Identifying and Collecting Digital Evidence
- Pages: 7
- Word count: 1741
- Category: Company
A limited time offer! Get a custom sample essay written according to your requirements urgent 3h delivery guaranteedOrder Now
1. What permissions/authorities should you have before you search Mr. Yourprop’s former Company work area, and how would you document that authority? Generally speaking, an employer can search an employee’s desk or work area without expecting any legal repercussions. The desk is property of the employer, therefore the employee should not be entitled to a reasonable expectation of privacy in their work area (Privacy at Work: What Are Your Rights?, 2015). Even though this is generally the case, its best practice, by and large, to have authorities such as this published in the company policy and employee handbook. This gives the employer a stronger leg to stand on, legally speaking, and provides full disclosure to the employees with regards to employee privacy (Searches at Work – Legal Issues to Consider, n.d.). In this situation specifically, the employer already has a few things in their favor concerning permissions/authorities to search the work area in question. First of all, Mr. Yourprop is a former employee.
He no longer works for Makestuff Company, so it’s not even his work area anymore. Also, during his exit interview Mr. Yourprop gave reasonable cause for the Company to search his belongings due to nature of his suspicious statements. When you factor these thoughts combined with Makestuff’s policy on searches, they would be fully prepared to defend themselves if Mr. Yourprop tries to make claims of an invasion of privacy (Searches at Work – Legal Issues to Consider, n.d.). 2. Look at the photo of Mr. Yourprop’s work area provided for Project 2 in the Week 5 Overview area. Identify three (3) potential items of digital evidence you see in the photo. For EACH item of digital evidence you identified, explain what potential use that item would be to your investigation (e.g., what kind of evidence it is, and what type of data that item might hold) AND how you would collect that item as evidence (with emphasis on your care, collection, and handling of that item consistent with digital forensic best practices described in your textbook).
Before touching anything, the scene will be photographed. Also, anyone planning to get hands on the digital evidence should also be grounded to prevent static shock damage to the devices (Soloman, Rudolph, Tittel, Broom, & Barrett, 2011). All procedures and handling of the evidence will be properly documented as they occur, to include chain of custody.
The three pieces of digital evidence would, in their current state, be considered real evidence. No analysis has been done yet to produce anything other than real evidence. Once analysis is done at the lab to search for digital evidence stored within the devices, there may be production of some documentary or testimonial evidence (Soloman, Rudolph, Tittel, Broom, & Barrett, 2011).
The first item collected will be the laptop. This may contain activity logs, a history of websites visited, login information, emails, documents/files, and images (U.S. Department of Justice, 2008). To seize and transport the laptop, first examine its current power state. If it’s off, do not turn it on. If it is on, move the mouse slightly so the picture appears on the screen and take a photograph of it. If you are in a position to capture any volatile data from the RAM, now would be the time. Once this is complete, unplug it and remove the battery. Label where cables may have been plugged into the laptop and disconnect them. Document the make, model, and serial number of the laptop. Package the laptop in a static shock protective bag for transportation and make sure to take the power adapter as well as they are usually unique to specific make and model laptops (U.S. Dept of Homeland Security, U.S. Secret Service, 2007).
Next item is the USB Flash Drive. This could be considered in some ways a digital filing cabinet. It’s basically a removable storage device made of flash memory that may contain files such as documents, images, or videos. USB Flash Drives are also sometimes used as encryption keys for encryption tools such as BitLocker Drive Encryption (Microsoft, 2015). To collect and transport as evidence, place the USB Flash Drive into a static shock protective bag (U.S. Dept of Homeland Security, U.S. Secret Service, 2007). Document any make, model, or serial number designations on the device.
The hard drive on the desk would be a good third source of digital evidence to seize. Assuming this hard drive is used for additional storage (i.e. does not have an Operating System on it), it would contain data similar to that which would’ve been on the USB Flash Drive: documents, images, videos, and maybe even some software files. Documentation should be done on the make, model, serial number and type (e.g. SATA, IDE, SCSI) of hard drive. For transportation, again, place into a static shock protective bag. Remember to keep the hard drive away from anything magnetic as the platters that are inside the hard drive are magnetically charged (U.S. Department of Justice, 2008). 3. Look at the photo of Mr. Yourprop’s work area provided for Project 2 in the Week 5 Overview area. Identify three (3) potential items of non-digital evidence you see in the photo. For EACH item of non-digital evidence you identified, explain what potential use that item would be to your investigation (e.g., what kind of evidence it is, and what type of data that item might hold) AND how you would collect that item as evidence (with emphasis on your care, collection, and handling of that item consistent with digital forensic best practices described in your textbook).
