Computer Crime Research Center


Treat digital evidence with care

Date: February 20, 2005

A recent report on trends in computer crime described a 'cyber mafia' of hackers operating protection rackets and the like. It made lurid reading, detailing how traditional crimes have moved online to exploit society's dependence on computers.

Despite the emotive language, the report had more than an element of truth. As the recent denial-of-service and extortion attacks against online bookies illustrate, either hackers have learnt about money laundering or organised criminals have learnt about hacking. For a computer criminologist, these are exciting times.

The digital evidence required for prosecutions creates a lot of opportunities to analyse recovered and preserved data.

Just from my own caseload there are mobile phone records used in several high-profile murder cases; web pages used to prosecute robbers; frauds that involve falsifying computer data; and emails in which corrupt officials conspire. In each case, the seizure, handling, preservation, analysis and presentation of the digital evidence has been paramount.

Several years ago, the Association of Chief Police Officers issued a guide for investigators detailing 'best practices' for processing such evidence. Three over-riding requirements were described.

The first is that data should not be altered as a result of the investigation - to ensure that the data is admissible in court. The second is that it should be handled only by those qualified to do so and able to give evidence in court about their actions. The third is that if the data is somehow altered - say, by the alteration of a last-accessed timestamp - then it should be by someone able to understand the nature and extent of the change, and able to give evidence to explain it.

This is perfectly good advice for law-enforcers and civilian investigators. Non-compliance doesn't necessarily mean that the evidence won't be admitted, but I would recommend the best practices as required reading for anyone involved in investigating computer-related crime. Of course, many people who should read the guide almost certainly won't. Most computer evidence is spoiled within the first few minutes of discovery by careless or well-meaning first responders who don't know much about IT security but who insist on 'simply checking a few details' before the potential crime is passed for investigation.

As a result, timestamps are changed, log files altered, temporary files produced. In short, various changes are made by those who do not understand the scope or extent of those changes. It is like the first person at a murder scene picking up the bloodstained knife and cleaning it to see how sharp it is. No one would do that, so let's also try to prevent interference with computer evidence.

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2005-09-17 15:22:44 - Thank you very much! Sany
2005-09-02 00:37:00 - Your blog is very interesint Misho
Total 2 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo