Cyber Crime: Computer-Related Investigations
1. Describe the traditional problems associated with finding digital evidence.
2. Discuss the areas noted in the lecture notes relative to securing the crime scene in computer-related investigations.
3. Discuss the handling of seized evidence prior to transportation to the laboratory.
4. Discuss crime scene processing for computer-related crimes.
Chapter 11
Searching and Seizing Computer-Related Evidence
Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz
Copyright © 2013 by Pearson Education, Inc. All Rights Reserved
Learning Objectives
Discuss the seven general categories of personnel that may be present at a computer-related crime scene.
Familiarize yourself with the tools of the trade of computer-related crime scene investigation.
Gain knowledge of the concerns of preservation of digital evidence.
Develop comprehension of why documentation is so important.
Understand SMEAC and how it applies to computer investigation.
Become aware of the activities of investigators when approaching computer-related crime scenes and on the scene.
Traditional Problems Associated with Finding Digital Evidence
The occasional need for computer crime investigators to play multiple roles (case supervisor, investigator, crime scene technician, and forensic scientist) because of resource limitations, which increases the risk of complications
Digital evidence is volatile (susceptible to climatic and environmental conditions and to human error) and voluminous
The need to analyze all potential evidence, as opposed to examining only samples
Expensive to do correctly; failure could result in lawsuits being filed against the agency
The ease of camouflaging digital evidence and, in general, the difficulty of finding it
Occasional need for computer crime investigators to play multiple roles, due to resource limitations, which can increase the risk of complications:
Case supervisor
Investigator
Crime scene technician
Forensic scientist
Growing sophistication of criminals means greater difficulty in getting to potential evidence, for example, due to encryption, steganography, or self-destructive programs.
The pace of technological advancement surpasses the pace of law enforcement training.
Thus it is critical to develop strict search and seizure policies.
Pre-Search Activities
Reliance upon traditional methods to gather information and prepare for arrival at the scene
Determination of the location, size, type, and number of computers at scene
Risks from personnel affecting potential evidence
The volatility of evidence
Reliance upon judicial authority to conduct data-gathering
Potential need for expertise or non-departmental experts
Engaging in social engineering
Dumpster-diving for potential evidence
Warrant Preparation and Application
A search warrant application should be reviewed by computer experts and legal counsel for relevant language and protections before it is submitted
Probable cause must demonstrate that:
A crime has been committed
Evidence of that crime exists and resides in a particular location
Seizing Equipment
Must justify the seizure (not just the search) of equipment
Request explicit permission to seize all hardware and storage devices, to the extent constitutionally justifiable
Note that criminal contraband, fruits of the crime, and those items criminally possessed may be seized without judicial authority
No-knock warrants may be an option, given exigent circumstances such as:
Nature of the offense
Potential for evidence destruction
Sophistication and maturity of the target
Absence of the resident
Secondary/multiple warrants may be necessary:
When searching for child pornography and encountering drug trafficking records
For networked computers, especially where there may be off-site storage; investigators should anticipate this and mention it when applying for the original warrant
Plan Preparation and Personnel Gathering
Situation
Mission
Execution
Avenues of approach and escape
Communications
Hence SMEAC, the acronym formed from these five elements, serves as the guide to preparation
On-scene personnel, who could play multiple roles, may include:
Case Supervisor
Arrest Team
Scene Security Team
Interview and Interrogation Team
Sketch and Photo Team
Physical Search Team
Seizure Team, which goes last and carries out bagging and tagging
Preparing a tool kit is dependent on what law enforcement expects to find on the scene.
Traditional equipment:
Evidence tape
Packing tape
Evidence storage containers and labels
Antistatic bags (prevent loss of data due to static electricity), conductive bags, and Faraday bags (to shield wireless devices from remote corruption or deletion of data)
Labeling materials (writing utensils, labels, note cards)
Sanitary materials
Flashlight and extra batteries
List of contacts
Mobile carts or evidence transport units
Wireless communications
Photographic equipment (camera, batteries, storage cards)
Nonmagnetic screwdrivers, hex wrenches, pliers
Small diagonal cutters
Hammer or nail-puller
Computer-Specific Equipment and Materials
Multiple boot disks
Backup hardware and miscellaneous computer peripherals:
New hard drives
Color scanner
Color printer and an assortment of computer paper
Anti-virus software (must be the most current)
Imaging software
Application software
Forensic software, including (but not necessarily limited to):
Viewers
Text and hex editors
Password crackers
Verification software
Time/date programs
Wiping programs
Locking programs
Fuzzy logic tools
File cataloging and indexing
Recovery
Imaging
Other forensic software, like EnCase, FTK
Extra media
Extra cables, serial port connectors, and gender-changers
Extension cords and/or power strips
Surge protectors and/or UPS
Open purchase order
On-Scene Activities
Steps involved in serving a warrant:
Knock
Notice
Document
Depending upon the warrant and crime scene, securing the scene includes (but is not limited to):
Dealing immediately with dangerous individuals or safety hazards
Locating and securing all computers
Removing all personnel from the immediate area of the evidence
Ascertaining network connections so that appropriate action can be taken
Disabling network access, ideally by a network administrator
Separating all suspects immediately and escorting them to a predetermined location
Having a police officer protect all computers
Collecting literature that relates to the underlying activities or offenses
Determine the need for external specialists
May be needed when searching mainframes, minicomputers, and specialty and hacker computers
When processing the scene, the following should be documented, at minimum:
Date, time, and description of computer, including physical damage
Identifying information of all investigative personnel
Identifying information of all others present, especially witnesses and suspects
All investigative clues uncovered and developing leads
Investigative software used
Sequence and time of all actions taken
Type and status of network connection
Verification of network connection
Status of computer
Computer activity
Computer desktop
System date/time
Tree structure (if relevant and possible)
Image verification
Chain of custody
Identification of all material or equipment seized
Photograph/video documentation can weaken defense arguments that officers corrupted or otherwise contaminated criminal evidence.
When sketching the scene, be sure to include critical identifying information.
When identifying potential evidence:
Don’t overlook non-digital evidence
Trace evidence may be important to place the suspect at the scene, and can include hair, fibers, and fingerprints
Any other computer components, such as external hard drives, peripherals
Circumstantial connections, such as post-it notes, computer printouts, even the type of paper used
For example, when searching for the crime of software counterfeiting, look for labels, DVD burners, packaging, etc.
Investigating potential evidence:
Desktops
Monitors
Keyboards
Telephones
Wallets/purses
Clothing
Trash cans and recycle bins
Printers
Inside the computer itself
Seizure and documentation of evidence
Limited to scope of warrant; get secondary when needed.
All annotations must be in ink.
Generate comprehensive notes.
Image contents of the drives onto clean media.
When seizing computers:
Before powering off, document the status of the computer with photos, sketches, and notes, including the back of the computer and connections.
After powering off, place evidence tape over all disk openings.
Label all cords and empty slots.
Bagging and Tagging
Use a chain of custody log to maintain a record of all items taken.
Labels used should contain, at a minimum:
Investigator’s initials
Date found
Location of evidence
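As an added example (not from the textbook or its slides), the imaging and bagging-and-tagging steps above in Python: each item label carries the minimum fields listed (investigator's initials, date found, location), every hand-off is appended to a chain-of-custody log, and the drive image is hashed on scene so the laboratory can confirm the copy it receives is unchanged. The record layout, function names and the sample image bytes are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class EvidenceItem:
    """One seized item, labelled with the minimum the slides require."""
    item_id: str
    description: str
    investigator_initials: str
    date_found: str
    location: str
    sha256: Optional[str] = None                 # digest of the on-scene image
    custody_log: list = field(default_factory=list)


def sha256_of(data: bytes) -> str:
    """Digest of an image; recomputed later to prove the copy is unchanged."""
    return hashlib.sha256(data).hexdigest()


def log_transfer(item: EvidenceItem, handler: str, action: str) -> dict:
    """Append one chain-of-custody entry: who handled the item, when, and why."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "handler": handler, "action": action}
    item.custody_log.append(entry)
    return entry


def acquire_image(item: EvidenceItem, image_bytes: bytes, handler: str) -> str:
    """Hash the image taken onto clean media and open the custody log with it."""
    item.sha256 = sha256_of(image_bytes)
    log_transfer(item, handler, f"imaged onto clean media; sha256={item.sha256}")
    return item.sha256


def verify_image(item: EvidenceItem, image_bytes: bytes) -> bool:
    """Re-hash the copy presented at the lab and compare with the acquisition
    digest; any altered byte (tampering or corruption in transit) fails here."""
    return item.sha256 is not None and sha256_of(image_bytes) == item.sha256


def evidence_label(item: EvidenceItem) -> str:
    """Minimum label text for the evidence bag: initials, date found, location."""
    return f"{item.item_id} | {item.investigator_initials} | {item.date_found} | {item.location}"
```

A constructed byte string stands in for the raw disk image; in practice the same functions are fed the image file read from the write-blocked acquisition media.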
Use great care and wear gloves.
Factors to consider in packaging and transporting computers:
Temperature (heat)
Oil, dirt, dust
Magnetic fields
Additional environmental characteristics
When interviewing witnesses, relevant questions can include:
What types of digital evidence have been collected prior to the involvement of law enforcement?
For example, in a cyberstalking case, does a hard copy version of the email exist? Is an electronic copy available? Does it contain full header information?
How was the evidence discovered?
Who handled the evidence? (Could be multiple individuals)
Who controlled the digital evidence after it was examined and before it was given to authorities?
When and how was the digital evidence collected and stored?
Where was the evidence when it was collected?
What type of equipment held the digital evidence?
Who had access to the equipment?
Who owned the equipment?
Was the equipment shared?
Was information retrieved from a network?
Was information password-protected?
Who had access to password-protected information?
Is the data located at an off-site location?
Who may be responsible for the incident? Why do you think so?
What actions have been taken to identify, collect, preserve, or analyze the data and the devices involved?
Scene Departure and Transportation of Evidence to Lab
Rely on traditional methods to exit a crime scene
Review shipping manifests upon arrival
Enter into appropriate evidence control systems for analysis
Conclusions
Computer-related evidence presents unique problems, including a lack of resources such as untrained or insufficient personnel to process it properly
Steps in a traditional investigation should be incorporated with those unique to computer-related investigations
Warrants should be specific and based on probable cause
Documentation is essential
Procedures will evolve along with computer forensics
Still a matter of careful planning and oversight