July 2, 2015
Digital Device Seizure Tips for Attorneys & Legal Staff
As private digital forensic practitioners, we draw our clients from several different areas. Pro Digital markets our services to private investigators, information security professionals, human resource practitioners and our biggest segment of clientele, attorneys involved in litigation practice, both civil and criminal. As a natural first step in the digital forensic process, attorneys' offices and legal staff will often obtain possession of laptop computers, cell phones, tablets, etc. and call a digital forensic practitioner for advice, to retain services and consult generally. What unfortunately happens in the meantime is that the digital device may be manipulated, "examined" or otherwise used by folks in the attorney's office in between device acquisition by the staff and data acquisition by the digital forensic practitioner. Because the government has been (and still is) pretty much at the forefront of digital forensics, this doesn't happen very much in prosecutors' offices and other government sectors, but it does happen in private legal practice quite a bit. To help close this gap, I'm offering a few easy tips for digital device seizure and secure storage for attorneys and their staff when cases arise necessitating a digital forensic examiner.
Computer Seizure & Secure Storage
1) Note the date, time and person from whom you received the computer
This tip may seem simplistic, but it's the first step in the chain-of-custody. This also helps answer some questions the digital forensic examiner may have right off the bat. As with most things, if it's not documented, it didn't happen, so initiating the documentation chain from the beginning is a great first step.
2) Ask the client about the system (and document their answers)
Does the computer have a password? If so, what is it? Is the hard drive encrypted? How big is the hard drive? Is the computer still currently in use? How many users have access to the computer? All of these questions are important and may serve to provide valuable information not only for the examiner, but for evidentiary purposes later in the litigation process.
3) DO NOT turn the computer on and start looking through the file system
This is extremely important to prevent spoliation of the data. Every time you turn a computer on, settings are changed, file dates and times are updated and the data starts traveling down the dirty road toward being tainted. Curiosity is a very powerful human instinct. For the sake of acquiring the best possible data, please try to quell your curiosity.
It's also important to note that doing this may put YOU in the hot seat because you are now a witness. As we already know, it's inappropriate (at best) for attorneys and their staff to be witnesses in clients' cases, so the best way to prevent this is to not even put yourself in that position.
4) Secure the computer in a locked area with limited access
This may also seem simplistic, but think about how desperate the other side is in your case. In divorce and custody cases, the opposing party may have a large sum of money and/or child custody on the line. In criminal cases, there may be evidence on that computer that implicates someone else. There are very few avenues a truly desperate person won't go down to preserve their way of life or their freedom, up to and including breaking into your office to steal or destroy the computer that contains the digital nail in their coffin.
Securing these items in an area that not everyone in your office has access to (or even is aware of) is the best practice for digital evidence storage. Documenting all of these things in the file goes hand-in-hand with secure storage and is also highly advisable.
Mobile Device Seizure
Many of the same rules above pertain to mobile devices as well, particularly with regard to documentation of when, where and from whom you received the device and secure storage. There are a few additional considerations and some marked differences, however.
1) Immediately put the device into airplane mode and make sure all network connections (Wi-Fi, Bluetooth, etc.) are turned OFF.
This is also extremely important to prevent any unwanted destruction of data and to preserve the data on the device in the best possible form for subsequent data acquisition. Will this in effect change some settings and data on the device? Yes. But it's also the most effective and universally accepted way to prevent unwanted destruction of the data on the device.
2) Make sure to obtain any pass code information for the device from the person you received it from.
This is absolutely imperative for certain devices. So imperative that if we don't get it, we aren't getting the data you need from certain popular mobile devices. While it may be true that you can just call the client later and get this information, it will make the digital forensic examiner's job a little easier to have this information from the start.
3) Don't manipulate (or "examine") the device to try and get answers to your questions immediately.
This tip is very similar to the one with regard to computers, but it seems that the ease of use of mobile devices makes quelling your curiosity much more difficult. The bottom line is, the data isn't going anywhere (especially if you followed steps 1 and 2), so turn it off, lock it up and don't play with it. We'll find out what's on the device soon enough and you won't have the added heartache of being a potential witness in your case.
Once all of these tips have been followed, you can confidently call in your digital forensic expert to obtain possession of the device(s) involved in your case and/or perform the forensic data acquisition. Some of these tips may seem overly simplistic to the point of being obvious, but I share them because I've repeatedly seen where there may be a gap in knowledge about what legal professionals should do with these items when they're received in the office and before they call the digital forensic expert.
By following these simple tips, you help increase the effectiveness of your digital forensic expert and take a huge step forward in properly obtaining the data that could be the proverbial smoking gun in your case.
Please share these tips with friends and contacts in the legal community and, as always, please don't hesitate to call with any questions.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6