The sticky-note at the bottom-left corner of the keyboard is the first piece of non-digital evidence to take. There is a phrase “Purple743” handwritten on it. By itself this piece of documentary evidence may not mean much, but it could be a password of some type or maybe even part of an email address (U.S. Department of Justice, 2008). To store and transport this item, it will be placed into a standard evidence bag and documented on the chain of custody.
Next, there is a small notepad at the top-left corner of the keyboard. This documentary evidence has some notes on it about specific people Mr. Yourprop wanted to contact. If the individuals on the notepad could be found and contacted, they may have additional information about him and his intentions of stealing Product X. They might even become part of the criminal investigation. This notepad should be placed into a standard evidence bag and documented the chain of custody as well.
Fingerprints are real evidence and could be a key piece of non-digital evidence to forensically establish that this was indeed Mr. Yourprop’s desk and work area (U.S. Department of Justice, 2008). The InfoSec Specialist of course would not be processing fingerprints themselves, though if they were to involve law enforcement this can be done. Law enforcement should check for fingerprints in multiple places: the digital evidence seized, the mouse/keyboard, and the actual desk. This will prove beyond doubt that Mr. Yourprop had his hands on all of these things. 4. Look at the Evidence Custody Document and item photographs provided for Project 2 in the Week 5 Overview area. Read the Evidence Custody Document prepared by one of your co-workers, in which he is attempting to seize the three items pictured in the accompanying photos. Did your co-worker adequately describe each item? What could you add to the descriptions, and for which items (based on what you see in the photos), to make them more complete and serve as an example to your co-worker of what they SHOULD look like?
The co-worker did not adequately describe each item. The voice recorder has a label on the back suggesting it was distributed by “Saul Mineroff Electronics, Inc.” It is an Olympus DM620, takes two AAA batteries, has an LCD screen, mini-USB interface on the bottom, and Micro SD slot on the side. It has a microphone jack on the side as well and is a hand-held size.
The hard drive, in addition to what is already entered onto the custody form, is model# WD10EARS, has serial# WMAZA0202091. It should also be noted that it is a desktop-size 3.5” SATA drive, the torn label on the front has some writing underneath of the black marker, and there is a sticker on the side labeled “1 TB.”
In regards to the USB Thumb Drive, the co-worker did a much better job with the description. The only piece of information to add here is that it seems to a sliding piece of plastic that can be pushed over top of the USB connector, and, judging by the blue on the USB connector, it is a USB 3.0 device (Amazon, 2013). 5. How should the items you collected as evidence in this Project be stored in your evidence room? Describe any environmental conditions or concerns for your evidence room (remembering that digital evidence can require some unique considerations!), as well any security procedures that should be in place.
All digital evidence must be stored in an area where it is climate-controlled and does not have excessive humidity. Digital evidence has the potential to be destroyed if it comes in contact with extreme temperatures or moisture. There should be some type of ventilation system to prevent the buildup of dust. The room should be protective of electromagnetic signals or fields. Cables or power elements that are specific to certain pieces of digital evidence (e.g. power adapters, batteries) should be stored with it, though batteries should not be left in (U.S. Department of Justice, 2008).
Evidence room security and controls is a must. There should be a property officer who is in charge of maintaining and updating chain of custody for evidence. This individual also ensures all incoming evidence is packed appropriately for storage and entered into an evidence tracking system. Physical security such as alarms, controlled access, and security cameras must also be implemented in a proper evidence room (International Association for Property and Evidence, 2015).
Amazon. (2013). PNY Turbo 64GB USB 3.0 Flash Drive. Retrieved from Amazon: http://www.amazon.com/PNY-Turbo-64GB-Flash-Drive/dp/B00FDUHDAC International Association for Property and Evidence. (2015, March 8). Professional Standards, v.2.5.1. Retrieved from IAPE: http://www.iape.org/Standards_2015.PDFs/Stands%202.5.1%20Approved%20Clean.pdf Microsoft. (2015). What is a BitLocker Drive Encryption Key or PIN? Retrieved from Microsoft: http://windows.microsoft.com/en-us/windows-vista/what-is-a-bitlocker-drive-encryption-startup-key-or-pin Privacy at Work: What Are Your Rights? (2015). Retrieved from FindLaw: http://employment.findlaw.com/workplace-privacy/privacy-at-work-what-are-your