Dr. Kent R. Kerley
Department of Sociology, Mississippi State University
331 Etheredge Hall, 325-7889, kerley@soc.msstate.edu
Police Responses to Computer Crime: Investigation and Detection
A Lecture Prepared for Computer Crime and Forensics (CS 4273), Fall 2003

The Policing of Computer Crime: Who are the Major Players?
• FBI – National Computer Crime Squad
• U.S. Department of Justice – Computer Crime and Intellectual Property Section
• Secret Service – Electronic Crimes Task Force
• State Police agencies
• State Crime Labs

FBI’s National Computer Crime Squad
The NCCS lists these as its major targets:
• Intrusions of the Public Switched Network (the telephone company)
• Major computer network intrusions
• Network integrity violations
• Privacy violations
• Industrial espionage
• Pirated computer software
• Other crimes where the computer is a major factor in committing the criminal offense

U.S. Department of Justice
• The Criminal Division of DOJ created the Computer Crime and Intellectual Property Section
• Their website is: http://www.cybercrime.gov/
• Instead of a novel at bedtime, try reading their 97-page manual called “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations”
• You can find it at: http://www.cybercrime.gov/s&smanual2002.htm

Computer Evidence: Searching and Seizing 1
• 4th Amendment protection against “unreasonable searches and seizures” applies to computer equipment and electronic files.
• Individuals have a “reasonable expectation of privacy” pertaining to their use of computers, especially at home. [Katz v. U.S. 1967]

Computer Evidence: Searching and Seizing 2
• Because computer crimes are largely “hidden” it is rare to catch someone in the act.
• The “plain view” doctrine [Horton v. California 1990] that police take advantage of for other types of crimes is not of much use for computer crimes.
• Thus, police typically have to secure warrants to search for computer equipment and electronic files.

Computer Evidence: Searching and Seizing 3
• Computers are treated as “closed containers” for purposes of searching and seizing (e.g., filing cabinet, briefcase).
• Warrants must be secured to search computer equipment for evidence of crimes.
• Currently, judges are erring on the side of specificity and technical expertise in granting warrants to search computers.

Computer Evidence: Searching and Seizing 4
• There is a debate over whether the entire computer can be searched for criminal evidence with one general warrant.
• In [U.S. v. David 1999], a circuit court ruled that computers contain multiple closed containers and that investigators must focus on the crimes delineated in the original search warrant.
• However, in [U.S. v. Runyan 2001] and [U.S. v. Carey 2002] two circuit courts ruled that all files on a computer constitute one closed container. If additional incriminating evidence is found during a search, it can be used against the person.

Computer Evidence: Searching and Seizing (last one, I promise)
So what steps should you take to secure a warrant?
• Assemble a team consisting of a police agent, local prosecutor, and a computer expert.
• Get as much information as possible about the system that will be searched (e.g., type, specs, software).
• Develop a strategy for executing the search.
• Draft a warrant with specific information about the process and product of the search.

Computer Evidence: Handling and Transporting
When you get the warrant and locate the computer:
• Search the computer and print out a hard copy of particular files at that time.
• Search the computer and make an electronic copy of particular files at that time.
• Create a duplicate electronic copy of the entire storage device on-site, and then later recreate a working copy of the storage device off-site for review.
• Seize the equipment, remove it from the premises, and review its contents off-site.

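The third option above (duplicate on-site, rebuild a working copy off-site) is only useful if each copy can be shown to match what was read from the original. The following is an added example, not part of the lecture: it assumes SHA-256 as the integrity check, uses a small constructed file in place of the storage device, and all function and file names are illustrative.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large devices do not fill memory

def sha256_of(path):
    """Hash a file or device node without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def duplicate(source, dest):
    """Copy source (opened read-only) to dest; return SHA-256 of the bytes read."""
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the copy is on disk before verifying
    return digest.hexdigest()

def image_and_restore(source, image_path, working_path):
    """On-site: source -> image. Off-site: image -> working copy. Verify each hop."""
    acquired = duplicate(source, image_path)
    if sha256_of(image_path) != acquired:
        raise ValueError("image does not match what was read from the source")
    restored = duplicate(image_path, working_path)
    if restored != acquired or sha256_of(working_path) != acquired:
        raise ValueError("working copy does not match the acquisition hash")
    return acquired  # record this value with the evidence inventory

def demo():
    """Constructed sample: a small file stands in for the seized storage device."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "device.bin")
        with open(source, "wb") as fh:
            fh.write(b"constructed sample sector data\x00" * 4096)
        image = os.path.join(tmp, "evidence.img")
        working = os.path.join(tmp, "working.img")
        digest = image_and_restore(source, image, working)
        # Simulate a change to the working copy during review; the hash exposes it.
        with open(working, "r+b") as fh:
            fh.write(b"X")
        return digest, sha256_of(working) == digest
```

`demo()` returns the acquisition hash and whether the altered working copy still matches it; the second value is `False`, which is the signal to discard that copy and rebuild it from the image.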
Then What?
• After you have legally seized a computer and have done a basic inventory of the system, what happens next?
• Unless you are working in a large metropolitan police department or the person you arrested was not very computer savvy (e.g., no attempt to encrypt or hide files), you are probably going to be sending the computer to a federal or state law enforcement agency for in-depth forensic analysis.