
Proactive Computer Forensics

Written by DFM team



Proactive Computer Forensics – Preparing for Search & Seizure 

Scott Zimmerman

In Scott's final article in the series, he examines Search & Seizure procedures used by US Federal LE organizations and by international organizations. 

The practice of computer forensics has become more economically feasible in recent years and some larger organizations have begun to add internal computer crime investigation personnel to their rosters.  Similarly, a growing number of commercial companies offer forensic services to other businesses and to governments. These services often include data recovery from erased or physically damaged media, in-house incident response and litigation support, such as providing expert witnesses.  


However, a great amount of computer crime investigation experience lies with Law Enforcement (LE) organizations.  The goal of this article is to provide non-LE personnel with the guidelines they need to gather evidence and conduct forensic examinations in accordance with law enforcement standards.  What better way to meet these standards than to follow the same procedures used by law enforcement?


Search & Seizure – How to Search and What to Seize

By answering a series of questions, individuals involved in an investigation can plan their approach to collecting evidence.  The context is computer crime investigation and as such the role of a given computer at the scene will fall into one of four broad categories:


  • Was the computer itself the objective of the crime?  If the perpetrator broke into a facility and stole the computer, the computer would be the objective.
  • Was the computer a tool used to commit the offense?  If the perpetrator used his home computer to compromise an online banking site, the site would be the objective; the computer would be a tool.
  • Is the computer only indirectly related to the incident?  Picture a suspect who generated false credit reports and credit card numbers on his desktop machine and sold the bogus information to people who were laundering money.  The suspect kept track of what he sold, and to whom, using an accounting software package installed on a laptop. The credit reports and card numbers would be the objective; the desktop machine would be the tool; the laptop would be indirectly related to the crime.
  • Was the computer used for multiple tasks or stages of the crime?  In the example above, if the suspect generated false credit information on the same laptop he used to record his financial records, the laptop would have been used as a tool and as a storage device.  It would then be both directly and indirectly related to the crime.

