THE overriding principle concerning all phases of seizing and processing electronic evidence i.e. seized computers, disks and other media, should be never to alter the evidence from its original state. This should ensure its admissibility in court or other legal proceedings. The processing officer should carefully document every step taken while processing the electronic evidence. All seized computer hard disks, diskettes or other media should be "write protected" because electronic media that has been "write protected" cannot be altered or erased either intentionally or accidentally. A "bit-stream" identical copy of all hard drives, diskettes or other media must be made prior to any processing. A 'bit-stream' backup will make a full and accurate copy of all areas if the disk or media including erased files and other portions of the media contain evidence but would not be copied by a standard copy or back-up copy. All processing must be performed on the copy. This will ensure the integrity of the original evidence. The investigating officers should be aware of viruses when introducing unknown software to a government computer system. A scan for viruses should be conducted in all cases. The existence of a virus should be documented. This will protect the investigating officers from a potential accusation that a virus was introduced by the authority who had seized the computer. A processing officer may encounter computer or operating system with which he is unfamiliar. In that case, it may be necessary to obtain the services of an outside consultant. However, as far as possible, this kind of situation should be avoided as outside consultants lack knowledge and training in rule of evidence and law enforcement techniques. If such a circumstance arises, the processing officer should always be present and maintain control of the evidence. This will allow the officer to direct the search and ensure that the rules of evidence and chain of custody are not compromised. All steps taken must be thoroughly documented to assist in the introduction of any evidence in the court. All software used by the processing officer should be licensed and owned by the customs administration. Pirated versions should not be used under any circumstances. The improper handling of seized computer or electronic evidence by an investigator may entail serious dangers. At the same time the investigator has to be aware of the many difficulties he will have to face to extract evidence from a computer. Evidence stored electronically can be instantly destroyed forever in such a manner that the investigator may never know the evidence existed. Data destruction devices -- both hardware and software, can destroy the electronic equivalent of thousands of documents, while erasing all traces of their actions. Such a data destruction device could be set off intentionally by the suspect or accidentally by a well computer literate customs officer who has not been trained to avoid such traps. A clever suspect can hide evidence on a computer media in locations or formats where 99 per cent of all computer users will never find it. Computer media like disks, tapes etc., can also be hidden. A small cassette tape less than 2 cm by 2 cm can store all of the text contained in more than 1500 novels. Computer diskettes containing criminal evidence can even be rolled up and hidden inside a fountain pen. Again, electronic records can be protected by passwords, encryption or other security devices. Nowadays, large software industries have sprang up that markets data protection software specifically to protect or encrypt computer information. In addition, computer bulletin boards exist to publish information on how to protect computerised information from law enforcement, how to break into other computerised and how to challenge electronic evidence in court proceedings. If the computer or the electronic evidence is not handled in accordance with the applicable rules of evidence and the applicable laws of search and seizure, vital evidence discovered may be ruled inadmissible in court proceedings. Further, if the computer itself or the electronic evidence is damaged or lost through improper handling while in government custody, a civil claim for damage may be sought. Therefore, whenever possible, only professional law enforcement officers who have been trained in seizing and processing computers in accordance with the rules of evidence should handle any computerised evidence. If this is not possible, the absolute minimum handling should be done to secure and seize the computer and related items, and secure them for processing by trained professionals. Individuals not trained in computer forensics, regardless of their level of computer expertise, should not be allowed to access computer's or related materials. In this context, the NBR should develop, as much as possible, internal expertise in this area and identify and cooperate with other law enforcement agencies that have expertise on the subject matter. It is vital that the NBR should now be alert about this novel concept of electronic evidence and take necessary steps to develop appropriate measures to tackle the new situation. Such measures should include creation of core groups of computer investigating officers who are computer-minded and have sound background on law enforcement and national legal procedures. They should not only be trained to seize and extract evidence from computers but also have expertise in computer forensic science. These measures should be accompanied by the development of national training standards for computer literacy of all customs officers and creation of general awareness of the importance of electronic evidence in customs matters. The customs officers should no longer be bogged down only in traditional paper trail investigation, but rather open up their minds to new techniques of paperless investigation. In order to fulfill these goals, the NBR should create a high level computer policy team with the responsibility for a number of duties. The duties will include training of qualified customs officers in computer know-how, keeping current with the rapidly changing technology, researching software and methods of searching and seizing computerised evidence, and other complex computer issues. Once trained, the investigators can also be used to assist in the search and seizure of evidence for many other types of offences. This would include any type of offence where evidence is located on a computer system such as records on narcotics, pornography, money laundering, fraud and vice. However, the long-term goal should be to train all customs officers to deal with computerised evidence. This will take time but it is a necessity of the time. (Concluded) .................................................. The writer is the Permanent Representative of Bangladesh to the World Customs Organisation, Brussels, Belgium
|