2.1 Brief History of Computer Crime Investigation

Responding to the growth in computer-related crime, in the late 1980s and early 1990s law enforcement agencies in the United States began to work together to develop training and build their capacity to deal with the problem. These initiatives led to law enforcement training programs at centers such as SEARCH, Federal Law Enforcement Center (FLETC), and National White Collar Crime Center (NW3C).

Subsequently, the United States and other countries established specialized groups to investigate computer-related crime on a national level. However, the demands on these groups quickly exhausted their resources and regional centers for processing digital evidence were developed. These regional centers also became overloaded, causing many local law enforcement agencies to develop their own units for handling digital evidence. Additionally, some countries have updated the training programs in their academies, realizing that the pervasiveness of computers requires every agent of law enforcement to have basic awareness of digital evidence. This rapid development has resulted in a pyramid structure of first responders with basic collection and examination skills to handle the majority of cases, supported by regional laboratories to handle more advanced cases, and national centers that assist with the most challenging cases, perform research, and develop tools that can be used at the regional and local levels.

The rapid developments in technology and computer-related crime have created a need for specialization: digital crime scene technicians who collect digital evidence, examiners who process the acquired evidence, and digital investigators who analyze all available evidence to build a case. These specializations are not limited to law enforcement and have developed in the corporate world as well. In addition to recovering from a security incident, it is often necessary to collect digital evidence to determine what occurred and help decision makers assess the problem. This is conceptually similar to the situation in violent crime when paramedics tend to the injured person's needs while crime scene experts process the evidence. Since paramedics are often the first people on the scene, investigators depend on them for information about the crime scene and victims in their original state. If paramedics changed anything at a crime scene, investigators need to know this before reconstructing the crime.

Even when a single individual is responsible for collecting, processing, and analyzing digital evidence, it is useful to consider these tasks separately. Each area of specialization requires different skills and procedures - dealing with them separately makes it easier to define training and standards in each area. Realizing the need for standardization in training and best practices, in 2002, the Scientific Working Group for Digital Evidence (SWGDE)^[1] published guidelines for training and best practices. As a result of these efforts, the American Society of Crime Laboratory Directors (ASCLD) proposed requirements for digital evidence examiners in forensic laboratories (ASCLD 2003). There are similar efforts to develop digital evidence examination into an accredited discipline under international standards (ISO 17025; ENFSI 2003).

The development of these standards has created a need for standards of practice for individuals in the field. To answer this need, certification and training programs are being developed to ensure that digital evidence examiners have the necessary skills to perform their work competently and to follow approved procedures. The aim is to create several tiers of certification, starting with a general knowledge exam that everyone must pass, including first responders who handle digital evidence, and then more specialized certifications for individuals who handle more complex cases in a laboratory setting.

^[1]http://www.swgde.org