
Post on 24-Jun-2018


  • Collecting Legally Defensible Online Evidence: Creating a standard framework for Internet Forensic Investigations

    December 2007

    Todd G. Shipley, CFE, CFCE

    CEO and President

    Detective Sergeant (Retired), Reno, Nevada Police Department


    Copyright 2007 Vere Software All rights reserved worldwide

    Table of Contents

    BACKGROUND

    WHO CONDUCTS INVESTIGATIONS ON THE INTERNET?

    CURRENT INVESTIGATIVE METHODOLOGIES

    LEGAL BACKGROUND FOR CONDUCTING INVESTIGATIONS ON THE INTERNET

    LAW ENFORCEMENT INTERNET INVESTIGATIVE COSTS

    CONCLUSION

    APPENDIX A: PERTINENT U.S. CASE LAW REGARDING INTERNET INVESTIGATIONS

    REFERENCES


    BACKGROUND

    Collecting evidence from computers, networks, cellular telephones and assorted digital storage devices has rapidly become a standard practice in law enforcement investigations commonly referred to as digital forensics. The collection of digital evidence from the Internet, or Internet forensics, is a discipline of digital forensics that deals with the securing of data as evidence from the Internet. Investigating alleged criminal activity committed on the Internet has been conducted almost since the Internet's inception. The investigation and collection of online evidence has been an ongoing challenge for those tasked with that collection. The factors that contribute to the challenge include:

    • the rapid changes in technology and the ability of investigators to keep up with that technology,

    • the investigators' lack of education on the Internet and the techniques required to investigate it,

    • the inability to properly collect Internet-based evidence,

    • the lack of tools specifically designed for this purpose,

    • and, the inability to present the evidence collected in an understandable manner to those not familiar with the specifics behind the Internet.

    Internet forensics is a unique discipline within digital forensics. The uniqueness comes from the geographic location of the crime scene. Internet investigators access data on computers without knowing the physical location of that data. This makes Internet forensics singularly unique amongst the forensic disciplines.

    WHO CONDUCTS INVESTIGATIONS ON THE INTERNET?

    Conducting investigations on the Internet has generally been thought of as the sole domain of law enforcement. Certainly there are enough crimes to investigate, from child exploitation to auction fraud. Law enforcement has taken an aggressive lead role in stopping child exploitation online, as evidenced by continued funding from the Department of Justice's Office of Juvenile Justice and Delinquency Prevention (OJJDP) of the Internet Crimes Against Children (ICAC) Task Forces nationwide. Millions of dollars from the federal budget have been dedicated to these task forces, and additional millions have been specifically dedicated to the National Center for Missing and Exploited Children (NCMEC) and its important programs. [1]

    [1] www.icactraining.org and www.ncmec.org


    Many additional law enforcement investigators, from local agencies to the highest levels of the federal government, are investigating a variety of crimes committed on the Internet, from prostitution to network hacking. Still, law enforcement investigators are not the only ones conducting investigations online. Many other fields require the collection of evidence, either for a judicial function or merely to verify their actions to a superior.

    The legal system in the United States and elsewhere in the world has certain requirements for the introduction of information as evidence in any civil or criminal proceeding. According to Wikipedia, "Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial." [2] With more and more information stored on the Internet, and accessible to the average user, more and more information of probative value will be located there. That being said, information from the Internet will be used by attorneys needing to conduct due diligence investigations for their clients. Anyone conducting any type of research for a civil proceeding of any kind uses the Internet. Research conducted by licensed private investigators for a client is commonly accomplished through the use of tools found on the Internet. Companies conducting investigations into Intellectual Property (IP) theft commonly use the Internet to track the misuse of their company's IP. Additionally, those conducting competitive intelligence find much of what they need through the use of the Internet. These are only a few examples of the kinds of occupations that use the Internet to conduct their investigations, quite a few of them being non-law-enforcement or crime-oriented investigations. In fact, the larger use of the Internet as an investigative tool is probably by personnel other than those in law enforcement.

    [2] http://en.wikipedia.org/wiki/Digital_evidence

    The online investigative situation is no different around the world. According to Abhaya Induruwa, Department of Computing, Canterbury Christ Church University, UK, in a presentation during the Second International Workshop on Digital Forensics and Incident Analysis, Samos, Greece, 27-28 August 2007, of around 140,000 police officers in the UK, barely 1,000 have been trained to handle digital evidence at the basic level and fewer than 250 of them are currently with Computer Crime Units or have higher level forensic skills. With that being said, in the UK, according to the Association of Chief Police Officers (ACPO) Good Practice Guide for Computer Based Electronic Evidence, "As a result, many bodies actively engage in proactive attempts to monitor the Internet and to detect illegal activities."

    "There is a public expectation that the Internet will be subject to routine patrol by law enforcement agencies." (ACPO Good Practice Guide for Computer Based Electronic Evidence)

    CURRENT INVESTIGATIVE METHODOLOGIES

    Current law enforcement investigative methodologies for the Internet are varied and many. Some agencies have dedicated the necessary resources to conduct investigations and still many others have ignored the Internet and the crime conducted there, either out of ignorance or negligence. No standard process currently exists to guide an investigator, at any level within the government (local, state or federal), military or those investigating the Internet for a corporation. This has caused a lack of understanding among those assigned these tasks, and has caused the development of a variety of practices within this community. To add to the lack of consistent practices, the lack of specialized tools in this area has driven the adoption of tools specifically designed for other purposes. These tools have sometimes provided the investigator with insufficient support for Best Evidence practices. However, investigators, ever adapting to their changing world, proceeded ahead and have put many criminals in prison based on their ability to collect evidence from the Internet with tools not designed for evidence collection.

    The most significant adoption of standardized investigative methods for Internet evidence collection is with the Internet Crimes Against Children (ICAC) Task Forces (TFs). Since their inception in the late 1990s, the ICAC TFs have grown from a few task forces to over 46 across the United States. The managing working group of the task forces has standardized the methods they use for investigating child exploitation on the Internet. These standards guide the task force members and dictate appropriate actions during online child predator investigations.

    The law enforcement guide Electronic Crime Scene Investigation, A Guide for First Responders is the first in a series of guides funded by the National Institute of Justice (NIJ), U.S. Department of Justice


    Many federal agencies invest personnel resources in the investigation of crime committed on the Internet. For example, the Federal Trade Commission (FTC) investigates identity theft, the Federal Bureau of Investigation investigates terrorism, the Secret Service investigates credit card fraud and the Immigration and Customs Enforcement investigates counterfeit pharmaceutical sales over the Internet. Amongst all of these agencies, no common standard methodology exists for these online investigations.

    The National Institute of Justice (NIJ), a division of the Office of Justice Programs (OJP), Department of Justice, through the Office of Law Enforcement Standards (OLES) at NIST (the National Institute of Standards and Technology) started producing guides for law enforcement regarding the investigation of technology. The first in the series, Electronic Crime Scene Investigation, A Guide for First Responders, was an initial guide that exposed many in law enforcement t
