Chapter 04: Processing Crime and Incident Scenes

50 terms

1. ISPs can investigate computer abuse committed by their customers.

False

2. If you follow police instructions to gather additional evidence without a search warrant after you have reported the crime, you run the risk of becoming an agent of law enforcement.

True

3. A judge can exclude evidence obtained from a poorly worded warrant.

True

4. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location.

True

5. Corporate investigators always have the authority to seize all computer equipment during a corporate investigation.

False

6. The most common computer-related crime is check fraud.

True

7. Private-sector organizations include small to medium businesses, large corporations, and non-government organizations (NGOs), which always get funding from the government or other agencies.

False

8. Some cases involve dangerous settings. For these types of investigations, you must rely on the skills of hazardous materials (HAZMAT) teams to recover evidence from the scene.

True

9. If a company does not publish a policy stating that it reserves the right to inspect computing assets at will, or does not display a warning banner, employees have an expectation of privacy.

True

10. When an investigator finds a mix of information, judges often issue a limiting phrase to the warrant, which allows the police to present all evidence together.

False

11. When federal courts are evaluating digital evidence from computer-generated records, what exception is applied to hearsay?

Business-records exception

12. Under what circumstances are digital records considered admissible?

They are business records

13. What type of records are considered data that the system maintains, such as system log files and proxy server logs?

Computer-generated

14. When was the Freedom of Information Act originally enacted?

1960s (1966)

15. Which is the most accurate statement about investigating and controlling computer incident scenes in private-sector environments as compared to crime scenes?

Investigating and controlling the scene is much easier in private sector environments.

16. At a minimum, what do most company policies require that employers have in order to initiate an investigation?

Reasonable suspicion that a law or policy is being violated.

17. When confidential business data are included with the criminal evidence, what are they referred to as?

Commingled data

18. What standard is used to determine whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest?

Probable cause

19. What do law enforcement investigators need in order to remove computers from a crime scene and transport them to a lab?

A warrant

20. In addition to environmental issues, what issues are the investigator's primary concerns when working at the scene to gather information about an incident or a crime?

Safety

21. When recovering evidence from a contaminated crime scene, the investigator should take measures to avoid damage to the drive from overheating. At what temperature should the investigator take action?

80 degrees Fahrenheit or higher

22. What will allow the investigator to arrive at a scene, acquire the needed data, and return to the lab as quickly as possible?

An initial-response field kit

23. Which type of kit should include all the tools the investigator can afford to take to the field?

An extensive-response field kit

24. What type of evidence do courts consider evidence data in a computer to be?

Physical

25. The presence of police officers and other professionals who aren't part of the crime scene-processing team may result in the loss or corruption of data through which process?

Professional curiosity

26. When seizing computer evidence in criminal investigations, which organization's standards should be followed?

U.S. DOJ

27. Power should not be cut during an investigation involving a live computer, unless it is what type of system?

An older Windows or MS-DOS system

28. What type of files might lose essential network activity records if power is terminated without a proper shutdown?

Event logs

29. Which technique can be used for extracting evidence from large systems?

Sparse acquisition

30. What is required for real-time surveillance of a suspect's computer activity?

Sniffing data transmissions between a suspect's computer and a network server.

31. Covert surveillance product

EnCase Enterprise Edition

32. What you should rely on when dealing with a terrorist attack scene

HAZMAT

33. Secondhand or indirect evidence: a statement offered at a hearing by someone who did not actually witness the event, repeating what another person said outside the courtroom

Hearsay

34. What most cases in the private-sector environment are considered

Low-level investigations

35. Laws that government agencies must comply with by making documents they find and create available as public records

FOIA

36. Group that sets standards for recovering, preserving, and examining digital evidence

SWGDE

37. Systems used to test and match fingerprints

AFIS

38. Information unrelated to a computing investigation case

Innocent information

39. A data-collecting (covert monitoring) tool

Spector

40. Law that in 2001 redefined how ISPs and large organizations operate and maintain their records

PATRIOT Act

41. Why should companies publish a policy stating their right to inspect computing assets at will?

If a company doesn't display a warning banner or publish a policy stating that it reserves the right to inspect computing assets at will, employees have an expectation of privacy. When an employee is being investigated, this expected privacy prevents the employer from legally conducting an intrusive investigation. A well-defined company policy, therefore, should state that the employer has the right to examine, inspect, or access any company-owned computing asset. Once the policy statement has been issued to all employees, the employer can investigate company-owned digital assets at will without privacy-right restrictions (in the United States; this practice might violate the privacy laws of EU countries, for example). As a standard practice, companies should use both warning banners and policy statements. If an incident is escalated to a criminal complaint, prosecutors prefer showing juries warning banners instead of policy manuals, because a warning banner leaves a much stronger impression on a jury.

42. Illustrate with an example the problems caused by commingled data.

Suppose that during an examination, you find adult and child pornography. Further examination of the subject's hard disk reveals that the employee has been collecting child pornography in separate folders on his workstation's hard drive. In the United States, possessing child pornography is a crime under federal and state criminal statutes. These situations aren't uncommon, and they make life difficult for investigators who don't want to be guilty of possessing this contraband on their own forensic workstations.

