Computer Forensics and Cyber Crime - Chapter 11
40 Questions

Questions and Answers

What is a necessary requirement for applying for a search warrant?

  • A prior conviction of the suspect
  • Probable cause indicating a crime has been committed (correct)
  • A confession from the suspect
  • Witness testimonies of the crime

What is one reason that justifies a no-knock warrant?

  • The target is of low sophistication
  • The evidence is likely to be destroyed (correct)
  • No prior offenses by the suspect
  • The resident is present at the location

Which activity is considered a pre-search activity for gathering potential evidence?

  • Surveillance of the suspect's home
  • Engaging in social engineering (correct)
  • Collecting physical evidence from the crime scene
  • Conducting an interview with a witness

Why must the seizure of equipment be justified?

  • It is constitutional law that requires justification

Which statement about criminal contraband is true?

  • It can be seized without any judicial authority

What is a major challenge faced by computer crime investigators due to resource limitations?

  • Need to play multiple roles

Why is digital evidence often considered fragile?

  • It is susceptible to various forms of damage

What is the first step involved in serving a warrant?

  • Knock

Which action is NOT part of securing the crime scene?

  • Collecting evidence

What complicates the process of finding potential evidence in cyber crime?

  • Growing sophistication of criminals

What should be documented when processing a crime scene?

  • Date, time, and description of the computer

How can the cost of investigations affect agencies handling cyber crime?

  • Failure could lead to lawsuits against the agency

What often surpasses the pace of law enforcement training in the context of cyber crime?

  • Technological advancements

Why is photograph/video documentation important during the investigation?

  • It can weaken defense arguments.

What may be required when searching specialized computer systems?

  • External specialists

Which of the following is NOT typically included in a law enforcement tool kit for computer forensics?

  • Video recording equipment

What role does the Seizure Team primarily play at a crime scene?

  • To bag and tag collected evidence

In the SMEAC preparation model, what does the 'E' in SMEAC stand for?

  • Execution

Which type of bag is specifically mentioned as preventing loss of data due to static electricity?

  • Antistatic bag

What additional equipment is necessary for networked computers during a forensic search?

  • Off-site storage consideration

Digital evidence is considered stable and reliable.

  • False

The growing sophistication of criminals complicates the search for potential evidence.

  • True

Finding digital evidence is inexpensive and straightforward.

  • False

Analyzing only samples of potential evidence is sufficient in forensic investigations.

  • False

Slow legislation can hinder law enforcement's ability to keep up with technological advancements.

  • True

Backup hardware is not considered a part of computer-specific equipment used in law enforcement.

  • False

Antistatic bags are used to prevent data loss due to static electricity during evidence collection.

  • True

A search warrant application does not need to be reviewed by computer experts before submission.

  • False

The Seizure Team is usually the first team to arrive at a crime scene.

  • False

Evidence tape is an essential component of the traditional equipment used in pre-search activities.

  • True

Probable cause must demonstrate that a crime has been committed and that evidence of that crime exists at a specific location.

  • True

Multiple warrants are unnecessary when dealing with different types of crime evidence.

  • False

Seizing equipment does not require justification beyond the reason for searching.

  • False

No-knock warrants may be utilized under circumstances like evidence destruction or the nature of the offense.

  • True

Criminal contraband can be seized without any judicial authority.

  • True

When processing the scene, documenting the date and time is not necessary.

  • False

Securing the crime scene includes dealing with dangerous individuals.

  • True

Photograph/video documentation can enhance defense arguments regarding evidence contamination.

  • False

External specialists may be needed when searching for mainframes and minicomputers.

  • True

Locating and securing all computers is part of the steps involved in serving a warrant.

  • True

Study Notes

Computer Forensics and Cyber Crime - Chapter 11

  • Forensic Investigation: A legal approach to finding digital evidence at cyber crime scenes. It involves pre-search and on-site search activities.

