What are the methods to fix and preserve electronic evidence?


Collection methods of common electronic evidence

Source:/zhangkai769805/blog/item/37a06 Author: Fan Lili Long Wen.

With the popularization of computer and network technology, the information age has brought great changes to all aspects of social life: the use of credit cards and smart cards, communication by e-mail, and small transactions over the Internet. From electronic data interchange (EDI), to document management in government agencies, to modern Internet-based e-commerce, countless traditional concepts have been thoroughly reinterpreted. In the field of litigation, computer-based forms of evidence have existed ever since computers entered social life. Government departments, companies, other organizations and individuals use computers widely and frequently to create documents, save files, trade and communicate, which makes computer-based evidence an important means of discovering the truth in the information age. Considering the electronic evidence encountered in daily life, there are several ways to collect it:

I. Special tools for collecting electronic evidence

1. Special tools for collecting electronic evidence

Electronic evidence is a product of technological development, and some special tools must be used in the process of obtaining it.

Data extraction and analysis tools are the most basic tools in the network forensics expert's toolkit. They include not only command-line tools that already exist in the operating system, but also special-purpose tools, software and toolkits.

The special tools used in network forensics include scanning tools.

2. Other tools

These mainly include: blank disks suitable for different drives, portable recorders, scanners, notebook computers, modems, etc.

II. Because electronic evidence is diverse, different forms should be treated differently when collecting

1. Collecting electronic evidence in the form of mobile phone short messages. In recent years, SMS has become an important way for people to keep in contact. Because of its convenience and concealment, criminals also regard it as an important means and tool of crime, for example using short messages to direct criminal activities or to engage in fraud directly. In such cases, if this evidence can be collected, it will often play a decisive role in confirming the case, because each mobile phone user's phone number and network access card number are unique, and after a short message is sent, the receiver's phone can display the other party's number. Only in this way can we determine who the sender is, which helps confirm the facts of the case.

When collecting this kind of evidence, the following methods can be adopted. First, if the receiving party has not deleted the short message, save the message directly and seal the mobile phone as evidence material for the final trial. Second, if the SMS related to the case has been deleted, its content can be retrieved through the SMS operator. When collecting, the sending time, mobile phone number and content of the corresponding message can be printed out from the operator's stored records, and the source can be confirmed by the signature and seal of the staff present, for use in investigation and trial.

2. Collecting electronic evidence in the form of e-mail. E-mail is a new way of communication based on the Internet. Unlike traditional communication, it converts what people want to express into digital signals, which are transmitted over the network and presented on the other party's computer screen. E-mail has been recognized in civil litigation. For example, China's contract law stipulates that the written form of a contract includes electronic data mail. In the field of criminal proceedings, it is also reflected in the interpretations of judicial organs, but there is no provision on how to collect it. When collecting, we must first understand the characteristics of e-mail. E-mail differs from other forms of electronic evidence in that every e-mail user must have an e-mail address, and each e-mail address has a unique user name, account name and password. The header of a plain e-mail carries the sender, the website address and the sending and receiving times. Anyone who knows the user name, account name and password of a registered user can send, receive or delete e-mails. Of course, for ordinary people it is not easy to modify files directly in the inbox, because the files in the inbox are read-only and modification is refused. Even if a file is saved, that only changes its location and cannot change its attributes.

In view of these characteristics, there is a precondition for collection: the e-mail must be collected in a safe environment, that is, the hardware and operating system of the computer where the e-mail resides are secure and the e-mail has not been attacked by viruses or hackers; otherwise the collected evidence materials are meaningless. To meet this requirement, the personnel doing the collection must have certain computer and network skills and certain equipment. In civil litigation, the Supreme People's Court, in Several Provisions on Evidence in Civil Litigation, provided for experts appearing in court to testify, which is called the technical consultant system abroad. In the collection of electronic evidence, specialized technicians can be hired to explain the collection when they appear in court. Professionally collected e-mail can be fixed by printing or copying, and the content and user name of the e-mail can be displayed directly in court through a multimedia demonstration.
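As an added illustration (not part of the original article), the sketch below reads the header fields named above (sender, sending time, receiving times) from a byte-for-byte copy of a message and records them for fixation. The SHA-256 digest is an assumption added here, not a step the article prescribes; it lets a later copy be shown identical to the one collected. The sample message and the names `fixation_record` and `matches_record` are constructed for the example.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not real evidence); hosts and addresses are reserved examples.
RAW_EMAIL = (
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx.receiver.example with ESMTP id ABC123;\r\n"
    b"\tMon, 03 Mar 2008 09:15:42 +0800\r\n"
    b"Received: from client-pc (unknown [198.51.100.7])\r\n"
    b"\tby mail.sender.example with ESMTP id XYZ789;\r\n"
    b"\tMon, 03 Mar 2008 09:15:40 +0800\r\n"
    b"From: Zhang San <zhangsan@sender.example>\r\n"
    b"To: Li Si <lisi@receiver.example>\r\n"
    b"Date: Mon, 03 Mar 2008 09:15:38 +0800\r\n"
    b"Subject: Contract draft\r\n"
    b"\r\n"
    b"Please confirm the attached terms.\r\n"
)

def fixation_record(raw: bytes) -> dict:
    """Summarise sender, sending/receiving times and a digest of the exact copy."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    # Each server prepends its own Received header, so the first one is the latest hop.
    for received in msg.get_all("Received", []):
        route, sep, stamp = str(received).rpartition(";")
        if not sep:                      # no timestamp part: keep the route text only
            route, stamp = stamp, ""
        try:
            when = parsedate_to_datetime(stamp.strip()).isoformat()
        except (TypeError, ValueError):
            when = None                  # malformed time: record its absence, do not guess
        hops.append({"route": " ".join(route.split()), "received_at": when})
    sent = msg["Date"]
    return {
        "sender": str(msg["From"]),
        "sent_at": sent.datetime.isoformat() if sent is not None else None,
        "hops_latest_first": hops,
        # Hash the raw bytes, not the parsed text, so any later change is detectable.
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def matches_record(copy: bytes, record: dict) -> bool:
    """True if a later copy is byte-identical to the message that was recorded."""
    return hashlib.sha256(copy).hexdigest() == record["sha256"]
```

The sending time comes from the sender's own `Date` header, while each receiving time is stamped by a mail server along the path, so the two should be read together rather than either one alone.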

3. Collecting electronic evidence in the form of online chat. With the development of network technology, online chat has become an instant two-way communication method, mainly including chat-room chat and QQ chat. Chat-room chat is "one-to-many" public chat through a chat room opened on a website, while QQ chat is "one-to-one" private chat. Compared with e-mail, the environment in which it exists is more open and it is more difficult to collect. There are therefore three kinds of evidence to collect for online chat. The first is evidence of chat content, including the content of the conversation and the simple personal information of the participants. Of course, this information is generally false, and there must also be a collected Internet IP address and network support for surfing the Internet. The second is evidence of the system environment, that is, whether the software and hardware of the computer used are working normally, which helps prove the reliability of the online chat evidence. The third is evidence of incidental information, such as IP address, server, online account and information transmission path, so as to connect the chat participant with a specific actor. Chat content can be collected from Internet service providers by copying and printing. If the network service provider has not saved it, it can be collected from the computer records of both parties and fixed by copying or printing. For chat records that have been tampered with, specialized technicians can be hired to recover them, because current technology is enough to prove that every hard disk erase record can be recovered, and the computer's modification of files does not completely delete or overwrite them. Evidence collected in this way can be fixed through expert conclusions issued by relevant experts, and can be used as regenerative evidence.

Authors: Science and Technology Department of Shuozhou Public Security Bureau

Fan Lili Longwen