Risk-sensitive digital evidence collection

Digital Investigation
DOI: 10.1016/j.diin.2005.01.001
  • Criminology
  • Ecology
  • Geography
  • Law
  • Political Science


Abstract

Over the past decade or so, well-understood procedures and methodologies have evolved within computer forensics digital evidence collection. Correspondingly, many organizations such as the HTCIA (High Technology Criminal Investigators Association) and IACIS (International Association of Computer Investigative Specialists) have emphasized disk imaging procedures which ensure reliability, completeness, accuracy, and verifiability of computer disk evidence. The rapidly increasing and changing volume of data within corporate network information systems and personal computers is driving the need to revisit current evidence collection methodologies. These methodologies must evolve to maintain the balance between electronic environmental pressures and legal standards. This paper posits that the current methodology which focuses on collecting entire bit-stream images of original evidence disk is increasing legal and financial risks. [1]

The first section frames the debate and change drivers for a risk-sensitive approach to digital evidence collection. The next section outlines the current methods of evidence collection along with a cost–benefit analysis. Then, the methodology components of the risk-sensitive approach to collection are described. This paper concludes with a legal and resource risk assessment of this approach. Anticipated legal arguments are explored and countered, as well. The authors suggest an evolved evidence collection methodology which is more responsive to voluminous data cases while balancing the legal requirements for reliability, completeness, accuracy, and verifiability of evidence.

[1] The authors emphasize that the proposed risk-sensitive evidence collection methodology is intended to complement traditional bit-stream methodology in circumstances that necessitate a more efficient and cost-sensitive approach to digital evidence collection. Those types of contexts are addressed herein. The authors do not suggest an abdication of the bit-stream methodology in contexts where the cost–benefit assessment suggests that it is reasonable to adhere to this traditional approach. For example, when a search warrant application (affidavit) establishes that the computer is an “instrumentality” or “fruit” of the crime(s), then seizure and retention of the entire machine are permitted (and advisable) under the law because the computer per se becomes evidence of the criminal conduct, like a gun used in furtherance of a robbery. See, e.g., United States v. Farrell, 606 F.2d 1341, 1347 (D.C. Cir. 1979) (noting that the government is entitled “to seize the instrumentalities of crime and hold them until the trial is completed”).
