2.3 Language of Computer Crime Investigation

The movement towards standardization in this area is made more difficult by a lack of agreement on basic terminology. Several attempts have been made to develop a standard language to describe the various aspects of computer crime investigation. Despite decades of discussion, no general agreement has been reached on the meaning of even the most basic term, computer crime.

There has been a great deal of debate among experts on just what constitutes a computer crime or a computer-related crime. Even after several years, there is no internationally recognized definition of those terms. Indeed, throughout this Manual the terms computer crime and computer-related crime will be used interchangeably. There is no doubt among the authors and experts who have attempted to arrive at definitions of computer crime that the phenomenon exists. However, the definitions that have been produced tend to relate to the study for which they were written. The intent of authors to be precise about the scope and use of particular definitions means, however, that using these definitions out of their intended context often creates inaccuracies. A global definition of computer crime has not been achieved; rather, functional definitions have been the norm.

Although there is no agreed upon definition of computer crime, the meaning of the term has become more specific over time. Computer crime mainly refers to a limited set of offenses that are specifically defined in laws such as the US Computer Fraud and Abuse Act and the UK Computer Abuse Act. These crimes include theft of computer services; unauthorized access to protected computers; software piracy and the alteration or theft of electronically stored information; extortion committed with the assistance of computers; obtaining unauthorized access to records from banks, credit card issuers, or customer reporting agencies; traffic in stolen passwords and transmission of destructive viruses or commands.

One of the main difficulties in defining computer crime is that situations arise where a computer or network was not directly involved in a crime but still contains digital evidence related to the crime. As an extreme example, take a suspect who claims that she was using the Internet at the time of a crime. Although the computer played no role in the crime, it contains digital evidence relevant to the investigation. To accommodate this type of situation, the more general term computer-related is used to refer to any crime that involves computers and networks, including crimes that do not rely heavily on computers. Notably, some organizations such as the US Department of Justice and the Council of Europe use the term cybercrime to refer to a wide range of crimes that involve computers and networks.

The term computer forensics also means different things to different people. Computer forensics usually refers to the forensic examination of computer components and their contents such as hard drives, compact disks, and printers. However, the term is sometimes used to describe the forensic examination of all forms of digital evidence, including data traveling over networks (a.k.a. network forensics). To confuse matters, the term computer forensics has been adopted by the information security community to describe a wide range of activities that have more to do with protecting computer systems than gathering evidence.

In fact, computer forensics (and by extension, network forensics) is a syntactical mess that uses the noun computer as an adjective and the adjective forensic as a noun, resulting in an imprecise term. Imagine referring to forensic entomology as "bug forensics" - this lacks clear meaning and sounds unprofessional. Also, referring only to computers limits the scope of the term, neglecting important aspects of the field such as communication systems, embedded systems, and digital image, audio, and video analysis. In 2001, the first annual Digital Forensic Research Workshop (DFRWS) [3] recognized the need for a revision in terminology and proposed digital forensic science to describe the field as a whole. The terms forensic computer analysis and forensic computing have also become widely used.

Given these disagreements regarding terminology, such terms will be avoided in this book. Instead, more descriptive language, such as digital evidence examination, will be used. This term is specific enough to be clear in the context of digital forensic science, computer forensics, incident response, or any other situation that involves the examination of digital evidence. Additionally, there is room in this terminology to include digital evidence in a legal context as well as the process of persuading decision-makers in civilian or military operations.

2.3.1 The Role of Computers in Crime

In addition to clarifying the general terms describing this field, it is productive to develop terminology describing the role of computers in crime. More specific language is crucial for developing a deeper understanding of how computers can be involved in crime and more refined approaches to investigating different kinds of crime. For example, investigating a computer intrusion requires one approach, while investigating a homicide with related digital evidence requires a completely different procedure.

