

Proactive Computer Forensics – Preparing for Search & Seizure 

Scott Zimmerman

In Scott's final article in the series, he examines Search & Seizure procedures used by US Federal LE organizations and by international organizations. 

The practice of computer forensics has become more economically feasible in recent years, and some larger organizations have begun to add internal computer crime investigation personnel to their rosters. Similarly, a growing number of commercial companies offer forensic services to other businesses and to governments. These services often include data recovery from erased or physically damaged media, in-house incident response, and litigation support such as providing expert witnesses.


However, a great amount of computer crime investigation experience lies with Law Enforcement (LE) organizations. The goal of this article is to provide non-LE personnel with the guidelines they need to gather evidence and conduct forensic examinations in accordance with law enforcement standards. What better way to meet these standards than to follow the same procedures used by law enforcement?


Search & Seizure – How to Search and What to Seize

By answering a series of questions, individuals involved in an investigation can plan their approach to collecting evidence. The context is computer crime investigation, and as such the role of a given computer at the scene will fall into one of four broad categories:


  • Was the computer itself the objective of the crime? If the perpetrator broke into a facility and stole the computer, the computer would be the objective.
  • Was the computer a tool used to commit the offense? If the perpetrator used his home computer to compromise an online banking site, the site would be the objective; the computer would be a tool.
  • Is the computer only indirectly related to the incident? Picture a suspect who generated false credit reports and credit card numbers on his desktop machine and sold the bogus information to people who were laundering money. The suspect kept track of what he sold, and to whom, using an accounting software package installed on a laptop. The credit reports and card numbers would be the objective; the desktop machine would be the tool; the laptop would be indirectly related to the crime.
  • Was the computer used for multiple tasks or stages of the crime? In the example above, if the suspect had generated the false credit information on the same laptop he used to record his financial records, the laptop would have been used both as a tool and as a storage device. It would then be both directly and indirectly related to the crime.



Meet the Authors

Scott C. Zimmerman

Scott C. Zimmerman is a CISSP qualified Information Security consultant and presenter
