• The jurisdiction where investigation occurs may require special certification or licensing to conduct digital forensic analysis.

• Authority to investigate must exist, and that authority is not without limit.

• The scope of the authorized investigation will likely be defined and must be well understood.

• Intruding on the privacy rights of relevant victim data custodians must be avoided.

• Other concerns raised by the victim might limit access to digital evidence stored on stand-alone devices.

• With respect to network devices, collection, preservation, and analysis of user-generated content (as compared to file or system metadata analysis) are typically handled pursuant to a methodology defined or approved by the victim.

• It is important to work with the victim to best understand the circumstances under which live network traffic or electronic communications can be monitored.

• Encountered data, such as personal, payment card, health, financial, educational, insider, or privileged information, may be protected by state or federal law in some way.

• Methods exist to obtain overseas evidence necessary to forensic analysis.

• In certain jurisdictions, restrictions may exist that prohibit the movement or transportation of relevant data to another jurisdiction.

• In certain jurisdictions, limitations relating to the types of investigative tools available to conduct relevant forensic analysis may exist.

• The functionality and nature of the use of investigative tools implicate these limitations.

• Understanding evidentiary requirements early on will improve chances for admissibility of relevant findings down the road.

• Whether and when to involve law enforcement in the malware investigation is an important determination.

• Approximately 45 states maintain private investigation laws that generally require the investigator to submit an application, pay a fee, possess certain experience requirements, pass an examination, and periodically renew the license once granted.¹

• Many state laws generally define private investigation to broadly include the “business of securing evidence to be used before investigating committees or boards of award or arbitration or in the trial of civil or criminal cases and the preparation therefore.”²

• Although such laws do not appear to implicate digital forensics conducted for investigatory purposes by internal network administrators or IT departments on data residing within a corporate environment or domain,³ once the investigation expands beyond the enterprise environment (to other networks or an Internet service provider, or involves the preservation of evidence for the pursuit of some legal right or remedy), licensing regulation appears to kick in within several state jurisdictions.

• Roughly 32 states’ statutes can be interpreted to include digital forensic investigators, like those in force in Florida, Georgia, Michigan, New York, Nevada, Oregon, Pennsylvania, South Carolina, Texas, Virginia, and Washington.

• On the other hand, some states exempt “technical experts”⁴ or “any expert hired by an attorney at law for consultation or litigation purposes”⁵ from private investigation licensing requirements. Indeed, at least one state, Delaware, has specifically excluded from regulation “computer forensic specialists,” defined as “persons who interpret, evaluate, test, or analyze pre-existing data from computers, computer systems, networks, or other electronic media, provided to them by another person where that person owns, controls, or possesses said computer, computer systems, networks, or electronic media.”⁶ A subcommittee of the American Bar Association (ABA) has urged the same result.⁷

• Given that most state licensing requirements vary and may change on a fairly regular basis, consult the appropriate state agency in the jurisdiction where you will perform digital forensic analysis early and often. Navigate to http://www.crimetime.com/licensing.htm or http://www.pimagazine.com/private_investigator_license_requirements.html to find relevant links pertaining to your jurisdiction and obtain qualified legal advice to be sure.

• Some legislation contains specific language creating a private right of action for licensing violations.

• Indirect penalties may include equitable relief stemming from unlawful business practice in the form of an injunction or restitution order, exclusion of any evidence gathered by the unlicensed investigator, or a client’s declaration of breach of contract and refusal to pay for the investigator’s services.

• Internal investigators assigned to work an investigative matter on behalf of their corporation often derive authority to investigate from well-defined job descriptions tied to the maintenance and security of the corporate computer network.

• Written incident response policies may similarly inform the way in which a network administrator or corporate security department uses network permissions and other granted resources to launch and carry out corporate investigative objectives.

• Chains of corporate command across information security, human resources, legal, and management teams will inform key investigative decisions about containment of ongoing network attacks, how best to correct damage to critical systems or data, whether and the extent to which alteration of network status data for investigative purposes is appropriate, or even the feasibility of shutting down critical network components or resources to facilitate the preservation of evidence.

