Part I: Overview/Case Summary
Question 1
The case in question is one in which, as the Data Security Analyst of Allied Technology Systems (ATS), Mr. Devin Roberts provided information regarding the possibility that Mr. Jackson, the former engineer of the New Products Division in the organization, might be taking ATS’s intellectual property to his new employer. In particular, Mr. Roberts presumes that Mr. Jackson is responsible for the loss of the source code for “Product X.” For this reason, Mr. Roberts is interested in ensuring that the company could refer the case to law enforcement for investigation, which means that the evidence collected to tie Mr. Jackson to the possible theft of the company’s intellectual property should be admissible in court.
Even though the rights outlined in the Fourth Amendment protect Mr. Jackson, the search and seizure provisions do not apply when considering going through his work area. Before searching Mr. Jackson’s former company working area, one of the considerations would be to take note of the idea that search warrants are not necessary for certain situations (Sonne & BCPI, 2016). For instance, an assessment of Mr. Jackson’s former company working space reveals that the evidence that could be used to refer investigations to law enforcement in future is in plain view. In such situations, a search warrant might not be needed to seize evidence in a place that an individual is legally authorized to be (Casey, 2011). For this reason, as the Data Security Analyst for the company, it would be legal to be within the environment that has the evidence that is to be collected. Since probable cause exists that the former employee might have engaged in a criminal act, and the evidence that would be used to prove the case is located within the reach of the legally recognized employee, no warrant would be needed.
Part II: Physical Evidence Acquisition
Question 2
The three potential items of digital evidence seen in the photo include an external hard drive, a USB thumb drive, and a laptop. The hard drive at the scene is not connected or installed on the computer. Since the hard drive is loose, it can contain valuable evidence that could be used by the organization to secure information to be given to law enforcement for future investigation. Mr. Jackson could have used the hard drive to secure sensitive information, since it increases data storage. Conversely, the removable USB thumb drive is easy to conceal and transport. Because the peripheral device can be connected to a computer to expand the access that an individual has to the different functions of the computer, it is essential to collect it and use it as evidence as well. The laptop is the other device that could be used to conceal information that Mr. Jackson is suspected to have taken. For this reason, securing the laptop and locking it up to be used as evidence in future is also essential.
When collecting the digital evidence identified in Mr. Jackson’s workspace, it is essential to take suitable precautions in the collection, packaging, and storing of the devices. In this case, it is vital to avoid storing the devices in a manner that could alter, damage, or destroy the evidence contained therein (Casey, 2011). For this reason, when collecting and storing the devices, it is vital to avoid using tools that emit static electricity, including materials that contain magnetic fields that might destroy the evidence (Slade, 2004). The first item that can be collected from the former employee’s workspace is the external hard drive. This digital evidence is likely to contain the different types of files that might be needed for presentation to law enforcement in future. The digital device might contain event logs that could be used as valuable evidence in case of an investigation or possible prosecution.
When collecting the external hard drive as evidence, the initial step would involve the identification and documentation of the hard drive. Given the different methods available for collecting digital evidence, it is essential to adopt the best possible collection method. The method applied should be based on the situation, the cost, time, and the documentation of the decisions necessary for using the selected method (Peel, 2016). Since the removal of digital storage media is not usually recommended during the collection of digital evidence, the collection of the USB thumb drive and the hard drive would be simple (Slade, 2004). The same is applicable for the USB thumb drive, which is detached from the computer and can easily be collected for presentation as evidence, including the laptop.
Before the collection of the digital evidence, it is essential to obtain a picture of the items, which involves the acquisition process. In this light, the acquisition method will involve the production of an image copy of the digital devices that may contain evidence. For this reason, it would be essential to verify the image using a proven verification function acceptable to the individual that will use the evidence (Casey, 2011). After the collection of the evidence, the next step to be considered would be the preservation of the collected and acquired evidence. In this light, it will be essential to initiate and maintain the preservation process that will involve the identification of the devices that might contain the digital evidence to be used in future (Casey, 2011). For this reason, the preservation process should ensure that the data contained in the devices is not destroyed, including any metadata associated with the evidence. The data could be used to prove that Mr. Roberts might have been correct when positing that Mr. Jackson might have been taking the organization’s intellectual property to the competitor.
Question 3
The potential items of non-digital evidence that could be identified in Mr. Jackson’s work area include sticky notes on different sections of the workspace. These sticky notes can contain information that could be used to confirm or refute Mr. Roberts’ concerns. The other non-digital evidence that can be collected includes the notebook or notepad on the desk under the monitor of the desktop. Some paper files also appear to be on the top shelf of the working space. The files can contain information that could be used to address the concerns brought forth by Mr. Roberts. In addition to securing the digital evidence that could be presented to law enforcement in future, it is also essential to collect the non-digital evidence for the same purpose.
When processing the scene, it is important to evaluate the identified documents since they might assist in determining the sequence of events that would prove Mr. Roberts’ fears. The documents collected will be presented for analysis, which is an indication that the team responsible for scanning the scene will be responsible for skimming through the suspect’s handwriting, text alterations, typewriting, as well as diaries, amongst other questioned documents (Calcerrada & García-Ruiz, 2015). When collecting the questioned documents as evidence, the initial step involves the careful preservation of the documents because they tend to absorb surrounding materials (Nissenbaum, 2016). For this reason, it is essential to collect the paper-based documents and keep them in the same condition as they were discovered. Under no circumstance should the documents be subjected to trimming, new cutting, the addition of notations, stapling, or folding.
For the most part, it would be advisable to use manila envelopes that are slightly larger than the documents to be collected as evidence (Calcerrada & García-Ruiz, 2015). The surface of the manila envelope can be marked before the evidence to be submitted to the concerned entities is carefully inserted and sealed (Peel, 2016). The process will obviate the need for marking the evidence. On the other hand, care should be taken when making the markings. In this light, it would be essential to document the initials of the designated investigator, the case number, and the dates. The extraneous indented writing, which can be recovered by the individual examining the evidence in case of an investigation, can be blended with other viable indented writing (Peel, 2016). However, such a move is likely to confuse the results. Even so, the nature of the documents in question can dictate the most appropriate way through which the evidence will be collected and preserved for submission to a forensic document library. For this reason, awareness and common sense should guide the collection and analysis of the documents to be used as evidence. It would be bad enough for an individual examining the paper-based evidence to wade through punches, overwriting, and different cancellation marks without additional encumbrances to an investigation that emanate from an overzealous investigator.
Question 4
The guidelines for collecting and seizing evidence include the need to consider the equipment to take out of the scene. In this light, the items to be collected from the scene should be reviewed, meaning that it is essential to consult legal authority. During the collection process, it is vital to take note of the restrictions. In this light, it is vital to obtain additional authority to be considered for evidence outside the scope of the search (Casey, 2011). When securing the evidence, it would be essential to remove potential witnesses and bystanders from the proximity. Imaging of the collected evidence is also essential. However, a number of considerations are necessary when collecting the digital evidence.
The image of Mr. Jackson’s work area reveals that the laptop to be collected for evidence is powered off. Given the provision that the collection of the digital evidence requires a forensic specialist, it is essential to consider whether Mr. Jackson had the potential to install encryption software in the operating system. If the encryption software were present, using appropriate forensic methods would be necessary for capturing the encrypted data (Conlan, Baggili, & Breitinger, 2016). However, during the collection of the USB hard drive, the laptop, recorder and the external hard disc, documenting the items before the implementation of the collection process would be vital. In this light, taking legible photographs and making a sketch of the computer connections, including the surrounding areas, will be required. This process involves the documentation of the digital connections of the external components that are to be collected for evidence.
The collection process should also involve the protection of the integrity of the digital evidence. When collecting the laptop, it would be advisable to unplug it from a power source and remove the battery (Antwi-Boasiako & Venter, 2017). Following the removal of the battery is the need to place evidence tape over the power plug connector, including the connectors of the other devices that include the USB drive, hard disc, and the recorder. The evidence collected from Mr. Jackson’s workspace should also be protected from change. On the other hand, a chain of custody should be maintained as determined by the policies of the organization and the agency. According to Fonneløp, Johannessen, Egeland, and Gill (2016), it will be vital to use suitable packaging of the evidence. In this case, using plastic bags and sleeves during the collection and storage is essential. Conversely, when packaging devices with volatile memory, it is essential to employ appropriate packaging to maintain power to the device.
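The image verification and chain-of-custody steps discussed in the answers to Questions 2 and 4 can be illustrated with a short added example, which is not part of the original paper. It hashes an acquired image with SHA-256, records the hash in a custody log whose entries are chained by hash, and shows that a one-byte change to the image or an edited log entry is detected; the file name, handler names, and log format are constructed assumptions.

```python
import hashlib, json, pathlib, tempfile
from datetime import datetime, timezone
GENESIS = "0" * 64  # "previous hash" value used by the first log entry

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def _digest(entry):  # hash of every field except the stored hash itself
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, item, action, handler, image_hash):
    """Append an entry whose hash also covers the previous entry's hash."""
    entry = {"item": item, "action": action, "handler": handler,
             "image_sha256": image_hash, "time": datetime.now(timezone.utc).isoformat(),
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify_log(log):
    """True if no recorded entry was edited or reordered after being written."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _digest(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def verify_image(path, log):  # log must be intact and image must match acquisition hash
    return bool(log) and verify_log(log) and sha256_file(path) == log[0]["image_sha256"]

def demo():
    """Returns (intact image verifies, altered image verifies, edited log verifies)."""
    with tempfile.TemporaryDirectory() as d:
        img = pathlib.Path(d) / "usb_thumb_drive.img"    # constructed stand-in image
        img.write_bytes(b"CONSTRUCTED SAMPLE DATA " * 4096)
        log = []
        add_custody_entry(log, "USB thumb drive", "imaged", "Analyst A", sha256_file(img))
        add_custody_entry(log, "USB thumb drive", "moved to locker", "Analyst B", sha256_file(img))
        intact = verify_image(img, log)
        with open(img, "r+b") as f:
            f.write(b"x")                    # simulate a one-byte change to the image
        altered = verify_image(img, log)
        log[1]["handler"] = "Analyst C"      # simulate an edited custody record
        return intact, altered, verify_log(log)
```

Calling `demo()` returns `(True, False, False)`. A hash-chained log does not by itself detect removal of the most recent entries, so the latest entry hash should also be recorded somewhere outside the log.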
To avoid physical damage to the devices collected in evidence, it is essential to use appropriate transportation mechanisms. The transportation of the devices to a secure facility should also involve the avoidance of vibrations, including the effects of magnetic fields, variations in humidity and temperature, as well as electrical static. Conversely, the collected evidence should be monitored as well as documented to ensure that its proper performance is maintained (Saleem, 2015). Only suitable and properly operated digital evidence shall be employed in case Mr. Roberts decides to take the case to court. In line with the need to present the collected digital evidence, it would be advisable to obtain operation manuals from manufacturers since the access can assist in validating the analysis or imaging software.
Question 5
An assessment of the evidence collected from the co-worker reveals that the evidence collected for the case followed required provisions related to the collection of digital and non-digital evidence. In this light, the co-worker presented the required images before securing the evidence to be used in the possible prosecution. The items pictured in the accompanying photos revealed that the co-worker was not only keen on recording the dynamics of the evidence collected, but also provided details of the condition of the items to be used for evidence (Saleem, 2015). For instance, the co-worker collected images containing different angles of the digital evidence collected. In this case, the co-worker provided images of Mr. Jackson’s workspace, which revealed the different items that were to be collected for evidence. In spite of the provisions presented for evidence, it might have been essential to include images that contain security seals to ensure the security of the different items. The sealed items would assist in the validation of the collected evidence before they are analyzed and presented to court, in case Mr. Roberts’ fears are confirmed. On the other hand, it would be advisable to use software write blockers to prevent the modification of the evidence, which is an indication that the process should be forensically verifiable.
References
Antwi-Boasiako, A., & Venter, H. (2017). A Model for Digital Evidence Admissibility Assessment. In IFIP International Conference on Digital Forensics (pp. 23-38). Springer, Cham.
Calcerrada, M., & García-Ruiz, C. (2015). Analysis of questioned documents: a review. Analytica chimica acta, 853, 143-166.
Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers and the internet. Burlington, MA: Academic Press.
Conlan, K., Baggili, I., & Breitinger, F. (2016). Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy. Digital investigation, 18, S66-S75.
Fonneløp, A. E., Johannessen, H., Egeland, T., & Gill, P. (2016). Contamination during criminal investigation: detecting police contamination and secondary DNA transfer from evidence bags. Forensic Science International: Genetics, 23, 121-129.
Nissenbaum, H. (2016). Must Privacy Give Way to Use Regulation? Lecture at the Watson Institute, Brown University, March 15, 2016.
Peel, M. (2016). Opportunities to preserve forensic evidence in emergency departments. Emergency nurse, 24(7), 20-26.
Saleem, S. (2015). Protecting the integrity of digital evidence and basic human rights during the process of digital forensics. Stockholm: Department of Computer and Systems Sciences, Stockholm University.
Slade, R. M. (2004). Software forensics: Collecting evidence from the scene of a digital crime. New York, NY: McGraw-Hill.
Sonne, W. J., & BCPI, C. (2016). Criminal investigation for the professional investigator. CRC Press.