Disclaimer

Tools are mentioned in this book to illustrate concepts and techniques, not to indicate that a particular tool is best suited to a particular purpose. Digital investigators must take responsibility to select and evaluate their tools.

Any legal issues covered in this text are provided to improve understanding only, and are not intended as legal advice. Competent legal advice should be sought to address the specifics of a case and to ensure that nuances of the law are considered .

Part 1: Digital Investigation

Chapter List

Chapter 1: Digital Evidence and Computer Crime
Chapter 2: History and Terminology of Computer Crime Investigation
Chapter 3: Technology and Law
Chapter 4: The Investigative Process
Chapter 5: Investigative Reconstruction with Digital Evidence
Chapter 6: Modus Operandi, Motive, and Technology
Chapter 7: Digital Evidence in the Courtroom

Chapter 1: Digital Evidence and Computer Crime

Overview

Within the past few years a new class of crime scenes has become more prevalent , that is, crimes committed within electronic or digital domains, particularly within cyberspace . Criminal justice agencies throughout the world are being confronted with an increased need to investigate crimes perpetrated partially or entirely over the Internet or other electronic media. Resources and procedures are needed to effectively search for, locate, and preserve all types of electronic evidence. This evidence ranges from images of child pornography to encrypted data used to further a variety of criminal activities. Even in investigations that are not primarily electronic in nature, at some point in the investigation computer files or data may be discovered and further analysis required.

(Lee et al. 2001).

Increasingly, criminals are using technology to facilitate their offenses and avoid apprehension, creating new challenges for attorneys , judges, law enforcement agents , forensic examiners, and corporate security professionals. Organized criminals around the globe are using technology to maintain records, communicate, and commit crimes. Offenders have obtained computer information about a police officer and his family to intimidate and discourage him from confronting them. As a result of the large amounts of drugs, child pornography, and other illegal materials being trafficked on the Internet, the US Customs Cybersmuggling Center has come to view every computer on the Internet in the United States as a port of entry. Felons have even broken into court systems to change their records and monitor internal communications.

CASE EXAMPLE (CALIFORNIA 2003):

William Grace and 22-year-old Brandon Wilson were sentenced to 9 years in jail after pleading guilty to breaking into court systems in Riverside, California, to alter records. Wilson altered court records relating to previous charges filed against him (illegal drugs, weapons, and driving under the influence of alcohol) to indicate that the charges had been dismissed. Wilson also altered court documents relating to several friends and family members . The network intrusion began when Grace obtained a system password while working as an outside consultant to a local police department. By the time they were apprehended, they had gained unauthorized access to thousands of computers and had the ability to recall warrants , change court records, dismiss cases, and read e-mail of all county employees in most departments, including the Board of Supervisors, Sheriff, and Superior Court judges. Investigators estimate that they seized and examined a total of 400 Gbytes of digital evidence (Sullivan 2003).

As more medical machinery, office equipment, home computers and appliances, and handheld devices are networked, there is greater exposure to abuse that could disrupt health care, office, and home life work. Network-based attacks targeting critical infrastructure such as power, health, communications, financial, and emergency response services are becoming a greater concern as terrorists become more technologically proficient.

CASE EXAMPLE (COWEN 2003):

Michael McKevitt was charged with directing terrorist activities. In addition to being accused of involvement in a bombing in Northern Ireland, McKevitt allegedly contacted an FBI informant on behalf of the Real IRA to obtain laptops for bomb detonation, encryption software, and personal digital assistants. McKevitt apparently saw cyberterrorism - the use of the networks to cause panic and loss of life - as the future over bombing and was taking steps to expand his terrorist organization's capabilities in this area. The evidence in the case includes laptops, e-mail messages, and mobile telephone records.

There is a positive aspect to the increasing use of technology by criminals - the involvement of computers in crime has resulted in an abundance of digital evidence that can be used to apprehend and prosecute offenders. For instance, computers played a role in the planning and subsequent investigations of both World Trade Center bombings. Ramsey Yousef's laptop contained plans for the first bombing and, during the investigation into Zacarias Moussaoui's role in the second attack, over 100 hard drives were examined (United States v. Moussaoui; United States v. Salameh et al .; United States v. Ramsey Yousef). Realizing the increasing use of high technology by terrorists compelled the United States to enact the USA Patriot Act and motivated the European Union to recommend related measures. E-mail ransom notes sent by Islamists who kidnapped and murdered journalist Daniel Pearl were instrumental in identifying the responsible individuals in Pakistan. In this case, the "threat to life and limb" provision in the USA Patriot Act enabled Internet Service Providers (ISPs) to provide law enforcement with information quickly, without waiting for search warrants.

While paper documents relating to Enron's misdeeds were shredded, digital records persisted that helped investigators build a case. Subsequent investigations of financial firms and stock analysts have utilized e-mail and other digital evidence to build a case. Realizing the value of digital evidence in such investigations, the Securities and Exchange Commission set an example in December 2002 by fining five brokerage houses a total of $8.25 million for failing to retain e-mail and other data as required by the Securities and Exchange Act of 1934 (SEC 2002).

Digital evidence can be useful in a wide range of criminal investigations including homicides, sex offenses, missing persons, child abuse, drug dealing, and harassment . Also, civil cases can hinge on digital evidence, and digital discovery is becoming a routine part of civil disputes. Computerized records can help establish when events occurred, where victims and suspects were, whom they communicated with, and may even show their intent to commit a crime. Robert Durall's Web browser history showed that he had searched for terms such as "kill + spouse," " accident + deaths," and "smothering" and "murder" prior to killing his wife (Johnson 2000). These searches were used to demonstrate premeditation and increase the charge to first-degree murder. Sometimes information stored on a computer is the only clue in an investigation. In one case, e-mail messages were the only investigative link between a murderer and his victim.

CASE EXAMPLE (MARYLAND 1996):

{% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}

A Maryland woman named Sharon Lopatka told her husband that she was leaving to visit friends. However, she left a chilling note that caused her husband to inform police that she was missing. During their investigation, the police found hundreds of e-mail messages between Lopatka and a man named Robert Glass about their torture and death fantasies. The contents of the e-mail led investigators to Glass's trailer in North Carolina and they found Lopatka's shallow grave nearby. Her hands and feet had been tied and she had been strangled. Glass pled guilty, claiming that he killed Lopatka accidentally during sex.

Digital data are all around us and should be collected in any investigation routinely. More likely than not, someone involved in the crime used a computer, personal digital assistant, mobile telephone, or accessed the Internet. Therefore, every corporate investigation should consider relevant information stored on computer systems used by their employees both at work and home. Every search warrant should include digital evidence to avoid the need for a second warrant and the associated lost time and evidence. Even if digital data do not provide a link between a crime and its victim or a crime and its perpetrator, they can be useful in an investigation. Digital evidence can reveal how a crime was committed, provide investigative leads, disprove or support witness statements, and identify likely suspects.

This book provides the knowledge necessary to handle digital evidence in its many forms, to use this evidence to build a case, and to deal with the challenges associated with this type of evidence. This text presents approaches to handling digital evidence stored and transmitted using networks in a way that is most likely to be accepted in court. However, what is illegal, how evidence is handled, received, rejected, and how searches are authorized and conducted varies from country to country. Therefore, it is important to seek legal advice from a competent attorney, particularly since the law is changing to adapt to rapid technological developments.