Collection of Evidence from the Internet: Part 1
A Basic Methodology
The prospect of trying to obtain legally defensible digital evidence from the Internet is headache-worthy to many—but not impossible. Rather than collect, examine, analyze, and report as computer forensic examiners do, investigators instead need to collect and preserve the evidence as found for later presentation.
“Internet forensics” is not unlike network forensics, which requires the capture of “live” data in transit from one computer to another. However, with network forensics, the examiner has some degree of control over the network and the hard drives (computers) being examined. On the Internet, the investigator has no control over the “other end,” and so can only obtain a snapshot of what exists at a given point in time.
Data that can be useful to the investigator includes Web pages, social networking sites, and various chat-based applications. All this information is transmitted via various methods. For example, criminals may intentionally use tools that occupy volatile computing space (RAM), such as instant messaging and chat programs.
Unless the examiner is using a client that saves such conversations to a log file on the hard drive, they are not subject to traditional forensic capture (i.e. recovered chat conversation in a suspect's computer's unallocated space). Thus, capture must occur from the user, such as an undercover officer, initiating the connection and recording the conversation.
Moreover, basic forensic tools collect and analyze electronically stored information (ESI) at rest, not that which is moving through a network or stored in RAM. Additionally, while many of the forensics tool manufacturers are addressing collection of data in transit (data existing on or moving from and between networks), such software can only collect data under the examiner's control—via a network device physically accessible to the examiner, or through the use of an applet (code the examiner can push to a remote computer and gain control of). The collection of data outside of the user's control, as that on the Internet or the “cloud,” is not addressed.
As a result, investigators often use freeware and shareware for evidence captures from the Internet, but they were neither designed as evidence collection tools nor intended for law enforcement, so, naturally, they do not follow the procedures established by current case law: in particular, the procedures outlined in Lorraine v. Markel American Insurance Co.1
In that case, the magistrate denied the admission of ESI, but outlined how the evidence should have been properly admitted. Of particular note is his discussion of ESI authentication including the use of hashing (digital fingerprints), ESI meta-data, and the collection of data in its “native format.”
The decision, more than any other existing case, outlines clear guidance for the admission of electronic evidence in a federal civil case. Thus, it can be considered a partial road map for development of a standard methodology for Internet forensics and its successful admission in court.
Two years previously, a basic methodology for Internet forensics was laid out in Bruce Nikkel's Domain Name Forensics: A Systematic Approach to Investigating an Internet Presence,2 where he described the forensic advantages of collecting evidence using command line tools: that collection could happen without human intervention, that system-generated date and time stamping were available, and that the entire process could be logged. Indeed, the courts have generally accepted evidence collected from the Internet as long as its authenticity can be established.
Taken together, Nikkel's ideas, those discussed in Lorraine v. Markel, the processes described in the NIJ Guide to Electronic Crime Scene Investigation: A Guide for First Responders,3 and commonly accepted digital forensic methodologies can all be used to identify a three-pronged approach to Internet forensics:
- Verifiable collection, or capture, of evidence as viewed by the user.
- Preservation of evidence such that it remains unchanged, and part of the chain of custody.
- Presentation of evidence, offline, in a way that simulates its collection.
Following the current methodology and the lessons learned from the field of traditional digital forensics, a standard can be developed for the collection of Internet based evidence. The methodology described in this article to collect, preserve, and present Internet based evidence is a simply structured standard. Utilizing a defined, repeatable, and verifiable process, any investigator wishing to verify and validate information collected on the Internet can be assured that they will have collected defensible online evidence.
- Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534 (D. Md. 2007)
- Nikkel, Bruce, “Domain Name Forensics: A Systematic Approach to Investigating an Internet
- Presence,” http://www.digitalforensics.ch/nikkel04.pdf, retrieved Nov. 27, 2009
Todd G. Shipley has more than 25 years of experience in law enforcement: from investigating financial and computer crimes to overseeing the training of high-tech crimes investigators. Between 2004 and 2007, Mr. Shipley was the Director of Systems Security and High Tech Crime Prevention Training—and manager of the National Criminal Justice Computer Laboratory and Training Center—for SEARCH, The National Consortium for Justice Information and Statistics. Prior to joining SEARCH, Mr. Shipley served for 25 years with the Reno (Nevada) Police Department. As a Senior Detective Sergeant managing the agency's Financial and Computer Crimes Unit, he investigated serious financial offenses; developed cyber and technology crime investigative policy; and served as a liaison to other law enforcement, intelligence, and government agencies and industry bodies. During this time, he formed Nevada's first Computer Crime Investigations Unit.
Collection of Evidence from the Internet: Part 2