International Law Notes

Section 3 Criminology
CRIMINAL INVESTIGATION
A criminal investigation is an undertaking that seeks, collects, and gathers evidence of a crime for a case or
specific purpose.
A criminal investigator looks for clues and evidence to determine whether a crime has taken place. If a crime
has been committed, investigators may look into the background of the accused and try to uncover who
committed the crime. Police agencies and law enforcement are committed to criminal investigations of every
kind, but a growing number of individuals are choosing to launch their own criminal investigations with the
help of professional investigators.
What is the criminal investigation process?

Investigation: The investgation involves establishing that a crime was committed and whether an arrest
should be pursued. After confirming the crime, evidence is gathered and a suspect identified. If sufficient
evidence is gathered, the suspect is arrested.
Arrest: The suspect is apprehended.
Court Proceedings: All the evidence gathered during the investigation is presented to the court and a decision
is made in regards to punishment.
Types of investigation
1. Criminal Forensics
2. Intelligence gathering
3. Electronic discovery
4. Intrusion Investigation
There are four main types of investigation performed by digital forensics specialists. The first three are broadly
similar in the activities the involve, but differ in terms of the legal restrictions and guidelines imposed as well
as the type of digital evidence and form of report.
1. Criminal forensics
The largest form of digital forensics and falling under the remit of law enforcement (or private contractors
working for them). Criminal forensics is usually part of a wider investigation conducted by law enforcement
and other specialists with reports being intended to facilitate that investigation and, ultimately, to be entered
as expert evidence before the court. Focus is on forensically sound data extraction and producing
report/evidence in simple terms that a lay man will understand.
2.Intelligence gathering
This type of investigation is often associated with crime, but in relation to providing intelligence to help track,
stop or identify criminal activity. Unless the evidence is later to be used in court forensic soundness is less of
a concern in this form of investigation, instead speed can be a common requirement.
3. Electronic discovery (eDiscovery)

Similar to "criminal forensics" but in relation to civil law. Although functionally identical to its criminal counter
part, eDiscovery has specific legal limitations and restrictions, usually in relation to the scope of any
investigation. Privacy laws (for example, the right of employees not to have personal conversation
intercepted) and human rights legislation often affect electronic discovery.
4. Intrusion investigation
The final form of investigation is different from the previous three. Intrusion investigation is instigated as a
response to a network intrusion, for example a hacker trying to steal corporate secrets. The investigation
focuses on identifying the entry point for such attacks, the scope of access and mitigating the hackers
activities. Intrusion investigation often occurs "live" (i.e. in real time) and leans heavily on the discipline of
network forensics.
PRINCIPLES OF CRIMINAL INVESTIGATION

Outline:
Introduction
Gauging the Value of Evidence
1. It is unique
2. It has a low probability of occurring by chance –
3. It is inconsistent –
4. It is a physical match -
Introduction
The key principle underlying crime scene investigation is a concept that has become known as Locard’s
Exchange Principle. It states that whenever someone enters or exits an environment, something physical
is added to and removed from the scene. This principle is generally summed up by stating: “Every contact
leaves a trace.”
The logic behind this principle allows investigators to link suspects to victims, to physical objects, and to
scenes. Any evidence that can link a person to the scene is referred to as associative evidence. This may
include items such as fingerprints, blood and bodily fluids, weapons, hair, fibers and the like. This type of
evidence answers the question “Who did this?”
While associative evidence links people to the place of the crime, reconstructive evidence allows
investigators to gain an understanding of the actions that took place at the scene. A broken window, a
blood spatter pattern, bullet paths and shoe prints can all reveal what actually happened. This type of
evidence answers the question, “How did it happen?”
To help establish the linkage of people and things to a scene, the investigator may also collect known
substances, called control samples. These can be items such as fibers from carpeting at the scene, glass
fragments, soil, vegetation and other trace evidence. Learn more about trace evidence▸ If these are
found on the suspect’s clothing, in their vehicle or at their residence, it could provide circumstantial
evidence linking the person to the scene.
For example, police are called to a residential neighborhood where a home invasion and burglary has just
occurred. Investigators collect glass fragments from a shattered cabinet door with a distinct pattern etched
into the glass. A tip leads investigators to a local man with a known history of burglary. Examination of the
suspect’s clothing yields glass fragments with the same distinct pattern as the smashed cabinet doors.
Eliminating people who could not be the perpetrator is also important. Control samples of fingerprints and
DNA are often collected from any person(s) who have access to the scene who are not considered
suspects.
Gauging the Value of Evidence
5. It is unique - If an item is found that helps narrow the possibilities of who might be considered a
suspect, or the manner in which a crime was committed, this evidence would be of use. Is an
impression from a vehicle tire found in the dirt at the scene? The tread impression can be compared
to others to determine the type of tire that was on the car. Is a shoe print left in the soil? The tread
may help to identify the size and type of shoes it came from and the wear pattern could be used to
match it to a specific pair. Learn more about footwear impressions and tire tracks ▸
6. It has a low probability of occurring by chance - Considering the mathematical probabilities
will help to determine the odds that a piece of physical evidence found at the scene could appear
merely by coincidence. If DNA evidence found at the scene matches a suspect, the chances are
exceedingly low that another person could have left this sample. But even evidence that has a much
higher probability—for instance, a common type of shoeprint that is left in the soil—is still valuable.
When combined with other high probability evidence, these can help narrow the list of possible
parties and build a compelling case.
7. It is inconsistent - If an item is found that is out of place or inconsistent with the setting, or is out
of character for the victim—for instance if the victim was a non-smoker but a cigarette butt is found
at the scene—this could be an important bit of evidence.
8. It is a physical match - If trace evidence is found on the suspect or in his possession that
matches something at the scene, this makes this item valuable as evidence. For instance, broken
plastic parts or a broken fingernail that can be matched by fracture marks can demonstrate that two
pieces were once a part of the same item.
CRIME SCENE INVESTIGATION CONDUCTION

Outline:
Introduction
1. Establish the scene dimensions and identify potential safety and health hazards –
2. Establish security -
3. Plan, communicate and coordinate –
4. Conduct a primary survey/walkthrough –
5. Document and process the scene -
6. Conduct a secondary survey/review –
7. Record and preserve evidence -
How and Where Tests on the Evidence are Conducted
Introduction
The circumstances that investigators encounter at the scene will largely dictate the approach used to
process the scene. A homicide will likely require different treatment and processing than a burglary.
However, to ensure a thorough process, the seven steps outlined below are often followed. These steps
can be conducted in a different order, combined or even skipped altogether to meet the needs of the
situation.
1. Establish the scene dimensions and identify potential safety and health hazards -
Investigators initially locate the “focal point” of the scene, the main area of disturbance. This could be a
ransacked bedroom, the area where an attack occurred, or the room in which a victim was found. Radiating
out from that point, investigators establish an area that is sizeable enough to likely contain all relevant
physical evidence that may be present. It is easier for investigators to condense the size of a scene at a
later point than to discover that sensitive evidence outside the scene has been damaged or destroyed by
other responders, media or onlookers. In addition, potential paths of perpetrator entry/exit are identified.
Safety is of paramount importance during the initial approach to the scene. Weapons, biohazards, chemical
hazards and even intentional traps could be waiting for responders. If medical, fire or coroners will be on
scene, they will need to be advised regarding evidentiary issues as well.
2. Establish security - According to Locard’s Exchange Principle, every person who enters or exits the
scene will add or subtract material from the crime scene, so it’s crucial to quickly secure the area. To
control access, the scene may be cordoned off with yellow crime scene tape, cones or by other means. In
addition, a common entryway is often established that all crime scene personnel will use to enter and exit
the scene and all people entering or leaving the scene are documented once the boundaries have been
established. Additional areas for consultation and evidence storage may also be established if necessary.
3. Plan, communicate and coordinate - Before collecting evidence, investigators must first develop a
theory regarding the type of offense that occurred. Knowing the type of crime will help investigators
anticipate the evidence that could be present. This may require gathering information from witnesses or
persons of interest. Based on this information, the crime scene team will develop an evidence-collection
strategy taking into consideration weather conditions, time of day and other factors. Additional forensic
resources may also be requested to handle special situations.
4. Conduct a primary survey/walkthrough - An initial survey of the scene is then conducted to
prioritize evidence collection. During this walkthrough, the lead investigator will identify potentially valuable
evidence, take notes and capture initial photographs of the scene and the evidence. The crime scene is
documented to record conditions such as whether lights were on or off, the position of shades and doors,
position of movable furniture, any smells present, the temperature of the scene, etc. To facilitate this
process, crime scene specialists may create an evidence-free pathway leading to the primary area of
interest by conducting a thorough sweep for evidence in that area.
5. Document and process the scene - With a plan in place, the crime scene team conducts a
thorough, coordinated investigation of the scene, collecting all probative evidence. This entails detailed
documentation with digital and video cameras or, if available, a 3-D scanner. For some situations, sketches
and diagrams are also created. During the evidence-collection process, it is crucial that the crime scene
investigator follow proper procedures for collecting, packaging and preserving the evidence, especially if it
is of a biological nature. Biological evidence can be destroyed or damaged by weather conditions,
individuals can inadvertently contaminate it, or it can be overlooked entirely if alternate light sources are not
used to inspect the scene.
6. Conduct a secondary survey/review - To ensure that the scene has been thoroughly searched, a
second survey of the area is conducted as a quality control step.
7. Record and preserve evidence - To make certain that all evidence is accounted for, an inventory log
is created. The descriptions recorded into the log must match the photo of the evidence taken at the scene
and the description included in the crime scene report. For instance, if a gun is collected, the serial number
of the firearm in the evidence log must match the serial number shown in the photo that was taken at the
scene. This paper trail establishes the chain of custody that will follow the evidence throughout the lifecycle
of the case.
How and Where Tests on the Evidence are Conducted
The most probative evidence will be sent to either a forensic laboratory or, if the laboratory does not have
an expert in that forensic discipline, to an outside analyst for examination. To help identify the evidence that
is most valuable, the crime scene personnel may conduct initial screening tests, called presumptive tests,
at the scene. These tests can be useful in determining the type of substance present—whether it’s a toxin
or a drug, a stain that contains body fluids, or even whether a dried red substance found in the kitchen is
blood or ketchup.
Presumptive tests allow investigators to narrow the field of possibilities to a certain class of substance, but
they are not specific enough to confirm the presence of specific compounds. In addition to helping provide
clues to indicate how the crime occurred and who may have been involved, presumptive tests can also help
reduce the quantity of evidence that is submitted to the lab to include only the most important items. This
helps to expedite processing at the laboratory.
INTELLIGENCE AND INTELLIGECE OPERATIONS

