READ: Computer Evidence
Processing an Electronic Crime Scene
Basic computer and device knowledge is now critical in many investigations and is therefore part of all forensic investigator training. The goal is that when computer evidence is seized from a crime scene or suspect, it is collected and preserved in a manner such that data can be recovered and remains admissible in court as evidence.
When entering a crime scene where electronic or computer evidence is going to be collected, it is important that the investigator have some specialized equipment to properly handle and collect the evidence. Specialty tools needed include anti-static bags to prevent static discharges, which can damage some computer components; nonmagnetic tools to avoid erasing or disturbing sensitive data stored on magnetic components; and special radio frequency shielding material to block incoming calls, texts or emails that may disturb or alter the device and its evidence.
Once at the scene, the investigators should follow typical electronic evidence guidelines such as:
- Secure all devices and ensure that they are blocked from radio frequency signals that could alter evidence.
- Make sure that the evidence is kept secure so that no one has unauthorized access to the equipment.
- Investigators should never accept help from any unauthorized person when securing electronic equipment. It could be someone connected to the crime trying to delete or alter evidence!
- Make sure that nothing on the device is altered while you are securing it. Even the smallest alterations can render evidence unusable.
- If the device is off, leave it off!
- If the device is on, check the computer for commands to get rid of data such as deleting, formatting, wiping, copying, and uploading.
- Check to be sure that the computer isn't being controlled remotely by another device and that the webcam isn't activated!
- Next, investigators will need to obtain as much information as possible about who had access to the computer, including all usernames and passwords and the security programs on the computer.
- Investigators must document all locations and identifying information, such as serial numbers, in the crime scene report documents and in photos or video. A photo should be taken of the device's screen if it is on, to show what was displayed when it was found.
- Electronic devices, once secured and documented, can be packed in paper, cardboard or anti-static packages. They should not be packed in plastic because of the risk of static and of condensation from any fluids (such as blood) that may be present on the device.
Steps in obtaining forensic evidence from a device:
- The investigator first makes a copy of the hard drive, all files, and all parts of the device in which he or she intends to search for evidence. An investigator ALWAYS works from a copy of the device rather than the device itself to avoid losing or altering valuable data and evidence!
- The investigator will try to recover deleted data from the files using special applications for this purpose.
- The investigator will use other applications to uncover hidden files and decrypt encrypted files.
- The investigator must document every step and application used when conducting an electronic analysis investigation. The evidence collected may not go to court for years, so it is important to have an accurate, written record to both review and present.
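The steps above (copy first, work only from the copy, document everything) are what an acquisition script has to guarantee. The following is an added example, not code from the original reading or from Georgia Virtual: it copies a constructed "device" file byte for byte, fingerprints the original and the copy with SHA-256 (the standard way to prove a copy is exact; the reading itself does not name a hash algorithm), appends each action to a JSON-lines examination log, and shows that re-hashing catches even a one-byte change to the working copy. The file names, the examiner label and the tool label are placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash and copy in 1 MiB chunks so large images stream


def sha256_file(path):
    """Hash a file in chunks; the digest is the fingerprint recorded for the evidence."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_step(log_path, examiner, action, **details):
    """Append one time-stamped JSON-lines entry to the examination log."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        **details,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def acquire_image(source_path, image_path, log_path, examiner):
    """Make a byte-for-byte copy, hash both sides, and log whether they match."""
    source_hash = sha256_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK_SIZE)
    image_hash = sha256_file(image_path)
    return record_step(
        log_path, examiner, "acquire_image",
        source=source_path, image=image_path,
        source_sha256=source_hash, image_sha256=image_hash,
        verified=(source_hash == image_hash),
    )


def verify_image(image_path, expected_sha256):
    """Re-hash the working copy; a mismatch means it is no longer the acquired image."""
    return sha256_file(image_path) == expected_sha256


def read_log(log_path):
    """Return the logged entries, oldest first."""
    with open(log_path, encoding="utf-8") as log:
        return [json.loads(line) for line in log if line.strip()]


def demo():
    """Constructed walk-through using a fake 'device' file in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="forensic_demo_")
    device = os.path.join(workdir, "suspect_device.bin")  # stands in for the seized drive
    image = os.path.join(workdir, "suspect_device.dd")    # the working copy
    log_path = os.path.join(workdir, "examination_log.jsonl")
    with open(device, "wb") as handle:
        handle.write(b"constructed sample device contents\n" * 2000)

    examiner = "EXAMINER-PLACEHOLDER"
    acquisition = acquire_image(device, image, log_path, examiner)
    # Every later analysis step is logged with the tool that performed it.
    record_step(log_path, examiner, "recover_deleted_files",
                tool="TOOL-NAME-PLACEHOLDER", input=image)
    before = verify_image(image, acquisition["image_sha256"])

    # Simulate an accidental one-byte change to the working copy.
    with open(image, "r+b") as handle:
        handle.seek(10)
        handle.write(b"X")
    after = verify_image(image, acquisition["image_sha256"])

    logged = len(read_log(log_path))
    shutil.rmtree(workdir)
    return acquisition["verified"], before, after, logged


if __name__ == "__main__":
    print(demo())  # (True, True, False, 2)
```

Recording the source hash at acquisition time is what lets the examiner, years later, demonstrate in court that the copy analysed is identical to what was seized; the log entry for each tool run is the written record the last step asks for.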
While computers and devices can provide clues to crimes that occur in our physical surroundings, crimes can also occur within the digital world! Common types of computer or electronic crime include digital piracy, website hacking, and cyber bullying.
Digital piracy is downloading, copying and sharing material that is protected by copyright. Examples of this include illegally downloading music or movie content or "ripping" content from DVDs or CDs. While it is common, it is also a crime that is investigated in forensic science! Piracy can be detected by examining a computer or device for signs of an illegal copy of content. Copies of the illegal content may carry a digital watermark. A digital watermark is a pattern of data inserted into a digital image, audio or video file that identifies the owner of the copyright for the content as well as the rights to use the content. It is generally imperceptible to the user of the content and is only detected by a special program that specifically extracts digital watermarks.
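To make "imperceptible pattern of data" concrete, here is an added example (not from the reading) of the simplest watermarking scheme, least-significant-bit embedding: the rights notice is written into the lowest bit of each pixel of a constructed grayscale image, so no pixel value changes by more than 1, and a matching extractor recognises a marker prefix and reads the notice back. Real watermarking products use more robust schemes that survive re-encoding and cropping; this illustration does not, and the marker bytes, cover image and notice are all constructed here.

```python
MAGIC = b"WM"  # constructed marker so the extractor can tell watermarked from plain pixels


def _bytes_to_bits(data):
    """Most-significant bit first, one int (0 or 1) per bit."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def _bits_to_bytes(bits):
    """Inverse of _bytes_to_bits; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed_watermark(pixels, payload):
    """Hide MAGIC + 2-byte length + payload in the least significant bit of each pixel."""
    header = MAGIC + len(payload).to_bytes(2, "big")
    bits = _bytes_to_bits(header + payload)
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this watermark")
    marked = bytearray(pixels)
    for i, bit in enumerate(bits):
        marked[i] = (marked[i] & 0xFE) | bit  # clear the low bit, then set it to the payload bit
    return bytes(marked)


def extract_watermark(pixels):
    """Return the embedded payload, or None if the marker is absent."""
    header_bits = (len(MAGIC) + 2) * 8
    if len(pixels) < header_bits:
        return None
    header = _bits_to_bytes([p & 1 for p in pixels[:header_bits]])
    if header[:len(MAGIC)] != MAGIC:
        return None
    length = int.from_bytes(header[len(MAGIC):], "big")
    end = header_bits + length * 8
    if end > len(pixels):
        return None
    return _bits_to_bytes([p & 1 for p in pixels[header_bits:end]])


def max_pixel_change(original, marked):
    """Largest per-pixel difference introduced by embedding (1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(original, marked))


# Constructed 64x64 grayscale cover image and a placeholder rights notice.
COVER = bytes((i * 37) % 256 for i in range(64 * 64))
NOTICE = b"(c) RIGHTS-HOLDER-PLACEHOLDER - licensed for personal use only"


def demo():
    marked = embed_watermark(COVER, NOTICE)
    return (
        extract_watermark(marked) == NOTICE,   # the extractor recovers the notice
        max_pixel_change(COVER, marked),       # at most 1: invisible to a viewer
        extract_watermark(COVER) is None,      # an unmarked image yields nothing
    )


if __name__ == "__main__":
    print(demo())  # (True, 1, True)
```

An examiner's watermark tool works the same way in outline: it knows where the pattern lives and what marker to expect, and reports the owner and licence terms encoded in the file; a casual viewer of the pixels sees nothing.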
Website hacking is the use of a computer to gain unauthorized access to data in a system. It is a concern for nearly everyone: from the average person with an email account to the administrators of the most secure websites, people worry that the security of their online information will be vulnerable to an attack.
It is such a concern that the Secret Service, along with the FBI, the Department of Homeland Security and all state law enforcement agencies, has departments specifically assigned to address hacking groups such as the famous hacker group called "Anonymous"! This is a big problem without any easy answers. Hackers have many methods, but one of the more common is accessing the information on a computer through a "backdoor". A backdoor is a hole in the security of a computer system deliberately left in place by authorized programmers or repair personnel, but backdoors can also be left behind by malicious intruders so they can get back into a system after having breached it once. It is synonymous with a trap door, a hidden software or hardware apparatus used to circumvent security mechanisms. Those who work to catch hackers often use a security measure known as a "honeypot". A honeypot is a lure set up to trap hackers and users with malicious intent as they attempt to gain entry into a computer system.
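A honeypot in its simplest form is a decoy network service that grants nothing and records everything. The following added example is not from the reading: it runs a tiny decoy on a loopback port chosen by the operating system, logs the time, source address and first bytes of every connection attempt, and answers with a constructed service banner so a probing party keeps talking. The demo then plays the part of the intruder itself with a made-up login line so the log can be inspected. The banner text and the probe are constructed values.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

FAKE_BANNER = b"220 ftp.example.internal ready\r\n"  # constructed decoy greeting


class DecoyHandler(socketserver.BaseRequestHandler):
    """Records one connection attempt, then answers like a real service would."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            probe = self.request.recv(256)
        except socket.timeout:
            probe = b""  # a bare connect with no data is still worth logging
        self.server.attempts.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "source": "%s:%d" % self.client_address,
            "first_bytes": probe[:64].hex(),
        })
        self.request.sendall(FAKE_BANNER)


class Honeypot(socketserver.ThreadingTCPServer):
    """Loopback decoy listener; every attempt is kept in self.attempts for review."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.attempts = []
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self.server_address  # (host, port) actually bound

    def stop(self):
        self.shutdown()
        self.server_close()


def run_demo():
    """Start the decoy, make one constructed probe against it, return the evidence."""
    honeypot = Honeypot(("127.0.0.1", 0))  # port 0: the OS picks a free port
    host, port = honeypot.start()
    with socket.create_connection((host, port), timeout=2.0) as probe:
        probe.sendall(b"USER admin\r\n")  # constructed login attempt
        banner = probe.recv(64)
    honeypot.stop()
    return honeypot.attempts, banner


if __name__ == "__main__":
    attempts, banner = run_demo()
    print(banner.decode().strip())
    for attempt in attempts:
        print(attempt)
```

Because no legitimate user has any reason to connect to the decoy, every entry in `attempts` is by definition suspicious, which is what makes a honeypot's log so much easier to act on than the logs of a busy real server.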
Georgia Virtual, Handwriting Analysis and Computer Forensics, CC BY-NC-SA 3.0