How to Find Evidence

. . . while complying with law

We are awash in electronic evidence that can resolve audits and legal disputes.  An investigator can break a case with evidence gathered from gadgets like laptops or smartphones or from online sources like email, text messages, social media (Facebook, Reddit) or mobile apps (Waze, Foursquare).

But these alluring sources of evidence raise issues.  Many of the issues have been addressed in my blog posts over the years.

Here are examples, with links to relevant lessons:

1.  Terms of Service.  Suppose an investigator works for a divorce law firm, surreptitiously collecting evidence about a spouse from a social network.  The investigator may be wise to study the network’s terms of service to ensure his evidence is not tainted by a violation of those terms.

2.  Documented Authority.  An in-house forensics investigator working for an enterprise may seek to recover deleted data – such as erased text messages – from a mobile device belonging to an employee.  The investigator is wise to document that clear authority – such as a BYOD agreement – establishes that the investigator has the legal power to execute her investigation.

3.  Preservation Letter.  As an investigation transpires, an adversary who possesses evidence may be tempted to destroy it.  But a powerful deterrent to that temptation can be a preservation letter.  The letter warns the data holder about the consequences of evidence destruction while an investigation is pending.

4.  Safeguard Personally Identifiable Information (PII).  A confusing, ever-changing array of laws requires that sensitive information like social security numbers be protected from illicit disclosure.  When an investigator comes into possession of PII, she would be prudent to lock the information with encryption or other controls to prevent its release to unauthorized people.

5.  Memorialize How the Evidence Was Accessed.  Cyber environments change constantly.  For instance, in 2011 I created a video demonstrating how an investigator could record his interaction with a criminal through a product called “Windows Live Messenger.”  The screencast video recorded exactly how Windows Live Messenger worked at the time.

But -- Gadzooks -- Microsoft recently retired Windows Live Messenger, replacing it with Skype Messaging!  From an evidentiary perspective, this change is profound.  If one wanted to show a jury how “Windows Live Messenger” works, one could not do it with technology that is available today.  The technology is gone.  Therefore the screencast video created in 2011 would be crucial to explaining in a court today what happened back in 2011.

As new sources of evidence emerge (e.g., wearable, always-on computers), investigators will face new challenges.  What new challenges do you see?

–Benjamin Wright

Mr. Wright teaches Law of Data Security and Investigations for SANS Institute.  This class trains professionals from all parts of the globe in how to reduce legal risk and increase credibility in cyber investigations.