Computer Forensics and Cyber Crime
40 Questions
Questions and Answers

What is one traditional problem associated with finding digital evidence?

  • Fragility of digital evidence (correct)
  • Enhanced cooperation among agencies
  • The ability to fully automate evidence collection
  • Increased funding for investigations

Which factor increases the complexity of finding digital evidence in cyber crime investigations?

  • Obsolete technology
  • Growing sophistication of criminals (correct)
  • Simplicity of computer systems
  • High levels of public awareness

Why is analyzing all potential evidence critical in computer forensics?

  • To cater to public demand for quick results
  • To reduce the total investigation time
  • To limit costs associated with forensics
  • To ensure no evidence goes unnoticed (correct)

What can be a consequence of not executing a computer forensics investigation correctly?

  • Potential lawsuits against the investigative agency (C) (correct)

Which issue arises from the fast pace of technological advancements in relation to law enforcement?

  • Slow legislation related to cyber crime (C) (correct)

Which of the following roles is not typically included in the on-scene personnel during pre-search activities?

  • Evidence Collection Team (D) (correct)

What must be demonstrated to establish probable cause for a search warrant?

  • A crime has been committed and extant evidence of it exists in a specific location (A) (correct)

What is the purpose of using Faraday bags in a toolkit for pre-search activities?

  • To shield wireless devices from remote corruption (D) (correct)

What is required when preparing for the seizure of equipment during an investigation?

  • Justification for the seizure and explicit permission if needed (B) (correct)

Which step is NOT involved in serving a warrant?

  • Secure devices (B) (correct)

Which component is essential for imaging data during a computer forensic investigation?

  • Multiple boot disks (B) (correct)

What is one of the first actions to take when arriving at a crime scene?

  • Deal with safety hazards (A) (correct)

Which of the following is NOT generally acceptable in pre-search activities?

  • Waiting for the target to leave the premises (D) (correct)

What does the 'E' in the military planning acronym SMEAC stand for?

  • Execution (C) (correct)

Which type of documentation is important to protect evidence integrity in investigations?

  • Photograph/video documentation (A) (correct)

Why might secondary warrants be necessary during a search?

  • When unrelated records, such as drug trafficking, are discovered (D) (correct)

Under what circumstances can no-knock warrants be considered?

  • In exigent circumstances such as the potential for evidence destruction (D) (correct)

What must the application for a search warrant be reviewed for?

  • Relevancy and protection language by legal counsel and computer experts (C) (correct)

In securing a crime scene, what role does the network administrator ideally play?

  • He disables network access (B) (correct)

What minimum information should be documented when processing the scene?

  • Date, time, and description of computer (D) (correct)

Digital evidence is known for its durability and immunity to human error.

  • False (B) (correct)

The growing sophistication of criminals contributes to the complexity of finding potential evidence.

  • True (A) (correct)

Analyzing only samples of potential evidence is sufficient in computer forensics investigations.

  • False (B) (correct)

The expense of conducting a proper forensic investigation can lead to organizations facing lawsuits if mistakes occur.

  • True (A) (correct)

Law enforcement training is advancing at a faster pace than technological developments.

  • False (B) (correct)

Documenting the date, time, and description of the computer is unnecessary when processing the scene.

  • False (B) (correct)

Disabling network access at a crime scene is recommended to preserve evidence.

  • True (A) (correct)

Dealing with dangerous individuals is not a part of securing a crime scene.

  • False (B) (correct)

Photographing and video-documenting a crime scene can reinforce claims of evidence contamination.

  • False (B) (correct)

Engaging in social engineering is considered an acceptable method during pre-search activities.

  • False (B) (correct)

External specialists are often required for searching advanced computing systems.

  • True (A) (correct)

No-knock warrants can be implemented only when there is an imminent threat to evidence destruction.

  • True (A) (correct)

The seizure of equipment during an investigation requires explicit permission to be considered constitutionally justifiable.

  • True (A) (correct)

Probable cause for a search warrant means that evidence of a crime must already be found at the scene before the warrant is issued.