The specific role that a computer plays in a crime also determines how it can be used as evidence. When a computer contains only a few pieces of digital evidence, investigators might not be authorized to collect the entire computer. However, when a computer is the key piece of evidence in an investigation and contains a large amount of digital evidence, it is often necessary to collect the entire computer and its contents. Additionally, when a computer plays a significant role in a crime, it is easier to obtain a warrant to search and seize the entire computer.

Several attempts have been made to develop a language, in the form of categories, to help describe the role of computers in crime. Categories are necessarily limiting, ignoring details for the sake of providing general terms, but they can be useful provided they are used with an awareness of their limitations. The strengths and weaknesses of three sets of categories are discussed in this section in an effort to improve understanding of the role of computers in crime.

Donn Parker was one of the first individuals to perceive the development of computer-related crime as a serious problem back in the 1970s and played a major role in enacting Florida's Computer Crime Act of 1978. Parker studied the evolution of computer-related crime for more than two decades and wrote several books on the subject (Parker 1976, 1983, 1998). He proposed the following four categories - while reading through these categories, notice the lack of reference to digital evidence.

  1. A computer can be the object of a crime. When a computer is affected by the criminal act, it is the object of the crime (e.g. when a computer is stolen or destroyed).

  2. A computer can be the subject of a crime. When a computer is the environment in which the crime is committed, it is the subject of the crime (e.g. when a computer is infected by a virus or impaired in some other way to inconvenience the individuals who use it).

  3. The computer can be used as the tool for conducting or planning a crime. For example, when a computer is used to forge documents or break into other computers, it is the instrument of the crime.

  4. The symbol of the computer itself can be used to intimidate or deceive. An example given is of a stockbroker, who told his clients that he was able to make huge profits on rapid stock option trading by using a secret computer program in a giant computer in a Wall Street brokerage firm. Although he had neither such programs nor access to the computer in question, hundreds of clients were convinced enough to invest a minimum of $100,000 each.

The distinction between a computer as the object and subject of a crime is useful from an investigative standpoint because it relates to the intent of the offender. However, additional terminology is needed to clarify this distinction. For the purposes of this text, a target is defined as the object of an attack from the offender's point of view, and may include computers or information they contain. The intended victim is the term for the person, group, or institution that was meant to suffer loss or harm. The intended victim and the target may be one and the same. There may also be more than one intended victim. Because of the closely linked nature of computer networks, there may also be collateral victims. This term refers to victims that an offender causes to suffer loss or harm in the pursuit of another victim (usually because of proximity). When an arsonist burns down a building to victimize an individual or a group, innocent individuals can get hurt. Similarly, when an intruder destroys a computer system to victimize an individual or a group, unconnected individuals can lose data.

Considering the computer as a tool that was used to plan or commit a crime is also useful. If a computer is used like a weapon in a criminal act, much like a gun or a knife, this could lead to additional charges or a heightened degree of punishment. As stated, the symbolic aspect of computers may seem irrelevant because no actual computers are involved and, therefore, none can be collected as evidence. The symbolic aspect of computers comes up more frequently when they are the targets of an attack and can be useful for understanding an offender's motivations. In this context, a symbol is any person or thing that represents an idea, a belief, a group, or even another person. For example, computers can symbolize authority to a particular offender, an organization can symbolize failure to an ex-employee, and a CEO can symbolize an organization. Therefore, a computer, organization, or individual may become a victim or target because of what they symbolize. Identifying the targets, intended victims, collateral victims, and symbols of a crime is one of the issues that an investigation is intended to resolve as discussed in Chapter 5.

The most significant omission in Parker's categories is computers as sources of digital evidence. In many cases, computers did not play a role in a crime but they contained evidence that proves a crime occurred. For example, a revealing e-mail between US President Clinton and intern Monica Lewinsky could indicate that they had an affair, but the e-mail itself played no role in Clinton's alleged act of perjury. Similarly, a few of the millions of e-mail messages that were examined during the Microsoft anti-trust case contained incriminating information, yet those e-mail messages did not play an active role in the crime - they were simply evidence of a crime.

