Global Forensics, Essay Example
The concept of evidence for pretrial requirements has undergone significant changes in the field of forensic science. These now extend beyond the US border into other countries like Europe and require international legal collaboration. This includes the ability to search for forensic documentation that is stored electronically (ESI) and obtain this regardless of the location where it might be stored. When being obtained from the Europe (EU) it is important that a number of directives are complied with and this includes that of The European Union Directive 95/46/EC, designed to outline the procedures for handling forensic data internal and external to the EU boundaries.
US Forensic investigators are required to accurately capture and reflect the computer forensics data / information captured and include this in their Forensics reports. It is an important requirement for the US investigators to have a firm grasp of the requirements of the EU directives before any capture, retrieval or transport of data to the US is made. Each case is considered to be unique and it is important that these procedures are clearly illustrated on the forensics plan.
It was the European Parliament and Council of the EU that issued directive 95/46/EC on 24th October 1995. (Data Protection Commissioner, 2011)This being aimed on the rights of individuals with regard to the processing of personal data and the legitimate free movement of such data. Section IX Notification Article 18 provides the obligation in order to notify supervisory authority. This means that any member states have a statutory duty to notify the supervisory authority, as referred to under article 28, before they are eligible to carry out operations. Article 10 provides legal constraints to the US investigator when conducting US forensic examinations. The controller must provide the identity of the representative used behind the processing of any forensic data in a specific case. This needs to be stated to the EU authorities who receive such data. (Office of the Data Protection Commissioner, 2011).
Legal Constraints On Stored Data (Esi)
It has been established that the majority of Companies in both Europe and the US have a document retention policy, thereby providing a starting point for any forensic examinations that may be required. The next step in a legal inquiry process will be to construct an ESI disclosure readiness strategy. A survey, as conducted by Kroll research, indicated that 38% of UK companies and 19% of US companies do not have firm policies in place to deal with a legal forensic inquiry as part of a litigation process. Research further indicates a level of complacency in both knowledge and awareness in this area. (Kroll ontrack, 2009)
Computer forensic services are primarily responsible for the collection and preservation of forensic evidence resulting from an incident of a criminal nature i.e. computer hacking, system intrusion, theft of data, etc. The process involved is obtaining evidence from data stored in computers or other digital storage devices. The process involves the identification and location of this information with a view towards determination whether it has been sabotaged, modified, deleted or manipulated for an unlawful purpose.
The Forensics Report
Any forensics investigation has to conclude with a report that is compliant with Federal Rules of Civil Procedure (FRCP) or the EU directives. This to ensure that an adequate degree of due care and protection has been made with the information. No such data would be transferred to a different jurisdiction without these compliances being made. It is important to show the forensic trail of data with appropriate exhibits from the investigation . In the US FRCP this requirement has been translated by stating that the findings of the investigation must be incorporated into the details section of the forensic report. The EU has some specific interests that are defined under Article 26 of the EU directive. This means the forensics report must show the precise details of the forensic investigation and clearly state how such evidence will be used in a subsequent court case against the individual accused of the crime. The report must state precisely what was discovered as a result of the investigation and how this data will be transported to the new jurisdiction. The EU will retain authority over the early part of the investigation until the points, as specified above, have been clearly specified. (Robinson, N. 2002)
Under Article 6 of the EU directive it is important that any personal data, extracted as a result of the investigation, is processed in accordance with EU legal directives. This means the safeguarding of such data during transportation and ensuring that it is both hashed for verification and encrypted during the transportation process. In addition the forensics report must clearly state that the procedures that were adopted in order to track IP data were not overly excessive and formed an integral part of the forensics investigation. The report must stick with actual factual evidence statements and clearly report and outline any considered areas of criminality or corruption detected.
Once the requirements of Article 6 have been dealt with, the investigating team must turn its’ attention to the provisions of Article 7. The main ingredients of Article 7 relate to how the forensic analyst arrived to the conclusions. That adequate documentary evidence exists to support the allegations and that there is sufficient forensic evidence extrapolated in order to pursue a prosecution. Further that the analyst confirms that any part of the information has not been revealed or disclosed to any third parties i.e. A Non-disclosure agreement. The rulings become particularly tight when prosecuting an investigation into the acts of an EU citizen. The forensic team will be required to justify the IP data trail and reveal how the data was stored, processed or transported in the course of the investigation. This can be particularly challenging when dealing with Child pornographers who move through different legal jurisdictions. US investigators will need to reveal sources of information to their EU counterparts, together with the internet history captured on the suspect’s movements. The EU law enforcement authorities have the power to insist upon this information being made available during the investigation before any data is released for transfer to another jurisdiction.
Figure 1 illustrates the main process steps of a digital crime investigation process. In the system preservation phase the forensic team is trying to preserve the original crime scene. The purpose of this phase is to try and avoid any overwritten evidence. The evidence searching phase is the steps taken to determine the root cause of the criminal act and obtaining the forensic evidence in support of that act. This is where cross border activity often takes place and there is the need for compliance with international law and the law of other jurisdiction like that of the EU. The final stage of the Event Reconstruction phase is putting all of the pieces together in what is termed the Forensics Report and becomes the main legal exhibit in the presentation of evidence to the courts. (Carrier,B. 2005).
Figure 1 Digital Crime Scene Investigation Process
In order to obtain a full forensics report, the forensics team has to develop a degree of dexterity in dealing with other law enforcement agencies and the international legal process before such cases can be successfully prosecuted in US law courts.
Carrier, B. (2005). File system forensic analysis. New Yprk: Addison Wesley.
Data Protection Commissioner. (2011, 11 25). EU Directive 95/46/EC – The Data Protection Directive . Retrieved from Daya Protection Commissioner: http://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/legal/6aii-2.htm#6
Kroll ontrack. (2009). Third Annual ESI trends Report. New York: Kroll Ontrack.
Robinson, N. (2002). Handbook of legislative procedures of network and computer misuse in EU countries. Cambridge UK : Rand Europe.
Time is precious
don’t waste it!