  • False (B) (correct)

All hardware and storage devices can be seized even if there is no judicial authority if they are considered criminally possessed.

  • True (A) (correct)

A Faraday bag is used to prevent loss of data due to static electricity.

  • False (B) (correct)

The military planning acronym SMEAC includes the component of 'Avenues of approach and escape.'

  • True (A) (correct)

The Seizure Team is the first group to engage in bagging and tagging evidence at a crime scene.

  • False (B) (correct)

Backup hardware is not considered part of the traditional equipment needed in computer forensic investigations.

  • True (A) (correct)

On-scene personnel involved in digital investigations may include a Case Supervisor and an Interview and Interrogation Team.

  • True (A) (correct)

Flashcards

Digital Evidence Volatility

Digital evidence is easily lost or changed due to environmental factors, human error, or the operating system.

Multirole Operations in Cybercrime

Investigators sometimes need to perform several jobs simultaneously (e.g., supervisor, investigator, etc.) due to resource limitations.

Extensive Digital Evidence

Possible digital evidence is huge, and it's critical to check every possible source.

Search & Seizure Policies

Established strategies required for safely and legally collecting digital evidence in a crime scene.

Sophisticated Cybercriminals

Cybercriminals use advanced techniques (e.g., encryption, steganography), making it harder to collect the evidence.

Pre-search activities in computer forensics

Activities performed before a computer forensic investigation, such as determining the location, type, and number of computers, assessing risks, and preparing the warrant application.

Warrant preparation

Reviewing the warrant application with computer experts and legal counsel to ensure accuracy and protection of rights.

Probable cause for a warrant

Proof that a crime has been committed and that evidence of the crime exists at a specific location - the primary legal requirement for a search warrant.

Seizing equipment (Justification)

Justifying the seizure of computer hardware and storage devices, as opposed to only the search itself, using constitutional basis and relevant legal documentation.

No-knock warrants

Warrants that allow authorities to enter a premises without knocking, justified under exigent circumstances (e.g., evidence destruction risk).

Serving a Warrant: Steps

The process of serving a warrant involves three key steps: knocking, providing notice to the occupants, and documenting the entire process.

Securing a Crime Scene

Securing a crime scene involving computers includes actions like: handling dangerous individuals, securing all computers, removing personnel, and assessing network connections.

Disabling Network Access?

Disabling network access, ideally by a network administrator, is crucial to prevent evidence tampering or data loss.

Documenting the Scene

Documenting a computer crime scene requires recording information like: date, time, computer description, personnel involved, witnesses, clues, and software used.

Photo/Video Documentation

Photographing or video recording the crime scene is crucial to preserve evidence and counter claims of tampering by investigators.

Multiple Warrants

Sometimes, more than one search warrant is needed to collect digital evidence. For example, if investigators are searching for stolen identities and find evidence of drug trafficking, they may need a separate warrant to collect the drug-related evidence.

SMEAC Planning

A structured approach to planning a digital evidence search operation. It involves defining the situation, mission, execution plan, avenues of approach and escape, and communication channels.

On-Scene Roles

A range of roles may be required on a digital evidence search team, including supervision, arrests, security, interviews, sketching, photography, physical searches, and seizing evidence.

Tool Kit Contents

A digital evidence tool kit includes traditional equipment like evidence tape and bags, as well as computer-specific equipment like boot disks, backup hardware, imaging software, and antivirus software.

Anti-Static Bags

Special bags used to store digital evidence to protect it from static electricity, which can corrupt or damage data.

Pre-Search Activities

Steps taken before a computer forensic investigation, like determining the location and type of computers involved, assessing risks, and preparing warrant applications.

Probable Cause

The legal requirement for a search warrant, demonstrating that a crime has been committed, and evidence exists at a specific location.

Seizing Equipment

Justifying the seizure of computer hardware and storage devices based on constitutional laws, which requires evidence of criminal activity.

Volatile Evidence

Digital evidence can easily change or get destroyed due to factors like human errors, environmental conditions, or the operating system itself.

