I believe the preparation phase of a digital search is the most important because it determines whether evidence will meet the standards necessary to be admissible in the court of law.
We learned in Module 3 that evidence must be admissible, authentic, reliable, and complete in order to be considered legally valid under the Federal Rules of Evidence. The preparation phase ensures that these standards are met.
The U.S. Supreme Court ruled in 1993 in Daubert v. Merrell Pharmaceutical that evidence submitted must be testable, scrutinized and found favorable by the scientific community, have a known or potential error rate, and be generally accepted (Garfinkel, 2013).
The preparation phase should also include obtaining the necessary warrants for search and seizure. Additionally, forensics investigators need to ensure that the correct tools are available to extract and preserve data. This includes appropriate labels, documents to retain the chain of custody, and any other requirements of state and local governments for the evidence to be admissible in a court of law.
Further, employees that are performing internal investigations should ensure that the preparation phase includes considerations for any company specific requirements around retaining, extracting, or maintaining evidence.
More importantly, without proper preparation, it is difficult to have a repeatable process, which is the cornerstone of digital forensics. Another forensics expert should be able to recreate the process and reach the same conclusion. If they cannot, the integrity of the evidence is brought into question. This could lead to it being considered circumstantial and thrown out in court, since opposing counsel could argue that the forensic process is flawed.
Proper evidence handling is critical to maintaining the integrity of the forensics, and preparation plays an integral role in ensuring it meets the Federal Rules of Evidence (U.S. Department of Justice, 2009).
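The repeatability and evidence-handling points above can be made concrete with a small script. The following is an added example, not code from the post or from any of the cited sources: it hashes an acquired evidence file with SHA-256, records who acquired it and when as the first chain-of-custody entry, and lets a second examiner re-verify the same file so that a later mismatch is detected and logged. The file name, case id, examiner names and log layout are constructed assumptions, not a standard format.

```python
"""Added example (not from the post or any cited source): an acquisition
record that ties an evidence file to a SHA-256 hash and a chain-of-custody
log, so a second examiner can re-verify the same file and reach the same
result. File names, examiner names, case id and log layout are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, Tuple


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _custody_entry(action: str, examiner: str, digest: str) -> Dict:
    """One chain-of-custody line: what was done, by whom, when, and the hash seen."""
    return {
        "action": action,
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": digest,
    }


def acquire(path: str, examiner: str, case_id: str) -> Dict:
    """Record the acquisition hash and the first custody entry for the evidence."""
    digest = hash_file(path)
    return {
        "case_id": case_id,
        "evidence": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": digest,
        "custody": [_custody_entry("acquired", examiner, digest)],
    }


def verify(record: Dict, path: str, examiner: str) -> bool:
    """Re-hash the evidence, append a custody entry, and report whether it still matches.

    A mismatch is logged rather than hidden, so the record itself shows that the
    evidence changed hands in an altered state.
    """
    digest = hash_file(path)
    ok = digest == record["sha256"]
    record["custody"].append(
        _custody_entry("verified" if ok else "MISMATCH", examiner, digest)
    )
    return ok


def demo() -> Tuple[bool, bool, Dict]:
    """Constructed walk-through: acquire, re-verify unchanged, then detect a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "suspect_disk.dd")  # constructed evidence file
        with open(img, "wb") as f:
            f.write(b"constructed disk image contents\n" * 1024)
        record = acquire(img, "Examiner A", "CASE-0001")
        first = verify(record, img, "Examiner B")  # independent re-check: matches
        with open(img, "ab") as f:  # simulate a modified copy
            f.write(b"x")
        second = verify(record, img, "Examiner B")  # re-check: mismatch is logged
        return first, second, record


if __name__ == "__main__":
    unchanged, tampered, rec = demo()
    print("re-verify unchanged:", unchanged, "| re-verify after change:", tampered)
    for entry in rec["custody"]:
        print(entry["action"], entry["examiner"], entry["sha256"][:16])
```

In practice the acquisition hash would be computed by the imaging tool at the scene and the record kept alongside the image; the point of the example is that an independent examiner can rerun `verify` and either reproduce the original hash or see exactly where the chain broke.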
As security professionals, we also have to keep in mind that digital forensics investigations will include more than collecting hard drives. In many cases, investigators cannot even access the hardware where the evidence is stored. For example, forensics teams have expanded their searches to include social networks, file sharing solutions, cloud service providers, mobile devices, third party applications, and more (Wright, 2012).
In fact, Boston Detective Pat Nally uses Facebook for clues about the sources of drugs during investigations. In an interview with the Boston Globe, he stated, “People arrange to buy and sell drugs on Facebook; there’s talk of what they may do and where they may go”. In the same article, Captain Randell Humphrey said his department uses social media in other digital crime investigations, including fraud, threats, and sex crimes (Masis, 2009).
Also consider this: most people access the internet from many different devices throughout the day. Some also use multiple browsers due to application interoperability, such as Internet Explorer, Chrome, and Firefox. Digital investigations must include information about the URLs users visited, the times data was accessed, the terms that were searched, the cache, cookies, and downloaded files (Akbal, et al., 2016). I personally access the web from at least 3 devices and 3 browsers daily, so I assume criminals are using even more to hide their tracks.
These sources could include evidence that is pertinent to the crime, but the data could be deemed inadmissible if not collected properly. Conversely, it could be deemed admissible with proper preparation.
For these reasons and those described above, preparation is the most important phase of a digital search.
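The browser artifacts listed above (URLs, access times, search terms) are the kind of data an examiner pulls from a browser's history database. The following is an added example, not code from the post or from Akbal et al.: it builds an in-memory SQLite table shaped like Chrome's `urls` table with constructed rows, converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC times, and pulls search terms out of query strings. The row contents and the list of query keys treated as search terms are assumptions.

```python
"""Added example (not from the post or the Akbal et al. paper): a small
browser-history triage over a constructed SQLite table shaped like Chrome's
`urls` table. Chrome stores last_visit_time as microseconds since
1601-01-01 UTC (WebKit time). All rows below are constructed, not real."""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Query-string keys commonly used for search terms (assumption, not exhaustive).
SEARCH_PARAMS = ("q", "query", "p")


def webkit_to_utc(microseconds: int) -> datetime:
    """Convert a WebKit/Chrome timestamp to a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def search_terms(url: str) -> List[str]:
    """Return the search terms encoded in the URL's query string, if any."""
    qs = parse_qs(urlparse(url).query)
    for key in SEARCH_PARAMS:
        if key in qs:
            return qs[key]
    return []


def build_constructed_history() -> sqlite3.Connection:
    """Create an in-memory table with the Chrome `urls` columns and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER)"
    )
    rows = [  # constructed sample rows (url, title, visit_count, last_visit_time)
        ("https://www.example.com/search?q=rental+car+boston",
         "rental car boston - Search", 2, 13200000000000000),
        ("https://files.example.net/share/report.pdf",
         "report.pdf", 1, 13200000060000000),
        ("https://mail.example.org/inbox",
         "Inbox", 5, 13200000120000000),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        rows,
    )
    return conn


def triage(conn: sqlite3.Connection) -> List[Dict]:
    """List every recorded URL in visit order with a readable UTC time and search terms."""
    out = []
    query = "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time"
    for url, title, count, ts in conn.execute(query):
        out.append({
            "url": url,
            "title": title,
            "visits": count,
            "last_visit_utc": webkit_to_utc(ts).isoformat(),
            "search_terms": search_terms(url),
        })
    return out


if __name__ == "__main__":
    for entry in triage(build_constructed_history()):
        print(entry["last_visit_utc"], entry["url"], entry["search_terms"])
```

Against a real History file the examiner would open a forensic copy read-only rather than the live database, and the same timestamp conversion applies to other Chrome tables; Firefox uses a different epoch (microseconds since 1970), which is one reason the preparation phase has to account for each browser a subject uses.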
References
Akbal, E., Güneş, F., & Akbal, A. (2016). Digital forensic analyses of web browser records. Journal of Software, 11(7), 631-637. doi:10.17706/jsw.11.7.631-637
U.S. Department of Justice, Office of Justice Programs, National Institute of Justice. (2009). Electronic crime scene investigation: An on-the-scene reference for first responders [electronic resource]. Washington, DC: Author.
Garfinkel, S. L. (2013). Digital Forensics. American Scientist, 101(5), 370-377
Masis, J. (2009, January 11) Is this lawman your Facebook friend? Boston Globe. Retrieved from: http://archive.boston.com/news/local/articles/2009/01/11/is_this_lawman_your_facebook_friend/
Module 3, CSEC650 Cybercrime Investigation and Digital Forensics, Digital Evidence Controls and Crime Processing. (2017). University of Maryland University College.
Wright, B. (2012, December 20) Social Media and the Changing Role of Investigators. Forensic Magazine. Retrieved from: http://www.forensicmag.com/article/2012/12/social-media-and-changing-role-investigators