This week (and in past weeks) your readings focus on the techniques and tools you would use to collect, preserve, and analyze digital evidence. This really is the fun stuff, but while this class does not focus as heavily on the highly technical aspects of digital forensics (e.g., using the tools, techniques, and processes to collect, preserve, and analyze digital evidence), it does stress how to be prepared for the digital evidence process as it fits into the criminal justice system. Although you may not know how to conduct these processes using the tools, you should be aware of what processes the tools are used for and what issues may come up regarding the analysis and the introduction of the results as evidence. The class does stress understanding the digital evidence process (e.g., using forensically sound practices) as it fits into the criminal justice system and evidentiary issues.
Of course, it is critical that computer forensic examiners understand processes such as capturing volatile data, recognizing and collecting digital evidence, analyzing the evidence once it is collected, etc.; however, what I want you to focus on this week is why and how the processes designed to identify, seize, collect, preserve, and analyze digital evidence relate to the criminal justice process.
You should all understand the need to verify what a warrant will allow you to search for and seize in a criminal case (ensuring that you do not exceed the scope and potentially compromise your case). In working as an IT professional with a corporation, you should also be aware of what a company’s policy or an organization’s leadership will allow you to do in a non-criminal-justice investigation. In either case, you need to be able to testify about all the steps you took, from the point when you were first notified of the incident or called in to collect the digital evidence, until the time you are called to testify about it. Digital evidence must not simply be collected (e.g., picked up and put in a bag); procedures must be put in place to preserve the evidence so the defense cannot raise sufficient doubt about the integrity or provenance of the evidence.
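The point about integrity and provenance is usually made concrete in two records: a cryptographic hash of the acquired image, taken at acquisition and re-checked before analysis and testimony, and a chain-of-custody log in which every transfer is recorded and later edits are detectable. The following is an added illustration written for this discussion, not material from the course readings or from any forensic tool; the case number, the custodian names, the "disk image" bytes and the HMAC key used to chain the log entries are all constructed placeholders.

```python
import hashlib
import hmac
import json

ZERO_MAC = "0" * 64  # chain anchor used for the first log entry


def sha256_hex(data: bytes) -> str:
    """Acquisition hash: computed once when the image is taken and written into the log."""
    return hashlib.sha256(data).hexdigest()


def evidence_unchanged(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the image (e.g. before analysis or before testifying) and compare to the recorded value."""
    return hmac.compare_digest(sha256_hex(image), acquisition_hash)


class CustodyLog:
    """Append-only chain-of-custody log.  Each entry's MAC covers the entry body and the
    previous entry's MAC, so altering, reordering or deleting an entry breaks verify().
    The key is a constructed stand-in for a lab-held signing key (an assumption of this
    example, not a standard procedure)."""

    def __init__(self, case_id: str, key: bytes):
        self.case_id = case_id
        self.key = key
        self.entries = []

    def _mac(self, prev_mac: str, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()

    def record(self, when: str, custodian: str, action: str, evidence_hash: str) -> dict:
        prev_mac = self.entries[-1]["entry_mac"] if self.entries else ZERO_MAC
        body = {"case_id": self.case_id, "when": when, "custodian": custodian,
                "action": action, "evidence_sha256": evidence_hash}
        entry = dict(body, entry_mac=self._mac(prev_mac, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev_mac = ZERO_MAC
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_mac"}
            if not hmac.compare_digest(self._mac(prev_mac, body), entry["entry_mac"]):
                return False
            prev_mac = entry["entry_mac"]
        return True


def walk_through() -> dict:
    """Constructed scenario: image, seal, transport, check in, re-verify, then two tamper checks."""
    key = b"constructed-lab-key"  # placeholder for the lab's log key (assumption)
    image = b"constructed disk image bytes, not a real acquisition " * 64
    acquired = sha256_hex(image)

    log = CustodyLog("CASE-0001", key)  # constructed case number
    log.record("2024-01-10T09:05:00Z", "Examiner A", "imaged drive behind write blocker; SHA-256 recorded", acquired)
    log.record("2024-01-10T09:40:00Z", "Examiner A", "sealed drive in evidence bag, seal no. recorded", acquired)
    log.record("2024-01-10T11:15:00Z", "Evidence custodian B", "received sealed bag, checked into locker", acquired)
    log.record("2024-01-12T08:30:00Z", "Examiner C", "re-hashed image before analysis; hash matched", acquired)

    # Integrity check on the image itself: a single flipped byte must be detected.
    tampered_image = bytearray(image)
    tampered_image[10] ^= 0xFF
    image_tamper_detected = not evidence_unchanged(bytes(tampered_image), acquired)

    # Integrity check on the log: a quietly edited custodian field must be detected.
    forged = CustodyLog("CASE-0001", key)
    forged.entries = [dict(e) for e in log.entries]
    forged.entries[2]["custodian"] = "Unknown"
    log_tamper_detected = not forged.verify()

    return {
        "entries": len(log.entries),
        "image_verifies": evidence_unchanged(image, acquired),
        "log_verifies": log.verify(),
        "image_tamper_detected": image_tamper_detected,
        "log_tamper_detected": log_tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(walk_through(), indent=2))
```

The two checks map onto what an examiner would later have to say on the stand: the hash answers "is this the same data you acquired?", and the chained log answers "who had it, when, and was anything changed in that record afterwards?". In a real lab the log would be kept by the evidence custodian and the hashes witnessed or signed, but the idea is the same: each step leaves a verifiable record rather than a recollection.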
For this week’s discussion: (answer all questions in a single posting)
1. Describe at least 5 steps in a process from the collection of digital evidence to the time you testify that you consider important. Please number your steps and explain why each step is important.
2. You are a witness and I am asking the following question – please answer as if you are on the witness stand. (By the way, when you answer a question, you would want to turn and give your answer directly to the jury)
“Upon entering the room where the computer was located, what was the first thing you did?”
3. Then, please answer my follow-up question, again as if you are on the witness stand.
“After seizing the computer evidence, what did you do with it?”