computer forensics
The computer investigative procedure

London and Manchester, UK
0870 140 2525



Computer investigation: Engaging the Data Clinic


Introduction
The Data Clinic Forensic Computing Department was established in April 2000. Its purpose is to investigate and produce digital evidence that can be relied upon in a court of law.

A Data Clinic Forensic Investigator will act under instruction from a client or a legal practitioner. The investigator will undertake an independent analysis of computer systems and electronic media using a wide variety of tools and techniques.

The Data Clinic Investigator has sole responsibility to ensure that the results of his or her investigation are reliable and undertaken in accordance with procedures for the preservation, recovery and presentation of digital evidence.

The Data Clinic Investigator will inform those providing instructions if there is any reason whatsoever that his or her findings cannot be relied upon.


Computer Based Evidence
The Data Clinic Forensic Department adheres to the guidelines set out in the "Good Practice Guide for Computer based Electronic Evidence" issued by the National High-Tech Crime Unit (NHTCU) and agreed by the Association of Chief Police Officers (ACPO).

Evidence obtained from computers or computer media is subject to the same rules and laws as documentary evidence: data stored on a computer is no different to text on a written document. It must be shown to the court that the evidence produced is no different in any form from the evidence taken by the police or other investigating body.

No action taken should change data held on a computer or other media which may subsequently be relied upon in Court.

An audit trail or other record of all processes applied to computer based evidence should be created and preserved. It is essential to demonstrate to a court both the integrity and the continuity of evidence: how it was recovered and the process by which it was obtained. Evidence should be preserved so that an independent third party is able to repeat the same process and arrive at the same result as that presented to a court.

The Data Clinic Investigator conducting the analysis is responsible for ensuring that the principles of law are adhered to. They must be satisfied that anyone accessing the media, and any use of a copying device, complies with these principles.

The Investigative Procedure

The Data Clinic Forensic Department requires the following prerequisites before undertaking any assignment:

  • Proof of identity
  • Evidence of authority or ownership
  • Confidentiality agreement
  • Details of the matters in hand
  • Description of the equipment types and operating systems
  • Consultation
  • Case Notes
  • Written set of instructions, e-mail, fax, or letter
  • Signed Contract

Further:

  • Chain of Custody
  • Written work log which details and controls continuity in an investigation.
  • A written receipt for all items taken into his or her possession.
  • On site work plan and the authority and access necessary to carry out this plan.
  • The Client must ensure the Investigator is named on any ID, Access or other Credentials

Securing Evidence
Before the analysis of storage media begins, a minimum of two evidence images are produced of each suspect item, and detailed logs record all the items subsequently produced. The purpose is to secure from any storage media an exact copy of the data it contains without compromising the original. The suspect item and an exact image are placed in a fireproof, lockable and secure cabinet for retention. One of the evidence images is then subject to examination.

Full records of all work actions are kept. These can be made available to the defence or prosecution who may conduct a further examination to validate the actions taken. These records are also a part of the unused material of the investigation.
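The page does not say how an image is shown to be exact or how the work log is protected against later alteration. This added example (not Data Clinic's own code or procedure) assumes the common approach of comparing SHA-256 digests of the suspect item and each evidence image, and of chaining every log entry to the one before it so that a third party can re-run the check; file names and sample data are constructed.

```python
import datetime, hashlib, json, os, pathlib, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(log, action, detail):
    """Append a work-log entry chained to the previous entry's digest."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    utc = datetime.datetime.now(datetime.timezone.utc).isoformat()
    body = {"seq": len(log) + 1, "utc": utc, "action": action, "detail": detail, "prev": prev}
    log.append({**body, "entry_hash": entry_digest(body)})

def log_is_intact(log):
    """Recompute every digest; an edited or removed entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or entry["entry_hash"] != entry_digest(body):
            return False
        prev = entry["entry_hash"]
    return True

def verify_images(source, images, log):
    """Compare each evidence image with the suspect item and log every result."""
    reference = sha256_file(source)
    log_action(log, "hash_source", {"item": os.path.basename(source), "sha256": reference})
    results = {}
    for image in images:
        digest, name = sha256_file(image), os.path.basename(image)
        results[name] = digest == reference
        log_action(log, "verify_image", {"item": name, "sha256": digest, "match": results[name]})
    return results

def demo():
    """Constructed data: a stand-in suspect item and two images, one altered."""
    data = b"constructed sample sector data " * 4096
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("suspect.dd", "image1.dd", "image2.dd")]
        for path, content in zip(paths, (data, data, data[:-1] + b"X")):
            pathlib.Path(path).write_bytes(content)
        log = []
        return verify_images(paths[0], paths[1:], log), log
```

The altered second image differs from the source by a single byte and is still reported as a mismatch; editing any recorded entry afterwards makes `log_is_intact` return `False`.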

Analysis
When conducting an analysis in respect of the instructions and case notes provided to the Data Clinic, the Investigator will ensure that a full log of all the actions he or she has undertaken is kept.

On completion of the analysis the Data Clinic Investigator will produce a witness statement and a report showing the evidence found.

Disclosure
The Criminal Procedure and Investigations Act 1996 (CPIA) introduced a framework for the disclosure of unused material (i.e. all material that is not produced as evidence).

The rules of disclosure apply to computer evidence in exactly the same way as they do to any other material obtained during an investigation. However, due to the amount of material that can be stored on a computer, it is likely that not all of the information has been examined (e.g. 25 Gigabytes of data if printed on A4 paper would create a large stack of paper many metres high).

This raises a problem for the disclosure officer who must complete forms showing a list of items which undermine the prosecution case (primary disclosure) or assist the defence (secondary disclosure).

If the data has not been viewed, the disclosure officer will not know if it contains any items as above. It is suggested that the relevant form is noted with details of the unused material that has not been viewed (e.g. print out a copy of the directory structure and highlight the files not viewed). A comment should be made as to the reasons why this has not been done, and that it is therefore not known if it holds any data which may undermine the case or assist the defence or prosecution.

Following a defence statement, it may be necessary, after consultation with the disclosure officer, to supply a copy of the unused data to the defence or prosecution.

 


The Data Clinic offer computer investigation for both prosecution and defence.
For further information please call us on 0870 140 2525

