Computer forensics: Securing permission to search


Computer forensics is a scientific approach to collecting, processing, preserving, and presenting electronic evidence. Failure to follow standard practices can make some or all evidence collected inadmissible in court. In this series of posts, I'll look at how to properly collect, process, and preserve evidence from both electronic and traditional sources. The discussion will be restricted to search and seizure practices in an office environment.

The first step in processing a scene is administrative. Permission must be obtained from the owner of the site to be investigated or through the use of a search warrant. In order to obtain permission, the investigator must document probable cause that a crime or security incident has occurred and that either the fruits of the crime or evidence related to the crime or incident exists in the place to be searched. Further, a clear definition of the area to be searched and of the evidence to be obtained must be provided.

In medium to large corporate environments, the human resources department is typically involved in all investigations conducted by an internal security team. An investigator can usually rely on HR to obtain the proper permissions from management. In smaller business entities, it's usually more efficient to go directly to the CEO for permission. No matter who grants access to the scene, be sure to secure permission in writing.

Scene processing conducted directly by law enforcement or requested by law enforcement requires a search warrant properly executed by a judge. This applies to non-law enforcement forensic investigators collecting evidence in response to a request from a government or law enforcement agency. Exceptions to the warrant requirement occur when it's possible to obtain the owner's permission to conduct a search. In business environments, this can be an appropriate member of executive management, a company's general counsel, etc. Warrants are usually required when the search is to be conducted of a workspace belonging to a public employee, regardless of the presence of employer permission to search.

There are exceptions to the requirement to obtain prior approval. These exceptions are known as exigent circumstances. From the perspective of evidence preservation, exigent circumstances exist when the person conducting the investigation believes that waiting for proper authorization will result in the destruction of critical evidence. In such cases, the evidence may be obtained without management approval or a warrant. However, processing evidence obtained in this way should wait until permission is actually granted.

The rules pertaining to search and seizure may vary from one legal jurisdiction to another. Be sure you understand the rules governing your actions.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

13 comments
nlamczyk

If any evidence must be collected from a server or pc it must be stated within the warrant. If email is the target the court can even seize your email server but again it must be stated in a warrant. Once seized though a copy must be made of the hard drives and work done with those in order to maintain that the evidence wasn't tampered with.
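As an added illustration of the last point in that comment (work on a verified copy, never on the seized drive itself), and not code from the original post or any commenter: a small Python routine that hashes the seized image and its working copy and produces a custody-log entry recording whether they match. File names and the sample bytes are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-terabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_working_copy(original_path, copy_path):
    """Return a custody-log entry; 'verified' is True only when both digests match."""
    original_hash = sha256_of_file(original_path)
    copy_hash = sha256_of_file(copy_path)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "original": os.path.basename(original_path),
        "original_sha256": original_hash,
        "working_copy": os.path.basename(copy_path),
        "working_copy_sha256": copy_hash,
        "verified": original_hash == copy_hash,
    }


def demo():
    """Constructed sample: one 'seized' image, a faithful copy and a copy with one altered byte."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "seized_disk.img")
        good = os.path.join(d, "working_copy.img")
        bad = os.path.join(d, "altered_copy.img")
        data = b"\x00" * 4096 + b"constructed evidence bytes" + b"\xff" * 4096
        for path, content in ((image, data), (good, data), (bad, data[:-1] + b"\x00")):
            with open(path, "wb") as f:
                f.write(content)
        # Returns (entry for the faithful copy, entry for the altered copy)
        return verify_working_copy(image, good), verify_working_copy(image, bad)


if __name__ == "__main__":
    ok, tampered = demo()
    print(json.dumps([ok, tampered], indent=2))
```

The entry for the seized image should be recorded once at acquisition time and compared against every later hash, so any mismatch can be traced to a specific handling step.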

uniitaly

What happens if you are a Computer Forensic recovery specialist and you come across indecent images of children? If your conscience pushes you towards reporting the images to the law, yet the very law leaves you legally exposed to be prosecuted!

mroonie

How much does it cost to hire such an investigator? It seems like it would cost much more than the average investigation. I say, just lock down your computer systems and educate your employees how information should be shared. You're sure to save a lot of money! This study suggests that on average it costs up to 22 million dollars to recover from a breach when creating and implementing security policies only costs 180,000.... So in terms of ROI, the smart decision to make is pretty obvious

Anthony.V

Can't wait to read more on this!

martin.reading

This whole issue is a tricky one - because all of us (speaking on behalf of techies) see all sorts of stuff over the years. There was a discussion on this a couple of months ago I believe. I know I can say I have seen things and sometimes turned a blind eye and other times I have first of all reported it to a senior manager who then took it to HR. It is common sense but also human conscience plays a part (how many turn a blind eye if it's a friend or somebody we like) for example lol I know we had to take somebody to court for using a digital camera and taking indecent photos so copies of the SIM card had to be taken. It went to court as the lady in question fought against being dismissed because of it and tried to claim she hadn't meant to cause offence!

CrimeDog

Keep in mind that the original question was posted by a Brit and the responses have been US or from the Land of Oz (Australia for the uninitiated) - completely different laws and obligations. In the US - CP is contraband at the federal level - mere possession is chargeable. In the original example, a data recovery specialist finds CP in the process of recovering a drive. S/He is obligated by law to report - this is NOT a conscience thing - and failure to do so has its ramifications. Keep in mind that actually determining if a picture is CP or has been morphed is a factor. I would report and let those with the proper tools determine the authenticity. The further distinction between adult porn and obscenity is jurisdictional. Something legal in one bailiwick may be chargeable in another. CD

HAL 9000

If we come across any criminal activity in the pursuit of our jobs we are legally obliged to report this to the authorities. As a Computer repairer if you find pictures of children that are indecent you are legally bound to report this to the nearest Police Station and they will then come out and look at the picture/s that you found and make a decision from there. If there is only 1 photo these are generally forgotten about but this depends on the content of the photo as well so a Copy can be asked for to see if any Digital Enhancements/Alterations have been applied to the picture to make it look as something different to what it actually looks like now. Here in AU provided that it can be shown that you acted In Good Faith there is no comeback against the repairer for reporting the incident. The only possible comeback is if it is felt by the investigating Officer that you are being Frivolous or Vexatious you can then be held legally liable for the cost of the Police Investigation and they will report you to the owner who is then capable of filing Civil Charges against the person who is making a nuisance of themselves. So far I haven't heard of one claim of this happening but it may have and been settled out of Court with Hush Orders as part of the settlement. Col

Tom Olzak

In the United States, discovery of evidence of illegal activity unrelated to the crime or incident under investigation, found subsequent to a legal search, is typically admissible. The investigator is not at risk.

Ron_007

Right, but common sense is very uncommon! But can you get management to accept all of the potential costs in the ROI calculation? All too often, the computer guys try to do it "right" but are not allowed to for "business" reasons (most commonly cost, which may or may not be a valid argument). Here is a link to an example of that situation: http://blogs.ittoolbox.com/security/investigator/archives/even-more-horror-stories-15524 (And yes, I know, data leaks are often a result of mistakes by the IT department.) If you like that story, check out this link, it has links to dozens more similar stories, boy some of them are scary: http://blogs.ittoolbox.com/security/investigator/archives/official-securitymonkey-case-file-index-14787 And even if you do manage to do it "right", the sad fact of the matter is that there is always someone smarter than you who will find a way to bypass your security setup. It may be a hacker, your IT guy "gone bad", an executive who wants extra "privileges", a front line user who wants to use VOIP or simply clicks on the wrong link in an email. Or it could be an "honest" to goodness spy ... If the U$ Navy can't do it 'right' what chance does the average company have: http://blogs.zdnet.com/Murphy/?p=835 A navy petty officer was caught with some porn, oops. Even more unfortunate for him, one of the porn files had secret specification files for the Aegis targeting system, double oops. Sadly, computer security, or more importantly DATA security, is a topic that is very rapidly gaining in importance, requiring more time, effort and attention.

HAL 9000

That could be construed as CP is a chargeable offence and HAS to be reported. Where life gets difficult is what some people consider as Obscenity as different people have different views on this subject. My favourite case involved a very Prudish Police Officer who arrested a Newsagent for selling Pornography and had him charged for this offence. Apparently he took a poster of the Statue of David to be Hard Core Porn and acted as such. I believe that he was sent to Sensitivity Training Classes after that case so that would probably make him the same one who was recently charged for Manslaughter at Palm Island where after arresting someone they did the unthinkable and died on him after he wasn't quite as gentle as he should have been. This caused the Natives to get restless and riot causing all the Big Burly Bullet Proof Police Officers to hide under their beds while the Court House and most of the Police Vehicles were destroyed. Just to keep the Authorities worried someone managed to lay obstacles across the only runway on the island so that aircraft couldn't put down to supply reinforcements. They had to send them out on a boat and then when they arrived everyone had gone home to bed. :D Col

stephen.williams

I agree with HAL 9000, and would go further. If in the course of professional work I find child porn, then because it's a serious criminal offence, I'm legally bound to report it to the Police. If I don't I could be accused of being an accessory after the fact by concealing (i.e. not revealing) it, although I've no knowledge of anyone being so accused here in the UK.

320vu50

The normal procedure when discovery of evidence of another crime is made while searching under a warrant for something else (i.e. investigating a fraud scheme and finding child porn mingled with the finance entries) usually halts all further search until a search warrant is obtained for the crime uncovered by the "new" discovery. Often overzealous investigators believe a permit to stroll through the garden allows them to look into the barn. So why risk the possibility of a 'sympathetic idiot' in a black robe tossing the whole thing out for the twenty minutes it takes to prepare and get a telephonic warrant?
Gerry, Retired Police Officer (Arson and Fraud investigations)

Tom Olzak

This is a great point. When something changes, stop and consider the ramifications of not pursuing expanded search authorization. This is true for warrants as well as for corporate-officer-approved searches.
