Chapter 5: Processing Crime and Incident Scenes
This chapter provides an overview of critical procedures and considerations for digital forensics investigators when handling crime and incident scenes.
Objectives
- Understanding the rules governing digital evidence.
- Methods for collecting evidence at private-sector incident scenes.
- Guidelines for processing law enforcement crime scenes.
- Steps involved in preparing for an evidence search.
- Techniques for securing computer incidents or crime scenes.
- Procedures for seizing and storing digital evidence.
- Methods for obtaining digital hashes to ensure integrity.
- Planning investigative strategies based on case requirements.
Identifying Digital Evidence
Digital evidence is defined as any information stored or transmitted in digital form. U.S. courts accept digital evidence as physical evidence, treating digital data as a tangible object. In some cases, digital evidence may need to be presented in a printed format.
Key investigative tasks include:
- Identifying digital information or artifacts usable as evidence.
- Collecting, preserving, and documenting evidence meticulously.
- Analyzing, identifying, and organizing collected evidence.
- Rebuilding or repeating situations to verify reproducible results.
Systematic approaches are crucial for collecting computers and processing criminal or incident scenes.
Understanding Rules of Evidence
Consistent practices enhance investigator credibility. Compliance with state and federal rules of evidence is mandatory. Evidence admitted in criminal cases can often be used in civil suits, and vice versa. Staying current with rulings on collecting, processing, storing, and admitting digital evidence is vital.
Digital evidence differs from physical evidence due to its susceptibility to change. Detecting these changes requires comparing original data with duplicates. Federal courts may interpret computer records as hearsay, which is secondhand or indirect evidence.
The business-record exception allows admissibility for records of regularly conducted activity, including computer records. Computer records are typically categorized as either computer-generated or computer-stored. To be admitted in court, computer records must be proven authentic and trustworthy. Computer-generated records are generally considered authentic if the creating program functions correctly. Proper evidence control procedures ensure the authenticity of computer evidence.
Attorneys may challenge digital evidence by questioning whether computer-generated records were altered or damaged. Proving the authenticity of computer-stored records often involves demonstrating that a specific person created them, which can be achieved through file metadata analysis, such as identifying the author of a Microsoft Word document.
Demo: Metadata in FTK
The demonstration uses Forensic Toolkit (FTK) to examine file metadata. A Word document is saved, added to FTK as evidence, located in the evidence view, and processed, showing how the file's metadata (such as its author information) can be accessed.
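As an added example (not from the chapter or from FTK), the two checks described above done in standard-library Python: comparing a duplicate against the original by SHA-256 hash to detect alteration, and reading the creator field from the core-properties part (docProps/core.xml) of a .docx package. The sample document and the author name "J. Doe" are constructed inline as placeholders.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# XML namespaces of the core-properties part (docProps/core.xml) in a .docx package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docx(author: str) -> bytes:
    """Constructed stand-in for a seized Word file: a minimal OOXML zip whose
    core-properties part carries the author metadata (no real document body)."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        "<dc:creator>{author}</dc:creator>"
        "<cp:lastModifiedBy>{author}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ).format(author=author, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<document/>")  # placeholder body
    return buf.getvalue()

def sha256_hex(data: bytes) -> str:
    """Digital hash of the acquired bytes, recorded at seizure and re-checked later."""
    return hashlib.sha256(data).hexdigest()

def verify_duplicate(original: bytes, duplicate: bytes) -> bool:
    """Detect alteration: the duplicate is trustworthy only if its hash matches the original's."""
    return sha256_hex(original) == sha256_hex(duplicate)

def document_author(docx_bytes: bytes) -> Optional[str]:
    """Read dc:creator from docProps/core.xml, the field recording who created the file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return None  # stripped or non-OOXML package: no core metadata to rely on
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find("dc:creator", NS)
    return node.text if node is not None else None

if __name__ == "__main__":
    doc = build_sample_docx("J. Doe")  # placeholder author, constructed sample
    print("sha256:", sha256_hex(doc), "author:", document_author(doc))
```

A hash mismatch tells you only that the bytes differ, not what changed; the metadata read is evidence of who the file claims created it, which is why the chapter pairs it with evidence-control procedures.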