The computer investigator's crime scene is
The scene might be distributed and consist of multiple server rooms, offices, and communications closets. The investigator must determine which evidence locations are true physical scenes that need to be physically secured (for example, a suspect's office) versus which locations harbor logical evidence and can be
The scene may not be easily accessible. The physical crime scene may be located at another organization, within a private residence, or even in another country, which may or may not have similar computer crime laws. This might require
A specific physical crime scene might not exist. With the
When identifying the crime scene(s), the investigator may want to ask a few questions to determine potential locations for evidence:
What machine was the target of the attack?
Where was the suspected source of the attack or wrongdoing?
Where did the data accessed reside?
What routers/firewalls/switches did the suspect traverse?
What printers does the subject use?
What file servers (shares) does the subject use?
What FTP servers does the subject use?
Does the subject have more than one machine? Where are they located?
Does the subject use a proxy server?
Does the subject use a DHCP server?
Are there any peripherals the subject owns (PDAs,
The potential locations for evidence will change over the course of the investigation. For example, when analyzing the subject's computer, an investigator might find FTP connections to a corporate server. An examination of that server's logs may show additional connections from the same suspect on a completely different system.
The most likely location for a physical crime scene is the actual location where the suspect initiated a digital connection. This might be an office, a residence, or even a vehicle and is the best candidate for establishing and securing a physical scene.
Targeted machines, log servers, and network devices may require handling as a logical scene. To decide whether to treat a scene as physical or logical, an analyst must ask two questions:
Is there likely to be physical evidence present in addition to digital evidence?
If the answer to either question is yes, treat the scene as a physical crime scene.
An external router was
The location of the router and switch was an access-controlled server room. The server room itself was initially treated as a crime scene. The router was secured and removed for remote analysis, and card reader access logs to the room were obtained. Likewise, an intrusion detection system (IDS) sensor on the same switch was treated as a logical part of the scene, and forensic copies were made of its logs. Because the room housed other operational servers, it was not
The IDS sensor logged the IP address assignments and
The badge reader logs from the site security team presented a few possible
The MAC addresses of the machines assigned to each of the suspects were remotely queried using nbmac from an anonymous workstation, making a simple NetBIOS call
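The correlation sketched in the case above, as an added example that is not part of the original text: IP-to-MAC assignments recorded by the IDS sensor, badge reader entries, and an asset inventory mapping each badge holder to the MAC of their assigned machine are joined to find which people present at the time owned the machine that held the attacking IP. All log lines, badge numbers, MACs and the inventory are constructed, and the log format is assumed.

```python
from datetime import datetime, timedelta

# Constructed sample data; not taken from the case described in the text.
IDS_ASSIGNMENTS = """\
2004-03-12 21:58:10 DHCPACK ip=10.1.5.23 mac=00:0c:29:aa:01:01
2004-03-12 22:03:44 DHCPACK ip=10.1.5.40 mac=00:0c:29:bb:02:02
2004-03-12 22:40:05 DHCPACK ip=10.1.5.23 mac=00:0c:29:cc:03:03
"""
BADGE_LOG = """\
2004-03-12 21:50:02 GRANT badge=1042 door=bldg-A-main
2004-03-12 22:01:17 GRANT badge=1077 door=bldg-A-main
2004-03-12 23:30:00 GRANT badge=1099 door=bldg-A-main
"""
# Hypothetical asset inventory: badge holder -> MAC of the machine assigned to them.
ASSIGNED_MACS = {"1042": "00:0c:29:aa:01:01",
                 "1077": "00:0c:29:bb:02:02",
                 "1099": "00:0c:29:cc:03:03"}
FMT = "%Y-%m-%d %H:%M:%S"


def parse_kv_log(text):
    """Parse 'date time EVENT k=v k=v ...' lines into (timestamp, fields) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], FMT)
        rows.append((ts, dict(p.split("=", 1) for p in parts[3:])))
    return rows


def mac_for_ip_at(assignments, ip, when):
    """MAC that held `ip` at `when`: the latest assignment at or before that time.
    A later re-assignment of the same IP (lease churn) must not be attributed."""
    hits = [(ts, f["mac"]) for ts, f in assignments if f["ip"] == ip and ts <= when]
    return max(hits)[1] if hits else None


def badges_present(badge_rows, when, window=timedelta(hours=2)):
    """Badge IDs granted entry within `window` before the event time."""
    return {f["badge"] for ts, f in badge_rows if when - window <= ts <= when}


def correlate(source_ip, event_time):
    """Return (MAC behind source_ip, badge holders present whose machine has that MAC)."""
    when = datetime.strptime(event_time, FMT)
    mac = mac_for_ip_at(parse_kv_log(IDS_ASSIGNMENTS), source_ip, when)
    present = badges_present(parse_kv_log(BADGE_LOG), when)
    # Guard against a None MAC matching badge holders missing from the inventory.
    return mac, sorted(b for b in present if mac and ASSIGNED_MACS.get(b) == mac)
```

The second query below the lease change shows why the assignment time, not just the IP, has to be matched: at 22:50 the same IP belongs to a different machine whose owner had not yet badged in.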