Computer forensics is a scientific approach to collecting, processing, preserving, and presenting electronic evidence. Failure to follow standard practices can make some or all evidence collected inadmissible in court. In this series of posts, I'll look at how to properly collect, process, and preserve evidence from both electronic and traditional sources. The discussion will be restricted to search and seizure practices in an office environment.
The first step in processing a scene is administrative. Permission must be obtained from the owner of the site to be investigated or through the use of a search warrant. In order to obtain permission, the investigator must document probable cause that a crime or security incident has occurred and that either the fruits of the crime or evidence related to the crime or incident exists in the place to be searched. Further, a clear definition of the area to be searched and the evidence to be obtained must be provided.
In medium to large corporate environments, the human resources department is typically involved in all investigations conducted by an internal security team. An investigator can usually rely on HR to obtain the proper permissions from management. In smaller business entities, it's usually more efficient to go directly to the CEO for permission. No matter who grants access to the scene, be sure to secure permission in writing.
Scene processing conducted directly by law enforcement or requested by law enforcement requires a search warrant properly executed by a judge. This applies to non-law enforcement forensic investigators collecting evidence in response to a request from a government or law enforcement agency. Exceptions to the warrant requirement occur when it's possible to obtain the owner's permission to conduct a search. In business environments, this can be an appropriate member of executive management, a company's general counsel, etc. Warrants are usually required when the search is to be conducted of a workspace belonging to a public employee, regardless of the presence of employer permission to search.
There are exceptions to the requirement to obtain prior approval. These exceptions are known as exigent circumstances. From the perspective of evidence preservation, exigent circumstances exist when the person conducting the investigation believes that waiting for proper authorization will result in the destruction of critical evidence. In such cases, the evidence may be obtained without management approval or a warrant. However, processing evidence obtained in this way should wait until permission is actually granted.
The rules pertaining to search and seizure may vary from one legal jurisdiction to another. Be sure you understand the rules governing your actions.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.