CRJS475 Unit 3 Discussion Board – Legalities and Use of

Forensic Tools in Digital Evidence Collection and Preservation

Historical Legal Considerations

The Electronic Communications Privacy Act (ECPA) was a forward-looking statute when it was first enacted in 1986 because it created legal standards for law enforcement to access electronic communications and digital data from emerging wireless and Internet technologies. However, technology has advanced significantly since that time, and the ECPA statute has been outpaced and outdated due to fast-changing technologies in the 21st century and because it has not had any significant revisions since it was first created. As a result, the ECPA is a patchwork of confusing legal standards in the United States (Digital Due Process, n.d.). The history of legal evolution includes the following (Schwartz, 2021):

• 1986: The ECPA statute was first created.
• 2007: The U.S. government issued instructions on how to prosecute Internet crimes (Hagen & Eltringham, 2015).
• 2020: The Federal Bureau of Investigation (FBI) creates an Internet Crime Complaint Center (IC3, 2020).
• 2020:S. Supreme Court Justice Neil Gorsuch said that the government’s interpretation of the 1986 ECPA law, which has been used to prosecute Internet activists, is creating a risk of “making a federal criminal of us all” (as cited in Geller & Gerstein, 2021).

The Role of Digital Investigators

Visit this resource to review digital laws for searches and seizures.

Computer forensics supports law enforcement investigations by collecting evidence from digital media, including cellphones, computers, cloud services, and other digital devices. Digital investigations may include the analysis of files, e-mails, network activities, and other activities to preserve digital evidence. There are several forensic tools that can be used to perform the different parts of a digital investigation (Poston, 2021). Digital evidence is volatile and fragile, and improper handling can permanently alter it. Because of its volatility and fragility, proper steps must be followed to ensure that data are not modified or lost during an investigation. Digital steps include the following (UNODC, 2019):

1. Accessing the data
2. Collecting the data
3. Packaging
4. Transferring data
5. Safe storage of data for future evidentiary value in court

Forensic Tools for Evidence Preservation

Digital forensic tools are used to unravel criminal acts and to provide digital evidence of a crime in court. However, if the wrong digital forensic tools are used—or if the tools are used incorrectly—then the evidence that is uncovered may be unreliable for legal reasons, which means that it will not be admissible in court. For example, if a forensic expert uses a tool because they are familiar with it and not because it is the most effective one, then it may provide unreliable evidence that will not withstand legal scrutiny. Unreliable forensic results will jeopardize an entire forensic investigation (Kogeda & Dimpe, 2017).

Forensic Tools and Their Uses

The following are forensic tools and their uses (Poston, 2021; AccessData, 2020):

• Disk analysis: A forensic disk analysis examines hard drives, smartphones, and other digital devices.
  • Analyzing an image, instead of examining a live drive, allows digital experts to legally prove that investigators did not modify a hard drive.
  • Conversely, examining a live drive could affect forensic results, which may alter digital evidence, which potentially makes it inadmissible in court because it is legally seen as evidence tampering.
• Image creation: Forensic Toolkit (FTK) is a computer forensics software that scans a hard drive to look for specific information, such as deleted e-mails or text strings that can be used to crack passwords or encryption keys. An FTK Imager is a tool that saves an image of a hard disk in a file.
• Volatile memory storage: The hard drive is not the only place where forensic data can be stored. It can also be stored in random access memory (RAM), which is volatile memory that must be collected quickly to be of forensic value.
• Windows Registry analysis: The Windows Registry acts as a database of configured information for the Windows operating system, along with the applications that run on it. These applications can store data in the Registry, and the Registry is a common location where malware deploys bad things. The Windows Registry can be opened with a built-in Windows application called Registry Editor, and it can be used for a registry analysis.
• Network analysis: Most cyberattacks occur over a network, and subsequently, an analysis of network traffic can help identify malware, as well as provide access to data that have been deleted and overwritten.

Instructions for Victims of Computer Crimes

Before digital investigators can begin an investigation, evidence must be safeguarded. Therefore, first responders should give the following instructions to victims who are not trained in digital investigations (Donofrio, 2011):

• If a computer is off: o Leave it alone and wait for forensic experts to analyze it.
• If a computer is on:
  • Do not use the computer because that may destroy evidence. o Do not type on the keyboard nor move the mouse.
  • Do not remove Universal Serial Bus (USB) drives, cards, or other devices that are connected to the computer.
  • The victim should not turn it off because a computer expert will want to conduct a live forensic exam while the programs and applications are running, if possible.
  • When a noncomputer expert turns a computer off, valuable information is permanently lost because it initiates a set of commands that can change the contents of a hard drive.
  • If the computer is on and if the victim is forced to shut it down, then unplug it from the back of the tower or from the outlet.

References

AccessData. (2020, January 28). Imager user guide. https://adpdf.s3.amazonaws.com/Imager/4_3_0/FTKImager_UG.pdf

Digital Due Process. (n.d.). ECPA reform: Why now? https://digitaldueprocess.org/

Donofrio, A. (2011). Computer forensics: Frequently asked questions. MSA Investigations.

http://www.msainvestigations.com/com/msainvestigations/www/clients–we–help/privateindividuals/computer–forensics/computer–forensics–faq.html

Geller, E., & Gerstein, J. (2021, June 3). Supreme Court narrows scope of sweeping cyercrime law.

Politico. https://www.politico.com/news/2021/06/03/supreme–court–cybercrime–law–491764

Hagen, E., & Eltringham, S. (2015, January 14). Prosecuting computer crimes. Office of Legal Education.

https://www.justice.gov/sites/default/files/criminal–ccips/legacy/2015/01/14/ccmanual.pdf

Internet Crime Complaint Center (IC3). (2020). Internet crime report 2020. Federal Bureau of

Investigation. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

Kogeda, O. P, & Dimpe, P. (2017). Impact of using unreliable digital forensic tools. Proceedings of the

World Congress on Engineering and Computer Science 2017 (vol. 1).

https://www.researchgate.net/profile/OkutheKogeda/publication/320922374_Impact_of_Using_Unreliable_Digital_Forensic_Tools/links/5a02 c31c0f7e9b68874e12c4/Impact–of–Using–Unreliable–Digital–Forensic–Tools.pdf

Poston, H. (2021, January 6). 7 best computer forensics tools. INFOSEC.

https://resources.infosecinstitute.com/topic/7–best–computer–forensics–tools/

Schwartz, S. (2021, June 3). Supreme Court decision on computer fraud law hinges on one word — ‘so.’ Cybersecurity Dive. https://www.cybersecuritydive.com/news/van–buren–supreme–courthearing–insider–threat/589864/

United Nations Office on Drugs & Crime (UNODC). (2019). Handling of digital evidence. Module 6:

Practical aspects of cybercrime investigations and digital forensics.

https://www.unodc.org/e4j/en/cybercrime/module–6/key–issues/handling–of–digitalevidence.html