• Internal considerations also indirectly source the authority of the external investigator hired by corporate security or in-house counsel or outside counsel on behalf of the victim corporation.

• More directly, the terms and conditions set forth in engagement letters, service agreements, or statements of work often specifically authorize and govern the external investigator’s access to and analysis of relevant digital evidence.

• Non-disclosure provisions with respect to confidential or proprietary corporate information may not only obligate the digital investigator to certain confidentiality requirements, but also may proscribe the way in which relevant data can be permissibly transported (i.e., hand-carried not couriered or shipped) or stored for analysis (i.e., on a private network with no externally facing connectivity).

• Service contracts may require special treatment of personal, payment card, health, insider, and other protected data that may be relevant to forensic investigation (a topic addressed later in the “Protected Data” section of this chapter).

• A victim corporation’s obligations to users of the corporate network may further limit grants of authority to both the internal and external digital investigator.

• Sanctions ranging from personnel or administrative actions, to civil breach of contract or privacy actions, to criminal penalties can be imposed against investigators who exceed appropriate authority.

• Federal and state statutes authorize law enforcement to conduct malware forensic investigations with certain limitations.⁹

• Public authority for digital investigators in law enforcement comes with legal process, most often in the form of grand jury subpoenas, search warrants, or court orders.

• The type of process often dictates the scope of authorized investigation, both in terms of what, where, and the circumstances under which electronic data may be obtained and analyzed.

• Attention to investigating within the scope of what has been authorized is particularly critical in law enforcement matters where evidence may be suppressed and charges dismissed otherwise.¹⁰

• Retained experts may be deemed to be acting in concert with law enforcement—and therefore similarly limited to the scope of the authorized investigation—if the retained expert’s investigation is conducted at the direction of, or with substantial input from, law enforcement.

• For more information, refer to the discussion of whether, when, and how to involve law enforcement in conducting malware forensic investigations, appearing later in the “Involving Law Enforcement” section of this chapter.

• Authorized access to stored e-mail data on a private network that does not provide mail service to the public generally would not implicate Electronics Communications Privacy Act (ECPA) prohibitions against access and voluntary disclosure, even to law enforcement.¹²

• E-mail content, transactional data relating to e-mail transmission, and information about the relevant user on the network can be accessed and voluntarily disclosed to anyone at will.

• If the network is a public provider of e-mail service, like AOL or Yahoo! for example, content of its subscribers’ e-mail, or even non-content subscriber or transactional data relating to such e-mails in certain circumstances, cannot be disclosed, unless certain exceptions apply.

• A public provider can voluntarily disclose non-content customer subscriber and transactional information relating to a customer’s use of the public provider’s mail service:

• With respect to the content of a customer subscriber’s e-mail, a public provider can voluntarily disclose to law enforcement:

• Of course, if the public provider is served with a grand jury subpoena or other legal process compelling disclosure, that is a different story.

• Otherwise, through the distinctions between content and non-content and disclosure to a person and disclosure to law enforcement, ECPA endeavors to balance private privacy with public safety.

• The Wiretap Act, often referred to as “Title III,” protects the privacy of electronic communications by prohibiting any person from intentionally intercepting, or attempting to intercept, their contents by use of a device.¹⁵

• In most jurisdictions, electronic communications are “intercepted” within the meaning of the Wiretap Act only when such communications are acquired contemporaneously with their transmission, as opposed to stored after transmittal.¹⁶

• There are three exceptions to the Wiretap Act relevant to the digital investigator: the provider exception; consent of a party; and the computer trespasser exception.

• The provider exception affords victim corporations and their retained digital investigators investigating the unauthorized use of the corporate network fairly broad authority to monitor and disclose to others (including law enforcement) evidence of unauthorized access and use, so long as that effort is tailored to both minimize interception and avoid disclosure of private communications unrelated to the investigation.¹⁷

• In practical terms, while the installation of a sniffer to record the intruder’s communication with the victim network in an effort to combat ongoing fraudulent, harmful, or invasive activity affecting the victim entity’s rights or property may not violate the Wiretap Act, the provider exception does not authorize the more aggressive effort to “hack back” or otherwise intrude on an intruder by gaining unauthorized access to the attacking system (likely an innocent compromised machine anyway).

