Handbook of Information Security Management:Law, Investigation, and Ethics



Identify the Type of System

It is imperative to learn as much as possible about the target computer systems before anyone touches them. If possible, the investigator should obtain the configuration of each system, including the network environment (if any), the hardware, and the software. The following questions should be answered before the seizure:

  Who are the system experts? They should be part of the team.
  Is a security system in place on the system? If so, what kind? Are passwords used? Can a root password be obtained?
  Where is the system located? Will simultaneous raids be required?
  What are the required media supplies to be obtained in advance of the operation?
  What law has been violated? Are there elements of proof? If yes, these should be the focus of the search and seizure.
  What is the probable cause? Is a warrant necessary?
  Will the analysis of the computer system be conducted on site, in the investigator’s office, or in a forensics lab?

Identify the Search and Seizure Team Members

The rules for search and seizure differ depending on who is conducting the search. Under the Fourth Amendment, law enforcement must obtain a warrant, and that warrant must be based on probable cause; a private organization searching its own systems is not bound by the warrant requirement, but should still follow a documented procedure. Whether the search is conducted by law enforcement or by the organization itself, a team should be identified, consisting of these members:

  The lead investigator.
  The information security department.
  The legal department.
  Technical assistance — the system administrator as long as he or she is not a suspect.

If a corporate CERT team is already organized, this step is already complete. A chain of command must be established and a single person put in charge; that person is responsible for delegating assignments to each of the team members. If the attack is to be disclosed, a media liaison should be identified to control the flow of information to the press.

Obtaining and Serving Search Warrants

If it is believed that the suspect has crucial evidence at his or her home or office, a search warrant will be required to seize it. If a warrant is going to be needed, it should be obtained as quickly as possible, before the intruder can do further damage or destroy the evidence. The investigator must establish that a crime has been committed and that the suspect is somehow involved in the criminal activity. He or she must also show why a search of the suspect's home or office is required. The victim may be asked to accompany law enforcement when the warrant is served, to identify property or programs.

If it is necessary to take documents when serving the search warrant, they should be copied onto colored paper, so that the defense cannot infer that what was found had been left behind by the person serving the warrant.

Is the System at Risk?

Before the plan is executed, the investigative team should ascertain whether the suspect, if known, is currently working on the system. If so, the team must be prepared to move swiftly so that evidence is not destroyed. The investigator should determine whether the computer is protected by any physical or logical access control systems and be prepared to deal with them. It should also be decided early what will be done if the computer is running when the seizure begins, because that decision cannot be made calmly at the keyboard. The goal of this planning is to minimize any risk of evidence contamination or destruction.

Executing the Plan

The first step in executing the plan is to secure the scene, which includes securing the power, the network servers, and the telecommunications links. If the suspect is near the system, it may be necessary to physically remove him or her. It may be best to execute the search and seizure after normal business hours to avoid any physical confrontation. Keep in mind, however, that even if a search is conducted after hours, the suspect may still have remote access to the system through a LAN-based modem, a PC-based modem, or an Internet connection, so those links must be secured as well.

The area should be entered slowly so as not to disturb or destroy evidence, and the entire situation should be evaluated before anything is touched. In no other type of investigation can evidence be destroyed more quickly. The keyboard should not be touched, because a keystroke may invoke a Trojan horse or some other rogue or malicious program. The computer should not be turned off unless it appears to be actively destroying evidence (for example, formatting the disk, deleting files, or running some other I/O process); watch the disk activity light and listen for disk usage to judge this. If the computer must be turned off, pull the plug at the wall rather than using the On/Off switch, so that no shutdown routine (legitimate or planted) gets a chance to run. Bear in mind that cutting power discards whatever was held only in memory, which is why the decision should have been made at the planning stage. Notes, documentation, passwords, and encryption keys should be looked for. The following questions must be answered to control the scene effectively:

  Is the computer system turned on?
  Is there a modem attached? If so,
    Are there internal modems?
    Are telephone lines connected to the computer?
  Is the system connected to a LAN?

The investigator may wish to videotape the entire evidence collection process. There are two different opinions on this. The first is that if the search and seizure is videotaped, any mistake captured on tape gives the defense grounds to challenge the whole operation. The second is that if the evidence collection process is videotaped, many of the defense's claims about how evidence was handled can be rebutted. In either case, investigators should be cautious about what is said if audio is being recorded.