Outline:
What is Intelligence?
What are the 5 steps of the Intelligence cycle?
1. Planning and direction –

2. Collection –
3. Processing and exploitation –
4. Analysis and production –
5. Dissemination and Integration –
What is Intelligence?
Intelligence is the product that results from a set of actions that are performed to information. Traditionally,
used across governmental organizations for the purpose of national security. The actions are collect,
analyze, integrate, interpret and disseminate. The final product of intelligence gives value-added, tailed
information that provides an organization or its adversary, the ability to make conclusions. For the enterprise
the information product might be to seek information about the threat actors means, motive and capabilities.
On the other hand the adversary might want to seek information about intellectual property (patents,
copyrights, trademarks, trade secrets, etc) from your company in order to gain economical advantage or to
subvert its interests. In any of the cases the information produced gives an edge, a competitive advantage to
you or to your adversary.
The information produced contains facts, findings and forecasts that supports yours or the adversary
goals. There are two categories of Intelligence. One is strategic and the other is operational. Strategic
intelligence means information produced to support well informed decisions of long-lasting importance.
Strategic intelligence is broader and often requires information concerning different fields. Operational
intelligence is of limited life span and it to be used rapidly and is concerned with current events and capability.
What are the 5 steps of the Intelligence cycle?
6. Planning and direction – This is the first step. It’s here were the requirements and priorities are
set. The capabilities to produce Intel are limited as any other resource which means we want to
maximize its production with a constant number of resources. Among others, a methodology to define
the requirements might be using the “Five W’s”. It’s also in this step where we define which areas the
intelligence produced will have the most impact and make to most contribution. During the planning
is fundamental to specify which categories of Intelligence will be gathered i.e. OSINT (Open Source
Intelligence). In addition, the processes, people and technology to support the different steps in the
cycle need to be established with clear roles and responsibilities.
7. Collection – The second step includes all the different activities, mainly research, that involves the
collection of data to satisfy the requirements that were defined. The collection can be done either via
technical or human means and involves gathering data from a variety of sources. In the military and
intelligence community the sources normally used are people, objects, emanations, records. These
sources span the different collection disciplines named as HUMINT, IMINT, MASINT, SIGNT, OSINT
and others. Once collected, information is correlated and forwarded for processing and production.
8. Processing and exploitation – Third step, the collected raw data starts to be interpreted,
translated and converted into a form suitable for the consumers of the intelligence. The raw data
becomes information.
9. Analysis and production – The refinement of the information that was produced in the previous
step. The fusion of the different information that was processed from the different intelligence
disciplines. These are key tasks performed during this step. The analysis consists of facts, findings
and forecasts that describe the element of study and allow the estimation and anticipation of events
and outcomes. The analysis should be objective, timely, and most importantly accurate. To produce
intelligence objectively, the analysts apply four basic types of reasoning. Induction, deduction,
abduction and the scientific method. Furthermore, because bias and misperceptions can influence
the analysis the analyst should be aware of the different analytical pitfalls. The outcome is value-
added actionable information tailored to a specific need. For example, in the United States, creating
finished intelligence for national and military purposes is the role of the CIA.
10. Dissemination and Integration – Essentially, this step consists in delivering the finished product
to the consumers who requested the information. This can be done using a wide range of formats and
in a manual or automated manner.
Link for Pakistan Intelligence Agencies: The Inside story
(https://herald.dawn.com/news/1153827)
Types of Investigations
1. Forensic Investigation
2. Electronic Investigation
3. Database Investigation
FORENSIC INVESTIGATION
Outline:
What is a forensic investigation?
Types of Forensic Investigation:

1. Forensic Accounting / Auditing
2. Computer or Cyber Forensics
3. Crime Scene Forensics
4. Forensic Archaeology
5. Forensic Dentistry
6. Forensic Entomology
7. Forensic Graphology
8. Forensic Pathology
9. Forensic Psychology
10. Forensic Science
11. Forensic Toxicology
What is forensic evidence?

• Genetic material (blood, hair, skin)
• Trace chemicals
• Dental history
• Fingerprints
• Witness testimonies
• Bullets or other potential weapons (ballistics)
• Shoe and tire marks
• Illicit substances
• Documents, files, and records (hospital records, tax forms, job history, etc.)
• Computers and phones
• Videos or photographs
Direct vs. circumstantial evidence:
Physical vs. biological evidence:
Reconstructive Evidence:
Associative evidence:
Testimonial evidence:
What is a forensic investigation?

Forensics are the scientific methods used to solve a crime. Forensic investigation is the gathering and
analysis of all crime-related physical evidence in order to come to a conclusion about a suspect.
Investigators will look at blood, fluid, or fingerprints, residue, hard drives, computers, or other technology to
establish how a crime took place. This is a general definition, though, since there are a number of different
types of forensics.
Types of Forensic Investigation:

13. Computer or Cyber Forensics

A forensic accounting investigation aids the victims of fraud or financial crimes. Also known as financial
investigation, this kind of analysis uses intelligence-gathering techniques, accounting, business, and
communication skills to provide evidence to attorneys involved in criminal and civil investigations. They
investigate by combing through a large amount of relevant figures, searching for irregularities or illegal
financial practices. Crimes can vary from tax evasion to theft of company assets. They also look into
insurance claims and high payouts.
Forensic accounting services can include:
• Searching for hidden assets
• Calculating lost wages
• Tracing misappropriated funds
• Performing fraud investigations
2. Forensic Computer or Cyber Forensics

Computer investigations are similar to electronic discovery (or e-discovery). These forensic investigations
recover data from computers and hard drives to solve a crime or find evidence of misconduct. Computer
investigators can uncover things like sale of black market goods, fraud, and sex trafficking. Some common
situations that call for computer investigation are divorce, wrongful termination, employee internet abuse,
unauthorized disclosure of corporate information, and other illegal internet activity. Forensic computer
investigations can find information on cell phones and hard drives including emails, browsing history,
downloaded files, and even deleted data. One of the first cases in which computer forensics lead to a
conviction involved the messages exchanged in an online chat room.

Crime scene investigations document and gather any physical evidence found at a crime scene in order to
solve a crime or determine whether a crime has taken place. This kind of investigation also includes the
analysis of what investigators collect to ensure the evidence is credible and relevant. There are a wide
range of crime scene investigators like ballistics experts, who study the trajectory of ammunition and match
bullets to potential firearms, and odontologists, who specialize in teeth and bite-marks to identify missing
persons or victims of mass disaster.
Forensic archaeology focuses on human remains that are severely decomposed. They mainly focus on
clues they can glean from the bones, including carbon dating to determine their age. From these clues,
they can sometimes establish cause-of-death. If a mass grave is discovered or in the event of large
casualties, forensic archaeologists can identify the victims using facial reconstruction software.
Forensic dentists are vital when a victim can’t be identified by any other means or when a culprit bites a
victim. Since teeth have distinct patterns, the marks left behind can identify a suspect or victim. The shape
of the jaw can also indicate age, gender, and DNA can be extrapolated from teeth like with bone marrow
and hair. Even if the victim wasn’t bitten, physical evidence found at a crime scene may still be useful for
forensic dentists. For example, a pencil with bite marks or a half eaten apple might have deep enough
impressions to reveal someone’s identity.
Forensic entomology is the study of any insects found at a crime scene. Alive or dead, these bugs can
reveal where a crime took place, whether the victim had been given drugs, and the time of death. Some
insects are only found in specific areas so finding them on a body can suggest whether a body was moved.
The presence of larvae in a body can also suggest how long a victim has been dead. If the crime isn’t a
murder, insects will still occupy untreated wounds in abuse cases or identify the origin of illegally imported
goods, like cannabis.
Forensic graphologists study the handwriting on ransom notes, poison pen letters, suicide notes, and
blackmail demands. Though age and gender cannot be determined by handwriting alone, it can indicate the
writer’s state of mind at the time the note was penned. Handwriting can give insights about:
• Mood
• Motivation
• Integrity
• Intelligence
• Emotional stability
Slant, size of writing, and the weight of the hand all reflect information about the writer. The phrases and
slang the writer uses can also say a lot about location and motive. Forensic graphologists are also used to
verify the validity of documents such as insurance claims or police statements.
Ultimately, it is the forensic pathologist’s job to find out cause-of-death, especially when it is suspected that
the death was not due to natural causes. They perform an autopsy, which involves observing both the
outside and inside of the victim. On the outside there may be signs of blows, bruises, bullet entry points, or
asphyxia. On the inside, the pathologist will look at things like the organs and stomach contents. By
observing these things, a pathologist can determine whether the death was a suicide, murder, or due to
natural causes.
Forensic psychology studies the thoughts behind an attacker’s actions. Before thinking about how to catch
a suspect, forensic psychologists consider why the act was committed. They look at sources of extreme
stress in the perpetrator’s life that might push them to act violently. They also observe the scene of the
crime, which can tell them whether the act was done out of a burst of emotion or was predetermined. Once
a suspect is caught, a forensic psychologist can determine whether they are of sound mind. Even in cases
of suspected suicide, investigators can examine the life of the victim and conclude whether the act was
purposeful or an accident.

