From Log Files to Litigation Making Electronic Evidence Count
Introduction • Who is Larry Gagnon? • What is this all about? • Why is this information important to me? Forensicom Ltd.
Agenda • Electronic evidence collection with a focus on admissibility • Search tips • Note-taking & documentation • Continuity of evidence • Analysis basics • Effective reporting • Testimony & sneaky lawyer tricks
Overview • Data forensics is a process that must be managed • Evidence must be able to stand up to cross-examination • The admissibility of evidence is crucial • Preparation, process and practice
Searching for Evidence
Searching for Evidence • Identify the various sources of potential electronic evidence • Desktop, mail server, firewall… • Might include PDAs, thumb drives, cell phones, etc. • Can a company seize and examine an employee’s cell phone?
Searching for Evidence • You must be able to state specifically where the evidence came from • More than “It was in Bob’s office” • Extensive searches require scene control and exhibit logging • Prepare and document a method that fits your needs • Practice your selected method
Searching for Evidence • Before you search: • Limit physical access • Fully document the area to be searched • Photographs can be taken • Make a hand-drawn diagram of the area • Note the location and condition of things observed • You never know what may be important
Searching for Evidence • Number the room, letter the walls, number the furniture, letter the compartments (POST-IT notes) • Include the numbering in your diagram • Example: Room 1, Wall N, Furniture 2, Drawer B, Floppy Disk 1 becomes 1-N-2-B-1
Taking Notes • Notes form part of disclosure and are subject to cross-examination • DRAFT notes, scribblings, etc. can also be cross-examined • Notes are for refreshing your memory • Each case gets its own notebook
Taking Notes • Notes are to be legible (no codes, foreign language or shorthand) • You are required to provide full, frank and fair disclosure • Consider what should stay out of your notes
Taking Notes • Each entry should be time stamped • Entries should be chronological • Notes are made at or near the time of the incident • Use a 24-hour clock to avoid confusion • Do not erase, alter or change them • Use strikethrough on an incorrect entry • When are my notes good enough?
Continuity of Evidence
Continuity of Evidence • Continuity is the documentation of the life cycle of an evidence item • An unbroken chain of events that accounts for the evidence at all times
Continuity of Evidence • Who handled it? • What did they do with it? • When did this occur? • Where was it taken or stored? • Did anyone alter/handle/tamper with the evidence?
Continuity of Evidence • Many different documents can be used for tracking evidence • Numbered bags, tamper-evident seals, etc. • Never alter the original evidence item by writing on it • See example forms
Continuity of Evidence • Continuity forms
Analysis of Evidence • The integrity of the evidence must be preserved • No “quick peeks” • Never work on the original media • Use a hash function to verify the integrity of the original before and after you image it • Use hashing to verify the integrity of your working copies
Analysis of Evidence • Use more than one tool • Use ONLY PROPERLY LICENCED tools • Test and verify your tools before putting them into production • Maintain documentation on your test process and subsequent results • Ultimately your process and results must be repeatable if required by the court
Effective Reporting • There is no “standard” report • Know the purpose of the report • Always consider that your report could end up in court, no matter how informal the case • Keep it absolutely professional, clear and concise
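As an added example that is not part of the original deck, the following Python script ties together the practices from the search, note-taking, continuity and analysis slides: the location-based exhibit ID (1-N-2-B-1), an append-only continuity log with 24-hour UTC timestamps that is corrected by new entries rather than edits, a self-test of the hash tool against a published SHA-256 vector before it touches evidence, and the before/after hashing of the original plus verification of each working copy. The exhibit, handler names, file names and log layout are assumptions, and the disk image is constructed sample data, not real evidence.

```python
"""Added example (not from the deck): exhibit ID, continuity log, tool self-test,
and hash-before/hash-after imaging checks. Names and layout are assumptions."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Published SHA-256 known-answer vector for the message "abc" (FIPS 180-4).
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def tool_self_test() -> bool:
    """Verify the hash tool against a known answer before using it in production."""
    return hashlib.sha256(b"abc").hexdigest() == SHA256_ABC


def exhibit_id(room: int, wall: str, furniture: int, compartment: str, item: int) -> str:
    """The deck's scheme: Room 1, Wall N, Furniture 2, Drawer B, Item 1 -> '1-N-2-B-1'."""
    return f"{room}-{wall}-{furniture}-{compartment}-{item}"


def sha256_file(path: Path) -> str:
    """Stream the file in chunks so large images never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class ContinuityLog:
    """Append-only record of who did what to which exhibit, when (24-hour UTC).
    Entries are never edited; a mistake is corrected by appending a new entry."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, exhibit: str, handler: str, action: str, **details) -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "exhibit": exhibit, "handler": handler, "action": action, **details,
        }
        self.entries.append(entry)
        return entry


def acquire(original: Path, image: Path, exhibit: str, examiner: str, log: ContinuityLog) -> str:
    """Hash the original, image it, then re-hash the original and hash the image.
    Returns the verified hash or raises if the three values disagree."""
    before = sha256_file(original)
    log.record(exhibit, examiner, "hash_original", sha256=before)
    image.write_bytes(original.read_bytes())  # stand-in for a write-blocked imaging tool
    after = sha256_file(original)
    copy = sha256_file(image)
    log.record(exhibit, examiner, "image_created", image=image.name,
               original_after=after, image_sha256=copy)
    if not (before == after == copy):
        log.record(exhibit, examiner, "INTEGRITY_FAILURE",
                   before=before, after=after, image_sha256=copy)
        raise RuntimeError(f"integrity check failed for exhibit {exhibit}")
    return before


def verify_working_copy(copy: Path, expected: str, exhibit: str, examiner: str,
                        log: ContinuityLog) -> bool:
    """Re-hash a working copy before each analysis session and log the outcome."""
    actual = sha256_file(copy)
    ok = actual == expected
    log.record(exhibit, examiner, "verify_copy", copy=copy.name,
               result="match" if ok else "MISMATCH", sha256=actual)
    return ok


def demo() -> dict:
    """Constructed scenario: a seized floppy image, one intact working copy and
    one working copy that was accidentally written to."""
    if not tool_self_test():
        raise RuntimeError("hash tool failed its self-test; do not proceed")
    log = ContinuityLog()
    exhibit = exhibit_id(1, "N", 2, "B", 1)
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        original = d / "seized.img"
        original.write_bytes(b"CONSTRUCTED SAMPLE DISK IMAGE\x00" * 64)  # constructed data
        log.record(exhibit, "Examiner 1", "seized", location="Room 1, wall N, desk 2, drawer B")
        master_hash = acquire(original, d / "master.img", exhibit, "Examiner 1", log)
        good = d / "work1.img"
        good.write_bytes((d / "master.img").read_bytes())
        bad = d / "work2.img"
        bad.write_bytes((d / "master.img").read_bytes() + b"\x00")  # simulated stray write
        return {
            "exhibit": exhibit,
            "master_hash": master_hash,
            "good_copy_ok": verify_working_copy(good, master_hash, exhibit, "Examiner 2", log),
            "bad_copy_ok": verify_working_copy(bad, master_hash, exhibit, "Examiner 2", log),
            "log": log.entries,
        }


if __name__ == "__main__":
    for e in demo()["log"]:
        print(e)
```

The log entries are what a continuity form captures: sequence number, time, exhibit, handler and action. The mismatch on the second working copy is logged rather than silently discarded, because the court will want to see that the failure was noticed and how it was handled.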
Effective Reporting • Civil & internal HR cases • Only include relevant information • Use summary pages for the executive summary, findings and opinions • Put the technical material in appendices • Attach a sworn affidavit • No speculation or unrelated information
Effective Reporting • Criminal cases • An unbiased review of all the evidence • Case summary up front • Technical information at the back • No opinions unless requested by the Crown • NO TECHNICAL TALK • Use a glossary
Testifying in Court
Testifying in Court • Maintain composure • Answer the question • Don’t be argumentative • Speak to the judge / jury • Do not use high-level tech talk • Do not offer “extra” • Don’t speculate, guess or agree just to accommodate a question
Sneaky Lawyer Tricks • An excerpt from court transcripts: Q. When he went, had you gone and had she, if she wanted to and were able, for the time being excluding all the restraints on her not to go, gone also, would he have brought you, meaning you and she, with him to the station?
Sneaky Lawyer Tricks • They are paid money to make you and your work look bad • They take courses on how to ask confusing and difficult questions • There are numerous time-tested and effective questioning tactics that you will encounter in court
Sneaky Lawyer Tricks • Diminishing your qualifications to testify on the matter • Drawing “I don’t know” answers frequently • Re-phrasing and repeating questions • Paraphrasing your responses: “Is it fair to say…?” • Challenging your memory: “Earlier on you said…”
Sneaky Lawyer Tricks • Lulling you into a sense of agreeability • Answers that require speculation • Time and distance estimation • “Did you examine ALL of the evidence?” • Repeated confirmation of negative responses • Making statements instead of asking questions
Sneaky Lawyer Tricks • Weakening or minimizing your opinion • Cutting you off mid-answer • Leading you down the garden path • “Is it possible?”
Summary • Importance of scene control & documentation • What goes into notes and what doesn’t • Integrity of your process and continuity of evidence items must be proven • Consider the purpose and scope of your report • Lawyers can be scary
More information • http://www.canlii.org/ca/sta/c-5/ • http://www.oba.org/en/pdf_newsletter/E-DiscoveryGuidelines.pdf • http://www.thesedonaconference.org/content/miscFiles/7_05TSP.pdf • larry.gagnon@forensicom.ca