Risk sensitive digital evidence collection
Published in: | Digital investigation 2005-06, Vol.2 (2), p.101-119 |
---|---|
Format: | Article |
Language: | English |
Summary: | Over the past decade or so, well-understood procedures and methodologies have evolved within computer forensics digital evidence collection. Correspondingly, many organizations such as the HTCIA (High Technology Criminal Investigators Association) and IACIS (International Association of Computer Investigative Specialists) have emphasized disk imaging procedures which ensure reliability, completeness, accuracy, and verifiability of computer disk evidence. The rapidly increasing and changing volume of data within corporate network information systems and personal computers is driving the need to revisit current evidence collection methodologies. These methodologies must evolve to maintain the balance between electronic environmental pressures and legal standards.
This paper posits that the current methodology which focuses on collecting entire bit-stream images of original evidence disks is increasing legal and financial risks. [1]
[1] The authors emphasize that the proposed Risk Sensitive Evidence Collection Methodology is intended to complement traditional bit-stream methodology in circumstances that necessitate a more efficient and cost-sensitive approach to digital evidence collection. Those types of contexts are addressed herein. The authors do not suggest an abdication of the bit-stream methodology in contexts where the cost-benefit assessment suggests it is reasonable to adhere to this traditional approach. For example, when a search warrant application (affidavit) establishes that the computer is an “instrumentality” or “fruit” of the crime(s), then seizure and retention of the entire machine is permitted (and advisable) under the law because the computer per se becomes evidence of the criminal conduct, like a gun used in furtherance of a robbery. See, e.g., United States v. Farrell, 606 F.2d 1341, 1347 (D.C. Cir. 1979) (noting that the government is entitled “to seize the instrumentalities of crime and hold them until the trial is completed.”)
The first section frames the debate and change drivers for a Risk Sensitive approach to digital evidence collection, which is followed by the current methods of evidence collection along with a cost-benefit analysis. The paper then presents the methodology components of the Risk Sensitive approach to collection and concludes with a legal and resource risk assessment of this approach. Anticipated legal arguments are explored and countered as well. The authors suggest an evolved evidence collection methodology which is more res |
---|---|
ISSN: | 1742-2876 1873-202X |
DOI: | 10.1016/j.diin.2005.02.001 |