Investigation




In order for any computer-related crime evidence to have any chance of holding up in a court of law, certain conditions, rules, and other criteria must be in place and followed. In most cases, professional advice as well as professional evidence collection methods are required for evidence to be considered admissible, relevant, and substantial.

In Chapter 6, you learned the importance of computer forensics, evidence collection, and evidence preservation. It is important that you keep your knowledge of that subject matter in mind as we now focus on developing an overall understanding of investigation preparation and rules to follow when conducting an investigation.

Conducting an Investigation

Conducting an investigation within your company requires that certain criteria already be established. First and foremost:

  • A company investigation committee should be established.

  • An enterprise or corporate investigation team should include all of the appropriate staff. This can include network security, building security, management, Human Resources, accounting departments, and other appropriate groups.

  • The committee should anticipate the likelihood of possible computer crime and prepare for such events by preparing for and establishing the following:

    • Creating a liaison with law enforcement and other emergency response agencies.

    • Creating a procedure that documents how and when law enforcement agencies will be notified.

    • Establishing documents and procedures that specify how the various computer crimes will be handled and reported. For example, will the FBI need to be notified? Will a professional forensics team need to be consulted?

    • Establishing documentation that specifies how the specific investigation will be handled and carried out.

  • The committee must ensure that evidence is handled properly.

  • The committee must be prepared for retaliation as a result of an investigation.

  • The committee must be familiar with U.S. federal requirements as they pertain to reporting and handling investigations.

It should always be anticipated that computer crimes will happen. The question is when they will happen. You should prepare for computer-related crimes as you would prepare for and protect your networked environment from computer virus attacks: have protection and an organized plan in place well ahead of time.

The frequency of computer crime is expected to increase as our society becomes more and more dependent on computer technology. In order to best protect and react to crimes committed within your organization, it is critical that your company employees are prepared and 'investigation smart.'

Categories of Evidence

It is most important that evidence obtained during an investigation is relevant and admissible in court. Although it is unlikely that the following descriptions of the types of evidence will appear on the exam, it is important for you to know what they are if you are considering a career in security or investigation:

  • Physical: This is evidence that you can touch. It is real. In other words, it exists physically. For example, computer forensic evidence is considered physical evidence. Fingerprints are considered physical evidence.

  • Testimonial: This is evidence obtained through testimonials of witnesses or possible confessions by suspects. Typically, this type of evidence is obtained from those who have information regarding who committed a crime, how they committed a crime, and where they might be located.

  • Demonstrative: This type of evidence can include photographs or drawings of a crime scene or possible crime scene. Typically, these photographs and drawings are used to recreate or display where and how a crime occurred.

Chain of Evidence Custody

The chain of evidence custody is a documented report that identifies who has custody of evidence from beginning to end. It is important to know who has custody of the evidence at hand to ensure accountability. If the chain of evidence custody is broken, or if the evidence is ever misplaced, it is likely that the evidence will prove useless to an investigation and will most likely not be admissible in a court of law. Knowing who has custody of the evidence at all times is critical to the investigation process.

The chain of evidence custody starts when the first piece of evidence is obtained. The chain of evidence custody continues until the evidence is no longer needed. The holder or owner of the evidence in the chain of evidence custody is called an evidence custodian. Each person that handles his or her part of the evidence is responsible for the welfare of the evidence. They are accountable and responsible for evidence preservation. Evidence collection and preservation was detailed in Chapter 6. By now, it should be quite apparent to you that the proper chain of evidence custody and the proper evidence collection and preservation techniques and guidelines are going to be a big part of the Security+ exam.
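The following script is an added illustration of the custody-log idea described above; it is not code from the original guide. It models each handover as a log entry and checks the two things that break a chain: an undocumented custodian (the person releasing the evidence is not the person who last signed for it) and an evidence hash that no longer matches the original. All names, timestamps and the "evidence image" bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CustodyEntry:
    """One handover in the chain of custody (all values are constructed)."""
    timestamp: str     # ISO-8601 UTC, so string comparison preserves order
    released_by: str   # custodian handing the evidence over
    received_by: str   # custodian taking responsibility for it
    sha256: str        # hash of the evidence image recorded at this handover


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_chain(entries, original: bytes) -> list:
    """Return a list of problems found; an empty list means the chain is intact."""
    if not entries:
        return ["no custody entries: evidence was never logged"]
    expected = sha256_of(original)
    problems, prev = [], None
    for i, e in enumerate(entries):
        if prev is not None:
            if e.released_by != prev.received_by:
                problems.append(f"entry {i}: released by {e.released_by!r} "
                                f"but last custodian was {prev.received_by!r}")
            if e.timestamp < prev.timestamp:
                problems.append(f"entry {i}: timestamp precedes entry {i - 1}")
        if e.sha256 != expected:
            problems.append(f"entry {i}: hash mismatch (evidence altered or wrong item)")
        prev = e
    return problems


# Constructed sample: a disk image (just bytes here) and its custody log.
IMAGE = b"constructed evidence image bytes"
GOOD_HASH = sha256_of(IMAGE)
INTACT = [
    CustodyEntry("2003-04-01T09:00:00Z", "scene", "A. Analyst", GOOD_HASH),
    CustodyEntry("2003-04-01T17:30:00Z", "A. Analyst", "Evidence Locker", GOOD_HASH),
    CustodyEntry("2003-04-03T08:15:00Z", "Evidence Locker", "B. Examiner", GOOD_HASH),
]
# Same log with one undocumented hop: the examiner took the item from someone
# who never signed for it, so accountability for that interval is lost.
BROKEN = INTACT[:2] + [CustodyEntry("2003-04-03T08:15:00Z", "C. Unknown",
                                     "B. Examiner", GOOD_HASH)]

if __name__ == "__main__":
    print("intact:", verify_chain(INTACT, IMAGE) or "OK")
    print("broken:", verify_chain(BROKEN, IMAGE))
```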

Enticement

The term enticement is defined as the practice or act of alluring, tempting, or attracting someone or something into doing something. For our Security+ focus and study, enticement is related to luring an intruder or hacker into leaving a trail or evidence behind that can be used to prove that they have broken the law. A honey pot can be used as a perfect example to demonstrate this point.

In Chapter 4, you learned that honey pots are used to attract hackers and crackers. A honey pot is basically an unprotected system with no applied patches, operating system updates, or firmware updates that is used to attract, trap, and identify possible attackers. The honey pot is a system that is monitored, audited, and logged. It is used to entice or lure the hacker. A better name for a honey pot might be mousetrap.

Entrapment

Entrapment involves luring or pursuing someone into committing an illegal act that they, the individual, had no original intention of committing. More often than not, entrapment is associated with federal, state, or local officials such as police officers forcing civilians to commit an act or crime that they had not intended to commit.

Concerning computer-related security issues, entrapment has become more of a defense plea or mechanism that cyber criminals use as a result of being caught with their hands in the honey pot jar. In other words, a hacker who has been identified and reported after attacking a honey pot server might attempt to argue a case of entrapment as a legal defense.

Hearsay

Hearsay is evidence that is generally not admissible because it is gathered from secondhand sources and is not directly tied to a specific firsthand witness. Hearsay is not considered fact and usually holds little value. However, there are some exceptions where hearsay evidence might be justified and possibly used as admissible evidence. Here are a few possible exceptions:

  • If evidence is collected during regular, consistent business routines and direct witnesses are involved.

  • If evidence is presented by a person with knowledge of records.

  • If evidence is presented by a person with knowledge.

  • If evidence is gathered close to the time of the actual criminal act.

  • If evidence is in the possession of a witness on a regular or routine basis.






The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
