Criminal Investigations

In computer forensics, criminal and civil cases have different procedures. Criminal laws deal with the offenses against the individuals and the state. The law enforcement body of the state arrests the criminals and its judicial system conducts a trail. After that, the perpetrator is punished with fine, probation, imprisonment, or even capital punishment. In criminal cases, the forensic scientists with an authorized search warrant can forcibly seize the computer and other devices that may have been used for criminal purposes. When carrying out criminal investigations, the law enforcement agencies must follow the rules. For example, the Fourth Amendment to the U.S. Constitution and the Charter of Rights of Canada restrict government search and seizure to safeguards the rights of people, including people suspected of crimes. Besides, the Department of Justice (DOJ) regularly updates the information on search and seizure. The investigators can determine whether the crime was computer-related by asking some questions, such as:

What tool was used to commit the crime? Did the perpetrator breach someone else’s rights by email harassment? Was it a simple trespass? Was it vandalism or theft?

Following Legal Processes in Criminal Investigations: U.S. courts accept the legal processes discussed here; however, other countries may have different procedures. The legal processes of criminal investigation depend on the local customs, legislative standards, and the rules of evidence. Generally, criminal cases follow three stages:

The complaint The investigation The prosecution

The victim lodges a complaint, and then an examiner investigates the matter. After that, the examiner and a prosecutor acquire evidence and establish a case. Strong cases are considered for a later trial. For a criminal investigation, strong evidence and witnesses of the crime are required. Thereafter, the complainant approaches the police station and levels the allegation against the perpetrator. An officer at the police station interrogates the victim and writes a report about the offense. The law enforcement agents manage the report, and start an investigation or record the information in a “Police Blotter,” a register or electronic files that hold the list of crimes that have been committed in the past. Every police officer cannot be a computer expert; some are computer novices and others might be capable of retrieving information from a computer drive. The ISO standard explains two categories of police officers:

A digital evidence first responder (DEFR) arrives on the crime scene, assesses a situation, and sophisticatedly performs acquisition and preservation of evidence. A digital evidence specialist (DES) analyzes the data and determines if another specialist is needed to help with the analysis.

Civil Investigations

Civil investigations are not conducted because of crime but because of disputes or lawsuits in which the questions of property or money must be settled. The winning party must receive compensation in the form of payment, property, or services. Also, civil investigations are conducted by private investigators instead of law enforcement agents. In civil matters, the investigators and a defendant can negotiate over when the computer will be inspected and even what data will be required to check. When conducting the civil investigations, the private investigators use one or more of the following three methods to acquire relevant information.

Interrogations and interviews Record checking Physical surveillance

Privileges and Limitations of Civil Investigators: The civil investigators have no more privileges than common citizens. For example, to conduct interrogations and interview, the civil investigator can only converse with individuals who are willing to talk. Unlike criminal investigators, the civil investigator cannot arrest, threaten, or coerce individuals to obtain information. Using physical surveillance method, civil investigators can secretly eavesdrop on conversations between two or more people in public places. However, civil investigators cannot record voices through listening devices or tap a phone at private locations, because those are violations of laws protecting people’s privacy. To check the records or contents using a record-checking technique, a civil investigator must be given the consent of the related subject.

Administrative Investigation

Common types of administrative investigations stem from the corruption and misbehavior of employees, such as sexual harassment, bribe taking, stalking, and racial discrimination within any administrative agency, such as either a government agency or any corporation, which may lead to disciplinary action. The concerned agency, following its rules and regulations, has the legal right to conduct an administrative investigation against those employees who violate these rules and regulations. At a workplace, the investigators first examine the network and the computer system of the employee in question. In this way, the investigators can find evidence in emails, work management applications, and computer storage devices. External sources, such as social media, can also be helpful. Administrative investigations, in fact, are non-criminal in nature. However, some facts found in administrative investigations may involve the law enforcement agencies. For example, one employee committed sexual harassment via emails. When the investigators examined his mailbox, they discovered emails, along with the emails of sexual harassment, proving his connection with terrorist organizations. Private investigators, detectives, analysts, and clerks all can perform administrative investigations. The law enforcement agents become involved only if the case takes on a criminal nature.

Prerequisites for an Effective Investigation

Before carrying out the investigation, the examiner should recognize the proficiency level of the actors involved in the case, such as police offers or attorneys. To conduct an investigation and manage the computer forensics aspects of the case, the examiner must have DES training and sufficient information about the scope of the case, which includes the computer hardware, operating system, hard drive, and other devices. Also, the examiner should determine whether the necessary resources are available to conduct an investigation. Furthermore, he/she should also make sure that the right tools are available for acquiring and analyzing evidence.

Process Model for Computer Forensics Investigation

Many attempts have been made to develop a universally accepted process model for computer forensics investigations, but all in vain. In fact, the main reason for the failure of process models is that there is no process model developed so far that can be applied to the whole computer forensics field. Instead, the present process models only cover specific areas of computer forensics, such as law enforcement, cloud forensics, or mobile forensics. Some of the main process models are listed below.

The Systematic Digital Forensics Investigation Model (Agarwal et al., 2011) Framework for Digital Investigations (Kohn et al., 2006) The Enhanced Digital Investigations Process Model (Baryamureeba & Tushabe, 2004) An Extended Model of Cybercrime Investigations (Carrier & Spafford 2003)

The most common steps performed in computer forensics investigation include search and seizure, acquisition, analysis, and reporting.

Computer Forensics Lab and Investigations

A computer forensics lab is a place where the investigations are conducted and the evidence is stored. The evidence stored in the lab must not be destroyed or corrupted, so the lab must be physically secured.

Report Writing for High-Tech Investigations

The structure of the well-defined report contributes to reader’s ability to understand the information that the report writer is trying to provide. The investigators should ensure that the report’s sections are labeled and follow a regular numbering scheme. Also, make sure that the supporting material, such as tables and figures, are labeled and numbered consistently. Avoid using jargon, vague wording, and slang.

Maintaining Professional Conduct

Professional conduct is of paramount importance because it determines the credibility of the computer forensics investigator. Professional conduct includes ethical behavior and legal principles. When conducting an investigation, the examiner must adhere to legal principles and exhibit the highest level of ethical behavior. Professional conduct can be maintained by taking the following guidelines into consideration:

Maintain confidentiality during an investigation. To do so, don’t reveal the case’s sensitive information to anyone; only authorized people should be privy to this information, such as other investigators. Maintain objectivity during an investigation. To do so, the examiner should form an opinion based on his/her education, training, and experience. Expand technical knowledge continually. Maintain integrity. Don’t hurry to reach conclusions without considering all the available facts. To keep the integrity of fact finding during an investigation, the examiner must avoid bias or prejudice. Since the field of computer forensics is changing rapidly, the examiners must stay current with the most recent computer hardware and software, operating systems, forensic tools, and networking. Be aware of the most recent investigation techniques.

Computer Forensics Boot Camp

If you are aspiring for CCFE or CMFE certification, InfoSec Institute offers you an Authorized Computer Forensics Boot Camp Course that teaches you the necessary skills to investigate computer crimes and computer threats. Moreover, the InfoSec course has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years. InfoSec also offers thousands of articles on all manner of security topics.