Chain of Custody Steps for Computer Crime Evidence
Paper Type: Free Essay | Subject: Information Technology
Wordcount: 4008 words | Published: 8th Feb 2020
Computer crime has outpaced computer forensics investigations and the processing of digital evidence collection and techniques. The certified computer forensics examiner has many tools to investigate traditional computer crimes and has encountered challenges with investigating crimes over the Internet and with Web resources. Using a chain of custody and following steps to make digital evidence admissible in court are best practices to helping convict a cybercriminal.
Table of Contents
Computer Forensics Investigator
Computer Security Incidents and Response Team (CIRT)
Electronic Forensic Investigations
Protecting Computer Systems from Abuses
Steps Necessary to Make Electronic Evidence Admissible in Court
Computer crime is the use of a computer by a person in conjunction with an illegal activity. Computer crime is also known as cybercrime, electronic crime, e-crime, and high-tech crime (Computer Hope, 2018). A person committing a computer crime is known as a computer hacker or hacker. For instance, a hacker may obtain unauthorized access into a company or government computer system by penetrating from the outside or by being an employee on the inside. Even if the hacker did not destroy or steal any information, the hacker can be convicted of unauthorized access of a computer depending upon the state or federal law that has jurisdiction or the network owner’s acceptable use policy. Hacking is the act of unauthorized access and usually the first step in committing other cybercrimes.
Unauthorized access is trespassing into a computer system beyond one’s authorized access. Computer systems are designed and operated for specific users to access specific resources and nothing more. Anyone trying to access information above their access level is potentially breaking the law, again depending upon the jurisdiction, the laws that pertain, and the network owner’s use policies. One famous but highly controversial case involved a Massachusetts Institute of Technology (MIT) student, Aaron Swartz, who was indicted in 2011 under a federal law, the Computer Fraud and Abuse Act of 1986 (CFAA), for downloading millions of academic papers to make them available online outside the MIT network. Swartz was an Internet activist who believed information should be freely available to everyone, not just people who have access to expensive universities. Federal prosecutors argued it was unauthorized access, theft, and a violation of the terms of service, although neither the owner of the academic papers nor MIT prosecuted Swartz. Many people in Congress and private citizens called for the CFAA to be reformed. Sadly, Swartz committed suicide in 2013, only a few months before trial, even after a plea bargain was offered for a reduced prison sentence that he did not want to serve, with a police record in his name (Zetter, 2015).
Types of Computer Crimes
Computer crimes are reported in the news nearly on a daily basis. They include stealing information such as health records and social security numbers belonging to millions of persons, stealing government and military secrets, stealing corporate secrets, holding private information for ransom, stealing credentials such as passwords and usernames, accessing and distributing child pornography, perpetrating corporate espionage, stealing bank information and funds, stealing intellectual property, harassing, cyberbullying, and stalking online, deceiving someone into believing something that isn’t true (scamming), conducting software piracy, deceiving a system to hide a true identity (spoofing), distributing destructive computer viruses and malware, and purposefully flooding a computer for the purpose of shutting it down, known as a denial of service attack (Computer Hope, 2018). All of these activities are potential violations of cyber law and can carry criminal or civil penalties.
Computer Forensics Investigator
The computer forensics investigator is responsible for detecting cybercrimes by investigating computers, mobile telephones, and all devices that store data, such as a compact disc or a gaming console. The process of uncovering digital information from a computer, device, or media is called eDiscovery. eDiscovery is used to find inculpatory evidence, which is incriminating proof to support a conviction for a cybercrime. An investigator uses computer forensics, which Hayes defines as the “retrieval, analysis, and use of digital evidence in a civil or criminal investigation” (2015). A computer forensics investigator has to be knowledgeable about state, federal, and local laws and legal precedents, computer technology, how suspects hide information in computers, and, most importantly, how to utilize a scientific methodology accepted in court for the computer evidence to be admitted (Hayes, 2015). Computer forensics investigators have to document their actions to show how the evidence was collected, controlled, stored, and analyzed. They document the chain of events in an investigation in what is known as the chain of custody, explained further in this paper. The main purpose of using a computer forensics investigator is to help ensure that the computer evidence will be admissible in court to support the defendant or the prosecution.
Typically, a computer incident, or cyber incident, is a security breach of a computer system. The U.S. Department of Justice (DOJ) uses the term “cyber incident” as opposed to computer incident, a broad definition that encompasses the motivations of cyber criminals who might be foreign actors, such as terrorists with political motivations and governments with geopolitical motivations. The DOJ defines a cyber incident as “[a]n event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers” (Congressional Research Service & Finklea, 2017). Pertaining more to the corporate world, Technopedia defines a computer incident as “a warning that there may be a threat to information security” or that a breach has already occurred (Technopedia, 2018). Therefore, a breach of a computer network that is about to occur or that has already occurred is known as a computer security incident.
Computer Security Incidents and Response Team (CIRT)
Detecting computer security incidents or breaches is the job of the Computer Incident and Response Team (CIRT), also known as a Security CIRT or SCIRT. Many large and small organizations and governments have (S)CIRTs on their Information Technology staffs. The purpose of the CIRT is to identify, control, and minimize the negative effects of a computer security incident.
Electronic Forensic Investigations
Computer crimes and computer security incidents are detected or solved by using electronic forensic investigations and techniques. The certified computer forensics examiner has the skill to conduct an investigation on a live computer system, otherwise known as live forensics. An example of live forensics is analyzing system memory on the spot with the system running. Other techniques used by the examiner have to be performed on a computer that has been turned off. Typically, the examiner removes the hard drive from the computer, makes an exact copy or image of the hard drive, and then performs analysis with various software tools that record the results. Another skill the examiner performs is data recovery, where data has previously been deleted, damaged, or lost, even on purpose by the suspect. Password recovery is another skill the examiner can perform with specifically designed utilities to which law enforcement usually has access. Password recovery is used to open password-protected files and encrypted hard drives. File carving is another technique an examiner uses to recover files whose pieces are scattered across the hard drive; it is used to gather files from unallocated drive space. File filtering is a technique the examiner uses to locate files by matching an exact-copy cryptographic hash such as SHA1 or MD5; this technique can only identify an exact copy. Another technique is searching for files by entering keywords or strings, which helps the examiner analyze malware. To find out the origins of emails, the examiner uses mail header analysis, and to establish the timeline of events, the examiner uses specialized software that assembles the events on the computer into a timeline of what happened before and after the computer crime event being investigated (InfoSec, 2018).
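The two dead-system techniques above, file carving from unallocated space and hash-based file filtering, are shown here as an added example (not code from the essay or from any source it cites). The "unallocated space" is a constructed byte blob, the PNG files inside it are hand-built 1x1 images, and the known-hash set is likewise constructed; names such as carve_pngs and filter_known are this example's own. The carver walks the PNG chunk structure rather than simply searching for the next end-of-file marker, which is how it tells a truncated header apart from a complete file.

```python
"""Signature-based file carving plus hash-set filtering over a raw byte buffer.

Added example, not code from the essay or any source it cites. The "unallocated
space" is a constructed byte blob and the PNGs inside it are hand-built 1x1
images, so the whole thing runs offline with the standard library only.
"""
import hashlib
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, tag, data, CRC32 over tag+data."""
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))


def build_tiny_png(grey: int) -> bytes:
    """Construct a valid 1x1 8-bit greyscale PNG whose single pixel has value `grey`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(bytes([0, grey]))  # scanline filter byte 0, then the pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def _walk_png(blob: bytes, start: int):
    """Follow the chunk structure from a PNG header at `start`.

    Returns the offset just past the IEND chunk, or None if the chunk chain runs
    off the end of the buffer or a CRC does not match (truncated or overwritten file).
    """
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(blob):
        length, tag = struct.unpack(">I4s", blob[pos:pos + 8])
        data_end = pos + 8 + length
        if data_end + 4 > len(blob):
            return None
        (crc,) = struct.unpack(">I", blob[data_end:data_end + 4])
        if zlib.crc32(blob[pos + 4:data_end]) != crc:
            return None
        pos = data_end + 4
        if tag == b"IEND":
            return pos
    return None


def carve_pngs(blob: bytes):
    """Return (complete_files, partial_header_offsets) for every PNG header in `blob`.

    Walking the chunks instead of searching for the next IEND marker avoids
    gluing a truncated header onto the tail of a later, unrelated file.
    """
    carved, partial = [], []
    pos = 0
    while (start := blob.find(PNG_MAGIC, pos)) >= 0:
        end = _walk_png(blob, start)
        if end is None:
            partial.append(start)
            pos = start + len(PNG_MAGIC)
        else:
            carved.append(blob[start:end])
            pos = end
    return carved, partial


def digest_hex(data: bytes, algo: str = "sha1") -> str:
    return hashlib.new(algo, data).hexdigest()


def filter_known(files, known_hashes):
    """Hash-set filtering: report carved files whose MD5 or SHA-1 is in `known_hashes`.

    Exact-match filtering only: a single changed byte yields a different digest,
    so near-duplicates are never matched (which is what the examiner relies on).
    """
    hits = []
    for index, data in enumerate(files):
        for algo in ("md5", "sha1"):
            digest = digest_hex(data, algo)
            if digest in known_hashes:
                hits.append((index, algo, digest, known_hashes[digest]))
    return hits


# Constructed sample: filler, a whole PNG, a truncated PNG header, filler, a second whole PNG.
PNG_A = build_tiny_png(0x80)
PNG_B = build_tiny_png(0x10)
SAMPLE_BLOB = b"\xff" * 64 + PNG_A + b"\x00" * 32 + PNG_B[:20] + b"\x00" * 32 + PNG_B + b"\x00" * 16
SAMPLE_PARTIAL_OFFSET = 64 + len(PNG_A) + 32
# Constructed "known file" set in the shape a hash database supplies it (digest -> label).
KNOWN_HASHES = {digest_hex(PNG_B, "sha1"): "known-image-b"}

if __name__ == "__main__":
    files, partials = carve_pngs(SAMPLE_BLOB)
    print(f"carved {len(files)} complete PNG(s); partial headers at {partials}")
    for index, algo, digest, label in filter_known(files, KNOWN_HASHES):
        print(f"file {index} matches {label} via {algo} {digest}")
```

Running the block carves two complete images, reports the truncated header by offset instead of carving garbage, and flags only the second image as a known file; the first image, which differs by one pixel value, produces no hit, illustrating why hash filtering finds exact copies only.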
Network investigations are more challenging for the examiner because there are more variables and network conditions are always in flux when examining a live system on the Internet. The examiner uses techniques specialized for network security incidents, such as network sniffing. To identify and search for images, the examiner uses graphical image analysis. These are some of the main techniques that the certified examiner uses in the profession of computer forensics (InfoSec, 2018).
A computer use policy is an agreement between the user and the manager or owner of the computer system or network. The computer use policy, otherwise known as an Acceptable Use Policy (AUP), states the terms, conditions, and guidelines for using the computer. The purpose of the computer use policy is to avoid conflicts and to settle conflicts between employers and employees, and between the owner of a computer system and the general user of that system, such as a university and its students or faculty members. A properly written computer use policy spells out acceptable behavior while using the computer and describes who has the authority to seize computer evidence; control, transport, and store it; and analyze it to prepare it for litigation purposes (Nelson, Phillips, & Steuart, 2016).
Protecting Computer Systems from Abuses
Companies and governments need to protect their systems and assets from computer abuses while at the same time protecting an individual’s right to privacy and protections under the Constitution, such as the Fourth Amendment, which guarantees freedom from unlawful search and seizure. Outside a corporation or government, a computer forensics investigator needs a valid search warrant to seize computer evidence, while inside the government or corporation, the computer use policy acts as the warrant when violations occur. Companies and governments want to avoid litigation because it is expensive and time consuming, which takes away from the production efforts of their employees. Nonetheless, legal disputes occur, and computer evidence is used to resolve them (Nelson, Phillips, & Steuart, 2016).
Security Use Policy
A security use policy is similar to a computer use policy. In many cases the security use policy is presented as a pop-up notification when a user signs into a network. A common security use policy states that the user consents to monitoring for suspicious computer activity and should not expect a right to privacy while using the company or government computer system. Again, the purpose of the security use policy is to avoid conflicts and to help settle disputes.
Computer evidence is also called digital evidence since the evidence is stored in binary form and transmitted the same way on a computer. Computer and digital evidence are used to prosecute all types of crimes, not only electronic crimes. Emails, hard drives, mobile phones, disc media, and gaming systems potentially contain digital evidence left for a forensics investigator to collect, analyze, and prepare for court.
Types of Evidence
An email may show the intent of a cybercriminal. A floppy disk may hold the evidence to convict a serial killer on the loose for decades. A mobile phone chip may hold evidence of colluding with other criminals in a spamming operation to defraud hundreds of thousands of dollars from innocent victims (National Institute of Justice, 2016). The types of computer evidence that can be recovered from a computer, electronic devices, and media are many.
Techniques to obtain evidence
Collecting evidence from a computer, a digital device, or a media source is more straightforward than collecting evidence from the Internet and Web resources, because the Internet and the Internet of Things form a network of tens of billions of computers where anonymity is easy to maintain (Hegarty, Attwood, & Lamb, 2014). However, computer forensics examiners are gaining more experience every day and applying more techniques to solve computer crimes.
Nagy examined a real-world criminal case in which a man named John Spencer hacked into his ex-girlfriend’s social media and email accounts and impersonated her. Nagy used several forensics tools to discover and reconstruct Spencer’s Internet history. Using manual tools, it took him more than one year to find the correct software tools for web history mining. Depending upon the examiner, there are many tools on the market to examine what is relevant in this kind of computer crime. One is examining the memory or cache history to see what was browsed. The second is looking at the email headers. Additionally, looking for stored passwords is possible because browsers such as Firefox store passwords in the file signons.sqlite, while Internet Explorer stores passwords in the Registry (Nagy, 2012). Automated tools such as email sniffers and intrusion detection software can help speed up the investigation and eDiscovery process related to Internet and Web resources.
The purpose of documenting evidence is to answer basic questions about the authenticity and credibility of the evidence. There are various frameworks developed by many different scholars and legal teams that deal with different types of media collection. This paper will describe only the basic documentation of electronic evidence and the steps necessary to make the electronic evidence admissible in court.
Steps Necessary to Make Electronic Evidence Admissible in Court
Unlike many forms of traditional physical evidence, electronic evidence can be altered or differ greatly from the time it was discovered until the time it is admitted in court. There are three major steps necessary to make electronic evidence admissible in court; namely, authenticity, credibility, and corroboration (American Bar Association, Thompson, & Templeton, n.d.). Within these steps one has to be prepared to defend against counterclaims about hearsay evidence; however, there are many legal precedents taking place frequently that pave the way for established norms, thus making the admission of digital evidence more widely accepted than in years past. These days, the authentication of Websites, emails, text messages, online chats, voicemail, and cloud data is becoming more widely accepted. Lawyers use the Federal Rules of Evidence, which influence the admissibility of digital evidence and expert witness testimony (Hayes, 2015).
Chain of Custody
A chain of custody is the “chronological documentation and/or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.” Because evidence can be used to convict someone in a court of law or set them free, the disposition of evidence has to be able to stand up to legal challenges as to its authenticity.
Documenting a chain of custody is important because it demonstrates that the evidence is solid from the time it was discovered, how it was handled, how it was processed, how it was stored, and who had access to it during the process. The evidence has to hold up for months, sometimes years before a trial so the documentation is crucial to the successful result desired in a court case. A properly written chain of custody should show a chronological history of the events which transpired, leaving out no details. Because electronic evidence can be altered, the chain of custody is very important to show the evidence has not changed since it was originally discovered (EDRM Duke Law, 2018).
Contents of Chain of Custody
A chain of custody commonly comprises the following: case number; time, date, and location the evidence was acquired; the investigator’s name and signature; name of the person believed to own the media or computer; details about the media or computer such as the manufacturer, model, type, storage capacity, and serial number; the reason the computer or media was collected; a physical description of the computer and whether it was powered on or off; hash values of the computer or media and hash values of the resulting copy; signatures of anyone taking or providing evidence; and any relevant comments (Coons, 2015).
Conclusion
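As an added example (not code from the essay or from Coons), the record below carries the fields listed above and appends one event per handoff, re-hashing the evidence image at each transfer so the log itself shows whether the copy still matches what was acquired. The case number, names, device details and image bytes are constructed placeholders; the function names (open_chain, record_handoff, verify_chain) are this example's own. The demo deliberately ends with a handoff whose image differs by one byte and whose releasing party is not the last recorded custodian, the two kinds of break a court challenge would probe.

```python
"""Chain-of-custody record for a seized drive image, with hash verification at each handoff.

Added example, not from the essay or its sources. Every name, case number, device
detail and the image content below is a constructed placeholder.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib


@dataclass
class CustodyEvent:
    timestamp: str
    action: str          # acquired, transferred, analyzed, stored, ...
    released_by: str
    received_by: str
    sha256: str          # hash of the evidence as re-computed at this handoff
    notes: str = ""


@dataclass
class ChainOfCustody:
    case_number: str
    acquired_at: str
    location: str
    investigator: str
    believed_owner: str
    device: dict         # manufacturer, model, type, capacity, serial
    reason: str
    powered_on: bool
    physical_description: str
    acquisition_sha256: str
    events: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def open_chain(case_number, location, investigator, believed_owner, device, reason,
               powered_on, physical_description, image: bytes, when=None) -> ChainOfCustody:
    """Start the record at acquisition: the hash taken here is what every later handoff is checked against."""
    when = when or now_iso()
    acquisition_hash = sha256_hex(image)
    chain = ChainOfCustody(case_number, when, location, investigator, believed_owner, device,
                           reason, powered_on, physical_description, acquisition_hash)
    chain.events.append(CustodyEvent(when, "acquired", believed_owner, investigator,
                                     acquisition_hash, "image hashed immediately after acquisition"))
    return chain


def record_handoff(chain, image: bytes, action, released_by, received_by, notes="", when=None) -> bool:
    """Log a transfer, re-hashing the image as received; returns True if it still matches acquisition."""
    current = sha256_hex(image)
    chain.events.append(CustodyEvent(when or now_iso(), action, released_by, received_by, current, notes))
    return current == chain.acquisition_sha256


def verify_chain(chain) -> list:
    """Describe every break: a hash that drifted from acquisition, or a releaser who was not the last custodian."""
    problems = []
    for i, ev in enumerate(chain.events):
        if ev.sha256 != chain.acquisition_sha256:
            problems.append(f"event {i} ({ev.action}): hash {ev.sha256[:12]}... differs from acquisition hash")
        if i > 0 and ev.released_by != chain.events[i - 1].received_by:
            problems.append(f"event {i} ({ev.action}): released by {ev.released_by}, "
                            f"but the previous custodian was {chain.events[i - 1].received_by}")
    return problems


def run_demo() -> dict:
    """Constructed walk-through: two clean handoffs, then one altered image from an unrecorded custodian."""
    image = b"CONSTRUCTED-DRIVE-IMAGE:" + bytes(range(256)) * 4
    chain = open_chain(
        "CASE-0000-PLACEHOLDER", "Examination room 2", "Examiner A", "Subject B",
        {"manufacturer": "ExampleCo", "model": "EX-100", "type": "SSD",
         "capacity": "256 GB", "serial": "SN-PLACEHOLDER-0001"},
        "collected under acceptable use policy (placeholder reason)", False,
        "2.5-inch SSD, no visible damage", image, when="2024-01-01T09:00:00+00:00")
    ok1 = record_handoff(chain, image, "transferred", "Examiner A", "Evidence clerk C",
                         "sealed evidence bag (placeholder id)", when="2024-01-01T10:00:00+00:00")
    ok2 = record_handoff(chain, image, "analyzed", "Evidence clerk C", "Examiner A",
                         "working copy hashed before analysis", when="2024-01-02T09:00:00+00:00")
    intact_problems = verify_chain(chain)
    altered = bytearray(image)
    altered[40] ^= 0x01          # one flipped bit is enough to break the acquisition hash
    ok3 = record_handoff(chain, bytes(altered), "transferred", "Unknown D", "Evidence clerk C",
                         when="2024-01-03T09:00:00+00:00")
    return {"handoffs_ok": [ok1, ok2, ok3], "intact_problems": intact_problems,
            "final_problems": verify_chain(chain), "events": len(chain.events)}


if __name__ == "__main__":
    result = run_demo()
    print("handoffs matched acquisition hash:", result["handoffs_ok"])
    for problem in result["final_problems"]:
        print("BREAK:", problem)
```

After the two clean handoffs verify_chain reports nothing; after the third it reports both a hash mismatch and a custody gap, which is exactly the information a defense challenge to authenticity would ask for. SHA-256 is used for the hashes here; the essay's SHA1 or MD5 would plug into sha256_hex the same way.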
As computer crimes have increased with the increase in digital device usage worldwide, so have law enforcement efforts to catch and convict cybercriminals. The resources spent to combat cybercrime do not seem to abate the criminal incidents that occur daily. However, the certified computer forensics examiner will continue to influence this important field of scientific technology.
- Computer Hope. (2018, June 22). Computer Crime. Retrieved October 14, 2018, from https://www.computerhope.com/jargon/c/compcrim.htm
- American Bar Association, Thompson, L. L., & Templeton, B. (n.d.). Mobile Devices: New Challenges for Admissibility of Electronic Evidence. SciTech Lawyer. Retrieved October 14, 2018, from https://www.americanbar.org/content/dam/aba/events/science_technology/mobiledevices_new_challenges_admissibility_of_electronic_device.authcheckdam.pdf
- Congressional Research Service, & Finklea, K. (2017, August 23). Justice Department’s Role in Cyber Incident. Retrieved October 14, 2018, from https://fas.org/sgp/crs/misc/R44926.pdf
- Coons, P. (2015, July 1). How to Document Your Chain of Custody and Why It’s Important. Retrieved October 13, 2018, from http://www.d4discovery.com/discover-more/how-to-document-your-chain-of-custody-and-why-its-important#sthash.dUt7TmLf.dpbs
- EDRM Duke Law. (2018). Chain of Custody Definition. Retrieved October 13, 2018, from https://www.edrm.net/glossary/chain-of-custody/
- Hayes, D. R. (2015). A Practical Guide to Computer Forensics Investigations. Indianapolis, IN: Pearson.
- Hegarty, R. C., Attwood, A., & Lamb, D. (2014). Digital evidence challenges in the internet of things. ResearchGate. Retrieved October 14, 2018, from https://www.researchgate.net/publication/288660566_Digital_evidence_challenges_in_the_internet_of_things
- InfoSec. (2018). Computer Forensics: Forensic Techniques, Part 1. Retrieved October 14, 2018, from https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/forensic-techniques-part-1/#gref
- Nagy, Z. (2012, July). Using Forensic Techniques for Internet Activity Reconstruction. Kos Island, Greece: ResearchGate.
- National Institute of Justice. (2016, April 14). Digital Evidence and Forensics. Retrieved October 14, 2018, from https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
- Nelson, B., Phillips, A., & Steuart, C. (2016). Guide to computer forensics and investigations (5th ed.). Boston, MA: Cengage.
- Technopedia. (2018). Security Incident Definition. Retrieved October 14, 2018, from https://www.techopedia.com/definition/15957/security-incident
- Zetter, K. (2015, August 26). The Most Controversial Hacking Cases of the Past Decade. Retrieved October 14, 2018, from https://www.wired.com/2015/10/cfaa-computer-fraud-abuse-act-most-controversial-computer-hacking-cases/