Thursday, July 2, 2015
Digital Device Seizure Tips for Attorneys & Legal Staff
July 2, 2015
Digital Device Seizure Tips for Attorneys & Legal Staff
As a private digital forensic practitioner, our clients come from several different areas. Pro Digital markets our services to private investigators, information security professionals, human resource practitioners and our biggest segment of clientele, attorneys involved in litigation practice, both civil and criminal. As a natural first step in the digital forensic process, attorneys offices and legal staff will often obtain possession of laptop computers, cell phones, tablets, etc. and call a digital forensic practitioner for advice, to retain services and consult generally. What unfortunately happens in the meantime is that the digital device may be manipulated, "examined" or otherwise used by folks in the attorneys office in between device acquisition by the staff and data acquisition by the digital forensic practitioner. Because the government has been (and still is) pretty much at the forefront of digital forensics, this doesn't happen very much in prosecutor's offices and other government sectors, but it does happen in private legal practice quite a bit. To help close this gap, I'm offering a few easy tips for digital device seizure and secure storage for attorneys and their staff when cases arise necessitating a digital forensic examiner.
Computer Seizure & Secure Storage
1) Note the date, time and person from whom you received the computer
This tip may seem simplistic, but it's the first step in the chain-of-custody. This also helps answer some questions the digital forensic examiner may have right off the bat. As with most things, if it's not documented, it didn't happen, so initiating the documentation chain from the beginning is a great first step.
2) Ask the client about the system (and document their answers)
Does the computer have a password? If so, what is it? Is the hard drive encrypted? How big is the hard drive? Is the computer still currently in use? How many users have access to the computer? All of these questions are important and may serve to provide valuable information not only for the examiner, but for evidentiary purposes later in the litigation process.
3) DO NOT turn the computer on and start looking through the file system
This is extremely important to prevent spoliation of the data. Every time you turn a computer on, settings are changed, file dates and times are updated and the data starts traveling down the dirty road toward being tainted. Curiosity is a very powerful human instinct. For the sake of acquiring the best possible data, please try to quell your curiosity.
It's also important to note that doing this may put YOU in the hot seat because you are now a witness. As we already know, it's inappropriate (at best) for attorneys and their staff to be witnesses in clients cases, so the best way to prevent this is to not even put yourself in that position.
4) Secure the computer in a locked area with limited access
This may also seem simplistic, but think about how desperate the other side is in your case. In divorce and custody cases, the opposing party may have a large sum of money and/or child custody on the line. In criminal cases, there may be evidence on that computer that implicates someone else. There are very few avenues a truly desperate person won't go down to preserve their way of life or their freedom, up to and including breaking into your office to steal or destroy the computer that contains the digital nail in their coffin.
Securing these items in an area that not everyone in your office has access to (or even is aware of) is the best practice for digital evidence storage. Documenting all of these things in the file goes hand-in-hand with secure storage and is also highly advisable.
Mobile Device Seizure
Many of the same rules above pertain to mobile devices as well, particularly with regard to documentation of when, where and from whom you received the device and secure storage. There are a few additional considerations and some marked differences, however.
1) Immediately put the device into airplane mode and make sure all network connections (wi-fi, bluetooth, etc.) are turned OFF.
This is also extremely important to prevent any unwanted destruction of data and to preserve the data on the device in the best possible form for subsequent data acquisition. Will this in effect change some settings and data on the device? Yes. But it's also the most effective and universally accepted way to prevent unwanted destruction of the data on the device.
2) Make sure to obtain any pass code information for the device from the person you received it from.
This is absolutely imperative for certain devices. So imperative that if we don't get it, we aren't getting the data you need from certain popular mobile devices. While it may be true that you can just call the client later and get this information, it will make the digital forensic examiners job a little easier to have this information from the start.
3) Don't manipulate (or "examine") the device to try and get answers to your questions immediately.
This tip is very similar to the one with regard to computers, but it seems that the ease of use of mobile devices makes quelling your curiosity much more difficult. The bottom line is, the data isn't going anywhere (especially if you followed steps 1 and 2), so turn it off, lock it up and don't play with it. We'll find out what's on the device soon enough and you won't have the added heartache of being a potential witness in your case.
Once all of these tips have been followed, you can confidently call in your digital forensic expert to obtain possession of the device(s) involved in your case and/or perform the forensic data acquisition. Some of these tips may be seem overly simplistic to the point of being obvious, but I share them because I've repeatedly seen where there may be a gap in knowledge about what legal professionals should do with these items when they're received in the office and before they call the digital forensic expert.
By following these simple tips, you help increase the effectiveness of your digital forensic expert and take a huge step forward in properly obtaining the data that could be the proverbial smoking gun in your case.
Please share these tips with friends and contacts in the legal community and, as always, please don't hesitate to call with any questions.
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia