4.5 Explain the key aspects of digital forensics

  • Documentation/Evidence
    • Legal Hold
    • Video
    • Admissibility
    • Chain of Custody
    • Timelines of Sequence of Events
      • Time Stamps
      • Time Offset
    • Tags
    • Reports
    • Event Logs
    • Interviews
  • Acquisition
    • Order of Volatility
    • Disk
    • Random-Access Memory (RAM)
    • Swap/Pagefile
    • OS
    • Device
    • Firmware
    • Snapshot
    • Cache
    • Network
    • Artifacts
  • On-Premises vs Cloud
    • Right-to-Audit Clauses
    • Regulatory/Jurisdiction
    • Data Breach Notification Laws
  • Integrity
    • Hashing
    • Checksums
    • Provenance
  • Preservation
  • E-Discovery
  • Data Recovery
  • Non-Repudiation
  • Strategic Intelligence / Counterintelligence


How do we investigate an incident giving rise to a criminal case or civil suit?  There are several steps that we must follow to ensure that our evidence is admissible.

Legal Hold

A Legal Hold (also called a litigation hold) is a process where an organization preserves evidence that may be relevant to pending or reasonably anticipated litigation, suspending its normal retention and deletion schedules for that data.  The trigger is usually an external request or notice, but the duty can arise before any request is actually received.

Under the Federal Rules of Civil Procedure (and the equivalent state rules), an organization or individual is legally obligated to preserve any data that is subject to a lawsuit.  This obligation begins when an organization is notified of or threatened with a lawsuit, even if it has not been served with a complaint or subpoena.  The obligation applies when the organization

  • Is a Plaintiff in a lawsuit

  • Is a Defendant in a lawsuit

  • Is presented with a third-party civil subpoena or criminal subpoena/warrant

Wilful or negligent destruction of evidence that should have been preserved is called spoliation, and courts can sanction it. 

The organization must have a method for searching for and preserving data.  Many commercial platforms such as Microsoft 365 (Office 365) have built-in tools for placing mailboxes and document libraries on hold.

Under the Corporate and Auditing Accountability, Responsibility, and Transparency Act (also known as Sarbox, Sarbanes-Oxley, or SOX), public corporations and their accounting firms have a legal obligation to preserve certain types of data for at least seven years. 

If you delete the data, then the court might assume that the data was harmful to your case (an adverse inference).  If you are being sued, then the court might let your opponent win by default.  If you are suing somebody, the court might throw out your case.


Video

When an incident takes place, it is a good idea to record any on-screen activity with a cell phone camera.  Sometimes it is difficult to recover evidence from the machine after the fact, but the video provides some proof of what took place.  Filming the screen also avoids running screen-capture software on the machine itself, which would modify the very system you are about to image.

When there is a major incident these days, bystanders will capture video on their cell phones.  It is important to identify these people and collect the videos if possible.  If they do not want to hand over their videos, then we should notify them that the videos may be required for evidence.  This will put them on notice not to delete the videos.  We should then obtain subpoenas for the videos if possible.

People driving by might have dash cams that have captured some video. 

We may also have video from surveillance cameras in our facility or from adjacent businesses.  We should capture and preserve all the video.


Admissibility

Each court has rules about whether a type of evidence is admissible. 

In the US Federal Courts, whether something is admissible is governed by the Federal Rules of Evidence.  Each state has its own rules.  In Canada, the rules are governed by the Canada Evidence Act.

Some general rules about admissibility

  • The evidence must be relevant to the proceeding.  In Federal Court, Rule 401 says that evidence is relevant if

    • it has any tendency to make a fact more or less probable than it would be without the evidence; and

    • the fact is of consequence in determining the action.

  • The evidence must not be unfairly prejudicial.  Evidence that makes the Defendant look bad in front of the jury is not excluded for that reason alone; it is excluded only when the danger of unfair prejudice substantially outweighs its value in proving a fact.

  • Rule 403 says that the court can exclude relevant evidence if its probative value is substantially outweighed by a danger of unfair prejudice, confusing the issues, misleading the jury, undue delay, wasting time, or needlessly presenting evidence that repeats what was already introduced

  • A court can choose to admit prejudicial evidence for a limited purpose only (to prove a specific fact).  This is difficult to do.

  • Communication between an attorney and a client is protected.  The client can be an individual or a corporation.

  • Communication between spouses is protected in Canada (spousal privilege); US courts recognize a similar privilege.

  • The party introducing the evidence must show it is reliable.  That means that the party should bring a witness who can testify about the evidence.  There are two types of witnesses

    • A fact witness (sometimes called a material witness).  The fact witness testifies about what he saw and did.  If he collected the evidence, then he can testify about how and where he collected it.  A fact witness generally cannot offer opinions and cannot speculate.

    • An expert witness.  An expert witness testifies about what he knows (his opinion).  An expert witness can testify about how he analysed the evidence and what it means.  An expert witness can also testify about what he saw.

      An expert witness is one who is qualified as an expert by knowledge, skill, experience, training, or education.  The party calling the witness must prove that he is an expert. 

      The witness will usually prepare a report about what he will testify about.  This report will include his CV, which may include his education, publications, past testimony, books and articles written, etc.  The court will then hold a hearing to determine whether this person is an expert.

      The expert can testify if

      • the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue

      • the testimony is based on sufficient facts or data

      • the testimony is the product of reliable principles and methods; and
      • the expert has reliably applied the principles and methods to the facts of the case.

In order for the expert witness testimony to be admitted, we must prove that the methodology behind it is reliable.  In the US Federal system, this is known as the Daubert standard (from Daubert v. Merrell Dow Pharmaceuticals, 1993).  It lists five factors

  • whether the theory or technique in question can be and has been tested

  • whether it has been subjected to peer review and publication

  • its known or potential error rate

  • the existence and maintenance of standards controlling its operation

  • whether it has attracted widespread acceptance within a relevant scientific community.

For a forensic examiner this is why validated tools and written, repeatable procedures matter: a result produced by an untested script with no known error rate is far easier to challenge than one produced by a validated tool following a documented procedure.

  • Hearsay rule

    • A witness generally cannot repeat a statement that somebody else made outside of court in order to prove that the statement is true.  This is called hearsay.

    • Hearsay is inadmissible because the person who made the statement is not available to testify under oath or be cross-examined.  In a criminal case, the accused has a constitutional right to confront the witnesses against him.

    • Business Records Exception: records created in the ordinary course of business, at or near the time of the event, by someone with knowledge, are admissible because they are made as a regular practice.  The records are admissible even when the person who created them is unable to testify; instead, a records custodian from the business testifies about how the records are kept.  System and application logs are commonly admitted on this basis, which is why the logging process itself (what is logged, where it is stored, and how it is protected from alteration) must be documented.

    • There are other exceptions to the hearsay rule

  • It is preferred to admit the original document as evidence, but if we can’t, then a duplicate is admissible unless there is a genuine question about its authenticity.  A forensic image whose hash matches the original is treated as such a duplicate.

  • The rules of evidence do not apply to some proceedings such as bail hearings

  • The rules of evidence are lengthy and beyond the scope of this book.  Every jurisdiction has its own set of rules, and further standards established by case law.

On top of all these general rules, and the specific rules of evidence that are part of the law, we also have many tens of thousands of federal court cases, federal court of appeals cases, and supreme court cases, where each court made decisions about whether to admit a particular piece of evidence under a particular set of circumstances.

If push comes to shove, the court will look at the law.  It will then look at the case law to see how other courts have ruled in similar circumstances.  The court is obligated to rule in a way that is consistent with previous courts, especially the court of appeals and the Supreme Court.

Chain of Custody

The chain of custody is a documented record that shows where the evidence was held, and who handled it, from the time that it was collected until the time that it is presented in court.  Consider that evidence must be seized from a location and stored somewhere.  Later, this evidence is analyzed and then put back in storage.  In the end, the evidence is presented in court.  The party offering the evidence (the prosecution or the Plaintiff) must prove that the evidence has not been modified since it was seized.  That requires knowing exactly where the evidence was, and who had access to it, this entire time.

When the evidence is seized, there should be two witnesses to document the time, date, and location of the seizure.  Be as specific as possible.  Do not say “seized from house”, instead say “seized from living room coffee table”.  The people who seized it must document their observations.

The evidence must be stored in a secure vault or evidence locker.  Access to the evidence locker must be secured.  A second person should document who entered or left the evidence locker, and when.  The evidence locker must be climate controlled so that the evidence is not damaged.

When working with digital evidence, we never work directly on the original.  We make one master copy from the original, and then we make multiple copies of the master copy and work with them.  When additional copies are required, we make more copies from the master copy.  That way, the original evidence stays secure and the risk of modifying it is limited.

When we make the master copy, we hash the original (behind a write blocker) and hash the master; the two must match.  Each time we make a new copy, we hash the copy and compare it to the hash of the master.  If the hashes match, then we know that our copy has the same data as the original.  Use a collision-resistant hash such as SHA-256; many tools still report MD5 alongside it, but MD5 alone should not be relied on because colliding files can be constructed.

When we connect a drive to a Windows computer, the operating system may inadvertently modify it: it can update last-access timestamps, create a System Volume Information folder, or index the contents.  Such is the nature of the file systems and Windows operating system.  When working with digital evidence, a device known as a “write blocker” is used.  The write blocker sits between the evidence drive (USB, SATA, NVMe and so on) and the examiner’s computer, passes reads through, and drops writes.  Software write blocking exists (for example the Windows StorageDevicePolicies\WriteProtect registry value for USB storage), but a hardware blocker is easier to defend in court because its behaviour does not depend on the examiner’s configuration.
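The master-copy and hash-verification workflow described above, as an added example (this is not code from the original text or from any forensic tool).  The "disk image" is a constructed in-memory byte string standing in for the file an imaging tool writes; in practice you would hash the image file in chunks exactly as hash_stream does.  The handler names and the custody log format are assumptions for the example.

```python
"""Verify forensic copies against the original and keep a custody log.

Added example, not from the original text.  ORIGINAL_IMAGE is a
constructed stand-in for a disk image such as evidence001.dd.
"""
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample "disk image" (a fake boot-sector tag plus filler).
ORIGINAL_IMAGE = b"NTFS    " + bytes(range(256)) * 64 + b"end-of-evidence"


def hash_stream(stream, algorithms=("sha256", "md5"), chunk_size=1 << 20):
    """Hash a file-like object in chunks so multi-TB images do not need RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("sha256", "md5")):
    return hash_stream(io.BytesIO(data), algorithms)


class CustodyLog:
    """Append-only custody events; each carries the hashes observed at that
    step so a later reader can see exactly where a mismatch first appeared."""

    def __init__(self):
        self.entries = []

    def record(self, action, handler, hashes, note=""):
        self.entries.append({
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": hashes["sha256"],
            "md5": hashes["md5"],
            "note": note,
        })


def verify_copy(reference_hashes, copy_data):
    """Return (ok, hashes_of_copy); ok only if every algorithm agrees."""
    copy_hashes = hash_bytes(copy_data, tuple(reference_hashes))
    ok = all(copy_hashes[a] == reference_hashes[a] for a in reference_hashes)
    return ok, copy_hashes


def acquisition_workflow():
    log = CustodyLog()
    # 1. Hash the original behind a write blocker before anything else.
    original_hashes = hash_bytes(ORIGINAL_IMAGE)
    log.record("hash original (write-blocked)", "examiner A", original_hashes)

    # 2. Make the master copy and prove it matches the original.
    master = bytes(ORIGINAL_IMAGE)            # stands in for the imager's output
    master_ok, master_hashes = verify_copy(original_hashes, master)
    log.record("create master copy", "examiner A", master_hashes,
               "verified" if master_ok else "MISMATCH")

    # 3. Working copies are made from the master and verified against it.
    working = bytes(master)
    working_ok, working_hashes = verify_copy(master_hashes, working)
    log.record("create working copy", "examiner B", working_hashes,
               "verified" if working_ok else "MISMATCH")

    # 4. A copy that was mounted read-write and touched (one bit flipped)
    #    fails verification and must never be used for analysis.
    tampered = bytearray(master)
    tampered[16] ^= 0x01
    tampered_ok, _ = verify_copy(master_hashes, bytes(tampered))

    return {
        "master_ok": master_ok,
        "working_ok": working_ok,
        "tampered_ok": tampered_ok,
        "sha256": original_hashes["sha256"],
        "log": log.entries,
    }


if __name__ == "__main__":
    result = acquisition_workflow()
    for entry in result["log"]:
        print(entry["time_utc"], entry["action"], entry["sha256"][:16], entry["note"])
    print("tampered copy accepted?", result["tampered_ok"])
```

The custody log records the hashes at every step rather than only once, so if a working copy is later found to differ, the log shows which handler held a verified copy last.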

Timelines of Sequence of Events

For our evidence to hold up in court, we must have a time stamp for each item.  When was it created, and when was it recovered?  Each time we collect or analyse the evidence, we must record a time stamp.

When we collect data from a surveillance camera, we should compare the time on the system to the actual time.  If they are not the same, then we have a time offset.  If the camera says that it is 4PM, but it is 2PM, then the camera is two hours ahead. 

That means that the events in the video happened two hours before the time stamp says they happened.  If we don’t measure the time offset, then our evidence won’t make sense.  And if it doesn’t make sense or match up with other evidence, we won’t be able to properly investigate the incident.

The time offset can also be measured on other devices such as computers and network appliances.  When we collect the evidence, we should record the device’s clock next to a trusted reference (for example a phone or laptop synchronised to NTP), photograph both if possible, and note the device’s configured time zone and daylight-saving setting; otherwise the offset may be challenged in court as something the examiner assumed rather than measured.
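Applying measured offsets to build one timeline, as an added example (not code from the original text).  The clock readings, time zone and log lines are constructed; the camera runs two hours fast as in the text, the workstation runs 90 seconds slow, and the SIEM already stores UTC with an explicit zone.  The example generalises the text's single-camera case to several sources with different offsets.

```python
"""Build a single UTC timeline from sources whose clocks disagree.

Added example, not from the original text.  All readings and log lines
are constructed.  Offsets are derived from a side-by-side reading of
each device clock and a trusted reference clock taken at collection.
"""
from datetime import datetime, timedelta, timezone

# (what the device clock showed, what the reference clock showed), both
# read at the same instant, both in the device's local time.
CLOCK_CHECKS = {
    "camera":      ("2024-03-11 16:00:00", "2024-03-11 14:00:00"),  # 2 h fast
    "workstation": ("2024-03-11 13:58:30", "2024-03-11 14:00:00"),  # 90 s slow
}

# Time zone the naive device clocks were set to (constructed: UTC-5).
DEVICE_TZ = timezone(timedelta(hours=-5))

# Constructed evidence: (device, timestamp exactly as the device wrote it, event)
RAW_EVENTS = [
    ("camera",      "2024-03-11 15:42:10", "person enters server room"),
    ("workstation", "2024-03-11 13:41:05", "USB mass storage device inserted"),
    ("workstation", "2024-03-11 13:44:50", "file copy to E:\\ finished"),
    ("camera",      "2024-03-11 15:47:55", "person leaves server room"),
    ("siem",        "2024-03-11T18:40:30+00:00", "badge reader: door opened"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def clock_offset(device_reading, reference_reading):
    """Positive result means the device clock runs ahead of true time."""
    return datetime.strptime(device_reading, FMT) - datetime.strptime(reference_reading, FMT)


def normalise(device, stamp, offsets, tz=DEVICE_TZ):
    """Convert a device timestamp to a UTC-aware datetime.

    device time - offset = true local time; attach the device's zone and
    convert to UTC.  Sources that already carry a zone are parsed as-is."""
    if device in offsets:
        true_local = datetime.strptime(stamp, FMT) - offsets[device]
        return true_local.replace(tzinfo=tz).astimezone(timezone.utc)
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def build_timeline(raw_events=RAW_EVENTS, clock_checks=CLOCK_CHECKS):
    offsets = {d: clock_offset(*readings) for d, readings in clock_checks.items()}
    rows = []
    for device, stamp, event in raw_events:
        rows.append({
            "utc": normalise(device, stamp, offsets),
            "device": device,
            "device_time": stamp,   # keep the raw value: the report must show both
            "offset_seconds": offsets.get(device, timedelta(0)).total_seconds(),
            "event": event,
        })
    rows.sort(key=lambda r: r["utc"])
    return rows


if __name__ == "__main__":
    for row in build_timeline():
        print(row["utc"].isoformat(), row["device"].ljust(12),
              f"(device showed {row['device_time']}, offset {row['offset_seconds']:+.0f}s)",
              row["event"])
```

Without the corrections the camera's 15:42 entry would sort after every workstation event and the story would read backwards; with them the order is door opened, person enters, USB inserted, copy finishes, person leaves.  The report keeps the raw device time next to the corrected one so the correction can be re-checked by the other side's expert.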

Event Logs

We might gather event logs during the investigation.  Event logs may be gathered from a SIEM or from each device that generated them.  We must have a way to authenticate each event log. 

An event log is, on its face, just text (or, for Windows event logs, a binary .evtx file).  How can we prove that it was really generated by a device versus somebody just typing it out in Notepad?  We hash the log at the moment of collection, keep the original device (or an image of it) where possible, and note which copy is primary when the copy on the device and the copy forwarded to the SIEM disagree.  A records custodian or the administrator who runs the logging system can testify about how the logs are generated, stored and protected (the business records foundation), and corroborating sources (the SIEM copy, the device copy, a firewall log showing the same connection) strengthen authenticity.


Interviews

After the incident, we should interview any witnesses about what they saw.  The interview should be recorded.  A witness has the right to refuse to participate in an interview.

Order of Volatility

In computer forensics, data must be collected in order of volatility, most volatile first.  The order of volatility ranks data by how quickly it is lost: RFC 3227 puts CPU registers and cache first, then memory, running processes and network state, then temporary file systems, then disk, then remote logs, and archival media last.  The list below follows the same idea

  • Data in the RAM of a computer that has just been shut down.  DRAM loses its contents within seconds to a few minutes after power is removed, so this data is practically impossible to collect except with the so-called cold boot technique, in which the memory modules are chilled to slow the decay and then read out on another system.  The purpose of collecting this data is to attempt to obtain the BitLocker (or other FDE) encryption key, which is present in the RAM of a running computer.  We can also collect whatever other data was in RAM when the computer was on.

  • Data in the RAM a computer that is powered on.  The forensics investigator must collect the data from the RAM without modifying the data on the computer and without allowing the computer to lock itself. 

    As soon as we run a program on the computer, we are modifying the computer in some way.  We might not have a choice, but the investigator must be prepared to explain his effect on the computer when asked about it in court.

    Once a computer with full-disk encryption is powered off or locked, it may be impossible to collect the data.  How to avoid this

    • A running computer can be transported to a lab with the mouse jiggler and the special tool known as a HotPlug Field Kit.  The mouse jiggler is a tool that lets the computer stay unlocked by pretending to be a mouse that keeps moving.  The HotPlug Field Kit is a tool that lets us remove a computer from a wall outlet without powering it off.

    • A really smart suspect will take care to lock his computer when he is away.  Sometimes catching the suspect in the act when he has the phone and/or computer unlocked is necessary; this requires coordination with multiple law enforcement officials

    • Introducing spyware into the computer or phone to capture data; this may be illegal and can be challenged in court later.  Some ways that it can be challenged

      • Whether it is legal

      • Whether it was appropriate or if other measures were considered/attempted/exhausted

      • Whether the spyware modified the computer and/or produced accurate results

      • The defense may demand a copy of the spyware’s source code so that their expert can review it and determine whether it is capable of producing valid evidence.

        If the source code is sensitive (for example, it exploits a zero-day vulnerability that only the government knows about), then the government may be forced to choose between dismissing the charges and disclosing the source code.

    • Bugging the office where the suspect is located to capture the data on the screen or phone

      • This is the most extraordinary measure

      • The government must prove that the measures are necessary to obtain the evidence and that other measures have been tried and failed

      • This won’t always be reliable to capture data on a computer screen or a phone screen; the surveillance device must be positioned correctly

      • The government must be able to enter the office without detection

    • Force the Defendant to provide the login credentials/encryption keys after the evidence is seized

      • Violates the Fifth Amendment in the United States and Canadian Charter of Rights and Freedoms against self-incrimination in Canada.  That is, you can’t be forced to testify against yourself.

      • Courts have debated whether a password/encryption key is considered “evidence”

        • Some courts say that the password is evidence and you are testifying about it by handing it over.

        • Other courts say that by handing your password over, you are admitting that you own the device, which is a form of testimony.

        • Some courts say that the password is either minimal or it already exists in your brain.  You aren’t testifying.  It is more like unlocking a safe.  If incriminating documents were stored in a safe, the documents are evidence, and the safe combination is the password.

        • Even if the government cannot compel production of the safe’s combination, they can break the safe and obtain the documents.

        • Some courts have held that an encrypted computer is like a safe (a container)

      • The US government can compel production if the government can prove that the specific data exists on the device and is simply encrypted; that is, it cannot be a fishing expedition but must be clear that the evidence will be found

        • The government must describe the contents of the device with “reasonable particularity”

        • In re Boucher, the court ruled that the government can compel production of a password to decrypt a hard disk drive after the Defendant had already provided the government with access to some of the files on the hard drive

        • United States v. Fricosu held that the government can compel production under the All Writs Act.

        • The Fourth Amendment’s warrant requirement is relaxed at the border (the border search exception).  Border agents can demand your password; a citizen cannot be denied entry for refusing, but the device can be seized, and a non-citizen can be refused entry.

        • If the court orders the Defendant to provide the password, he can be held in contempt and jailed until he complies

        • The Eleventh Circuit ruled that the Defendant can be compelled to decrypt devices only where it is a foregone conclusion, shown with reasonable particularity, that the Defendant can decrypt them and that the files exist; in the case before it, the government had not made that showing.

        • There aren’t many rulings covering the subject yet, but in general, courts are saying that if it is obvious (through other evidence) that the evidence is on the phone or computer, then you can be forced to hand over your password.  The password is not adding much to the government’s case.

        • Several courts have held that the government can force you to unlock a device with a fingerprint or face, reasoning that a biometric is physical rather than testimonial; other courts have disagreed, so this is not settled.

      • United Kingdom and Australia passed laws that require Defendants to decrypt encrypted devices

      • R v. Shergill in Canada held that the government could not compel disclosure of a password, because the password was testimony.  The password existed in the suspect’s brain and compelling production would create a physical version of the password.

      • In some cases, the courts have held that the Defendant can be forced to unlock the phone/device but cannot be forced to provide the password.

      • In a civil case, the Defendant can be compelled by a court to disclose data during the discovery process.  The Fifth Amendment privilege can still be asserted in a civil case, but unlike in a criminal case the court or jury may draw an adverse inference from the refusal.

      • Under an Anton Piller Order in Canada, the Defendant can be compelled to disclose login credentials/encryption keys.

      • A civil suit by a government agency (such as FTC or SEC) can occur concurrently with a criminal investigation.  The government agency can share the data obtained during civil discovery with criminal investigators.

    • Obtain the encryption key from a third party.  BitLocker keys and other passcodes can be stored online through password-backup applications and in Active Directory.

  • The swap file or page file.  When a computer runs short of RAM, the operating system moves some memory pages to a file on the disk.  On Windows that file is C:\pagefile.sys (Windows 8 and later also use C:\swapfile.sys for modern apps).  The data in the file is stored in 4 KB pages, and pages that are adjacent in the file were not necessarily adjacent in memory, so we rarely recover more than a page of contiguous content.  But we can still search this file for artifacts (URLs, file paths, registry keys, fragments of documents) and reconstruct what the Defendant was doing.

    We might find this file on the disk of a computer that was not shut down gracefully.  If the computer crashed, it will usually dump the contents of the memory to another file (C:\Windows\MEMORY.DMP, or smaller minidumps under C:\Windows\Minidump) for later analysis.  This file will have better content than the page file.

    If you hibernate a Windows computer, it saves the contents of the RAM to disk in compressed form.  That file is located at C:\hiberfil.sys.  Memory forensics tools can decompress and analyse it, and it is a rich source of data.  On Windows 8 and later, “Fast Startup” also writes hiberfil.sys at shutdown, so the file may be present and fresh even on a machine that was shut down rather than hibernated.

    We might find the hibernation file on the disk of a computer that has been hibernated.

  • Data on a cell phone.  Remember that a cell phone can be wiped remotely.  A cell phone that is locked can be encrypted.  Most newer model phones are encrypted by default.  It is difficult or impossible to get data off of an encrypted phone.

    • If the phone cannot be unlocked and data downloaded, then it must be made offline, so that the data cannot be wiped remotely.  A Faraday cage can be used.

    • iPhone and Android phones are encrypted by default.  Encryption can be broken on old phones but not new phones, although security vulnerabilities are always being found

    • It is important to have a toolkit such as Cellebrite, MobilEdit, or Oxygen, which can unlock many phone models

    • Most phones back up their data to the cloud.  iPhones back up to iCloud and Android phones back up to Google.  Individual applications such as Facebook and Twitter back up data to their own sources.  Even if the phone cannot be unlocked, a substantial portion of the data can be obtained from third parties.

    • Compel production of the passcode if necessary, as previously discussed.

    • Only a limited logical image can be obtained from more recent editions of the Apple iPhone, even when unlocked.  A full logical image can be obtained from most rooted Android phones.

    • The phone manufacturer may cooperate if they can.  Apple has publicly refused (for example in the 2016 San Bernardino case).

      • The Apple iPhone uses a hardware root of trust to authenticate the operating system prior to loading it.  The iPhone will not load an operating system unless it has been digitally signed by Apple.  If you try to install an operating system that is not digitally signed by Apple, the phone won’t boot up.  It will ask you to reinstall the operating system.

      • The iPhone uses a “secure enclave” processor that holds the keys protecting the storage and enforces the passcode attempt limits.  The raw flash can be read, but its contents are encrypted with keys that never leave the Secure Enclave, so bypassing the processor does not yield usable data.

      • It might be technically possible for Apple to create an update to the operating system that automatically unlocks the phone or that allows it to transfer data to a third-party server.

      • Apple has been ordered under the All Writs Act to create such an operating system.  Apple refused, and the order was withdrawn after the FBI obtained access by other means, so to date Apple has not complied with any such order.

        Even if it did, the encryption key is further encrypted with the user’s passcode.  That means that a new operating system could not unlock the phone without the passcode, as far as we know.

  • Data on a computer

    • Like a cell phone, a computer can be encrypted.

    • Check if the computer has a hidden/encrypted volume such as one created by TrueCrypt or its successor VeraCrypt.  In the case US v. Schulte, the Defendant maintained multiple hidden partitions to store data.

    • If the computer is owned by an organization, the organization’s IT professional may have admin rights to unlock the computer.  It is possible that a rogue employee installed a second layer of encryption, that is not accessible by the organization.

    • Physically disassemble the computer to determine whether multiple physical storage devices are present.

    • There are two ways to copy the data

      • Hardware-Based: physically remove the drives and connect them, through a write blocker, to a duplicator that copies the data to an identical drive or to an image file.  We must copy the data to a sanitized drive (one that has been erased of all data), so that residue from a previous case cannot be mistaken for evidence.  Hardware-based data collection is best.

        • If the drive is physically broken, it may need to be sent to a specialized laboratory where it can be repaired before we can copy it.

      • Software-Based: a software-based imaging application (such as Recon, FTK Imager, or dd/dc3dd from a Linux boot disk) can be used.  We boot the computer from a USB drive containing the imaging software, so the installed operating system never runs.  The software copies the data from the computer’s drives onto an external drive, and we hash the result immediately.

    • There is a ton of useful data on a hard disk drive

      • Deleted file fragments

      • Browser cache

      • User data

      • Windows Registry

      • Installed applications

      • Windows Temp folder

      • Logs

      • Windows event logs (the .evtx files shown in Event Viewer)

    • You should work through the data methodically.  The different forensics tools discussed earlier have modules that help you analyse and visualize this type of data quickly.

  • Data in the cloud.  Data in the cloud can be erased (although a service provider can be ordered to retain the data).  If we don’t compel the retention of the data early on, it can be erased for good.

    • This may be the first step in a criminal investigation

    • Compel production through a subpoena (for subscriber and billing records) or search warrant (for content such as e-mails) as previously discussed

    • Service provider can be required to preserve data

    • There can be tons of data in the cloud.  AWS by itself has hundreds of services, and there are hundreds of different cloud service providers.  The real challenge is identifying all the different services in use by the Defendant, gathering the data, and then developing a strategy to sort and analyse all of it.

      • Images of servers

      • Snapshots of servers

      • Database servers

      • Cloud service provider logs

      • E-mail systems

      • DNS records and logs

      • Billing information

    • A service provider may notify the Defendant and give them an opportunity to quash the subpoena, or if illegal activity is detected, may terminate the defendant’s access to the services.  This warning may allow the Defendant to destroy evidence or to escape. 

      Some service providers do not warn Defendants about possible investigations, but they generally have the right to do so unless the court issues a non-disclosure (gag) order along with the legal process.

  • Device Firmware.  We want to take a copy of the device firmware to see if it has been modified.  There are advanced tools for reading data directly from flash chips (chip-off, or in-circuit through JTAG/SWD debug ports), but they require board-level work.

    Sometimes it is not possible to dump the firmware from the device at all.  If the device exposes logs through its own interface, then we might at least be able to take screenshots of them. 

  • Data stored on a USB drive, CD-ROM, DVD, or Flash memory may last for years or decades.  It can be taken off site and imaged later.

    • USB drives can be encrypted via software or hardware

    • Some USB drives have a self-destruct feature (example is the IronKey), which destroys all data after multiple incorrect password entries
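Searching a page file for artifacts, as described under the swap/page file item above: an added example (not code from the original text or from any named tool).  The blob is constructed: two 4 KB pages of non-printable filler with a URL, a Windows path, a registry key and a command fragment embedded.  The point it shows that the text does not: Windows stores many of its strings as UTF-16LE, which a plain ASCII `strings` pass misses entirely.

```python
"""Carve printable strings (ASCII and UTF-16LE) out of a pagefile-style blob
and triage them into URLs and Windows paths.  Added example; the blob is
constructed and the min length / page size are assumptions for the demo."""
import re

PAGE = 4096
MIN_LEN = 6   # ignore short accidental runs of printable bytes

# ASCII: 6+ printable bytes in a row.  UTF-16LE: 6+ (printable, 0x00) pairs.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"https?://\S+")
WINPATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*")


def make_sample_pagefile():
    """Two pages of filler that contains no printable bytes, with artifacts
    written in at known offsets (constructed sample data)."""
    filler = bytes([0xff, 0x00, 0x01, 0xfe]) * (2 * PAGE // 4)
    blob = bytearray(filler)

    def put(offset, data):
        blob[offset:offset + len(data)] = data

    put(100, b"https://example.invalid/exfil?id=42")                       # ASCII
    put(2000, "C:\\Users\\jdoe\\Documents\\payroll.xlsx".encode("utf-16-le"))
    put(PAGE + 40, "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows"
                   "\\CurrentVersion\\Run".encode("utf-16-le"))
    put(PAGE + 3000, b"powershell -enc SQBFAFgA")                          # ASCII
    return bytes(blob)


def carve_strings(blob):
    """Return [(offset, page_index, encoding, text)] sorted by offset.
    page_index is reported because adjacent pages in the file need not
    have been adjacent in memory."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), m.start() // PAGE, "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append((m.start(), m.start() // PAGE, "utf16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def triage(strings):
    """Pull out the artifact types an examiner looks for first."""
    urls, paths = [], []
    for offset, _page, _enc, text in strings:
        urls += [(offset, u) for u in URL_RE.findall(text)]
        paths += [(offset, p) for p in WINPATH_RE.findall(text)]
    return {"urls": urls, "paths": paths}


if __name__ == "__main__":
    blob = make_sample_pagefile()
    strings = carve_strings(blob)
    for offset, page, enc, text in strings:
        print(f"0x{offset:06x} page {page} {enc:8s} {text}")
    print(triage(strings))
```

Run against a real C:\pagefile.sys (copied from a forensic image, not the live system), the same two regexes find the bulk of path, URL and registry artifacts; the ASCII-only pass would have missed both the document path and the Run key in this sample.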

Data Acquisition Considerations

  • Hash all the data to prove that none of it has been modified from when it was collected

  • Keep a printed log of each piece of data collected

  • Gather information to ensure non-repudiation.  Non-repudiation means that we can prove that the person who claims to have sent the data actually sent it, and that they cannot later deny it.  Some ways we can do this

    • Gathering digital signatures.  A signature made with a private key that only the sender holds is the standard way to achieve non-repudiation.

    • Gathering MACs (Message Authentication Codes).  A MAC proves integrity and that the message came from someone holding the shared key, but because the receiver holds the same key, a MAC alone cannot prove which party created the message and so does not by itself provide non-repudiation.


E-Discovery

Remember that when faced with a lawsuit or the potential for a lawsuit, an organization is required to preserve all relevant data.  But what if there are millions or billions of documents and e-mails?  There are tools to manage E-Discovery or electronic discovery.

An E-Discovery tool can automatically search through all of the organization’s electronic documents for specific keywords and preserve the ones that are relevant. 

In an E-Discovery process what usually happens is

  • Both parties agree on the type and category of documents that need to be produced

  • When there are lots of documents, the parties agree on a keyword search.  They might choose 10 keywords, or 100 keywords, or 1000 keywords or whatever.  The words are relevant to the case.

  • The party with the data searches all their data for the keywords and produces a list of documents.

  • The party’s lawyers review each document to make sure that it does not contain any proprietary information or legally privileged information

    • A legally privileged document is one that contains correspondence between a client and a lawyer, or the work product of a lawyer.  If the document is legally privileged, then it is set aside.  The party must still disclose that it found the document, but that it is legally privileged.

      If the other party does not agree that the document is legally privileged, they might go to court to decide whether it can be disclosed.  In such cases, the judge may review the document privately, without the other party seeing it (an in camera review), and decide whether it must be disclosed.

    • If the document contains proprietary information such as the business’s plans, source code, market research, etc., then the party with the document might want to keep it a secret.  Prior to discovery, if the party anticipates that some of its documents will be proprietary, it might apply to the court for an order to keep them a secret.  The court may grant this request if the harm from disclosure of the documents outweighs their value.

      For example, Google was sued by a media company for copyright infringement (VIACOM INTERNATIONAL INC., et al., v. YOUTUBE INC., YOUTUBE LLC, and GOOGLE INC.).  The data that they wanted

      • They alleged that Google’s search algorithm was designed to promote videos that infringed copyrights over videos that did not.  They wanted a copy of the Google’s search algorithm so that they could analyse it and prove their case. 

        Obviously, Google’s search algorithm is worth billions of dollars, and if leaked, would allow another company to build a search engine equivalent to Google.  It is their most valuable secret. 

        The judge denied the request because the plaintiff’s request was “speculative”.  There was no basic proof that the algorithm promoted infringing videos.

      • They wanted a copy of the algorithm that Google uses to identify and fingerprint infringing videos.  They said that if they analysed the source code, they could find ways to make it better, and that Google was not doing enough to make their algorithm effective at removing infringing videos.  This was also denied because it was “speculative”.

      • They wanted a copy of all the videos removed from YouTube for any reason whatsoever.  They needed this to show the quantity of infringing videos.  This was granted.

      • They wanted a copy of the database that contained a list of every video view and who it was viewed by.  They needed this to show the quantity of infringing videos.  This was granted.

      • They wanted a copy of the database that showed Google’s advertising revenues.  They needed this to show that Google was profiting from the infringing videos.  This was denied because the database was proprietary and advertising is Google’s core business.

      • They wanted a copy of every private video uploaded to YouTube.  This was denied because it violates the Electronic Communications Privacy Act (as discussed earlier).

  • The party with the documents provides them to the other party in electronic format.  Ideally, the documents are provided in the same format that they were found.  This will allow the other party to search through them.

    For example, a database should be provided as a database, a PDF should be provided as a PDF, etc..

    If the party wanted to be difficult, it could print the documents and provide them in a printed format, or they could print the documents, scan them back into PDF, and then provide non-searchable scanned PDFs.  These kinds of things happened in the past but are now likely to irritate the judge and cause sanctions.
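The keyword-search, privilege-screening and audit-trail steps above, as an added example (not code from the original text or from any E-Discovery product).  The documents, custodians, the law-firm domain outsidecounsel.example and the classification tags are constructed; the privilege test (a lawyer's domain on the message, or a privilege marker in the body) is a simplification of what a real review would apply.

```python
"""Keyword-cull a document set, withhold privileged items on a privilege
log, flag confidential items for a protective order, and keep an audit
trail of every review decision.  Added example with constructed data."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

PRIVILEGED_DOMAINS = {"outsidecounsel.example"}       # constructed law firm
PRIVILEGE_MARKERS = re.compile(r"attorney.client privileged|work product", re.I)
PROTECTED_CLASSES = {"confidential", "proprietary"}  # tags applied at creation


@dataclass
class Document:
    doc_id: str
    custodian: str
    sender: str
    recipients: list
    body: str
    classification: str = "internal"


# Constructed corpus
CORPUS = [
    Document("DOC-001", "j.doe", "j.doe@corp.example", ["b.lee@corp.example"],
             "Attached is the Q3 pricing model for the Acme bid."),
    Document("DOC-002", "j.doe", "j.doe@corp.example", ["m.ng@outsidecounsel.example"],
             "Counsel: can we discuss the Acme contract dispute? ATTORNEY-CLIENT PRIVILEGED"),
    Document("DOC-003", "b.lee", "b.lee@corp.example", ["j.doe@corp.example"],
             "Lunch Thursday?"),
    Document("DOC-004", "b.lee", "b.lee@corp.example", ["all@corp.example"],
             "Reminder: Acme kickoff moved to Monday.", classification="confidential"),
]


def matches_keywords(doc, keywords):
    """Whole-word, case-insensitive hits; returns the keywords that matched."""
    return [k for k in keywords
            if re.search(r"\b%s\b" % re.escape(k), doc.body, re.I)]


def is_privileged(doc):
    parties = [doc.sender] + list(doc.recipients)
    lawyer_involved = any(p.split("@")[-1].lower() in PRIVILEGED_DOMAINS for p in parties)
    return lawyer_involved or bool(PRIVILEGE_MARKERS.search(doc.body))


def run_review(corpus, keywords, reviewer):
    """Returns produce: [(doc_id, designation)], privilege_log, audit."""
    produce, privilege_log, audit = [], [], []
    for doc in corpus:
        hits = matches_keywords(doc, keywords)
        entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
                 "reviewer": reviewer, "doc_id": doc.doc_id,
                 "keywords_hit": hits, "action": None}
        audit.append(entry)
        if not hits:
            entry["action"] = "not responsive"
            continue
        if is_privileged(doc):
            # Withheld, but its existence is disclosed on the privilege log.
            privilege_log.append({"doc_id": doc.doc_id, "custodian": doc.custodian,
                                  "basis": "attorney-client privilege"})
            entry["action"] = "withheld: privileged"
            continue
        designation = doc.classification if doc.classification in PROTECTED_CLASSES else "none"
        produce.append((doc.doc_id, designation))
        entry["action"] = f"produce (designation: {designation})"
    return {"produce": produce, "privilege_log": privilege_log, "audit": audit}


if __name__ == "__main__":
    result = run_review(CORPUS, ["Acme", "pricing"], "reviewer-1")
    for entry in result["audit"]:
        print(entry["doc_id"], entry["keywords_hit"], entry["action"])
    print("privilege log:", result["privilege_log"])
```

The audit list is what the text calls the audit trail: who reviewed which document, what the search hit, and what was decided, so the other side can check that nothing responsive was quietly dropped.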

There is lots of data.  In E-Discovery, you will be paying a lawyer to review every produced document.  An in-house lawyer might only cost you about $75 per hour but an external lawyer might cost you $200 to $800 per hour.  Then the document review in a large case might cost millions of dollars. 

That is why you need to use software that can automatically collect, search, and filter the organization’s data.  Each time your organization creates a document, it should give it a classification – such as confidential, proprietary, sensitive, legally privileged, etc.  When you go to search, the E-Discovery software automatically categorizes the documents so that your lawyers spend less time on this.

Some tips for choosing good E-Discovery software

  • It is secure.  It has to be because it will have access to all of your data.

  • It can search across all types of on-premises and cloud sources (e-mail, virtual machines, network shares, intranet, HR systems, financial systems, CRM, etc.)

  • It can search through metadata

  • It uses machine learning to understand what to look for (not just keywords)

  • It has an audit trail.  The audit trail tells us who searched for what, and when, and what documents they found and viewed.

  • There is a tool to prove that the data hasn’t been changed since it was produced.

  • It can scale to search for many different keywords and through a large volume of documents

To obtain any data, there must be a legal process.  In the USA, there are four scenarios: National Security, Criminal Investigation, Civil Suit, or Internal Investigation.

National Security

  • Warrant from a FISA (Foreign Intelligence Surveillance Act) court.  This type of warrant is considered classified, and the documents used to obtain the warrant are classified.  In general, the service provider has no recourse because the warrant is classified, and disclosure is not permitted.  The service provider will not be able to challenge the warrant in court because the service provider will not have access to the classified information used to obtain the warrant.

    • The court has permitted the collection of a large amount of telephone call metadata.

  • National Security Letter.  This is issued by the FBI and no warrant is required.  The NSL requires a business to provide the FBI with records relevant to a national security investigation.

    • The recipient is not allowed to disclose the presence of the NSL or the records being sought.  The FBI must prove that the gag order is necessary.

Criminal Investigation

  • A letter or e-mail.  Many companies will provide basic data to law enforcement without any court order or notice of a criminal investigation.  This could include subscriber contact and payment information.  A company can refuse to comply with such a request.

  • A prosecutor can issue a criminal subpoena.  The service provider may disclose the subpoena or provide the subscriber with an opportunity to challenge the subpoena in court.  The law enforcement agency may demand that the subpoena be kept secret, but there is no legal requirement to do so.

  • Search warrant to recover email under the Stored Communications Act (18 USC § 2701 to 2713).  In an earlier chapter, we discussed why a search warrant is required and we discussed changes brought about by the CLOUD Act.

    • There are two types of service providers

      • A Remote Computing Service is defined as: “the provision to the public of computer storage or processing services by means of an electronic communications system.”

      • An Electronic Communications Service is defined as: “any service which provides to users thereof the ability to send or receive wire or electronic communications”

    • Any e-mail in storage for 180 days or less is considered an electronic communication and may only be disclosed

      • In response to a search warrant.

      • To the government when urgent disclosure is necessary to prevent the death or serious injury of a human

    • Disclosing e-mail metadata (e-mail addresses, time/date sent/received, etc.) does not require a warrant

    • Disclosure of e-mail content is not permitted through a civil subpoena

    • Many companies (such as Facebook, Twitter, etc.) have classified themselves as “electronic communications services” instead of “remote computing services” and are refusing to provide most “content” data through civil subpoenas.  This includes posts and messages.

      If you need the Defendant’s social media data in a civil case, you must demand it through the discovery process.  The Defendant will then be required to obtain it directly from the social media provider and hand it over.

  • Search warrant.  A search warrant allows a law enforcement agency to physically enter a private property and seize objects.  The warrant may be issued by a federal or state court.

    • The warrant must describe in particular the items to be seized

    • Exceptions to a warrant exist

      • The law enforcement official has observed illegal evidence “in plain view”

      • There is a legitimate emergency to protect human life

      • The law enforcement official is in hot pursuit of a criminal suspect who has entered a building

      • There is a risk of imminent destruction of evidence

    • Law enforcement must announce their presence before they can enter the premises (an exception, known as a “no knock” warrant, exists)

  • Delayed Notice Warrant.

    • This warrant is obtained when law enforcement wishes to enter premises and inspect the property and/or collect evidence without informing the suspect

    • This is also known as a “sneak and peek” warrant

  • Pen Register

    • A pen register warrant allows law enforcement to record metadata related to telephone calls, which could include the date/time the call was placed, its duration, and the numbers dialed

    • A pen register does not allow collection of telephone call content

  • Telephone Wire Tap

    • Covered by the Communications Assistance for Law Enforcement Act (18 USC § 2510)

    • Requires telephone companies to implement systems that allow them to readily assist law enforcement

    • Requires a phone company to provide contents of wire communication in response to a warrant

    • Prior to obtaining a wire tap, the government must prove that all other options for obtaining evidence have been exhausted

    • The warrant typically expires after thirty days unless renewed

    • The government must take steps to minimize the collection of privileged or irrelevant communications.  The government will appoint one agent to monitor the phone calls.  The monitoring agent should only disclose communications that are criminal in nature to the investigative team.

  • Warrants in general

    • In order to obtain a warrant, the government must show “probable cause” that a crime has been committed and that evidence is likely to be found

    • Special considerations must be made for searching the office of a lawyer because of the presence of legally privileged information

Civil Suit

  • The evidence standard for a civil lawsuit is lower than that of a criminal case.

  • The lawsuit must be filed in a court with jurisdiction over the subject matter and parties

  • The lawsuit must allege specific facts that show how the Defendant harmed the Plaintiff.  Specific evidence may be in possession of the Defendant or may be a matter of public record.

  • Parties are expected to exchange evidence in good faith prior to trial.  The ways that we gather evidence

    • Deposition (relevant witnesses are interviewed)

    • Discovery (each party is obligated to disclose evidence that it has)

    • Interrogatories (each party may pose a set of questions to the other party)

    • Subpoena (each party may subpoena relevant data held by third parties)

  • Rules of civil procedure may limit the amount of discovery that can take place.  Parties may ask the court for increases to the limits in unusual cases.

  • A party in a civil suit does not have the right to

    • Obtain or execute a search warrant

    • Obtain stored communications (e-mails) from a service provider

  • In special circumstances, a party may apply for an Anton Piller Order (in Canada or the UK).  This order allows a Plaintiff to search the premises of a Defendant.  An APO is like a criminal search warrant, except that the party executing the APO may not use force.  Prior to obtaining an Anton Piller Order, the party must prove that

    • Evidence will be destroyed

    • The plaintiff will be irreparably harmed without the evidence

    • The defendant has evidence in his possession

  • In the United States, a Plaintiff may obtain an impoundment order to seize items that infringe his copyright under the Copyright Act. 

Internal Investigation

  • In an internal investigation, an organization can obtain data held on its own systems/property.  This could include computers and cell phones issued to employees, as well as data held by third parties.

  • An employee may have an expectation of privacy, even on an employer-owned device.  The employer must ensure that the employee has agreed to the monitoring and seizure.


Preservation is the process of maintaining the data.  When the case gets to trial, how can we prove that the data we are presenting is the same as the data we collected?

  • We took care to document the crime scene

  • We took a hash of the data that was collected

  • We stored the evidence in a secure location and documented each person who had access to the evidence.  We maintained the chain of custody

  • We only worked on copies of the data

  • We performed our work on computers that were air-gapped and through a write blocker

  • We used forensically sound software and techniques to analyse the data

  • We hashed the final data and verified that the hashes matched the hash of the original data
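The hashing and chain-of-custody steps above (and the E-Discovery requirement earlier that a tool can prove the produced data has not changed) come down to the same routine: hash at acquisition, work only on a copy, re-hash at the end, and keep a custody log that cannot be quietly edited. The following is an added example written for these notes, not code from the original; the evidence bytes, examiner names and timestamps are constructed, and the log-chaining scheme is one reasonable design, not a standard.

```python
"""Evidence integrity: hash at acquisition, work on a copy, re-hash, keep a
tamper-evident custody log.  Added example; evidence and names are constructed."""
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash used both for the acquisition record and the final verification."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    """Acquisition hash plus a chain-of-custody log.

    Each log entry carries the hash of the previous entry, so editing or
    removing an entry breaks the chain and shows up in custody_intact()."""
    item_id: str
    acquisition_hash: str
    custody: list = field(default_factory=list)

    def log(self, who: str, action: str, when: str) -> None:
        prev = self.custody[-1]["entry_hash"] if self.custody else "GENESIS"
        entry = {"who": who, "action": action, "when": when, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.custody.append(entry)

    def custody_intact(self) -> bool:
        """Walk the log and confirm every entry still links to its predecessor."""
        prev = "GENESIS"
        for entry in self.custody:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev"] != prev or recomputed != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify(self, data: bytes) -> bool:
        """True if `data` still matches the hash taken at acquisition."""
        return sha256_hex(data) == self.acquisition_hash


def acquire(item_id: str, evidence: bytes, examiner: str, when: str) -> EvidenceRecord:
    """First custody entry: the image was taken and its hash recorded."""
    rec = EvidenceRecord(item_id, sha256_hex(evidence))
    rec.log(examiner, "acquired image through write blocker; SHA-256 recorded", when)
    return rec


def run_demo() -> dict:
    # Constructed stand-in for a disk image (hypothetical item id HDD-001).
    original = b"CONSTRUCTED-IMAGE:" + bytes(range(256)) * 4
    rec = acquire("HDD-001", original, "examiner A", "2024-01-01T09:00:00Z")
    rec.log("examiner B", "checked out for analysis", "2024-01-01T10:00:00Z")

    working_copy = bytes(original)   # analysis happens on the copy, never the original
    rec.log("examiner B", "returned to evidence locker", "2024-01-02T17:00:00Z")

    # A single flipped byte in a mishandled copy fails the final verification.
    tampered = bytearray(original)
    tampered[100] ^= 0x01

    # Someone edits a custody entry after the fact: the hash chain no longer links.
    forged = json.loads(json.dumps(rec.custody))
    forged[1]["who"] = "examiner C"
    forged_rec = EvidenceRecord(rec.item_id, rec.acquisition_hash, forged)

    return {
        "copy_matches": rec.verify(working_copy),
        "tampered_matches": rec.verify(bytes(tampered)),
        "custody_intact": rec.custody_intact(),
        "custody_after_edit": forged_rec.custody_intact(),
        "entries": len(rec.custody),
    }


if __name__ == "__main__":
    print(run_demo())
```

The final check in the list above is verify() on the data you intend to present; the custody log is what lets you say who had the item between acquisition and trial.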

On-Premises vs Cloud

When your data is in the cloud, and you are large enough, you might have a Right to Audit Clause in your contract.  That gives you the legal right to visit the cloud service provider’s facilities and make sure that they are operating according to the correct standards.

Some of the things you need to audit

  • Is your data being stored where they say it is?

  • Is the provider enforcing proper security measures, specifically, who has access to the devices holding your data?

  • Is the provider following applicable regulatory frameworks such as HIPAA, PCI, etc.?

As discussed earlier, where your data is stored affects what laws apply to it.  The laws of the jurisdiction where the data was collected and the laws of the jurisdiction where the data is stored might come into conflict.  When there is a data breach, the specific actions you have to take might depend on both sets of laws.

The cloud provider may hire a third party to complete a regular internal audit and publish a report.  These reports are commonly known as System and Organization Controls (SOC) Type I and Type II reports.  They cover the following areas

  • Security
    • Firewalls
    • Intrusion detection
    • Multi-factor authentication
  • Availability
    • Performance monitoring
    • Disaster recovery
    • Incident handling
  • Confidentiality
    • Encryption
    • Access controls
    • Firewalls
  • Processing Integrity
    • Quality assurance
    • Process monitoring
  • Privacy
    • Access control
    • Multi-factor authentication
    • Encryption

The Cloud Security Alliance publishes a questionnaire (almost 200 questions) that you can use to evaluate whether a cloud provider is up to standard.


Recovery is the attempt to obtain missing or deleted data.  There are several ways to recover data.

A recovery attempt should not be made on the live evidence unless it is a last resort and no other method is possible.  A recovery attempt on a live system will modify the system, damage the evidence, and may overwrite parts of the deleted data.

A recovery attempt should be made on a physical copy of the evidence collected.  Recall that deleted data can be deleted at the logical level but preserved at the physical level – data is stored as 0’s and 1’s on a physical hard disk drive.  A group of 0’s and 1’s makes a file.  Details about the file are stored logically in the file system.  When the file is deleted, details are removed from the file system, but the original physical data may be maintained until it is overwritten.

If a physical copy is not available, then recovery attempts should be made on the logical copy.  The logical copy will not contain deleted data but may contain artifacts of deleted files such as thumbnails, log files, and history.

Databases are a special type of file.  A database – when viewed in a standard database viewer – will not display any deleted data.  When a user deletes an entry (a record) from a database, the database software will mark it for deletion, but it may not be removed from the file.  A special database analysis tool can be used to locate deleted data.
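To see the difference between the logical view and the physical file for a database, here is an added example (not from these notes) using SQLite, which ships with Python. It creates a table, deletes one record, then shows that a normal query no longer returns it while a scan of the raw file bytes still finds the text. The sample record is constructed; the `PRAGMA secure_delete = OFF` line is an assumption made so the demo is deterministic on every SQLite build, and it is also the setting a defender would turn ON to make the deleted content unrecoverable.

```python
"""Deleted database records linger in the file.  Added example, not from the
notes; the record text is constructed."""
import os
import sqlite3
import tempfile

SECRET = b"CONSTRUCTED-wire-transfer-approved-ref-4711"  # constructed sample record


def build_and_delete(path: str) -> None:
    """Create a small table, commit three rows, then delete the middle one."""
    conn = sqlite3.connect(path)
    # Assumption for a deterministic demo: leave freed cell bytes in place.
    # With secure_delete ON, SQLite zeroes freed space, which is the mitigation.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (body) VALUES (?)",
        [("quarterly budget notes",), (SECRET.decode(),), ("lunch order",)],
    )
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = 2")  # cell is only marked free
    conn.commit()
    conn.close()


def logical_view(path: str) -> list:
    """What a standard database viewer shows: live rows only."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return rows


def raw_scan(path: str, needle: bytes) -> int:
    """Physical view: offset of `needle` in the raw file bytes, or -1."""
    with open(path, "rb") as fh:
        return fh.read().find(needle)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        build_and_delete(path)
        return {
            "logical": logical_view(path),      # deleted row is gone here
            "raw_offset": raw_scan(path, SECRET),  # but its bytes are still on disk
        }


if __name__ == "__main__":
    print(run_demo())
```

A forensic database tool does the same thing more carefully, walking the free blocks and freelist pages of the file format rather than searching for a known string.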

Data can be recovered as complete files or as file fragments.  Once a file fragment is recovered, a tool can be used to determine the type of file that it was.  This tool looks for patterns in the file.  A file may contain clues about its type in the beginning or end.  Once the file type is known, then more specialized tools can be used to analyse the fragment.
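The "tool that looks for patterns in the file" described above is a file carver: it scans a raw image for known header (and footer) byte sequences, and a recovered fragment can be typed by whichever end survived. Below is an added example, not from these notes, that carves a constructed image; the magic-byte signatures for PNG, JPEG and PDF are real, while the image contents, offsets and the `MAX_CARVE` limit are constructed for the demo.

```python
"""Signature-based file carving over a raw image.  Added example; the image is
constructed, the header/footer signatures are the real ones."""
from typing import Optional

# (header, footer) byte signatures.  A file may be identified by either end.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9"),
    "pdf":  (b"%PDF-",             b"%%EOF"),
}
MAX_CARVE = 1 << 20  # constructed cap: a missing footer must not swallow the whole image

FILLER = b"\x00" * 64
# Constructed raw image: three intact "deleted" files and one truncated JPEG fragment.
IMAGE = (
    FILLER
    + b"\x89PNG\r\n\x1a\n" + b"A" * 32 + b"IEND\xaeB`\x82"   # offset 64, 48 bytes
    + FILLER
    + b"\xff\xd8\xff\xe0" + b"B" * 40 + b"\xff\xd9"          # offset 176, 46 bytes
    + FILLER
    + b"%PDF-1.4\n" + b"C" * 20 + b"\n%%EOF"                 # offset 286, 35 bytes
    + FILLER
    + b"\xff\xd8\xff\xe1" + b"D" * 16                        # offset 385, no footer
)


def identify(fragment: bytes) -> Optional[str]:
    """Guess a recovered fragment's type from its beginning or its end."""
    for name, (header, footer) in SIGNATURES.items():
        if fragment.startswith(header) or fragment.endswith(footer):
            return name
    return None


def carve(image: bytes) -> list:
    """Return every carved object as {type, offset, size, complete}, sorted by offset.

    A header with no footer within MAX_CARVE is reported as an incomplete
    fragment, still typed by its header."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:
                size = min(len(image) - pos, MAX_CARVE)
                found.append({"type": name, "offset": pos, "size": size, "complete": False})
            else:
                size = end + len(footer) - pos
                found.append({"type": name, "offset": pos, "size": size, "complete": True})
            pos = image.find(header, pos + len(header))
    return sorted(found, key=lambda f: f["offset"])


if __name__ == "__main__":
    for obj in carve(IMAGE):
        print(obj)
```

Real carvers add per-format parsing (for example, walking PNG chunk lengths) so that an embedded thumbnail or a footer string inside unrelated data does not produce a false hit; the header/footer pass shown here is the first step they all share.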

If a file was encrypted and then deleted, it may be impossible to recover the original data.

Strategic Intelligence/Counterintelligence Gathering

A large organization may engage in counterintelligence gathering.  Organizations face several threats:

  • Malicious Competitors.  A competitor may attempt to steal trade secrets or sabotage the organization’s systems.  The competitor may install rogue employees to spy on processes or intentionally damage systems.  Finding out who they are is important.

    Sometimes, these malicious competitors are located in countries where the government encourages this type of behavior.

  • Legitimate Competitors.  A competitor may be engaging in competitive behavior that is not illegal.  The organization should (legally) gather information so that they can remain competitive.

  • Fraud.  Rogue employees or contractors may engage in fraud or steal data from the organization’s systems.

  • Activists.  Political or environmental activists may engage in fraud or damage to hurt the organization if they do not agree with its activities.

  • Foreign Governments.  A foreign government may attempt to harm an organization to hurt the host country politically or to gain a competitive advantage in its own industry.

  • Hackers/malicious users.  External hackers may attack the organization, either for “street credit” or simply to cause harm.

The organization may need to seek the help of external law enforcement agents to help with a threat. 

  • A private individual/organization does not have the same power as law enforcement.  They cannot seek a subpoena, search warrant, wire tap or pen register to gather data.

  • The organization may not have the resources or experience to monitor or detect a large threat.