
Investigations are one of the main ways in which information security professionals come into contact with the law. Forensic and incident response personnel routinely conduct investigations, and both need a basic understanding of legal matters so that the legal merit of an investigation is not unintentionally compromised. Evidence, and the appropriate method for handling it, is a critical legal issue that all information security professionals must understand. Another issue that touches both information security and legal investigations is search and seizure.

Evidence

Evidence is one of the most important legal concepts for information security professionals to understand. Information security professionals are commonly involved in investigations, and often have to obtain or handle evidence during the course of one. Some types of evidence carry more weight than others; regardless, information security professionals should preserve and provide all evidence, whether it supports or undermines the facts of a case. There is no absolute way to guarantee that evidence will be admitted and found persuasive in a court of law, but information security professionals should understand the basic rules of evidence. Evidence should be relevant, authentic, accurate, complete, and convincing, and evidence gathering should be conducted with these criteria in mind.

Real Evidence

The first, and most basic, category of evidence is real evidence. Real evidence consists of tangible or physical objects. A knife or a bloody glove might constitute real evidence in a traditional criminal proceeding. In most computer incidents, real evidence instead consists of physical objects such as hard drives, DVDs, USB storage devices, or printed business records.

Direct Evidence

Direct evidence is testimony provided by a witness regarding what that witness actually experienced with their own senses. The witness must have experienced what they are testifying to, rather than having gained the knowledge indirectly through another person (hearsay, discussed below).

Circumstantial Evidence

Circumstantial evidence is evidence that establishes the circumstances surrounding a particular point, or that supports or corroborates other evidence, for example by bolstering the accuracy of a witness's account. It allows a fact to be inferred rather than directly observed. Because it offers only indirect proof, circumstantial evidence typically cannot serve as the sole evidence in a case. For instance, if a person testified that she directly witnessed the defendant create and distribute malware, that testimony would constitute direct evidence. If a forensic examination of the defendant's computer revealed the source code for the malware, that finding would constitute circumstantial evidence: it makes the defendant's involvement more likely, but does not by itself show that the defendant wrote or distributed the malware.