This week's reading [you have read it, haven’t you?] takes you from the general discussion we held last week into some more specific details about the role of both criminal justice and non-criminal justice professionals in the IT and computer forensics world (Chapter 1). We’ll also discuss why it is important that you understand the basic principles and concepts of the criminal justice process. Then we’ll get into what you would do and how you would interface with law enforcement in the event you have to conduct a forensic system analysis (Chapter 2). Chapter 2 again stresses the importance of understanding the criminal justice process, as well as discusses different types of devices or file systems that may contain information critical to your analysis.
One of the basic concepts to understand this week is that there are many types of evidence that can be found in digital data. Understanding what data you may find, even if it is not evidence of a crime, is important to preparing a digital examination/analysis plan. Let’s look at anon-technical example…
When a law enforcement officer applies for a warrant to search a residence, the officer must specify for what it is he or she is searching. If the case involves a stolen car, then the officer’s search will be limited to only those locations a stolen car, or pieces of a stolen car (in case it was chopped), could be located. It would be unwise to list only the stolen car on the warrant, as the court might limit the officer’s search just to the whole car, intact. So, the officer has to determine at the outset of her search what could have happened to the car (attempting to account for all the possibilities) so her search is complete and most likely to yield useful results. The officer will also have to justify in her affidavit why she believes that the car could be found in smaller pieces. To that end, an officer with auto theft experience may also be able to state that, in her experience: 1) stolen cars are often broken down into smaller components; 2) these components can be identified with certainty as belonging to the original stolen car; and 3) where such components could be hidden. It would most likely not be enough for the officer to simply assert that cars are broken down and sold for parts. If she wants to justify seizing an ashtray; the ashtray would need some specific characteristics to do that.
Search warrants and searches are usually limited in scope to items for which the searcher is looking (i.e., nearly always evidence of a crime or wrongdoing). You cannot look for an elephant in a kitchen drawer! I know that sounds absurd, but it is an excellent metaphor… However, if you were looking for narcotics, they could be hidden almost anywhere, and you could justify a much broader search. In this example, digital evidence is much more akin to narcotics than you may think, with evidential data often occurring in hidden, strange, or unlikely places. As such, although a warrant to search for digital evidence can often cast a “wide net”, it cannot be so broad that it is not supported by probable cause or it violates someone’s 4th amendment protections and implied rights to privacy.
However, don’t despair if you are not a law enforcement officer. NOTE THIS WELL: The requirement to obtain a search warrant does not apply to searches by private individuals or non-government organizations, as long as the individual(s) have the authority to conduct the search (e.g., IT security personnel are searching a computer owned by their company for company data, or an employee gives the company consent to search for their personal data). However, even those searches may be limited to certain parts of the computer system(s) or network(s). As noted in the text, if a person is allowed to use a personally-owned flash drive at work, and that drive is connected to the computer, you still may not be able to search it without the employee's consent. All of these examples depend heavily on established company policies and what warnings were given to the employee.
The text this week identifies several types of devices on which digital evidence could be found. For this week's discussion, please list two of the devices provided by the text (or other devices, if you prefer), state what types of evidence you would look for on those devices, and explain what limitations you might have or what hurdles you would have to clear before searching those devices (BOTH as a company IT professional and a law enforcement officer). Identify what, if any, policies would need to be in place for you to search as a private employee, as well as what limits can be placed on the search by police.