Each side has to give (or produce) to the other side what they need in order to prepare a case.

Discovery rules are designed to eliminate surprises. Unlike in TV dramas, surprising your opponent with information, witnesses, or experts doesn’t happen. If you think about it, without rules against surprises, trials might never end! Each side would keep adding surprises.

You can think of discovery as a multistage process, most often a painful one, of identifying, collecting, searching, filtering, reviewing, and producing information for the opposing side in preparation for trial or legal action. For e-discovery, you as a computer forensic expert play a starring role, as do the software and toolset you use. Many cases settle on the basis of information that surfaces during discovery and negotiations.

E-discovery demands can become a weapon in many cases. Parties have even been forced to settle winnable cases to avoid staggering e-discovery costs. E-discovery rules try to limit this risk of extortion by e-discovery. Suppose that a company estimates that defending itself in a lawsuit would cost $1.3 million for e-discovery alone, plus other legal fees. If the company were being sued for less than its e-discovery costs, the case would likely never reach a courtroom: the company would be predisposed to settle the lawsuit simply to avoid the cost of the e-discovery process.

Deciding what’s in and what’s not

Legally, evidence