18.8 Summary



Criminal activity on the Internet can generate a significant amount of information at the application layer, including Web pages, Usenet posts, e-mail messages, and IRC logs. In addition to extracting information from these sources of digital evidence, it is important to apply the lessons from previous chapters, seeking related server logs and possibly monitoring network traffic, to establish continuity of offense and locate the offender. Also keep Locard's exchange principle in mind, looking for transfer of digital evidence between the offender's computer and other systems on the Internet to help attribute online activities to the offender. It can be more difficult to establish continuity of offense when offenders attempt to conceal their activities or identity on the Internet. This is particularly true when Freenet is involved, making it necessary to rely on class and individual characteristics, searching image databases for similar characteristics.

When following the cybertrail, remember that one of the main limitations of the Internet as a source of evidence is that it generally only has the latest version of information. If a Web page is modified or someone retracts a Usenet post, the old information is usually lost. Because it cannot be assumed that evidence will remain on the Internet for any duration, it should be collected as quickly as possible. It is also important to remember that not all activities on the Internet are automatically archived (e.g., IRC). If you are fortunate enough to be in the right place at the right time, witnessing live interactions can greatly benefit an investigation. Otherwise, you might be lucky enough to find Internet chat logs when you search a suspect's computer. Either way, these live interactions contain a wealth of behavioral information about the individuals who are involved.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