Expensive Forensics

Conducting a proper computer forensics investigation is costly due to the need for specialist tools, skills, and time. Failure to do it correctly can lead to legal issues for the agency involved.

Encryption's Challenge

Cybercriminals increasingly use encryption, making it harder for investigators to access potential evidence. They hide information by making it unreadable without a key.

Why Strict Policies?

Having strict policies for search and seizure is crucial for computer-related evidence. It ensures evidence is collected legally and protects individual rights.

Technology vs. Law

The quick pace of technological change often outpaces law enforcement training and legal frameworks, leading to challenges in keeping up with the latest criminal techniques.

What are the three steps involved in serving a warrant?

The three steps involved in serving a warrant are: knocking, giving notice, and documenting the process.

Why is securing the scene important?

Securing the scene aims to prevent evidence tampering and ensure the safety of everyone involved. It involves controlling access, identifying hazards, and protecting computers.

What is a network administrator's role in securing evidence?

A network administrator can help secure evidence by disabling network access, preventing data loss, and ensuring that no new data is added to the system.

What information should be documented at a computer crime scene?

Documentation should include details about the computers, personnel involved, witnesses, clues, and software used. This ensures accurate record-keeping and supports future investigations.

Why is photograph/video documentation essential?

Photo/video documentation provides strong evidence against any claims that investigators tampered with or contaminated the evidence.

Study Notes

Computer Forensics and Cyber Crime

  • Computer forensics is a legal approach to finding digital evidence in cybercrime scenes.
  • Pre-search activities include gathering information, determining the number and type of computers, identifying potential risks from personnel affecting evidence, and understanding the volatility of evidence.
  • Pre-search activities also involve reliance on judicial authority for data gathering, possible expert consultation, social engineering, and dumpster diving.
  • Warrant preparation and application requires thorough review by legal counsel and computer experts. Probable cause must be demonstrated.
  • Seizing equipment procedures must explicitly justify the seizure of hardware and storage devices—not just the search.
  • Items like criminal contraband, fruits of the crime, and items criminally possessed may be seized without warrants.
  • No-knock warrants may be used in exigent circumstances like specific offense type, potential for evidence destruction, target sophistication, or absence of the resident.
  • Secondary/multiple warrants are sometimes necessary, for example, when searching for theft of identity and encountering drug trafficking records, or for networked computers with off-site storage.
  • Pre-search activities incorporate a five-paragraph military order (SMEAC): situation, mission, execution, avenues of approach and escape, and communications.
  • On-site personnel may include a case supervisor, arrest team, security team, interrogation team, sketch and photo team, physical search team, and seizure team; the seizure team usually goes last.
  • Law enforcement tool kits depend on what they expect to find on the scene.
  • This may include evidence tape, packing tape, evidence containers, labels, anti-static bags, conductive bags, and Faraday bags.
  • Computer-specific equipment and materials may include multiple boot disks, backup hardware, new hard drives, color scanners, color printers, computer paper, current anti-virus software, imaging software, and application software.

Forensic Investigation

  • A legal approach to finding digital evidence at a cybercrime scene.
  • Consists of pre-search activities and on-site search activities.

Traditional Problems Associated with Finding Digital Evidence

  • Multirole operation: Computer crime investigators need to take on multiple roles (e.g., case supervisors, investigators, technicians, forensic scientists), leading to complications due to resource limitations.
  • Fragility of evidence: Digital evidence is susceptible to climatic and environmental damage and to human error, and it is often voluminous.
  • Size of potential evidence: The need to analyze all potential evidence, not just samples.
  • Costly Investigations: Incorrect procedures can lead to lawsuits against the investigating agency.
  • Complexity: Growing criminal sophistication (encryption, steganography, self-destructive programs) makes finding evidence difficult.
  • Slow legislation: Technological advancement outpaces law enforcement training.

Pre-search Activities

  • Reliance on traditional methods for gathering information and preparing for scene arrival.
  • Determining computer location, size, type, and number.
  • Personnel risks affecting potential evidence and evidence volatility.
  • Judicial authorization for data gathering.
  • Potential need for expertise or non-departmental experts.
  • Social engineering and dumpster diving for potential evidence.

Warrant Preparation and Application

  • Search warrant applications should be reviewed by computer experts and legal counsel.
  • Demonstrating probable cause is critical (a crime has been committed and evidence exists in a specific location).

Seizing Equipment

  • Justification needed for seizure of equipment (not just search), including all hardware and storage devices.
  • Justification is based on constitutionally justifiable reasons.

No-knock warrants

  • No-knock warrants may be considered based on the nature of the offense, potential for evidence destruction, sophistication and maturity of the target, and absence of the resident.

Secondary/multiple warrants

  • Secondary/multiple warrants may be necessary when searching for specific crimes or for networked computers.

Plan Preparation and Personnel Gathering

  • Uses a five-paragraph military order approach (SMEAC): Situation, Mission, Execution, Avenues of approach and escape, and Communications.
  • On-scene Personnel Roles: Including Case Supervisor, Arrest Team, Security Team, Interrogation Team, Sketch & Photo Team, Physical Search Team, and Seizure Team.

Traditional Equipment

  • Evidence tape, Packing tape, Evidence Containers, Labels, Anti-static Bags, Conductive Bags, Faraday Bags

Computer-Specific Equipment and Materials

  • Multiple boot disks
  • Backup hardware and miscellaneous computer peripherals
  • New hard drives
  • Color scanner
  • Color printer and computer paper
  • Current antivirus software
  • Imaging software
  • Application software

On-Scene Activities

  • Steps involved in serving a warrant (Knock, Notice, Document)
  • Dealing with dangerous individuals/safety hazards
  • Locating and securing all computers.
  • Removing personnel from evidence area.
  • Ascertaining network connections.
  • Disabling network access (ideally by a network administrator).
  • Having a police officer protect the computers.
  • Collection of evidence-related literature.
  • Determining the need for external specialists.
  • Documentation of scene information such as date, time, and a detailed description of the computer (including physical damage), plus details of all investigative personnel, the suspect, and witnesses.
  • Documenting all clues and leads found.
  • Using investigative software.
  • Photograph/video documentation, so that claims of corrupted or contaminated evidence can be verified or challenged.
  • Critical identifying info must be included in scene sketches.
  • Non-digital evidence (trace evidence, hair, fibers, fingerprints) should not be overlooked.
  • Circumstantial evidence should be noted (post-it notes, computer printouts, paper types, labels, DVD burners, packaging).
  • Computer components and evidence should be noted (desktops, monitors, keyboards, telephones, wallets/purses, clothing, trash cans, recycle bins, printers, and the inside of the computer itself).
  • Seizure and documentation of evidence are limited by the warrant; obtain secondary warrants if needed, and make all annotations in ink.
  • Comprehensive notes must be generated and contents of computer drives imaged to clean media.
  • Document the computer status before powering off (photos, sketches, notes, connections).
  • Place evidence tape over all disk openings after powering off computer.
  • Label all cords and empty slots.

Bagging and Tagging

  • Use a chain of custody log to record items taken.
  • Labels include investigator's initials, date found, and location of evidence.
  • Taking pictures or making video documentation of the equipment.

Considerations and Factors

  • Factors for packaging and transporting computers include temperature (heat), oil, dirt, dust, magnetic fields, and other environmental factors.
  • Maintaining a chain of custody by clearly logging the evidence at each handling step.
  • Consider who controlled the digital evidence, when and where it was collected and stored, what type of equipment was used to hold it, who had access, and who owned the equipment after the forensic analysis.
  • Reliance on traditional methods for leaving the crime scene.

Scene Departure and Transportation

  • Reliance on traditional methods for leaving the crime scene
  • Review of shipping manifests upon arrival
  • Documentation to evidence control systems for analysis.

Description

This quiz covers the critical concepts of computer forensics and its legal implications in cybercrime investigations. It explores pre-search activities, warrant preparation, and procedures for seizing equipment, along with the importance of judicial oversight. Test your knowledge on this crucial aspect of digital evidence gathering.