In 1995, Professor David L. Carter used his knowledge of Criminal Justice to improve upon Parker's categorization of computer-related crime (Carter 1995). Instead of describing a computer as an object or tool of crime as Parker did, Carter used the more direct and legally oriented terms target and instrumentality, respectively. Although Carter did not address the subtleties of target/victim/symbol, he corrected Parker's main omission, describing scenarios in which computers are incidental to other crimes but hold related digital evidence. However, Carter did not distinguish between physical evidence (computer components) and digital evidence (the contents of the computer components). Very different procedures are required when dealing with physical and digital evidence, as described in Chapter 9.

In 1994, the US Department of Justice (USDOJ) created a set of categories and an associated set of search and seizure guidelines (USDOJ 1994, 1998). These categories made the necessary distinction between hardware (electronic evidence) and information (digital evidence), which is useful when developing procedures and from a probative standpoint. For instance, the distinction supports developing a parallel process for physical crime scene investigation and digital crime scene investigation (Carrier and Spafford 2003). In this context, hardware refers to all of the physical components of a computer, and information refers to the data and programs that are stored on and transmitted using a computer. The final three categories, which refer to information, all fall under the heading of digital evidence:

  1. Hardware as Contraband or Fruits of Crime.

  2. Hardware as an Instrumentality.

  3. Hardware as Evidence.

  4. Information as Contraband or Fruits of Crime.

  5. Information as an Instrumentality.

  6. Information as Evidence.

These categories are not intended to be mutually exclusive. A single crime can fall into more than one category. For example, when a computer is instrumental in committing a crime, it usually contains evidence of the offense. The details of collecting hardware and processing digital evidence are introduced in Chapter 9 and developed in the context of computer networks throughout the remainder of the text. Conspicuously absent from these categories is the computer as target, possibly because this distinction is more useful from an investigative standpoint than an evidence collection standpoint, as discussed in Chapters 5 and 19.

In 2002, this USDOJ document was updated to keep up with changes in technology and law and developed into a manual (as opposed to guidelines) for "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" (USDOJ 2002). While the guidelines gave hardware and information equal weight, the manual takes the position that, unless hardware itself is contraband, evidence, an instrumentality, or a fruit of crime, it is merely a container for evidence. Thus, there is a realization that the content of computers and networks is usually the target of the search rather than the hardware. However, the manual points out that even when information is the target, it may be necessary to collect the hardware for a variety of reasons.

In light of these uncertainties, agents often plan to try to search on-site, with the understanding that they will seize the equipment if circumstances discovered on-site make an on-site search infeasible. Once on-site to execute the search, the agents will assess the hardware, software, and resources available to determine whether an on-site search is possible. In many cases, the search strategy will depend on the sensitivity of the environment in which the search occurs. For example, agents seeking to obtain information stored on the computer network of a functioning business will in most circumstances want to make every effort to obtain the information without seizing the business's computers, if possible. In such situations, a tiered search strategy designed to use the least intrusive approach that will recover the information is generally appropriate.

Although the manual does not explicitly categorize information as contraband, a fruit of crime, or an instrumentality, it makes occasional reference to child pornography as contraband. These distinctions can be useful as discussed later in this section.

Because each of these categories has unique legal procedures that must be followed, this manual has become required reading among investigators, prosecutors and defense attorneys.

[Defense] counsel should carefully review the Manual in cases where clients' computers are searched, because in almost every case there will be deviations from the Manual's recommended procedures. Whether those deviations are the result of casual adherence to the Manual or utter ignorance of it, this is a fertile area for suppression practice (Hoover 2002).

Significantly, the manual takes a more network-centric approach than its predecessor, taking into account more of the real world complexities of collecting digital evidence. In addition to general discussions about dealing with networks as a source of evidence, the manual mentions the possibility of a network being an instrumentality of a crime, and provides a section "Working with Network Providers" and a lengthy chapter titled "Electronic Surveillance in Communications Networks" with updated information regarding the USA PATRIOT Act. These sections are of interest to both law enforcement and computer security professionals who may be required to respond to requests for data on their networks.

