Week 5 Notes Examining E-mail Since cyber crime involves the use of the internet, investigations into cyber crime will usually involve an examination of the suspect's internet activity and communications. In 1986, Congress passed the Electronic Communications Privacy Act (ECPA) to facilitate the cooperation of ISPs with law enforcement's need for information related to criminal activity. The ECPA created privacy protection for electronic communications and delineated the process necessary for obtaining different types of information. The government (law enforcement) can obtain certain information such as email addresses and website traffic with just a subpoena. However, to obtain the content of electronic communications, investigators may need a court order or a search warrant. A warrant is required in order to intercept an e-mail in transit, or to seize an e-mail stored on a suspect's home computer. The law restricts this practice to cases involving certain specific felonies. Additionally, a warrant is required to open an e-mail stored on the ISP's server, if it has not yet been opened. The ECPA limited this requirement to 180 days, meaning that after 180 days have elapsed, law enforcement may obtain the content of an unopened e-mail from the ISP with only a subpoena. That 180-day provision may be modified. In 2016, the House of Representatives voted overwhelmingly to remove the 180-day limit and require the use of a warrant to obtain an unopened e-mail from an ISP, regardless of the message's age. It should be noted that courts have treated unsecured wireless networks differently. Email and other transactions taking place over a secured Internet connection bring with them a certain expectation of privacy. Communications voluntarily shared over an unsecured wireless system do not carry that same expectation of privacy, which means that law enforcement has fewer restrictions when it comes to accessing data shared in this fashion. See more about the ECPA here : Securing Suspect Data Modern audio and video recording equipment use digital files, which are frequently stored in magnetic media such as memory sticks. When audio and video media are seized as evidence at a crime scene, they need to be protected from electrical and magnetic fields and should be shielded from extreme temperatures. The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media. Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format. Whenever a computer is powered on, the operating system creates and alters files stored on the device during the boot process. This process may compromise existing evidence. To prevent this, investigators utilize specialized software to prevent the system from going through the boot process and altering files. Examination is best conducted on a copy of the original evidence. Forensics investigators may be looking for clues that help prosecutors build a case, such as a travel receipt that suggests the suspect was in the vicinity of a crime scene. They may also be searching for digital files that by themselves are illegal to possess, such as classified government documents or child pornography. When such a file is discovered, it is important that the investigator carefully gathers evidence that shows "knowledgeable possession." In other words, prosecutors will need to prove that the suspect intentionally acquired the illegal files. Computers connected to the Internet receive files without the user's consent throughout every session. Files such as tracking cookies, unsolicited e-mails (sometimes with attachments), and notifications from Facebook arrive on users' computers without the users' active participation. In order to achieve a conviction, prosecutors need to demonstrate evidence that the suspect actively and intentionally acquired the digital contraband. Searching a Hard Drive A search of a computer's hard drive can be accomplished through a number of different manual and automated processes. A manual review can be enhanced, if the software you are using to review data allows you to search for a string of characters. If it does, you can search for file names or file name extensions that are typically associated with the types of files you want to find. Another type of search is a string search where specific sequence of characters is used. There are automated search tools which can systematically review files contained on a stand-alone PC or network system. Many search tools will allow you to search by date of publication, publication type, location of the search, type of media, or search fields such as title, author, subject heading, and so on. Your personal computer's operating system includes a basic search tool that allows you to search your own hard drive for files or programs. Many times, the information you are searching for may not be obvious and may actually be embedded or hidden within other documents, images, or tables. The term "steganography" literally means "covered writing." This term applies to a wide range of techniques for passing a message from sender to recipient, hidden in plain sight. It is even possible to embed strings of text within the data that comprise digital photos. Forensic investigators should also identify for the record all of the specific software tools used in the extraction and analysis of data. Keep in mind that a great length of time may elapse between the collection of devices and the actual trial so careful documentation is essential. In this regard, there is no difference between digital data and physical evidence such as a blood stain or bullet casing.
Purchase answer to see full attachment