Investigations


Computer forensics is the science of conducting a computer crime investigation to determine what has happened and who is responsible, and to collect legally admissible evidence for use in a computer crime case.

Closely related to, but distinctly different from, investigations is incident handling (or response). The purpose of an investigation is to determine what happened and who is responsible, and to collect evidence; incident handling is done to determine what happened, contain and assess damage, and restore normal operations. Incident handling is discussed in detail later in this chapter.

Investigations and incident handling must often be conducted simultaneously in a well-coordinated and controlled manner to ensure that the initial actions of either activity don’t destroy evidence or cause further damage to the organization’s assets. For this reason, it’s important that Computer Incident (or Emergency) Response Teams (CIRT or CERT, respectively) be properly trained and qualified to secure a computer-related crime scene or incident while preserving evidence. Ideally, the CIRT includes individuals who will actually be conducting the investigation.

An analogy would be a police patrolman who discovers a murder victim. It’s important that the patrolman quickly assesses the safety of the situation and secures the crime scene; but at the same time, he must be careful not to destroy any evidence. The homicide detective’s job is to gather and analyze the evidence. Ideally, but rarely, the homicide detective would be the individual who discovers the murder victim, allowing her to assess the safety of the situation, secure the crime scene, and begin collecting evidence. Think of yourself as a CSISSP!

Evidence

Evidence is information presented in a court of law to confirm or dispel a fact that’s under contention, such as the commission of a crime. A case can’t be brought to trial without sufficient evidence to support the case. Thus, properly gathering evidence is one of the most important and most difficult tasks of the investigator.

The types of evidence, rules of evidence, admissibility of evidence, chain of custody, and evidence life cycle comprise the main elements to be tested in the Investigations portion of this domain.

Types of evidence

Sources of legal evidence that can be presented in a court of law generally fall into one of four major categories:

  • Direct evidence: Oral testimony or a written statement based on information gathered through the witness’s five senses (an eyewitness account) that proves or disproves a specific fact or issue.

  • Real (or physical) evidence: Tangible objects from the actual crime, such as the tools or weapons used and any stolen or damaged property. May also include visual or audio surveillance tapes generated during or after the event. Physical evidence from a computer crime is rarely available.

  • Documentary evidence: Includes originals and copies of business records, computer-generated and computer-stored records, manuals, policies, standards, procedures, and log files. Most evidence presented in a computer crime case is documentary evidence. The hearsay rule, which we discuss in an upcoming section, is an extremely important test of documentary evidence that must be understood and applied to this type of evidence.

  • Demonstrative evidence: Used to aid the court’s understanding of a case. Opinions are considered demonstrative evidence and may be either expert (based on personal expertise and facts) or non-expert (based on facts only). Other examples include models, simulations, charts, and illustrations.

Other types of evidence that may fall into one or more of the above major categories include

  • Best evidence: Original, unaltered evidence, which is preferred by the court over secondary evidence. Read more about this in the upcoming section “Best evidence rule.”

  • Secondary evidence: A duplicate or copy of evidence, such as a tape backup, screen capture, or photograph.

  • Corroborative evidence: Supports or substantiates other evidence presented in a case.

  • Conclusive evidence: Incontrovertible and irrefutable: you know, the smoking gun.

  • Circumstantial evidence: Relevant facts that can’t be directly or conclusively connected to other events but about which a reasonable inference can be made.

Rules of evidence

Important rules of evidence for computer crime cases include the best evidence rule and hearsay evidence rule. The CISSP candidate must understand both of these rules and their applicability to evidence in computer crime cases.

Best evidence rule

The best evidence rule, defined in the Federal Rules of Evidence, states that “to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is [ordinarily] required.”

However, an exception to this rule is also defined in the Federal Rules of Evidence, as follows:

“[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”

This means that data extracted from a computer, provided it is a fair and accurate representation of the original data, satisfies the best evidence rule and may normally be introduced into court proceedings as such.

Hearsay rule

Hearsay evidence is evidence that is not based on the personal, first-hand knowledge of the witness but was instead obtained through other sources. Under the Federal Rules of Evidence, hearsay evidence is normally not admissible in court. This rule exists to prevent unreliable statements by witnesses from improperly influencing the outcome of a trial.

Business records, including computer records, have traditionally, and perhaps mistakenly, been considered hearsay evidence by most courts because these records cannot be proven accurate and reliable. One of the most significant obstacles for a prosecutor to overcome in a computer crime case is seeking the admission of computer records as evidence.

A prosecutor may be able to introduce computer records as best evidence rather than hearsay evidence as we discuss in the preceding section.

Several courts have acknowledged that the hearsay rules are applicable to computer-stored records containing human statements but are not applicable to computer-generated records untouched by human hands.

Perhaps the most successful and commonly applied test of admissibility for computer records in general has been the business records exception, established in the Federal Rules of Evidence for records of regularly conducted activity, meeting the following criteria:

  1. Made at or near the time of occurrence of the act

  2. Made by a person with knowledge or from information transmitted by a person with knowledge

  3. Made and relied upon during the regular conduct of business, as verified by the custodian or other witness familiar with their use

  4. Kept for motives that tend to assure their accuracy

  5. In the custody of the witness on a regular basis (as required by the chain of evidence)

Admissibility of evidence

Because computer-generated evidence can sometimes be easily manipulated, altered, or tampered with, and because it’s not easily and commonly understood, this type of evidence is usually considered suspect in a court of law. In order to be admissible, evidence must be

  • Relevant: It must tend to prove or disprove facts that are relevant and material to the case.

  • Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody. (We discuss this in the upcoming section “Chain of custody and the evidence life cycle.”)

  • Legally permissible: It must be obtained through legal means. Evidence that’s not legally permissible may include evidence obtained through the following means:

    • Illegal search and seizure: Law enforcement personnel must obtain a prior court order; however, non-law enforcement personnel, such as a supervisor or system administrator, may be able to conduct an authorized search under some circumstances.

    • Illegal wiretaps or phone taps: Anyone conducting wiretaps or phone taps must obtain a prior court order.

    • Entrapment or enticement: Entrapment encourages someone to commit a crime that the individual may have had no intention of committing. Conversely, enticement lures someone toward certain evidence (a honey pot, if you will) after that individual has already committed a crime. Enticement is not necessarily illegal but does raise certain ethical arguments and may not be admissible in court.

    • Coercion: Coerced testimony or confessions are not legally permissible.

    • Unauthorized or improper monitoring: Active monitoring must be properly authorized and conducted in a standard manner; users must be notified that they may be subject to monitoring.

Chain of custody and the evidence life cycle

The chain of custody (or evidence) provides accountability and protection for evidence throughout its entire life cycle and includes the following information, which is normally kept in an evidence log:

  • Persons involved (Who): Identify any and all individual(s) who discovered, collected, seized, analyzed, stored, preserved, transported, or otherwise controlled the evidence. Also identify any witnesses or other individuals present during any of the above actions.

  • Description of evidence (What): Ensure that all evidence is completely and uniquely described.

  • Location of evidence (Where): Provide specific information about the evidence’s location when it is discovered, analyzed, stored, or transported.

  • Date/Time (When): Record the date and time that evidence is discovered, collected, seized, analyzed, stored, or transported. Also, record date and time information for any evidence log entries associated with the evidence.

  • Methods used (How): Provide specific information about how evidence is discovered, collected, stored, preserved, or transported.

Any time that evidence changes possession or is transferred to a different media type, it must be properly recorded in the evidence log to maintain the chain of custody.
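As an added example (not from the book), here is a small Python evidence log that records the Who/What/Where/When/How of every custody entry, refuses to let a change of possession pass unrecorded, and checks at each handling step that the item is still what was originally collected. The SHA-256 hash stored with each entry is standard forensic practice that the chapter does not itself mention; every name, case number, location and the "disk image" bytes are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample "disk image"; not real evidence.
SAMPLE_IMAGE = b"constructed sample disk image bytes, not real evidence"


def sha256_hex(data: bytes) -> str:
    """Integrity hash recorded with every log entry (an assumption; standard practice, not from the book)."""
    return hashlib.sha256(data).hexdigest()


def utc_now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    when: str        # When: ISO-8601 UTC timestamp
    who: str         # Who: person performing the action
    action: str      # collected / transferred / received / analyzed / stored ...
    where: str       # Where: physical or logical location
    how: str         # How: method used
    sha256: str      # hash of the evidence content at the time of this entry
    witnesses: list = field(default_factory=list)


@dataclass
class EvidenceItem:
    case_number: str
    tag: str              # What: unique evidence tag
    description: str      # What: make, model, serial number, condition ...
    original_sha256: str  # hash taken at collection; every later entry must match it
    log: list = field(default_factory=list)


def collect(case_number, tag, description, content, who, where, how, when=None, witnesses=()):
    """Open the evidence log with the collection entry."""
    digest = sha256_hex(content)
    item = EvidenceItem(case_number, tag, description, digest)
    item.log.append(CustodyEntry(when or utc_now_iso(), who, "collected", where, how, digest, list(witnesses)))
    return item


def record(item, content, who, action, where, how, when=None, witnesses=()):
    """Append an entry for any handling step; returns False if the content no longer matches the original."""
    digest = sha256_hex(content)
    item.log.append(CustodyEntry(when or utc_now_iso(), who, action, where, how, digest, list(witnesses)))
    return digest == item.original_sha256


def verify_chain(item):
    """Return a list of problems; an empty list means the chain of custody is intact."""
    problems = []
    if not item.log or item.log[0].action != "collected":
        problems.append("log does not begin with a collection entry")
    for i, entry in enumerate(item.log):
        if entry.sha256 != item.original_sha256:
            problems.append(f"entry {i}: hash mismatch during '{entry.action}' by {entry.who}")
        if i > 0 and entry.when < item.log[i - 1].when:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        # A change of possession must be closed by the receiving party's own entry.
        if entry.action == "transferred":
            nxt = item.log[i + 1] if i + 1 < len(item.log) else None
            if nxt is None or nxt.action != "received":
                problems.append(f"entry {i}: transfer by {entry.who} has no matching 'received' entry")
    return problems


def demo():
    """Constructed scenario: an intact chain, a tampered image, and an unrecorded hand-off."""
    intact = collect("CASE-0001", "E-01", "constructed 1 TB SATA disk, serial PLACEHOLDER", SAMPLE_IMAGE,
                     "A. Investigator", "server room 2, rack 4", "write-blocked imaging",
                     when="2024-03-01T09:15:00+00:00", witnesses=["B. Admin"])
    record(intact, SAMPLE_IMAGE, "A. Investigator", "transferred", "evidence locker",
           "sealed in static-free bag with marked evidence tape", when="2024-03-01T10:00:00+00:00")
    record(intact, SAMPLE_IMAGE, "C. Custodian", "received", "evidence locker",
           "seal inspected, logged into locker", when="2024-03-01T10:05:00+00:00")
    analysed_ok = record(intact, SAMPLE_IMAGE, "D. Examiner", "analyzed", "forensic lab",
                         "read-only mount of working copy", when="2024-03-02T14:00:00+00:00")

    tampered = collect("CASE-0001", "E-02", "constructed USB stick", SAMPLE_IMAGE, "A. Investigator",
                       "desk 12", "bagged and tagged", when="2024-03-01T09:30:00+00:00")
    still_ok = record(tampered, SAMPLE_IMAGE + b"\x00", "D. Examiner", "analyzed", "forensic lab",
                      "mounted read-write by mistake", when="2024-03-02T15:00:00+00:00")

    gap = collect("CASE-0001", "E-03", "constructed laptop", SAMPLE_IMAGE, "A. Investigator",
                  "office 3", "powered off, bagged", when="2024-03-01T09:45:00+00:00")
    record(gap, SAMPLE_IMAGE, "A. Investigator", "transferred", "courier", "handed to courier",
           when="2024-03-01T11:00:00+00:00")
    record(gap, SAMPLE_IMAGE, "D. Examiner", "analyzed", "forensic lab", "read-only mount",
           when="2024-03-02T16:00:00+00:00")

    return {
        "intact_analysis_matches": analysed_ok,
        "intact_problems": verify_chain(intact),
        "tampered_analysis_matches": still_ok,
        "tampered_problems": verify_chain(tampered),
        "gap_problems": verify_chain(gap),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints an empty problem list for the first item, a hash mismatch for the second, and a missing "received" entry for the third; in a real log the `when` field would come from the collector's clock at the moment of the action, and the log itself would be stored on write-once or otherwise protected media.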

Law enforcement officials must strictly adhere to chain of custody requirements, and this adherence is highly recommended for anyone else involved in collecting or seizing evidence. Security professionals and incident response teams must fully understand and follow the chain of custody, no matter how minor or insignificant a security incident may initially appear.

Even properly trained law enforcement officials sometimes make crucial mistakes in evidence handling. Most attorneys won’t understand the technical aspects of the evidence that you may present in a case, but they will definitely know evidence-handling rules and will most certainly scrutinize your actions in this area. Improperly handled evidence, no matter how conclusive or damaging, will likely be inadmissible in a court of law.

The evidence life cycle describes the various phases of evidence from its initial discovery to its final disposition.

The evidence life cycle has the following five stages:

  • Collection and identification

  • Analysis

  • Storage, preservation, and transportation

  • Presentation in court

  • Return to victim (owner)

Collection and identification

Collecting evidence involves taking that evidence into custody. Unfortunately, evidence can’t always be collected and must instead be seized. Many legal issues are involved in seizing computers and other electronic evidence. The publication Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (January 2001), published by the U.S. Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS) provides comprehensive guidance on this subject. Find this publication available for download at www.cybercrime.gov.

In general, law enforcement officials can search and/or seize computers and other electronic evidence under any of four circumstances:

  • Voluntary or consensual: The owner of the computer or electronic evidence can freely surrender the evidence.

  • Subpoena: A court issues a subpoena to an individual ordering that individual to deliver the evidence to the court.

  • Search warrant or Writ of Possession: A search warrant is issued to a law enforcement official by the court, allowing that official to search and seize specific evidence. A Writ of Possession is a similar order issued in civil cases.

  • Exigent circumstances: If probable cause exists and the destruction of evidence is imminent, that evidence may be searched or seized without a warrant.

When evidence is collected, it must be properly marked and identified. This ensures that it can later be properly presented in court as actual evidence gathered from the scene or incident. The collected evidence must be recorded in an evidence log with the following information:

  • A description of the particular piece of evidence including any specific information, such as make, model, serial number, physical appearance, material condition, and preexisting damage

  • The name(s) of the person(s) who discovered and collected the evidence

  • The exact date and time, specific location, and circumstances of the discovery/collection

Additionally, the evidence must be marked, using the following guidelines:

  • Mark the evidence: If possible without damaging the evidence, mark the actual piece of evidence with the collecting individual’s initials, the date, and the case number (if known). Seal the evidence in an appropriate container and again mark the container with the same information.

  • Or use an evidence tag: If the actual evidence cannot be marked, attach an evidence tag with the same information as above, seal the evidence and tag in an appropriate container, and again mark the container with the same information.

  • Seal evidence: Seal the container with evidence tape and mark the tape in a manner that will clearly indicate any tampering.

  • Protect evidence: Use extreme caution when collecting and marking evidence to ensure that it’s not damaged. If you’re using plastic bags for evidence containers, be sure that they’re static free.

Always collect and mark evidence in a consistent manner so that you can easily identify evidence and describe your collection and identification techniques to an opposing attorney in court, if necessary.

Analysis

Analysis involves examining the evidence for information pertinent to the case. Analysis should be conducted with extreme caution, by properly trained and experienced personnel only, to ensure the evidence is not altered, damaged, or destroyed.

Storage, preservation, and transportation

All evidence must be properly stored in a secure facility and preserved to prevent damage or contamination from various hazards, including intense heat or cold, extreme humidity, water, magnetic fields, and vibration. Evidence that’s not properly protected may be inadmissible in court, and the party responsible for collection and storage may be liable. Care must also be exercised during transportation to ensure that evidence is not lost, damaged, or destroyed.

Presentation in court

Evidence to be presented in court must continue to follow the chain of custody and be handled with the same care as at all other times in the evidence life cycle. This process continues throughout the trial until all testimony related to the evidence is completed and the trial is over.

Return to victim (owner)

After the conclusion of the trial or other disposition, evidence is normally returned to its proper owner. However, under some circumstances, certain evidence may be ordered destroyed, such as contraband, drugs, or paraphernalia. Any evidence obtained through a search warrant is legally under the control of the court, possibly requiring the original owner to petition the court for its return.

Conducting investigations

A computer crime investigation should begin immediately upon report of an alleged computer crime or incident. Any incident should be handled, at least initially, as a computer crime investigation until a preliminary investigation determines otherwise.

The CISSP candidate should be familiar with the general steps of the investigative process, which include the following steps:

  • Detection and containment: Early detection is critical to a successful investigation. Unfortunately, passive or reactive detection techniques (such as the review of audit trails and accidental discovery) are usually the norm in computer crimes, which often leaves a cold evidence trail. Containment is essential to minimize further loss or damage. Enter the CIRT, which we discuss in the next section.

  • Notification of management: Management must be notified of any investigations as soon as possible. Knowledge of the investigations should be limited to as few people as possible, on a need-to-know basis. Out-of-band communications methods (reporting in person) should be used to ensure that an intruder does not intercept sensitive communications about the investigation.

  • Preliminary investigation: This is necessary to determine whether a crime has actually occurred. Most incidents are actually honest mistakes rather than criminal conduct. This step includes reviewing the complaint or report, inspecting damage, interviewing witnesses, examining logs, and identifying further investigation requirements.

  • Disclosure determination: The first and most important determination is whether law requires disclosure of the crime or incident. Next, determine whether disclosure is desired. This should be coordinated with a public relations or public affairs official of the organization.

  • Conduct the investigation:

    • Identify potential suspects. This includes insiders and outsiders to the organization. One standard discriminator to help determine or eliminate potential suspects is the MOM test: Did the suspect have the Motive, Opportunity, and Means to commit the crime?

    • Identify potential witnesses. Determine who will be interviewed and who will conduct the interviews. Be careful not to alert any potential suspects to the investigation; focus on obtaining facts, not opinions, in witness statements.

    • Prepare for search and seizure. This includes identifying the types of systems and evidence to be searched or seized, designating and training the search and seizure team members (CIRT), obtaining and serving proper search warrants (if required), and determining potential risk to the system during a search and seizure effort.

  • Report findings: The results of the investigation, including evidence, should be reported to management and turned over to proper law enforcement officials or prosecutors, as appropriate.

Instant Answer: MOM stands for Motive, Opportunity, and Means.

Incident handling (or response)

Incident response begins before an incident has actually occurred. Preparation is the key to a quick and successful response. A well-documented and regularly practiced incident response plan ensures effective preparation. The plan should include:

  • Response procedures: Detailed procedures that address different contingencies and situations should be included.

  • Response authority: Roles, responsibilities, and levels of authority for all members of the Computer Incident Response Team (CIRT) must be clearly defined.

  • Available resources: People, tools, and external resources (consultants and law enforcement agents) that are available to the CIRT should be identified. Training should include use of these resources, when possible.

  • Legal review: The incident response plan should be evaluated by appropriate legal counsel to determine compliance with applicable laws and to determine whether they’re enforceable and defensible.

Additional steps in incident response include:

  • Determination: Has a security incident occurred? This is similar to the detection and containment step in the investigative process, and includes defining what constitutes a security incident for your organization. Upon determination that an incident has occurred, it’s important to immediately begin detailed documentation of every action taken throughout the incident response process.

  • Notification: This step and specific procedures are identical to the notification of management step in the investigative process but also includes the disclosure determination step from the investigative process. All contact information should be documented before an incident, and all notifications and contacts during an incident should be documented in the incident log.

  • Containment: Again similar to the detection and containment step in the investigative process, the purpose of this step is to minimize further loss or damage. This may include eradicating a virus, denying access, and disabling services.

  • Assessment: This includes determining the scope and cause of damage, as well as the responsible (or liable) party.

  • Recovery: This may include rebuilding systems, repairing vulnerabilities, improving safeguards, and restoring data and services. This step should be done in accordance with a business continuity plan (BCP) with priorities for recovery properly identified.

  • Evaluation: This is the final phase of an incident response plan and includes the lessons learned. Lessons learned should include not only what went wrong but also what went right.

Remember: Investigations and incident response have similar steps but different purposes. The distinguishing characteristic of an investigation is the gathering of evidence for possible prosecution, whereas incident response focuses on containing the damage and returning to normal operations.




CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242