Forensic science is the general term used for all of the scientific processes involved in solving a crime.
Some types of forensic science include:
• DNA coding
• Toxicology (drugs and the effects)
• Serology (bodily fluids)
• Ballistics (everything related to firearms)
A big part of forensic science is the collection, storage, and analysis of fibres, DNA, bodily fluids, and other
physical evidence. The roles of forensic scientists have become vital to the sentencing of criminals due to
the reliability and accuracy of the evidence they provide. It is also a section of forensics that is constantly
growing and changing as technology advances.

Forensic toxicology studies toxic substances, environmental chemicals, and poison. The drug tests needed
for certain job applications are an example of the most basic forensic toxicology. Today, a large part of a
forensic toxicologist’s job is studying both illegal and legal drugs. Using urine, blood, or hair, they look at
the way these substances are absorbed, distributed, and eliminated by the body. They will also look at their
effects. For a murder, substances use shows itself in the brain, liver, and spleen.
What is forensic evidence?

• Genetic material (blood, hair, skin)
• Trace chemicals
• Dental history
• Fingerprints
• Witness testimonies
• Bullets or other potential weapons (ballistics)
• Shoe and tire marks
• Illicit substances
• Documents, files, and records (hospital records, tax forms, job history, etc.)
• Computers and phones
• Videos or photographs
Direct vs circumstantial evidence: Direct evidence establishes a fact and includes eyewitness
testimonies and/or confessions. Circumstantial requires inference on behalf of the judge or jury. Fingerprints
or hair fibers suggest someone was at the scene of the crime.
Physical vs biological evidence: Physical evidence is nonliving, inorganic material like fingerprints,
glass, or bullets. Biological evidence is organic material like DNA, wood, or plants.
Reconstructive Evidence: This includes any evidence that allows police to better understand how the
crime took place.
Associative evidence: Any evidence that links a suspect to a scene at a given time.
Testimonial evidence: What is said in court by a competent witness.
ELECTRONIC/DIGITAL INVESTIGATION
Outline:
Introduction
Investigative Tools and Equipment
Tools and Materials for Collecting Digital Evidence
Stages of Investigations
1. Policy and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting
Introduction
The field of computer forensics investigation is growing, especially as law enforcement and legal entities
realize just how valuable information technology (IT) professionals are when it comes to investigative
procedures. With the advent of cybercrime, tracking malicious online activity has become crucial for
protecting private citizens, as well as preserving online operations in public safety, national security,
government and law enforcement. Tracking digital activity allows investigators to connect cyber
communications and digitally-stored information to physical evidence of criminal activity; computer forensics
also allows investigators to uncover premeditated criminal intent and may aid in the prevention of future
cyber-crimes. For those working in the field, there are five critical steps in computer forensics, all of which
contribute to a thorough and revealing investigation.
Investigative Tools and Equipment

In most cases, items or devices containing digital evidence can be collected using standard seizure tools and
materials. First responders must use caution when collecting, packaging, or storing digital devices to avoid
altering, damaging, or destroying the digital evidence. Avoid using any tools or materials that may produce
or emit static electricity or a magnetic field as these may damage or destroy the evidence. Should the
complexity of an electronic crime scene exceed the expertise of a first responder, the first responder should
request assistance from personnel with advanced equipment and training in digital evidence collection.
Tools and Materials for Collecting Digital Evidence
In addition to tools for processing crime scenes in general, first responders should have the following items
in their digital evidence collection toolkit:
■ Cameras (photo and video). ■ Cardboard boxes. ■ Notepads. ■ Gloves. ■ Evidence inventory logs ■
Evidence tape. ■ Paper evidence bags. ■ Evidence stickers, labels, or tags. ■ Crime scene tape. ■ Antistatic
bags. ■ Permanent markers. ■ Nonmagnetic tools. First responders should also have radio frequency-
shielding material such as faraday isolation bags or aluminum foil to wrap cell phones, smart phones, and
other mobile communication devices after they have been seized. Wrapping the phones in radio frequency-
shielding material prevents the phones from receiving a call, text message, or other communications signal
that may alter the evidence.
Stages of Investigations
1. Policy and Procedure Development
Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a crime, digital
evidence can be delicate and highly sensitive. Cyber security professionals understand the value of this
information and respect the fact that it can be easily compromised if not properly handled and protected. For
this reason, it is critical to establish and follow strict guidelines and procedures for activities related to
computer forensic investigations. Such procedures can include detailed instructions about when computer
forensics investigators are authorized to recover potential digital evidence, how to properly prepare systems
for evidence retrieval, where to store any retrieved evidence, and how to document these activities to help
ensure the authenticity of the data.
Law enforcement agencies are becoming increasingly reliant on designated IT departments, which are
staffed by seasoned cyber security experts who determine proper investigative protocols and develop
rigorous training programs to ensure best practices are followed in a responsible manner. In addition to
establishing strict procedures for forensic processes, cyber security divisions must also set forth rules of
governance for all other digital activity within an organization. This is essential to protecting the data
infrastructure of law enforcement agencies as well as other organizations.
An integral part of the investigative policies and procedures for law enforcement organizations that utilize
computer forensic departments is the codification of a set of explicitly-stated actions regarding what
constitutes evidence, where to look for said evidence and how to handle it once it has been retrieved. Prior
to any digital investigation, proper steps must be taken to determine the details of the case at hand, as well
as to understand all permissible investigative actions in relation to the case; this involves reading case briefs,
understanding warrants and authorizations and obtaining any permissions needed prior to pursuing the case.
2. Evidence Assessment
A key component of the investigative process involves the assessment of potential evidence in cyber-crime.
Central to the effective processing of evidence is a clear understanding of the details of the case at hand and
thus, the classification of cyber-crime in question. For instance, if an agency seeks to prove that an individual
has committed crimes related to identity theft, computer forensics investigators use sophisticated methods
to sift through hard drives, email accounts, social networking sites and other digital archives to retrieve and
assess any information that can serve as viable evidence of the crime. This is, of course, true for other crimes,
such as engaging in online criminal behavior like posting fake products on eBay or Craigslist intended to lure
victims into sharing credit card information. Prior to conducting an investigation, the investigator must define
the types of evidence sought (including specific platforms and data formats) and have a clear understanding
of how to preserve pertinent data. The investigator must then determine the source and integrity of such data
before entering it into evidence.
3. Evidence Acquisition
Perhaps the most critical facet of successful computer forensic investigation is a rigorous, detailed plan for
acquiring evidence. Extensive documentation is needed prior to, during, and after the acquisition process;
detailed information must be recorded and preserved, including all hardware and software specifications, any
systems used in the investigation process, and the systems being investigated. This step is where policies
related to preserving the integrity of potential evidence are most applicable. General guidelines for preserving
evidence include: the physical removal of storage devices, using controlled boot discs to retrieve sensitive
data and ensure functionality, and taking appropriate steps to copy and transfer evidence to the investigator’s
system.
Acquiring evidence must be accomplished in a manner both deliberate and legal. Being able to document
and authenticate the chain of evidence is crucial when pursuing a court case, and this is especially true for
computer forensics given the complexity of most cybersecurity cases.
4. Evidence Examination
In order to effectively investigate potential evidence, procedures must be in place for retrieving, copying, and
storing evidence within appropriate databases. Investigators typically examine data from designated
archives, using a variety of methods and approaches to analyze information; these could include utilizing
analysis software to search massive archives of data for specific keywords or file types, as well as procedures
for retrieving files that have been recently deleted. Data tagged with times and dates is particularly useful to
investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.
Analyzing file names is also useful, as it can help determine when and where specific data was created,
downloaded, or uploaded and can help investigators connect files on storage devices to online data transfers
(such as cloud-based storage, email, or other Internet communications). This can also work in reverse order,
as file names usually indicate the directory that houses them. Files located online or on other systems often
point to the specific server and computer from which they were uploaded, providing investigators with clues
as to where the system is located; matching online filenames to a directory on a suspect’s hard drive is one
way of verifying digital evidence. At this stage, computer forensic investigators work in close collaboration
with criminal investigators, lawyers, and other qualified personnel to ensure a thorough understanding of the
nuances of the case, permissible investigative actions, and what types of information can serve as evidence.
5. Documenting and Reporting

In addition to fully documenting information related to hardware and software specs, computer forensic
investigators must keep an accurate record of all activity related to the investigation, including all methods
used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to
acquire, examine and assess evidence. Not only does this demonstrate how the integrity of user data has
been preserved, but it also ensures proper policies and procedures have been adhered to by all parties. As
the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an
investigator’s failure to accurately document his or her process could compromise the validity of that evidence
and ultimately, the case itself.
For computer forensic investigators, all actions related to a particular case should be accounted for in a digital
format and saved in properly designated archives. This helps ensure the authenticity of any findings by
allowing these cyber security experts to show exactly when, where, and how evidence was recovered. It also
allows experts to confirm the validity of evidence by matching the investigator’s digitally recorded
documentation to dates and times when this data was accessed by potential suspects via external sources.
Now more than ever, cyber security experts in this critical role are helping government and law enforcement
agencies, corporations and private entities improve their ability to investigate various types of online criminal
activity and face a growing array of cyber threats head-on. IT professionals who lead computer forensic
investigations are tasked with determining specific cyber security needs and effectively allocating resources
to address cyber threats and pursue perpetrators of said same. A master’s degree in information security and
assurance has numerous practical applications that can endow IT professionals with a strong grasp of
computer forensics and practices for upholding the chain of custody while documenting digital evidence.
Individuals with the talent and education to successfully manage computer forensic investigations may find
themselves in a highly advantageous position within a dynamic career field.
This is another substitute of Electronic Investigation

Outline:
What is electronic data discovery?
What types of electronic data are used during an investigation?
What happens during electronic data discovery investigations?

