Berkeley College Cyber Crime
Lecture Notes Chapter 11
Searching and Seizing Computer-Related Evidence
I. TRADITIONAL PROBLEMS WITH FINDING DIGITAL EVIDENCE
Unlike traditional investigations in which forensic experts are tasked with analysis of criminal evidence, computer-related investigations often require role multiplicity on the part of investigators.
Computer crime investigators are often forced to act as case supervisors, investigators, crime-scene technicians, and forensic scientists. Such duality is further exacerbated by characteristics unique to digital evidence.
· Digital evidence is especially volatile and voluminous, susceptible to climatic or environmental factors as well as human error.
· It may be vulnerable to power surges, electromagnetic fields, or extreme temperatures.
· Unlike traditional evidence in which analysis of small samples is utilized to preserve the totality of the evidence, assessment of digital evidence requires evaluation of the whole, making investigative mistakes quite costly.
· Digital evidence is also unique in its level of camouflage possibilities, lending itself to concealment by individuals desiring to hide information. Cyber criminals may hide incriminating evidence in plain sight without damaging its utility.
· Cyber criminals also use encryption and steganography programs, which have made the process of recovering data increasingly complex.
· Cyber criminals use self-destructive programs to sabotage their own systems upon unauthorized access.
II. PRE-SEARCH ACTIVITIES
a. Intelligence gathering: determine location, size, type, and numbers of computers at a suspect scene.
Dumpster diving: processing trash of suspect may provide information of passwords or personal information on the suspect.
Social engineering and informants: gain information about suspects and personnel at the scene, types of computers and storage devices as well as operating systems.
b. Warrant preparation and application:
1. Determine the role of the computer in the crime.
2. Specifications of operating systems, storage devices and hardware.
3. Structure the application according to the unique court environments in the area of service. Find a judge that supports law enforcement versus one that doesn’t.
4. Have the application reviewed by other specialists, computer investigators and legal experts, before submitting to the judge or magistrate.
5. Clearly substantiate any requests for seizure of equipment found at the scene.
6. If exigent circumstances exist, a request for a “no-knock” warrant should be included in the application.
c. Probable cause: three elements are necessary in a warrant.
1. Probable cause that a crime has been committed.
2. Probable cause that evidence of a crime exists.
3. Probable cause that extant evidence resides in a particular location.
d. Preparing a Toolkit: include all traditional equipment law enforcement uses plus computer specific equipment and materials (some listed below):
1. Multiple boot disks
2. Backup hardware
3. Antivirus software
4. Imaging software
5. Forensic software
6. Extra cables, serial port connectors
7. Extension cords and power strips
8. Cell phone analysis software and necessary hardware
III. ON-SCENE ACTIVITIES
a. Securing the crime scene: one of the most important, yet overlooked, factors in the successful prosecution of a suspect.
1. Dangerous individuals or safety hazards must be immediately recognized and contained or neutralized.
2. All computers must be locked and secured. They are to be protected by a police officer.
3. All non-police personnel must be removed from the immediate area of the evidence.
4. Network connections must be ascertained and appropriate action taken.
5. All suspects should be immediately separated and escorted to a predetermined location.
b. Crime scene processing:
1. Photograph/Video: The golden rule for any successful criminal investigation should be document, document, document. Photographs and videos are an integral part of the documentation process, and they should occur at every stage of scene processing.
2. Sketching: Sketching a crime scene is essential in any criminal investigation. It provides an overview of the state of the scene and acts as corroboration for investigative field notes and scene photographs. Because extraneous objects may be omitted from crime-scene sketches and not from photographs, sketches represent a more focused illustration of the applicable evidence.
3. Locating evidence: focus on the general areas below:
a. Desktops
b. Monitors
c. Keyboards
d. Telephone
e. Wallets or purses
f. Clothing
g. Trash cans, shredders, recycle bins or other garbage containers
h. Printers
i. Inside the computer
c. Seizure and transportation of evidence:
1. Whenever possible, each individual investigator or team of investigators should physically maintain in their possession a copy of the warrant.
2. Once the determination is made that evidence may be seized, the collection process should be initiated by imaging the drives (i.e., duplicating them byte for byte, bit for bit) onto clean media.
3. Bagging and tagging: Like any scientific evidence, great care must be exercised when collecting and preserving crime-scene evidence. The chain of custody and continuity of possession must be maintained at all times for court admissibility. Investigators should adhere to standard operating procedures for custodial evidence collection—keeping in mind that routinization enhances witness credibility and evidence validity. Although policies and procedures vary by department, certain things remain constant.
Special care and caution should be exercised in preserving computer evidence. The materials may be affected by numerous environmental factors including heat, magnetic fields, and static electricity, as well as oil, dirt and dust.
4. Transportation to Laboratory:
a. Once the evidence has been properly collected and loaded into appropriate vehicles for transportation, investigators should follow traditional procedures for exiting a crime scene (e.g., physically securing the scene and removal of recovery equipment).
b. Prior to leaving, investigators should re-photograph the crime scene.
c. Upon arrival at the lab, shipping manifests should be checked over carefully, and all items should be properly accounted for. In addition, investigators should note the condition of the boxes upon unloading. These manifests should remain with the evidence at all times.
d. Once accounted for, all incoming evidence should be entered into the appropriate evidence control systems and assigned to a location or examiner to await analysis.
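The imaging step in c.2, the bagging and tagging in c.3, and the intake check in c.4, as an added Python example that is not part of the lecture notes: it copies a constructed stand-in for a seized drive byte for byte, hashes the source as it is read and the finished image on re-read, and only then produces a custody record; the same re-hash at lab intake shows that a single altered byte is detected. The examiner name, item label and record fields are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads; a real block device is read the same way
DRIVE_CONTENT = b"BOOT" + b"\x00" * 8192 + b"user documents" + b"\xff" * 4096  # constructed, not a real disk


def sha256_of_file(path):
    """Hash a file in chunks (the re-read done at acquisition and at intake)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source_path, image_path, examiner, item_id):
    """Byte-for-byte copy; hash source on read, re-hash image; return custody record."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is really on the media
    if sha256_of_file(image_path) != src_hash.hexdigest():
        raise RuntimeError("image hash differs from source; re-image before tagging")
    return {
        "item_id": item_id,  # bag/tag label (assumed format)
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(image_path),
        "sha256": src_hash.hexdigest(),
    }


def demo():
    """Image the constructed drive, check it at intake, then alter one byte."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "drive.bin"), os.path.join(d, "ITEM-001.dd")
        with open(src, "wb") as f:
            f.write(DRIVE_CONTENT)
        record = image_and_verify(src, img, "Examiner A (assumed)", "ITEM-001")
        ok = sha256_of_file(img) == record["sha256"]
        with open(img, "r+b") as f:  # one changed byte, as transit damage might
            f.seek(5)
            f.write(b"\x01")
        return {"record": record, "verified": ok,
                "verified_after_tamper": sha256_of_file(img) == record["sha256"],
                "expected_sha256": hashlib.sha256(DRIVE_CONTENT).hexdigest()}
```

The record dictionary is what would be written alongside the image and travel with the manifest; re-running the hash at intake against its `sha256` field is the accounting step.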
Homework Questions - Chapter 11
1. Describe the traditional problems associated with finding digital evidence.
2. Discuss the areas noted in the lecture notes relative to securing the crime scene in computer-related investigations.
3. Discuss the handling of seized evidence prior to transportation to the laboratory.
4. Discuss crime scene processing for computer-related crimes.