Using Computers as Objects of Evidence in Corporate Investigations

June 27, 2006
How to avoid the common pitfalls when seizing computers for investigations: preserving the data and the chain of evidence

[Editor's note: The following article is excerpted with permission from chapter 22 of the third edition of The Process of Investigation: Concepts and Strategies for Investigators in the Private Sector, published by Butterworth-Heinemann, and authored by Charles Sennewald and John Tsukayama. The book is useful as a reference guide, though its clarity and readability also make it a useful self-study text for any security director or corporate investigator looking to hone his or her skillset.]

The computer can be both the means of committing crimes and the “location” where crimes occurred (such as in a computer intrusion or denial of service attack). Accordingly, computers have become a new type of crime scene that requires as much care to process for evidence as the location of any high-profile homicide or bombing scene. In some ways, even more care must be taken than in traditional crime scenes because of the extremely fragile and ephemeral nature of digital evidence.

Additionally, computers are often the high-tech equivalent of a filing cabinet used by criminals to store information that to an investigator can turn into proof of numerous misdeeds including the distribution of child pornography, embezzlement, narcotics trafficking, money laundering, identity theft, sexual harassment, or the theft of trade secrets, to name a few. Such evidence can even be used to prove the selling of a nation’s secrets by one of its own senior counter-intelligence operatives, as was the case with the Central Intelligence Agency’s Aldrich Ames.

Specialized Techniques

The techniques for obtaining digital evidence commonly are not fully appreciated by either investigative or computer professionals. On the one hand, an investigator may believe that once a computer file has been deleted it is beyond retrieval. On the other hand, a computer analyst may pay little heed to the manner in which he resurrects that same file and in doing so can utterly destroy its usefulness as a piece of evidence in courts or quasi-judicial proceedings. As a result of the problems caused by this lack of understanding, very painstaking methods have been developed by the law enforcement community. Specialized forensic analysis software has been written to allow for both the culling of information from suspect computers and surviving legal challenges to the information’s reliability and authenticity.

Seizing Computer Evidence

Unfortunately, securing computer evidence is not quite as simple as photographing, bagging, and tagging a screwdriver found at the scene of an office burglary. A high-tech intrusion rarely leaves evidence that is easily apparent or durable.

As early as the mid-1980s the federal government was creating methods by which its agents were able to seize, examine, and present computer evidence in court. Michael R. Anderson was one of the early pioneers with the U.S. Department of the Treasury, Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia. Anderson and others developed the first computer evidence courses before 1990 that have been taught to federal, state, and local law enforcement specialists.

Now the head of New Technologies, Inc., a private firm that through its software and training makes current state-of-the-art methods available to both public and private sector specialists, Anderson has provided easily accessible guidance through articles posted on his firm’s Web site. Though such articles, and other information available electronically or from other traditional sources, cannot substitute for a fully featured training course, they can still be instructive to an investigator in the cautions they describe.

Corporate Considerations

For the private/corporate investigator, Anderson offers the following suggestions to consider when initially responding to a possible computer incident:

1. Don’t turn on or operate the subject computer. The computer should first be backed up using bit stream backup software. When the computer is run, the potential exists for information in the Windows swap file to be overwritten. Internet activity and fragments of Windows work sessions exist in the Windows swap file. This can prove to be valuable from an evidence standpoint. In the case of a DOS-based system, the running of the computer can destroy “deleted” files. For that matter, the same is true of a Windows system. To save grief, don’t run the computer.

2. Don’t solicit the assistance of the resident “computer expert.” The processing of computer evidence is tricky, to say the least. Without proper training even a world-class computer scientist can do the wrong things. Like any other science, computer science has its areas of specialty. We typically get calls “after the fact” and are advised that a computer-knowledgeable Internal Auditor or Systems Administrator has attempted to process a computer for evidence. In some cases, valuable evidence is lost or the evidence is so tainted that it loses its evidentiary value. For these reasons, seek the assistance of a computer specialist who has been trained in computer evidence processing procedures. Do this before you turn on the computer!

3. Don’t evaluate employee e-mail unless corporate policy allows it. New electronic privacy laws protect the privacy of electronic communications. If your corporate policy specifically states that all computers and data stored on them belong to the corporation, then you are probably on safe ground. However, be sure that you have such a policy and that the employee(s) involved have read the policy. Furthermore, it is always a good idea to check with corporate counsel. Don’t be in a hurry. Do things by the book! To do otherwise could subject you and your corporation to a lawsuit.
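As an added illustration of the bit-stream backup called for in item 1, and of the integrity record that lets the copy survive later challenges to its reliability and authenticity, here is a sector-by-sector copy that hashes the source and the finished image independently and appends a chain-of-custody entry. This is example code written for this page, not from the book or from any vendor named in it; the "suspect disk", the examiner name and the file paths are constructed for the demo, and a real acquisition would read a block device behind a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile
import time

SECTOR = 512  # sector-sized reads: every byte is copied, not just live files


def sha256_file(path):
    """Hash a file in sector-sized chunks so large images need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(source, image):
    """Copy source byte-for-byte into image; return (source_sha256, image_sha256).

    The image digest is computed by re-reading the written file, not from the
    buffer in memory, so a mismatch reveals a copy that must not be relied on.
    """
    src_h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(SECTOR), b""):
            src_h.update(chunk)
            dst.write(chunk)
    return src_h.hexdigest(), sha256_file(image)


def log_custody(log_path, event, **fields):
    """Append one chain-of-custody entry (who, what, when, hash) as a JSON line."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "event": event, **fields}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed sample: a 4 KiB 'disk' whose slack space still holds old data."""
    workdir = tempfile.mkdtemp()
    disk, image = os.path.join(workdir, "suspect.bin"), os.path.join(workdir, "suspect.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(disk, "wb") as f:  # constructed contents, not real evidence
        f.write(b"INVOICE 2006-06-27\n".ljust(2048, b"\x00"))
        f.write(b"[deleted] wire transfer to offshore acct\n".ljust(2048, b"\x00"))
    src_digest, img_digest = bitstream_image(disk, image)
    log_custody(log, "acquired", image=image, examiner="J. Doe (constructed)", sha256=img_digest)
    # Later verification: the image must still hash to the value recorded at seizure.
    verified = sha256_file(image) == src_digest == img_digest
    with open(log) as f:
        entries = sum(1 for _ in f)
    return {"source": src_digest, "image": img_digest, "verified": verified, "entries": entries}
```

Any later hash of the image that does not match the logged value shows the evidence was altered after acquisition, which is exactly the challenge the custody record exists to answer.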

Seizing Computer Evidence

In 1995, a Deputy District Attorney for Santa Clara County, California, named Kenneth S. Rosenblatt published a book titled High-Technology Crime: Investigating Cases Involving Computers. Mr. Rosenblatt’s expertise was derived from his service as supervisor of his office’s High-Technology Crime Unit, which covered the Silicon Valley. In our research for this chapter, we found Mr. Rosenblatt’s book constantly referred to by the experts we consulted and the books we read. It can probably be considered the bible for investigators seeking to become familiar with the law and methods that should be applied in seizing and initially examining computer evidence. His book provides a step-by-step guide for obtaining search warrants, executing searches, and examining computers. As such, it is primarily oriented to the needs of law enforcement investigators, but it should still be read by corporate and private investigators who are serious about conducting investigations relating to high-technology crime.

Rosenblatt lists the priority items to accomplish at the time of executing a warrant:

1. Isolate the computers.
2. Isolate power and phone connections.
3. Confirm that the computers are not erasing data.
4. Check for physical traps.

It is clear that the first steps taken by investigators must be to ensure that the evidence existing at the moment they commence their search is not destroyed or damaged during the hunt as a result of protective measures taken by suspects either in advance of the search or during the search.

Another valuable source of information regarding various laws and methods relating to the seizure of computer evidence is the Federal Guidelines for Searching and Seizing Computers, from the U.S. Department of Justice. At the time of this writing it was posted on the Internet at Both Rosenblatt’s book and the Federal Guidelines make clear that great pains must be taken in preparing for and executing the seizure of computer evidence.

About the Authors:
Charles Sennewald, CPP, CSC, is an independent security management consultant and a member of ASIS International, and is the founder and first president of the International Association of Professional Security Consultants (IAPSC). He is the author of numerous books on security topics published by Butterworth-Heinemann.

John Tsukayama, CPP, CFE, PCI, is the executive vice president of Safeguard Services, and a former investigator for the Internal Revenue Service (IRS). He has been recognized for excellence by the Association of Certified Fraud Examiners (ACFE), and is a member of that organization as well as ASIS and the Association of Threat Assessment Professionals (ATAP).

(Copyright 2006, Elsevier Inc. All rights reserved.)