How do I know if I need an eDiscovery investigation?
What is electronic data discovery?

Electronic discovery (also known as e-Discovery or eDiscovery) is a type of investigation that locates digital
information with the intent of using it as evidence in litigation. In some ways, it is similar to many computer
forensic investigations where evidence is analyzed and reviewed using a document review platform.
Documents are reviewed as its native file, as a PDF, or in TIFF format after conversion. The platform provides
investigators with the ability to search through large amounts of electronically stored information, or ESI,
quickly and efficiently.
What types of electronic data are used during an investigation?

When practicing the process of electronic data discovery, any and all data types are analyzed and reviewed
for litigation purposes. To name a few:
• Email messages
• Software programs
• Plain text/images
• Web pages
• Word processing files
• Spreadsheets
• Meta data
• Databases
• Backup tapes
• Cache memory
• Hard drives
• CD-ROMs
• Thumb drives
• PDAs
• Firewall/IDS logs
• Phone call logs
• IM transmissions
Depending on the type of investigation, investigators may strive to recover lost files or information, trace
changes to electronic files, or determine whether any electronic files were involved in cyber
What happens during electronic data discovery investigations?

Electronic data discovery investigations generally begin when a business or individual contacts a private
investigator and expresses the concern that something is wrong with their electronic data. An investigator
may advise a client to take steps right away, such as gather all related data files or shut down a specific
computer. The investigator will visit the scene, speak with clients or others involved, and carefully examine
the computer system or the electronic files affected. Generally, investigations revolve around the contents of
the hard drive on a specific computer. Investigators create a digital copy of the hard drive and further
investigate using the copy rather than the original, which is secured and stored in its original condition.
Depending on the exact situation, an investigator may use surveillance, computer investigation, network
investigation, internet use investigation, data recovery techniques, special software, and other types of
techniques to gather evidence and resolve the problem.
How do I know if I need an eDiscovery investigation?

Unfortunately, the rate of cyber crime is rising and many companies are losing billions of dollars each year
to cyber criminals and fraud. In many cases, an electronic discovery investigation is the best way to protect
a company or to find evidence of wrongdoing that can lead to arrest or prosecution.
Signs that there may be something wrong with your electronic data:
• Unauthorized changes in some electronic files or data

• Employees acting suspiciously
• The computer systems seem slower or seem affected by hacking or a virus
• Your company is mysteriously losing money without any paper trail to account for it
In all of these situations, a qualified electronic discovery professional can help you. Even if you simply lose a
specific file or system, an eDiscovery specialist can help you recover files that have been lost or deleted.
INVESTIGATIVE INTERVIEWING
Outline:
Planning and preparation
• create and record the interview plan

• characteristics of the interviewee
• practical arrangements
• making a written interview plan.
Multiple interviewers
Engage and explain

Beginning the interview
Objectives of the interview
Routines and expectations
Account, clarification, challenge

Further information
Clarify and expand the interviewee’s account by:.
Questions
• open-ended
• specific-closed
• forced-choice
• multiple
• leading.
Closure
Evaluation
PEACE framework
PEACE model
There are five phases to the PEACE framework.
Planning and preparation
This is one of the most important phases in effective interviewing. The success of the interview and,
consequently, the investigation could depend on it.
A planning session that takes account of all the available information and identifies the key issues and
objectives is required, even where it is essential that an early interview takes place.
Interviewers should consider the following:
• create and record the interview plan

• characteristics of the interviewee
• practical arrangements
• making a written interview plan.
Interview plan
Planning and preparation gives the interviewer the opportunity to:
• review the investigation

• establish what material is already available
• decide on what the aims and objectives of the interview are.
Every interview must be prepared with the needs of the investigation in mind. How the material is obtained
during interview helps to establish the accuracy of the matter under investigation and should be considered
carefully.
The following questions may be helpful at this stage:
• who needs to be interviewed and in what order?

• why is a particular interviewee’s viewpoint so important?
• what information should now be obtained?
• should the interviewee be interviewed immediately or would it be more useful to wait until
more information has been obtained about the circumstances of the offence from other sources?
Interviewee
Individual characteristics should be taken into account when planning and preparing for an interview.
Although not an exhaustive list, these may include:
• age – knowing the interviewee’s age helps to determine the best time to undertake the interview
and whether an appropriate adult/interview supporter is required
• cultural background – this can affect the way a person prefers to be addressed, and may also
indicate the need for an interpreter
• religion or belief – eg, interviewers may need to take prayer requirements into account
• domestic circumstances – this can help to identify other people who may be useful to the
investigation, eg, family, associates or neighbours
• physical and mental health – knowledge of an existing medical condition and ensuring that
appropriate facilities are used
• disability
• previous contact with the police – this helps to determine factors such as the interviewee’s reaction,
and the interviewer’s safety
• gender – in certain types of crime, eg, sexual offences or domestic violence, it is important to
consider the gender of the interviewee. Potentially sensitive issues such as an interviewee’s sexual
orientation or gender assignment should be approached tactfully, if these matters become relevant
to the interview.
Practical arrangements
The interviewer may need to consider a number of activities and practical considerations which may help
them to understand the circumstances of the offence, and to achieve the best interview from the
interviewee.
These include:
• visiting the scene

• searching relevant premises
• location of the interview
• role of interviewers
• timings
• equipment
• exhibits and property
• knowledge of the offence.
Written interview plan

The interview plan summarises the aim(s) of an interview and provides framework for questioning. It can
increase the confidence of the interviewer and provide the flexibility to conduct a professional and effective
interview. A written interview plan should be used for key witnesses, as well as suspects. It should include:
• the time a suspect has been in custody (investigators should be aware of the detention clock and its
impact on the interview)
• the range of topics to be covered around identified time parameters (this may vary depending
on whether it is a witness or suspect interview)
• the points necessary to prove the potential offence(s) under investigation
• any points which may be a defence for committing the offence(s) under investigation
• introduction of exhibits
• material which suggests the suspect may have committed the offence
• identified information which may assist the investigation
• any other relevant points, eg, actus reus (guilty act), mens rea (guilty mind), intention, no valid
defence
• planning for a prepared statement, special warnings, adverse inference, significant comments or
silences.
Multiple interviewers
The plan should record who will be the lead interviewer, and who is responsible for note-taking. It is
important that interviewers understand their respective roles and maintain the role agreed. Two
interviewers asking multiple questions in an unstructured manner is unlikely to achieve the interview’s
objective.
Engage and explain

The first step to encouraging conversation is to engage the interviewee. This is not always easy, especially
if the person is previously unknown to the police.
Active listening assists the interviewer to establish and maintain a rapport. This then enables them to:
• identify topics during the interview and, therefore, manage the conversation
• communicate interest to the interviewee in their account
• identify important evidential information.
Factors such as the interviewee’s background and personal characteristics should be taken into account.
Beginning the interview
This is important and should be considered in the planning stage. The reason for the interview should also
be clearly explained, eg, the interviewer may say:
• ‘You are here because you have been arrested for (offence)’ or
• ‘You are here because you witnessed (offence/incident).’
The interviewer should then check the interviewee has understood the explanation.
Objectives of the interview
Before starting an interview, the objectives of the interview should be explained to the interviewee, and they
should be provided with an outline or route map of it.
For example, interviewers may say:
• ‘During this interview I will talk to you about (list objectives).’
Then go on to explain:
• ‘I will also ask you about anything else which may become relevant during the interview in order to
properly establish the facts and issues.’
Routines and expectations

It is good practice to explain to the interviewee that if they nod or shake their head the interviewer will state
that they have done so. It should also be explained that notes will be taken during the interview.
It may be useful to inform the interviewee that although the police wish to establish certain facts and issues,
it is the interviewee’s opportunity to explain their involvement or non-involvement in the incident under
investigation.
Investigators should encourage the interviewee to voice anything which they feel is relevant, explaining that
there is no time limit for the interview and that as much detail as possible is required, encouraging the
interviewee to voice anything which they feel is relevant.
The interviewee should be reassured that they will not be interrupted. It may be appropriate to ask the
interviewee to consider fully any question they are being asked before they answer.
Account, clarification, challenge

