Berkeley College Cyber Crime
Lecture Notes Chapter 11
Searching and Seizing Computer-Related Evidence
I. TRADITIONAL PROBLEMS WITH FINDING DIGITAL EVIDENCE
Unlike traditional investigations in which forensic experts are tasked with analysis of criminal evidence, computer-related investigations often require role multiplicity on the part of investigators.
Computer crime investigators are often forced to act as case supervisors, investigators, crime-scene technicians, and forensic scientists. Such duality is further exacerbated by characteristics unique to digital evidence.
· Digital evidence is especially volatile and voluminous, susceptible to climatic or environmental factors as well as human error.
· It may be vulnerable to power surges, electromagnetic fields, or extreme temperatures.
· Unlike traditional evidence in which analysis of small samples is utilized to preserve the totality of the evidence, assessment of digital evidence requires evaluation of the whole, making investigative mistakes quite costly.
· Digital evidence is also unique in its level of camouflage possibilities, lending itself to concealment by individuals desiring to hide information. Cyber criminals may hide incriminating evidence in plain sight without damaging its utility.
· Cyber criminals also use encryption and steganography programs, which have made the process of recovering data increasingly complex.
· Cyber criminals use self-destructive programs to sabotage their own systems upon unauthorized access.
II. PRE-SEARCH ACTIVITIES
a. Intelligence gathering: determine the location, size, type, and number of computers at a suspect scene.
Dumpster diving: processing trash of suspect may provide information of passwords or personal information on the suspect.
Social engineering and informants: gain information about suspects and personnel at the scene, types of computers and storage devices as well as operating systems.
b. Warrant preparation and application:
1. Determine the role of the computer in the crime.
2. Specifications of operating systems, storage devices and hardware.
3. Structure the application according to the unique court environments in the area of service. Find a judge that supports law enforcement versus one that doesn’t.
4. Have the application reviewed by other specialists, computer investigators and legal experts, before submitting to the judge or magistrate.
5. Clearly substantiate any requests for seizure of equipment found at the scene.
6. If exigent circumstances exist, a request for a “no-knock” warrant should be included in the application.
c. Probable cause: three elements are necessary in a warrant.
1. Probable cause that a crime has been committed.
2. Probable cause that evidence of a crime exists.
3. Probable cause that extant evidence resides in a particular location.
d. Preparing a Toolkit: include all traditional equipment law enforcement uses plus computer specific equipment and materials (some listed below):
1. Multiple boot disks
2. Backup hardware
3. Antivirus software
4. Imaging software
5. Forensic software
6. Extra cables, serial port connectors
7. Extension cords and power strips
8. Cell phone analysis software and necessary hardware
III. ON-SCENE ACTIVITIES
a. Securing the crime scene: one of the most important, yet overlooked, factors in the successful prosecution of a suspect.
1. Dangerous individuals or safety hazards must be immediately recognized and contained or neutralized.
2. All computers must be locked and secured. They are to be protected by a police officer.
3. All non-police personnel must be removed from the immediate area of the evidence.
4. Network connections must be ascertained and appropriate action taken.
5. All suspects should be immediately separated and escorted to a predetermined location.
b. Crime scene processing:
1. Photograph/Video: The golden rule for any successful criminal investigation should be document, document, document. Photographs and videos are an integral part of the documentation process, and they should occur at every stage of scene processing.
2. Sketching: Sketching a crime scene is essential in any criminal investigation. It provides an overview of the state of the scene and acts as corroboration for investigative field notes and scene photographs. Because extraneous objects may be omitted from crime-scene sketches and not from photographs, sketches represent a more focused illustration of the applicable evidence.
3. Locating evidence: focus on the general areas below:
e. Wallets or purses
g. Trash cans, Shredders, Recycle bins or other garbage containers
i. Inside the computer
c. Seizure and transportation of evidence:
1. Whenever possible, each individual investigator or team of investigators should physically maintain in their possession a copy of the warrant.
2. Once the determination is made that evidence may be seized, the collection process should begin with imaging the drives (i.e., duplicating them byte for byte, bit for bit) onto clean media.
3. Bagging and tagging: Like any scientific evidence, great care must be exercised when collecting and preserving crime-scene evidence. The chain of custody and continuity of possession must be maintained at all times for court admissibility. Investigators should adhere to standard operating procedures for custodial evidence collection—keeping in mind that routinization enhances witness credibility and evidence validity. Although policies and procedures vary by department, certain things remain constant.
Special care and caution should be exercised in preserving computer evidence. The materials may be affected by numerous environmental factors, including heat, magnetic fields, and static electricity, as well as oil, dirt, and dust.
4. Transportation to Laboratory:
a. Once the evidence has been properly collected and loaded into appropriate vehicles for transportation, investigators should follow traditional procedures for exiting a crime scene (e.g., physically securing the scene and removal of recovery equipment).
b. Prior to leaving, investigators should re-photograph the crime scene.
c. Upon arrival at the lab, shipping manifests should be checked over carefully, and all items should be properly accounted for. In addition, investigators should note the condition of the boxes upon unloading. These manifests should remain with the evidence at all times.
d. Once accounted for, all incoming evidence should be entered into the appropriate evidence control systems and assigned to a location or examiner to await analysis.
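The imaging step described above is only defensible in court if the copy can later be shown to be identical to the original. The following is an added example (not part of the lecture notes) that images a constructed sample "drive" block by block, records a SHA-256 acquisition hash, re-verifies both original and image against it, and shows that a single damaged byte in the copy is detected. File names and the custody record format are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def image_drive(source_path, image_path, block_size=4096):
    """Copy source to image block by block, hashing the stream as it is read.
    Returns the SHA-256 'acquisition hash' recorded at seizure time."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()

def hash_file(path, block_size=4096):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(source_path, image_path, acquisition_hash):
    """The image is valid only if original and copy are the same size and
    both independently re-hash to the value recorded at acquisition."""
    return (os.path.getsize(source_path) == os.path.getsize(image_path)
            and hash_file(source_path) == acquisition_hash
            and hash_file(image_path) == acquisition_hash)

def custody_record(item_id, examiner, acquisition_hash, verified):
    # Assumed minimal chain-of-custody entry; real systems record much more.
    return {"item": item_id, "examiner": examiner, "sha256": acquisition_hash,
            "verified": verified, "utc": datetime.now(timezone.utc).isoformat()}

def demo():
    """Returns (verification result for a good image, result after damage)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_drive.bin")   # constructed sample, not real evidence
        img = os.path.join(d, "suspect_drive.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)          # 1 MiB of deterministic content
        acq = image_drive(src, img)
        good = verify_image(src, img, acq)
        custody_record("ITEM-001", "examiner-placeholder", acq, good)
        # Simulate a single corrupted byte in the copy (e.g. a write error in transit)
        with open(img, "r+b") as f:
            f.seek(12345)
            b = f.read(1)
            f.seek(12345)
            f.write(bytes([b[0] ^ 0xFF]))
        return good, verify_image(src, img, acq)
```

Even though the two files differ in only one byte, the recorded acquisition hash exposes the discrepancy, which is why the hash belongs in the custody record rather than in an examiner's memory.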
Homework Questions: Chapter 11
1. Describe the traditional problems associated with finding digital evidence.
2. Discuss the areas noted in the lecture notes relative to securing the crime scene in computer-related investigations.
3. Discuss the handling of seized evidence prior to transportation to the laboratory.
4. Discuss crime scene processing for computer-related crimes.