Server Evidence Collection - Critical Decision Points
SECTION 1: LEGAL AUTHORIZATION
↓
⚖️ VERIFY LEGAL AUTHORIZATION (THREE TYPES)
Type 1: Consent (written - from authorized corporate officer)
Type 2: Warrant (judicial authority - must specify scope)
Type 3: Independent Expert Appointment
⛔ NO coercive activity without authorization
Authorization must cover: server location, cloud/remote access, business disruption
Type 1: Consent (written - from authorized corporate officer)
Type 2: Warrant (judicial authority - must specify scope)
Type 3: Independent Expert Appointment
⛔ NO coercive activity without authorization
Authorization must cover: server location, cloud/remote access, business disruption
↓
SECTION 2: SCENE RESPONSE
↓
⚖️ CONTRADICTORY PROCESS - LEGAL REQUIREMENT
ALL on-site operations MUST follow contradictory process:
• Server owner/legal representative MUST be present
• Witness(es) MUST be present throughout
• All operations in presence of all parties
• System administrators documented
• Ensures transparency and strengthens evidence
ALL on-site operations MUST follow contradictory process:
• Server owner/legal representative MUST be present
• Witness(es) MUST be present throughout
• All operations in presence of all parties
• System administrators documented
• Ensures transparency and strengthens evidence
↓
📸 PHOTOGRAPH EVERYTHING
Server rack/cabinet from all angles
Cable connections, LED indicators
Collect biological traces
Secure scene | Document all parties present
Server rack/cabinet from all angles
Cable connections, LED indicators
Collect biological traces
Secure scene | Document all parties present
↓
⚖️ ALBANIAN LAW - ARTICLE 37
SELF-INCRIMINATING STATEMENTS
BEFORE ANY QUESTIONING (including technical questions):
IF person makes statement raising suspicion of guilt:
⚠️ IMMEDIATELY INTERRUPT questioning
⚠️ Issue MANDATORY warnings:
• "Investigation may be carried out against you"
• "You have the right to appoint a lawyer"
• "You have right to lawyer presence during questioning"
❌ Statements BEFORE warning = INADMISSIBLE
⚠️ IF lawyer requested: SUSPEND all questioning
Applies to ALL questions (passwords, configs, admin access, etc.)
SELF-INCRIMINATING STATEMENTS
BEFORE ANY QUESTIONING (including technical questions):
IF person makes statement raising suspicion of guilt:
⚠️ IMMEDIATELY INTERRUPT questioning
⚠️ Issue MANDATORY warnings:
• "Investigation may be carried out against you"
• "You have the right to appoint a lawyer"
• "You have right to lawyer presence during questioning"
❌ Statements BEFORE warning = INADMISSIBLE
⚠️ IF lawyer requested: SUSPEND all questioning
Applies to ALL questions (passwords, configs, admin access, etc.)
↓
SECTION 3: SERVER TYPE & LOCATION
↓
Server Location Type?
Physical On-Site
↓
Proceed to
SERVER STATE ASSESSMENT
(Section 4 below)
SERVER STATE ASSESSMENT
(Section 4 below)
Remote/Cloud Hosted
↓
⚠️ CRITICAL FIRST STEP
VERIFY DATA STORAGE LOCATION
(Domestic vs. Foreign)
Contact cloud provider/hosting company
Identify physical server location
Document country/jurisdiction
VERIFY DATA STORAGE LOCATION
(Domestic vs. Foreign)
Contact cloud provider/hosting company
Identify physical server location
Document country/jurisdiction
↓
Data stored in foreign country?
↓
NO - Domestic
↓
Apply domestic legal framework
Standard provider procedures
Standard provider procedures
YES - FOREIGN
↓
BUDAPEST CONVENTION APPLIES
Articles 32 & 16 MANDATORY
See SECTION 7 below
Articles 32 & 16 MANDATORY
See SECTION 7 below
↓
SECTION 4: SERVER STATE ASSESSMENT
(Physical On-Site Servers)
(Physical On-Site Servers)
↓
Server Power State: OFF or ON?
OFF
↓
✓ DO NOT power on
✓ Label all cables
✓ Disconnect carefully
✓ Seal device
✓ Transport to lab
✓ Image in lab
✓ Label all cables
✓ Disconnect carefully
✓ Seal device
✓ Transport to lab
✓ Image in lab
ON - Running
↓
SECTION 5: BUSINESS CONTINUITY DECISION
↓
⚠️ CRITICAL BUSINESS DECISION
Consult administrator/owner:
• Server role (production/test/backup)
• Business impact of shutdown
• Alternative solutions available
• Legal priority vs. business need
Consult administrator/owner:
• Server role (production/test/backup)
• Business impact of shutdown
• Alternative solutions available
• Legal priority vs. business need
↓
Can business tolerate server shutdown?
