12 The Investigation of Computer-Related Crime
CHAPTER OBJECTIVES
After completing this chapter, you should be able to
• Explain and understand the search warrant application process appropriate to electronic
evidence at a single-location crime scene.
• Identify hardware and storage devices potentially containing evidence of a crime.
• Explain and understand the legal standards and best current practices for the documentation of a
single-location electronic crime scene.
• Explain and describe the best current practices for the collection, preservation, transportation,
and storage of electronic evidence.
• Distinguish between single-scene, multiple-scene, and network crimes.
• Communicate an understanding of network architectures and standards relevant to network
investigations.
• Identify sources of assistance for multiple-scene and network operations.
• Identify categories of evidence and probable locations of that evidence.
• Broadly outline procedures for preserving and collecting network trace evidence.
INTRODUCTION
This chapter focuses on the current state of the field in computer crime investigations. The
personnel available to an investigation will dramatically influence the type and scope of
investigations that may be undertaken. Understanding the roles of and skills needed by such
personnel is vital to planning appropriate investigations. Although there is no single policy or
plan for investigations, this chapter presents an overview of investigations, with special emphasis
on the process of the investigation. The chapter breaks investigations into three basic types:
single-scene, multiple-scene, and network investigations. Each type of investigation requires
different skills from personnel involved. Single-scene investigations require the skills found in
trained law enforcement investigators. The skills used in a single-scene investigation form the
building blocks of the more complex investigations. Thus, while building on single-scene skills,
multiple-scene investigations require additional networking and coordination skills. Coordination
of multiple searches at various locations is the realm of an experienced criminal investigator. The
networking skills may be provided by a subject matter expert (e.g., a computer consultant).
Finally, network crimes require the skills of multiple-scene investigators and outside expert
assistance. Even the most computer-proficient investigator needs help from the companies that
maintain the Internet to track a crime successfully through their servers. However, some degree
of preliminary knowledge is required even to know where to start. Techniques for acquiring this
type of information are presented in this chapter along with conceptual tools that allow an
investigator to communicate with the Internet experts.
INVESTIGATOR ROLES AND RESPONSIBILITIES
The role of computers is growing rapidly in our society; law enforcement has lagged behind. The
pervasive use of home computers has added another potential source of evidence to the over 54
million households with computers in the United States.1 Many large law enforcement agencies
have a dedicated electronic crime investigation capacity. Medium-sized agencies may be
acquiring their first electronic crime investigation unit or attempting to cross-train detectives
from traditional areas. Even the smallest departments encounter electronic crime, but do not have
the capacity for a dedicated unit. Thus, the mission of police, from patrol officers to forensic
specialists, depends greatly on their department’s size and organization. Generally, the role and
responsibility of police staff in electronic investigation is the same as their counterparts dealing
with physical crime.
First Responders
First responders to a crime scene are often patrol officers. First responders would not normally
attempt to complete an electronic search and seizure; however, they do benefit from an
awareness of the procedure and, if given even basic training, may be better able to preserve a
potential electronic crime scene for specialized investigators. First responders are not dedicated
electronic crime investigators. They have many other responsibilities, including safety, security,
and basic documentation of an event or scene. Furthermore, patrol officers are often not given
the time to conduct in-depth investigations; those are handled by detectives.
A well-trained first responder will control the human element of the crime scene first: tending to
the injured, isolating suspects, and controlling onlookers. First responders are trained to avoid
contaminating a crime scene or destroying physical evidence. As the prevalence of electronic
evidence increases, first responders have naturally become aware of the need to protect and
preserve it. For example, first responders who recognize that iPods, BlackBerry devices, and personal
digital assistants can carry sensitive evidence are able to retrieve and carefully handle these
devices. Making first responders aware of potential digital evidence allows them to protect it in
the same way they protect physical evidence.
Investigators
Electronic crime investigators are trained law enforcement officers or experienced investigators
brought (sometimes unwillingly) into the world of electronic evidence. The basic skills required
to organize an investigation successfully, establish the elements of a crime, establish the
connection between the suspect and the crime, conceptualize and present the crime, and
document the investigation are still needed in electronic crime investigations. In fact, many
corporations seek computer investigators and security directors from the ranks of law
enforcement rather than technical experts. Investigators must have enough technical skill to
gather evidence, comprehend the crime, and communicate effectively with technical experts, but
do not need extensive theoretical knowledge or daily experience with computer systems. That is
not to say that highly skilled investigators are not desirable.
Forensic Analysts
In physical crime investigations and electronic crime investigations, the complex analysis of
evidence is often left to forensic specialists. A detective or crime scene technician would not feel
bad about not understanding the intricacies of laboratory DNA analysis. Although computer
skills and knowledge are essential to the investigator, the essential skills of an investigator
involve collection and preservation of evidence for further analysis. Technical experts conduct
this analysis through computer forensic techniques. Special programs and procedures allow
forensic specialists to compile evidence and present it to the court. Out of necessity, many
computer crime investigators feel compelled to learn these forensic analysis skills. Many
investigators become skilled computer forensic examiners, but have to devote a great portion of
their time to learning the latest technologies and conducting the analysis instead of conducting
their investigations. Forensic analysts provide efficiency through a division of labor and regular
practice with their equipment and techniques. It is not uncommon for senior investigators to act
as forensic analysts.
Private Police—Corporate Security
Private police (usually corporate security or computer security investigators) are hired by
corporations to secure the data assets of the corporation. Although they often cooperate with law
enforcement, they have a fundamentally different mission. Corporate officers must always
consider the good of the corporation. For example, a private computer investigator may be
withdrawn from a case if the corporation decides that expending resources on such investigation
will not be justified by the results.
Private computer security or investigative consultants are often brought in to review security
incidents or suspected crimes. A small discrepancy can indicate a system failure or a major
intrusion. In a famous case at the University of California, Cliff Stoll tried to reconcile a trivial
accounting error and ended up discovering an attempt at international espionage.2 It is not always
obvious that a crime has been committed without further investigation. Since many crimes are
committed by insiders, a security consultant also provides a check on the power of system
administrators.3
Many corporations keep former police officers on staff to advise them when to call the police
and when not to call. Although many officers and investigators find such a decision hard to
understand, or even consider it a dereliction of a societal duty, many corporations do not want adverse
publicity or fear the “seize everything” tactics of law enforcement once a crime is reported. The
delays, staff time, and computing resource downtime created by an investigation may cause more
financial loss than a break-in. In spite of the potential antagonism between the roles of private
police and law enforcement, these groups often work together smoothly. Once a decision is made
to report a crime, private police often act as liaisons between investigators and the corporate
structure, insulating other employees from disruption and facilitating the efforts of investigators.
A corporate security director not only will have access to the entire physical
(Taylor 273-275)
Taylor, Robert W., Eric Fritsch, John Liederbach. Digital Crime and Digital Terrorism, 3rd
Edition. Pearson Learning Solutions, 02/2014. VitalBook file.