While computer crime is becoming more prevalent in people’s lives, forensic science is developing tools to quickly identify criminal activity, collect evidence of the crime and use it in court. However, the process is subject to strict regulation, and failing to follow the recommendations, policies and data handling procedures can render the evidence inadmissible in the criminal justice system. This paper reviews the current compliance issues, guidelines and regulations related to computer crime. While the categorization of computer-related crime used here is valid at present, the authors note that cyber criminals devise new methods every day, so forensic science must change at the same pace.
Keywords: computer crime, forensic science, regulation, criminal justice system
Computer Crime and the Legal System
Computer forensics, according to Casey (2003), is “an application of computer investigation and analysis techniques in the interests of determining potential forensic evidence”. The level of criminal activity involving computers and the internet increases every day, which is why forensic investigation methods have to be updated constantly. Since the start of widespread internet use, and despite the security measures put in place to protect businesses and individuals from criminals, the growth of reported and unreported crime is challenging the legal system. The central question this paper examines is how the criminal justice system and computer forensic laboratories can work together to achieve compliance, reliability, efficiency and better overall results. The paper examines the most common computer-related crimes and their investigation methods, looks at some recent court cases, and identifies opportunities for development, process improvement and standardization. Computer forensic systems and software are also examined to determine the main sources of information, and the procedures for obtaining, handling and protecting data are covered. According to a recent US-CERT white paper (2008), because computer forensics is a fairly new discipline there are no standardized quality assurance systems in place, and the industry lacks integrity. This is one of the major challenges forensic examiners face when trying to have digital evidence admitted in court.
Types of Computer Crime
According to the Attorney General’s report for first responders (2001), there are various emerging types of computer crime. Categorizing these crimes helps forensic scientists determine the right response, the data collection method and the steps to take in order to start the investigation. The main types of crime identified by the report, and the forensic investigation methods applicable to each, are set out below.
a, Auction fraud
This type of crime can be investigated by accessing account data, customer financial details and credit card records, online payment processing site logs, as well as written, phone and online communication. The main source of forensic evidence would be online activity logs.
b, Child exploitation and/or abuse
Most criminals engaging in child exploitation and abuse online carry out their activities through online forums and chat services. Emails, chat logs, video files and upload IP addresses can be accessed by investigators, as can digital camera software, to trace images, editing and other activities.
c, Computer intrusion
Address books, source code, text files containing passwords, software that generates automatic logins, usernames and Internet Protocol files can be accessed by investigators. It is also important to check for executable programs created to carry out intrusions and cause damage or obtain personal or financial information.
d, Death investigation
In a death investigation, all communication, electronic or paper based, needs to be assessed. Legal documents, wills and medical records should be obtained by the forensic team in order to determine the circumstances of the death.
e, Domestic violence
The most important data for the forensic team to assess in a domestic violence case is online or computer-based medical records, phone and email logs, and financial records. It is often hard to gain access to digital records without a warrant, as the victim and the suspect share the computer and the phone.
f, Economic fraud
Economic fraud and related criminal activity have several facets. Checking for credit card skimmers, currency images, databases, identification records and access software of financial institutions is extremely important. Financial assets and records, along with account signatures, should be examined in the forensic process.
g, E-mail threats, stalking and harassment
The main source of forensic evidence in this case is email and online logs. Therefore, in most instances, seizing computers and accessing ISP records is necessary. A background search on the victim is essential for identifying the suspect, if unknown.
History logs, online logs and email logs are important in this investigation. Temporary internet files provide proof of entry and a time log of events.
In this type of online crime, financial and account records provide the forensic team with the most valuable information. Accessing image players and sports betting statistics would also prove useful.
j, Identity Theft
Both hardware and software tools and logs need to be accessed, and devices seized, in order to fully identify the methods used in this crime. Document templates, digital camera logs and software, signatures and scanners have to be analyzed. Online orders, erased files, fictitious loan applications and financial agreements can also reveal the extent of the crime. As identity theft is usually carried out by groups, connections between members can be revealed during the assessment of transaction logs.
Recipes, financial records and internet activity should be analyzed by the forensic team to identify the crime and collect evidence for the prosecution.
Online prostitution is usually run through legal channels, such as personal advertisements on dating sites. Therefore, accessing financial records, transactions, internet activity and emails is the most effective way of identifying the criminal activity.
m, Software piracy
Software piracy costs companies billions of dollars each year. Internet activity logs, directories, crack files and password generators should be identified after computers are seized or internet records are accessed.
n, Telecommunications fraud
Apart from internet activity, forensic investigators need to look for “How to phreak” manuals, databases of electronic serial numbers and identification numbers, and traces of cloning software.
Electronic Evidence in Court
Submitting electronic evidence to the court in support of prosecutors, and having that evidence admitted, is regulated in the United States. Several areas of law govern obtaining and submitting evidence. The Fourth Amendment of the Constitution, quoted by the US-CERT report (2008), protects individuals against unreasonable search and seizure, and the Fifth Amendment protects suspects from self-incrimination. US statutory law covers the process of obtaining evidence: the Wiretap Act, the Pen Registers and Trap and Trace Devices Statute, and the Stored Wire and Electronic Communications Act. Without complying with the above legislation, forensic examiners can face serious consequences beyond the evidence being dismissed by the court; individuals and teams can face fines or even imprisonment (US-CERT, 2008).
As Ami-Narh and Williams (2008) confirm, the formal elementary requirements need to be met in order for the evidence to be accepted. This involves taking into consideration documentation requirements and measures for protecting evidence from tampering, and, according to the authors, “An act that may constitute a computer crime that is actionable in one country may be acceptable in another” (p. 5). The forensic investigation process, however, is standard throughout the country and provides a clear guideline for first responders. It starts with the identification of the incident that needs investigation, followed by search and seizure. The next step is the preservation of evidence, to prevent any activity that could damage or modify digital information. Analysis is the step in which investigators determine the significance of each piece of data, reconstruct fragments and decode data. In the final step, reporting, the investigator records the findings and summarizes the evidence.
Obtaining information and seizure are regulated by privacy law, and without a search warrant the evidence collected is not valid. Warrants, when issued, usually contain limitations that forensic examiners must observe. The authors quote the well-known case of Wisconsin v. Schroeder, in which investigators obtained a warrant in an online harassment case. When child exploitation evidence was discovered during the investigation, a second warrant had to be obtained for the other case, and the first investigation had to be put on hold.
The fragility of digital evidence calls for advanced preservation methods. System shutdowns, alteration without traces, access log records and identification of users need to be considered when putting measures in place. Basic protection of digital evidence includes virus scans and firewalls, and in order for the evidence to be accepted by the court, the investigator needs to demonstrate that the data was not accessed or altered in any way before it was presented. Still, computer forensic investigators face several challenges, such as the spoliation of evidence seen in the Associates International, Inc. v. American Fundware, Inc. case, in which the defendant was accused of deliberately erasing financial and company records to avoid prosecution based on that evidence.
Intentional misinterpretation can also cause confusion in court. Proving the originality of the evidence and eliminating fabricated data is an advanced digital forensic method. In summary, “the admissibility of findings in a court of law are determined by the rules of evidence, which demand that the accuracy of the methods used to collect the evidence is known and that the evidence is not tampered with in the process of its analysis” (Ami-Narh and Williams, 2008, p. 6).
Obtaining Evidence from Internet and Web Resources
There are two main types of evidence collected in computer forensics: persistent and volatile data (US-CERT, 2008). Web resources can identify and retrieve volatile data from servers and internet service providers. It is important that the forensic team has the relevant knowledge, technical skills and tools to access and analyze this type of data. Several forensic internet tools are available to criminal investigators. Helix is one of the most valuable tools on the internet that allows the retrieval of volatile data, such as screen captures, memory dumps, internet browsing, download and communication history. It also has built-in features that let users secure the information obtained and ensure that all the data is documented, including date and time stamps, IP addresses and validation documents. Encryption of data is one of the main challenges of computer forensics, and it is important that software providing this service has a reliable encoding and encryption system. Collecting and analyzing Windows registry files, network connection data, environment variables, IP address modification logs, chat logs and other details needed for online crime investigation is equally important. Secure storage and transfer of data is also a feature of an advanced computer forensics program. User data is usually encrypted, as are financial logs, reports, passwords and user names, so compiling a data report and analysis manually would usually take a team a long time. That is why different versions of forensic software are available. Aperio, developed by the same company, provides advanced features and analysis methods for law enforcement and government agencies.
Importance of Security and Computer Use Policies
Different guidelines are in place to maintain the integrity of data and prevent interference or damage. Computer use policies within the forensic laboratory need to be developed in order to increase the credibility of the lab and the quality of the data provided. The preservation of evidence involves taking steps to preserve the data and information collected by the forensic team. This involves protecting files from being deleted, setting up access logs and controls, and sealing devices. According to the Attorney General’s report (2001), assigning authentication and considering safety regulations within the office, to avoid unauthorized access or tampering, is necessary in computer forensic agencies. A security policy needs to be adjusted to the needs of the laboratory and the legal requirements alike. The policies need to cover the capturing, preservation, accessing and processing of the evidence. Security also involves ensuring that only qualified and competent users are able to access evidence and process data. According to Taylor et al. (2007), firewalls, change detection and virus protection systems need to be in place to avoid the loss, damage and modification of the evidence collected. The authors call for policies for assessing forensic competency, compliance and readiness. System security needs to be assessed on a regular basis, and this calls for specific measures to be put in place.
Recovering Files and Evidence from Computers and Electronic Devices
There are several types of electronic devices present in everyday life and in companies. Most of these devices are equipped with physical memory that is powered by electricity, and memory contents can be lost when power is disconnected suddenly. Computer systems contain user-created files, logs, access and login information, as well as media files. User-created files can be documents, calendars, media files, images and emails. The challenging task for forensic examiners, however, is to identify and decode hidden or user-protected files or data. The other type of digital evidence is computer-created files, containing backup data, internet browser cookies, swap and internet files, recoverable temporary files, printing records and spools, and history logs. When investigating online criminal activity, these logs can provide valuable information and help prosecutors determine the criminal profile of the suspect. Other data areas, including the computer date and time, passwords, deleted files, bad clusters, software registration information and metadata, can also help the prosecution.
Various components of digital devices and computers are accessed and analyzed in the computer forensic laboratory. These are: memory, CPU, access control devices such as smart cards, dongles, external drives, biometric scanners, answering machines, digital cameras, handheld and mobile devices such as smartphones, PDAs, pagers, memory cards and modems. Network cables and servers can also contain information created at the time of the crime. Printers, scanners, online phones and printing and image software memory and logs can also hold evidence. Retrieving data from GPS systems can also help prosecutors locate the suspect at the time of the crime.
Crime scene processing tools need to be present during the seizure in order to secure and document the evidence. Cable tags, felt tip markers, notebooks and labels are essential for processing crime scenes. Adequate and effective tools, for example screwdrivers, need to be present to disassemble and remove evidence. For the transportation of the evidence, there is a need for evidence tape, cable ties, packaging materials, evidence bags, boxes, bubble wrap and sealing tape. A seizure disk also needs to be created, as well as storage for copying data from devices.
When securing and validating the scene, federal, state and local policies and laws need to be taken into consideration. After the visual identification of the evidence, the first responder needs to determine whether there is a risk of damage to the evidence and whether perishable evidence is present (for example, a computer logged into a chat room that times users out automatically). All persons need to be removed from the scene, and phone lines, connections, internet cables, speed and ISPs need to be identified. After securing the scene, evidence collection can take place. During the investigation, further data might be needed in order to access information. Conducting preliminary interviews, recording the people on the premises and gaining access to systems through passwords provided by persons on the scene would speed up the process of evidence collection.
Importance of Documentation in Chain of Custody
In order to preserve the chain of custody, detailed documentation of each stage of evidence collection is needed, from identification to the creation of the report. The initial documentation of the scene includes observation notes on the physical evidence identified and the location of the devices. The condition of the device or evidence also needs to be recorded. Any electronic components that will not be collected also need to be described. Photography, sketches and videography can be used to document the scene accurately. The first responder is also required to take notes on witness statements, door locations, open windows and doors, and signs of activity on the devices. Photographs of the individual evidence objects help their identification in court. It is also important to identify non-digital evidence that might help prosecutors, such as biological material, fingerprints or trace evidence. However, when the main purpose of the investigation is to obtain digital evidence, all destructive procedures involving chemicals that would affect computer systems should be postponed.
During the packaging, transportation and storage of computer evidence, no action should be taken that could damage, destroy or modify data stored on the devices collected, according to the Attorney General’s report (2001, p. 35). Documenting and labeling the collected evidence while preserving potential latent or trace evidence is a primary criterion of the chain of custody. Magnetic media need to be sealed in antistatic packaging material. Protecting CD-ROMs and external drives from damage is also important. The evidence storage room needs to be secure and in suitable condition, free from extreme temperatures, light or dampness.
Without documenting every step of evidence collection, the forensic analyst and first responder jeopardize the admissibility of the evidence in court. Therefore, every measure needs to be followed, and internal policies should be created by individual agencies and state departments to preserve the integrity of evidence and increase the credibility of the unit. Without the right tools and identification methods, skills and knowledge, data collection frameworks, and knowledge of privacy law and the criminal requirements for warrants, teams can face not only the loss of credibility but possible prosecution as well. The protection of digital evidence is just as important as preserving fingerprints and hair samples; however, digitally stored data is somewhat more fragile.
Following the standard forensic investigation process when obtaining digital evidence is the first step towards compliance. The sequence of identification, search and seizure, preservation, examination, analysis and reporting, accompanied by strict and straightforward documentation, ensures that the chain of custody is preserved.
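The two requirements discussed above, that the investigator can show the data was not altered before it was presented and that every transfer of the item is documented, are both usually met by hashing the evidence at acquisition and re-hashing it at every custody event. The following Python script is an added illustration of that practice; it is not code from the paper, from Helix, Aperio or any other tool named here. The evidence bytes (SAMPLE_IMAGE) and the record layout are constructed for the example, and the examiner names, locations and timestamps are placeholders. Each log entry is hashed and carries the hash of the previous entry, so editing or removing a record after the fact is detectable during verification.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: stands in for a disk or memory image acquired at the scene.
SAMPLE_IMAGE = b"constructed evidence image: chat log fragment, cookies, history entries\n" * 64


def sha256_hex(data):
    """Fingerprint of the evidence bytes; recorded at acquisition and re-checked later."""
    return hashlib.sha256(data).hexdigest()


def _seal(entry):
    """Hash of a custody entry (canonical JSON, entry_hash excluded) so later edits are detectable."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def _timestamp(when):
    # Explicit timestamps keep the example reproducible; real use takes the current UTC time.
    return when or datetime.now(timezone.utc).isoformat()


def acquire(evidence_id, data, examiner, location, when=None):
    """Open the custody record at the moment of seizure or imaging."""
    first = {
        "seq": 0,
        "action": "acquired",
        "by": examiner,
        "where": location,
        "at": _timestamp(when),
        "sha256": sha256_hex(data),
        "prev": None,  # the first entry links to nothing
    }
    first["entry_hash"] = _seal(first)
    return {"evidence_id": evidence_id, "chain": [first]}


def log_action(record, action, by, where, data, when=None):
    """Append a custody event (transfer, examination, storage); the item is re-hashed each time."""
    prev = record["chain"][-1]
    entry = {
        "seq": prev["seq"] + 1,
        "action": action,
        "by": by,
        "where": where,
        "at": _timestamp(when),
        "sha256": sha256_hex(data),
        "prev": prev["entry_hash"],  # link to the previous entry
    }
    entry["entry_hash"] = _seal(entry)
    record["chain"].append(entry)
    return entry


def verify(record, data):
    """Return a list of problems; an empty list means both the item and the log are intact."""
    problems = []
    chain = record["chain"]
    original = chain[0]["sha256"]
    if sha256_hex(data) != original:
        problems.append("evidence hash differs from acquisition hash")
    for i, entry in enumerate(chain):
        if _seal(entry) != entry["entry_hash"]:
            problems.append(f"entry {i} was edited after it was written")
        if i > 0 and entry["prev"] != chain[i - 1]["entry_hash"]:
            problems.append(f"entry {i} does not link to entry {i - 1}")
        if entry["sha256"] != original:
            problems.append(f"entry {i}: item hash changed while held by {entry['by']}")
    return problems


if __name__ == "__main__":
    rec = acquire("EV-0001", SAMPLE_IMAGE, "first responder", "scene",
                  when="2024-01-01T09:00:00+00:00")
    log_action(rec, "transferred to lab", "lab examiner", "evidence room",
               SAMPLE_IMAGE, when="2024-01-01T12:00:00+00:00")
    print(json.dumps(rec, indent=2))
    print("problems:", verify(rec, SAMPLE_IMAGE))
```

The examiner works on a copy of the image and keeps the original sealed; `verify` is run against the original whenever it is produced in court, and any non-empty result identifies which custody step, and which custodian, the discrepancy falls under.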
While computer-related crime has been continuously evolving in the past two decades, it is still creating new challenges for forensic teams. The correct identification of computer crimes and assessment of potential physical and digital evidence would help professionals create an effective framework for finding, securing and documenting the right type of evidence that would be admissible in court.
The main challenge is the lack of standardized guidelines for all laboratories and the variety of software applications present in the forensic field. As criminals become smarter at concealing their online and computer-based activities, there is a need for constant development of procedures, compliance documents, encoding systems and quality assurance policies. Without them, and without the full compliance of digital forensic teams in the United States, many criminals could escape prosecution because of a lack of documentation or adherence to policies. This paper has attempted to review the main policies, recommendations and procedures associated with processing digital evidence, securing crime scenes and data, and creating reports. However, as the regulatory environment and the attitude of courts towards computer evidence vary, there is still a need for standardized federal legislation that covers all forensic teams and laboratories and sets quality standards for the industry. This requires a supportive discourse between forensic scientists, software developers, internet companies, prosecutors and legal experts. In light of the above, the authors believe that standardized regulation of the industry would increase the success rate of laboratories and create a high standard of compliance throughout the industry, ensuring that all evidence collected can be used to uphold law and justice in the country.
References
Ami-Narh, J. and Williams, P. (2008). Digital forensics and the legal system: A dilemma of our times. Australian Digital Forensics Conference, Edith Cowan University Research Online.
Buckles, T. (2007). Crime scene investigation, criminalistics, and the law. Clifton Park, NY: Delmar.
Casey, E. (2003). Handbook of computer crime investigation: Forensic tools and technology. Academic Press.
Kadir, R. M. The scope and the nature of computer crimes statutes: A critical comparative study. German Law Journal, 11(6).
National Research Council, Committee on Identifying the Needs of the Forensic Sciences Community (2011). Strengthening forensic science in the United States: A path forward. National Academy of Sciences. Web.
Nuffield Council on Bioethics (2011). The forensic use of bioinformation: Ethical issues. Web.
Swanson, C., Chamelin, N., Territo, L. and Taylor, R. (2011). Criminal investigation, Chapter 1. McGraw-Hill.
Taylor, C., Endicott-Popovsky, B. and Frincke, D. (2007). Specifying digital forensics: A forensics policy approach. Digital Investigation, 4S, S101–S104.
Thomas, D. and Frocht, K. (2004). Legal methods of using computer forensic techniques for computer crime analysis and investigation. Issues in Information Systems, V(2).