• Do not design an investigative plan to capture all traffic to the victimized network; instead avoid intercepting traffic communications known to be innocuous.

• The consent exception authorizes interception of electronic communications where one of the parties to the communication¹⁸ gives explicit consent or is deemed upon actual notice to have given implied consent to the interception.¹⁹

• Guidance from the Department of Justice recommends that “organizations should consider deploying written warnings, or “banners,” on the ports through which an intruder is likely to access the organization’s system and on which the organization may attempt to monitor an intruder’s communications and traffic.

• If a banner is already in place, it should be reviewed periodically to ensure that it is appropriate for the type of potential monitoring that could be used in response to a cyber attack.²⁰

• If banners are not in place at the victim company, consider whether the obvious notice of such banners would make monitoring of the ongoing activities of the intruder more difficult (and unnecessarily so where the provider exception remains available) before consulting with counsel to tailor banner content best suited to the type of monitoring proposed.

• Solid warnings often advise users that their access to the system is being monitored, that monitoring data may be disclosed to law enforcement, and that use of the system constitutes consent to surveillance.

• Keep in mind that while the more common network ports are bannerable, the less common (the choice of the nimble hacker) often are not.

• The computer trespasser exception gives law enforcement the ability with the victim provider’s consent to intercept communications exclusively between the provider and an intruder who has gained unauthorized access to the provider’s network.²¹

• This exception is not available to digital investigators retained by the provider, but only to those acting in concert with law enforcement.

• Do not forget the interplay of other limits of authority discussed elsewhere in this chapter, bearing in mind that such limitations may trump exceptions otherwise available under the Wiretap Act to digital investigators planning to conduct network surveillance on a victim’s network.

• For digital investigators who need only collect real-time the non-content portion of Internet communications—the source and destination IP address associated with a network user’s activity, the header and “hop” information associated with an e-mail sent to or received by a network user, the port that handled the network user’s communication a network user uses to communicate—be mindful that an exception to the federal Pen Registers and Trap and Trace Devices statute²² nonetheless must apply for the collection to be legal.

• Although the statute generally prohibits the real-time capture of traffic data relating to electronic communications, provider and consent exceptions similar and broader to those found in the Wiretap Act are available.

• Specifically, corporate network administrators and the digital investigators they retain to assist have fairly broad authority to use a pen/trap device on the corporate network without court order so long as the collection of non-content:

• Remember that surveillance of the content of any communication would implicate the separate provisions and exceptions of the Wiretap Act.

• Responding to an incident at a financial institution that compromises customer accounts may implicate the provisions of the Gramm Leach Bliley Act, also known as the Financial Services Modernization Act of 1999, which protects the privacy and security of consumer financial information that financial institutions collect, hold, and process.²³

• The Act generally defines a “financial institution” as any institution that is significantly engaged in financial activities.”²⁴

• The regulation only protects consumers who obtain financial products and services primarily for person, family, or household purposes.

• The regulation:

• In addition to these requirements, the regulations set forth standards for how financial institutions must maintain information security programs to protect the security, confidentiality, and integrity of customer information. Specifically, financial institutions must maintain adequate administrative, technical, and physical safeguards reasonably designed to:

• Be careful when working with financial institution data to obtain and document the scope of authorization to access, transport, or disclose such data to others.²⁵

• The Health Insurance Portability and Accountability Act (HIPAA)²⁶ applies generally to covered entities (health plans, health-care clearinghouses, and health-care providers who transmit any health information in electronic form),²⁷ and provides rules designed to ensure the privacy and security of individually identifiable health information (“protected health information”), including such information transmitted or maintained in electronic media (“electronic protected health information”).

• HIPAA specifically sets forth security standards for the protection of electronic protected health information.

