Computer Forensic Investigations: Legal Aspects
Dave Carlson - December 14, 2007
Even though the discipline of forensics can trace its history back more than 800 years, the specialized field of computer forensics is in its infancy. Computer forensics merges disciplines of computer science and the law. Because computer forensics is such a new discipline, many of the laws used to prosecute computer-related crimes are in a constant state of flux. There are two constitutional amendments and three statues related to computer forensics investigations in the United States. One of the most important aspects of presenting evidence in a court of law is establishing a clear chain of custody. Failure to follow proper legal procedures during a computer forensics investigation may not only loose the case, but put the investigator behind bars.
Legal Aspects of Computer Forensic Investigations
The American Heritage Dictionary of the English Language (2006) defines forensics as, "the use of science and technology to investigate and establish facts in criminal or civil courts of law." The discipline of forensics combines scientific knowledge and methods with standards of law to recover and present at court evidence related to a crime (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 3). A computer forensics investigator gathering digital data to be used in a U. S. court of law has specific responsibilities.
This paper will provide a brief history of forensics and survey some of the specific U. S. laws related to computer forensics. The discussion will continue with rules of evidence a computer forensics investigator must consider when collecting digital information to be presented in court. The author will conclude with several situations illustrating what can go wrong when an investigator does not follow specific legal procedures.
The author of this paper is not a trained legal professional. The intent of this paper is not to present a comprehensive treatise on computer forensic law, but to provide an overview of legal aspects related to computer forensic investigations for the computer forensic investigator. The reader is encouraged to seek competent legal counsel for specific matters related to an active computer forensics investigation.
Forensics history traces back several centuries. Experts agree that the first known record of forensics was presented in the pages of a 1248 Chinese book written by Hsi Duan Yu entitled, The Washing away of Wrongs (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 3). The author explained how to tell the difference between death by drowning, strangulation, and natural causes. This book was the first recorded application of scientific knowledge to solve a crime (James & Nordby, 2005, p. 28).
The earliest documented use of computer forensic techniques was by U.S. military and intelligence agencies in the 1970s (Mohay, 2003, p. 113). Little is known about the forensic activities of the military and intelligence agencies, because of the classified nature of their work. Mohay (2003) observed that the first agencies with an overt and publicly visible need to conduct computer forensics related to criminal offences were tax agencies (p. 114). Tax and revenue investigations of computer systems began in the 1980s (Mohay, 2003, p. 114).
In 1984, the Federal Bureau of Investigations (FBI) established the Computer Analysis and Response Team (CART), based in the FBI’s Washington, DC headquarters (Mohay, 2003, p. 114). However, the CART did not actually become fully operational until August 1991 (Theoharis, 1999, p. 381). The original purpose of CART was to support FBI investigations with the use of computers.
Even though the discipline of forensics can trace its history back more than 800 years, the specialized field of computer forensics is still in its infancy (US-CERT, 2005, p. 4). Nolan, O’Sullivan, Branson, and Waits (2005) defined computer forensics as “the collection and analysis of data from computer systems, networks, communication streams (wires), and storage media in a manner that is admissible in a court of law” (p. 4). Computer forensics merges the diverse disciplines of computer science and the law.
Because computer forensics is such a new emerging discipline, many of the laws used to prosecute computer-related crimes are in a constant state of flux. “Almost daily, new court rulings are handed down that affect how computer forensics is applied” (Nolan, O’Sullivan, Branson, & Waits, 2005, 2005, p. 6). It is no wonder that Circuit Judge Juan R. Torruella wrote in 2004 that current laws “may be out of step with the technological realities of computer crimes” (U.S. v. Councilman, 2004, p. 15).
It is beyond the scope of this paper to present a comprehensive review of all aspects of the law related to forensics. The following topics represent a review of the key aspects that most likely will affect the actions of computer forensic investigators. It was not possible for the original drafters of these legal foundations to conceive of how principles and practices would be applied in relation to today’s computer forensic investigations. Nevertheless, these legal foundations are the basis of U.S. legal proceedings.
U. S. Constitution
The 4th and 5th Amendments of the United States Constitution limits government action related to its citizens. The 4th Amendment provides for protection against unreasonable search and seizure. The 5th Amendment provides for protection against self incrimination. “A key point to remember when considering these amendments is that they were written some two hundred years ago and are now being applied to a technology that could not be imagined by the original authors” (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 9).
