Using Computers as Objects of Evidence in Corporate Investigations

How to avoid the common pitfalls when seizing computers for investigations: preserving the data and the chain of evidence

[Editor's note: The following article is excerpted with permission from chapter 22 of the third edition of The Process of Investigation: Concepts and Strategies for Investigators in the Private Sector, published by Butterworth-Heinemann, and authored by Charles Sennewald and John Tsukayama. The book is useful as a reference guide, though the clarity and readability of the book make it a useful self-study text for any security director or corporate investigator looking to hone his or her skillset.]

The computer can be both the means of committing crimes and the “location” where crimes occurred (such as in a computer intrusion or denial of service attack). Accordingly, computers have become a new type of crime scene that requires as much care to process for evidence as the location of any high-profile homicide or bombing scene. In some ways, even more care must be taken than in traditional crime scenes because of the extremely fragile and ephemeral nature of digital evidence.

Additionally, computers are often the high-tech equivalent of a filing cabinet used by criminals to store information that to an investigator can turn into proof of numerous misdeeds including the distribution of child pornography, embezzlement, narcotics trafficking, money laundering, identity theft, sexual harassment, or the theft of trade secrets, to name a few. Such evidence can even be used to prove the selling of a nation’s secrets by its own senior counter-intelligence operatives, as was the case of the Central Intelligence Agency’s Aldrich Ames.

Specialized Techniques

The techniques for obtaining digital evidence commonly are not fully appreciated by either investigative or computer professionals. On the one hand, an investigator may believe that once a computer file has been deleted it is beyond retrieval. On the other hand, a computer analyst may pay little heed to the manner in which he resurrects that same file and in doing so can utterly destroy its usefulness as a piece of evidence in courts or quasi-judicial proceedings. As a result of the problems caused by this lack of understanding, very painstaking methods have been developed by the law enforcement community. Specialized forensic analysis software has been written to allow for both the culling of information from suspect computers and surviving legal challenges to the information’s reliability and authenticity.

Seizing Computer Evidence

Unfortunately, securing computer evidence is not quite as simple as photographing, bagging, and tagging a screwdriver found at the scene of an office burglary. A high-tech intrusion rarely leaves evidence that is easily apparent or durable.

As early as the mid-1980s the federal government was creating methods by which its agents were able to seize, examine, and present computer evidence in court. Michael R. Anderson was one of the early pioneers with the U.S. Department of the Treasury, Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia. Before 1990, Anderson and others developed the first computer evidence courses, which have been taught to federal, state, and local law enforcement specialists.

Now the head of New Technologies, Inc., a private firm that through its software and training makes current state-of-the-art methods available to both public and private sector specialists, Anderson has provided easily accessible guidance through articles posted on his firm’s Web site. Though such articles, and other information available electronically or from other traditional sources, cannot substitute for a fully featured training course, they can still be instructive to an investigator in the cautions they describe.

Corporate Considerations

For the private/corporate investigator, certain suggestions are provided by Anderson to be considered when initially responding to a possible computer incident:
