The proper execution of a search warrant for digital evidence should be considered one of the most
important, if not the most important, steps in investigating any cybercrime. This statement is based
on the belief that no crime may be proven and no suspect may be convicted without the proper
collection and storage of evidence related to the crime. Like the execution of any search warrant, it
will be necessary to preplan the roles of each person involved in the execution of the search warrant.
However, the execution of a search warrant for digital evidence may require several additional
personnel as the evidence obtained may require the services of subject matter experts trained in the
areas of computer science or networking.
Investigators assigned to investigate cybercrimes must have a basic understanding of the various
types of digital evidence that may be encountered during such an investigation. There is a variety of
digital storage media that may be encountered, ranging from floppy disks and CD-ROMs, which
store smaller amounts of information, to flash drives and external hard drives, which may store vast
amounts of potential evidence. Personal digital assistants (PDAs) and cellular phones are also
potential storage depots for digital evidence. In fact, many of today's cellular telephones could be
considered more analogous to a computer than to a telephone given the variety of operating
systems, software programs available and computer capabilities of these phones. It is important that
all personnel involved in the investigation of cybercrime be familiar with the devices, whether they
are investigators assigned to a digital crime unit or they are first responders who secure the crime
scene. Failure to be aware of potential storage devices could result in a situation where an
invaluable piece of digital evidence is removed from the scene before it can be properly seized and
processed.
Cybercrime investigations may involve the execution of search warrants for computers at one
location or may involve the seizure of computers from multiple locations. The more computers
involved in the execution of the warrant, the more complicated the seizure and the greater the potential for
damage to digital evidence. For this reason, it is recommended that investigators be aware of the
potential for computers involved in the cybercrime under investigation to be located at one or more
locations. Additionally, it is important for investigators to understand that computers that are
networked may maintain digital evidence on any of several networked computers. For this reason, it
is important to understand the difference between computers that are connected to the Internet and
computers that are connected to an Intranet, which is a privately maintained network usually
accessible only by authorized personnel of the company or agency.
This learning topic provides an overview of basic strategies involved in the execution of a search
warrant. This portion of the course will also provide an introduction to the various types of digital
storage media that may be encountered during the execution of a search warrant for digital
evidence. The course materials will also address the various legal issues associated with preserving
evidence obtained at a crime scene in order to properly introduce the evidence at trial.
Investigations involving digital evidence require that investigators have a basic understanding of digital
forensics analysis. The field of digital forensics is a relatively new and exciting area. Individuals who
work in this area are tasked with developing a basic understanding of the types of evidence stored
on digital media, as well as the various areas in which digital evidence can be recovered. For
example, an investigation into a digital child pornography distribution ring could find any of the
following forms of digital evidence during the investigation:
1. Computer-generated images of child pornography
2. Digital videos involving children engaged in sexual activity
3. Billing records related to access to child pornography-related websites
4. Passwords used in accessing child pornography-related websites
Professionals who work in the field of digital forensics are trained to not only recognize the types of
evidence that could be encountered during an investigation, but are also tasked with understanding
where digital evidence may be located within the various forms of digital storage media. Many
people do not understand how computer hard drives, USB flash drives, and other digital media store
files. Understanding how files are stored on digital media allows digital forensic analysts to locate
files that have been hidden or in some cases deleted.
There are a variety of software programs being developed to assist in the forensic examination
process. Many of these software programs are user-friendly and provide graphical user interfaces
(GUIs) with icons similar to those used by the Windows operating system. As a result of these
advances, it is easier for analysts to be trained in the use of the software. Proper adherence to a
series of forensic protocols is necessary for ensuring that evidence obtained during an investigation
is admissible during a criminal trial.
This learning topic provides an overview of how files are stored on digital storage media such as CD-ROMs, DVD-ROMs, computer hard drives, and USB flash drives. This portion of the course will also
introduce students to the basics of digital forensics analysis, including how to properly conduct an
analysis, how to document a forensics analysis, and how to ensure that the digital evidence is
admissible when presented at trial.
Required Text: Taylor, R., Fritsch, E., Liederbach, J., & Holt, T. (2015). Digital crime and digital
terrorism (3rd ed.). Upper Saddle River, NJ: Pearson. ISBN: 13:978-0-13-345890-9
Chapters 11 and 12
Additional Resources
Britz, M. (2009). Computer forensics and cybercrime: An introduction. Upper Saddle River, NJ:
Prentice Hall.
Guidance Software (2004). Available at: http://www.guidancesoftware.com.
Harrison, W., G. Heuston, S. Mocas, M. Morrissey, & J. Richardson (2004). High-tech
forensics. Communications of the ACM, 47(7), 49.
Knetzger, M. & Muraski, J. (2008). Investigating high-tech crime. Upper Saddle River, NJ: Prentice
Hall.
Marcella, A. & Menendez, D. (2007). Cyber forensics: A field manual for collecting, examining, and
preserving evidence of computer crimes. 2nd Edition. New York: CRC Publishing.
National Institute of Justice (2001). Electronic crime scene investigation: A guide for first responders.
Available at: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf.
Patzakis, J. (2002). The Encase process. In E. Casey (ed.), Handbook of computer crime
investigations: Forensic tools and technology, pp. 53-72. San Francisco: Academic Press.