Traditional Problems Associated with Finding Digital Evidence

  • Multirole Operation: Investigators often have to play multiple roles (supervisor, investigator, technician, scientist) due to resource limitations. This can complicate investigations.
  • Fragility of Evidence: Digital evidence is volatile (easily damaged by climate, environment, human error) and voluminous (large amounts).
  • Size of Potential Evidence: Forensic analysis requires examining all potential evidence, not just sample portions.
  • Expense to Conduct Thoroughly: Accurate forensic investigations can be costly, and errors can lead to lawsuits.
  • Complexity of Evidence: Increasing criminal sophistication makes it harder to access potential evidence (e.g., encryption, steganography).
  • Slow Legislation: Advances in technology outpace law enforcement training, thus creating a gap in understanding.

Pre-Search Activities

  • Reliance on Traditional Methods: Gather information to prepare for scene arrival.
  • Scene Evaluation: Determine location, size, type, and number of computers at the crime scene.
  • Personnel Risks: Assess potential risks from personnel involved in the scene.
  • Evidence Volatility: Understand how easily evidence can be changed or lost during the investigation.
  • Legal Authority: Clearly define the judicial authority to gather evidence.
  • Expertise Requirements: Determine if expert personnel from outside are needed.
  • Engagement in Social Engineering: Use deception to gather information, when deemed necessary.
  • Dumpster Diving: Look for evidence discarded in public receptacles or trash cans.
  • Warrant Preparation: The request for a search warrant should be reviewed by both legal counsel and computer experts. The warrant must demonstrate probable cause that a crime was committed and that evidence of the crime exists at the specific location.
  • Seizure Justification: Justify the seizure of equipment, differentiating between search and seizure. Explicit permission is required to seize all hardware and storage devices. Some criminal contraband can be seized without a warrant.
  • No-Knock Warrants: An option under specific circumstances that involve the nature of the offense, the potential for evidence destruction, the sophistication of the target, or the absence of the resident.
  • Multiple Warrants: Sometimes multiple warrants are needed, for example when searching for evidence of identity theft in a case that also involves drug trafficking, or when networked computers are potentially located at multiple sites.
  • SMEAC: A plan preparation method that involves Situation, Mission, Execution, Avenues of approach and escape, and Communications.
  • On-Scene Personnel Roles: Different teams are needed, such as Case Supervisor, Arrest Team, Scene Security Team, Interview and Interrogation Team, Sketch and Photo Team, Physical Search Team, and Seizure Team.

On-Scene Activities

  • Equipment Seizure: Document the state of computers before powering off. Evidence tape should be placed over all disk openings, and all cords and empty slots should be labelled.
  • Documentation of Evidence: Document everything. At a minimum, record the date, time, computer descriptions (including damage), investigative team personnel, individuals present and witnesses, all investigative leads, and investigative software used.
  • Photography/Video Documentation: Important to mitigate defense arguments that officers contaminated or corrupted evidence.
  • Critical Information: Include identifying information during scene sketching.
  • Trace Evidence Considerations: Be mindful that trace evidence (e.g., hair, fibers, fingerprints) is often overlooked. Consider post-it notes, computer printouts, and the type of paper as ways to discover circumstantial connections.
  • Investigating Potential Evidence: Evidence to look for could be physical (desktops, monitors, keyboards, telephones, wallets/purses, clothing, trash cans/recycle bins, printers).
  • Seizure and Documentation: The seizure and documentation of evidence are limited to the warrant requirements. All annotations must be in ink, comprehensive notes must be taken, and images of the drives should be taken to clean media.
  • Packaging & Transporting: Be mindful of the temperature (heat), oil, dirt, dust, magnetic fields, and other environmental characteristics.
  • Evidence Control: Ensure evidence is properly controlled and tracked.


Description

Explore Chapter 11 of Computer Forensics and Cyber Crime, which dives into the intricacies of forensic investigation for digital evidence. This chapter covers the challenges faced by investigators, including the fragility and complexity of digital evidence and the multi-role demands placed on them. Understand the implications of these factors in cyber crime investigations.
