Computer Forensics and Cyber Crime PDF
2013
Marjie T. Britz
Summary
This document is a textbook about Computer Forensics and Cyber Crime, 3rd edition, discussing traditional problems, pre-search and on-scene activities, focusing on searching and seizing related evidence. The book was published in 2013 by Pearson Education.
Full Transcript
Computer Forensics and Cyber Crime
CHAPTER 11: Searching and Seizing Computer-Related Evidence

Computer Forensics and Cyber Crime, 3rd ed. Marjie T. Britz. Copyright © 2013 by Pearson Education, Inc. All Rights Reserved.

Forensic Investigation

Legal approach to finding digital evidence at a cyber crime scene:
- Pre-search activities
- On-site search activities

Traditional Problems Associated with Finding Digital Evidence

1. Multirole operation: Occasional need for computer crime investigators to play multiple roles, i.e., case supervisors, investigators, crime scene technicians, and forensic scientists, due to resource limitations, which can increase the risk of complications.
2. Fragility of evidence: Digital evidence is volatile (susceptible to climatic, environmental, and human error) and voluminous.
3. Size of potential evidence: The need to analyze all potential evidence, as opposed to examining only samples.
4. Expensive to do correctly; failure could result in the filing of lawsuits against the agency.
5. Complexity: Growing sophistication of criminals means greater difficulty in getting to potential evidence, for example, due to encryption, steganography, or self-destructive programs.
6. Slow legislation: The pace of technological advancement surpasses the pace of law enforcement training.

Conclusion: it is critical to develop strict search and seizure policies.

Pre-Search Activities

- Reliance upon traditional methods for gathering information and to prepare for scene arrival
- Determination of the location, size, type, and number of computers at scene
- Risks from personnel affecting potential evidence
- The volatility of evidence
- Reliance upon judicial authority to conduct data-gathering
- Potential need for expertise or non-departmental experts
- Engaging in social engineering
- Dumpster-diving for potential evidence

Warrant Preparation and Application

- Application for a search warrant should be reviewed by computer experts and legal counsel prior to application for relevant language and protections
- Probable cause must demonstrate that:
  - A crime has been committed
  - Extant evidence of a crime exists and resides in a particular location

Seizing Equipment

- Must justify the seizure (not just the search) of equipment
- Request explicit permission to seize all hardware and storage devices as constitutionally justifiable
- Note that criminal contraband, fruits of the crime, and those items criminally possessed may be seized without judicial authority

No-knock warrants may be an option, given exigent circumstances such as:
- Nature of the offense
- Potential for evidence destruction
- Sophistication and maturity of the target
- Absence of the resident

Secondary/multiple warrants may be necessary in some cases, for example:
- When searching for theft of identity while encountering drug trafficking records
- For networked computers, especially as there may be off-site storage

Plan Preparation and Personnel Gathering

Such as the five-paragraph military order SMEAC:
- Situation
- Mission
- Execution
- Avenues of approach and escape
- Communications

On-scene personnel, who could play multiple roles, may include:
- Case Supervisor
- Arrest Team
- Scene Security Team
- Interview and Interrogation Team
- Sketch and Photo Team
- Physical Search Team
- Seizure Team, who go last and who would engage in bagging and tagging

Preparing a tool kit is dependent on what law enforcement expects to find on the scene.

Traditional equipment:
- Evidence tape
- Packing tape
- Evidence storage containers and labels
- Antistatic bags (prevent loss of data due to static electricity), conductive bags, and Faraday bags (to shield wireless devices from remote corruption or deletion of data)

Computer-Specific Equipment and Materials

- Multiple boot disks
- Backup hardware and miscellaneous computer peripherals:
  - New hard drives
  - Color scanner
  - Color printer and an assortment of computer paper
- Anti-virus software (must be the most current)
- Imaging software
- Application software

On-Scene Activities

Steps involved in serving a warrant:
- Knock
- Notice
- Document

Depending upon the warrant and crime scene, securing the scene includes (but is not limited to):
- Dealing immediately with dangerous individuals or safety hazards
- Locating and securing all computers
- Removing all personnel from the immediate area of the evidence
- Ascertaining network connections for taking appropriate action
- Disabling network access, ideally by a network administrator
- Protecting all computers by a police officer
- Collecting literature that relates to the underlying activities or offenses
- Determining the need for external specialists, who may be needed when searching mainframes, minicomputers, and specialty and hacker computers

When processing the scene, the following should be documented, at minimum:
- Date, time, and description of computer, including physical damage
- Identifying information of all investigative personnel
- Identifying information of all others present, especially witnesses and suspects
- All investigative clues uncovered and developing leads
- Investigative software used

Photograph/video documentation can weaken defense arguments that officers corrupted or otherwise contaminated criminal evidence.

When sketching the scene, be sure to include critical identifying information.

When identifying potential evidence:
- Don't overlook non-digital evidence
- Trace evidence may be important to place the suspect at the scene, and can include hair, fibers, and fingerprints
- Any other computer components, such as external hard drives and peripherals
- Circumstantial connections, such as post-it notes, computer printouts, even the type of paper used
- For example, when searching for the crime of software counterfeiting, look for labels, DVD burners, packaging, etc.

Investigating potential evidence:
- Desktops
- Monitors
- Keyboards
- Telephones
- Wallets/purses
- Clothing
- Trash cans and recycle bins
- Printers
- Inside the computer itself

Seizure and documentation of evidence:
- Limited to the scope of the warrant; get a secondary warrant when needed.
- All annotations must be in ink.
- Generate comprehensive notes.
- Image contents of the drives onto clean media.

When seizing computers:
- Before powering off, document the status of the computer with photos, sketches, and notes, including the back of the computer and connections.
- After powering off, place evidence tape over all disk openings.
- Label all cords & empty slots.

Bagging and Tagging

Use a chain of custody log to maintain a record of all items taken. Labels used should contain, at a minimum:
- Investigator's initials
- Date found
- Location of evidence

Use great care and wear gloves. Factors to consider in packaging and transporting computers:
- Temperature (heat)
- Oil, dirt, dust
- Magnetic fields
- Additional environmental characteristics

- Who controlled the digital evidence after it was examined and before it was given to authorities?
- When and how was the digital evidence collected and stored?
- Where was the evidence when it was collected?
- What type of equipment held the digital evidence?
- Who had access to the equipment?
- Who owned the equipment?

Scene Departure and Transportation of Evidence to Lab

- Rely on traditional methods to exit a crime scene
- Review shipping manifests upon arrival
- Enter into appropriate evidence control systems for analysis
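
The bagging-and-tagging label and chain of custody log described above, as an added example that is not from the textbook or its slides: it rejects a label missing any of the three minimum fields and records every hand-off so that "who controlled the evidence" can be answered from the log. The class name CustodyLog, the field names, and the SHA-256 hash chaining used for tamper evidence are assumptions of this example.

```python
import hashlib
import json

# Minimum label contents listed on the page; the field names are assumptions.
REQUIRED_LABEL_FIELDS = ("investigator_initials", "date_found", "location")
GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only record of seized items; each entry hashes the previous one."""

    def __init__(self):
        self.entries = []

    def _append(self, record):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = dict(record, prev_hash=prev)
        self.entries.append(dict(body, entry_hash=_digest(body)))

    def holder(self, item_id):
        """Return who currently holds the item, or None if it was never tagged."""
        for entry in reversed(self.entries):
            if entry["item_id"] == item_id:
                return entry["holder"]
        return None

    def tag(self, item_id, description, label):
        missing = [f for f in REQUIRED_LABEL_FIELDS if not label.get(f)]
        if missing:
            raise ValueError(f"{item_id}: label missing {', '.join(missing)}")
        if self.holder(item_id) is not None:
            raise ValueError(f"{item_id}: already tagged")
        self._append({"action": "seized", "item_id": item_id,
                      "description": description, "label": label,
                      "holder": label["investigator_initials"]})

    def transfer(self, item_id, from_holder, to_holder, when):
        # A hand-off is valid only from the person the log says holds the item.
        if self.holder(item_id) != from_holder:
            raise ValueError(f"{item_id}: {from_holder} is not the current holder")
        self._append({"action": "transfer", "item_id": item_id,
                      "holder": to_holder, "time": when})

    def verify(self):
        """Recompute the chain; False if an entry was edited, reordered or cut from the middle."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True
```

The chain does not detect entries removed from the end of the log, so the latest entry hash should also be recorded somewhere outside the log, for example in the investigator's ink notes.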