dfm covers
 
 

Proactive Computer Forensics

Written by DFM team



Proactive Computer Forensics – Preparing for Search & Seizure 

Scott Zimmerman

In Scott's final article in the series, he examines Search & Seizure procedures used by US Federal LE organizations and by international organizations. 

The practice of computer forensics has become more economically feasible in recent years and some larger organizations have begun to add internal computer crime investigation personnel to their rosters.  Similarly, a growing number of commercial companies offer forensic services to other businesses and to governments. These services often include data recovery from erased or physically damaged media, in-house incident response and litigation support, such as providing expert witnesses.  


However, a great amount of computer crime investigation experience lies with Law Enforcement (LE) organizations.  The goal of this article is to provide non-LE personnel with the guidelines they need to gather evidence and conduct forensic examinations in accordance with law enforcement standards.  What better way to meet these standards than to follow the same procedures used by law enforcement?


Search & Seizure – How to Search and What to Seize

By answering a series of questions, individuals involved in an investigation can plan their approach to collecting evidence.  The context is computer crime investigation and as such the role of a given computer at the scene will fall into one of four broad categories:


  • Was the computer itself the objective of the crime?  If the perpetrator broke into a facility and stole the computer, the computer would be the objective.
  • Was the computer a tool used to commit the offense?  If the perpetrator used his home computer to compromise an online banking site, the site would be the objective; the computer would be a tool.
  • Is the computer only indirectly related to the incident?  Picture a suspect who generated false credit reports and credit card numbers on his desktop machine and sold the bogus information to people who were laundering money.  The suspect kept track of what he sold, to whom, using an accounting software package installed on a laptop. The credit reports and card numbers would be the objective; the desktop machine would be the tool; the laptop would be indirectly related to the crime.
  • Was the computer used for multiple tasks or stages of the crime?  In the example above, if the suspect generated false credit information on the same laptop he used to record his financial records, the laptop would have been used as a tool and as a storage device.  It would then be both directly and indirectly related to the crime.


To read Scott Zimmerman's article make sure you're a subscriber. If not, join today!



 
Please make cache directory writable.
 

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

Scott C. Zimmerman

Scott C. Zimmerman is a CISSP qualified Information Security consultant and presenter

 

Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 39 on sale from February 2019:


Making Sense of Digital Forensic International Standards

To many the complexity of Standards, their numbering and obscure contents fail to make practical sense and confuse the entry points for effective use. A roadmap is provided in this paper for Standard information access and optimal use. Read More »

Evidentiary Challenges: Social media, the Dark Web, and Admissibility

This article takes a look at two categories of remote evidence: social media, and the dark web. We will also examine two interesting cases: The Target store credit card breach; and the civil case of Fero v Excellus Health Plan, Inc. Read More »

Subscribe today


Vehicle Data Forensics on Unsupported Systems

The article will help readers understand how to approach a vehicle from a digital forensics’ perspective, it will cover a range of infotainment units from popular manufacturers, data extraction methods and examples of data types found which may be considered intelligence and or used as digital evidence. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue