In this chapter, you learn how to process a computer investigation scene. Because this
chapter focuses on investigation needs for computing systems, you should supplement your
training by studying police science or U.S. Department of Justice (DOJ) procedures to understand
field-of-evidence recovery tasks. If you’re in another country, be aware of laws relating
to privacy, searches, and the rules of evidence for your region and consult your local
authorities.

Evidence rules are critical, whether you’re on a corporate or a criminal case. As you’ll see, a
civil case can quickly become a criminal case, and a criminal case can have civil implications
larger than the criminal case. This chapter examines rules of evidence in the United States,
but similar procedures apply in most courts worldwide. This chapter also describes differences
between a business (private entity) and a law enforcement organization (public entity) in needs
and concerns and discusses incident-scene processing for both types of investigations. Private-sector
security officers often begin investigating corporate computer crimes and then coordinate
with law enforcement as they complete the investigation. Law enforcement investigators
should, therefore, know how to process and manage incident scenes. Because public agencies
usually don’t have the funding to train officers continuously in technology advances, they
must learn to work with private-sector investigators, whose employers can often afford to
maintain their investigators’ computing skills.

This chapter also discusses how the Fourth Amendment relates to corporate and law enforcement
computing investigations in the United States. Many countries have similar statutes or
charters. As the world becomes more global or “flat” in nature, you need to be aware of
how laws are interpreted in other countries. As more countries establish e-laws and more
cases go to court, the laws must be applied consistently. Cases of fraud and money laundering
are becoming more of a global or an international issue, and crimes against consumers can
originate from anywhere in the world. Computers and digital evidence seized in one U.S. jurisdiction
might affect a case that’s worldwide in scope.

To address these issues, this chapter explains how to apply standard crime scene practices and
rules for handling evidence to corporate and law enforcement computing investigations. You
must handle digital evidence systematically so that you don’t inadvertently alter or lose data.
In addition, you should apply the same security controls to evidence for a civil lawsuit as to evidence
for a major crime. The same rules of evidence govern civil and criminal cases. These
rules are similar in English-speaking countries because they have a common ancestor in
English common law (judge-made law), dating back to the late Middle Ages.