The 4th Amendment to the United States Constitution states that: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The 4th Amendment provides protection for citizens of the United States against unreasonable searches by agents of their government, including public law enforcement agencies. The U.S. Department of Justice identified several court cases where the 4th Amendment was applied to information technology issues, including computer forensics (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 10). See Table 1 for a sample of related cases.
Court Cases Illustrating 4th Amendment Protection from Unreasonable Searches
(Nolan, O’Sullivan, Branson, & Waits, 2005, p. 10)
|United States v. Ross,456 U.S. 798, 822-23 (1982)
||Accessing information stored within an electronic device is akin to opening a closed container.
|United States v. Lynch,908 F. Supp. 284, 287 (D.V.I. 1995)
||There is a reasonable expectation of privacy in data stored in a pager.
|United States v. Reyes,922 F. Supp. 818, 832-33 (S.D.N.Y. 1996)
||There is a reasonable expectation of privacy in data stored in a pager.
|United States v. Barth,26 F. Supp. 818, 832033 (W.D. Tex. 1998)
||There is a reasonable expectation of privacy in files stored on hard drive of personal computer.
The 5th Amendment to the United States Constitution states that: No person shall be compelled in any criminal case to be a witness against himself. The protection offered by the 5th Amendment related to computer forensics is protection from self-incrimination concerning cryptographic keys (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 11). An individual cannot be compelled in court to reveal his or her memorized key or paraphrase (Doe v. United States, 487 U.S. 201, 210 n. 9 (1988)). Additionally, the court cannot compel an individual to decrypt encrypted files found during a legal collection of evidence (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 11).
Senators John McCain (R-AZ) and Bob Kerrey (D-NE) proposed a possible contradiction to the 4th and 5th Amendments during the 105th U.S. Congress in 1997 (Davidson & Dempsey, 1997, ¶1). The original bill did not become law, but raised issues concerning possible violations of 4th and 5th Amendment rights. The Center for Democracy & Technology observed that “Key recovery systems of the type contemplated in the McCain-Kerrey bill open a huge window of vulnerability to the private data of computer users” (Davidson & Dempsey, 1997, ¶1). Even though this attempt to circumvent the Constitution of the United States occurred more than ten years ago, the principles presented remain a current concern.
U. S. Statutory Law
There are three U.S. statues that impact techniques used by examiners during the collection of computer records and other digital evidence related to a computer forensics examination (US-CERT, 2005, p. 3):
- Wire Tap Act, 18 U.S.C. §§ 2510-22 (Wire and Electronic Communications Interception and Interception of Oral Communications);
- Pen Register and Trap & Trace Act, 18 U.S.C. §§ 3121-27 (Pen Registers and Trap and Trace Devices);
- Stored Wired and Electronic Communications Act, 18 U.S.C. §§ 2701-12 (Stored Wire and Electronic Communications and Transactional Records Access).
Violation of these statues by a forensic examiner may constitute a federal felony punishable by a hefty fine and prison sentence (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 12).
The Wire Tap Act prohibits the interception of real-time electronic data communications (specifically the content of the communication), unless a specific exception applies. The Act extends its protection to both voice communications and digital content. Three specific exemptions to the Wire Tap Act impact on digital forensic investigations.
- Provider Exception, 18 U.S.C. §§ 2511(2)(a)(i). This exception allows for authorized personnel to monitor network traffic to protect the “rights or property” of a network provider. Nolan, O’Sullivan, Branson, and Waits (2005) suggested that a system administrator using a URL scanner would fall under this exception to the Wire Tap Act.
- Consent Exception, 18 U.S.C. §§ 2511(2)(c). This exception allows for monitoring by authorized personnel when a person using a network consents to the monitoring. Signed acceptable use policies and banners displayed to a user before he or she is allowed to access a network are acceptable methods to prove consent (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 16). Consent is not a blank check. A forensic investigator must ensure that any investigation conducted falls within the process explicitly identified in the consent documentation.
- Trespasser Exception, 18 U.S.C. §§ 2510(21). This exception may allow for unrestricted monitoring of unauthorized persons or systems accessing a network. Anyone who accesses a system without authorization “has no reasonable expectation of privacy in any communication transmitted to, through, or from” the system (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 17).
The Pen Trap and Trace Act prohibits installation of a device that “records or decodes dialing, routing, addressing, or signaling information for outgoing (Pen Registers) and incoming (Trap and Trace) wired or electronic communications” (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 18). This Act protects the technical functionality of a system. As with the Wire Tap Act, the Pen Trap and Trace Act allows for three specific exceptions that may affect the forensic investigator.