2.3.1.1 Hardware as Contraband or Fruits of Crime

Contraband is property that the private citizen is not permitted to possess. For example, under certain circumstances, it is illegal for an individual in the United States to possess hardware that is used to intercept electronic communications (18 USCS 2512). The concern is that these devices enable individuals to obtain confidential information, violate other people's privacy, and commit a wide range of other crimes using intercepted data. Cloned cellular phones and the equipment that is used to clone them are other examples of hardware as contraband.

The fruits of crime include property that was obtained by criminal activity such as computer equipment that was stolen, or purchased using stolen credit card numbers. Also, microprocessors are regularly stolen because they are very valuable, they are in high demand, and they are easy to transport.

The main reason for seizing contraband or fruits of crime is to prevent and deter future crimes. When law enforcement officers decide to seize evidence in this category, a court will examine whether the circumstances would have led a reasonably cautious agent to believe that the object was contraband or a fruit of crime.

2.3.1.2 Hardware as an Instrumentality

When computer hardware has played a significant role in a crime, it is considered an instrumentality. This distinction is useful because, if a computer is used like a weapon in a criminal act, much like a gun or a knife, this could lead to additional charges or a heightened degree of punishment. The clearest example of hardware as the instrumentality of crime is a computer that is specially manufactured, equipped and/or configured to commit a specific crime. For instance, sniffers are pieces of hardware that are specifically designed to eavesdrop on a network. Computer intruders often use sniffers to collect passwords that can then be used to gain unauthorized access to computers.

Sidebar: A sniffer is not always a piece of specialized hardware. With the right software, a regular computer that is connected directly to a network can be used as a sniffer, in which case the software might be considered the instrumentality of the crime. Specialized hardware and software can also be installed in standard handheld devices enabling them to monitor wireless networks, in which case both the hardware and software can be viewed as instrumentalities.

The primary reason for authorizing law enforcement to seize an instrumentality of crime is to prevent future crimes. When deciding whether or not a piece of hardware can be seized as an instrumentality of crime, it is important to remember that "significant" is the operative word in the definition of instrumentality. Unless a plausible argument can be made that the hardware played a significant role in the crime, it probably should not be seized as an instrumentality of the crime.

It is ultimately up to the courts to decide whether or not an item played a significant role in a given crime. So far, the courts have been quite liberal on this issue. For example, in a New York child pornography case the court ruled that a computer was the instrumentality of the offense because the computer hardware might have facilitated the sending and receiving of the images (United States v. Lamb 1996). Even more liberal was the Eastern District Court of Virginia decision that a computer with related accessories was an instrumentality because it contained a file that detailed the growing characteristics of marijuana plants (United States v. Real Property 1991).

2.3.1.3 Hardware as Evidence

Before 1972, "mere evidence" of a crime could not be seized. However, this restriction was removed and it is now acceptable to "search for and seize any property that constitutes evidence of the commission of a criminal offense" (Federal Rule of Criminal Procedure 41[b]). This separate category of hardware as evidence is necessary to cover computer hardware that is neither contraband nor the instrumentality of a crime. For instance, if a scanner that is used to digitize child pornography has unique scanning characteristics that link the hardware to the digitized images, it could be seized as evidence.

2.3.1.4 Information as Contraband or Fruits of Crime

As previously mentioned, contraband information is information that the private citizen is not permitted to possess. A common form of information as contraband is encryption software. In some countries, it is illegal for an individual to possess a computer program that can encode data using strong encryption algorithms because it gives criminals too much privacy. If a criminal is caught but all of the incriminating digital evidence is encrypted, it might not be possible to decode the evidence and prosecute the criminal. Another form of contraband is child pornography. Information as fruits of crime includes illegal copies of computer programs, stolen trade secrets and passwords, and any other information that was obtained by criminal activity.

