Considering hiring an intern for day-to-day social media tasks

Collecting evidence from the Internet

Last time I blogged about iCyte, a bookmarking tool that archives websites rather than simply linking to them. This preserves pages for later reference, rather than a person having to deal with broken links.

The implications for online investigation are clear. If you can archive a website, preserving it with incriminating (or exculpatory) evidence the way you found it, you can make cases that way. Right?

Yes. Absolutely. But a third party storing evidence opens the door to reasonable doubt. How can you, the law enforcement officer, prove that no data went unchanged while the evidence was stored out of your direct control? (Chain of custody; evidence preservation.)

I debated with myself over whether to post this, because even if I disclose that I work for a maker of online evidence collection software, “conflict of interest” gives way to “selling something.” Not a comfortable position to be in.

And yet, I believe in what my client does. That’s why I signed with them. And I’d be remiss as a blogger if I didn’t draw attention to something that solves a problem for my community of readers.

Therefore:

Got WebCase?

Websites have a bad habit of changing content, especially when you least need or expect them to. They might undergo a redesign and lose the article you needed to find, or the server they’re hosted on goes down, or their owner might let the domain registration lapse.

Or they could be a social networking site, with status updates and tweets disappearing after a matter of days.

Forensic collection of evidence has always depended on the ability of the collector to preserve the evidence as it was at the time of collection. A bloodstained shirt goes into a properly sealed and marked paper bag, and is logged along the chain of custody until it gets to the analyst. A hard drive is imaged and likewise logged until a digital forensic examiner analyzes that image.

How do you do this with Internet evidence? A lot of investigators simply screenshot a website or capture its video. If that content is taken down or changed between the time it was collected and court, there’s no way to prove it ever existed as it did when you saw it. (Even the Internet Archive’s Wayback Machine is limited.) Again: reasonable doubt.

There’s a much longer story that goes into Vere Software’s making of WebCase, but in essence, it splices together legal expectation with commonly accepted digital forensic methodology by not just archiving, but also date/time stamping and hashing (“digitally fingerprinting”) the website content as evidence.

It then goes a step further by providing a way to show all this in court in a way that average jurors, attorneys, and judges can understand—visually, sometimes auditorially.

Can vs. should

Can you get away with screenshots and video captures? Sure. I can’t think of current or recent cases that made challenges to this kind of evidence… but that doesn’t mean they aren’t coming, as soon as defense attorneys and judges get savvy. I’m not sure that will take long. They’re already trying to figure out what to do about tweeting jurors and judges on Facebook.

Cops are so frequently accused of taking shortcuts, meanwhile, with investigations. Especially when it comes to evidence collection and preservation. And while digital evidence can be complicated, WebCase wasn’t designed for analysts. It was designed for average investigators, who deserve to be able to show in court how law enforcement takes case-building as seriously as we want you to.

So please head on over to the Vere Software website and download the 30-day free demo of WebCase, along with the various free tools offered. Subscribe to the blog, check out the free e-learning. No, I’m not getting paid for this post, nor based on sales that come from this post. Yes, I understand that budgets are strapped. Believe me.

At the same time, though, a good friend of mine secured two copies of WebCase not long before the union in his department voted to forego pay raises just to keep its gang unit rather than see it disbanded. That town is facing serious gang problems, and given that gangs are using social networking sites to do their business, the fact that this agency found the money for WebCase is significant.

What kinds of online evidence is your agency seeing?

Image: NIOSH via Flickr

4 thoughts on “Collecting evidence from the Internet

  1. Pingback: Behind the Seams: “Chronicles of EMS” Premiers, Public Safety Budget Cuts and More | Tactical Pants Blog

  2. Laura Madisonorg9

    No problem here because investigators must illustrate via access and control. Isp’s will give up the information to match a screen shot (even if a tipster sent it in to police) when legally compelled to do so.Usually this is secondary or perhaps even character evidence and does not generally make up the crucial elements to a case. Police still must build a case with other evidense, as you know. Social media and even DM or private messages are all copied, even if the poster subsequently erases it.

    Webcase seems a good tool so long as what the investigator is attempting to collect is visible ie: not via DM or locked down behind peoples privacy screens. Investigators must have a reasonably valid and legally sanctioned warrant to get “behind the scenes”.

  3. Christa Miller Post author

    Org9, actually you bring up a great point that I don’t think I made clear enough. WebCase doesn’t provide additional capabilities, such as the power of “X-ray vision” on private info; it simply makes the evidence easier and more legally solid to collect. Its use, as you point out, still (like with any other data capture tool) relies on the 4th Amendment. Conceivably you would use the visible stuff (along with any physical evidence) to support your search warrant or other court order for the private stuff. And if you’re getting private info based on an undercover operation, those rules apply too.

    Thanks for pointing that out!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

CommentLuv badge