- Provider Exception, 18 U.S.C. § 3121(b)(1). This exception allows authorized persons to monitor specific activities related to “the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider” (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 19).
- Verification of Service Exception, 18 U.S.C. § 3121(b)(2). This exception allows organizations that provide network service to other organizations to monitor the use of the host system. The purpose of this exception is to allow the owner of a system to protect its rights and ensure the use of the system by the other organization follows mutually agreed upon rules. A specific example would be a cell phone company that tracked the number and size of text messages sent to and from an account for the purposes of establishing accurate billing data (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 19).
- Consent Exception, 18 U.S.C. § 3121(b)(3). Authorized personnel may monitor activity if the user gave previous consent to monitoring through an appropriate signed acceptable use policy or network banner. As with the related exception to the Wire Tap Act, this exception must follow the specific steps outlined to the user in the policy or banner notification.
The statute which potentially has the most impact on the digital forensics examiner is the Stored Wired and Electronic Communications Act (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 21). This statute covers general protections for stored communications. There are additional statutes which cover specific circumstances related to health, education, and other areas. For the purposes of a discussion about digital forensics, this paper will focus on the issues of the Stored Wired and Electronic Communications Act.
It is beyond the scope of this paper to discuss all issues of this statute. Nolan, O’Sullivan, Branson, and Waits (2005) observed that “this is a very complex statute that contains various restrictions” (p. 22). This paper will discuss only three of this statute’s prohibited acts related to digital forensic investigations: 1) contents of a communication in electronic storage (email, voice mail, electronic files, etc.), 2) contents of a communication accessible by a public remote service, and 3) contents of information records related to a subscriber or customer of a service (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 23).
As with other statutes, there are exceptions which allow for the lawful release of communications content and recorded data:
- Consent Exception, 18 U.S.C. § 2702(b)(3) and 18 U.S.C. § 2702(c)(2). This exception allows for release of information upon consent of an authorized individual. Many companies prohibit or limit the use of company email for personal business and require employees to consent to this policy as a condition of employment (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 23).
- Provider Exception, 18 U.S.C. § 2702(b)(5) and 18 U.S.C. § 2702(c)(3). This exception allows for providers to disclose information necessary to provide service or protect the rights or property of the provider. Nolan, O’Sullivan, Branson, and Waits (2005) suggested that email virus scanners fall under this exception. “There is a clear nexus between what is being monitored and the threat” (p. 23).
- Law Enforcement Exception, 18 U.S.C. § 2702(b)(6)(A)(i)and(ii). If an authorized individual in the performance of normal duties discovered content related to the possible commission of a crime, that content may be covered by this exception and may be turned over to law enforcement officials. The key component of this exception is that “the discovery was incidental, the result of a regular process” (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 24).
- Emergency Situations Exception, 18 U.S.C. § 2702(b)(6)C) and 18 U.S.C. § 2702(c)(4). This exception allows an authorized individual to disclose data that the individual reasonably believes to involve “an emergency involving immediate danger of death or serious physical injury to any person” (18 U.S.C. § 2702). Examples where this exception most likely would apply involve suicide notes, missing children, threats to persons, etc. (Nolan, O’Sullivan, Branson, & Waits, 2005, p. 24).
Nearly everything that someone does on a computer or network leaves traces—from deleted files and registry entries to the Internet history cache and automatic Word backup files. E-mail headers and instant messaging logs give clues as to the intermediate servers through which information has traversed. Server logs provide information about every computer system accessing a Web site. (Kessler, 2006, ¶ 3)
Investigators must ensure they follow proper procedures established by the Constitution and statutory laws when collecting evidence. Failure to follow correct procedures may violate the civil rights of those being investigated. Additionally, incorrect procedures “could result in a failed prosecution or even legal action against the investigator” (Stewart, Tittel, and Chapple, 2004, p. 591). It is important that the investigator does not modify original data leading to a courtroom discussion to convince a jury that the investigator “may have overwritten exculpatory evidence” (Carrier, 2005, p. 8).
The law has established three basic requirements that must be met before evidence can be admitted into a court of law. Prior to being discussed in open court, the judge must determine if evidence meets all three of the following requirements (Stewart, Tittel, and Chapple, 2004, p. 591):
- Relevant -- evidence to be discussed is used to establish a specific fact. Evidence would be ruled not relevant if it did not help determine facts of the case being tried.
