Using Computers as Objects of Evidence in Corporate Investigations

How to avoid the common pitfalls when seizing computers for investigations: preserving the data and the chain of evidence


1. Don’t turn on or operate the subject computer. The computer should first be backed up using bit stream backup software. When the computer is run, the potential exists for information in the Windows swap file to be overwritten. Internet activity and fragments of Windows work sessions exist in the Windows swap file. This can prove to be valuable from an evidence standpoint. In the case of a DOS-based system, the running of the computer can destroy “deleted” files. For that matter, the same is true of a Windows system. To save grief, don’t run the computer.

2. Don’t solicit the assistance of the resident “computer expert.” The processing of computer evidence is tricky, to say the least. Without proper training even a world-class computer scientist can do the wrong things. Like any other science, computer science has its areas of specialty. We typically get calls “after the fact” and are advised that a computer-knowledgeable Internal Auditor or Systems Administrator has attempted to process a computer for evidence. In some cases, valuable evidence is lost or the evidence is so tainted that it loses its evidentiary value. For these reasons, seek the assistance of a computer specialist who has been trained in computer evidence processing procedures. Do this before you turn on the computer!

3. Don’t evaluate employee e-mail unless corporate policy allows it. New electronic privacy laws protect the privacy of electronic communications. If your corporate policy specifically states that all computers and data stored on them belong to the corporation, then you are probably on safe ground. However, be sure that you have such a policy and that the employee(s) involved have read the policy. Furthermore, it is always a good idea to check with corporate counsel. Don’t be in a hurry. Do things by the book! To do otherwise could subject you and your corporation to a lawsuit.
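Step 1 in practice, as an added illustration that is not part of the original chapter: a bit-stream copy of the seized drive is taken with dd without ever mounting or booting it, and the copy is proven faithful with a SHA-256 hash that is written to a custody log before any examination begins. All paths are hypothetical, and a small constructed file stands in for the drive so the script runs offline without root.

```shell
#!/bin/sh
# Added example (not the chapter's own procedure): image a seized drive
# bit-for-bit, then verify and log the image's hash before examining it.
set -eu

WORK=$(mktemp -d)
SOURCE="$WORK/seized_drive.bin"   # in practice a read-only device, e.g. /dev/sdb
IMAGE="$WORK/evidence_001.dd"     # hypothetical evidence file name
LOG="$WORK/custody.log"           # chain-of-custody record

# Constructed "drive" contents: live data plus fragments that would be lost
# if the machine were booted and its swap file or free space overwritten.
printf 'quarterly report\0\0\0deleted memo fragment\0swap page' > "$SOURCE"

# SHA-256 of one file, portable across GNU sha256sum and BSD shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Sector-level copy of every byte, allocated or not. The source is only read;
# nothing is mounted, so no timestamps, swap contents or free space change.
image_device() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Hash source and image, record both in the custody log, and compare them.
# Prints VERIFIED (exit 0) when they match, MISMATCH (exit 1) otherwise.
verify_image() {
    src_hash=$(hash_file "$1"); img_hash=$(hash_file "$2")
    printf '%s source=%s source_sha256=%s image=%s image_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$src_hash" "$2" "$img_hash" >> "$LOG"
    if [ "$src_hash" = "$img_hash" ]; then echo VERIFIED; return 0; fi
    echo MISMATCH; return 1
}

image_device "$SOURCE" "$IMAGE"
verify_image "$SOURCE" "$IMAGE"
```

Any later examination is done on a copy of the verified image, so the logged hash can be recomputed at any time to show the evidence is unchanged.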

Seizing Computer Evidence

In 1995, a Deputy District Attorney for Santa Clara County, California, named Kenneth S. Rosenblatt published a book titled High-Technology Crime, Investigating Cases Involving Computers. Mr. Rosenblatt’s expertise was derived from his service as supervisor of his office’s High-Technology Crime Unit, which covered the Silicon Valley. In conducting our research for this chapter, we found Mr. Rosenblatt’s book constantly referred to by the experts we consulted and the books we read. It can probably be considered the bible for investigators seeking to become familiar with the law and methods that should be applied in seizing and initially examining computer evidence. His book provides a step-by-step guide for obtaining search warrants, executing searches, and examining computers. As such, it is primarily oriented to the needs of law enforcement investigators, but it should still be read by corporate and private investigators who are serious about conducting investigations relating to high-technology crime.

Rosenblatt lists the priority items to accomplish at the time of executing a warrant:

1. Isolate the computers.
2. Isolate power and phone connections.
3. Confirm that the computers are not erasing data.
4. Check for physical traps.

It is clear that the first steps taken by investigators must be to ensure that the evidence existing at the moment they commence their search is not destroyed or damaged during the hunt as a result of protective measures taken by suspects either in advance of the search or during the search.

Another valuable source of information regarding various laws and methods relating to the seizure of computer evidence is the Federal Guidelines for Searching and Seizing Computers, from the U.S. Department of Justice. At the time of this writing it was posted on the Internet at www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm. Both Rosenblatt’s book and the Federal Guidelines make clear that great pains must be taken in preparing for and executing the seizure of computer evidence.

About the Authors:
Charles Sennewald, CPP, CSC, is an independent security management consultant and a member of ASIS International, and is the founder and first president of the International Association of Professional Security Consultants (IAPSC). He is the author of numerous books on security topics published by Butterworth-Heinemann.