• In February 2009, the American Recovery and Reinvestment Act (ARRA) became law, subjecting business associates—vendors, professional service providers, and others that perform functions or activities involving protected health information for or on behalf of covered entities—to many of the health information protection obligations that HIPAA imposes on covered entities.²⁸

• Given these stringent requirements, investigative steps involving the need to access, review, analyze, or otherwise handle electronic protected health information should be thoroughly vetted with counsel to ensure compliance with the HIPAA and ARRA security rules and obligations.²⁹

• The Sarbanes-Oxley Act (SOX)³⁰ broadly requires public companies to institute corporate governance policies designed to facilitate the prevention, detection, and handling of fraudulent acts or other instances of corporate malfeasance committed by insiders.

• Other provisions of SOX were clearly designed to deter and punish the intentional destruction of corporate records.

• In the wake of SOX, many public companies overhauled all kinds of corporate policies that may also implicate more robust mechanisms for the way in which financial and other digital corporate data is handled and stored.

• During the early assessment of the scope and limits of authority to conduct any internal investigation at a public company, be mindful that a SOX-compliant policy may dictate or limit investigative steps.

• Information About Children: The Child Online Privacy Protection Act (COPPA)³¹ prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet. The Juvenile Justice and Delinquency Prevention Act,³² governing both the criminal prosecution and the delinquent adjudication of minors in federal court, protects the juvenile defendant’s identity from public disclosure.³³ If digital investigation leads to a child, consult counsel for guidance on the restrictions imposed by these federal laws.

• Child Pornography: 18 U.S.C. § 1466A proscribes among other things the possession of obscene visual representations of the sexual abuse of children. Consider including in any digital forensic services contract language that reserves the right to report as contraband to appropriate authorities any digital evidence encountered that may constitute child pornography.

• Student Educational Records: The Family Education Rights and Privacy Act³⁴ prevents certain educational institutions from disclosing a student’s “personally identifiable education information,” including grades and student loan information, without the student’s written permission. Again, authority to access and disclose this type of information should be properly vetted with the covered educational institution or its counsel.

• Payment Card Information: The Payment Card Industry Data Security Standards (PCI DSS) established common industry security standards for storing, transmitting, and using credit card data, as well as managing computer systems, network devices, and the software used to store, process, and transmit credit card data. According to these established guidelines, merchants who store, process, or transmit credit card information, in the event of a security incident, must take immediate action to investigate the incident, limit the exposure of cardholder data, make certain disclosures, and report investigation findings. When handling PCI data during the course of digital investigation, be sure to understand these heightened security standards and requirements for disclosure and reporting.

• Privileged Information: Data relevant to the digital investigator’s analysis may constitute or be commingled with information that is protected by the attorney–client privilege or the attorney work product doctrine. Digital investigator access to or disclosing of that data, if not performed at the direction of counsel, may be alleged to constitute a waiver of these special protections.

• Forty-four states have passed a data breach notification law requiring owners of computerized data that include consumer personal information to notify any affected consumer following a data breach that compromises the security, confidentiality, or integrity of that personal information.

• The statutes generally share the same key elements, but vary in how those elements are defined, including the definitions of “personal information,” the entities covered by the statute, the kind of breach triggering notification obligations, and the notification procedures required.³⁵

• Personal information has been defined across these statutes to include some or all of the following:

• Most statutes exempt reporting if the compromised information is “encrypted,” although the statues do not always set forth the standards for such encryption. Some states exempt reporting if, under all circumstances, there is no reasonable likelihood of harm, injury, or fraud to customers. At least one state requires a “reasonable investigation” before concluding no reasonable likelihood of harm.

• Notification to the affected customers are ordinarily made in writing, electronically, telephonically, or, in the case of large-scale breaches, through publication. Under most state statutes, Illinois being an exception, notification can be delayed if it is determined that the disclosure will impede or compromise a criminal investigation.

• Understanding the breach notification requirements of the state jurisdiction in which the investigation is conducted is important to the integrity of the digital examiner’s work, as the scope and extent of permissible authority to handle relevant personal information may be different than expected. Consult counsel for clear guidance on how to navigate determinations of encryption exemption and assess whether applicable notice requirements will alter the course of what otherwise would have been a more covert operation designed to avoid tipping the subject or target.

