
Computer Forensics and Cyber Crime, 2 Ed

The document discusses best practices for computer forensics investigations, including obtaining proper warrants, securing digital evidence at crime scenes, documenting procedures, and transporting computer equipment safely. It emphasizes the importance of following traditional investigative steps while also addressing challenges unique to digital evidence like volatility of data and networked devices.

Uploaded by

caffeinecrazy

Computer Forensics and Cyber Crime, 2nd ed.
Britz
2009 Pearson Education, Upper Saddle River, NJ 07458.
All Rights Reserved.
Chapter 11
Computer crime investigators play multiple roles (i.e., case supervisors, investigators, crime scene technicians, & forensic scientists)
Digital evidence is both volatile and voluminous (susceptible to climatic, environmental, AND human error)
Requires analysis of the whole, not samples
Extremely expensive
Litigious mine field
Easy to camouflage and difficult to find
Increasing sophistication of criminals: encryption, steganography, self-destructive programs, etc.
Technology is outpacing LE training
Creation of Forensic Laboratory
Warrant preparation
Intelligence gathering
Assembling an execution team
Planning the search
Assigning responsibilities
Investigation & Pre-Search Activities
Surveillance & intelligence gathering
Warrant preparation & application
Assembling an execution team
Planning the search
Assigning responsibilities
On-Scene Processing
Executing the warrant
Securing the scene
Evidence collection & preservation
Transportation of evidence
Analysis & Presentation
Rely on traditional methods to gather information & prepare for scene arrival
Factors to consider:
Location, size, type, & number of computers at scene
Potential danger to personnel & volatility of evidence
Need for judicial authority of call
Need for expertise or non-departmental experts
Social engineering
Dumpster diving

Four Corners rule: must stay within parameters
Include as much as the judicial climate will allow, yet be specific
Should be reviewed by computer experts & legal counsel prior to application
Probable Cause: Three Elements
Probable cause that a crime has been committed
Probable cause that evidence of a crime exists
Probable cause that extant evidence resides in a particular location
Scope will be based on rationale
Seizing Equipment
Must also justify the seizure (not just the search) of equipment
Highly recommended that investigators request explicit permission to seize all hardware and storage devices that are constitutionally justifiable
Criminal contraband, fruits of the crime, & those items criminally possessed may be seized without probable cause
No-Knock Warrants
Nature of the offense
Potential for evidence destruction
Sophistication and maturity of the target
Absence of the resident
Secondary/Multiple Warrants
May need a second warrant for contents of the computer
Quite common
Multiple warrants necessary in networked computers
Recommendation: have a magistrate standing by
MUST BE SPECIFIC!!!
On-Scene Personnel: investigators may play multiple roles
Case Supervisor
Arrest Team
Scene Security Team
Interview & Interrogation Team
Sketch and Photo Team
Physical Search Team
Seizure Team

Evidence tape
Packing tape
Evidence storage containers & labels
Miscellaneous writing & labeling materials
Sanitary materials
Flashlight
Extra batteries
List of contacts
Mobile carts or evidence transport units
Wireless communications
Photographic equipment
Nonmagnetic screwdrivers & hex wrenches
Small diagonal cutters
Hammer or nail puller
Multiple boot disks
Backup hardware and miscellaneous computer peripherals
Anti-virus software
Imaging software
Application software
Forensic software
Extra media
Extra cables, serial port connectors, and gender changers
Extension cords and/or power strips
Surge protectors and/or UPS
Open purchase order
Knock, Notice, and Document
Securing the Crime Scene
Determining Need for Additional Assistance
Date, time, and description of computer, including physical damage
Identifying information of all personnel
Identifying information of all present (i.e., witnesses and suspects)
All investigative clues uncovered and developing leads
Investigative software used
Chronology of all actions taken
Type and status of network connection
Verification of network connection
Status of computer
Computer activity
Computer desktop
System date/time
Tree structure (if relevant and possible)
Image verification
Chain of custody
Identification of all material or equipment seized

Don't overlook non-digital evidence!!
Trace evidence may be important to put suspect at the scene (hair, fiber, fingerprints, etc.)
Other non-computer evidence
Circumstantial connections (post-it notes, computer printouts, even type of paper)
Ex. Software counterfeiting: labels, DVD burners, packaging, etc.
Evidence of passwords around the computer
Digital evidence
Located on hard disks, computer peripherals, and external storage devices

Desktops
Monitors
Keyboards
Telephones
Wallets/purses
Clothing
Trash cans and recycle bins
Printers
Inside the computer itself

Photograph & Sketch before any seizure
Computers which cannot be seized or removed from the scene:
Imaging & Verification
Seizing computers
Prior to powering off, status of the computer should be documented by photos, sketches, and notes
This should include the back of the computer and connections
Once powered off, evidence tape should be placed over all disk openings
Labeling of cords & empty slots

Document, document, document
Chain of custody log
Label (at a minimum: investigator's initials, date found, and location of evidence)
Factors to consider in packaging & transport
Temperature
Dust
Magnetic fields
Corrosive elements
Static electricity
At Lab
Maintenance of chain of custody
All components stored together


Unique problems with computer-related evidence
Steps in a traditional investigation should be incorporated with those unique to computer-related investigations
Warrants should be specific & based on probable cause
Documentation is essential