Table of Contents
Appendix I: Questions That Every Cyber Investigator Should Ask Before, During, and After an Investigation (page 1)
Overview (page 1)
Review of Search Warrant or Consent (page 1)
Preparation (page 2)
Where Is Seized Equipment Stored? Heat, Humidity, CMOS Battery Life, or PDA—Keep Devices Charged (page 2)
Fingerprinting: Must Tie the Evidence to a Person; Do Forensics First, Then Fingerprints (page 2)
Seize All Peripherals: Smart Keyboards and Other Devices May Have Fingerprints (page 3)
Look for Media in the Area of the Computer, Passwords, ISP Info (page 3)
Photograph Scene, Computer, Monitor, Screen; Work with Digital Photos to Make Sure You Have "Evidence Grade" Pictures (page 3)
If Off, Leave Off. If On, Pull Plug (page 4)
Questions That Every Cyber Investigator Should Ask Before, During, and After an Investigation (page 4)
At the Scene (page 5)
Upon Transport (page 5)
Appendix I: Questions That Every Cyber Investigator Should Ask Before, During, and After an Investigation
Overview
This appendix follows the Best Practice for the Seizure of Electronic Evidence as set forth by the National High Tech Crime Unit and published by the Association of Chief Police Officers.
In a preliminary stage that should precede the "Discovery of Computer or Digital Equipment to be Seized," several items need to be determined before launching the investigation. These preliminary steps should include:
1. What is the role in this case of the computer that will become evidence?
4. Because the lead investigator of a case is often not the individual who actually performs the forensic analysis of the computer, what is it that the investigator is looking for?
5. What evidence is being sought? Apart from simple cases of possession of child pornography, where an investigator can easily find evidence with today's tools, the forensic analyst must have a thorough understanding of what the lead investigator is seeking.
A good interview of the suspect is probably the most important part of the investigation besides the actual analysis of the electronic evidence. Computer crime investigators have indicated that this is an important fact-finding opportunity if you have a cooperative suspect.
This interview, coupled with a thorough background check, can give you insight into the technical skills of your suspect. By using a variety of interview techniques, a skilled investigator may get a suspect to reveal passwords, tips about unusual system configurations, and the potential for unusual circumstances like logic bombs or booby traps.
2. Are you sure that the person giving consent is authorized to do so?
3. Is the computer that you are going to analyze the computer that you think it is?
5. Determine the situation that will be encountered at the scene. Is the computer that is to be seized at the incarcerated suspect's apartment, where no one else lives, or is it a workstation in a business?
Preparation
Do not plan to image a desktop computer and show up to find a server farm. Again, proper preliminary investigation will prevent this. Make sure you have the proper tools in order, that policies are followed, that investigative tools are checked and validated, and that proper crime scene processing equipment is available (camera, gloves, paper bags, anti-static bags, logs, labels).
Another important consideration is the availability of expert advice. It is doubtful that most agencies have an efficient communication system set up with contact people for unusual situations. The time to set up those lines of communication is not in the midst of a raid or an emergency.
Most municipal police departments do not have the expertise on staff to handle computer crime. They rely on county or state police agencies or regional task forces, and those resources are often thin as well. The depth of available computer expertise for some law enforcement agencies is only one layer deep.
1. Where will numerous computer hardware units be stored and how can they be safely transported? Many local police departments have limited space for evidence, and that space is not always conducive to housing electronic equipment long term.
Fingerprinting can severely damage a computer and should be done after the computer forensic analysis is completed. But the same protections used on other crime scene items should be afforded to computer crime scenes.
Reprinted for isaca537453, ISACA CRC Press, Taylor & Francis Group, LLC (c) 2008, Copying Prohibited
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition 3
Technology keeps changing and investigators must keep up on new devices and trends. A popular computer enthusiast magazine recently demonstrated how some USB keyboards can be modified to fit a USB hub inside. With the addition of high-capacity USB thumb drives, the modified keyboard could conceal several gigabytes of storage.
Other things to consider are manuals and documentation for the computer, software disks, software manuals, and retail software boxes. If you cannot seize those items, make sure they are documented in your crime scene report. This becomes important when dealing with a suspect who uses proprietary software (like some accounting systems) or evidence-cleansing programs. The fact that a particular piece of software was at the scene may save your computer forensic analyst a few hours of trying to figure out what those unusual files are or why usual files are not there.
Other considerations include how the computer is connected to the outside world.
4. Could your suspect be technically advanced enough to use hidden networked storage devices, control a remote system, or use iPods or Xboxes as storage devices?
The e-crime scene will be secured against unauthorized access, it will be photographed, every procedure will be documented, and a diagram of the setup will be made.
The cables will be labeled to record how they were connected. Be sure to photograph the computer screen, making sure that the time is displayed and that any visibly identifiable running programs are captured. Note any difference between the time displayed on the computer and the actual time.
Digital photos are suggested because they make it easy to review the quality of the pictures on the spot; some of the necessary angles may be close-up shots or suffer from reflections off the monitor.
Also, treat the chain of custody of these items the same as you would for other evidence. That may be stating the obvious, but it is better to be safe and sure than sorry after the fact.
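The two habits above (noting the seized machine's clock offset, and treating each photograph as evidence with its own chain of custody) are easy to get wrong from memory at a scene. The following added example, which is not part of the field manual or its author's material, shows how an examiner can record the offset, use it later to turn timestamps read from the seized system back into real time, and hash each photograph into a custody log that anyone can re-verify. All times, item identifiers and photograph bytes are constructed for the example.

```python
# Added example, not from the field manual: record the clock offset observed
# when the screen was photographed, normalize timestamps taken from the seized
# system, and hash each evidence photograph into a chain-of-custody log.
# Every value below (times, item ids, photo bytes) is constructed.
import hashlib
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse_time(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2008-03-01T14:07:00+00:00'."""
    return datetime.fromisoformat(iso)


def clock_offset(displayed: datetime, reference: datetime) -> timedelta:
    """Offset of the seized system's clock relative to a trusted reference
    (for example a GPS- or NTP-synchronized watch). A positive result means
    the seized clock was running ahead of real time."""
    return displayed - reference


def normalize_timestamp(system_time: datetime, offset: timedelta) -> datetime:
    """Convert a timestamp read from the seized system (file mtime, log line)
    into real time by removing the offset documented at the scene."""
    return system_time - offset


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_entry(item_id: str, description: str, data: bytes,
                  collected_by: str, collected_at: datetime) -> dict:
    """One chain-of-custody record: who collected what, when, plus the hash
    that lets a later reviewer prove the item was not altered."""
    return {
        "item_id": item_id,
        "description": description,
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
        "collected_by": collected_by,
        "collected_at": collected_at.isoformat(),
    }


def verify_entry(entry: dict, data: bytes) -> bool:
    """Re-hash the item and compare it against the log entry. A change to a
    single byte of the photograph breaks the chain."""
    return len(data) == entry["size_bytes"] and sha256_hex(data) == entry["sha256"]


if __name__ == "__main__":
    # Constructed scene observations: the photographed screen showed 14:07
    # while the investigator's reference clock read 14:02.
    displayed = parse_time("2008-03-01T14:07:00+00:00")
    reference = parse_time("2008-03-01T14:02:00+00:00")
    offset = clock_offset(displayed, reference)
    print("seized clock offset:", offset)

    # A file modification time read later from the image is corrected the same way.
    mtime = parse_time("2008-02-28T23:10:00+00:00")
    print("real modification time:", normalize_timestamp(mtime, offset))

    # Constructed bytes stand in for the real JPEG file.
    photo = b"constructed-bytes-of-rear-panel-photo.jpg"
    entry = custody_entry("PHOTO-003", "rear of tower, cable labels visible",
                          photo, "Det. Example", reference)
    print(entry)
    print("intact:", verify_entry(entry, photo))
    print("tampered:", verify_entry(entry, photo + b"x"))
```

The offset is stored once, at the scene, and applied to every timestamp pulled from the seized system afterwards; keeping the raw system time and the documented offset separate in the report is what lets a reviewer check the arithmetic.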
3. Did he or she reveal anything about his or her setup that may help my investigation?
4. Based on his or her background and interview, do I have to be concerned with booby traps?
6. Is the computer networked, and if so, could he or she be using unusual devices to store data?
7. If the computer is in a work environment, is there someone there who will be in a position to assist me?
9. Is the consent valid and does everything check out (computer ownership can be validated, the person giving consent is who they claim to be, and they have the right to give consent)?
11. Do I have MOUs (Memoranda of Understanding) with agencies that can assist me?
12. Have I prepared for physically transporting any evidence collected at the scene, and do I have the ability to maintain secured storage of that evidence?
13. If I am doing an onsite image, have I properly prepared my tools (performed checks and validations)? Do I have "clean" media to image to? Am I prepared for things like using different adapters? Do I have items such as anti-static bags or other appropriate storage materials?
14. Does my investigation follow my department's policy for computer forensic investigations?
15. Does my investigation follow good forensic methodologies that are widely accepted, and will it stand up to judicial review?
At the Scene …
1. Did I take photographs of the scene, both general shots of the layout and specific shots such as how the peripherals are hooked up to the back of the computer, and the screen, including the time and any visibly identifiable programs running?
2. Did I document who was on scene and anyone else who had access to the computer?
5. Did I search for and document other items of interest in the area, such as the actual time, program manuals, program disks, and potential passwords?
6. Will I need to take extra care to preserve fingerprint or other trace evidence?
7. Will I need to take just the CPU, or does the case dictate that the monitor, keyboard, printer, and other equipment be seized as well?
Upon Transport …
1. If I have a large number of CPUs or rack-mounted equipment, where will these items be stored and how will they be securely transported?
This appendix was prepared for this text by Brian O'Neil, president of Confidential Computers, 857 Carriage Hills Drive, St. Peters, MO 63304, (314) 210-4400, Brianoneil@charter.net, brian@confidentialcomputers.com, used with permission.