You survey the remaining content of the subject's drive and find that he's a lead engineer for the team developing your company's latest high-tech bicycle. He has placed the child pornography images in a subfolder where the bicycle plans are stored. By doing so, he has commingled contraband with the company's confidential design plans for the bicycle. Your discovery poses two problems. First, you must report the crime to the police; all U.S. states and most countries have legal and moral codes that apply when evidence of sexual exploitation of children is found. Second, you must also protect sensitive company information: letting the high-tech bicycle information become part of the criminal evidence might make it public record, and the design work would then be available to competitors. Your first step is to ask your organization's attorney how to deal with the commingled contraband and sensitive design plans.

43. Briefly describe the process of obtaining a search warrant.

With probable cause, a police officer can obtain a search warrant from a judge that authorizes a search and seizure of specific evidence related to the criminal complaint.

The Fourth Amendment states that only warrants "particularly describing the place to be searched and the persons or things to be seized" can be issued.

44. What is the plain view doctrine?

When approaching or investigating a crime scene, you might find evidence related to the crime but not in the location the warrant specifies. You might also find evidence of another, unrelated crime. In these situations, the evidence is subject to the plain view doctrine, which states that objects falling in the direct sight of an officer who has the right to be in a location are subject to seizure without a warrant and can be introduced into evidence. For the plain view doctrine to apply, three criteria must be met:

• The officer is where he or she has a legal right to be.

• Ordinary senses must not be enhanced by advanced technology in any way, such as with binoculars.

• Any discovery must be by chance.

Courts have applied the doctrine narrowly to searches of digital storage, where "in plain view" is harder to establish than at a physical scene. If you come across evidence of an unrelated crime while examining a drive under a warrant, the safe course is to stop and obtain a new warrant that covers it rather than continue the search.

45. How can you determine who is in charge of an investigation?

Private-sector investigations usually require only one person to respond to an incident or crime scene. Processing evidence usually involves acquiring an image of a suspect's drive. In law enforcement, however, many investigations need additional staff to collect all evidence quickly. For large-scale investigations, a crime or incident scene leader should be designated. Anyone assigned to a large-scale investigation scene should cooperate with the designated leader to ensure that the team addresses all details when collecting evidence.

46. Describe the process of preparing an investigation team.

Before you initiate the search and seizure of digital evidence at incident or crime scenes, you must review all the available facts, plans, and objectives with the investigation team you have assembled. The goal of scene processing is to collect and secure digital evidence successfully. The better prepared you are, the fewer problems you encounter when you carry out the plan to collect data.

Keep in mind that digital evidence is volatile. Develop the skills to assess the facts quickly, make your plan, gather the needed resources, and collect data from the incident or crime scene. In some digital investigations, responding slowly might result in the loss of important evidence for the case.

47. How can you secure a computer incident or crime scene?

Investigators secure an incident or crime scene to preserve the evidence and to keep information about the incident or crime confidential. Information made public could jeopardize the investigation. If you're in charge of securing a digital incident or crime scene, use barrier tape to prevent bystanders from entering the scene accidentally, and ask police officers or security guards to prevent others from entering the scene or taking photos and videos with smartphones and other digital devices. Legal authority for an incident scene includes trespassing violations; for a crime scene, it includes obstructing justice or failing to comply with a police officer. Access to the scene should be restricted to only those people who have a specific reason to be there. The reason for the standard practice of securing an incident or crime scene is to expand the area of control beyond the scene's immediate location. In this way, you avoid overlooking an area that might be part of the scene. Shrinking the scene's perimeter is easier than expanding it.

48. Give some guidelines on how to video record a computer incident or crime scene.

Take video and still recordings of the area around the computer or digital device. Start by recording the overall scene, and then record details with close-up shots, including the back of every computer. Before recording the back of each computer, place numbered or lettered labels on each cable to help identify which cable is connected to which port, in case you need to reassemble the components at the lab. Make sure you take close-ups of all cable connections, including any keyloggers (devices that capture keystrokes) and hardware dongles used for software licensing. Record the area around the computer, including the floor and ceiling, and all access points to the computer, such as doors and windows. Look under any tables or desks for anything taped to the underside of a table, a desk drawer, or the floor out of view. If the area has ceiling panels (false ceiling tiles), remove them and record that area, too. Pan or zoom the camera slowly to prevent blurring in the video image, and maintain a camera log for all shots you take.

49. Describe how to use a journal when processing a major incident or crime scene.

Keep a journal to document your activities. Include the date and time you arrive on the scene, the people you encounter, and notes on every important task you perform. Update the journal as you process the scene. With mobile devices, you can easily record a log of what you're doing; just be sure to check who has access to your mobile device.

50. What should you do when working on an Internet investigation and the suspect's computer is on?

If you're working on a network or Internet investigation and the computer is on, save data in any open applications as safely as possible and record all active windows or shell sessions. Don't browse folders, examine network connections, or press any keys unless it's necessary, because every action changes the system's state. For systems that are powered on and running, photograph the screens. If windows are open but minimized, it is safe to expand them so that you can photograph them. As a precaution, also write down the contents of each window.