Chapter 1: Types of Computer-Based Investigations
Welcome to the 21st century, where almost everything in life is connected to an electronic device. There are digital cameras inside doorbells; your smartphone tracks your daily progress from work to home and back again; you get social media updates when you go to the gym, a show, or travel to a new city.
Your phone calls, bank access, and medical appointments are all tracked via digital technology. If it tracks your mundane daily activity, what about criminal or unethical behavior? That activity is also followed, and if you are a digital forensic investigator, you must know the repositories of the digital evidence and how to analyze it. There is almost no criminal activity that will not have digital evidence associated with it and, as an investigator, it is your job to find all available evidence, process it, and present findings to the finder of fact.
This chapter will introduce you to the different topics of computer-based investigations, from criminal acts investigated by the police to civil and potentially illegal actions performed by an employee or external third party that are examined by a nongovernmental investigator.
While the goal is the same, to present evidence about an incident, the methods for each are slightly different. It is essential for you to understand the similarities between the investigations, such as being able to present evidence in a judicial proceeding, and to recognize the differences.
The topics that will be covered in this chapter are as follows:
- Differences in computer-based investigations
- Criminal investigations
- Corporate investigations
Differences in computer-based investigations
This book is all about introducing a beginner to the realm of digital forensics. What is digital forensics? It is a division of forensics involving the recovery and analysis of data that has been recovered from digital devices. At one time, the term digital forensics was treated as a synonym for computer forensics, but now it involves all devices capable of storing digital data. No matter what term is used, the goal is to identify, collect, and examine/analyze digital data while preserving its integrity. Digital forensics is not only about finding the artifact; it is a formal examination/analysis of the digital evidence to prove or to disprove whether the accused committed the violation.
It is not always about demonstrating that the suspect is guilty; as a forensic examiner, you also have an ethical obligation to find exculpatory evidence that will prove the subject's innocence. Your duty is to be an unbiased third party in presenting the findings of the investigation. In a criminal examination, your findings could deprive someone of their liberty, and in a corporate investigation, your findings may lead to a criminal investigation or cost someone their livelihood. As a digital forensic examiner, your conclusions can have an extraordinary impact on the subjects of the investigation.
To be a digital forensic examiner, you need to have a desire to ask questions, have specialized equipment, and have the required training. From teaching people interested in the field, I have found the best students can critically examine the facts and circumstances being presented and, using that ability, can focus their efforts on efficiently reaching an accurate conclusion. Unfortunately, I find many students want to use a "find evidence" button, find all the artifacts, and print up a thousand-page report and call it a day. That is not digital forensics.
Digital forensics is not finding the artifact. By artifact, I am talking about an incriminating Google search in browser history, an incriminating email between the subject and a co-conspirator, or illicit images found in the filesystem. Artifacts are breadcrumbs leading to the identity of the person conducting the illegal activity. However, on their own, they do not identify the user who created these artifacts or the one who is indirectly responsible for their creation. One of the biggest challenges in this field is to determine what is colloquially known as the "idiot behind the keyboard." You want to tie the user account to the specific subject, and to do that, you have to analyze (that is the key word) the digital evidence to associate it with a particular user.
If you are in the IT field, you will understand networking and computer operating systems, but you will lack knowledge of how to preserve evidence, maintain a chain of custody, and present it in a criminal/administrative proceeding.
If you are an investigator, you will understand the chain of custody, evidence preservation, and testifying in a criminal/administrative proceeding. However, you may lack experience in the digital field. To be an effective digital forensic examiner, you have to be part of both those worlds. You have to understand how data is created, shared, and saved in the digital realm and be able to preserve that evidence in a forensically sound manner and testify in proceedings. Sometimes, the ability to talk in front of a large group while answering hard questions posed to you by attorneys from both sides is the hardest part of the field.
As with any field, the way you get better and more effective is to practice, to conduct real and mock examinations, to receive training, and have the willingness to reach out to your peers for advice. Since you are reading this book, you are taking that first step. You could be reading the text on your own, using it as a textbook for a college course you are taking, or using it in a corporate training session. The reason does not matter. Reading this book will put you on the road to be a more effective digital forensic examiner.
What is cybercrime? What crimes does a digital forensic examiner investigate? A digital forensic examiner may investigate any alleged wrongdoing that touches on the digital world. Nearly everyone possesses a mobile device. Sometimes, a person owns or uses multiple mobile devices and laptops and the traditional desktop. All of these sources have the ability to maintain a significant amount of information as it relates to the investigation. For example, I investigated a crime against a person where the victim was physically unable to communicate with the police. How does that become a crime that requires the use of a digital forensic examiner?
Well, in this case, she had maintained communication with the suspect of that crime via a website and instant messaging on her mobile device. While they did not directly have evidence relating to the crime being investigated, they had evidence about the relationship between the victim and the suspect. In the 21st century, almost any crime may have evidence stored in a digital format. Now, there are some crimes where someone will have used their computer as a tool to commit the crime, such as sending harassing emails, fraud and forgery, hacking, corporate espionage, or the trafficking of illicit images.
Your occupation will dictate your response to a situation; if you are law enforcement, you will have one set of procedures to follow, while if you are in the corporate world, you will have a different set of procedures to follow. While some processes may overlap in different fields, each one has its unique differences, which is what we will discuss next.
Criminal investigations
As a law enforcement professional, your first consideration will be officer safety. Is the scene secure to process and secure evidence? When the investigation starts, you may take part in one or more roles. The most basic positions are as follows:
- The first responder
- The investigator
- Crime scene technician
Depending on the size of your agency, you may fill one position or all three, and you may report to one or more supervisors. Now, in the matter of digital evidence, it is preferable that the person in charge of the crime scene has some knowledge of the fragility of digital evidence. That allows personnel to enact the proper procedures to ensure that the evidence is not corrupted.
Let's talk about what each role does.
First responders
The first responders are the first ones on the scene. They secure what may be a chaotic scene. They will identify the following:
- Potential victims
- Witnesses
- Potential suspects
- How best to maintain control
They will do this until the investigator arrives. The first responder's primary mission is to make the scene safe and secure and ensure that no one can contaminate the evidence. As you can imagine, crime scenes can vary from a dynamic crime scene to the relatively static crime scene, depending on the nature of the crime. In both scenarios, the first responder must have basic knowledge of what items could contain digital evidence when they secure the scene. We would not want to have subjects grabbing cell phones or laptops and using them for any activity.
So, how does a first responder protect the crime scene? Just like you see in TV shows and movies, yellow crime scene tape is the most common method. It is the most straightforward visible sign of a crime scene barrier, and in our culture, people recognize the barrier being presented by that thin piece of yellow plastic. One or more personnel will have to monitor the crime scene to regulate who can cross that line and enter the scene.
Investigators
The investigator will respond to the scene after being requested by the first responder. Upon arriving at the scene, the first responder and the investigator will coordinate, and information sharing will now start. The first responder will provide the basic information, which typically involves the five Ws and one H, specifically the who, what, when, where, why, and how, about the incident.
The first responder will also provide information about any actions they or anyone else had taken before the arrival of the investigator. For example, the investigator will want to know whether the first responder(s) touched anything, moved anything, or changed anything within the crime scene. This could be a physical action such as applying first aid to a victim or turning a computer on or off. I remember an examination I did where the first responders did not reveal that they had accessed the victim's computer. While conducting my examination, I did a timeline analysis and saw an abnormality in the activity after the victim had died. The abnormality was caused by the unreported actions of the first responders. What's important to understand here is that the first responders' actions were not wrong. What created complications is that they did not report the actions, which led to additional work and explanations.
The investigator takes charge of the scene and directs all activity. They will direct the other team members' investigative efforts to ensure the proper documentation is completed regarding the seizure of evidence. Sometimes, the first responder will seize evidence and turn it over to the investigator. A chain of custody document must be completed and maintained showing who found the item and who maintained control until the completion of the judicial or administrative proceeding.
Crime scene technician
Finally, we come to the crime scene technician. This can be a sworn or unsworn position within the law enforcement agency. They have specialized training in the collection of evidence. This could be physical evidence, such as fingerprints, tool comparison, the collection of biological fluids, and crime scene photography, all of which require specialized training and equipment. The collection of digital evidence requires the same level of expertise that the collection of physical evidence does.
Note
We can put law enforcement jobs into two basic groups:
- Sworn: May take an oath to support the laws in their jurisdiction; they have the power to make arrests and carry firearms.
- Non-sworn: May take an oath but do not have powers to arrest. These positions are typically crime scene analyst or law enforcement support technicians.
The crime scene technician is responsible for the preservation of evidence and starting the chain of custody. Some actions they could carry out include the acquisition of volatile memory of a computer system, creating forensic images of the storage devices, or creating the logical forensic image of logical files from a server. The evidence will be bagged and tagged and transported to a secure location. What do I mean by bagged and tagged? They will place all the evidence or the containers holding the digital evidence in the appropriate storage container. A tag will then be filled out with the identifiers to specify which investigation the evidence belongs to, who collected it, and what evidence is contained within the container.
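The chain of custody described above (who found the item, who held it, and proof that the evidence itself was never altered between hand-offs) can be modelled in a few lines of code. The following Python is an added illustration written for this edition, not material from the book or from any agency's case-management system; the case number, item number, personnel names, and the bytes standing in for a forensic image are all constructed sample values. It ties together the tag written at seizure, the custody log, and the integrity hash that lets an examiner show the image matches what was acquired.

```python
"""Chain-of-custody ledger for one seized digital evidence item (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash used to prove the evidence image is unchanged since acquisition."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One hand-off of the item: who released it, who received it, and why."""
    when: str
    released_by: str
    received_by: str
    purpose: str
    hash_at_transfer: str


@dataclass
class EvidenceItem:
    """The 'tag' on the evidence bag plus the running custody log."""
    case_id: str
    item_id: str
    description: str
    collected_by: str
    acquisition_hash: str
    log: list = field(default_factory=list)

    @property
    def current_custodian(self) -> str:
        """Whoever received the item last, or the collector if never transferred."""
        return self.log[-1].received_by if self.log else self.collected_by

    def transfer(self, released_by: str, received_by: str, purpose: str,
                 image_bytes: bytes, when: str = "") -> CustodyEntry:
        """Record a hand-off, refusing it if custody is not continuous or the
        evidence no longer matches its acquisition hash."""
        if released_by != self.current_custodian:
            raise ValueError(
                f"custody gap: {released_by} is not the current custodian "
                f"({self.current_custodian})")
        digest = sha256_hex(image_bytes)
        if digest != self.acquisition_hash:
            raise ValueError("integrity failure: image hash differs from acquisition hash")
        entry = CustodyEntry(
            when=when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            released_by=released_by, received_by=received_by,
            purpose=purpose, hash_at_transfer=digest)
        self.log.append(entry)
        return entry


def chain_is_continuous(item: EvidenceItem) -> bool:
    """Re-check the whole log after the fact: each hand-off must start where the
    previous one ended, and every recorded hash must equal the acquisition hash."""
    holder = item.collected_by
    for entry in item.log:
        if entry.released_by != holder or entry.hash_at_transfer != item.acquisition_hash:
            return False
        holder = entry.received_by
    return True


# Constructed sample: stands in for a forensic image file (not real evidence).
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed disk image bytes" + b"\xff" * 512


def seize_sample_item() -> EvidenceItem:
    """The crime scene technician 'bags and tags' the item and starts the chain."""
    return EvidenceItem(
        case_id="CASE-0001",          # placeholder case identifier
        item_id="ITEM-03",            # placeholder item identifier
        description="laptop internal SSD, forensic image",
        collected_by="CST Rivera",    # constructed name
        acquisition_hash=sha256_hex(SAMPLE_IMAGE),
    )


if __name__ == "__main__":
    item = seize_sample_item()
    item.transfer("CST Rivera", "Evidence Custodian", "secure storage", SAMPLE_IMAGE)
    item.transfer("Evidence Custodian", "Examiner Lee", "analysis", SAMPLE_IMAGE)
    print("custodian:", item.current_custodian, "continuous:", chain_is_continuous(item))
    try:  # a hand-off from someone who does not hold the item is a custody gap
        item.transfer("CST Rivera", "Examiner Lee", "re-examination", SAMPLE_IMAGE)
    except ValueError as err:
        print("rejected:", err)
```

Two design points carry over to real evidence handling: the hash is recomputed at every hand-off rather than trusted from the previous entry, so a change to the image is caught at the next transfer and not just at trial, and `chain_is_continuous` re-walks the log independently so a reviewer can verify the record without trusting the code that wrote it.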
As we go through the rest of this book, we will cover the duties of the crime scene technician in greater detail.
A law enforcement officer may be a first responder, investigator, or crime scene technician and, in all roles, is an agent of the government. Depending on your...