Obtaining an account consists of both initiating and supporting. In volume and priority crime investigations
the most common way of initiating an account is simply to use an open-ended prompt, such as, ‘tell me
what happened’.
Support an account with active listening
Further information
Obtaining the suspect’s account
This includes:
• non-verbal behaviour such as adopting an appropriate posture and orientation towards

the interviewee
• allowing the interviewee to pause so that they can search their memory, without interrupting
encouraging the interviewee to continue reporting their account until it is complete by using simple utterances such
as ‘mm mm’ and prompts, eg, ‘What happened next?’ or questions that reflect what the interviewee has said, such
as, ‘He hit you?’.
Clarify and expand the interviewee’s account by:
• breaking the account down into manageable topics

• systematically probing those topics by means of open-ended and specific-closed questions until as
full a picture as possible of the interviewee’s account has been obtained
• examining any information, identified during the planning phase, that has not already been covered.
Questions
These should be as short and simple as possible. They should not contain jargon or other language which
the interviewee may not understand.
Some types of questions are useful, helping the interviewer to extract information from the interviewee, eg,
open-ended. Others are not and may actually confuse the interviewee or prevent them from giving a full
and accurate account, eg, multiple questions.
Five key question types
• open-ended
• specific-closed
• forced-choice
• multiple
• leading.
Open-ended
For example, ‘Tell me’, ‘Describe’, ‘Explain’.
• are useful at the beginning of an interview as they allow for a full, unrestricted account
• produce answers which are less likely to have been influenced by the interviewer.
The interviewer should avoid interrupting the interviewee when asking open questions.
Specific-closed
For example, ‘Who did that?’ ‘What did he say?’ ‘Where does he live?’ ’When did this happen?’ This type of
question:
• gives the interviewer with more control

• can be used to elicit information that an interviewee has not yet provided in response to open-ended
questions
• may be used to clarify and extend an account that has been elicited through open-ended questions,
cover information important to the investigation that an interviewee has not already been mentioned,
or to challenge
• may have the potential disadvantage of restricting an interviewee’s account.
Forced-choice
For example, ‘Was the car an estate or a saloon?’ In this situation:
• interviewees might guess the answer by selecting one of the options given
• interviewees might simply say ‘yes’ in response to the question, leaving the interviewer to
guess which part of the question the response applies to, or needing to ask a follow-up question to
clarify it
• the choice of answer given to the interviewee might not contain the correct information, eg, ‘was it
dark blue or light blue’, when it could have been medium blue.
Multiple
For example, ‘Where did he come from, what did he look like and where did he go to?’ These questions
may also refer to multiple concepts, eg,’What did they look like’ and confusion might arise as a result of the:
• interviewee not knowing which part of the question to answer

• the interviewer not knowing which part of the question the answer refers to.
Leading
For example, ‘You saw the gun, didn’t you?’ implies the answer or assumes facts that are likely to be
disputed. They can also:
• be used to introduce information not already mentioned, eg, ‘What did he look like?’
• have an adverse influence on interviewee’s response
• distort the interviewee’s memory
The information obtained as a result of leading questions may be less credible and in extreme cases could
be ruled inadmissible. They should, therefore, be used only as a last resort.
Closure
This should be planned and structured so that the interview does not end abruptly.
Where there are two interviewers, the lead interviewer should check that the second interviewer has no
further questions before closing the interview.
The interviewer should accurately summarise what the interviewee has said, taking account of any
clarification that the interviewee wishes to make.
Any questions the interviewee asks should be dealt with.
The interviewer should then bring the interview to a conclusion by preparing a witness statement if
appropriate or, where the interviewee is a suspect, by announcing the date and time before turning the
recording equipment off.
They should then explain to the interviewee what will happen next.
Evaluation
Following an interview, the interviewer needs to evaluate what has been said with a view to:
• determining whether any further action is necessary

• determining how the interviewee’s account fits in with the rest of the investigation
• reflecting on the interviewer’s performance.
INTERROGATION
Outline:
Introduction
Prerequisites of an interrogation:
1. Suspect:
2. Victim:
3. Scene of crime:
4. Place of Interrogation:
5. Time of Interrogation:
Method of Interrogation
Interrogation of emotional offender:
Interrogation of non-emotional offender:
1. Question and Answer Method:
2. Narrative Method: Alibi:
3. Factual method:
4. Sweet and sour method:
5. Overheard conversation method:
6. Hypothetical situation:
7. Telling the story backward:
8. Bluff Method:
What is the difference between Interview and Interrogation?

Introduction
Interrogation is mostly applied to situations where suspects are questioned by police officers to unearth
information to come to a conclusion. Interrogation takes the shape of cross questioning and the role of the
person asking questions is different from the role of an interviewer. Often interrogation take place in a lopsided
condition where the interrogator looks like an aggressor and the suspect finds him in a desperate situation.
In the hands of a police officer, interrogation is a tool that he uses to unearth true information from suspects.
Officers have to learn how to make best use of this tool called interrogation to be able to secure true and
accurate information from culprits, suspects, victims, and witnesses. Interrogation is an art. You can master
it through your study and experience. A good investigator is not necessarily a good interrogator. To be a good
interrogator you need to be a good actor and must have an insight of human psychology. You should be able
to act according to age, profession and intellect of the individual suspect because a suspect could be a
lawyer, doctor, scientist, professor, manager or an unskilled laborer and, could be a child, teenager, adult
and senior.
Prerequisites of an interrogation:
Before conducting interrogation an interrogator should have the information about:
Suspect:
(i) Name, age, profession, occupation
(ii) Social and financial situation
(iii) Criminal history
(iv) Relation with the victim if any
Victim:
(i) Name, age, profession, occupation
(ii) Social and financial situation
(iii) Criminal history if any
Scene of crime:
(i) Time and place of occurrence
(ii) Modus operandi
(iii) Physical evidence collected
(iv) Information collected
Place of Interrogation:
(i) At the spot when a suspect is apprehended at the scene of crime
(ii) In an interrogation room where the interrogator has more psychological advantage.
Time of Interrogation:
(i) As soon as the suspect is apprehended and information collected
You should always remember that a suspect is innocent and not a criminal unless his guilt is proved in court.
Don't ever use third degree method.
Always maintain courtesy.
Be a good listener.
Control your anger because in anger you loose reasoning and the judgment made without reasoning is mostly
incorrect.
Never be in hurry to finish the interrogation.
Method of Interrogation
We can classify criminals into two major categories:
1) emotional offender
2) non-emotional offender
The purpose of classification is to vary your approach and methods during the interrogation of a suspect.
Interrogation of emotional offender:

Interrogation of an emotional offender is much easier than non-emotional offender.
1) An emotional offender is usually a first time offender and can be broken down easily when played with his
emotion, ie, love, hatred, anger, frustration etc.
i) By showing sympathy towards him.
ii) By telling him that anybody could do what he has done in the similar situation.
iii) Blaming the society for his action.
iv) Being friendly with him and offering him coke or cigarettes, which an offender never expects from a police
officer.
v) Observe his physical reaction to the crime related and non-related questions. When someone is lying he
will be under tension. The anti-diuretic bio-chemical substance released by his body leads to the dryness of
his mouth and lips. Again in tension he may be tapping his foot, playing with his fingers, looking blankly
somewhere else.
2) Emotional offender easily come clean when confronted by the evidence.
Interrogation of non-emotional offender:

Non-emotional offenders are hardened criminals. They are professional who have gained experience
committing series of crime and either subsequently have evaded the apprehension or served many jail terms.
They don't like to talk much or at all.
Question and Answer Method: This is a common form of interrogation where an interrogator ask several
questions to get the facts of a case. He develops his questions based on the fact of the case and the answers
given to him by the suspect.
Narrative Method: Let the suspect tell his side of story without interruption. Ask him to repeat it three or
four times. He will have to tell more and more lies just to cover up one lie. The more he lies, the more you
have a chance to detect untruthfulness of his story. Verify his story and re-interrogate him.
Alibi: Ask where he was and what he was doing at the time of occurrence of the crime. Verify his alibi and
re-interrogate him.
Factual method: The best way to interrogate a hardned and professional criminal is to confront him with
the physical and circumstantial evidence, which will eventually lead to his confession.
Sweet and sour method: Interrogation conducted by two different interrogators, one being soft spoken
and other being harsh towards the suspect could be fruitful in some case.
Overheard conversation method: Whenever there is more than one offender this method works well.
One suspect while being interrogated should be viewed but not heard by another suspect from outside of the
interrogation room. When his turn of interrogation starts, tell the offender that his associate has already
confessed about the crime and now it is his turn to confess.
Hypothetical situation: Ask a suspect that even he has not done it, how would he have done it in the
similar situation. May be some important clue could come out of this.
Telling the story backward: Sometimes you could ask a suspect his side of story backward. If he has
told you what he has done from yesterday 6AM to today 10PM, then let him start from today 10PM to
yesterday 6AM
Bluff Method: Interrogators have used this method for extracting truth from suspects.In this method an
interrogator tells a suspect that he has been seen by witness while committing crime or that his fingerprint,
footprint or physical evidence have been found at the scene of crime, so there is no choice but to tell the
truth. You may be successful extracting the fact in exceptional case but this is not the right method because
if the suspect is innocent, the situation is ridiculous.
There is no hard and fast rule as to what method you apply to extract the fact or the confession. It is upto you
and, your experience will guide you to interrogate various kind of suspects. But one should always keep in
mind that a confession even in writing is nothing more than a piece of paper unless it is supported or
corroborated by other independent physical or circumstantial evidence.
What is the difference between Interview and Interrogation?

