The purpose of this project is to assist DHS in identifying best practices for cyber forensics. The best practices will be used to identify gaps in current DHS training programs and to develop certification standards for DHS investigative organizations.
Investigations of crimes increasingly involve capturing, storing, analyzing, and sharing digital evidence. Digital evidence may be extracted from a great variety of smart devices, including smartphones, computers (that store cookies, emails, browsing histories), portable storage devices, components of the Internet (e.g., cloud-based storage, P2P networks, social media), in-vehicle navigation systems, dashboard- and body-cameras, and a growing number of devices comprising the Internet of Things. The chain of evidence from initial collection through its analysis and presentation in court involves different people, organizations, storage mechanisms, and networks. Not only must a chain of custody be maintained, but also care must be taken to ensure that data is protected so the digital evidence is “as originally discovered,” and the privacy rights of victims, suspects, and others are protected.
The situation is dynamic, since computer-based and computer-enabled crime is constantly changing. For example, the methods of identity theft today are totally different than they were ten years ago. Smartphones today are ubiquitous and a potentially rich source of evidence for many crimes if seized and handled appropriately. Cloud-based storage means that evidence may physically reside in a different state or a different nation than where a crime was committed. Laws governing privacy and search and seizure can differ across these boundaries. Legal rulings and equipment manufacturers’ practices regarding encrypted information are evolving. Investigators and law enforcement need to understand how and whether they can legally obtain digital evidence. Effectively and legally managing all aspects of digital evidence requires a set of best practices for investigators.
A recent RAND study (Goodison et al., 2015) identified what is needed to improve performance in criminal justice agencies. Among its recommendations are two that speak to the significance of the proposed work: (a) “Enable first-responding patrol officers and detectives to be better prepared for incident scenes where digital evidence might be present.” This recommendation requires best practices and training “to secure and use digital evidence to preserve chain of custody and later admissibility in court.” (b) “Provide better prioritization and triage analysis of digital evidence given scarce resources.” This recommendation speaks to improving the efficiency of managing digital evidence. Best Practices for Sharing Digital Evidence
- Project Fact Sheet
The purpose of this project is to assist DHS in identifying best practices for cyber forensics. The best practices will be used to identify gaps in current DHS training programs and to develop certification standards for DHS investigative organizations.
Investigations of crimes increasingly involve capturing, storing, analyzing, and sharing digital evidence. Digital evidence may be extracted from a great variety of smart devices, including smartphones, computers (that store cookies, emails, browsing histories), portable storage devices, components of the Internet (e.g., cloud-based storage, P2P networks, social media), in-vehicle navigation systems, dashboard- and body-cameras, and a growing number of devices comprising the Internet of Things. The chain of evidence from initial collection through its analysis and presentation in court involves different people, organizations, storage mechanisms, and networks. Not only must a chain of custody be maintained, but also care must be taken to ensure that data is protected so the digital evidence is “as originally discovered,” and the privacy rights of victims, suspects, and others are protected.
The situation is dynamic, since computer-based and computer-enabled crime is constantly changing. For example, the methods of identity theft today are totally different than they were ten years ago. Smartphones today are ubiquitous and a potentially rich source of evidence for many crimes if seized and handled appropriately. Cloud-based storage means that evidence may physically reside in a different state or a different nation than where a crime was committed. Laws governing privacy and search and seizure can differ across these boundaries. Legal rulings and equipment manufacturers’ practices regarding encrypted information are evolving. Investigators and law enforcement need to understand how and whether they can legally obtain digital evidence. Effectively and legally managing all aspects of digital evidence requires a set of best practices for investigators.
A recent RAND study (Goodison et al., 2015) identified what is needed to improve performance in criminal justice agencies. Among its recommendations are two that speak to the significance of the proposed work: (a) “Enable first-responding patrol officers and detectives to be better prepared for incident scenes where digital evidence might be present.” This recommendation requires best practices and training “to secure and use digital evidence to preserve chain of custody and later admissibility in court.” (b) “Provide better prioritization and triage analysis of digital evidence given scarce resources.” This recommendation speaks to improving the efficiency of managing digital evidence.