23.1 Identification or Seizure



The aim of this step is to locate likely sources of digital evidence and seize them. In some cases, such as computer intrusion investigations, it may be necessary to extract information from RAM (Figure 23.1).

Figure 23.1: Overview of identification and seizure process.

  • Look for hardware. In addition to desktop computers, look for laptops, hand held computers, external hard drives, digital cameras, and any other piece of equipment that can store evidence related to the crime being investigated. If the hardware is being collected for future examination, consider collecting peripheral hardware that is attached to the computer. Also collect any peripheral hardware that needs to be examined by a digital evidence examiner. For example, printers, cameras, and scanners might have unique characteristics that can be linked to documents or digitized images.

  • Look for software. If digital evidence was created using a program that is not widely used, collecting the installation disks will make it easier to examine the evidence.

  • Look for removable media. There are a wide variety of removable media that can contain digital evidence including floppy disks, Zip/Jazz disks, compact disks, and magnetic tapes. In particular, look for backups either on-site or in a remote storage facility. Determine what hardware and software was used to make the backups. In some instances, backup tapes can only be accessed using the type of hardware and software that created them. Therefore, consider collecting the unusual backup hardware and software. It is not necessary to collect hardware and software if a common, readily available method of backup was used. Keep in mind that criminals often hide removable media that contain incriminating or valuable information.

  • Look for documentation that is related to the hardware, software, and removable media. Documentation can help investigators understand details about the hardware, software, and backup process that are useful during an investigation and a trial. Also, the existence of books on encryption, digital evidence, and other technical topics can help assess the technical skill of the suspect and what to look for on computers.

  • Look for passwords and important telephone numbers on or near the computer. Individuals who have several Internet Service Providers often write down the phone numbers and passwords for their various accounts. This is especially true of computer intruders. Passwords and other useful information may also be obtained through interviews with people involved.

  • Look through the garbage for printouts and other evidence related to the computer. Computer printouts can contain valuable evidence and can sometimes be compared with the digital copies of the information for discrepancies.

  • Look for cybertrails as described throughout this book.

  • Unplug the modem or network cables from the computer. Consider testing the phone jack for a dial tone, or the data port for connectivity, to establish whether they were active.

  • Photograph evidence in situ, paying particular attention to serial numbers and wiring to help identify or reconstruct equipment later. This type of vivid documentation, showing evidence in its original state, can be useful for reconstructing a crime and demonstrating that evidence is authentic. Also consider removing casing and photographing internal components, including close-ups of hard drive jumper settings, and other details.

  • Dust for fingerprints and collect other trace evidence if it may be useful to the investigation.

  • Note or photograph the contents of the computer screen. If a program is running that might be destroying data, immediately disconnect power to that computer by pulling the cable out of the rear of the computer.

  • If the system is on, a judgement must be made as to whether to gather information from the system, such as checking the system clock for accuracy and the network neighborhood for connected machines. Note that a wily individual could create a link named "Network Neighborhood" that actually runs a destructive program. To limit the risks associated with operating the computer, it is advisable to use trusted utilities such as statically compiled executables on a CD-ROM. Any actions performed on the system must be clearly documented to enable others to assess the impact this process had on the system.

  • If applications are open, save their contents to a sanitized, labeled collection disk before closing. Preserve other data in the RAM as needed using approved tools and procedures. Although it may be necessary to print out certain items, be aware that this process creates spool files that can alter the system. When dealing with printouts, initial and date each page.

  • Shut down the computer if necessary.

  • Before copying data, calculate MD5 values of all disks and the files they contain, recording the values for future reference.

  • Label, date, and initial all evidence. Write protect media when possible and check for obvious signs of damage. If other people are collecting evidence, record their names and where they found the evidence. The aim is to preserve chain of custody and document the evidence in a way that helps investigators reconstruct the crime. Not knowing where evidence came from, or who collected it, can render it useless.

  • Whenever possible, a copy of digital evidence should be preserved on storage media that can only be written to once and are stable for long-term storage, like compact disks.

  • Store in a sealed envelope and secure in an evidence room or safe.
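The hashing and labeling steps above (calculate MD5 values before copying, record who collected what) can be carried out with a short script. The following is an added example, not code from the book: it builds an MD5 manifest of a constructed stand-in for seized media, records the collector and UTC time, and re-verifies the manifest later so that any file altered after seizure is reported. The file names, contents and examiner name are placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, algo="md5", chunk=1 << 20):
    """Stream a file through the digest so large disk images never have to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, examiner, algo="md5"):
    """Hash every file under root and record who did it and when (UTC)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            files[rel] = {"size": os.path.getsize(p), algo: hash_file(p, algo)}
    return {"collected_by": examiner, "algo": algo,
            "collected_at": datetime.now(timezone.utc).isoformat(), "files": files}

def verify_manifest(root, manifest):
    """Re-hash and list files that are missing or whose digest changed since collection."""
    algo = manifest["algo"]
    return sorted(rel for rel, rec in manifest["files"].items()
                  if not os.path.isfile(os.path.join(root, rel))
                  or hash_file(os.path.join(root, rel), algo) != rec[algo])

def demo():
    # Constructed stand-in for seized media: a blank 1.44 MB floppy image and two text files.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "floppy1.img"), "wb") as f:
        f.write(b"\x00" * 1474560)
    with open(os.path.join(root, "docs", "abc.txt"), "wb") as f:
        f.write(b"abc")                       # known-answer file for the digest
    with open(os.path.join(root, "docs", "letter.txt"), "wb") as f:
        f.write(b"draft letter\n")
    manifest = build_manifest(root, "examiner-name-placeholder")
    before = verify_manifest(root, manifest)  # expected: [] (nothing changed yet)
    with open(os.path.join(root, "docs", "letter.txt"), "ab") as f:
        f.write(b"altered after seizure\n")   # simulate a post-seizure change
    after = verify_manifest(root, manifest)   # expected: ["docs/letter.txt"]
    return {"manifest": manifest, "before": before, "after": after}
```

The book specifies MD5; `hash_file` accepts any `hashlib` algorithm name, so a SHA-256 manifest can be kept alongside the MD5 one without changing the rest of the script.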

23.1.1 When the Entire Computer is Required

  • Label cables and ports. Empty ports should be labeled "unused." If there is no label on a port, it could be argued that the evidence was not properly documented or that the label fell off. Any doubt that can be cast on the evidence collection and documentation process can weaken a case.

  • Put an unused disk in each floppy drive to protect the drive.

  • Use evidence tape to seal the computer case and drives to protect them against tampering.

  • Carefully package the hardware and do not expose it to potentially damaging conditions (e.g. dirt, fluids, humidity, impact, excessive heat and cold, and static electricity).




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