• Both interview and interrogation are tools to obtain true and accurate information, but whereas interview
takes place in a cordial and non threatening atmosphere, interrogation takes place in a situation where the
interrogator looks like an aggressor and the suspect a victim
• Interrogation is a tool which is more of an emotional and psychological warfare between the interrogator
and the suspect
• What comes out of interrogation is confession while what comes out of an interview is true information
• There is often discussion in an interview but, in interrogation, there is always an attempt to get the
information
Website link for extra detail of topic

(https://www.app.college.police.uk/app-content/investigations/investigation-process/)
PRINCIPLES AND ETHICS OF INVESTIGATION

Introduction
The national strategic steering group on investigative interviewing and the professionalising investigation
programme support a quality approach to interviewing suspects, victims and witnesses. This, in turn,
generates a number of benefits.
The aim of all professional interviewers is to obtain a full and accurate account. To do this they must ask the
right questions.
The chances of obtaining a high-quality account are increased by the application of good investigative
interviewing techniques, underpinned by seven key principles.
These are designed to guide investigators on how to use the PEACE framework for investigative interviewing,
for interviewing in operational situations. They also help the investigator to comply with the legal issues, and
when working with legal advisers.
Benefits
The following benefits have been defined by the professional structure for investigative interviewing:
Public confidence – Professional interviews will provide high-quality material that enables the guilty to be
brought to justice and the innocent to be exonerated. This increases public confidence in the police service,
particularly with victims and witnesses of crime.
Consistent performance – Criminal investigation largely takes place away from the police station.
Interviews with victims and witnesses are conducted at scenes of crime, at witnesses’ homes, at their place
of work, in cars and in the street. The techniques of investigative interviewing will help investigators to achieve
results in even the most unpromising circumstances.
Support for victims and witnesses – Victims and witnesses may be upset, scared, embarrassed or
suspicious. Good investigative interview techniques will help to calm or reassure them so that they can
provide an accurate account.
Dealing with suspects – Interviews generally take place in a police station, but can be elsewhere, eg, a
prison. Do not assume that all suspects are going to lie, say nothing or provide a self-serving version of
events. Some may, but where suspects do admit guilt this will be due, in part, to the strength of material
gathered during the investigation.
Principle 1
The aim of investigative interviewing is to obtain accurate and reliable accounts from victims, witnesses or
suspects about matters under police investigation.
To be accurate, information should be as complete as possible without any omissions or distortion.
To be reliable, the information must have been given truthfully and be able to withstand further scrutiny, eg,
in court.
Accurate and reliable accounts ensure that the investigation can be taken further by opening up other lines
of enquiry and acting as a basis for questioning others.
Principle 2
Investigators must act fairly when questioning victims, witnesses or suspects. They must ensure that they
comply with all the provisions and duties under the Equality Act 2010 and the Human Rights Act 1998.
Acting fairly means that the investigator must not approach any interview with prejudice. The interviewer
should be prepared to believe the account that they are being given, but use common sense and judgement
rather than personal beliefs to assess the accuracy of what is being said.
People with clear or perceived vulnerabilities should be treated with particular care, and extra safeguards
should be put in place.
Principle 3
Investigative interviewing should be approached with an investigative mindset.
Accounts obtained from the person who is being interviewed should always be tested against what the
interviewer already knows or what can be reasonably established.
The main purpose of obtaining information in an interview is to further the enquiry by establishing facts. This
point highlights the importance of effective planning in line with the whole investigation.
Interviewers should think about what they want to achieve by interviewing the victim, witness or suspect, and
set objectives which will help to corroborate or disprove information already known.
Investigators should try to fill the gaps in the investigation by testing and corroborating the information by
other means where possible.
Principle 4
Investigators are free to ask a wide range of questions in an interview in order to obtain material which may
assist an investigation and provide sufficient evidence or information.
Conducting an investigative interview is not the same as proving an argument in court. This means that
interviewers are not bound by the same rules of evidence that lawyers must abide by.
Although the interviewer may ask a wide range of questions, the interviewing style must not be unfair or
oppressive. The interviewer should act in accordance with the Police and Criminal Evidence Act
1984(PACE) and the PACE codes of practice. See principle 2 for further information regarding equality and
human rights considerations.
In R v Fulling [1987] 2 ALLER 65, Lord Chief Justice Taylor stated that oppression is defined as:
the exercise of authority or power in a burdensome, harsh, or wrongful manner, or unjust or cruel treatment
of subjects or inferiors, or the imposition of unreasonable or unjust burdens in circumstances which would
almost always entail some impropriety on the part of the [interviewer].
Principle 5
Investigators should recognize the positive impact of an early admission in the context of the criminal justice
system.
Benefits of an early admission relate to the following areas:
Victim – has an opportunity to claim compensation in respect of an offence that has been admitted by the
defendant, detected, and acknowledged by the criminal justice system.
Court – has a fuller and more accurate picture of the offending and is able to sentence more appropriately.
There is the potential for savings too as offences can be dealt with promptly without additional court hearings.
Defendant – may receive credit for early admission of guilt. They may be eligible for a lesser sentence –
possibly allowing for tailored sentencing and access to rehabilitative programmes, and being able to ‘clear
the slate’ to avoid the risk of subsequent prosecution for other offences. See CPS guidance and Sentencing
Council Guidelines (2007) Reduction in Sentence for a Guilty Plea.
Police – gain valuable intelligence, increase detected offences rates, record a fuller picture of offending for
possible use in future cases or to support applications for anti-social behaviour orders, or other restrictive
orders.
Prosecution – has a fuller and more accurate picture of, for example, the offender’s criminal history when
considering the public interest test, bail decisions, bad character, level of danger, and what information to
give the court.
Resources – are used efficiently, and the public’s confidence in the criminal justice system is improved.
Principle 6
Investigators are not bound to accept the first answer given. Questioning is not unfair merely because it is
persistent.
An investigating officer has the duty to obtain accurate and reliable information. A complete and reliable
account from witnesses, victims and suspects may not always be easy to obtain.
There may be different reasons why an investigator needs to be persistent:
• they may have reasonable belief that the interviewee is not telling the truth
• they may believe further information could be provided.
Principle 7
This principle extends the right of an investigator to put questions to those they believe can help them to
establish the truth of a matter under investigation.
Suspects have the right to remain silent, but they are warned during the police caution or during special
cautions of possible adverse inferences being drawn should they choose to exercise that right.
STOP & FRISK, SEARCH & SEIZURE AND ARREST

What exactly is Reasonable Suspicion?
Reasonable suspicion is defined by a set of factual circumstances that would lead a reasonable police officer
to believe criminal activity is occurring. This is different from the probable cause (what a reasonable person
would believe) required for an arrest, search, and seizure. If the stop and frisk gives rise to probable cause
to believe the detainee has committed a crime, then the police officer should have the power to make a formal
arrest and conduct a search of the person.
What is a Stop?
What constitutes a stop and frisk? Can one be stopped and not frisked? Or does one action always follow
another? A stop is a seizure of a person. There are two types of stops: (1.) a show of force and (2.) a show
of authority. With a show of force, an officer must physically lay hands on the person with the intent of
detaining them. In a show of authority, the officer's look, demeanor, and display of authority persuades a
person to submit to authority. The key element in this type of stop is that the individual must submit to the
show of authority, believe they have been seized, and feel compelled to cooperate.
A Justified Stop
A stop is justified if the suspect is exhibiting any combination of the following behaviors:
Appears not to fit the time or place.
Matches the description on a "Wanted" flyer.
Acts strangely, or is emotional, angry, fearful, or intoxicated.
Loitering, or looking for something.
Running away or engaging in furtive movements.

Present in a crime scene area.
Present in a high-crime area (not sufficient by itself or with loitering).
What is a Justified Frisk?

A frisk is a type of search that requires a lawful stop. It involves contact or patting of the person's outer
clothing to detect if a concealed weapon is being carried. The frisk doesn't necessarily always follow a stop.
The law of frisk is based on the "experienced police officer" standard whereby an officer's experience makes
him more equipped to read into criminal behavior than the average layperson.
The purpose of a frisk is to dispel suspicions of danger to the officer and other persons. The frisk should only
be used to detect concealed weapons or contraband. If other evidence, such as a suspected drug container,
can be felt under the suspect's clothing, it can be seized by the officer. This is called the "plain feel" doctrine.
To pass the plain feel test, the item must have an immediately apparent character or quality of being
contraband or evidence.
A frisk is justified under the following circumstances:

Concern for the safety of the officer or of others.
Suspicion the suspect is armed and dangerous.
Suspicion the suspect is about to commit a crime where a weapon is commonly used.
Officer is alone and backup has not arrived.
Number of suspects and their physical size.
Behavior, emotional state, and/or look of suspects.
Suspect gave evasive answers during the initial stop.
Time of day and/or geographical surroundings (not sufficient by themselves to justify frisk).
Too much power?

