Computer crimes have become more sophisticated and widespread. They are challenging to investigate due to difficulties in detection, fragility of digital evidence, and jurisdictional issues. A preliminary investigation of a computer crime scene requires securing the area, obtaining a warrant, properly collecting and storing digital evidence, and documenting everything thoroughly. A full forensic examination may then recover deleted files or other data. Investigating computer crimes usually demands a multidisciplinary team with expertise in computers, networking, and relevant devices and software.
2. Introduction
• Computer crimes are relatively easy to commit and difficult to detect
• Most computer crimes are not prosecuted
• Crimes involving computers have become much more sophisticated
• Most computers on the planet are connected via the Internet
• A new breed of detective—the cybercrime investigator
Hess 17-2
3. The Scope and Cost of the Problem
SOURCES
• IC3 2010 Internet Crime Report
• 2010 CyberSecurity Watch Survey
• 2010/2011 CSI Computer Crime and Security Survey
• Created a fundamental change in law enforcement agencies
5. Terminology and Definitions
THE NET VERSUS THE WEB
• Net is a network of networks
• Web is an abstract space of information
LIVE CHAT AND INSTANT MESSAGING
• Two or more people
• Talk online in real time
6. Classification and Types of Computer Crimes
OVERVIEW
• Computer as target
• Computer as tool
• Computer as incidental to an offense
• Be aware of the ever-expanding ways
7. Classification and Types of Computer Crimes
COMPUTER AS TARGET
• Viruses and worms
• Invariably involves hacking
COMPUTER AS TOOL
• Traditional methods elevated
• Many offenses overlap
8. Special Challenges in Investigation
OVERVIEW
• Reluctance or failure to report crime
• Lack of training
• Need for specialists
• Fragility of the evidence
• Jurisdictional issues
9. Special Challenges in Investigation
NONREPORTING OF COMPUTER CRIMES
• Did not think law enforcement could help
• Too insignificant to report
LACK OF INVESTIGATOR TRAINING
• Cybercriminals are more technologically sophisticated
• Law enforcement needs additional training
10. Special Challenges in Investigation
NEED FOR SPECIALISTS AND TEAMWORK
• Cybercrime unit
FRAGILITY AND SENSITIVITY OF EVIDENCE
• Computer evidence is very fragile
• Can be altered or damaged easily
• Could be rendered unusable
11. Special Challenges in Investigation
JURISDICTIONAL ISSUES
• Traditional boundaries are complicated
• Double criminality
• Need for unified global approach
• Federal versus state
• Growing pains for this area of law
12. The Preliminary Investigation
COMMON PROTOCOL
• Secure, evaluate and document crime scene
• Obtain a search warrant
• Recognize, identify, collect and preserve the evidence
• Package, transport and store evidence
• Submit digital evidence
• Document in an incident report
13. The Preliminary Investigation
SECURING AND EVALUATING THE SCENE
• Basic ON/OFF tenet
• Follow departmental policy
• Ensure that no unauthorized person has access
• Ensure condition of electronic device is not altered
• Properly document
14. The Preliminary Investigation
OBTAINING A SEARCH WARRANT
• Searches may be conducted by consent
• Suspect unknown, warrant must be obtained
• Have both a consent search form and a search warrant
• Avoid destruction of evidence
16. The Preliminary Investigation
DOCUMENTING DIGITAL EVIDENCE
• Thorough notes, sketches and photographs
• Document condition and location of computer system
• Photograph the entire scene
• Photograph the front and back of the computer
17. The Preliminary Investigation
COLLECTING PHYSICAL AND DIGITAL EVIDENCE
• Evidence often contained on disks
• Devices may have fingerprints
• Avoid contact with recording surfaces
• Evidence log
• Chain of custody issues
18. The Preliminary Investigation
PACKAGING, TRANSPORTING AND STORING DIGITAL EVIDENCE
• Keep away from magnetic fields
• Store away from humidity extremes
• Do not use plastic bags
• Be aware of battery needs
19. Forensic Examination of Computer Evidence
DATA ANALYSIS AND RECOVERY
• Deleted files remain on hard drive
• Forensic expert can make viewable
• Recycle bin
• Data remanence
20. Legal Considerations in Collecting and Analyzing Computer Evidence
WARRANT EXCEPTIONS
• Contraband, fruits or instrumentalities of the crime
• Prevent death or serious bodily injury
• Has committed or is committing a criminal offense to which the materials relate
22. Follow-Up Investigation
ORGANIZED CYBERCRIME GROUPS
• Generally not loyal to one another
• Operate in countries with weak hacking laws
UNDERCOVER INVESTIGATION AND SURVEILLANCE
• Headed by computer expert
• Online undercover officer
23. Security of the Police Department’s Computers
VULNERABILITY
• Access via phone lines
• Critical nature of law enforcement data
• Agency’s network should be a top priority
• Evidence logs
• Other valuable data
24. Legislation
GOVERNMENT MEASURES
• USA PATRIOT Act
• Foreign Intelligence Surveillance Act (FISA)
• National Security Letter (NSL)
• Child Protection and Sexual Predator Punishment Act
• All states have enacted tough computer crime control laws
25. The Investigative Team
CYBER SPECIALISTS
• Often requires a team approach
• Equipment owner
• Database technicians
• Auditors
• Computer experts
• Programmers
26. Resources Available
SOURCES
• National Cybercrime Training Partnership (NCTP)
• Electronic Crimes Task Forces (ECTFs)
• Perverted Justice
• NetSmartz
28. Summary
• Computer crimes are relatively easy to commit and difficult to detect
• Basic tenet for first responders at computer crime scenes is to observe the ON/OFF rule
• Most cybercrimes against businesses are committed by outsiders
• Investigating such crimes often requires a team approach