12 • December 2008
Electronic evidence is often associated with computer forensic investigation or e-discovery through the process of:
A – collecting electronic evidence: identifying and extracting digital information that can be used to establish proof
B – protecting electronic evidence: implementing controls to ensure the integrity of the information
C – presenting electronic evidence: processing information in the context of events such that it is understandable in a tribunal or court of law.
Why is collecting, protecting and presenting electronic evidence an information security issue?
Many of the activities associated with electronic evidence are likely to be the organisational responsibility of information security and may
have a number of problems associated with them, such as:
A – collecting: electronic evidence may be difficult and costly to identify and extract if information security guidelines relating to the
production of data that may form electronic evidence (such as event logs) have not been put in place and followed
B – protecting: electronic evidence can be susceptible to tampering and the information security function may have a duty to implement
controls that protect the integrity of electronic evidence
C – presenting: the information security function is likely to be involved in placing electronic evidence in context and a representative
may be required to present in a court of law.
How do I respond?
For a large organisation there is likely to be a continual requirement to produce electronic evidence quickly and cost-effectively. Processes
related to electronic evidence should be documented and tested, and include:
A – collecting electronic evidence: guidelines for the collection of electronic evidence must be created and followed. Specialist tools
must be deployed and legal constraints (such as privacy laws) must be identified
B – protecting electronic evidence: employees must be made aware of how to secure evidence and controls must be used to protect
evidence both during and after collection
C – presenting electronic evidence: information security specialists must be able to produce information in a manner that is
understandable to a court of law and be prepared to testify in a court.
WHAT is Electronic Evidence?
COMMENTARY
Collecting, protecting and presenting electronic evidence is becoming part of ‘business as usual’ for many information security
functions. There are significant costs and risks associated with electronic evidence and there are many ways in which the evidence
can be spoiled if information security processes related to electronic evidence are not drawn up and followed.
Electronic evidence is information in a digital format that is used to establish proof of factual allegations or arguments.
Typically electronic evidence is used to establish proof in cases of:
• employment tribunals (eg proving Internet misuse, identifying the sender of an abusive e-mail, highlighting inappropriate material being
downloaded to company servers)
• civil litigation (eg supporting a dispute with competitors, suppliers or customers, defending a claim for discrimination by an employee,
or verifying online changes to insurance policies by customers)
• criminal prosecution (eg proving illegal content was hosted on company servers, ratifying facts about a malicious data breach, or in
support of facts related to a criminal legal case).
Standards
Whilst there are several standards for handling electronic evidence (listed at the end of this paper), they often differ according to the
legal jurisdiction.
Electronic evidence is typically collected, protected and presented during a computer forensics investigation or as the result of an
e-discovery exercise. Computer forensic tools and devices are designed to read memory and storage devices directly (bypassing normal
operating system procedures) and to duplicate different types of electronic evidence in their original form by creating a forensic
copy (a bit-for-bit image), so that the original need not be accessed again.
Whilst electronic evidence is typically classified under the legal terminology of direct or circumstantial, different types of electronic
evidence may exist, as illustrated in the table below.
Metadata
Description: ‘Data about data’, or hidden data which explains the circumstances about a file and any historical changes.
Examples:
• Original author of a document clarifying the source of a forged document
• Time of file creation, placing the document into a timeline
• Spreadsheet formulae revealing fraudulent calculations
Audit trail
Description: Chronological chain of events that have taken place on a system or application.
Examples:
• Network logs showing information sent outside of the organisation
• System logs listing attempted logons
• Hardware logs cataloguing the removal of a hard drive
Configuration settings
Description: Operating system, software and application settings that can be used to establish the integrity of evidence.
Examples:
• BIOS settings establishing internal time clock settings
• Version numbers demonstrating that data has been accurately reconstructed
• Windows Registry data proving that an external disk drive was connected
A. Collecting
There are many different examples of electronic evidence that may be used in disputes. Set out in the table above, these may involve
obvious sources such as system event logs and e-mails to more obscure sources such as recorded VoIP calls or application configuration
files. An illustration of a sequence of events generating different types of electronic evidence is shown below:
Negative evidence
Negative (or disproving) evidence is evidence which proves that an event or action did not occur, for example card swipe system logs
show that the suspect was not in the building.
Protecting electronic evidence from alteration or destruction is crucial for its accuracy and reliability. Failure to collect evidence with
specialised computer forensic software or devices may result in: ‘trampling over’ evidence; metadata being overwritten (eg creation
date of file, storage location, name of author); or ‘smoking gun’ type evidence being erased (eg a logic bomb planted by the employee
committing fraud).
Evidential quality
The extent to which electronic evidence needs to be protected is related to the incident and form in which the evidence is to be
presented – for example, evidence for an internal disciplinary hearing may require a lower level of protection than a court of law.
However, it is important to note that a disciplinary hearing can escalate to a court of law, which may then reject previously used
evidence as inadmissible.
Electronic evidence needs to be protected from unauthorised tampering at a later date. Ideally devices containing electronic evidence
should be physically removed, sealed and stored in a secure place and controls (such as hashing) used to demonstrate that the evidence
has not been altered.
Litigation hold
In some cases the integrity of electronic evidence also needs to be protected before collection. An upcoming lawsuit may require
suspending housekeeping routines (such as archiving or deletion) to prevent deletion of existing documents or record archives that
contain potential electronic evidence. This action is called ‘litigation hold’.
C. Presenting
Presenting is a process of demonstrating the meaning of electronic evidence to all the parties of the dispute in a way that allows clear
and unambiguous interpretation and supports the final judgement.
Electronic evidence:
• is typically analysed and summarised in a report. While the ‘smoking gun’ evidence is often self-explanatory, supplementary types of
electronic evidence, such as metadata require additional expertise to ensure the evidence is examined, interpreted and presented in a
way that can be understood by a judge and jury
• needs to be admissible when presented in the dispute. This involves proving that adequate measures have been taken to protect the
integrity of the evidence.
Although many of the information properties of evidence are related to integrity, in a court evidence may also have to be shown to be
authentic, credible, consistent and continuous.
Authenticity
Description: Electronic evidence needs to be original and valid, meaning that it has not been altered in any way. Ideally it also confirms
the authorship of the evidence.
Examples: Hash values proving that the evidence has not been tampered with. Document metadata indicating the original author.
Credibility
Description: Every piece of evidence needs to be believable in the general context of the fact that the electronic evidence is supporting.
Example: Evidence of an employee sending out threatening e-mails prior to the employee deleting sensitive data indicates an intent to do
so, making it more credible.
Consistency
Description: Every piece of electronic evidence conforms to the same storyline without contradicting the logic of the sequence of events.
Example: Evidence of an employee logging into a workstation may be inconsistent when there is no supporting evidence from the building
access control system showing that the employee was in the building.
Continuity
Description: Every piece of electronic evidence needs to be contiguous and demonstrate that it follows the sequence of events.
Example: Evidence of an employee logging into a workstation followed by evidence of malicious modification of business data, and then
evidence of the employee deleting system access logs.
The way that electronic evidence is presented is typically guided by specialists, such as lawyers. However, it is possible that the court
requires testimonies by employees (including information security staff) or third parties to confirm the authenticity, credibility, consistency
and continuity of electronic evidence. This may cover a broad set of issues that are not directly related to the presented electronic evidence
itself, such as the policies, procedures and practices in the organisation and how electronic evidence was generated.
Organisations often find themselves under pressure to produce electronic evidence quickly when a dispute arises. Failure to do so may
result in excessive lawsuit costs, regulatory and legal fines or loss of the case. Even though electronic evidence is primarily a legal matter,
there are also a range of information security-related problems associated with the activities of collecting, protecting and presenting
electronic evidence.
In many organisations the information security function acts as the primary liaison with the legal department for all IT related matters and
assumes responsibility for ensuring that the activities of collecting, protecting and presenting electronic evidence are performed to the
required standard. Some of the typical problems that may be encountered are outlined in the section below:
A. Collecting
The information security activities associated with the collection of electronic evidence typically cover: configuring systems to generate
specific information that can be used as electronic evidence; ensuring that time-stamping is accurate at the point of generating such
information; checking that the content of information does not breach any privacy laws; and searching databases for evidence.
Unsynchronised system time on critical systems
Description: Critical systems have not been synchronised (eg to a Network Time Protocol (NTP) source) to keep system clocks consistent
and referenced to a standard time.
Consequence: Organisations would be unable to correlate event entries across multiple platforms to corroborate a sequence of events.
Negligence in balancing privacy rights with the need to collect electronic evidence
Description: An event investigation often introduces multiple privacy issues. Creating a remote forensic copy of an employee’s laptop
(for example) may be regarded as a breach of human rights in certain jurisdictions.
Consequence: The organisation will not be able to use the electronic evidence if it was gathered illegally. Furthermore such an illegal
action can itself have legal consequences, such as the prosecution of individuals who have gathered the evidence.
Data is not searchable or prohibitively expensive to search
Description: Data fields that are required to identify the evidence may not be indexed in a database and cannot be easily searched. For
example, identifying e-mail text within a corporate e-mail system of several terabytes is likely to be a complex task.
Consequence: Failure to provide evidence in accordance with court imposed timescales, or at a reasonable cost.
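The first problem above, clock skew defeating correlation, is worth seeing in code. The following is an added example written for this edit, not material from the ISF paper: it takes a constructed workstation log stamped in local time and a constructed firewall log stamped in UTC by a device assumed (for the example) to have been measured against an NTP reference as running seven minutes fast, puts both on one UTC timeline, and shows that the outbound transfer is only paired with the workstation file copy once the measured skew is applied. Host names, addresses, the time zone and the skew value are all assumptions.

```python
"""Put logs from differently-clocked systems on one UTC timeline before correlating.

Added example, not from the ISF paper. All records are constructed: a workstation
log stamped in local time (assumed UTC+1, British Summer Time) and a firewall
syslog stamped in UTC by a device assumed to have been measured, against an NTP
reference at collection time, as running seven minutes fast.
"""
from datetime import datetime, timedelta, timezone

WORKSTATION_TZ = timezone(timedelta(hours=1))  # assumption: workstation local time is UTC+1
MEASURED_FIREWALL_SKEW_MIN = 7                  # assumption: firewall clock 7 min fast vs NTP

# Constructed sample records, not real logs: (timestamp, source, actor, event).
WORKSTATION_LOG = [
    ("2008-07-14 09:02:11", "WS-0142", "jsmith", "interactive logon"),
    ("2008-07-14 09:41:55", "WS-0142", "jsmith", "copied 312 MB to removable drive E:"),
    ("2008-07-14 09:55:02", "WS-0142", "jsmith", "cleared Security event log"),
]
FIREWALL_LOG = [  # (timestamp, source, event)
    ("2008-07-14T08:49:10Z", "10.1.4.42", "outbound transfer 312 MB to 203.0.113.9:443"),
]


def parse_workstation(rec):
    """Local-time stamp -> aware UTC datetime."""
    ts = datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=WORKSTATION_TZ)
    return {"utc": ts.astimezone(timezone.utc), "source": rec[1], "actor": rec[2], "event": rec[3]}


def parse_firewall(rec, skew_minutes):
    """UTC stamp from a fast clock -> corrected UTC datetime (subtract the measured skew)."""
    ts = datetime.strptime(rec[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"utc": ts - timedelta(minutes=skew_minutes), "source": rec[1], "actor": None, "event": rec[2]}


def timeline(skew_minutes=MEASURED_FIREWALL_SKEW_MIN):
    """All events from both sources, ordered on the common UTC clock."""
    events = [parse_workstation(r) for r in WORKSTATION_LOG]
    events += [parse_firewall(r, skew_minutes) for r in FIREWALL_LOG]
    return sorted(events, key=lambda e: e["utc"])


def correlate(skew_minutes=MEASURED_FIREWALL_SKEW_MIN, window_minutes=2):
    """Pair each firewall event with workstation events within +/- window of it.

    Returns (workstation UTC ISO time, workstation event, firewall event) tuples.
    With skew_minutes=0 the uncorrected firewall clock places the transfer more
    than the window away from the file copy and nothing is paired.
    """
    window = timedelta(minutes=window_minutes)
    workstation = [parse_workstation(r) for r in WORKSTATION_LOG]
    pairs = []
    for rec in FIREWALL_LOG:
        fw = parse_firewall(rec, skew_minutes)
        for ws in workstation:
            if abs(fw["utc"] - ws["utc"]) <= window:
                pairs.append((ws["utc"].isoformat(), ws["event"], fw["event"]))
    return pairs


if __name__ == "__main__":
    for e in timeline():
        print(e["utc"].isoformat(), e["source"], e["event"])
    print("corrected  :", correlate())
    print("uncorrected:", correlate(skew_minutes=0))
```

The point for collection guidelines: record each system's time zone and its offset from an NTP reference at the moment of collection, because the correction cannot be reconstructed afterwards. A skew of only a few minutes is enough to push related events outside any sensible correlation window, which is exactly the consequence the table describes.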
Technical obsolescence
In some cases (for example in legal cases relating to medical records or insurance policies) it can be necessary to produce electronic
evidence that dates back a considerable number of years. It may be possible to retrieve the data relating to the event or incident,
but not to present the information, as it may have become obsolete (eg it is in Lotus 1-2-3 format, is stored on floppy disk, or the
decryption keys cannot be found).
Outsourcing
Increasingly the data that needs to be collected as evidence may reside with an outsource organisation, in a different legal jurisdiction.
This can create additional complications related to cost of collection, protecting integrity, confidentiality of the incident and
jurisdictional problems.
B. Protecting
Information that could be used as evidence will need to be protected from modification or destruction. This is often a complex
undertaking as organisations do not always know what types of information will be required as evidence to support a legal dispute.
Degradation of electronic information existing on removable media over time, or obsolescence of media types
Description: Information stored on electronic media has a shelf-life. Failure to continually access, re-write and restore these old files
could result in the degradation or complete loss of information (eg the failure to be able to read data from a backup tape).
Consequence: Damage, degradation or loss of information prevents an organisation from using it as evidence (eg to disprove a claim)
which may harm their defence.
Loss of the original set of raw data containing electronic evidence
Description: Highly technical information may be processed to summarise the results for presenting to a court of law and the source
data may not be properly protected.
Consequence: Failure to keep an original copy of the raw data may allow a challenge to the authenticity of the processed version.
C. Presenting
Presenting evidence in a court of law to support a prosecution or defence comes with a set of issues different to collecting and
protecting and requires a different set of skills. Although a legal case will be led by a lawyer, if the evidence is poorly presented
then this can adversely affect the outcome of the case.
Incomplete records of the chain of custody of evidence
Description: Organisations will need to prove that the integrity of evidence has been maintained at each stage of the process for the
electronic evidence used in a legal dispute.
Consequence: Failure to document the steps of the process and individuals involved could place the evidence in doubt. If the case
hangs on the electronic information as evidence this could significantly affect the legal position of an organisation.
Failure to deliver electronic evidence to a court of law within a set timeframe
Description: Identifying and isolating the electronic evidence (eg from storage) typically requires significant amounts of time and
skilled resources.
Consequence: Failure to deliver this information in a timely manner could result in it being excluded from court presentation.
COMMENTARY
Failure to request help or asking for help too late in an investigation is one of the biggest issues reported by computer forensics and
e-discovery experts. Not only is there a risk of electronic evidence being altered, there is also a risk that this evidence is spoiled or not
actually presented within the required timeframe.
Large organisations operating across the globe will typically experience a continual stream of legal actions from third parties, but also from
within the organisation as action is taken against third parties, or as the result of internal disputes (such as a fraud or staff disciplinary
action). This is simply the nature of global business, but can effectively generate an almost constant demand for electronic evidence of
some sort.
To be able to respond to this demand in a cost effective and timely manner, the information security function needs to be prepared to
handle all aspects of electronic evidence by ensuring that arrangements for collection, protection and presentation of electronic evidence
have been established.
Sequestration of assets
A full scale criminal investigation involving collection of electronic evidence is likely to involve disruption to business processes and
potentially the confiscation of IT equipment as evidence (sequestration of assets). The increased impact of cybercrime and new ways
of capturing electronic evidence without interrupting business processes (eg enhanced forensic tools) have led investigators to reach
compromises with organisations to keep the impact of the investigation to a minimum and allow business operations to continue.
If a decision to produce electronic evidence has been taken, experts may need to be involved, especially if the dispute is to be settled
in a court of law. Organisations will often employ third party experts, who are often contracted on a contingency basis, or establish an
in-house team of experts dedicated to computer forensics and e-discovery in the organisation.
In-house team
Advantages:
• can understand the organisational context of the electronic evidence
• have a familiarity with the organisational infrastructure and systems and can collect evidence efficiently.
Disadvantages:
• high cost of setting up and maintaining a specialist team
• may be seen as susceptible to organisational influence.
Third party experts
Advantages:
• typically more experienced
• perceived as independent
• may have more up-to-date tools and skills.
Disadvantages:
• may not be familiar with the organisation
• time to engage may result in evidence being lost.
HOW do I respond?
Collecting, protecting and presenting electronic evidence needs to be managed in a consistent way. Organisations are advised to document
the handling of electronic evidence in a set of guidelines that have been approved by senior management and validated by the legal
department. The activities presented on the following pages should be considered when creating guidelines, but are not exhaustive, nor
are they intended to be followed as a sequential process.
COMMENTARY
The possibility of a legal dispute involving electronic evidence can often force an organisation to decide whether or not to produce
electronic evidence for a particular case. A decision against the production of electronic evidence may be taken after an initial
review of costs and the likelihood of finding quality electronic evidence. The decision is justified if the chances of finding electronic
evidence that would significantly contribute to a positive resolution of the dispute are particularly low, or if high costs and time
constraints for producing electronic evidence outweigh the costs associated with case settlement and legal or regulatory fines.
Ultimately the decision still revolves around the legal sustainability of the particular case, but in these instances, legal advice
should be sought as to whether there is legal precedent that can be used to balance the cost of producing electronic evidence
against the harm being considered.
A3 Use specialist tools (typically third party) to collect electronic evidence in a safe and efficient way
• Deploy specialist e-discovery tools to shorten the lengthy process of searching through all significant business data
• Use specialist computer forensic tools to preserve the contents of storage media without altering it (eg by using write-blockers, which
ensure that the device cannot overwrite storage).
Interviewing techniques
Interviewing users to identify possible sources of electronic evidence can be a ‘double-edged sword’. Employees such as system
administrators may significantly assist the process of identifying sources of electronic evidence, whilst at the same time such an action
could alert a perpetrator who may attempt to destroy evidence.
B. Protecting
In order to produce electronic evidence that is admissible in a legal dispute, organisations are required to establish controls to protect
the evidence from modification or destruction, and to prove that it has not been changed in any way.
B2 Protect the sources of evidence before and during collection of the evidence
• Physically restrict access to the area where the electronic evidence is stored and record all accesses
• Institute ‘litigation hold’ to prevent deletion of existing documents and record archives which contain potential electronic evidence by
stopping relevant document ‘housekeeping routines’ such as deleting e-mails from the live e-mail server.
B4 Store electronic evidence in a secure manner after the evidence has been collected:
• Save electronic evidence to a write-once-read-many (WORM) medium to prevent further writing and modifying
• Seal the storage device or medium containing original evidence in tamper-evident packaging
• Store the storage device or medium containing electronic evidence in a safe, restricted place
• Ensure that evidence that is transmitted or sent to a third party (eg as the result of an e-discovery order) is protected in transit.
for example, where the amount of data cannot be copied onto removable media. In this type of case, legal advice should be
sought on other mitigating controls, and checks and balances should be established so that the integrity of the evidence can be assured.
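The write-blocker and hashing controls in A3, the sealing and storage controls in B4, the ‘Evidential quality’ paragraph earlier, and the chain-of-custody record that the presenting section asks for all fit together as one procedure. The following is an added example written for this edit, not from the ISF paper: it images a constructed sample file standing in for a device read through a write-blocker, hashes the source bytes as they are read and the finished image afterwards, and keeps a chain-of-custody log in which each entry carries the hash of the previous entry, so that a later edit to either the image or the log is detectable. Exhibit and handler names are assumptions.

```python
"""Forensic copy, integrity hashes and a tamper-evident chain-of-custody log.

Added example, not from the ISF paper. The 'device' imaged here is a constructed
sample file; in real use `source` would be the device node behind a hardware
write-blocker and the image would go to sealed write-once media. Exhibit and
handler names are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size; never loads a whole image into memory


def hash_file(path, algo="sha256"):
    """Stream a file through the named hash and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path):
    """Byte-for-byte copy of source to image_path.

    The source hash is taken from the very bytes read during imaging and the
    image is re-read and hashed afterwards; both must agree for the copy to
    stand as a forensic copy of the original. Returns (source_hash, image_hash).
    """
    src_h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_h.update(chunk)
            dst.write(chunk)
    return src_h.hexdigest(), hash_file(image_path)


class CustodyLog:
    """Append-only chain of custody.

    Every entry embeds the SHA-256 of the previous entry, so editing or
    dropping an earlier entry breaks every later link and verify() fails.
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, exhibit, action, handler, evidence_sha256, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "exhibit": exhibit, "action": action, "handler": handler,
            "evidence_sha256": evidence_sha256,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Image a constructed sample 'device', record custody, then show that a
    changed image and an edited log entry are both detected."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "suspect_disk.bin")
        with open(source, "wb") as f:
            f.write(b"constructed sample disk contents\x00" * 4096)
        image = os.path.join(work, "EX-001.dd")

        src_hash, img_hash = image_device(source, image)
        log = CustodyLog()
        log.add("EX-001", "imaged through write-blocker", "analyst A (assumed)", src_hash)
        log.add("EX-001", "image sealed and stored", "analyst A (assumed)", img_hash)
        copy_ok = src_hash == img_hash and log.verify()

        with open(image, "r+b") as f:      # image altered after sealing
            f.seek(10)
            f.write(b"X")
        image_tamper_detected = hash_file(image) != log.entries[-1]["evidence_sha256"]

        log.entries[0]["handler"] = "analyst B"   # custody record edited afterwards
        log_tamper_detected = not log.verify()
        return copy_ok, image_tamper_detected, log_tamper_detected
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Record both the source and image hashes in the custody log at the moment of imaging; re-hashing the sealed image before presentation and matching it against the logged value is what lets the authenticity row of the earlier table be demonstrated rather than asserted. SHA-256 is used here; MD5 on its own is no longer a safe choice because colliding inputs can be constructed, although recording a second algorithm alongside costs nothing.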
C. Presenting
When presented, electronic evidence should be placed into a context that will be understandable by all parties of the dispute. This is
typically the role of a lawyer. The role of information security is to ensure that the evidence is understandable and has integrity,
authenticity, credibility, consistency and continuity.
C1 Create a report to support the testimony:
• Review collected electronic evidence and advise on the most pertinent evidence to be presented in court
• Format the selected evidence in a way that makes it understandable to a judge and jury
• Create a report (chain of custody) outlining all steps taken in collection, protection and presentation of electronic evidence to be used
as exhibits and summarise any other collected evidence
• Remove any unrelated sensitive business data from the report, or mask it (eg by censoring financial reports, by replacing personal details
with codes, or by cleaning up details in product schematics).
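The last bullet above, replacing personal details with codes, only works if the replacement is consistent across the whole report; otherwise a judge cannot follow one individual from exhibit to exhibit. The following added example (written for this edit, not from the ISF paper) derives each code with an HMAC under a key held together with the mapping table, so the same person, address or account always maps to the same code and nobody holding only the report can recover an identity by hashing guessed names. The excerpt, the names and the account-number format are constructed.

```python
"""Replace personal details in a report with stable, keyed codes.

Added example, not from the ISF paper. The report excerpt, names and the
account-number format are constructed; in practice the key and the mapping
table stay with the legal team, away from the circulated report.
"""
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ACCOUNT_RE = re.compile(r"\bACC-\d{6,}\b")  # assumption: internal account number format


class Pseudonymiser:
    """Keyed pseudonymisation: one identifier always yields one code, so the
    storyline stays readable, while the code cannot be reversed or confirmed
    by guessing names without the key."""

    def __init__(self, key, aliases):
        # aliases maps every spelling found in the text to one canonical name
        self.key = key
        self.aliases = sorted(aliases.items(), key=lambda kv: len(kv[0]), reverse=True)
        self.mapping = {}  # canonical identifier -> code; disclosed only to counsel

    def code_for(self, value, prefix):
        if value not in self.mapping:
            tag = hmac.new(self.key, value.lower().encode(), hashlib.sha256).hexdigest()[:8].upper()
            self.mapping[value] = f"{prefix}-{tag}"
        return self.mapping[value]

    def redact(self, text):
        # addresses and account numbers first, so a surname inside an e-mail
        # address is not half-replaced by the name pass below
        text = EMAIL_RE.sub(lambda m: self.code_for(m.group(0), "EMAIL"), text)
        text = ACCOUNT_RE.sub(lambda m: self.code_for(m.group(0), "ACCT"), text)
        for alias, canonical in self.aliases:  # longest alias first
            pattern = r"\b" + re.escape(alias) + r"\b"
            text = re.sub(pattern, lambda m, c=canonical: self.code_for(c, "PERSON"),
                          text, flags=re.IGNORECASE)
        return text


SAMPLE_REPORT = (  # constructed excerpt, not from any real case
    "On 14 July 2008 John Smith (john.smith@example.com) moved 312 MB from "
    "account ACC-00123456 to a removable drive. Smith told Priya Patel the "
    "copy was authorised; Patel denies this."
)
ALIASES = {  # every spelling that appears, mapped to the canonical name
    "John Smith": "John Smith", "Smith": "John Smith",
    "Priya Patel": "Priya Patel", "Patel": "Priya Patel",
}


def redact_sample(key=b"constructed-key-held-by-counsel"):
    """Return (redacted text, mapping table) for the constructed excerpt."""
    p = Pseudonymiser(key, ALIASES)
    return p.redact(SAMPLE_REPORT), p.mapping


if __name__ == "__main__":
    text, mapping = redact_sample()
    print(text)
    print(mapping)
```

A plain hash of the name would not do: the set of employee names is small enough to enumerate, so anyone with the report could test candidates against the codes. Keep the key and the mapping under the same access controls as the unredacted evidence, and list every spelling of a name (surname alone, initials) in the alias table, because the masking is only as complete as the aliases supplied.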
Further information on best practice when collecting, protecting and presenting electronic evidence can be found in:
• Association of Chief Police Officers (UK) – Good Practice Guide for Computer Based Electronic Evidence
• US Department of Justice – Forensic Examination of Digital Evidence: A Guide for Law Enforcement
• BSI BIP 0008 – Code of practice for legal admissibility and evidential weight of information stored electronically
• ISO 15801 – Electronic imaging: recommendations for trustworthiness
• ISO 18492 – Long-term preservation of electronic documents.
Contact:
grega.vrhovec@securityforum.org
nick.frost@securityforum.org
The Information Security Forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security
solutions that meet the business needs of its Members.
Reference: ISF 08 12 01 Copyright © 2008 Information Security Forum Limited. All rights reserved.