
ITEC854 Security Management

Week 11 – Computer Forensics & Evidence Collection

“If you think technology can solve your security problems, then you don't understand the
problems and you don't understand the technology.”
Bruce Schneier
Outline

Forensics and evidence basics
How to collect
What to collect
Roles and responsibilities
When is it better to leave it alone

"The damage from a hacker often pales when compared to that done in error
by innocent but 'clueless' insiders"
What is IT evidence

• Any information, whether subject to human intervention or otherwise, that
has been extracted from a computer
• Must be in a human readable form
• Broad term used to describe any records generated by, or stored on, a
computer system that may be used as evidence in court proceedings
• Encompasses computer-generated or stored records that inform
management decisions which may be subjected to regulatory or judicial
scrutiny or that inform internal administrative procedures
• Is often termed electronic evidence, digital evidence or computer-based
evidence
• It encompasses data held on or passing through computers and other
electronic devices
What is IT evidence…

Can be divided into three categories:
1. records that are computer-stored
2. computer-generated records
3. records that are partially computer-generated and partially computer-stored
The difference hinges upon whether a person or a computer created the
substantive content(s) of the records
Why manage IT evidence

• Company directors are expected to implement adequate systems of financial
and other internal controls to protect the rights and property of the company,
employees, customers and partners
• These fiduciary obligations to act with due care and diligence are embedded
within common law and various statutes
• A director is entitled to rely, to a reasonable degree, on the provision of
information by and advice from management
• The Courts, however, will not excuse carelessness. The fact that the
electronic environment is unfamiliar territory does not excuse directors from
liability based on the lack of knowledge
• IT evidence is a tool to confirm or deny the reality of a given set of purported
facts and under Australia’s adversarial system of law, it allows organisations
to protect themselves by—
a) taking action against those causing or facilitating damage (i.e. litigate)
b) referring such action to the relevant authorities
c) protecting themselves from litigation
Why manage IT evidence…

• IT evidence may be used for criminal, civil or administrative proceedings
• Organisations not party to such proceedings may still have to produce
electronic records or be witnesses in proceedings to which they are not a
party
• While there are incidents where IT specialist skills (including forensic skills)
will be required, the vast majority of situations are not technically complex
and special skills will not be required
The management of IT evidence

In many respects, IT evidence is just like any other evidence. However the following
characteristics warrant special processes for its management:
• design—computer systems will only create and retain electronic records if specifically
designed to do so
• volume—the large volume of electronic records causes difficulties with storage and prolongs
the discovery of a specific electronic record
• co-mingling—electronic records relating to a specific wrongdoing are mixed with unrelated
electronic records
• copying—electronic copies can be immediately and perfectly copied after which it is difficult,
and in some cases impossible, to identify the original from the copy. In other cases, a
purported copy may be deliberately or accidentally different from the original and hence
evidentially questionable
• volatility—electronic records can be immediately and deliberately or accidentally altered and
expunged
• automation—electronic records may be automatically altered or deleted
A common complaint of investigators is that key records are automatically deleted from a
computer system before their probative value is realised. This is done to save storage media
IT evidence management processes must be technologically robust to ensure that all relevant
electronic records are stored, located and presented. Moreover, they must be legally robust to
withstand judicial scrutiny
Principles for the management of IT evidence

Obligation to provide records
Design for evidence
Rules of evidence
Evidence collection
Custody of evidentiary records
Original, copy and original copy
Personnel
A life cycle for the management of IT evidence is defined below, explaining how
these principles can be applied. Stages of the IT evidence management life cycle are—
1. designing for evidence
2. producing records
3. collecting evidence
4. analysing evidence
5. reporting and presentation
6. determining evidentiary weight
Uses for IT evidence

Civil and Administrative
Many civil and administrative regulations require organisations to make and/or keep records
Taxation laws require that any person carrying on a business must keep records that record and
explain all transactions in a form that is readily accessible and convertible into writing in
English, for a period of at least five years
Regulations including the Corporations Act (2001) and the Audit Act (1901) stipulate further
requirements for the retention of financial records
The Privacy Act (1988) specifies how organisations manage personal data
The Archives Act (1983) prevents Commonwealth government organisations from destroying
records
The Banking Act (1951) requires financial institutions to keep records and the Health Services
Act NSW (1997) requires hospitals and medical practitioners to keep records
Various states also have specific legislative requirements
When these records are in electronic form, organisations should ensure that they are admissible
in evidence, or risk prejudicing the outcome of any litigation
Many contractual dealings are now in electronic form, including e-mail - the evidentiary
weighting of such electronic records may have significant implications for any subsequent
contractual dispute
More will emerge as lawyers explore the breadth of actions supported by electronic records
Uses for IT evidence…

Criminal
IT evidence is required to prove a wide variety of crimes where “a computer is
used as a tool in the commission of an offence, as the target of an offence, or as
a storage device in the commission of an offence”. Crimes may fall into two
categories:
• computer focused crime—in which the category of crime has emerged as a
direct result of ICT and there is no direct parallel in other sectors
• computer assisted crime—in which ICT is used in a supporting capacity, but
the underlying crime or offence predates the emergence of computers or
could be committed without them.
IT evidence may also provide circumstantial evidence linking a criminal to a
crime, or exonerating an alleged criminal of wrongdoing
Uses for IT evidence…

Jurisdiction and legislation:
Commonwealth: The Cybercrime Act (2001) modifies the Criminal Code Act (1995)
to deal with (i) the unlawful access and modification of data; (ii) impairment
of electronic communications; and (iii) possession, production and supply of
data to commit an offence (see section 10.7 “computer offences”).
Australian Capital Territory: The Crimes Act (1900) includes “offences relating
to computers” (see sections 135H to 135L).
New South Wales: The Crimes Act (1900) includes offences similar to the
Commonwealth (section 308).
Uses for IT evidence…

Jurisdiction and legislation:
Northern Territory: The Criminal Code section 276(1) establishes the offence
of making false data processing material and section 222 makes it an offence
to unlawfully extract confidential information from a computer.
Queensland: The Criminal Code Act (1899) covers “computer hacking and misuse”.
South Australia: The Summary Offences Act (1953) section 44 includes the
offence of “unlawful operation of computer system”.
Tasmania: The Criminal Code Act (1924) chapter XXVIIIA “crimes relating to
computers” and the Police Offences Act (1935) sub-sections 43A-43 that mimic
its provisions.
Uses for IT evidence…

Jurisdiction and legislation:
Victoria: The Summary Offences Act (1996) includes the offence of “computer
trespass” (section 9A). The Crimes (Property Damage & Computer Offences) Act
2003 includes provisions that are consistent with those of the Commonwealth.
Western Australia: The Criminal Code Act (1913) includes an offence entitled
“unlawful operation of a computer system” (section 440A).
Uses for IT evidence…

Computer-assisted crime encompasses a broad list of activities, including theft,
extortion, defrauding governments, telephone fraud, securities fraud, deceptive
advertising and other business practices, industrial espionage, intellectual
property crimes, and the misappropriation and unauthorized use of personal
information
They are driven by time-honoured motivations, the most obvious of which are
greed, lust, power, revenge, adventure and the desire to taste ‘forbidden fruit’
Whilst some activities, for example child pornography and stalking are covered
in the criminal codes, other legislation covers a broad range of computer-
assisted criminal activity
The Trade Practices Act (1974) covers unfair and deceptive business practices
The Copyright Act (1986) covers the theft of intellectual property and improper
trademark use
IT evidence may also be used to establish innocence, for example by
establishing an alibi
Principles for the management of IT evidence

Obligation to provide records
Understand regulatory, administrative and best-practice obligations to
produce, retain and provide records
Understand the steps that can be taken to maximise the evidentiary weighting
of records and the implications of not doing so
Understand regulatory constraints to the retention and provision of records
Principles for the management of IT evidence…

Design for evidence
Ensure that computer systems and procedures are capable of establishing the
following:
• the authenticity and alteration of electronic records
• the reliability of computer programs generating such records
• the time and date of creation or alteration
• the identity of the author of an electronic record
• the safe custody and handling of records
Principles for the management of IT evidence…

Evidence collection
Collect information in a forensically sound manner. Ensure that evidence
collection procedures are both:
• technologically robust to collect all relevant evidence
• legally robust to maximise evidentiary weighting
Principles for the management of IT evidence…

Custody of evidentiary records
Establish procedures for the safe custody and retention of evidentiary records
Maintain a log recording all access to and handling of evidentiary records
Principles for the management of IT evidence…

Original, copy and original copy
Determine if you are handling the original record or a copy of the original
record. Ensure that any actions performed on the original or a copy are
appropriate and are appropriately documented
Original evidence should be preserved in the state in which it is first
identified—it should not be altered, and in instances where alteration is
unavoidable, then any changes must be properly documented
Principles for the management of IT evidence…

Personnel
Ensure that personnel involved in the design, production, collection, analysis
and presentation of evidence have appropriate training, experience and
qualifications to fulfil their role(s)
Evidence Management Life Cycle

• Corporations have considered the evidentiary implications of electronic
documents only when it is required for litigation, or forensic practitioners
have focused on collecting IT evidence as artefacts of an investigation
• Successful management of IT evidence is much broader than being merely
a post-mortem activity and must be managed continuously throughout the
records lifecycle.
• Unlike latent evidence that is inadvertently produced when a person contacts
something (e.g. fingerprints, DNA), computer systems must be specifically
designed to generate electronic records in a manner that maximizes their
potential evidentiary value
• Once electronic records are created, they must be carefully handled to
maximise their evidentiary weight
Evidence Management Life Cycle…
Stage 1: Design for evidence

There are five objectives when designing a computer system to maximise the
evidentiary weighting of electronic records:
1. ensuring that evidentially significant electronic records are identified,
are available and are useable
2. identifying the author of electronic records
3. establishing the time and date of creation or alteration
4. establishing the authenticity of electronic records
5. establishing the reliability of computer programs
A further objective is the design of procedures carried out by humans to collect,
analyse, report and present evidence. Such procedures are discussed in the
relevant stage of the lifecycle and should be:
• designed prior to them being necessary
• tested to ensure that personnel can carry them out
• unambiguous and minimise the amount of decision-making
Stage 1: Design for evidence…

Classification and labelling
Computer systems that generate, process or retain evidentially significant
electronic records should be carefully designed
An organisation must:
• clearly identify records in electronic form
• assess their potential evidentiary significance
• determine the time they need and want to retain the electronic record
• assess the volume of electronic records
Stage 1: Design for evidence…

Format
• Corporations must ensure that records are stored in a format that is useable
in the future
• The timeframe to be considered will be based on the record’s classification
and labelling
• This is particularly important when computer systems are upgraded or
changed
• When changing computer systems, ensure that old electronic records can be
accessed
• This may mean devising a reliable data conversion program, or retaining old
computer equipment and programs to access old electronic records
Stage 1: Design for evidence…

Identifying a human author
The author of a computer-stored record can be identified electronically.
Prior to recording the author’s electronic identity, a user authentication system
should be used. The user authentication system validates that the user is in fact who
they claim to be
• Examples of user authentication systems are: userid and password (or PIN),
security token, digital signature, smartcard or biometric authentication
The evidentiary weighting of the recording of the author’s identity will depend on
the strength of the user authentication system.
In many instances the author of a computer-stored record can also be identified
from circumstantial evidence demonstrating their use of a particular computer
system at the time the record was created/altered.
Such evidence may be compiled from witnesses, video, building access system,
telephone records or latent forensic evidence
Such evidence is of particular value when a computer’s security system is violated or
an electronic identity is disputed
Circumstantial evidence can also be used to disprove that someone was the
purported author of an electronic record
Stage 1: Design for evidence…

Identifying the computer author
A computer-generated record is the output of a computer program untouched
by human hands and thus the “author” can be considered to be a particular
computer program or programs executing on a particular computer or multiple
computers
One computer program may author many records and many computer
programs may author elements of a single record
Each computer program generating elements of the electronic record must be
clearly identified in the record. This may be achieved by:
• clearly identified, unique and consistent labelling of filenames
• clearly identified, unique and consistent labelling within the record
• clearly identified, unique and consistent labelling in metadata
When multiple records are created by the same computer program (e.g.
program audit file or document database), it is only necessary to identify the
grouping of records (e.g. filename or database).
Stage 1: Design for evidence…

Human and computer authors
When electronic records consist of both computer-stored and
computer-generated components, both the author of any human entries and the
computer creating any machine entries should be identified
• A financial spreadsheet contains computer-stored records in the form of
human entered numerical entries and the formula for calculations
• It also contains computer-generated records derived by the spreadsheet
program from the computer-stored records
• It is important to identify the human author of the computer-stored records
and the computer system that the author is using.
If the spreadsheet is e-mailed, in turn, to several users, each of whom input
some data, it is now important not only to identify each human author, but also
to identify the specific computer that performed the calculation (i.e. authored
the computer-generated record)
Stage 1: Design for evidence…

Corporate authors
In some instances, it is important to identify an organisation as the record’s
author or modifier (i.e. corporate author) in addition to the human or
computer author
In such cases, the identity of the human or computer author should be linked to
the corporate author
Stage 1: Design for evidence…

Establishing the authenticity of electronic records
In general there are two steps in establishing the authenticity of electronic
records:
1. identifying the original electronic record
2. identifying alteration
Stage 1: Design for evidence…

Identifying the original electronic record
If the original record is in electronic form, it must be clearly identified as the
original electronic record.
Any copy, or subsequent copies of a copy, must be clearly identified as copies
The original electronic record must be labelled as the original and copies
labelled as such
Alternatively, the original electronic record and the sequence of copying may
be established by time and date stamps attached to the electronic records or
their metadata
Stage 1: Design for evidence…

Identifying alterations
Organisations must be able to establish that a particular electronic record has not
been altered. This can be achieved by:
• retaining the original document in non-electronic form (e.g. computer printout,
microfiche, etc) for comparison
• relying on computer operating system facilities and circumstantial evidence (e.g.
by comparing the time the file was last changed with the time the original was
created)
• storing the original electronic record or a validated copy on write once read many
(WORM) media (e.g. CD-ROM)
• using cryptographic techniques (e.g. hash or MAC).
Organisations must also be able to establish that a copy of an electronic record is
identical to the original.
Standards-based cryptographic techniques using a hash function or a keyed
message authentication code (“MAC”) provide strong evidence that a particular
computer record has not been altered or that a copy of the record is exactly
the same as the original
Such cryptographic techniques can also be used to determine if a compressed file
contains a copy of the original
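An added example, written for these notes and not taken from the slides or from any standard: a record is sealed with a hash and a keyed MAC when its evidentiary value is realised, and a purported copy (exact, gzip-compressed, or altered by one digit) is then checked against that seal. The sample record, the custody key and the clock-reference note are constructed.

```python
"""Detecting alteration of an electronic record and proving that a copy,
including a compressed copy, is identical to the original."""
import gzip
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample "original electronic record" (a short invoice text).
ORIGINAL = b"Invoice 2023-0417\nCustomer: ACME Pty Ltd\nTotal: 1250.00 AUD\n"

# Hypothetical custody key held by the evidence custodian. Unlike a plain hash,
# a MAC can only be recomputed by a holder of this key, so someone who can
# rewrite the record cannot also rewrite the MAC to match.
CUSTODY_KEY = b"example-key-constructed-for-this-demo"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: sufficient to show that a copy equals the original."""
    return hashlib.sha256(data).hexdigest()


def mac_hex(data: bytes, key: bytes = CUSTODY_KEY) -> str:
    """Keyed MAC (HMAC-SHA256) over the same content."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal_record(data: bytes) -> dict:
    """Values to store alongside the original when it is first identified.
    The time zone and clock reference are recorded explicitly, as the slides
    require for timestamps; the reference named here is an assumption."""
    return {
        "sha256": sha256_hex(data),
        "hmac_sha256": mac_hex(data),
        "sealed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "time_zone": "UTC",
        "clock_reference": "assumed: NTP-synchronised system clock",
    }


def verify_copy(seal: dict, candidate: bytes, compressed: bool = False) -> dict:
    """Compare a purported copy against the seal of the original.
    A gzip-compressed copy is hashed after decompression: the stored bytes
    differ from the original, but the record inside may be identical."""
    content = gzip.decompress(candidate) if compressed else candidate
    hash_ok = hmac.compare_digest(sha256_hex(content), seal["sha256"])
    mac_ok = hmac.compare_digest(mac_hex(content), seal["hmac_sha256"])
    return {"identical": hash_ok and mac_ok, "hash_match": hash_ok, "mac_match": mac_ok}


def demo() -> dict:
    """Seal the constructed record, then check three candidate copies."""
    seal = seal_record(ORIGINAL)
    exact_copy = bytes(ORIGINAL)
    compressed_copy = gzip.compress(ORIGINAL)
    # One digit of the total changed: a substantive alteration, and detected.
    altered_copy = ORIGINAL.replace(b"1250.00", b"1950.00")
    return {
        "exact": verify_copy(seal, exact_copy),
        "compressed": verify_copy(seal, compressed_copy, compressed=True),
        "altered": verify_copy(seal, altered_copy),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: identical={result['identical']}")
```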
Stage 1: Design for evidence…

In many situations, records will be admitted with significant evidentiary
weighting even though minor changes have occurred, so long as those
changes are “immaterial” and arise in the normal course of communication,
storage or display
In such cases, organisations must be able to demonstrate that the immaterial
change(s) have not changed the substantive content of the record
In some situations, it is sufficient to demonstrate that only authorized persons
or programs have access to create or alter the electronic record. In such cases,
the organisation must be able to demonstrate that:
• unauthorised persons or programs are prevented from altering the
electronic record
• authorized persons or programs did not alter the electronic record
Stage 1: Design for evidence…

Establishing the time and date a particular computer electronic record
was created or altered
Organisations must be able to establish the time and date that a particular
electronic record was created or altered
To achieve this, a timestamp can be attached to the electronic record upon
creation
The timestamp must be updated each time the electronic record is altered
Organisations should document the time system being used, any reference time
source, the time zone and if/how daylight saving has been implemented
To ensure that timestamps are accurate, organisations should ensure that all
computer system clocks are synchronized to a central reference
Stage 1: Design for evidence…

Establishing the reliability of computer programs
The objective of establishing the reliability of a computer program that produces
computer-stored records is to demonstrate that the text is an accurate recording of
the human author’s statement.
The objective of establishing the reliability of a computer program that produces
computer generated records is to demonstrate that the computer program was
operating correctly
In both cases, the organisation must demonstrate that—
• the computer program was designed correctly i.e. the output is:
i. consistent with design
ii. predictable
iii. repeatable
• the computer program was operating correctly when the electronic record was
created, copied or altered
In many instances, an alternative may be to demonstrate that the corporation
regularly relies upon the records produced by a particular program as a basis for
business decision-making
Stage 1: Design for evidence…

Formal design criteria
Organisations that produce their own software can demonstrate that a
computer program was designed correctly by adhering to methodologies
Organisations that purchase software can refer to the formal assessment
criteria of the provider to demonstrate the reliability of acquired software.
Organisations should be able to demonstrate that the software installed was in
fact the software provided. Many vendors provide cryptographic tools to
validate their software
Stage 1: Design for evidence…

Source code
The reliability of a computer program can be established by expert analysis of
the source code.
Organisations that produce their own software, or use open-source software,
should retain the source code for computer programs and be able to
demonstrate that the computer program was in fact generated from the
particular source code.
Organisations that purchase software should ensure that they are provided with
the source code, or alternatively ensure that the manufacturer retains the
source code for the particular version of the program that is used.
Stage 1: Design for evidence…

Regular business use
In many instances, if an organisation can demonstrate that it relies upon the
records produced as a basis for decision making, it is sufficient to assert that a
regularly used computer program is performing the task that it was designed
for
This generally applies for popular computer programs (e.g. word processor,
spreadsheet, e-mail, etc)
Stage 2: Produce records

In terms of an organisation’s ICT systems, this is the operational phase of the
life cycle. The objective in this stage is to be able to establish:
• that a particular computer program produced an electronic record
• for computer-stored records, the human author
• the time of creation
• that the computer program was operating correctly at the time the electronic
record was created or altered
Stage 2: Produce records…

Demonstrate/prove correct operation
Organisations should be able to demonstrate that a computer program was
operating correctly during the time a particular electronic record was created or
altered. This requirement is twofold, with organisations having to demonstrate:
• that the computer program was operating
• the reliability of a computer program
For many business records, the production of the electronic record may be
sufficient demonstration of correct operation, unless evidence is produced
otherwise
Circumstantial evidence may also be used to demonstrate that a computer
program is operating correctly. For example, a statement by a person asserting
that he/she was using a particular computer program at a particular time and
that he/she observed certain things, could be strong evidence of the operation
of a computer program that produces computer-stored records
Further, in many cases it will be sufficient to demonstrate that the computer
program was operating correctly in relation to the creation/alteration of a
particular record
Stage 3: Collect evidence

Standards for evidence collection
The standard of evidence collection is one factor determining the evidentiary
weight of electronic records. Whilst some organisations will seek to maximise
evidence collection capability, not all electronic records will require the highest
standard of collection.
The standard used to collect a particular electronic record will depend on an
assessment of its evidentiary value
Stage 3: Collect evidence…

Forensic
• Evidence collected using “forensically sound” procedures has the best chance
of being admissible
• Organisations should consider engaging computer forensic specialists to
collect IT evidence
• Organisations that routinely litigate should consider developing a computer
forensic capability
• Organisations should consider using a forensic standard of evidence
collection when there is a real likelihood of the evidence being subjected to
scrutiny based on the method of collection and handling
Stage 3: Collect evidence…

Best evidence
• Forensic specialists have not collected the vast majority of records that
Courts have admitted into evidence
• In Australia, the judiciary have significant discretion regarding the
admission of records and their evidentiary weighting and can and do admit
records collected by frontline IT and business personnel
• Organisations that choose not to engage a forensic expert to collect
electronic records can maximise the evidentiary weighting by using the
procedures described in this stage of the lifecycle
• In this context, ‘best evidence’ is not used in its legal context i.e. the
production of the original. The legal requirement to produce the original
document has generally been abolished
Stage 3: Collect evidence…

Contemporaneous notes
Individuals involved in evidence collection must be able to recall for a Court,
often years later, any actions performed on original electronic records or
evidentiary copies
Individuals must make contemporaneous notes of any actions performed on
original electronic records or evidentiary copies, specifically recording the time
and date. Individuals may make contemporaneous notes of any decision-
making process, including information available, persons consulted, authorities
sought and reasons for the decision
Contemporaneous notes must record facts (i.e. actions performed and
observations) and not opinions
It may be convenient to make contemporaneous notes using facilities on the
computer system (e.g. word processing, electronic post-it notes, keystroke
recording, etc). Ensure that the production of such notes does not interfere
with the evidentiary records
Stage 3: Collect evidence…

Relevance
Individuals involved in the collection of evidence must be acquainted with the
matter under investigation well enough to determine if particular bits of
evidence are relevant
In situations where a computer forensic specialist under the authority of a
warrant or other court order is collecting electronic evidence, the
indiscriminate copying or seizing of all data residing on a computer system may
exceed the authority prescribed in the order. An example of this is when a
computer hard drive is “imaged” despite the fact that the only relevant evidence
located on the computer consists of specific files/data
An alternate strategy is to ask the Court to prescribe that if any relevant
information is discovered, then the entire media can be copied
In such situations, a preliminary search of the computer (or other IT evidence)
should be conducted, with the objective of locating and cataloguing relevant
evidence. The procedures used to conduct a preliminary search must minimise
the potential to change any searched evidence
Stage 3: Collect evidence…

Chain of custody
Organisations must be able to identify who has access to a particular electronic
record at any given time from collection, to creation of the evidence copy to
presentation as evidence
The evidentiary weighting of electronic records will be substantially reduced if
the chain of custody cannot be adequately established or is discredited
Stage 3: Collect evidence…

Evidence copy
When the potential evidentiary significance of an electronic record is realized,
an organisation should create an evidence copy of an electronic record and
demonstrate the chain of custody of that copy. An individual should be given
custody of the evidence copy and be responsible for monitoring access to it. The
evidence copy may be created by:
• reproducing the electronic record as a printed document
• copying the electronic record to offline media (e.g. floppy disk, CD-ROM,
backup tape)
• using system access controls to restrict access
When an electronic record is copied, organisations must be able to demonstrate
that it has not been altered
Multiple evidence-copies may be created—establish a chain of custody for each
copy
Stage 3: Collect evidence…

Custody log
The individual in charge of the evidence copy must maintain a log recording:
• persons accessing the evidence
• the time, date and purpose for such access
• if the evidence is removed, the time and date of return
Organisations that routinely deal with evidentiary electronic records should
have documented procedures for the custody of evidence
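An added example, written for these notes and not taken from the slides: a custody log for an evidence copy that records the fields listed above (person, time and date, purpose, and the time of return when the evidence is removed) and answers the chain-of-custody question of who held the evidence copy at a given instant. It goes one step beyond the slides by hash-chaining the entries, so that an entry edited or deleted after the fact is detectable; the exhibit label, names and times are constructed.

```python
"""Custody log for an evidence copy, with a chain-of-custody query and a
tamper-evident hash chain over the entries."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed exhibit label; a real log would use the organisation's own scheme.
EVIDENCE_ID = "EVIDENCE-COPY-001 (constructed)"


def utc(*args) -> datetime:
    """Build a UTC timestamp; the log refuses naive (zone-less) times."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class Entry:
    person: str
    at: str          # ISO-8601 in UTC, time zone explicit as the slides require
    purpose: str
    action: str      # "access", "remove" or "return"
    prev_hash: str   # hash of the preceding entry (or of the exhibit label)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps([self.person, self.at, self.purpose, self.action, self.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()


class CustodyLog:
    """Append-only log kept by the individual in charge of the evidence copy."""

    def __init__(self, evidence_id: str = EVIDENCE_ID):
        self.evidence_id = evidence_id
        self.entries: List[Entry] = []

    def _genesis(self) -> str:
        return hashlib.sha256(self.evidence_id.encode()).hexdigest()

    def _append(self, person: str, purpose: str, action: str,
                at: Optional[datetime]) -> Entry:
        when = at or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must carry an explicit time zone")
        prev = self.entries[-1].entry_hash if self.entries else self._genesis()
        stamp = when.astimezone(timezone.utc).isoformat(timespec="seconds")
        entry = Entry(person, stamp, purpose, action, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def access(self, person: str, purpose: str, at: Optional[datetime] = None) -> Entry:
        """Person examined the evidence copy without removing it."""
        return self._append(person, purpose, "access", at)

    def remove(self, person: str, purpose: str, at: Optional[datetime] = None) -> Entry:
        """Evidence copy taken out of the custodian's control."""
        if self.holder_now() is not None:
            raise ValueError("evidence already removed and not yet returned")
        return self._append(person, purpose, "remove", at)

    def return_(self, person: str, at: Optional[datetime] = None) -> Entry:
        """Evidence copy handed back; the time and date of return is recorded."""
        if self.holder_now() != person:
            raise ValueError("return logged by someone who did not remove it")
        return self._append(person, "return of evidence", "return", at)

    def holder_now(self) -> Optional[str]:
        """Person currently holding the copy, or None if it is with the custodian."""
        holder = None
        for e in self.entries:
            if e.action == "remove":
                holder = e.person
            elif e.action == "return":
                holder = None
        return holder

    def holder_at(self, when: datetime) -> Optional[str]:
        """Chain-of-custody query: who had the copy out at a given instant."""
        cutoff = when.astimezone(timezone.utc).isoformat(timespec="seconds")
        holder = None
        for e in self.entries:          # entries are appended in time order
            if e.at > cutoff:
                break
            if e.action == "remove":
                holder = e.person
            elif e.action == "return":
                holder = None
        return holder

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or deleted entry breaks the chain."""
        prev = self._genesis()
        for e in self.entries:
            if e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> CustodyLog:
    """Constructed sample: one in-place access, one removal and its return."""
    log = CustodyLog()
    log.access("A. Analyst", "hash verification of copy", utc(2024, 3, 5, 9, 0))
    log.remove("B. Counsel", "review for discovery", utc(2024, 3, 5, 10, 30))
    log.return_("B. Counsel", utc(2024, 3, 5, 15, 45))
    return log
```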
Stage 3: Collect evidence…

Non-readable electronic records
Many evidentially useful electronic records are non-readable, that is they do
not consist of characters that can be printed or displayed—such non-readable
records are only readable by special programs
For example, the slack space of a disk drive may contain deleted files or an
encrypted file may contain key electronic records. Non-readable electronic
records may be critical during the analyse evidence stage of the lifecycle
When collecting electronic records, care must be taken to discover and not to
alter non-readable electronic records
Personnel involved in the collection of electronic records must be aware that
computer programs may automatically alter or delete non-readable (and even
readable) electronic records
Stage 3: Collect evidence…

Interception
When the IT evidence is a communication, collection may entail ‘interception’
Communications must be intercepted using a facility that was implemented in
accordance with Design for evidence and Produce records
Stage 3: Collect evidence…

Limitations
Evidence collectors must also ensure that they adhere to rules governing the access
to or disclosure of certain information. Violation of these rules will reduce the
evidentiary weighting of electronic records and may result in electronic records
being inadmissible
Organisations or individuals may also incur penalties. For example:
• The Telecommunications (Interception) Act (1979) specifies criminal penalties
for the unauthorized interception of a “communication”. Evidence collectors
must be able to determine if an electronic message (e.g. e-mail or IRC)
constitutes a communication or if it is merely data.
• The Workplace Surveillance Act (NSW and VIC) specifies penalties if the records
are generated as the result of surveillance in the workplace (surveillance is
allowed under certain conditions BUT with adequate warnings provided to
employees)
In some circumstances, electronic records will be subject to privilege, for example,
communications with a legal advisor, self-incrimination or a religious confession.
Organisations should seek legal advice regarding the collection of privileged
electronic records
Stage 4: Analyse evidence

Use evidence copy

Analysis must be performed using an evidence copy
An exception is when the original electronic record is used to determine:
• if copies are duplicates of the original
• if the original has been altered
Care must be taken to ensure that the original is not altered. If alteration is
unavoidable (e.g. if the only access method results in changes), then any
changes must be properly documented
Stage 4: Analyse evidence…

Personnel qualifications
Personnel should be suitably qualified for the role they are performing
Organisations should determine if analysis requires an ordinary witness or an
expert witness.
Ordinary witnesses must confine their analysis to matters of fact, whilst experts may
deduce matters of opinion from the IT evidence
An ordinary witness is sufficient for the vast majority of admitted electronic records
In Australia, “expert” means a person who has specialized knowledge based on the
person’s training, study or experience
There is no requirement for an expert witness to be a ‘member of a learned society’
and Australian Courts generally recognise a Bachelor’s Degree in a relevant field as
sufficient qualification, as is five or more years’ experience in the field (without
tertiary education)
Organisations must comply with procedures of the relevant Court. For example, the
Federal Court and higher Courts require that upon engagement experts be provided
with an ‘expert witness code of conduct’
Stage 5: Reporting and presentation

The objective of this stage of the lifecycle is to persuade decision-makers (e.g.
management, lawyer, judge, etc.) of the validity of the facts and opinion
deduced from the evidence
For most IT evidence, the original electronic record consists of electronic
impulses stored on media. It must be converted into human readable format
prior to presentation, either by computer printout or by using a computer
program
If IT evidence is to be used in legal proceedings, organisations should seek
legal advice regarding the manner and form in which the evidence should be
reported and presented
Expert witnesses may be required to comply with any applicable expert witness
codes of conduct. For example, see the New South Wales Supreme Court
Expert Witness Code of Conduct (included as Appendix D)
Stage 6: Determine evidentiary weight

The objective of this stage is to assess the evidentiary weighting of the
electronic records and the reports
Assessment of the evidentiary weighting of electronic records occurs during all
stages of the lifecycle. In earlier stages of the lifecycle (i.e. one through five)
assessment is often performed by participants or stakeholders
A final assessment is performed by an independent arbitrator who may be a
magistrate or judge; a member of a tribunal or an arbitrator; or senior
organisational management.
Two criteria are used to measure the evidentiary weighting of electronic
records:
1. probative value: is the electronic record relevant and has authorship,
authenticity, correct operation and reliability been established?
2. rules of evidence: has the electronic record been collected and handled
correctly in accordance with these rules?
Stage 6: Determine evidentiary weight…

Probative value
Records must be relevant to the matter at hand and all relevant electronic
records must be presented
Organisations must demonstrate that the procedures used to collect electronic
records were reasonable and robust enough to discover obvious, lost or hidden
material
The following must be satisfactorily established:
• Authorship
• Authenticity
• For computer-generated records, correct operation and reliability of the
computer program
Stage 6: Determine evidentiary weight…

Rules of evidence
With some exceptions, the general aim of the rules of evidence is to exclude
evidence that is either irrelevant or unreliable. If organisations collect and
handle IT evidence in accordance with the rules, they will minimise the risk of
having such evidence excluded by operation of any applicable rules of evidence
Further, parties in litigation must comply with the relevant rules and practice
notes of the relevant Court that cover, for example, using technology or
engaging expert witnesses
In some circumstances, e.g. in an alternative dispute resolution (ADR) forum, the rules
of evidence may be relaxed. However, if ADR is unsuccessful, litigation may
proceed to the courts, where the rules of evidence will apply
How to collect

Guiding principles
Adhere to your site’s security policy and engage the appropriate incident
handling and law enforcement personnel
Capture as accurate a picture of the system as possible
Keep detailed notes. These should include dates and times. If possible, generate
an automatic transcript (e.g. on UNIX systems the “script” program can be used;
however, the output file it generates should not be written to media that is
part of the evidence). Notes and printouts should be signed and dated
Note the difference between the system clock and UTC. For each time stamp provided,
indicate whether UTC or local time is used
Be prepared to testify (perhaps years later) outlining all actions you took and at
what times. Detailed notes will be vital
What to collect

• Minimise changes to the data as you are collecting. This is not limited to content
changes; you should avoid updating file or directory access times
• Remove external avenues for change
• When confronted with a choice between collection and analysis you should do
collection first and analysis later
• Though it hardly needs stating, your procedures should be implementable. As
with any aspect of incident response policy, procedures should be tested to
ensure feasibility, particularly in a crisis. If possible procedures should be
automated for reasons of speed and accuracy
• For each device, a methodical approach should be adopted which follows the
guidelines laid down in your collection procedure. Speed will often be critical, so
where there are a number of devices requiring examination it may be appropriate
to spread the work among your team to collect the evidence in parallel. However,
on a single given system collection should be done step by step
• Proceed from the volatile to the less volatile
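The collection principles above (volatile first, UTC-stamped notes, output written to media that is not itself evidence) and the Stage 4 check that an evidence copy is an unaltered duplicate, combined into one added shell example that is not part of the lecture notes. EVIDENCE_DIR, the step names and the assumed tool set (netstat, ps, who) are assumptions for a typical UNIX host.

```shell
#!/bin/sh
# Added example, not part of the lecture notes. Applies the principles above:
# collect in order of volatility, record every step with a UTC timestamp,
# hash each capture so an evidence copy can later be checked against the
# original (Stage 4), and write only to media that is not itself evidence.
# EVIDENCE_DIR is an assumed mount point for that external media.
EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/external/case-evidence}"

sha256_of() {
    # Portable hash: sha256sum on Linux, shasum on BSD/macOS
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# collect_step NAME COMMAND... : run one collection command, save its output
# under EVIDENCE_DIR, and log when (UTC), what was run and the hash captured.
collect_step() {
    name="$1"; shift
    mkdir -p "$EVIDENCE_DIR"
    out="$EVIDENCE_DIR/$name.txt"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # always UTC, labelled as such in the log
    "$@" > "$out" 2>&1
    h=$(sha256_of "$out")
    printf '%s UTC | %s | %s | sha256=%s\n' "$ts" "$name" "$*" "$h" \
        >> "$EVIDENCE_DIR/collection.log"
    printf '%s  %s\n' "$h" "$out" >> "$EVIDENCE_DIR/manifest.sha256"
}

# verify_copy ORIGINAL COPY : Stage 4 check that a working copy is a duplicate.
# Succeeds (exit 0) when the hashes match, fails when either file was altered.
verify_copy() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Order of volatility (RFC 3227): clock and network state first, then the
# process table and logged-in users, and only then static system details.
# The command names are assumptions for a typical UNIX host.
run_collection() {
    collect_step 01-datetime  date -u
    collect_step 02-netstat   netstat -an
    collect_step 03-processes ps aux
    collect_step 04-users     who
    collect_step 05-uname     uname -a
}

if [ "${1:-}" = "run" ]; then run_collection; fi
```

Run it as `sh collect.sh run` with EVIDENCE_DIR pointing at the external media; the log and manifest it writes are the dated notes the guiding principles call for, and verify_copy is what you run on the working copy before analysis.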

Undetectable errors are infinite in variety, in contrast to detectable errors, which
by definition are limited. — Ben Lachman
When is it better to leave it alone

ALWAYS!!!!
What should you do if you are asked to protect/investigate forensic evidence?

• Pull out the network cable
• Call an expert
References

Australasian Centre for Policing Research’s definition of ‘electronic crime’ at www.acpr.gov.au
ISO/IEC 27002—Code of practice for information security management
AS 13335—Guidelines for the management of IT security, all parts
HB 231—Information security risk management guidelines
ISO/IEC 2382—Information technology—Vocabulary
AS ISO 15489:2002—Records management, Parts 1 and 2
Guidelines for best practice in the forensic examination of digital technology published by
International Organisation on Computer Evidence and adopted by the G8
PD 0008:1999—Legal admissibility and evidential weight of information stored electronically,
British Standards Institution
RFC 3227—Guidelines for evidence collection and archiving published by the Internet Society
Searching and seizing computers and obtaining electronic evidence in criminal investigations,
United States Department of Justice
ISO PDTR 18044—Information Security Incident Handling Guidelines particularly see section
8.2.7—Forensic Analysis
Federal Court rules order 34A rule 2 and NSW Supreme Court rules, interpretation
Odgers, Stephen, Uniform evidence law 5th ed, Federation Press, 2002