Computer Forensics and Cyber Crime, 2nd ed. Britz
© 2009 Pearson Education, Upper Saddle River, NJ 07458. All Rights Reserved.
Chapter 11
• Computer crime investigators play multiple roles (i.e. case supervisors, investigators, crime scene technicians, & forensic scientists)
• Digital evidence is both volatile and voluminous (susceptible to climatic, environmental, AND human error)
• Requires analysis of the whole – not samples
• Extremely expensive
• Litigious minefield
• Easy to camouflage and difficult to find
• Increasing sophistication of criminals – encryption, steganography, self-destructive programs, etc.
• Technology is outpacing LE training
• Creation of Forensic Laboratory
• Warrant preparation
• Intelligence gathering
• Assembling an execution team
• Planning the search
• Assigning responsibilities
• Investigation & Pre-Search Activities
  - Surveillance & intelligence gathering
  - Warrant preparation & application
  - Assembling an execution team
  - Planning the search
  - Assigning responsibilities
• On-Scene Processing
  - Executing the warrant
  - Securing the scene
  - Evidence collection & preservation
  - Transportation of evidence
• Analysis & Presentation
• Rely on traditional methods to gather information & prepare for scene arrival
• Factors to consider:
  - Location, size, type, & number of computers at scene
  - Potential danger to personnel & volatility of evidence
  - Need for judicial authority of call
  - Need for expertise or non-departmental experts
• Social engineering
• Dumpster diving
• Four Corners rule – must stay within parameters
  - Include as much as the judicial climate will allow, yet be specific
  - Should be reviewed by computer experts & legal counsel prior to application
• Probable Cause – Three Elements
  - Probable cause that a crime has been committed
  - Probable cause that evidence of a crime exists
  - Probable cause that extant evidence resides in a particular location
  - Scope will be based on rationale
• Seizing Equipment
  - Must also justify the seizure (not just the search) of equipment
  - Highly recommended that investigators request explicit permission to seize all hardware and storage devices that are constitutionally justifiable
  - Criminal contraband, fruits of the crime, & those items criminally possessed may be seized without probable cause
• No-Knock Warrants
  - Nature of the offense
  - Potential for evidence destruction
  - Sophistication and maturity of the target
  - Absence of the resident
• Secondary/Multiple Warrants
  - May need a second warrant for contents of the computer
  - Quite common
  - Multiple warrants necessary in networked computers
  - Recommendation – have a magistrate standing by
• MUST BE SPECIFIC!!!
• On-Scene Personnel – investigators may play multiple roles
  - Case Supervisor
  - Arrest Team
  - Scene Security Team
  - Interview & Interrogation Team
  - Sketch and Photo Team
  - Physical Search Team
  - Seizure Team
• Evidence tape
• Packing tape
• Evidence storage containers & labels
• Miscellaneous writing & labeling materials
• Sanitary materials
• Flashlight
• Extra batteries
• List of contacts
• Mobile carts or evidence transport units
• Wireless communications
• Photographic equipment
• Nonmagnetic screwdrivers & hex wrenches
• Small diagonal cutters
• Hammer or nail puller
• Multiple boot disks
• Backup hardware and miscellaneous computer peripherals
• Anti-virus software
• Imaging software
• Application software
• Forensic software
• Extra media
• Extra cables, serial port connectors, and gender changers
• Extension cords and/or power strips
• Surge protectors and/or UPS
• Open purchase order
Knock, Notice, and Document
Securing the Crime Scene
Determining Need for Additional Assistance
• Date, time, and description of computer, including physical damage
• Identifying information of all personnel
• Identifying information of all present (i.e. witnesses and suspects)
• All investigative clues uncovered and developing leads
• Investigative software used
• Chronology of all actions taken
• Type and status of network connection
• Verification of network connection
• Status of computer
• Computer activity
• Computer desktop
• System date/time
• Tree structure (if relevant and possible)
• Image verification
• Chain of custody
• Identification of all material or equipment seized
• Don’t overlook non-digital evidence!!
• Trace evidence may be important to put suspect at the scene (hair, fiber, fingerprints, etc.)
• Other non-computer evidence
  - Circumstantial connections (post-it notes, computer printouts, even type of paper)
  - Ex. Software counterfeiting – labels, DVD burners, packaging, etc.
  - Evidence of passwords around the computer
• Digital evidence
  - Located on hard disks, computer peripherals, and external storage devices
• Desktops
• Monitors
• Keyboards
• Telephones
• Wallets/purses
• Clothing
• Trash cans and recycle bins
• Printers
• Inside the computer itself
• Photograph & Sketch before any seizure
• Computers which cannot be seized or removed from the scene:
  - Imaging & Verification
• Seizing computers
  - Prior to powering off – status of the computer should be documented by photos, sketches, and notes
  - This should include the back of the computer and connections
  - Once powered off – evidence tape should be placed over all disk openings
  - Labeling of cords & empty slots
• Document, document, document
  - Chain of custody log
  - Label (at a minimum: investigator’s initials, date found, and location of evidence)
• Factors to consider in packaging & transport
  - Temperature
  - Dust
  - Magnetic fields
  - Corrosive elements
  - Static electricity
• At Lab
  - Maintenance of chain of custody
  - All components stored together
• Unique problems with computer-related evidence
• Steps in a traditional investigation should be incorporated with those unique to computer-related investigations
• Warrants should be specific & based on probable cause
• Documentation is essential