Does the ability to stop and frisk go too far? Many police departments are at odds with the public in certain
neighborhoods concerning what some people deem unwarranted stops. People in high crime areas and in
areas with high minority populations often complain they are stopped and questioned at a disproportionately
higher rate than their counterparts in other areas of the city.
Even some patrol officers complain about an unwritten quota system that rewards officers with promotions
based on the number of stop and frisks they perform that uncover drugs or guns. While officers believe the
stop and frisk law is a useful crime fighting tool, they also feel the law can be overused in an effort to boost
statistics. Moreover, stop and frisk may reduce crime by scaring criminals into thinking they might be stopped
at any time, but it also scares law-abiding citizens. This further alienates good citizens and strains the
relationship between the police and the community.
When used correctly, the stop and frisk tool benefits the police and average citizens. Curbing crime and
ensuring the safety of our on-the-beat public servants, stop and frisk can help us all sleep a little more soundly
- a good step in the all-American pursuit of happiness.
Why is stop-and-frisk abuse a problem?

First, a police stop or search of someone without individualized suspicion of a crime violates the Fourth
Amendment guarantee of freedom from unreasonable searches and seizures. Second, when officers use
race or ethnicity as a proxy for suspicion, it violates people’s civil rights. Third, stop-and-frisk abuse
undermines public safety by sowing distrust of the police among community members.
An arrest is the act of depriving people of their liberty, usually in relation to an investigation or prevention of
a crime, and thus detaining the arrested person in a procedure as part of the criminal justice system.
When the police arrest someone, they take away that person's fundamental right to freedom. Consequently,
there are several procedures the police must follow before they can make a legal arrest so that our rights
remain protected. This article has some information about the general requirements police must meet before
making an arrest.
It should be noted that many states and police departments add extra procedures; sometimes, these
procedures are designed to protect police officers' physical safety, sometimes they are designed to help the
police officer document the arrest, and sometimes they are designed to help the officer avoid making a legal
mistake which could ruin the prosecution's case in a criminal trial. These extra procedures differ from one
police department to the next, so if you have questions about these, it's best to contact your local police.
When may an officer arrest someone?

There are only a very limited number of circumstances in which an officer may make an arrest:
The officer personally observed a crime;
The officer has probable cause to believe that person arrested committed a crime;
The officer has an arrest warrant issued by a judge.
An officer cannot arrest someone just because she feels like it or has a vague hunch that someone might be
a criminal. Police officers have to be able to justify their arrest usually by showing some tangible evidence
that led them to probable cause.
Police Arrest Procedures

The rules regarding what an officer must do while making an arrest vary by jurisdiction. Generally, an arrest
happens when the person being arrested reasonably believes that she is not free to leave. The officer need
not use handcuffs, or place the arrestee in a police cruiser, although police often use these tactics to protect
themselves. Police also do not have to read Miranda Rights at the time of arrest.
However, the police must read a suspect his Miranda Rights before an interrogation, so many police
departments recommend that Miranda Rights be read at the time of arrest. This way, they can start
questioning right away, and also, any information volunteered by a suspect can be used against them. Finally,
although police will almost always tell an arrestee why they are under arrest, they may not necessarily have
any legal obligation to do so. This depends on both the jurisdiction and the circumstances of the arrest.
One universal rule police officers must follow is that they are not allowed to use excessive force or treat the
arrestee cruelly. Generally, police officers are only allowed to use the minimum amount of force necessary
to protect themselves and bring the suspect into police custody. This is why people are advised to never
resist an arrest or argue with police. The more a suspect struggles, the more force is required for the police
to do their job. If the arrestee thinks the arrest is unjustified or incorrect, she can always challenge it later with
the help of an attorney, and if warranted, bring a civil rights case.
Arrest Procedure in Pakistan

Arrest Definition and Meanings
Chapter 5 of Criminal Procedure Code is defines the arrest. Sections 46 to 67 are about the arrest and how
it is made.
First of all we have to define what is arrest? Arrest is not defined in Cr.P.C but we can define it as, “A persona
can be said to be arrested when he is actually touched or confined by police officer or other person in
accordance with law provided”.
Procedure of Arrest/How to made arrest

Under section 46 of Criminal Procedure Code, “in making the arrest police officer or any other person making
the arrest shall actually touch or confine the body of persona to be arrested unless there be submission to
the custody by words or action”.
Essentials of Arrest
A police officer or an other person authorized by law can arrest
Actual touch and confine
Submission to the custody by words or actions
When there is resistance to arrest

The police officer or any other person authorized to arrest may use all means necessary to effect the arrest
if;
Such persona forcibly resists the Endeavour to arrest
Attempt of evade arrest
But he cannot cause death of such persona during arrest (except in case when person accused of an offence
punishable with death or imprisonment of life).
Search for arrest

Search of place entered by person sought to be arrested
Procedure where ingress not obtainable
When there are chances that accused will escape, police officer can break open any door or window of house
Notice to ladies of house in case of ladies in house is necessary
Power to break open doors and windows for purpose of liberation
No unnecessary restraint to prevent this escape
Search of arrested person
Mode of searching women
Power to seize offensive weapons
Search and Seizure is a procedure used in many civil law and common law legal systems by which police
or other authorities and their agents, who suspect that a crime has been committed, do a search of a person's
property and confiscate any relevant evidence to the crime.
Some countries have provisions in their constitutions that provide the public with the right to be free from
"unreasonable" search and seizure. This right is generally based on the premise that everyone is entitled to
a reasonable right to privacy.
Search and Seizure and the Fourth Amendment

The Fourth Amendment to the U.S. Constitution protects personal privacy, and every citizen's right to be free
from unreasonable government intrusion into their persons, homes, businesses, and property -- whether
through police stops of citizens on the street, arrests, or searches of homes and businesses.
Lawmakers and the courts have put in place legal safeguards to ensure that law enforcement officers interfere
with individuals' Fourth Amendment rights only under limited circumstances, and through specific methods.
What Does the Fourth Amendment Protect?

In the criminal law realm, Fourth Amendment "search and seizure" protections extend to:
A law enforcement officer's physical apprehension or "seizure" of a person, by way of a stop or arrest; and
Police searches of places and items in which an individual has a legitimate expectation of privacy -- his or
her person, clothing, purse, luggage, vehicle, house, apartment, hotel room, and place of business, to name
a few examples.
The Fourth Amendment provides safeguards to individuals during searches and detentions, and prevents
unlawfully seized items from being used as evidence in criminal cases. The degree of protection available in
a particular case depends on the nature of the detention or arrest, the characteristics of the place searched,
and the circumstances under which the search takes place.
When Does the Fourth Amendment Apply?

The legal standards derived from the Fourth Amendment provide constitutional protection to individuals in
the following situations, among others:
An individual is stopped for police questioning while walking down the street.
An individual is pulled over for a minor traffic infraction, and the police officer searches the vehicle's trunk.
An individual is arrested.
Police officers enter an individual's house to place him or her under arrest.
Police officers enter an individual's apartment to search for evidence of crime.
Police officers enter a corporation's place of business to search for evidence of crime.
Police officers confiscate an individual's vehicle or personal property and place it under police control.
Potential scenarios implicating the Fourth Amendment, and law enforcement's legal obligation to protect
Fourth Amendment rights in those scenarios, are too numerous to cover here. However, in most instances a
police officer may not search or seize an individual or his or her property unless the officer has:
A valid search warrant;

A valid arrest warrant; or
A belief rising to the level of "probable cause" that an individual has committed a crime.
What if My Fourth Amendment Rights Are Violated?

When law enforcement officers violate an individual's constitutional rights under the Fourth Amendment, and
a search or seizure is deemed unlawful, any evidence derived from that search or seizure will almost certainly
be kept out of any criminal case against the person whose rights were violated. For example:
An arrest is found to violate the Fourth Amendment because it was not supported by probable cause or a
valid warrant. Any evidence obtained through that unlawful arrest, such as a confession, will be kept out of
the case.
A police search of a home is conducted in violation of the homeowner's Fourth Amendment rights, because
no search warrant was issued and no special circumstances justified the search. Any evidence obtained as
a result of that search cannot be used against the homeowner in a criminal case.
What is a search warrant?(Additional Topics)

A judge issues a search warrant to authorize law enforcement officers to search a particular location and
seize specific items. To obtain a search warrant, police must show probable cause that a crime was
committed and that items connected to the crime are likely to be found in the place specified by the warrant.
What constitutes a valid search warrant?
A valid search warrant must meet four requirements: (1) the warrant must be filed in good faith by a law
enforcement officer;
(2) the warrant must be based on reliable information showing probable cause to search;
(3) the warrant must be issued by a neutral and detached magistrate;

