The Trial

The trial may not be scheduled for some time, based on the backlog of the court that has jurisdiction in the case. In addition, the civil trial and criminal trial will occur at different times, although much of the investigation can be run in parallel. The following items provide guidance for courtroom testimony:
Recovery of Damages

To recover the costs of damages, such as reconstructing data, reinstalling an uncontaminated system, repairing a system, or investigating a breach, a civil lawsuit can be filed against the suspect in either a superior court or a small claims court.

Post-Mortem Review

The purpose of the post-mortem review is to analyze the attack and close the security holes that led to the initial breach. In doing so, it may also be necessary to update the corporate security policy. All organizations should take the necessary security measures to limit their exposure and potential liability. The security policy should include an:
Finally, many internal attacks can be avoided by conducting background checks on potential employees and consultants.

SUMMARY

Computer crime investigation is more an art than a science. It is a rapidly changing field that requires knowledge in many disciplines. Although it may seem esoteric, most investigations are based on traditional investigative procedures. Planning is integral to a successful investigation. For the internal investigator, an incident response plan should be formulated before an attack occurs. The incident response plan helps set the objective of the investigation and identifies each of the steps in the investigative process. For the external investigator, investigative planning may occur post-incident.

It is also important to realize that no individual has all the answers and that teamwork is essential. The use of a corporate CERT team is invaluable, but when no team is available the investigator may have the added responsibility of building a team of specialists. The investigator's main responsibility is to determine the nature and extent of the system attack. From there, with knowledge of the law and forensics, the investigative team may be able to piece together who committed the crime, how and why the crime was committed, and more importantly, what can be done to minimize the potential for any future attacks.

For the near term, convictions will probably be few, but as the law matures and as investigations become more thorough, civil and criminal convictions will increase. In the meantime, it is extremely important that investigations be conducted so as to understand the seriousness of the attack and the overall effect on business operations. Finally, to be successful the computer crime investigator must, at a minimum, have a thorough understanding of the law, the rules of evidence as they relate to computer crime, and computer forensics. With this knowledge, the investigator should be able to adapt to any number of situations involving computer abuse.
We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.