Sunday, November 12, 2006

Evidence Dynamics

One question in particular that I'm seeing more and more is: can volatile data be used as evidence in court? That's a good question, and one that's not easily answered. My initial thought is that most tools (EnCase is perhaps the most popular that comes to mind) and processes that are now accepted in court were, at one time, not accepted. In fact, there was a time when computer/digital evidence was not accepted at all.

There are two things that responders are facing more and more, and those are (a) an increase in the sophistication and volume of cybercrime, and (b) an increase in instances in which systems cannot be taken down, requiring live response and/or live acquisition. Given these conditions, we should be able to develop processes by which responders can collect volatile data (keeping evidence dynamics in mind) to be used in court as "evidence".

Others have discussed this as well, including Farmer and Venema, Eoghan Casey, and Chris LT Brown. Much like forensics in the physical world, there are forces at play when dealing with live computer evidence, such as Heisenberg's Uncertainty Principle and Locard's Exchange Principle. However, if these forces are understood, and processes are developed that address soundness and thorough documentation, then one has to ask...why can't volatile data be used in court?

Take the issue of the "Trojan Defense". There was a case in the UK where a defendant claimed that "the Trojan was responsible, not me", and even though no evidence of a Trojan was found within the image of his hard drive, he was acquitted. Perhaps collecting volatile data, including the contents of physical memory, at the time of seizure would have ruled out memory-resident malware as well.

My thoughts are that it all comes down to procedure and documentation. We can no longer brush off the questions of documentation as irrelevant, as they're more important than ever. One of the great things about tools such as the Forensic Server Project is that they're essentially self-documenting...not only does the server component maintain a log of activity, but the FRU media (CD) can be used to clearly show what actions the responder took.
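To make the "self-documenting" idea concrete, here is an added example (my own illustration, not code from the Forensic Server Project or the FRU media): a collection log in which every volatile-data step records a UTC timestamp, the command run, and the SHA-256 of what was captured, with the entries hash-chained so that any later alteration or removal of a step is detectable. The commands and captured bytes in `demo_collection` are constructed stand-ins.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not part of the Forensic Server Project. Each acquisition
# step is appended to a hash chain: an entry's hash covers its own fields plus
# the previous entry's hash, so editing or dropping an earlier step breaks
# verification of everything after it.

def record_step(log, description, command, captured):
    """Append one acquisition step to the log and return its entry."""
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "seq": len(log) + 1,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "description": description,
        "command": command,
        "sha256": hashlib.sha256(captured).hexdigest(),  # hash of the captured data
        "prev_hash": prev_hash,
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(prev_hash.encode() + body).hexdigest()
    log.append(entry)
    return entry

def verify_log(log):
    """Return True if the chain is intact: no entry altered, reordered or removed."""
    prev_hash = "0" * 64
    for seq, entry in enumerate(log, start=1):
        if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = hashlib.sha256(
            prev_hash.encode() + json.dumps(body, sort_keys=True).encode()
        ).hexdigest()
        if entry["entry_hash"] != expected:
            return False
        prev_hash = entry["entry_hash"]
    return True

def demo_collection():
    """Constructed sample run; the commands and outputs are fake stand-ins."""
    log = []
    record_step(log, "process list", "tlist.exe", b"PID 4 System\nPID 812 svchost.exe\n")
    record_step(log, "network connections", "netstat -ano",
                b"TCP 10.0.0.5:445 10.0.0.9:1044 ESTABLISHED\n")
    record_step(log, "physical memory", "<memory dump tool>", b"<memory image bytes>")
    return log
```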

So what do you think?

Additional Resources
Evidence Dynamics: Locard's Exchange Principle & Crime Reconstruction
Computer Evidence: Collection & Preservation
HTCIA 2005 Live Investigations Presentation (PDF)
The Latest in Live Remote Forensics Examinations (PDF)
Legal Evidence Collection
Daubert Standard (1, 2)

10 comments:

Richard F. McQuown said...

Procedure, Documentation and Reputation

I wanted to weigh in on this a little bit being a full-time investigator. All evidence collection can be subject to unscrupulous practices or tampering anywhere along the line from discovery (at the scene) to discovery (turning over evidence to the defense)-(Pardon me but I love using the two different discovery terms in one sentence). The bottom line is that all evidence comes down to the reputation of the investigator and the investigator’s presentation of the evidence. Presentation includes describing procedures and proper documentation.

Volatile data collection is not the only evidence that disappears or changes after an investigator collects it. Take ‘Voluntary Statements’ made by a suspect. A voluntary statement is gone the second after the suspect talks, yet investigators have effectively used voluntary statements against suspects since the Miranda Decision. A voluntary statement will be effective as long as it was properly documented and the investigator’s reputation was intact.

An investigator’s reputation is not dissimilar to a sequential access file. Every time you have contact with an individual in the process, whether it is someone you see regularly (District Attorneys, Defense Attorneys, Judges, Other Experts…) or someone you might only see once, like a jury member, you keep adding to your sequential reputation file. If you do something to tarnish your reputation the file is not going to work and will be considered corrupt.

A reputation is also bolstered by clear, concise reports and using “current acceptable forensic practices”, remembering that my “current acceptable forensic practices” might be different from another investigator’s. So, if I’m going to try a forensic procedure that is a little exotic I “back up” my actions with a clear: who, what, when, why and how. (Covered by Daubert)

We are in an exciting field with regards to laws and rules of evidence. New case law and new statutory laws are coming out frequently. I’d be happy to show a jury how my collection of volatile evidence was appropriate and why it was the best course of action.

Look how DNA evidence has impacted investigations in the last ten years. If you go to a scene with blood and don’t collect it you will lose your case. If you had collected all that blood 15 years ago investigators would have thought you a nut.

When an investigator enters a crime scene, the crime scene has been changed or altered by the mere presence of the investigator. I believe I can effectively articulate the reason for this intrusion just like articulating why I attached a USB to the bad guy’s computer to capture volatile data.

Whether you like it or not the “volatile evidence” genie is out of the bottle. If you don’t collect it you better have a good reason why.


Keydet89 said...

Rick,

Thanks for the comment.

Whether you like it or not the “volatile evidence” genie is out of the bottle. If you don’t collect it you better have a good reason why.

Maybe in some areas of law enforcement this may be the case. However, for the most part, corporate America hasn't caught on, and IMHO there's still a great deal that needs to be done to make this more commonplace.

Bill Ethridge said...

I see one big difference in volatile evidence in a computer case and in LE.

If LE gets a "voluntary" statement, usually the subject is still around at trial to either refute that statement on various grounds or at least fight the lawful taking of that statement.

When someone pulls the plug or otherwise fails to capture volatile computer evidence, it is never around again. Oh, you may find traces of what MIGHT have been there. And if you do capture it, no other investigator can reproduce that capture, one of the cornerstones of properly preserved digital evidence, so the documentation must be impeccable.

I don't even think most LE guys are trained anywhere close to the level they need to conduct even live system acquisitions, much less capture live data properly, not on the local level. And in the private world, well, let's just say that even if you are trained, usually when you arrive on an IR scene someone has already done something to preclude you from having that option in the name of good IR.

VE will be accepted in court IF it is collected, preserved, and analyzed in ways that can support admission. But I see a dangerous trend, especially with new examiners, of almost letting junk science into the field. They don't develop, test or know their tools. They use tools in the name of forensics that just aren't forensically sound. CF is a new science for the court to deal with; the standards we set need to start high and stay high.

Bill

Keydet89 said...

I don't even think most LE guys are trained anywhere close to the level...

Perhaps not now, but at one point the same was true for traditional computer forensics. However, as the need for skills spread from the federal to the state level, slowly some LEs received training.

...usually when you arrive on a IR scene someone has usually done something to preclude you from having that option in the name of good IR.

I've stated elsewhere that this is where it becomes a function of senior management. As a responder, many times when I receive initial notification, someone's already taken action, although I'm on-call 24x7. If the organization had a process in place whereby the response team was notified before anything else was done, or if different procedures were in place (collect some initial volatile data, disconnect from the network but do not power down...) that were endorsed by senior management, that would change things, particularly if folks got reprimanded for NOT responding properly.

VE will be accepted in court IF it is collected, preserved, and analyzed in ways that can support admission.

Ah, see, there you go. Excellent. Well said.

They use tools in name of forensics that just aren't forensically sound.

Well, this is where we, as a community and profession, need to address the situation. The training and materials are out there...we just need to take advantage of them; set and maintain the standard.

Forensic said...

"I don't even think most LE guys are trained anywhere close to the level..."

I can’t speak for “most LE guys” but I can speak for the professionals I work with and myself. We are all highly trained and competent in live system acquisitions. Every “Local” I know has been working full forensic caseloads for at least 3 years with cases coming in faster than they are going out.

Keydet89 said...

Forensic,

I hear you...can you elaborate on what it is you do and who you are? Aside from live acquisitions, how often are you collecting volatile data? RAM? How often is that used as evidence?

What kind of documentation do you need to provide?

Thanks!

Brett said...

The only time I have seen evidence NOT be admitted in court is when the gathering of the evidence violated search and seizure rules. Even then, a violation of search and seizure rules doesn't automatically preclude that evidence from being admitted (inevitable discovery).

Even evidence that has been tainted (such as a loose chain of custody) can be admitted, however, the weight of that evidence would be less than had it been a solid chain of custody.

If there are documented resources (and there are...) that detail how live acquisitions are conducted and also detail the WHY of live acquisitions, then I don't see why there should ever be a dispute as to the validity of this type of evidence in a court setting.

Either side in a case will argue against the other. Attorneys will argue evidence, witness credibility, and if there is nothing else to argue about, will just plain argue.

If there is a question as to whether to capture VE and a criminal trial is imminent, a call to the prosecutor for advisement is an easy one to make.

My view, we are headed to live acquisitions and examinations in the near future, whether we like it or not. That in itself will change the rules all together regarding the gathering of electronic evidence.

Keydet89 said...

Brett,

Good points about live acquisition, but how do you see things going with regards to collecting volatile data (process list, contents of RAM, etc.) as "evidence"?

Brett said...

I would imagine it to be evaluated as any other evidence. Nearly anything can be admitted into court as evidence, no matter how the gathering was effected. The difference between each item of evidence is the weight of credibility given to it. Poor evidence collection equals low credibility; however, it can add to circumstantial evidence.

Obviously, best evidence is best, but when you don't have a choice of the 'how' when gathering evidence, you can give some weight to your evidence by way of explanations (as in, 'there was no other way to get this').

Eventually, our entire field will be moved along the way of live forensics with volatile data so it won't be an issue forever.

Keydet89 said...

Brett,

Thanks for your comments.

Nearly anything can be admitted into court as evidence, no matter how the gathering was effected.

Interestingly, this doesn't seem to be the prevailing attitude amongst many in our field.

I agree that this won't be an issue forever...I'm simply trying to push it along now, through education, etc., as I believe that it's important now, and would like to avoid the issue that many are going to face, which is "man, I wish I would've collected that *before* the system was shut off." I'm already seeing a good deal of this, but it seems pretty clear that first responders simply aren't prepared or trained to react accordingly.