
Proactive Computer Forensics

Written by DFM team



Proactive Computer Forensics – Preparing for Search & Seizure 

Scott Zimmerman

In Scott's final article in the series, he examines Search & Seizure procedures used by US Federal LE organizations and by international organizations. 

The practice of computer forensics has become more economically feasible in recent years and some larger organizations have begun to add internal computer crime investigation personnel to their rosters.  Similarly, a growing number of commercial companies offer forensic services to other businesses and to governments. These services often include data recovery from erased or physically damaged media, in-house incident response and litigation support, such as providing expert witnesses.  


However, a great deal of computer crime investigation experience lies with Law Enforcement (LE) organizations. The goal of this article is to provide non-LE personnel with the guidelines they need to gather evidence and conduct forensic examinations in accordance with law enforcement standards. What better way to meet these standards than to follow the same procedures used by law enforcement?


Search & Seizure – How to Search and What to Seize

By answering a series of questions, individuals involved in an investigation can plan their approach to collecting evidence.  The context is computer crime investigation and as such the role of a given computer at the scene will fall into one of four broad categories:


  • Was the computer itself the objective of the crime?  If the perpetrator broke into a facility and stole the computer, the computer would be the objective.
  • Was the computer a tool used to commit the offense?  If the perpetrator used his home computer to compromise an online banking site, the site would be the objective; the computer would be a tool.
  • Is the computer only indirectly related to the incident?  Picture a suspect who generated false credit reports and credit card numbers on his desktop machine and sold the bogus information to people who were laundering money.  The suspect kept track of what he sold, and to whom, using an accounting software package installed on a laptop. The credit reports and card numbers would be the objective; the desktop machine would be the tool; the laptop would be indirectly related to the crime.
  • Was the computer used for multiple tasks or stages of the crime?  In the example above, if the suspect generated false credit information on the same laptop he used to keep his financial records, the laptop would have been used as a tool and as a storage device.  It would then be both directly and indirectly related to the crime.