• Intrusion detection systems

• Firewalls, routers, VPN appliances

• Web, mail, and file servers

• Output from ordinary course systems, devices, and servers constitutes a record generated for a business—a class of evidence for which there exists recognized indicia of reliability.

• Documentation and custodial testimony will support admissibility of such output.

• Simple traceroutes

• WHOIS lookups

• Other network-based tools

• Inside the victim network

• Outside the victim network

• Repeatable

• Supported by meticulous note taking

• Investigative steps were taken consistent with corporate policy and personal, customary, and best practice.

• Investigative use of tools was consistent without sound legal advice.

• What It Is:

• The Problem:

• What It Is:

• The Problem:

• What It Is

• The Problem

• The Issue

• The Problem

• Pay close attention to the emerging laws on misuse of devices, particularly when conducting forensic analysis in the 43 countries that have committed to implement the Convention and its provisions.

• When in doubt, obtain appropriate legal advice.

• Although inapplicable to data efforts made in the context of criminal law enforcement or government security matters, the 1995 European Union Data Protection Directive,⁴⁴ a starting point for the enactment of country-specific privacy laws within the 27 member countries that subscribe to it,⁴⁵ sets forth 8 general restrictions on the handling of workplace data⁴⁶:

• With respect to the restriction on onward transfer, no definition of “adequate” privacy protection is provided in the European (EU) Directive. Absent unambiguous consent obtained from former or current employee data subjects that affords the digital investigator the ability to transport the data back to the lab,⁴⁷ none of the other exceptions to the “onward transfer” prohibition in the EU Directive appear to apply to internal investigations voluntarily conducted by a victim corporation responding to an incident of computer fraud or abuse. As such, the inability to establish the legal necessity for data transfers for fact finding in an internal inquiry may require the digital investigator to preserve, collect, and analyze relevant data in the European country where it is found.

• When the EU questioned whether “adequate” legal protection for personal data potentially blocked all data transfers from Europe to the United States, the U.S. Department of Commerce responded by setting up a Safe Harbor framework imposing safeguards on the handling of personal data by certified individuals and entities.⁴⁸

• In 2000, the EU approved the Safe Harbor framework as “adequate” legal protection for personal data, approval that binds all the member states to the Directive.⁴⁹

• A Safe Harbor certification by the certified entity amounts to a representation to European regulators and individuals working in the EU that “adequate” privacy protection exists to permit the transfer of personal data to that U.S. entity.⁵⁰

• Safe Harbor certification may nonetheless conflict with the onward transfer restrictions of member state legislation implemented under the Directive, as well as “blocking statutes,” such as the one in France that prohibits French companies and their employees, agents, or officers from disclosing to foreign litigants or public authorities information of an “economic, commercial, industrial, financial, or technical nature.”⁵¹

• Parties to a bilateral treaty that places an unambiguous obligation on each signatory to provide assistance in connection with criminal and in some instances regulatory matters may make requests between central authorities for the preservation and collection of computer media and digital evidence residing in their respective countries.⁵²

• The requesting authority screens and forwards requests from its own local, state, or national law enforcement entities, and the receiving authority then has the ability to delegate execution of the request to one of its entities.

• For foreign authorities seeking to gather evidence in the United States, the U.S. Department of Justice is the central authority, working through its Office of International Affairs.

• The central authority at the receiving end of an MLAT request may be very reluctant to exercise any discretion to comply. That being said, most central authorities are incentivized to fulfill MLAT requests so that similar accommodation will accompany requests in the other direction.

• A less reliable, more time-consuming mechanism of the MLAT is the letter rogatory or “letter of request,” which is a formal request from a court in one country to “the appropriate judicial authorities” in another country requesting the production of relevant digital evidence.⁵³

• The country receiving the request, however, has no obligation to assist.

• The process can take a year or more.

• In addition to the widely known Council of Europe and G8, a number of international organizations are attempting to address the difficulties digital investigators face in conducting network investigations that so often involve the need to preserve and analyze overseas evidence.