- Material -- evidence to be discussed is related to the case. Evidence would be ruled not material if it could not be shown to be related to the specific case being tried.
- Competent -- evidence must have been obtained as the result of a legal search or discovery. Evidence would be ruled not competent if it was obtained as the result of an illegal search.
Courts of law admit four types of evidence: real evidence, documentary evidence, testimonial evidence, and demonstrative evidence (Stewart, Tittel, and Chapple, 2004, p. 591). In addition to being relevant, material, and competent, each type of evidence has different additional requirements for admissibility. Failure to meet these additional requirements may result in the evidence being declared as non-admissible.
- Real Evidence (also called object evidence) consists of physical things that can be seen or touched and may be brought into a court of law (Stewart, Tittel, and Chapple, 2004, p. 591). Examples of real evidence that may be gathered during a computer forensics investigation are a computer keyboard with recognizable fingerprints, a key capture hardware dongle, or a hard drive from a suspect’s computer (physical evidence).
- Documentary Evidence includes written items brought into a court to prove a fact being discussed (Stewart, Tittel, and Chapple, 2004, p. 591). Examples of documentary evidence that may be gathered during a computer forensics investigation are computer logs, files stored on a hard drive, and traces of activity captured from a computer’s volatile memory (US-CERT, 2005, p.2).
- Testimonial Evidence is testimony from a witness (Stewart, Tittel, and Chapple, 2004, p. 593). Examples of testimonial evidence that may be gathered during a computer forensics investigation are physical testimony and legal depositions.
- Demonstrative Evidence is comprised of presentations to demonstrate how an alleged activity could have been committed, as illustrated by Figure 1. Craig Ball, a Texas lawyer, synthesized demonstrative evidence in his classic “Ten Commandments of Demonstrative Evidence” (Ball, 1999, ¶ 1):
- Keep it simple.
- Use images and contexts familiar to the audience.
- Pay attention to scale, color, and contrast.
- Anchor key points and issues with a common visual theme.
- Test your evidence on men and women of different ages and backgrounds.
- Develop one or two key visuals early and use them consistently in deposition.
- Prepare your witnesses and experts using demonstrative evidence.
- Use a demonstrative aid with every witness.
- If you hope to get it in, don’t spring it on your opponent at the last minute.
- Never just tell when you can show and tell. (Ball, 1999, ¶ 1)
Illustration courtesy Browning & Co., All Rights Reserved
Figure 1. Demonstrative evidence. (http://www.craigball.com/demoevid.html)
A unique aspect of digital evidence compared to physical evidence is that courts view a carefully preserved copy of the digital evidence as good as the original. Scalet (2007) stated that “the first image of a hard drive that investigators take is know as best evidence, because it’s closest to the original source” (¶ 6). Proving this by documenting acceptable methods may be the most difficult step for computer forensics investigators (Kruse & Heiser, 2002, p. 12).
One of the most important aspects of presenting evidence in a court of law is establishing a clear chain of custody. Any time evidence changes hands, “it should be thoroughly documented on a Chain of Custody Form” (Jones, Bejtlich, & Rose, 2006, p. 168).
Computer Forensic Investigation Mistakes
Johnson (2005) observed that computer forensic investigation failures can be divided into two groups: false negatives and false positives (p. 149). “False negatives are items that should have been found and dealt with in the process but were not, whereas false positives are things that should have been discarded or discredited in the process but were not” (Johnson, 2005, p. 149). The following situations offered by Setec Investigations (2007) illustrate what can go wrong when appropriate legal computer forensic procedures are ignored or missed.
Computer forensics and the associated electronic evidence and electronic discovery are relatively new to the litigation game. The use of such information is growing steadily and it has become impossible for legal professionals or their clients to claim that they are unaware of the existence of electronic information. The following intends to make clear mistakes involving computer forensics, electronic evidence, and electronic discovery that are often made: (Setec, 2007, ¶ 1)
Ignoring Electronic Information or Attempting Discovery of It in a Disorganized Manner
The world produces more than a billion gigabytes of unique information each year, “which is roughly 250 megabytes for every man, woman, and child on earth” (Gildea & Gray, 2000, ¶ 1). More than 99% of that information is digital (Gildea & Gray, 2000, ¶ 1). Legal professionals must understand the importance of digital evidence: “how it can be identified, how it can be utilized to enhance a case, how to avoid the pitfalls associated with it, and how to avoid sanctions resulting from inadequately presenting it” (Setec, 2007, ¶ 2).
