One should take care and consider the appropriate technical and legal aspects for a debtor case using established digital/computer forensic methodologies. Every debtor case needs to be tailored to the facts and circumstances related to the information technologies used, and this cannot necessarily be pre-fabricated. The specific circumstances will need to be examined on a case-by-case basis by the digital forensic accounting technologist early in the case (before the 341 and/or 2004 exam).
General Rules:
- Do not turn on, start or use the debtor's computers, PDA or other digital devices
until the electronically stored information (ESI) has been safeguarded. - Always document every step during acquisition, preservation and processing of
the debtor's ESI. - Always gather and analyze the digital evidence in accordance with written polices
and procedures, allowing for flexibility as may be necessary for the individual
case. - Use current computer forensic hardware and software for examination of the
debtor's ESI. - Be familiar with the forensic tools that you are using to gather or analyze digital
evidence.
Chain of Evidence:
- Use and maintain chain-of-custody records during the life of the case for all
debtor hard drives, PDAs, tape backups and other media and devices. - Keep a chronological diary with dates, times and detailed notes as to the
investigation process.
Acquisition of the Debtor's ESI:
- Do not allow the writing of any information to the debtor's HDD or digital devices.
- Do not rely on write-protection software, and always use write-protection
hardware. - Use new/sanitize HDD prior to using for copying/storage of the debtor's forensic image(s).
- Acquire and secure the forensic image using a cryptographic hash digest value
for the debtor's HDD and other devices, always preserving the original debtor's
information. - Should the forensic image fail, the destination drive will be wiped (sanitized)
before re-use. - Create multiple forensic images for expanded investigation if necessary.
- Be prepared for confronting computer viruses and worms early in the case.
- Maintain adequate forensic software for locating and capturing encrypted
debtor information. - Examine all media sources for possible steganography and/or encrypted files,
folders and drives. - Search forensic image for hidden disk partitions and disk areas early in the case.
- Examine date settings early in the case.
- Review possible file backdating early in the case.
- Create a timeline analysis for the debtor’s ESI found on the forensic images.
Processing the Debtor's ESI:
- Restore additional forensic image to another sterile drive to have a bootable
clone if not using forensic software designed for this purpose. - Filter e-mail and instant messages by name, subject, key information, text, dates and multiple addresses.
- Create the combined digital data source ESI from all forensic images for expanded investigation if necessary.
- Index the debtor's combined digital data source ESI image for each file type/signature.
- Create and regularly update the combined digital data source ESI for fast searches.
- Use electronic Bates numbers to identify case facts, files and documents as
necessary.
Preservation of the Debtor's ESI:
- Protect and secure the debtor's HDD, PDA, digital devices and media for several years including providing for storage and related environmental safeguard and other conditions.
- Be prepared to protect and secure the "pristine" image of the debtor's HDD, PDA
and digital devices for several years including providing for storage and related
environmental safeguard and other conditions. - Use care when moving and examining the debtor's electronic information, and
document accordingly.
Golden Rule:
- Never turn on (or off) the debtor's computer or digital devices prior to the digital forensic accounting technologist safeguarding the property of the estate - NEVER.
Committees