• Informal assistance and support through the following organizations may prove helpful in understanding a complicated international landscape:

• The threat of public attention and embarrassment, particularly to shareholders, often casts its cloud over management.

• Nervous network administrators, fearful of losing their jobs, perceive themselves as having failed to adequately protect and monitor relevant systems and instead focus on post-containment and prevention.

• Legal departments, having determined that little or no breach notification to corporate customers was required in the jurisdictions where the business operates, would rather not rock the boat.

• Audit committees and boards often would rather pay the cyber extortionist’s ransom demand in exchange for a “promise” to destroy the stolen sensitive data, however unlikely, and even when counseled otherwise, rather than involve law enforcement.

• Victims are confused about which federal, state, or local agency to contact.

• Victims are concerned about law enforcement agent technical inexperience, agency inattention, delay, business interference, and damage to network equipment and data.

• Victims fear the need to dedicate personnel resources to support the referral.

• Victims exaggerate the unlikelihood that a hacker kid living in a foreign country will ever see the inside of a courtroom.

• Because the present proliferation of computer fraud and abuse is unparalleled,⁵⁵ domestic and foreign governments alike have invested significant resources in the development and training of technical officers, agents, and prosecutors to combat cybercrime in a nascent legal environment.

• Law enforcement understands that internal and external digital investigators are the first line of defense and in the best positions to detect, initially investigate, and neatly package some of the best evidence necessary for law enforcement to successfully seek and obtain real deterrence in the form of jail time, fines, and restitution.

• Evidence collected by internal and external digital investigators is only enhanced by the legal process (grand jury subpoena, search warrants) and data preservation authority (pen registers, trap and traces, wiretaps) available to law enforcement and not available to any private party.

• International cooperation among law enforcement in the fight against cybercrime has never been better, as even juveniles are being hauled into federal court for their cyber misdeeds.⁵⁶

• The victim company may be more interested in protecting its network or securing its information than, for example, avoiding containment to allow law enforcement to obtain necessary legal process to real-time monitor future network events caused by the intruder.

• Despite misimpressions to the contrary, victim companies rarely lose control over the investigation once a referral is made; rather, law enforcement often requires early face time and continued cooperation with the administrators and investigators who are most intimate with and knowledgeable of the affected systems and relevant discovered data. Constant consultation is the norm.

• Although law enforcement will be careful not to direct any future actions by the digital investigator, thereby creating the possibility that a future court deems and suppresses the investigator’s work as the work of the government conducted in violation of the heightened legal standards of process required of law enforcement, the digital investigator may be required to testify before a grand jury impaneled to determine if probable cause that a crime was committed exists, or even to testify before a trial jury on returned and filed charges.

• Remember the scope and limitations of authority that apply, and let the victim company and law enforcement reach a resolution that is mutually beneficial.

• Staying apprised of the direction of the investigation, whether it stays private, becomes public, or proceeds on parallel tracks (an option less favored by law enforcement once involved), will help the digital investigator focus on what matters most—repeatable, reliable, and admissible findings under any circumstance.

• Document in sufficient technical detail each early effort to identify and confirm the nature and scope of the incident.

• Keep, for example, a list of the specific systems affected, the users logged on, the number of live connections, and the processes running.

• Note when, how, and the substance of observations made about the origin of attack; the number of files or logs that were created, deleted, last accessed, modified, or written to; user accounts or permissions that have been added or altered; machines to which data may have been sent; and the identity of other potential victims.

• Record observations about the lack of evidence—ones that may be inconsistent with what was expected to be found based on similar incident handling experiences.

• Keep a record of the methodology employed to avoid altering, deleting, or modifying existing data on the network.

• Track measures taken to block harmful access to, or stop continuing damage on the affected network, including filtered or isolated areas.

• Remember early on to begin identifying and recording the extent of damage to systems and the remediative costs incurred—running notations that will make future recovery from responsible parties and for any subsequent criminal investigation that much easier.

• At the outset, create forensically sound redundant hashed images of original media, store one with the original evidence, and use the remaining image as a working copy for analysis. Do not simply logically copy data, even server level data, when avoidable.

