As I thought more about my previous posting I realized I had more to say regarding digital investigations. One thing I've learned over the years is that investigations often lead you down a road you never thought you'd travel. You start out one Friday afternoon investigating a seemingly simple virus infection and 6 months later end up a material witness in a criminal fraud case. I can't count the number of times I've walked into work one morning thinking about the day I have ahead of me wondering "How did we get here?"
The valuable lesson to learn here is this. Assume that every investigation you go into could end up turning into a criminal case. I know that sounds horrible. You're thinking, "Dave, you sure live in a dark world" or "How about a little faith in humanity, huh?" My response is…I wish I could see into the future to tell which cases would become criminal so I could avoid them. They really are a pain.
So why the difference? Why worry if a case will become criminal? What's that mean to the organization or investigator? All very good questions…thanks for asking!
First and foremost, the workload associated with a criminal case is significantly higher. The cases take longer to develop, include multiple parties (you, law enforcement, lawyers, expert witnesses, etc.), typically involve lots of negotiations, and the best part…cost you a TON of money.
The real reason to treat every case as criminal is that the standards required for burden of proof, evidence handling, etc. are much higher in criminal cases. Your procedure for collecting, storing and analyzing data during an internal investigation may be fine for an administrative proceeding or maybe even a civil suit. If, however, during the investigation you decide to press criminal charges, your procedures may have ruined the evidentiary value of any information you collected. If the proper steps were not taken to safeguard the integrity and non-repudiation of the information, it's useless. It's an irreversible process. Evidence only has to have had the opportunity to be modified (in general terms) for it to lose its value and become inadmissible in court. Nobody will care whether it was actually altered. "Could it have been altered?" will be the question.
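To make "safeguarding the integrity" concrete, here is an added example (my own illustration, not code from the original post): hash the evidence the moment it is acquired, record that hash in a chain-of-custody log whose entries are chained together, and verify both the evidence and the log later. Every file name, examiner name and byte of "evidence" below is constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_entry(action, path, examiner, previous_hash):
    """Build one chain-of-custody record. Its own hash covers the previous entry's hash,
    so rewriting or dropping an earlier record breaks every link after it."""
    entry = {
        "action": action,
        "path": os.path.basename(path),
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_of_file(path),
        "previous_entry_hash": previous_hash,
    }
    serialized = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(serialized).hexdigest()
    return entry


def verify_evidence(log, path):
    """Re-hash the evidence and compare it with the hash recorded at acquisition
    (the first entry in the log). True only if not a single byte has changed."""
    return sha256_of_file(path) == log[0]["sha256"]


def verify_log(log):
    """Check the custody log itself: every entry's hash must recompute, and every
    entry must point at the hash of the entry before it."""
    previous = None
    for entry in log:
        if entry["previous_entry_hash"] != previous:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if recomputed != entry["entry_hash"]:
            return False
        previous = entry["entry_hash"]
    return True


def demo():
    """Acquire a constructed evidence file, verify it, tamper with it, verify again.
    Returns (evidence_ok_before, evidence_ok_after_edit, log_ok_after_log_edit)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample evidence; the file name and contents are invented for the demo.
        evidence = os.path.join(workdir, "mailbox_export.pst")
        with open(evidence, "wb") as f:
            f.write(b"constructed sample evidence bytes\n" * 1000)

        # Hypothetical examiners A and B handle the file; each step is logged and chained.
        log = [custody_entry("acquired", evidence, "examiner A (hypothetical)", None)]
        log.append(custody_entry("transferred to lab", evidence,
                                 "examiner B (hypothetical)", log[-1]["entry_hash"]))
        ok_before = verify_evidence(log, evidence) and verify_log(log)

        # Someone changes one byte of the evidence: the acquisition hash no longer matches.
        with open(evidence, "r+b") as f:
            f.seek(0)
            f.write(b"C")
        ok_after = verify_evidence(log, evidence)

        # Someone edits an earlier log entry: its stored hash no longer recomputes.
        tampered_log = [dict(e) for e in log]
        tampered_log[0]["examiner"] = "someone else"
        log_ok = verify_log(tampered_log)

        return ok_before, ok_after, log_ok


if __name__ == "__main__":
    print(demo())
```

The point is the one Dave makes above: you cannot prove later that the file was never touched unless you fixed its hash at the moment of acquisition and kept a record of who held it. Chaining the log entries means the record itself is tamper-evident, and in a real case that log would live on write-once media or a separate system, with the hashes also written into the signed acquisition paperwork.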
So the answer is to use the higher standard for all cases you're working on. I know what you're thinking…"Thanks for all the extra work Dave…REALLY appreciate it". All I can say is welcome to the world of digital investigations. Trust me though…the few times your cases do move into the criminal realm, you'll be glad you spent the extra time processing the case accordingly. You certainly don't want a data theft left unpunished because the rock-solid evidence you collected wasn't handled according to best practices and will never see the inside of a courtroom.
So "Hey…Let's be careful out there".