↓
YES - Can Shutdown
↓
Perform Live Data Capture FIRST:
• RAM capture
• Running processes
• Network connections
• Open files
Then proper shutdown
Transport to lab for imaging
• RAM capture
• Running processes
• Network connections
• Open files
Then proper shutdown
Transport to lab for imaging
NO - Cannot Shutdown
↓
LIVE ACQUISITION ONLY
Server remains running
Forensic live acquisition
Network-based imaging
Coordinate with IT team
⚠️ Requires trained specialist
Server remains running
Forensic live acquisition
Network-based imaging
Coordinate with IT team
⚠️ Requires trained specialist
↓
SECTION 6: VIRTUAL MACHINES & RAID
↓
IF Virtual Machines present:
• Request VM snapshots from hypervisor
• Export VM in OVF/OVA format
• Include VM configuration files
• Document hypervisor type and version
IF RAID Array present:
• Do NOT disassemble array
• Image entire array as single unit
• Document RAID configuration (level, disks)
• Consult expert if complex RAID
• Request VM snapshots from hypervisor
• Export VM in OVF/OVA format
• Include VM configuration files
• Document hypervisor type and version
IF RAID Array present:
• Do NOT disassemble array
• Image entire array as single unit
• Document RAID configuration (level, disks)
• Consult expert if complex RAID
↓
SECTION 7: CROSS-BORDER DATA ACCESS
(BUDAPEST CONVENTION - Foreign Data)
(BUDAPEST CONVENTION - Foreign Data)
↓
⚖️ DATA STORED IN FOREIGN COUNTRY
Budapest Convention Articles 32 & 16 APPLY
Budapest Convention Articles 32 & 16 APPLY
↓
ARTICLE 32.a: Is data publicly accessible?
(public websites, public profiles, open databases)
(public websites, public profiles, open databases)
YES - Public Data
↓
✅ ACCESS PERMITTED
under Article 32.a
Document public nature
Screenshot access method
No additional authorization needed
under Article 32.a
Document public nature
Screenshot access method
No additional authorization needed
NO - Not Public
↓
ARTICLE 32.b:
Can lawful voluntary consent be obtained?
(from person legally authorized to disclose data)
Can lawful voluntary consent be obtained?
(from person legally authorized to disclose data)
↓
YES - Consent
↓
✅ ACCESS PERMITTED
under Article 32.b
Document consent:
• Identity of consenting person
• Legal authority over data
• Voluntary nature
• Signed consent form
• Date, time, witnesses
under Article 32.b
Document consent:
• Identity of consenting person
• Legal authority over data
• Voluntary nature
• Signed consent form
• Date, time, witnesses
NO - No Consent
↓
⚠️ ARTICLE 16 - DATA PRESERVATION
IMMEDIATELY issue preservation order:
• To cloud provider/custodian
• Specify data to preserve
• Maximum 90 DAYS
• Request confidentiality
• Include case reference
THEN initiate MLAT or international cooperation
IMMEDIATELY issue preservation order:
• To cloud provider/custodian
• Specify data to preserve
• Maximum 90 DAYS
• Request confidentiality
• Include case reference
THEN initiate MLAT or international cooperation
↓
SECTION 8: EVIDENCE IMAGING & DOCUMENTATION
↓
Forensic Imaging Requirements:
• Use forensic tools (FTK Imager, dd, etc.)
• E01 format mandatory (read-only, embedded hash)
• Calculate double hash (SHA-256 + SHA-1/MD5)
• RFC3161 timestamp
• Contradictory process (all parties present)
• All parties sign imaging report
• Maintain unbroken chain of custody
• Use forensic tools (FTK Imager, dd, etc.)