(4) the warrant must state specifically the place to be searched and the items to be seized.
Where can police search and what can they seize under a warrant?
Police may only search the particular area and seize the specific items called for in the search warrant. Police
may search outside the scope of the warrant only if they are protecting their safety or the safety of others, or
if they are acting to prevent the destruction of evidence. Police may seize objects not specified in the warrant
only if they are in plain view during the course of the search.
Can police conduct a search without a search warrant?
Yes. Under some circumstances, police are authorized to conduct a search without first obtaining a search
warrant. Common exceptions to the warrant requirement include:
Consent. Police may conduct a search without a search warrant if they obtain consent. Consent must be
freely and voluntarily given by a person with a reasonable expectation of privacy in the area or property to be
searched.
Plain View. An officer may seize evidence without a warrant if an officer is on the premises lawfully and the
evidence is found in plain view.
Search incident to arrest. While conducting a lawful arrest, an officer may search an individual's person and
their immediate surroundings for weapons or other items that may harm the officer. If a person is arrested in
or near a vehicle, the officer has the right to search the passenger compartment of that vehicle.
Exigent Circumstances. Police are not required to obtain a search warrant if they reasonably believe that
evidence may be destroyed or others may be placed in danger in the time it would take to secure the warrant.
Automobile Exception. An officer may search a vehicle if they have a reasonable belief that contraband is
contained inside the vehicle.
Hot Pursuit. Police may enter a private dwelling if they are in "hot pursuit" of a fleeing criminal. Once inside
a dwelling, police may search the entire area without first obtaining a search warrant.
Is it lawful for an officer to pat me down without a warrant?
A police officer may stop an individual to conduct a field interview if the officer has reasonable suspicion that
criminal activity has been, is being or is about to be committed. During the field interview, the officer may
conduct a pat-down search of the outer garments for weapons if the officer has a reasonable fear for his or
her own safety as well as that of others.
What recourse do I have if a search was conducted unlawfully?
If evidence is obtained without a valid search warrant, and no exception to the warrant requirement applies,
the evidence may be subject to the exclusionary rule. The exclusionary rule prevents illegally obtained
evidence from being admitted in a court of law. Evidence gathered on the basis of illegally obtained evidence
(known as "fruit of the poisonous tree") will also be excluded.
CRIMINAL PROFILING/CRIMINAL INVESTIGATION ANALYSIS
Outline:
Introduction
The Process
1. Profiling inputs
2. Decision processing
3. Crime assessment
4. The offender profile
5. Investigative use
6. Flaws
Introduction
Criminal profiling is an important part of a criminal psychology. This part of an article will partially answer
questions about what criminal profiling is, what it is used for, what is aim of it, in which cases it is mostly used,
what are it’s types and what kind of approaches it has.
In short, Criminal profiling (also known as offender profiling and specific profile analysis) is to create a
psychological and not only psychological portrait, determine location of the offenders by gathering their
personal attributes from crime scene behavior in order to assist in detection of them.
Criminal profiling is typically used when offender’s identity is unknown and with serious criminal offences
such as murder, sexual assault. Profilers also work on crime series, where is considered, that the crime is
committed by the same offender.
What creates an offender profile is not clearly agreed, but the process of profiling draws both, physical and
nonphysical information. This includes the layout of the crime scene in terms of disposition of the victim and
the presence or absence of significant items, evidence on what was done to the victim and the sequence of
events,and the perpetrator’s behavior before and after the crime. From these data, inferences are drawn
about the possible meaning and motivation of particular acts. For example, tying up a victim may mean a
necessity for control, while stabbing the victim before sexual intercourse may mean a need for arousal from
pain or blood. Characteristics of the victim, location of the crime, use of a vehicle, and relation to previous
crimes may also suggest social and demographic features of the offender, such as race, age or occupation.
The goal is to narrow the field of investigation, basic assumptions are, that an offender’s behavior at the crime
scene reflects consistencies in personality and method of committing crime (Holmes, 1989). In the majority
of cases Criminal profiling is used in serial crimes and sexual assaults and 90% of profiling attempts involve
murder or rape. Holmes suggests, that profiling is most useful when the crime scene reflects
psychopathology, such as sadistic assaults, rapes or satanic and cut killings. However, there have been
cases of it’s use in arson, obscene telephone calls and bank robbery.
There are two main directions of Criminal profiling: The profiling of an criminal’s personal
characteristics and geographical profiling. Most commonly, the first one is what people most commonly
associate with criminal profiling.
A geographical profiler could be asked to identify the location of an offender’s home, an offender profiler
might be asked to construct profile of an unknown offender based on his/hers behavior at the crime scene.
A profiler may also be asked to advise police about which particular suspect should be interviewed and how.
In addition to it, Ainsworth has identified four main approaches to criminal profiling, these are:
The geographical approach – this looks at patterns in the location and timing of offences to make
judgements about links between crimes and suggestions about where offenders live and work.
Investigative psychology – this grew out of geographical profiling and uses established psychological
theories and methods of analysis to predict offender characteristics from offending behavior.
The typological approach – this involves looking at the characteristics of crime scenes to assign
offenders to different categories, each category of offender having different typical characteristics.
The clinical approach – this approach uses insights from psychiatry and clinical psychology to aid
investigation where an offender is thought to be suffering from a mental illness of other psychological
abnormality.
The Process
The basic assumptions
When profiling characteristics of a person, a offender profiler assumes, that the offender’s behavior is directed
by the way he/she thinks and his/her characteristics. Although, “how they think how they behave” principle
is not flawless, because sometimes an offender’s behavior may be affected by involvement of another person,
such as victim or witness and in result a drawing of an his/her characteristics becomes more complicated. It
is the job of a criminal profiler to infiltrate a behavior that is indicative of a person rather than of the situation.
The process of criminal profiling can be divided into five stages:

• Profiling inputs
• Decision processing
• Crime assessment
• The offender profile
• Investigative use
1. Profiling inputs
This step involves gathering all the information about the crime. This may be any kind of information that
would help understand what happened, how it happened and why. On this stage gathering of background
information about the victim such as his/her employment, activities, friends, habits, social status, criminal
history is also very important.
2. Decision processing
During this step, all the information gathered in the first stage is being organized in order classify the crime
by type and style. A correct classification will assist profiler in determining the direction of investigation.
For the purposes of this step the answer to relevant questions about the crime will help. These may be:
• Where did the action take place?

• Why would a person commit the crime, what would his primary motive be?
• Why offender might have chosen the specific victim?
• What did he/she do in order to reduce the risk of detection, does the offender seem to be amateur or
professional, or at least how intelligent he/she may be?
The FBI has developed its own manual of classification and they have a checklist of symptoms and by
accumulation of their presence the offender will be assigned to a specific classification.
The more specific classification a criminal act falls in the better. For example, a murder can be divided into
many types of classification, such as:
• Constant murder (third party)

• Gang-motivated murder
• Kidnap murder
• Drug murder
• Insurance related murder with sub-classifications of individual profit and commercial profit
• Personal cause homicide with sub-classifications such as domestic homicide, argument/conflict murder,
revenge, nonspecific motive murder, extremist homicide, mercy/hero homicide.
• Sexual homicide, which can also be classified as organized, disorganized, mixed, sadistic, elder female
sexual homicide.
3. Crime assessment
After summarizing all the information gathered in previous steps, the crime assessment is made. The primary
aim of this stage is reconstructing a sequence of events that took place before, during and after committing
a crime and determine the behavior of both, victim and offender.
4. The offender profile

This stage focuses on hypothesizing about the type of a person who committed an offence. The created
profile will include information, which describes offender. In some examples this information will include age,
sex, location, social status, intelligence, physiological characteristics, etc.
5. The investigative use

There are two main ways in which an offender profile can help in investigation. Firstly, criminal profilers make
a report for investigators so that they will concentrate their efforts on finding an offender, that matches
characteristics in the profile and secondly it will be used for planning an interview process of suspects.
It is worth admitting also, that the profile may change during the investigative use.
Flaws:
The use of offender profiling is controversial. Many people don’t believe in it, because it is not an exact
science. One of the flaws of offender profiling is “Stereotyping.” this occurs in a case, when profiler starts
believing something about a person based on small number of characteristics. Many unsuccessful profiles
are created if they are based solely on Stereotyping.

International Law Notes

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

International Law Notes

Uploaded by

Copyright:

Available Formats

Section 3 Criminology

What is the criminal investigation process?

Arrest: The suspect is apprehended.

3. Electronic discovery (eDiscovery)

PRINCIPLES OF CRIMINAL INVESTIGATION

Gauging the Value of Evidence

CRIME SCENE INVESTIGATION CONDUCTION

INTELLIGENCE AND INTELLIGECE OPERATIONS

1. Planning and direction –

What are the 5 steps of the Intelligence cycle?

What is a forensic investigation?

Types of Forensic Investigation:

What is forensic evidence?

What is a forensic investigation?

Types of Forensic Investigation:

1. Forensic Accounting / Auditing

2. Forensic Computer or Cyber Forensics

3. Crime Scene Forensics

10. Forensic Science

11. Forensic Toxicology

What is forensic evidence?

Investigative Tools and Equipment

5. Documenting and Reporting

This is another substitute of Electronic Investigation

What is electronic data discovery?

What types of electronic data are used during an investigation?

What happens during electronic data discovery investigations?

What is electronic data discovery?

What types of electronic data are used during an investigation?

What happens during electronic data discovery investigations?

How do I know if I need an eDiscovery investigation?

• Unauthorized changes in some electronic files or data

Planning and preparation

• create and record the interview plan

Engage and explain

Account, clarification, challenge

• create and record the interview plan

• review the investigation

• who needs to be interviewed and in what order?

• visiting the scene

Written interview plan

Engage and explain

• ‘During this interview I will talk to you about (list objectives).’

Routines and expectations

Account, clarification, challenge

• non-verbal behaviour such as adopting an appropriate posture and orientation towards

Clarify and expand the interviewee’s account by:

• breaking the account down into manageable topics

• gives the interviewer with more control

• interviewee not knowing which part of the question to answer

• determining whether any further action is necessary

What is the difference between Interview and Interrogation?

(iii) Criminal history

(iv) Relation with the victim if any

(ii) Social and financial situation

(iii) Criminal history if any

(ii) Modus operandi

(iii) Physical evidence collected

(iv) Information collected

Don't ever use third degree method.

Always maintain courtesy.

Never be in hurry to finish the interrogation.

Interrogation of emotional offender: