Computer Forensics and Cyber Crime
40 Questions

Questions and Answers

What is one traditional problem associated with finding digital evidence?

  • Fragility of digital evidence (correct)
  • Enhanced cooperation among agencies
  • The ability to fully automate evidence collection
  • Increased funding for investigations

Which factor increases the complexity of finding digital evidence in cyber crime investigations?

  • Obsolete technology
  • Growing sophistication of criminals (correct)
  • Simplicity of computer systems
  • High levels of public awareness

Why is analyzing all potential evidence critical in computer forensics?

  • To cater to public demand for quick results
  • To reduce the total investigation time
  • To limit costs associated with forensics
  • To ensure no evidence goes unnoticed (correct)

What can be a consequence of not executing a computer forensics investigation correctly?

    Potential lawsuits against the investigative agency

    Which issue arises from the fast pace of technological advancements in relation to law enforcement?

    Slow legislation related to cyber crime

    Which of the following roles is not typically included in the on-scene personnel during pre-search activities?

    Evidence Collection Team

    What must be demonstrated to establish probable cause for a search warrant?

    A crime has been committed and extant evidence of it exists in a specific location

    What is the purpose of using Faraday bags in a toolkit for pre-search activities?

    To shield wireless devices from remote corruption

    What is required when preparing for the seizure of equipment during an investigation?

    Justification for the seizure and explicit permission if needed

    Which step is NOT involved in serving a warrant?

    Secure devices

    Which component is essential for imaging data during a computer forensic investigation?

    Multiple boot disks

    What is one of the first actions to take when arriving at a crime scene?

    Deal with safety hazards

    Which of the following is NOT generally acceptable in pre-search activities?

    Waiting for the target to leave the premises

    What does the 'E' in the military planning acronym SMEAC stand for?

    Execution

    Which type of documentation is important to protect evidence integrity in investigations?

    Photograph/video documentation

    Why might secondary warrants be necessary during a search?

    When unrelated records, such as drug trafficking, are discovered

    Under what circumstances can no-knock warrants be considered?

    In exigent circumstances such as the potential for evidence destruction

    What must the application for a search warrant be reviewed for?

    Relevancy and protection language by legal counsel and computer experts

    In securing a crime scene, what role does the network administrator ideally play?

    He disables network access

    What minimum information should be documented when processing the scene?

    Date, time, and description of computer

    Digital evidence is known for its durability and immunity to human error.

    False

    The growing sophistication of criminals contributes to the complexity of finding potential evidence.

    True

    Analyzing only samples of potential evidence is sufficient in computer forensics investigations.

    False

    The expense of conducting a proper forensic investigation can lead to organizations facing lawsuits if mistakes occur.

    True

    Law enforcement training is advancing at a faster pace than technological developments.

    False

    Documenting the date, time, and description of the computer is unnecessary when processing the scene.

    False

    Disabling network access at a crime scene is recommended to preserve evidence.

    True

    Dealing with dangerous individuals is not a part of securing a crime scene.

    False

    Photographing and video-documenting a crime scene can reinforce claims of evidence contamination.

    False

    Engaging in social engineering is considered an acceptable method during pre-search activities.

    False

    External specialists are often required for searching advanced computing systems.

    True

    No-knock warrants can be implemented only when there is an imminent threat of evidence destruction.

    True

    The seizure of equipment during an investigation requires explicit permission to be considered constitutionally justifiable.

    True

    Probable cause for a search warrant means that evidence of a crime must already be found at the scene before the warrant is issued.

    False

    All hardware and storage devices can be seized even if there is no judicial authority if they are considered criminally possessed.

    True

    A Faraday bag is used to prevent loss of data due to static electricity.

    False

    The military planning acronym SMEAC includes the component of 'Avenues of approach and escape.'

    True

    The Seizure Team is the first group to engage in bagging and tagging evidence at a crime scene.

    False

    Backup hardware is not considered part of the traditional equipment needed in computer forensic investigations.

    True

    On-scene personnel involved in digital investigations may include a Case Supervisor and an Interview and Interrogation Team.

    True

    Study Notes

    Computer Forensics and Cyber Crime

    • Computer forensics is a legal approach to finding digital evidence in cybercrime scenes.
    • Pre-search activities include gathering information, determining the number and type of computers, identifying potential risks from personnel affecting evidence, and understanding the volatility of evidence.
    • Pre-search activities also involve reliance on judicial authority for data gathering, possible expert consultation, social engineering, and dumpster diving.
    • Warrant preparation and application requires thorough review by legal counsel and computer experts. Probable cause must be demonstrated.
    • Seizing equipment procedures must explicitly justify the seizure of hardware and storage devices—not just the search.
    • Items like criminal contraband, fruits of the crime, and items criminally possessed may be seized without warrants.
    • No-knock warrants may be used in exigent circumstances like specific offense type, potential for evidence destruction, target sophistication, or absence of the resident.
    • Secondary/multiple warrants are sometimes necessary, for example, when searching for theft of identity and encountering drug trafficking records, or for networked computers with off-site storage.
    • Pre-search activities incorporate a five-paragraph military order (SMEAC): situation, mission, execution, avenues of approach and escape, and communications.
    • On-site personnel may include a case supervisor, arrest team, security team, interrogation team, sketch and photo team, physical search team, and seizure team; the seizure team usually goes last.
    • Law enforcement tool kits depend on what they expect to find on the scene.
    • This may include evidence tape, packing tape, evidence containers, labels, anti-static bags, conductive bags, and Faraday bags.
    • Computer-specific equipment and materials may include multiple boot disks, backup hardware, new hard drives, color scanners, color printers, computer paper, current anti-virus software, imaging software, and application software.