• E01 format mandatory (read-only, embedded hash)
• Calculate double hash (SHA-256 + SHA-1/MD5)
• RFC3161 timestamp
• Contradictory process (all parties present)
• All parties sign imaging report
• Maintain unbroken chain of custody
↓
✅ SERVER EVIDENCE COLLECTED
Legal procedures followed
Evidence admissible in court
Legal procedures followed
Evidence admissible in court
⚖️ Critical Legal Requirements
- Section 1 - Legal Authorization: Consent (written from corporate officer), warrant (specifying scope), or expert appointment REQUIRED
- Section 2 - Contradictory Process: Server owner/legal representative and witnesses MUST be present during on-site operations
- Section 2 - Article 37 (Albanian Law): IF person makes self-incriminating statement (including technical questions about passwords, configs, admin access), IMMEDIATELY interrupt, warn of rights (lawyer), suspend if requested. Statements BEFORE warning = INADMISSIBLE
- Section 3 - Remote/Cloud Servers: ALWAYS verify data storage location FIRST (domestic vs. foreign)
- Section 5 - Business Continuity: Consult administrator about business impact before shutdown decision
- Section 6 - RAID Arrays: Do NOT disassemble - image as single unit or consult expert
- Section 7 - Budapest Convention Article 32.a: Public data may be accessed regardless of location
- Section 7 - Budapest Convention Article 32.b: With lawful voluntary consent, data may be accessed
- Section 7 - Budapest Convention Article 16: If neither Article 32 applies, IMMEDIATELY issue data preservation order (max 90 days) + initiate MLAT/cooperation
- Section 8 - E01 Format: Mandatory for evidence (read-only, embedded hash, cannot be modified)
- Section 8 - Double Hash: SHA-256 (primary) + SHA-1/MD5 (secondary) - both documented with RFC3161 timestamp
- Section 8 - Contradictory Imaging: All parties MUST be present and sign imaging report
⚠️ Evidence May Be Inadmissible If:
- ❌ Section 1: No legal authorization (consent/warrant/expert appointment)
- ❌ Section 1: Authorization does NOT specify scope (server location, cloud access, business disruption)
- ❌ Section 2: Contradictory process violated (owner/witnesses not present during on-site operations)
- ❌ Section 2 - Article 37: Self-incriminating statements used without proper warning, OR questioning continued after lawyer requested
- ❌ Section 3: Remote/Cloud data accessed without verifying storage location
- ❌ Section 5: Business-critical server shut down without proper consultation/documentation
- ❌ Section 6: RAID array disassembled incorrectly causing data loss
- ❌ Section 7 - Budapest Convention: Foreign data accessed WITHOUT Article 32 compliance AND without MLAT/cooperation
- ❌ Section 7 - Article 16: Foreign data accessed without preservation order when Article 32 does not apply
- ❌ Section 7 - Article 16: 90-day preservation period expired without initiating MLAT/cooperation
- ❌ Section 8: Evidence NOT imaged in E01 format
- ❌ Section 8: Imaging NOT done with contradictory process (all parties present and signing)
- ❌ Section 8: Chain of custody broken
🌍 Budapest Convention - Cross-Border Data Access Summary
When data is stored in a foreign country, you have THREE options:
1️⃣ Article 32.a - Public Data (NO authorization needed):
- ✅ Data is publicly accessible (open source)
- ✅ Access permitted regardless of location
- ✅ Document public nature with screenshots
2️⃣ Article 32.b - Consent (authorization from data owner):
- ✅ Lawful voluntary consent from person legally authorized to disclose data
- ✅ Access permitted with documented consent
- ✅ Must document: identity, authority, voluntary nature, date/time, witnesses
3️⃣ Article 16 - Preservation + MLAT (when neither Article 32 applies):
- ⚠️ IMMEDIATELY issue preservation order to cloud provider/custodian
- ⚠️ Maximum 90 DAYS preservation (renewable)
- ⚠️ Data must be preserved with integrity and confidentiality
- ⚠️ THEN initiate MLAT (Mutual Legal Assistance Treaty) or international cooperation
- ⚠️ Monitor timeline - must obtain formal authorization before 90 days expire
- ❌ If 90 days expire without authorization: data may be lost, evidence inadmissible
⚠️ CRITICAL: NEVER access data in foreign country without one of these three legal bases. Illegally obtained foreign data = INADMISSIBLE evidence + potential international legal complications.
⚖️ Albanian Law - Article 37 (Self-Incriminating Statements) Summary
Protection Against Self-Incrimination - Applies to ALL questioning:
WHEN to apply Article 37:
- When questioning ANY person (server admin, IT staff, owner, user, etc.)
- Who is NOT yet formally taken as defendant
- Including technical questions (passwords, server configs, admin access, network setup, etc.)
IF person makes statement raising suspicion of guilt:
- ⚠️ IMMEDIATELY interrupt questioning
- ⚠️ Issue MANDATORY warnings:
- "Following your statements, an investigation may be carried out against you"
- "You have the right to appoint a lawyer"
- "You have the right to have your lawyer present during all questioning"
CRITICAL RULES:
- ❌ Statements made BEFORE warning = INADMISSIBLE (cannot be used against person)
- ✅ Only statements AFTER warning (with lawyer if requested) are admissible
- ⚠️ IF person requests lawyer: SUSPEND ALL questioning immediately
- ⚠️ Wait for lawyer arrival before resuming any questioning
- ✅ IF person waives lawyer: obtain signed waiver, witnessed by all parties
- ✅ Person can request lawyer at ANY time during proceedings
⚠️ WHEN IN DOUBT: Provide Article 37 warning. Better to warn unnecessarily than to obtain inadmissible statements. Technical questions about servers often reveal knowledge that could be incriminating.