Handbook of Information Security Management:Law, Investigation, and Ethics



Storage, Preservation, and Transportation

All evidence must be packed and preserved to prevent contamination. It should be protected against heat, extreme cold, humidity, water, magnetic fields, and vibration. The evidence must be protected for future use in court and for return to the original owner. If the evidence is not properly protected, the person or agency responsible for the collection and storage of the evidence may be held liable for damages. Therefore, the proper packing materials should be used whenever possible.

Documents and disks (e.g., hard, floppy, and optical) should be seized and stored in appropriate containers to prevent their destruction. For example, hard disks should be packed in a static-free bag within a cardboard box with a foam container. It may be best to rely on the system administrator or a technical advisor on how to best protect a particular type of system, especially mini-systems or mainframes.

Finally, evidence should be transported to a location where it can be stored and locked. Sometimes, the systems are too large to transport, thus the forensic examination of the system may need to take place on site.

Evidence Presented in Court

Each piece of evidence that is used to prove or disprove a material fact must be presented in court. After the initial seizure, the evidence is stored until needed for trial. Each time the evidence is transported to and from the courthouse for the trial, it must be handled with the same care as with the original seizure. In addition, the chain of custody must continue to be followed. This process will continue until all testimony related to the evidence is completed. Once the trial is over, the evidence can be returned to the victim (i.e., owner).

Evidence Returned to Victim

The final destination of most types of evidence is back with its original owner. Some types of evidence, such as drugs or paraphernalia, are destroyed after the trial. Any evidence gathered during a search, even though maintained by law enforcement, is legally under the control of the courts. Even though a seized item may be the victim’s and may even have the victim’s name on it, it may not be returned to the victim unless the suspect signs a release, or after a hearing by the court. However, many victims do not want to go to trial. They just want to get their property back.

Many investigations merely need the information on a disk to prove or disprove a fact in question, thus there is no need to seize the entire system. Once a schematic of the system is drawn or photographed, the hard disk can be removed and then transported to a forensic lab for copying. Mirror copies of the suspect disk are obtained by using forensic software and then one of those copies can be returned to the victim so that he or she can resume business operations.
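The two controls the preceding sections rely on, a continuous chain of custody and a mirror copy that is provably identical to the seized disk, can both be enforced with hashing. The following is an added example, not code from the handbook: it hashes a constructed stand-in for a disk image, verifies a mirror against it before the copy is released to the owner, and keeps an append-only custody log in which every entry commits to the hash of the previous one, so a removed, reordered or edited entry is detectable. The item id, actor names and image bytes are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized disk image. A real image is the bytes the
# imaging tool read from the drive; this synthetic content only exercises the logic.
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 8 + b"END-OF-IMAGE"
ITEM_ID = "ITEM-001 (constructed id)"


def sha256_hex(data: bytes) -> str:
    """Hash the whole image; changing a single byte changes this value."""
    return hashlib.sha256(data).hexdigest()


def make_mirror(image: bytes) -> bytes:
    """Bit-for-bit copy, standing in for what the forensic imaging step produces."""
    return bytes(image)


def verify_mirror(original: bytes, mirror: bytes) -> bool:
    """A copy may be examined or handed back only if it hashes the same as the original."""
    return sha256_hex(original) == sha256_hex(mirror)


class CustodyLog:
    """Append-only chain-of-custody record. Each entry stores the hash of the
    previous entry, so deleting, reordering or editing an entry breaks the chain."""

    def __init__(self, item_id: str, actor: str, evidence_hash: str):
        self.entries = []
        self.record(actor=actor, action="seized", item_id=item_id,
                    evidence_hash=evidence_hash, note="initial seizure")

    def record(self, **fields) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = dict(fields, prev_hash=prev_hash,
                     timestamp=datetime.now(timezone.utc).isoformat())
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every entry hash and check each link back to its predecessor."""
        expected_prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != expected_prev or entry["entry_hash"] != recomputed:
                return False
            expected_prev = entry["entry_hash"]
        return True


def image_and_log_evidence(image: bytes = SAMPLE_IMAGE):
    """Seize -> image -> verify -> transfer to lab -> return a verified copy to the owner."""
    original_hash = sha256_hex(image)
    log = CustodyLog(ITEM_ID, "seizing officer (hypothetical)", original_hash)
    mirror = make_mirror(image)
    if not verify_mirror(image, mirror):
        raise RuntimeError("mirror does not match original; do not release it")
    log.record(actor="forensic lab (hypothetical)", action="received original and mirror",
               item_id=ITEM_ID, evidence_hash=original_hash,
               note="mirror hash verified against original")
    log.record(actor="forensic lab (hypothetical)", action="mirror returned to owner",
               item_id=ITEM_ID, evidence_hash=sha256_hex(mirror),
               note="owner resumes operations on the verified copy")
    return mirror, log


if __name__ == "__main__":
    mirror, log = image_and_log_evidence()
    print("mirror verified:", verify_mirror(SAMPLE_IMAGE, mirror))
    print("custody chain intact:", log.verify())
    for e in log.entries:
        print(e["timestamp"], e["actor"], "-", e["action"])
```

The hash of the original is recorded at seizure and repeated on every transfer, so the court can compare the image presented at trial against the value written down on the day it was taken; the chained entry hashes make the log itself tamper-evident rather than merely a list of signatures.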

CONDUCTING COMPUTER CRIME INVESTIGATION

The computer crime investigation should start immediately following the report of any alleged criminal activity. Many processes ranging from reporting and containment to analysis and eradication should be accomplished as soon as possible after the attack. An incident response plan should be formulated, and a Computer Emergency Response Team (CERT) should be organized before the attack. The incident response plan will help set the objective of the investigation and will identify each of the steps in the investigative process.

The use of a corporate CERT is invaluable. Due to the numerous complexities of any computer-related crime, it is extremely advantageous to have a single group that is acutely familiar with the incident response plan to call upon. The CERT team should be a technically astute group, knowledgeable in the area of legal investigations, the corporate security policy (especially the incident response plan), the severity levels of various attacks, and the company position on information dissemination and disclosure.

The incident response plan should be part of the overall corporate computer security policy. The plan should identify reporting requirements, severity levels, and guidelines to protect the crime scene and preserve evidence. The priorities of the investigation will vary from organization to organization, but the goals of containment and eradication are reasonably standard: minimize any additional loss and resume business as quickly as possible.

Detection and Containment

Before any investigation can take place, the system intrusion or abusive conduct must first be detected. Detecting the intrusion as soon as possible after it occurs not only helps to minimize system damage, but also assists in the identification of potential suspects.

To date, most computer crimes have either been detected by accident or through the laborious review of lengthy audit trails. Although audit trails can assist in providing user accountability, their detection value is somewhat diminished because of the amount of information that must be reviewed and because these reviews are always postincident. Accidental detection is usually made through the observation of increased resource utilization or inspection of suspicious activity. However, this is not effective due to the sporadic nature of this type of detection.

These types of reactive or passive detection schemes are no longer acceptable. Proactive and automated detection techniques must be instituted to minimize the amount of system damage in the wake of an attack. Real-time intrusion monitoring can help in the identification and apprehension of potential suspects, and automated filtering techniques can be used to make audit data more useful.
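The "automated filtering" the text calls for is what turns a lengthy audit trail into something a reviewer can act on. The following is an added example, not from the handbook: it parses a constructed, syslog-style audit trail and reduces it to a handful of findings that correspond to the detection cues named above (a burst of failed logins followed by a success, a logon outside business hours, and a spike in resource utilization). The log lines, hostnames, addresses and the three thresholds are all assumptions for illustration; the thresholds would come from the organization's own severity levels.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail in a syslog-like layout. Hosts, users and
# addresses are made up; the ordering and timestamps are what the filter relies on.
SAMPLE_AUDIT = """\
2024-03-04T02:14:01 srv1 auth: FAILED login user=admin src=198.51.100.7
2024-03-04T02:14:03 srv1 auth: FAILED login user=admin src=198.51.100.7
2024-03-04T02:14:05 srv1 auth: FAILED login user=admin src=198.51.100.7
2024-03-04T02:14:08 srv1 auth: FAILED login user=root src=198.51.100.7
2024-03-04T02:14:10 srv1 auth: FAILED login user=admin src=198.51.100.7
2024-03-04T02:14:12 srv1 auth: SUCCESS login user=admin src=198.51.100.7
2024-03-04T02:15:00 srv1 cpu: utilization=97
2024-03-04T02:16:00 srv1 cpu: utilization=98
2024-03-04T09:01:00 srv1 auth: SUCCESS login user=alice src=10.0.0.12
2024-03-04T09:05:00 srv1 cpu: utilization=35
2024-03-04T09:06:00 srv1 auth: FAILED login user=alice src=10.0.0.12
2024-03-04T09:06:20 srv1 auth: SUCCESS login user=alice src=10.0.0.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)")
CPU_RE = re.compile(r"utilization=(?P<pct>\d+)")

# Policy values, assumed for this example; an organization sets its own.
FAILED_THRESHOLD = 3            # failures from one source before it is flagged
CPU_THRESHOLD = 90              # percent utilization considered a spike
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local; anything else is off hours


def parse(line):
    """Split one audit line into timestamp, host, facility and message."""
    m = LINE_RE.match(line)
    if not m:
        return None                 # unparseable lines are skipped, not guessed at
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def filter_audit(text):
    """Reduce the raw trail to a list of (kind, timestamp, subject, detail) findings."""
    findings = []
    failures = defaultdict(list)    # source address -> timestamps of failed logins
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["facility"] == "auth":
            a = AUTH_RE.search(rec["msg"])
            if not a:
                continue
            if a["result"] == "FAILED":
                failures[a["src"]].append(rec["ts"])
                continue
            # A success right after a run of failures from the same source is the
            # pattern a reviewer most wants surfaced, not buried among the failures.
            if len(failures[a["src"]]) >= FAILED_THRESHOLD:
                findings.append(("brute_force_then_success", rec["ts"], a["src"], a["user"]))
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_login", rec["ts"], a["src"], a["user"]))
        elif rec["facility"] == "cpu":
            c = CPU_RE.search(rec["msg"])
            if c and int(c["pct"]) >= CPU_THRESHOLD:
                findings.append(("high_utilization", rec["ts"], rec["host"], int(c["pct"])))
    # Summarize repeated failures per source once, rather than one line per attempt.
    for src, times in failures.items():
        if len(times) >= FAILED_THRESHOLD:
            findings.append(("repeated_failed_logins", times[0], src, len(times)))
    return findings


if __name__ == "__main__":
    for kind, ts, subject, detail in filter_audit(SAMPLE_AUDIT):
        print(f"{ts.isoformat()} {kind:26} {subject} {detail}")
```

Twelve raw lines become five findings, and the one that matters most (a successful logon following a burst of failures, off hours, followed by a utilization spike) is visible at a glance; the same filter run continuously over a live trail is the proactive monitoring the text contrasts with after-the-fact review.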

Once an incident is detected, it is essential to minimize the risk of any further loss. This may mean shutting down the system and reloading clean copies of the operating system and application programs. However, failure to contain a known situation (i.e., a system penetration) may result in increased liability for the victim organization. For example, if a company’s system has been compromised by an external attacker and the company failed to shut down the intruder, hoping to trace him or her, the company may be held liable for any additional harm caused by the attacker.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.