Collecting digital evidence of a cybercrime is not as easy as rounding it up for a real-world crime. Television episodes of CSI typically begin with a horrified bystander stumbling over a dead body in a dark alley.
Investigators quickly descend on the crime scene, armed with latex gloves, plastic baggies and DNA swabs to collect the physical evidence. Maintaining the chain of custody (preserving the integrity of the evidence) is a fairly straightforward process.
Not so with digital evidence. First, IT staff are often not even aware they’ve stumbled across a crime scene.
The first inkling frequently originates with a user complaint about a system’s performance, and evidence is discovered in the course of routine troubleshooting. But digital evidence is easily tainted, inadvertently, by IT staff in the course of carrying out their job duties.
Establishing the timelines of an incident is crucial, and therein lies a major problem. Browsing files or opening logs to figure out the situation automatically changes the time stamps. “Just by booting a Windows machine, 70 to 100 files and time stamps are changed,” said Inspector Robert Currie, officer in charge of the RCMP’s Technological Crime Program.
Also, temporary information is often stored in “slack” space: unallocated space on the hard drive that the CPU may overwrite later.
Perpetrators sometimes connect to peripherals like an external CD to copy information, said Hamel, and metadata about that is stored in slack space. When IT staff browse a system, the chance of overwriting and losing that information increases.
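As an added example (not part of the article or of any tool it mentions), a small Python script that records size, MAC timestamps and SHA-256 hashes of an evidence tree before anyone examines it, then reports exactly which files changed afterwards. The file names and contents are constructed; atime is excluded from the comparison because, as the article notes, merely reading a file can update it.

```python
import hashlib
import os
import tempfile

VOLATILE = {"atime_ns"}  # changes just by reading a file (unless the volume is mounted noatime)

def sha256_of(path, chunk=1 << 20):
    """Stream-hash so large evidence files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Relative path -> size, MAC timestamps (ns) and SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # stat before opening, so the recorded atime is the pre-examination value
            manifest[os.path.relpath(p, root)] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "atime_ns": st.st_atime_ns, "ctime_ns": st.st_ctime_ns,
                "sha256": sha256_of(p)}
    return manifest

def verify(root, manifest, ignore=VOLATILE):
    """Re-snapshot root; return path -> fields that differ, or ['missing'] / ['new']."""
    current, changes = snapshot(root), {}
    for path in sorted(set(manifest) | set(current)):
        if path not in current:
            changes[path] = ["missing"]
        elif path not in manifest:
            changes[path] = ["new"]
        else:
            diff = [k for k in manifest[path]
                    if k not in ignore and manifest[path][k] != current[path][k]]
            if diff:
                changes[path] = diff
    return changes

def demo():
    """Constructed evidence set: snapshot, simulate careless handling, then verify."""
    root = tempfile.mkdtemp(prefix="evidence_")
    for name, data in {"app.log": b"login ok\n", "notes.txt": b"untouched\n"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    before = snapshot(root)
    with open(os.path.join(root, "app.log"), "ab") as f:      # log "tidied" during troubleshooting
        f.write(b"troubleshooting\n")
    with open(os.path.join(root, "hotfix.tmp"), "wb") as f:   # new temporary file appears
        f.write(b"x")
    return verify(root, before)
```

In practice the manifest (and its own hash) is written to the custody log at collection time, and `verify` is run against it whenever the evidence changes hands.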
Routine troubleshooting conducted by IT staff can be discerned when doing a forensic analysis, explained Ren