Handbook of Information Security Management:Law, Investigation, and Ethics



The crime scene should be sketched and photographed before anything is touched. Sketches should be drawn to scale. Still photographs of critical pieces of evidence should be taken. At a minimum, the following should be captured:

  The layout of desks and computers.
  The configuration of all computers on the network.
  The configuration of the suspect computer.
  The suspect computer’s display.

If the computer is on, the investigator should capture what is on the monitor. This can be accomplished by videotaping what is on the screen. The best way to do this, without getting the “scrolling effect” caused by the video refresh, is to use an NTSC adapter. Every monitor has a specific refresh rate (i.e., horizontal: 30–66 kHz, vertical: 50–90 Hz) that identifies how frequently the screen’s image is redrawn. It is this redrawing process that causes the videotaped image to appear as if the vertical hold is not properly adjusted. The NTSC adapter is connected between the monitor and the monitor cable and feeds the incoming signal directly into the camcorder. Still photos are a good idea too. A flash should not be used, because it can “white out” the image. Even if the computer is off, the monitor should be checked for burnt-in images. This does not happen as much with newer monitors, but it may still help in the discovery of evidence.

Once the investigator has reviewed and captured what is on the screen, he or she should pull the plug on the system. This is for PC-based systems only. Minisystems or mainframes must be logically powered down. A forensic analysis (i.e., a technical system review with a legal basis focused on evidence gathering) should be conducted on a forensic system in a controlled environment. If necessary, a forensic analysis can be conducted on site, but never by using the suspect system’s operating system or system utilities. The process that should be followed is discussed later in this chapter.

The investigator should identify, mark, and pack all evidence according to the collection process under the Rules of Evidence. He or she should also identify and label all computer systems, cables, documents, and disks. Then, he or she should seize all diskettes, backup tapes, optical disks, and printouts, making an entry for each in the evidence log. The printer should be examined, and if it uses ribbons, at least the ribbon should be taken as evidence. The investigator should keep in mind that many peripheral devices may contain crucial evidence in their memory or buffers.

Some other items of evidence to consider are LAN servers and routers. The investigator must check with the manufacturer on how to output the memory buffers for each device, keeping in mind that most buffers are stored in volatile memory. Once the power is cut, the information may be lost. In addition, the investigator must examine all drawers, closets, and even the garbage for any forms of magnetic media (i.e., hard drives, floppy diskettes, tape cartridges, or optical disks) or documentation.

Moreover, it seems that many computer-literate individuals produce most of their correspondence and work product on a computer. This is an excellent source of leads, but the investigator must take care to avoid an invasion of privacy. Even media that appears to be destroyed can turn out to be quite useful. For example, one criminal case involved an American serviceman who contracted to have his wife killed and wrote the letter on his computer. In an attempt to destroy all the evidence, he cut the floppy disk containing the letter into 17 pieces. The Secret Service was able to reconstruct the diskette and read almost all the information.

The investigator should not overlook the obvious, especially hacker tools and any ill-gotten gains (i.e., password or credit card lists). These items help build a case when trying to show motive and opportunity. The State of California has equated hacker tools to that of burglary tools; the mere possession constitutes a crime. Possession of a Red Box, or any other telecommunications instrument that has been modified with the intent to defraud, is also prohibited under U.S.C. Section 1029.

Finally, phones, answering machines, desk calendars, day-timers, fax machines, pocket organizers, and electronic watches are all sources of potential evidence. If the case warrants, the investigator should seize and analyze all sources of data — electronic and manual. He or she should also document all activity in an activity log and, if necessary, secure the crime scene.
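The evidence log that the preceding paragraphs keep returning to is the backbone of chain of custody: each seized item needs an identifier, a description, who collected it, when, and a way to show later that it has not changed. The following is an added example, not code from the handbook; it assumes a Python 3 environment and uses constructed file names and item identifiers. It records a SHA-256 hash for each item at seizure time and re-verifies the hashes afterwards, reporting any item whose contents no longer match the log.

```python
"""Minimal evidence log with integrity hashes (added example, not from the handbook)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def log_item(log: list, item_id: str, path: Path, description: str, collector: str) -> dict:
    """Append one entry: what was seized, by whom, when (UTC), and its hash at seizure time."""
    entry = {
        "item_id": item_id,
        "file": path.name,
        "description": description,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_of(path),
    }
    log.append(entry)
    return entry


def verify_log(log: list, base_dir: Path) -> list:
    """Recompute every item's hash; return the ids whose contents no longer match the log."""
    return [e["item_id"] for e in log if sha256_of(base_dir / e["file"]) != e["sha256"]]


def log_to_json(log: list) -> str:
    """Serialise the log for filing alongside the physical evidence (one JSON object per item)."""
    return json.dumps(log, indent=2)


def demo() -> dict:
    """Build a constructed evidence set, log it, then alter one item to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Constructed sample items standing in for a screen photo and a diskette image.
        (base / "screen01.jpg").write_bytes(b"constructed photo bytes")
        (base / "floppy01.img").write_bytes(b"constructed diskette image")

        log: list = []
        log_item(log, "E-001", base / "screen01.jpg", "Photo of suspect monitor", "investigator A")
        log_item(log, "E-002", base / "floppy01.img", "Image of seized diskette #1", "investigator A")

        clean = verify_log(log, base)  # nothing changed yet

        # Simulate post-seizure alteration of one item; the hash mismatch must surface it.
        (base / "floppy01.img").write_bytes(b"constructed diskette image, altered")
        tampered = verify_log(log, base)

        return {"entries": len(log), "clean": clean, "tampered": tampered, "json": log_to_json(log)}


if __name__ == "__main__":
    result = demo()
    print(result["json"])
    print("mismatched before alteration:", result["clean"])
    print("mismatched after alteration:", result["tampered"])
```

Hashing at seizure time is what lets an examiner later demonstrate that the working copy analysed in the lab is the same data that left the scene; the log itself should be stored separately from the media it describes.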

Surveillance

Two forms of surveillance are used in computer crime investigations: physical and computer. Physical surveillance can be conducted at the time of the abuse, through CCTV security cameras, or after the fact. When after the fact, physical surveillance is usually performed undercover. It can be used in an investigation to identify a subject’s personal habits, family life, spending habits, or associates.

Computer surveillance is achieved in a number of ways. It is done passively through audit logs or actively by way of electronic monitoring. Electronic monitoring can be accomplished through keyboard monitoring, network sniffing, or line monitoring. In any case, it generally requires a warning notice or explicit statement in the corporate security policy indicating that the company can and will electronically monitor any and all system or network traffic. Without such a policy or warning notice, a warrant is normally required.

Before conducting any electronic monitoring, the investigator should review Chapters 2500 and 2700 of the Electronic Communications Privacy Act (ECPA), Title 18 of the U.S. Code. (These chapters relate to keystroke monitoring or system administrators looking into someone’s account.) If the account holder has not been properly notified, the system administrator and the company can be guilty of a crime and liable for civil penalties. Failure to obtain a warrant could result in the evidence being suppressed, or worse yet, litigation by the suspect for invasion of privacy or violation of the ECPA.