    Forensic Investigation

    • A legal approach to finding digital evidence at a cybercrime scene.
    • Pre-search activities; On-site search activities.

    Traditional Problems Associated with Finding Digital Evidence

    • Multirole operation: Computer crime investigators need to take on multiple roles (e.g., case supervisors, investigators, technicians, forensic scientists), leading to complications due to resource limitations.
    • Fragility of evidence: Digital evidence is susceptible to environmental damage (e.g., climatic, environmental) and human error, and is often voluminous.
    • Size of potential evidence: The need to analyze all potential evidence, not just samples.
    • Costly Investigations: Incorrect procedures can lead to lawsuits against the investigating agency.
    • Complexity: Growing criminal sophistication (encryption, steganography, self-destructive programs) makes finding evidence difficult.
    • Slow legislation: Technological advancement outpaces law enforcement training.

    Pre-search Activities

    • Reliance on traditional methods for gathering information and preparing for scene arrival.
    • Determining computer location, size, type, and number.
    • Personnel risks affecting potential evidence and evidence volatility.
    • Judicial authorization for data gathering.
    • Potential need for expertise or non-departmental experts.
    • Social engineering and dumpster diving for potential evidence.

    Warrant Preparation and Application

    • Search warrant applications should be reviewed by computer experts and legal counsel.
    • Demonstrating probable cause is critical (crime committed, evidence exists in a specific location).

    Seizing Equipment

    • Justification needed for seizure of equipment (not just search), including all hardware and storage devices.
    • Justification is based on constitutionally justifiable reasons.

    No-knock warrants

    • No-knock warrants may be considered based on the nature of the offense, potential for evidence destruction, sophistication and maturity of the target, and absence of the resident.

    Secondary/multiple warrants

    • Secondary/multiple warrants may be necessary when searching for specific crimes or for networked computers.

    Plan Preparation and Personnel Gathering

    • Uses a five-paragraph military order approach (SMEAC): Situation, Mission, Execution, Avenues of approach and escape, and Communications
    • On-scene Personnel Roles: Including Case Supervisor, Arrest Team, Security Team, Interrogation Team, Sketch & Photo Team, Physical Search Team, and Seizure Team.

    Traditional Equipment

    • Evidence tape, Packing tape, Evidence Containers, Labels, Anti-static Bags, Conductive Bags, Faraday Bags

    Computer-Specific Equipment and Materials

    • Multiple boot disks
    • Backup hardware and miscellaneous computer peripherals
    • New hard drives
    • Color scanner
    • Color printer and computer paper
    • Current antivirus software
    • Imaging software
    • Application software

    On-Scene Activities

    • Steps involved in serving a warrant (Knock, Notice, Document)
    • Dealing with dangerous individuals/safety hazards
    • Locating and securing all computers.
    • Removing personnel from evidence area.
    • Ascertaining network connections.
    • Disabling network access (ideally by a network administrator).
    • Protecting computers by a police officer.
    • Collection of evidence-related literature.
    • Determining the need for external specialists.
    • Documentation of scene information such as date, time, and a detailed description of the computer (including physical damage), along with information on all investigative personnel, suspects, and witnesses.
    • Documenting all clues and leads found.
    • Using investigative software.
    • Photograph/video documentation to verify evidence and to challenge claims that it was corrupted or contaminated.
    • Critical identifying info must be included in scene sketches.
    • Non-digital evidence (trace evidence, hair, fibers, fingerprints) should not be overlooked.
    • Circumstantial evidence should be noted (post-it notes, computer printouts, paper types, labels, DVD burners, packaging).
    • Computer components and evidence should be noted (desktops, monitors, keyboards, telephones, wallets/purse, clothing, trash cans, recycle bins, printers, and inside the computer itself)
    • Seizure and documentation of evidence is limited by the warrant; get secondary warrants if needed. All annotations must be in ink.
    • Comprehensive notes must be generated and contents of computer drives imaged to clean media.
    • Document the computer status before powering off (photos, sketches, notes, connections).
    • Place evidence tape over all disk openings after powering off computer.
    • Label all cords and empty slots.

    Bagging and Tagging

    • Use a chain of custody log to record items taken.
    • Labels include investigator's initials, date found, and location of evidence.
    • Taking pictures or making video documentation of the equipment.

    Considerations and Factors

    • Factors for packaging and transporting computers include temperature (heat), oil, dirt, dust, magnetic fields, and other environmental factors.
    • Maintaining a chain of custody by clearly logging the evidence at each handling step.
    • Consider who controlled the digital evidence, when it was collected and stored, where it was collected and what type of equipment was used to hold it, who had access, and who owned the equipment, after the forensic analysis.
    • Reliance on traditional methods for leaving the crime scene.

    Scene Departure and Transportation

    • Reliance on traditional methods for leaving the crime scene
    • Review of shipping manifests upon arrival
    • Documentation to evidence control systems for analysis.


    Description

    This quiz covers the critical concepts of computer forensics and its legal implications in cybercrime investigations. It explores pre-search activities, warrant preparation, and procedures for seizing equipment, along with the importance of judicial oversight. Test your knowledge on this crucial aspect of digital evidence gathering.
