An organization’s ongoing business operations complicate a computer crime investigation in several ways; the investigation process itself could affect critical operations. It’s therefore important to have an action plan in place for handling reports of suspected computer crimes, and a committee should be designated beforehand. This committee should establish prior correspondence with law enforcement, identify when and whether to call in law enforcement, define a protocol for reporting computer crimes and for handling and processing those reports, prepare for and conduct investigations, and ensure the proper collection of evidence.
When a computer crime is suspected and reported, precautions should be taken not to alert the suspect. The first step should be a preliminary investigation to discern whether a crime has actually been committed. This preliminary investigation could entail inspection of audit records and system logs, interviewing witnesses, and ascertaining the damage. It’s very important to know when disclosure to authorities is required by law.
The timing of this disclosure is critical. Law enforcement agencies in the United States are bound by the Fourth Amendment to the U.S. Constitution, which requires that a warrant be obtained prior to a search for evidence. Private citizens are not bound by the Fourth Amendment and can engage in a search for evidence without a warrant.
The exception would be if a private individual were asked to search for evidence by a member of law enforcement. In these situations a warrant would be required because the private individual is acting as an agent of law enforcement. An exception to the search warrant requirement for law enforcement officers is the Exigent Circumstances Doctrine. In accordance with this doctrine, if probable cause is apparent and destruction of the evidence is believed to be imminent, the search can be done without the delay of obtaining a warrant.
Role of the First Responder
The first responder is the first person to encounter a crime scene. A first responder has the expertise and skill to deal with the incident. The first responder may be an officer, security personnel, or a member of the IT staff or incident response team. The first responder is responsible for determining the magnitude and scope of the crime scene, securing it, and preserving evidence.
Securing the scene is critical to both criminal investigations and internal incidents. Both use computer forensics to collect evidence. The methods for investigating internal policy violations and criminal law violations are basically the same. Depending on the circumstances, internal investigations may not need the involvement of law enforcement. Once the crime scene has been established, the first responder must then set up a perimeter to contain it.
Protecting the crime scene requires blocking off the area where evidence resides. Everything contained in an area should be treated as possible evidence. This includes functioning and nonfunctioning workstations, laptops, servers, handheld PDAs, manuals, and any other items contained in the area of the crime. Until a crime scene has been processed, all non-investigating persons should be prevented from entering the area, and those present at the time of the incident should be documented. The first responder must not touch anything contained in the crime scene.
Preserving volatile evidence is another responsibility of the first responder. Traditional forensics may also be used to ascertain the identity of the individual behind the crime. Law enforcement may collect DNA, fingerprints, hair, fibers, or other physical evidence.
The Computer Crime Investigator
When the investigator arrives on the scene, the first responder’s first priority is to give that investigator as much information as possible. If the first responder touched or came in contact with anything, it is critical that the investigator be alerted so that it can be included in the report.
Any observations should be noted as this may offer insight into resolving the incident. If a member of the incident response team arrives first and collects some evidence, the person in charge of the team should turn over that evidence to the investigator along with any relevant information. If more than one team member collected evidence, documentation needs to be provided to the investigator detailing what each person saw and did.
The appointed investigator should clearly communicate they are leading the process and that all information or decisions made should be approved by them. A chain of custody should also be established. There must be a record of who handled or possessed evidence during the course of the investigation.
If the first responder has conducted an initial search for evidence, the investigator will need to determine what qualifies as evidence and where it resides. If extra evidence is discovered, the perimeter securing the scene may change. The investigator will either call on crime scene technicians to begin to process the scene once the boundaries are established, or the investigator will perform the duties of the technician. The investigator or a designated person stays at the scene until all evidence has been properly collected and transported.
The Crime Scene Technician
Crime scene technicians are individuals who have been trained in computer forensics, and have the knowledge, skills, and tools necessary to process a crime scene. Technicians are in charge of safeguarding and preserving evidence through meticulous procedure.
The technician may obtain data from a system’s memory. They can also take images of hard disks before shutting them down. All physical evidence is sealed in a bag and tagged to identify it as a specific piece of evidence. Information describing the evidence is added to a log so that precise inventory of each piece exists.
Evidence is packaged to reduce the risk of exposure or damage, such as that from electrostatic discharge or jostling during transport. Once evidence reaches its destination, it’s kept under lock and key to prevent tampering until it is properly examined and analyzed. Those involved in the investigation process have different responsibilities, and the people in each role must have specific knowledge to perform it properly.
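The chain of custody described under The Computer Crime Investigator and the evidence log kept by the technician can be combined into one tamper-evident record. The following is an added illustration, not part of the original text or any real case tool: it assumes a constructed image byte string standing in for a disk or memory image, a hypothetical evidence tag "EV-001", and it hashes the image at acquisition and links each custody entry to the previous one so a removed or altered entry breaks verification.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Chain-of-custody log for one tagged evidence item (illustrative design).

    Every entry records who handled the item, where, and when, plus the hash
    of the previous entry; the acquisition hash of the image is fixed at creation.
    """
    def __init__(self, tag: str, description: str, image: bytes):
        self.tag = tag
        self.description = description
        self.image_hash = sha256_hex(image)   # hash taken when the image was acquired
        self.entries = []
        self.record("acquired at scene", "crime scene technician", "crime scene")

    def record(self, action: str, handler: str, location: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"tag": self.tag, "action": action, "handler": handler,
                 "location": location,
                 "time": datetime.now(timezone.utc).isoformat(),
                 "prev_hash": prev}
        # The entry hash covers every field, including the link to the previous entry
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler: str, to_handler: str, location: str) -> dict:
        # One entry names both parties so every possessor appears in the record
        return self.record(f"transferred from {from_handler}", to_handler, location)

    def verify(self, image: bytes) -> bool:
        """True only if the image still matches its acquisition hash and the log is intact."""
        if sha256_hex(image) != self.image_hash:
            return False
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False          # an entry was removed or reordered
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False          # an entry's contents were altered
            prev = e["entry_hash"]
        return True
```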