| In the field of computer forensics, as in the field of law, | | | | analysis was destroyed before the plaintiff had the |
| procedures in civil cases differ somewhat from those | | | | opportunity to inspect. Such attempts at hiding data are |
| in criminal cases. The collection of data and | | | | often discovered by the digital forensic sleuth, who |
| presentation of evidence may be held to different | | | | may in turn present evidence of such further |
| standards, the process of data collection and imaging | | | | wrongdoing in expert witness testimony. |
| can be quite different, and the consequences of the | | | | Opportunities for learning techniques and interacting |
| case may have very different impacts. | | | | with other professionals may differ as well. While |
| A couple of quick definitions may be in order. Criminal | | | | some computer forensic software suites and training, |
| law deals with offenses against the state - the | | | | such as Access FTK, EnCase, or SMART Forensics |
| prosecution of a person accused of breaking a law. | | | | are available to most who can pay, others, such as |
| Such offenses may of course include crimes against a | | | | iLook are available only to law enforcement and |
| person. A government body, or the representative of | | | | military personnel. While many support and professional |
| a government body accuses the person of having | | | | organizations and groups are available to all, some, |
| committed the offense, and the resources of the state | | | | such as the High Technology Crime Investigation |
| are brought to bear against the accused. Guilty | | | | Association (HTCIA) are not open to professionals |
| outcomes can result in fines, probation, incarceration, or | | | | who provide for criminal defense (with a few minor |
| even death. | | | | exceptions). |
| Civil law covers everything else, such as violations of | | | | When law enforcement has a case involving |
| contracts and lawsuits between two or more parties. | | | | computer forensics, the intention is to locate enough |
| The loser in such a dispute often must give payment, | | | | data to find the defendant guilty in court, where the |
| property or services to the prevailing party. | | | | standard for information presented tends to be fairly |
| Imprisonment is not at issue in civil cases. As a result, | | | | high. From the time digital data or hardware is seized |
| the standard for evidence is not as high in civil cases | | | | and acquired, Rules of Evidence must be kept in mind |
| as in criminal cases. | | | | (Cornell University has the complete and voluminous |
| For the law enforcement computer forensics specialist, | | | | code on its website). Law enforcement personnel |
| a certain amount of extra care should be taken in | | | | must follow accepted procedures or evidence could |
| collecting data and producing results, for the standard | | | | be thrown out. Acquisition of data and discovery in |
| of proof is higher. There are advantages on the data | | | | criminal cases often must follow sometimes strict and |
| collection end, however. For once a court has | | | | differing procedures depending upon whether the |
| authorized a search warrant, an officer (and possibly | | | | jurisdiction is federal, state, or municipality and at times |
| several) with badge and gun can go seize the | | | | depending upon a judge's preferences. |
| defendant's computer by surprise and by force. Once | | | | In a civil case, the initial processes of electronic |
| the computer has been seized and imaged, all data is | | | | discovery may be just to find enough data to show |
| accessible and may result in additional charges being | | | | one or the other party whether they are likely to |
| brought against the defendant. | | | | prevail, should the case go all the way to court. As |
| By contrast, in a civil case, there tends to be a lot of | | | | such, the initial presentation of data may be fairly |
| negotiation over what computers and what data can | | | | informal, and be just enough to induce the parties to |
| be inspected, as well as where and when. There is not | | | | settle the case. On the other hand, the data found |
| likely to be any seizing of computers, and quite a long | | | | may be so minimal the line of inquiry into electronic |
| time may take place between the time the request to | | | | evidence is dropped. |
| inspect a computer is made and the time the | | | | Although we use many of the same tools, computer |
| computer is made available to be inspected. It is | | | | forensic professionals in private practice and those in |
| common for one party to have access to a very | | | | law enforcement are held to different standards, have |
| limited area of data from the other party's computer. | | | | access to different resources, and their work results in |
| During this time, a defendant may take the opportunity | | | | substantially different outcomes between the criminal |
| to attempt to hide or destroy data. The author has had | | | | and civil cases to which they contribute. |
| several cases wherein the computer needed for | | | | |