2.3.1.5 Information as an Instrumentality

Information can be the instrumentality of a crime if it was designed or intended for use or has been used as a means of committing a criminal offense. Programs that computer intruders use to break into computer systems are the instrumentality of a crime. These programs, commonly known as exploits, enable computer intruders to gain unauthorized access to computers with a specific vulnerability. Also, computer programs that record people's passwords when they log into a computer can be an instrumentality, and computer programs that crack passwords often play a significant role in a crime. As with hardware, the significance of the information's role is paramount to determining if it is the instrumentality of crime. Unless a plausible argument can be made that the information played a significant role in the crime, it probably should not be seized as an instrumentality of the crime.

2.3.1.6 Information as Evidence

This is the richest category of all. Many of our daily actions leave a trail of digits. All service providers (e.g. telephone companies, ISPs, banks, credit institutions) keep some information about their customers. These records can reveal the location and time of an individual's activities, such as items purchased in a supermarket, car rentals and gasoline purchases, automated toll payment, mobile telephone calls, Internet access, online banking and shopping, and withdrawals from automated teller systems (with accompanying digital photographs). Although telephone companies and ISPs try to limit the amount of information that they keep on customer activities, to limit their storage and retrieval costs and their liability, law makers in some countries are starting to compel some communications service providers to keep more complete logs. For instance, the US Computer Assistance Law Enforcement Act (CALEA) that took effect in 2000, compels telephone companies to keep detailed records of their customers' calls for an indefinite period of time. The European Union has created log retention guidelines for its member states. In Japan, there is an ongoing debate about whether ISPs should be compelled to keep more complete logs.

For fun, take a single day in one person's life as an example. After breakfast, Jane Doe reads and responds to her e-mail. Copies of this e-mail remain in various places, so Jane takes care to encrypt private messages. However, even if her encrypted e-mail is never opened, it shows that she sent a message to a specific person at a specific time. This simple link between two people can be important in certain circumstances. Encrypted e-mail can be even more revealing in bulk. If Jane sends a large number of e-mails to a newspaper reporter just before publication of a story about a confidential case she is working on, a digital investigator would not have to decrypt and read the e-mails to draw some daring inferences. Similarly, if a suspect used encrypted e-mail to communicate with another individual around the time a crime was committed, this might be considered sufficient probable cause to obtain a warrant to examine the e-mail or even search the second person's computer or residence.

After checking her e-mail, Jane opens her schedule in her computerized planner. Jane's small planner contains vast amounts of information about her family, friends, acquaintances, interests, and activities. Next, on the way to the bank, Jane makes a few quick calls on her mobile telephone, propelling her voice through the air for anyone to listen to. At the bank, she withdraws some cash, creating a record of her whereabouts at a specific time. Not only is her transaction recorded in a computer, her face is captured by the camera built into the automated teller machine.

Although she pays for her lunch in cash, Jane puts the receipt in her wallet, thus keeping a record of one of the few transactions that might have escaped the permanent record. After lunch, Jane decides to page her husband John. From her computer she accesses a Web page that allows her to send John a short message on his pager. This small act creates a cascade of digits in Jane's computer, on the Web, and ultimately on John's pager. Unfortunately, the battery on Jane's telephone is low so when John tries to call, he gets Jane's voice mail and leaves a message. Then it occurs to him that Jane was probably at her computer when she sent him the short alphanumeric message, so he connects to the Internet and uses one of the many computer programs that allow live communication over the global network. These few minutes of digital tag create many records in many different places and though some of this information might dissolve in a matter of hours, some of it will linger indefinitely on backup tapes and in little-used crannies on Jane's hard drive.

As an exercise, think back on some recent days and try to imagine the trail of digits left by your activities on various computers at banks, telephone companies, work, home, and on the Internet.

[3] http://www.dfrws.org
Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279