FEATURED IN INVESTIGATION
American law enforcement agencies have much to be proud of. According to the FBI’s Uniform Crime Reports (UCR), from 1995–2004 violent crime fell 32 percent nationwide and property crime decreased by 23.4 percent. Many argue this dramatic reduction in crime is the result of significant changes in social demographics, not the efficiency of law enforcement. Demographics are certainly a factor, but without question, the management and implementation of modern police strategies have impacted crime rates.
Today, a relatively new and very different challenge faces your agency—the computer criminal. In a recent survey of more than 2,000 organizations, the FBI collected some interesting data. Eighty-seven percent of the survey respondents reported some type of computer security incident within the previous 12 months. Here’s a list of the types of security incidents reported in the survey, sorted by percentage:
• Viruses, worms, Trojans: 83.7 percent;
• Spyware: 79.5 percent;
• Port scans: 32.9 percent;
• Sabotage of data or network: 22.7 percent;
• Pornography (adult): 22.4 percent;
• Laptop/Desktop/PDA theft: 15.5 percent;
• Insider abuse of computers (pirated software/music): 15 percent;
• Denial of Service (DoS): 14.5 percent;
• Network intrusion: 14.2 percent;
• Financial fraud: 8.4 percent;
• Telecom fraud: 5.3 percent;
• Unauthorized access to intellectual property: 3.9 percent;
• Wireless network misuse: 2.9 percent;
• Website defacement: 2.7 percent; and
• Child pornography: 2.6 percent.
Computer crime is on the rise, and your agency must respond to this growing menace. Fortunately, the federal government and many of the nation’s largest law enforcement agencies have been battling the cyber criminal for years, so there’s a vast base of knowledge your agency can draw on when investigating computer crimes.
A computer crime investigation requires a consistent, repeatable and documented investigative methodology. In most cases, an incident response should include six components: detection, initial response, investigative strategy, evidence/data collection, reporting and disposition.
The detection of computer crimes, as in most crimes, occurs when someone outside the law enforcement community identifies suspicious activity or data on a computer system. The vast majority of computer crimes are reported to law enforcement agencies by computer system/network specialists or other law enforcement agencies investigating an incident.
Once an incident has been reported, you must answer two questions: 1) Did a crime occur? and 2) if so, does your agency have jurisdiction for the investigation and prosecution of the crime? When dealing with street crime, these questions are fairly easy to answer. They are not so easy to answer when dealing with computer crime.
If you refer to the previous incident type list, you can see there are some serious crimes, such as child pornography, financial fraud and equipment theft. You certainly would begin a criminal investigation if someone reported they found child porn on the computer system of a local business in your city, but what about a complaint from a local business that a former employee, now living out of state, connected to the business’ internal network and copied a file containing its entire customer list?
Jurisdiction issues require an awareness of applicable statutes. For example, in California, Penal Code Section 502 subsection j states:
“For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.”
So, in the above incident, if the local business was in California, or, the former employee illegally accessed the computer from California, then a California law enforcement agency has jurisdiction for this offense. Most states have similar statutes.
Once you’ve determined a crime has occurred and you have jurisdiction, take the necessary time to determine an investigative strategy. In my view, this is the most important step in a computer crime investigation because everything that occurs from this point forward will be impacted by your strategy.
The challenge: defining a strategy that satisfies conflicting goals. Solving most computer crimes involves collaboration between criminal investigators and computer specialists. Although I abhor generalizations, I’ve been around enough cops and information-technology (IT) experts to confidently chart the general behavior tendencies of each. As you can see in the accompanying table, about the only thing they have in common is a tendency to be arrogant.
So, how do you define a strategy that works? First, determine who’s in charge of the investigation. Assuming the goal of the investigation is to identify suspects and prosecute them, I always prefer the criminal investigator lead the investigation.
Second, identify a small team to assist in the investigation. Many organizations have a computer security incident response team (CSIRT) they activate any time a security incident occurs. Such teams commonly conduct their own incident investigation prior to contacting law enforcement officials. This is tough on the investigator because evidence may have been altered and misleading assumptions may lead the CSIRT to improper conclusions.
When beginning a computer crime investigation, I suggest the lead investigator assemble the investigation team in a conference room with ample whiteboards. The goal of this meeting is to adopt a documented investigative strategy. Important: You must get the computer technicians away from the computer systems and force them to take a broad view of the incident. Do not allow any laptop computers, PDAs or cell phones in this meeting because you need the undivided attention of this team to adopt an investigative strategy. The main focus of this strategy meeting is to define and separate facts and assumptions, document the details of the incident detection and initial response, and determine the evidence collection and analysis strategy. Do not adjourn until you’ve defined and documented the investigative strategy.
Armed with a solid investigative strategy, the investigation now focuses on evidence/data collection and analysis. No doubt about it, this requires very specialized tools and skills. Unfortunately, most medium and small law enforcement organizations do not have investigators with these skills. Because of this, many agencies reach out to specialists to assist them. These specialists may come from other law enforcement agencies, regional computer-crime task forces or consultants with a law enforcement background and computer-forensic expertise.
The collection of computer crime evidence is a tedious process. Seasoned computer investigators treat suspect computers as a crime scene, and during the initial response they focus on containment. You should do the same. If the computer containing criminal evidence is powered on, this means the crime scene it contains is constantly changing. The operating system performs many system tasks even when the computer is idle, moving data to and from disk and memory. The network subsystem reads and writes data to and from the network. In essence, a live computer contains a volatile and constantly changing environment.
Important: A live computer system may contain valuable evidence in volatile memory. If you shut this machine down, this evidence is gone forever. The days of pulling all the wires, bagging, tagging and sticking the box in an evidence locker are long gone. Your investigative strategy document should identify the computer(s) that house potential evidence and whether these systems are powered on. You must analyze these computers for evidence before you shut them down.
There are two important components in electronic evidence: 1) live data collection, and 2) forensic duplication. You must use live data collection techniques if the computer containing evidence is powered on. Forensic duplication, the preferred evidence-collection technique, involves creating an exact, bit-by-bit duplication of a disk for data collection and analysis. This allows you to preserve the original disk as best evidence.
Many sophisticated tools exist to assist you in both live data collection and forensic duplication tasks. One of the most popular tools used by law enforcement is EnCase from Guidance Software of Pasadena, Calif. EnCase has been validated by many courts, and Guidance Software is very active in the legal community.
I strongly recommend you create a toolkit of data-collection tools to assist you in your investigations. I prefer to use a customized laptop computer containing my collection of tools to conduct investigations. There are many resources available to guide you in the evidence-collection steps (see “Resources,” p. 61).
Most criminal investigators are very good at documenting their investigations. A few rounds with a feisty defense attorney taught me early in my career to keep detailed notes on my cases. As in any type of investigation, you must document every step of your computer-crime investigations. This means you must write down every command you type and where the results of these commands are collected. Example: The very first thing I do when conducting an initial live response is take a digital photograph of the computer monitor. This allows me to capture what programs were running (at least the programs that have a graphical component). Next, I capture the system date and time. I use a checklist to record each step of my evidence collection. This reminds me of the steps I need to take and in what order, and keeps me consistent in the way I conduct my investigations.
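The live-collection and documentation rules above (capture the system time first, write down every command and where its results went) can be enforced by the collection tooling itself. The following is an added example, not code from the article or its author: a minimal live-response collector that logs each checklist command with its timestamp, exit status, output file and a SHA-256 of that output, plus a check that no output file changed after collection. It assumes a POSIX sh with sha256sum (Linux coreutils); the checklist commands are a constructed, illustrative set.

```shell
#!/bin/sh
# Added example (not from the article). Each checklist command is logged with when
# it ran, its exit status, where its output was written and a SHA-256 of that
# output, so the log can later show exactly what was typed and that nothing
# changed afterwards. Assumes POSIX sh + sha256sum; checklist is constructed.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence_$(date -u +%Y%m%dT%H%M%SZ)}"
LOG="${LOG:-$EVIDENCE_DIR/collection_log.txt}"

# run_step <label> <command...>: run one checklist step, capture stdout+stderr
# to its own file and append one tab-separated audit line. A failing command
# (e.g. a tool missing on the suspect box) is recorded rather than aborting.
run_step() {
    name="$1"; shift
    out="$EVIDENCE_DIR/$name.txt"
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    rc=0
    "$@" > "$out" 2>&1 || rc=$?
    sum="$(sha256sum "$out" | cut -d' ' -f1)"
    printf '%s\tcmd=%s\trc=%s\tout=%s\tsha256=%s\n' \
        "$start" "$*" "$rc" "$out" "$sum" >> "$LOG"
}

# collect: the checklist, in order. System time comes first, as the article
# advises, because every later observation is read against that clock.
collect() {
    mkdir -p "$EVIDENCE_DIR"
    : > "$LOG"
    run_step 01_system_time   date -u
    run_step 02_system_ident  uname -a
    run_step 03_current_user  id
    run_step 04_processes     ps -ef
    run_step 05_network_conns ss -tanp
}

# verify_log: re-hash every output file named in the log. Prints how many files
# no longer match their recorded hash; returns non-zero if any was altered.
verify_log() {
    bad=0
    while IFS="$(printf '\t')" read -r _ts _cmd _rc out sum; do
        now="$(sha256sum "${out#out=}" | cut -d' ' -f1)"
        [ "$now" = "${sum#sha256=}" ] || bad=$((bad + 1))
    done < "$LOG"
    echo "$bad"
    [ "$bad" -eq 0 ]
}
```

Run `collect` on the live system, then keep the log with the evidence; `verify_log` run later demonstrates the captured outputs are the ones recorded at collection time.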
I cannot emphasize enough the importance of keeping detailed investigative notes of your investigations. A long time may elapse between the time you collect evidence in a case and the day you need to explain what you did to a jury.
At this point in your investigation you have conducted an initial response, collaboratively formulated a response strategy, collected the evidence and documented your findings. Now you must decide the case disposition. I prefer to present the details of my investigations to peers or colleagues prior to submitting them to the prosecuting attorney. This peer review provides me impartial feedback on the strengths and weaknesses of my case and investigative strategy. Many times during these reviews I uncover ideas and concepts that make me a better investigator.
Whatever disposition you stamp on your case, I have one more suggestion: Write a brief record of the investigation and keep it in a file on your computer. I keep a Microsoft Excel spreadsheet that contains a row for each of the investigations I’ve been involved in. I record the case number, date, crime type, victim name, computer type(s), operating system, hours spent and brief description of the incident. Over time, this list will impress you with the number of cases you’ve been involved in. It’s also a great tool to establish your credibility when your credentials are challenged. Finally, it documents your experience when seeking certifications that require you to prove you have a few years of experience.
Computer crime is on the rise, and law enforcement agencies at all levels must respond. I’ve described in this article the importance of following a proven and consistent incident response methodology. I also encourage you to follow these recommendations:
• Build an incident response toolkit;
• Set up a computer lab of old computers and practice using your toolkit;
• Establish a network of experts and seek out specific resources and expertise when needed;
• Trust your investigative instincts; don’t lose your bearings in complex technology cases; and
• Seek out training and certification courses.
These efforts will help make you a better investigator.
Table: General behavior tendencies of criminal investigators and computer specialists

Criminal Investigator                                  Computer Specialist
-----------------------------------------------------  ---------------------------------------
Trained to collect evidence and solve crimes quickly   Trained to fix system problems
Documents everything                                   Resists documentation
Resists assumptions                                    Quick to draw conclusions
Slow down and evaluate                                 Hurry up and fix
Patience is a virtue                                   Patience is a curse
Focus on facts                                         Focus on technology
Solves crimes                                          Solves problems
Determine the unknown                                  Reluctant to acknowledge the unknown
Tends to be arrogant                                   Tends to be arrogant
Driven by criminal statutes                            Driven by corporate policy
Wide focus                                             Narrow focus
Understands law enforcement                            Understands technology
Keeps investigations quiet                             Likes to talk
Resources
• Guidance Software—www.guidancesoftware.com. Makes the EnCase application.
• The Sleuth Kit and the Autopsy Browser—www.sleuthkit.org. Linux-based, open source forensic applications (free).
• Foundstone—www.foundstone.com. This division of McAfee offers forensic tools and consulting resources.
• Sysinternals—www.sysinternals.com. Offers exceptional tools (free) for Windows investigations.
• SANS Institute—www.sans.org. Offers computer security training, certification and research.
• U.S. Department of Justice Computer Crime & Intellectual Property Section—www.cybercrime.gov. A comprehensive site with breaking news as well as investigative information and training opportunities.
• Carnegie Mellon Software Engineering Institute Coordination Center—www.cert.org. This federally funded research and development center studies Internet security vulnerabilities, researches long-term changes in networked systems and posts alerts, reports, training opportunities, etc.
Michael Spohn is president of Enforcer Software Technologies, LLC, based in San Clemente, Calif., a company that provides software and consulting services to state and local government agencies. He holds a California Advanced P.O.S.T Certificate and worked as a police officer for the cities of San Clemente and Newport Beach, Calif. He earned a bachelor’s degree in political science and a master’s degree in public administration from California State University at Fullerton. Contact him at email@example.com or 949/361-9913.
Bunting S, Wei W. EnCase Certified Examiner Study Guide. Sybex: 2006.
Harris S, et al. Gray Hat Hacking—The Ethical Hacker’s Handbook. McGraw-Hill Osborne Media: 2004.
Prosise C, Mandia K. Incident Response: Investigating Computer Crime. McGraw-Hill Companies: 2001.
Mandia K, et al. Incident Response & Computer Forensics, 2nd Edition. McGraw-Hill Osborne Media: 2003.
“Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.” U.S. Department of Justice. www.cybercrime.gov/s&smanual2002.htm.