If an online investigator saves certain web pages from a site, what is the legal status of the cache? I think that there is a strong argument that this is disclosable as it is material collected from the suspect's site, even though it may not be exhibited as primary evidence.
My standard advice is that it can't hurt to save this after an online session. Any thoughts?
How would you validate its authenticity?
Pat, what POV are you thinking of this from? Are you thinking as a defence expert, about requesting the cache, to try to back up / verify / disprove authenticity of some online investigation? From a prosecution POV, thinking of keeping it to again back up some online activity?
Neither and just pondering things?
Generally, the information contained in Web sites has been considered as public information, so copying Websites is not illegal unless you copy from a 'restricted access' Website. It becomes illegal if you use the contents of the website for illegal purposes.
Of course, it depends where you are… sometimes the Web site administrator sets the jurisdiction inside a contract that you have to sign by browse wrap or click wrap. The applicable law and applicable court are still the most difficult areas in IT Law.
Here are some ideas….
Could depend on the content and in which country/jurisdiction may be relevant, although you don't say whether the question relates to criminal or civil cases.
When you say 'certain' pages, are those pages from a site the hypothetical online investigator hacked into, used false identity to gain access to it, etc?
This hypothetical online investigator, was s/he authorised to obtain, store and be in possession of IIoC material?
How relevant is the content over time, eg has the content changed based upon the current content vis-a-vis previously cached webpages?
and so on…
I am looking at crim cases and from both points of view but I can see that the defence would have a reasonable case for requesting this.
It is a matter of fact that just by viewing a web page, the data is sent from the suspect or their agent to the investigator's machine. (I don't want to get into more complex examples, just a basic web site created by the suspect.) Just because the browser labels these files as temp does not mean that we as investigators have to treat them as such. The investigator may browse a site and choose to only forensically capture certain pages and these can be captured using the relevant procedures. But it is a matter of fact that additional files were looked at during the investigation (and therefore downloaded) and as these are in the possession of the investigator and were created during the investigation, it seems reasonable that they should be categorised as unused material. As the investigator, I don't think they have to identify in advance exactly why the defence would want to look at the material, simply does it come within that remit.
In the physical world, if I received a regular supply of leaflets or letters from a suspect, if I identified certain documents to exhibit, I would not dream of shredding the remaining documents, they would be categorised as unused material. If we fail to archive the cache, are we effectively shredding documents that were obtained during our investigation?
It's an interesting point. You are saying that if the temp files are not collected and logged etc. then in reality, one is throwing away evidence collected. In the same way that you wouldn't throw away any physical material simply because you didn't see a need for it at that point.
A counter to this would be: are you simply duplicating evidence? The temp files are a copy of the page on screen. So any pages that are suitable for collecting are collected already. Would it also complicate matters further, in so far as the investigator and the defence would now be ploughing through huge amounts of extra cached files and cookie files?
Bit of a logistical nightmare too, to select the temp files from that session on that website?
Another question to pose is could there be anything in the temp files that could question the case against the person? If so, then maybe they do become evidence.
I suspect that this will be settled in a case at some point. Are your thoughts that you should be doing this?
I may be being paranoid but we start out with a clean install in terms of the status of the browser cache so that when you come off line, you know that everything within the cache originates from that online session and it's pretty easy then to archive this data. It's then burnt to CD and placed in the unused material folder. It's such a simple process that I would rather do this than have a good/thorough defense ask for it and we reply that yes, the data was on our computer but we chose to delete it. (You are effectively making this choice by leaving the files in cache and letting them be written over in time.)
If the investigator has permanently captured every page that they visited then, yes, the cache is duplicating it but at least it then confirms that no additional pages were visited. If investigators pick and choose which pages to permanently save, then the ones they chose not to save are only existing within the cache.
Didn't assume you were working from a fresh install, so I accept that. I think you are a little over cautious, but as you say, better to say "yes" when the defence asks for the material, than to baulk. It also proves that there were no pages missed out as they didn't help your case.
I suggest you are taking the most sensible approach. I can't imagine it takes an additional CDs to record these files too, so sounds like a good MO IMHO.
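The archiving step described in the thread (clean browser cache, copy the cache when the session ends, burn it to CD) can be paired with a hash manifest recorded at capture time, so a later copy of the archive can be checked file by file. This is an added example, not code from any poster in the thread; the function names, directory layout and file contents are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def build_manifest(cache_dir):
    """Map each file under cache_dir (relative path) to its SHA-256 and size."""
    root = Path(cache_dir)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()  # cache objects are small; stream very large files
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
        }
    return manifest

def manifest_digest(manifest):
    """One hash over the canonical manifest, short enough to write in the case log."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify(cache_dir, manifest):
    """Compare a copy of the archive against the manifest recorded at capture time."""
    current = build_manifest(cache_dir)
    both = set(manifest) & set(current)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in both if manifest[k] != current[k]),
    }

def demo():
    """Constructed sample: three fake cache objects, then changes to the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        (cache / "entries").mkdir()
        (cache / "entries" / "0001").write_bytes(b"<html>page one</html>")
        (cache / "entries" / "0002").write_bytes(b"<html>page two</html>")
        (cache / "index").write_bytes(b"constructed index data")
        manifest = build_manifest(cache)
        sealed = manifest_digest(manifest)
        clean = verify(cache, manifest)
        (cache / "entries" / "0001").write_bytes(b"<html>altered</html>")
        (cache / "entries" / "0002").unlink()
        (cache / "entries" / "0003").write_bytes(b"late addition")
        return sealed, clean, verify(cache, manifest)

if __name__ == "__main__":
    print(demo())
```

A matching manifest shows only that the archive is unchanged since it was captured; it says nothing about where the content originally came from.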