Believing That Deleted Information is Actually Irreparably Destroyed
Kruse and Heiser (2002) asserted that “you can’t really erase a hard drive” (p. 77). Given enough resources (time, knowledge, money, etc.) it is possible to recover most data ever written to a magnetic hard drive. “It may well be that data can never be truly erased from magnetic media” (Kruse & Heiser, 2002, p. 77). There are several software packages and data recovery services available to recover “deleted” data from a hard drive.
Lack of a Backup or Document Retention Policy
Setec (2007) advocated establishing a document retention policy to define how electronic documents are reviewed, retained, and destroyed during normal business operations (¶ 4). Several state and federal rules identify the length of time documents must be retained. It also would be a good idea if the retention policy detailed how to record documents that have been destroyed (Setec, 2007, ¶ 4). Residential Funding Corp. v. DeGeorge Fin. Corp. 306 F.3d 99 “sounded a grim warning for companies lacking a sound electronic document retention policy: if you wind up in court and can’t produce the goods, you may be liable” (French, 2004, ¶ 1).
Not Complying with Preservation Orders
The Sarbanes-Oxley Act became law in July 2002, when President Bush signed the act. One of the provisions of the law requires documents (including electronic documents) to be preserved once a legal investigation has begun. Penalty for violation may lead to fines or imprisonment up to 20 years, or both (Lange, 2003, ¶ 5). IT personnel responsible for such actions must be informed of this requirement to preserve possible evidence, since they often are overlooked in these situations (Setec, 2007, ¶ 5). The old adage, ignorance is no excuse, applies in this situation.
Failure to Utilize Certain Forms of Evidence
While any seasoned forensic investigator certainly would not ignore evidence contained on a suspect’s personal computer, some investigators may overlook some not-so-common sources of evidence. Backup tapes, cell phones, personal digital assistants (PDAs), and tablet PCs all provide a potential wealth of useful and relevant evidence that may prove critical to the case (Setec, 2007, ¶ 6). Even if the collecting examiner lacks the ability to extract useful and relevant data from these devices, the examiner should collect the devices and store for later access by qualified personnel. Of course, the responsible investigators must follow appropriate chain of custody procedures in case later investigation of these devices reveals meaningful data.
Failure to Produce All Electronic Evidence
The same rules apply for electronic evidence as they do for more traditional forms of evidence. The court system has broad discretion when applying sanctions for failing or waiting excessively to produce electronic evidence, including declaring a mistrial, delaying the start of the trial, imposing monetary penalties, or issuing an adverse inference instruction. Sanctions may be applied not only when a party has been grossly negligent or acted in bad faith, but also due to ordinary negligence. (Setec, 2007, ¶ 7)
Failure to Forensically Duplicate Hard Drives Used by Departing Employees
Setec (2007) advocated the policy of making a forensic duplicate of hard drives used by departing employees, both those who are terminated and those who resign (¶ 8). Store the duplicate with other official company data in case it is needed for future investigations. Having a forensic duplicate preserves the original data in case the former employee takes the computer or the computer is issued to a new employee (Setec, 2007, ¶ 8). As always, this forensic duplicate must have chain of custody documentation.
Failure to Use Experienced Computer Forensic Investigators
Shirk (2007) postulated that the most important consideration for computer forensic investigations is the concern for “repercussions of a botched computer forensics collection or investigation” (¶ 29).
Most qualified e-Discovery project managers and certified computer forensics examiners have witnessed many instances where valuable digital evidence was spoliated [sic] during collection, either accidentally or intentionally, by newly-assembled teams of DIY digital evidence “experts.” When a computer forensics examiner is brought into a matter where a DIY approach has been used, he/she can generally assume that the IT people have taken a “quick peek” at electronic evidence that will play a foundational role in the matter. (Shirk, 2007, ¶ 5)
Setec (2007) warned that the average IT professional may not “have the necessary knowledge or experience to properly conduct and manage a computer forensic investigation” (¶ 9). Computer forensics investigators should be or should retain experts in the field of computer forensics “to ensure that evidence is properly collected and admissible in a court of law” (Setec, 2007, ¶ 9).