• Immediately preserve backup files and relevant logs.

• When preserving data, hash, hash, hash. Hash early to correct potentially flawed evidence handling later.

• During analysis, hash to find or exclude from examination known files.

• Consider using Camatasia or other screen capture software to preserve live observations of illicit activity before containment. This is a way to supplement evidence obtained from enabled and extended network logging.

• If legal counsel has approved the use of a “sniffer” or other monitoring device to record communications between the intruder and any server that is under attack, be careful to preserve and document relevant information about those recordings.

• The key is to use available forensic tools to enhance the integrity, reliability, and repeatability of the work.

• Although chain of custody goes to the weight not the admissibility of the evidence in most court proceedings, the concept remains nonetheless crucial, particularly where evidence may be presented before grand juries, arbitrators, or in similar alternative settings where evidentiary rules are relaxed, and as such, inexplicable interruptions in the chain may leave the evidence more susceptible to simply being overlooked or ignored.

• The ability to establish that data and the investigative records generated during the process are free from contamination, misidentification, or alteration between the time collected or generated and when offered as evidence goes not just to the integrity of evidence but its very relevance—no one will care about an item that cannot be established as being what it is characterized to be, or a record that cannot be placed in time or attributed to some specific action.

• For data, the chain of custody form need not be a treatise; simply record unique identifying information about the item (serial number), note the date and description of each action taken with respect to the item (placed in storage, removed from storage, mounted for examination, returned to storage), and identify the actor at each step (presumably a limited universe of those with access).

• A single actor responsible for generated records and armed with a proper chain of custody form for data can lay sufficient evidentiary foundation without having to present every actor in the chain before the finder of fact.

Treaties in Force: A List of Treaties and Other International Agreements of the United States in Force

http://www.state.gov/documents/organization/89668.pdf

Preparation of Letters Rogatory

http://travel.state.gov/law/judicial/judicial_683.html

Organization of American States

Inter-American Cooperation Portal on Cyber-Crime

http://www.oas.org/juridico/english/cyber.htm

Council of Europe Convention of Cybercrime

http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=1&CL=ENG (and more generally) http://www.coe.int/t/dc/files/themes/cybercrime/default_EN.asp?

European Commission 2010 Directive On Attacks Against Information Systems

http://ec.europa.eu/home-affairs/policies/crime/1_EN_ACT_part1_v101.pdf

European Network of Forensic Science Institutes

(Memorandum signed for International Cooperation in Forensic Science)

http://www.enfsi.eu/page.php?uid=1&nom=153

G8 High-Tech Crime Subgroup

(Data Preservation Checklists)

http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/Points%20of%20Contact/24%208%20DataPreservationChecklists_en.pdf

Interpol

Information Technology Crime—Regional Working Parties

http://www.interpol.int/public/TechnologyCrime/Default.asp

Asia-Pacific Economic Cooperation

Electronic Commerce Steering Group

http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group.aspx

Organization for Economic Cooperation & Development

Working Party on Information Security & Privacy

(APEC-OECD Workshop on Malware—Summary Record—April 2007)

http://www.oecd.org/dataoecd/37/60/38738890.pdf

The Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

http://www.oecd.org/document/18/0,3746,en_2649_34255_1815186_1_1_1_1,00.html

The International Cyber Security Protection Alliance (ICSPA) Cyber-Security News Feed

https://www.icspa.org/nc/media/cyber-security-news-feed/

Maurushat, A. (2010). Australia’s Accession to the Cybercrime Convention: Is the Convention Still Relevant in Combating Cybercrime in the Era of Botnets and Obfuscation Crime Tools?, University of New South Wales Law Journal, Vol. 33(2), pp. 431–473.

Available at http://www.austlii.edu.au/au/journals/UNSWLRS/2011/20.txt/cgi-bin/download.cgi/download/au/journals/UNSWLRS/2011/20.rtf.

1. Disclosure is inadvertent;

2. Holder of the privilege or protection took reasonable steps to prevent disclosure; and

3. Holder promptly took reasonable steps to rectify the error.