Wall, D. (2008). Cybercrime: The transformation of crime in the information age. Malden, MA: Polity.
Department of Justice. (2008). Electronic crime scene investigation: A guide for first
responders. Washington, DC. Available online at http://www.ncjrs.gov/pdffiles1/nij/219941.pdf.
Guidance Software (2010). Encase. Available at: http://www.guidancesoftware.com/.
Harrison, W., G. Heuston, S. Mocas, M. Morrissey, & J. Richardson (2004). High-tech
forensics. Communications of the ACM, 47(7), 49. Retrieved from Business Source Elite database.
Nelson, B., A. Phillips, F. Enfinger, & C. Steuart (2004). Guide to computer forensics and
investigations. Boston: Thomson Course Technology.
Vacca, J. (2002). Computer forensics: Computer crime scene investigation. Hingham, MA: Charles
River Media.
1. Written Assignment: Essay Questions (Be sure you answer all parts of
the questions in essay format, well cited in APA style. These questions
require more than a one-sentence answer.)
Context: Questions relevant to the course material have been selected
to elicit critical responses from students. Please give the questions
some thought, and answer based on best practices in the field.
Task Description: Please answer the following questions in an APA essay
format. Please do not limit your answers to just a definition of terms.
You need to discuss the problems presented to include your own
opinions based on what you have researched. One to two paragraphs
each.
a. You have been assigned the task of convincing your Chief of Police to
hire a forensic analyst instead of requiring investigators to conduct
their own analyses. What are some arguments that you would rely on to
support your position? What are some arguments that you might
encounter in opposition to your position?
b. What are some examples of digital evidence that may be encountered
during the execution of a search warrant for digital evidence? Are there
any forms of digital evidence, or any storage media, that the authors do
not discuss that you believe should be considered during a search for
digital evidence?
c. Of all of the issues discussed in Chapter 12, which do you feel is the
most important issue in regards to investigating cybercrimes? Why is
this issue most important to you?
d. View the guide for best practices for seizing computers located
at https://www.fletc.gov/sites/default/files/imported_files/training/programs/legal-division/downloads-articles-andfaqs/downloads/other/bestpractices.pdf. This document provides
several useful recommendations for seizing digital evidence. Which of
the recommendations did you find to be most interesting and why?
Which of the recommendations would you feel is most important to
properly ensure a good search is conducted?
e. You have been assigned to your department's digital crimes unit.
During your first investigation, you are asked to examine a suspect
computer and document any evidence uncovered. You turn on the
suspect computer and then begin your examination. During the course
of this investigation, you discover a variety of evidence related to the
crime in question. However, you realize that you have been examining
the original computer and not a proper copy. What are some problems
with the evidence recovered?
f. Discuss the concept of a hash value. What is the hash value and how is
the value used in digital forensics analyses?
g. Controlling Virtual Crime:
Given the type of crimes expected to increasingly be encountered by
criminal justice personnel, what recommendations would you make for
regulating or controlling these types of crime? Research an example of
someone who was caught and prosecuted for a cybercrime. What kind
of punishment did they receive? Was it severe enough?
h. Network Security:
You have been tasked with providing a risk analysis strategy for the
University. Discuss the process of developing such an analysis. What are
some important factors to consider in your analysis?
Discussion Activity #1: Change
Think of any situation in your professional life with your present (or a prior) organization,
whether you were in a leadership position or not, where a change was made, and you, your
peers, or your employees expressed or demonstrated strong resistance.
• What type of change was implemented?
• What component of the organization underwent change?
• What were the sources of resistance?
• What problems did the team, office, or component experience because of the resistance to
change?
Regardless of the source, a leader can use the following strategies to minimize resistance to
change:
• First – demonstrate that there’s a real need for adaptation, one that will benefit the follower.
• Second – deal with resistance by ensuring that those who need more training or skill
development know they’ll get it.
• Third – give employees the opportunity to participate in the adaptation process so they’ll
develop a sense of ownership in the outcome. Another alternative calls for representatives of the
group to work with the leader to develop and execute the adaptation.
• Fourth – reduce opposition to adaptation by explaining, when appropriate, that the impetus
for the change came from within the organization.
• Fifth – as a last resort, the leader might have to take a more authoritarian approach. Where
time is crucial and the leader has considerable power, it may be appropriate to use coercion:
tell them they must comply or suffer the consequences. This is risky, as resistance may
become intense. However, this approach may be the only one that brings about the desired
result.
In reviewing the above leader strategies to minimize resistance to change, what leader
strategies were used to overcome resistance to the proposed change?
Discussion Activity #2: Kotter's eight steps to leading change:
In reviewing Kotter’s eight steps to leading change and applying Kotter’s principles to your
change example, if the change was resisted or failed, which of Kotter’s steps could have or
should have been applied to overcome the resistance?
Required Reading:
Northouse, P. G. (2013). Leadership: Theory and practice (6th ed.). Thousand Oaks, CA: Sage.
Kotter, J. P., & Schlesinger, L. A. (2008). Choosing Strategies for Change. Harvard Business
Review, 86(7/8), 130-139.
Kotter, J. P. (2012). ACCELERATE! (cover story). Harvard Business Review, 90(11), 43-58.