Even though the discipline of forensics can trace its history back more than 800 years, the specialized field of computer forensics is still in its infancy. Computer forensics merges the two unrelated disciplines of computer science and the law. Because computer forensics is such an emerging discipline, many of the laws used to prosecute computer-related crimes are in a constant state of flux.
There are two constitutional amendments and three statues related to the conduct of computer forensics investigations in the United States. One of the most important aspects of presenting evidence in a court of law is establishing a clear chain of custody. Failure to follow proper legal procedures during a computer forensics investigation may not only loose the case, but put the investigator behind bars.
Ball, C. (1999). Ten commandments of demonstrative evidence. Retrieved December 5, 2007 from http://www.craigball.com/evid10co.htm
Carrier, B. and Spafford, E. H. (2003, Fall). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2), 1-20. [Electronic version]. Retrieved November 18, 2007 from http://www.scm.uws.edu.au/compsci/computerforensics/Online%20Materials/ijde_physical.pdf
Carrier, B. (2005). File system forensic analysis. Indianapolis, IN: Pearson.
Constitution of the United States of America.
Davidson, A. and Dempsey, J. (1997). CDT analysis of the McCain-Kerrey bill: S.909. Center for Democracy & Technology. Retrieved December 10, 2007 from http://www.cdt.org/crypto/legis_105/mccain_kerrey/analysis.html
Forensics. (n.d.). The American heritage dictionary of the English language, 4th Ed. (2006). Retrieved December 03, 2007, from http://dictionary.reference.com/browse/forensics
French, P. (2004). Electronic document retention policies: And why your clients need them. Retrieved December 10, 2007 from http://www.abanet.org/lpm/lpt/articles/ftr01045.html
Gildea, R. and Gray, J. Eds. (2000). How much information? Retrieved December 10, 2007 from http://www2.sims.berkeley.edu/research/projects/how-much-info/summary.html
James, S. H, and Nordby, J. J., Eds. (2005). Forensic science: An introduction to scientific and investigative techniques, 2nd ed. Boca Raton, FL: CRC.
Johnson, T. A., Ed. (2005). Forensic computer crime investigation. Boca Raton, FL: CRC.
Jones, K. J, Bejtlich, R., and Rose, C. W. (2006). Real digital forensics: Computer security and incident response. Indianapolis, IN: Pearson.
Kessler, G. C. (2006). The role of computer forensics in law enforcement: Computers aren’t just for geeks anymore. Retrieved November 19, 2007 from http://www.officer.com/publication/printer.jsp?id=28161
Kruse II, W. G. and Heiser, J. G. (2002). Computer forensics: Incident response essentials. Indianapolis, IN: Pearson.
Lange, M. C. S. (2003). Sarbanes-Oxley has major impact on electronic evidence. Retrieved December 10, 2007 from http://www.law.com/jsp/article.jsp?id=1039054510969
Mohay, G. (2003). Computer and intrusion forensics. Norwood, MA: Artech House.
Nolan, R., O’Sullivan, C., Branson, J., and Waits, C. (2005). First responders guide to computer forensics. [Electronic version]. Pittsburg, PA: Carnegie Mellon University. Retrieved December 3, 2007 from http://www.cert.org/archive/pdf/FRGCF_v1.3.pdf
Scalet, S. D. (2007). How to keep a digital chain of custody. Retrieved from CSO Online on December 10, 2007 from http://www.csoonline.com/read/120105/ht_custody.html
Setec Investigations. (2007). Learning from other’s mistakes: Issues arising from electronic discovery. Retrieved December 10, 2007 from http://www.forensicfocus.com/electronic-discovery-mistakes
Shirk, E. (2007). The dangers of do-it-yourself computer forensics. Retrieved December 10, 2007 from Law Practice Today Webzine, November 2007 at http://www.abanet.org/lpm/lpt/articles/tch11071.shtml
Stewart, J. M, Tittel, E., and Chapple, M. (2004). CISSP: Certified information systems security professional. Alameda, CA: SYBEX.
Theoharis, A. G.,Ed. (1999). The FBI: A comprehensive reference guide. Phoenix, AZ: Oryx.
United States of America v. Bradford C. Councilman, United States Court of Appeals, 03-1383 (1st Cir. 2004). [Electronic version]. Retrieved December 5, 2007 from http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
US-CERT. (2005). Computer forensics. [Electronic version]. Retrieved December 3, 2007 from http://www.us-cert.gov/reading_room/forensics.pdf