The computer: high-tech instrument of crime.
Statistics suggest that the law enforcement community must act quickly and decisively to meet the challenge presented by the criminal use of computers. For example:
* Over 4.7 million personal computers were sold in the United States in 1988, as compared with 386,500 in 1980
* An estimated 60 percent of personal computers are now networked
* $500 million is lost annually through illegal use of telephone access codes
* $1 trillion is moved electronically each week, and
* Only 11 percent of computer crime is reported.
While the law enforcement community, in general, often thinks of computer crime as high-tech crime, a growing segment of the population looks at computers and the data they store as nothing more than electronic paper. They feel very comfortable keeping their records, whether legal or illegal, in this format.
In order to address the legitimate need for access to computers and the information they contain, law enforcement must develop a structured approach to examine computer evidence. The examination of this evidence can provide investigative and intelligence information, and at the same time, preserve the information for subsequent admission in court.
PRESERVING COMPUTER EVIDENCE
As more and more records are converted from paper to electronic storage, individuals are becoming more and more computer literate. Unfortunately, a growing number of individuals use their computer knowledge for illegal activities.
While there is no typical computer case, the majority fall into the broad category of white-collar crime. During investigations of these cases, several problems repeatedly occur. However, by following the guidelines offered in this article, law enforcement agencies can protect valuable computer evidence.
Conduct Preliminary Examinations
Investigators should take immediate action to protect a computer's memory. Often, investigators attempt to generate investigative and intelligence information on site. While this approach is reasonable and should be encouraged, it is equally important that the computer be protected from any input introduced unintentionally by investigators.
For instance, many computer systems update files to the current date when read. In order to preserve the evidence in the same condition as it was when seized, steps must be taken to ensure that no dates are changed and nothing is written into or deleted from the computer's memory. Specialized software currently on the market protects the computer's memory and should always be used before an examination.
Investigators should also consider that anyone conducting a preliminary examination may be called on to testify concerning the procedures followed and the accuracy of the results. Because of this possibility, documented policy and protocol detailing steps to follow during examinations must be established. Examiners should closely follow guidelines set by their particular agency to avoid any legal discrepancies.
Seize Supporting Software
When investigators seize a computer, they should also take all supporting software and documentation. This simple action eliminates a host of problems that may arise during the examination of the computer. It is logical, but not necessarily correct, to assume that the software that runs the seized computer is common and commercially available.
As commercial software is developed and marketed, manufacturers add new features and correct previously identified problems. Once the manufacturer revises the old programs, the data seized may not be compatible with the particular version of the same software. Therefore, it is good policy to seize all software, documentation, handwritten notes, and any other related items found near the computer.
Seize the Entire Computer System
Many of the items connected to the seized computer are probably standard pieces of equipment found in any computer facility. However, it only takes one unique, nonstandard piece of equipment to render a system incompatible with others. For this reason, it is best to seize all the equipment related to the computer. If it turns out that some of the items are not needed for the examination, they can be quickly returned to the site.
The FBI Laboratory does not recommend that investigators remove and submit the hard drive (memory), located inside the computer, for examination. The manner in which the computer is set up internally is often crucial to reading, displaying, and printing the data on the hard drive. Thus, removing just the hard drive may be useless to the investigation.
In light of technical considerations, it may be appropriate to use an expert as a consultant in the execution of these types of search warrants. This is especially true if investigators do not seize the entire system. Concerns regarding incompatibilities of computer systems should be stated in the supporting affidavit as justification if investigators plan to seize the entire computer system.
Package Equipment Properly
If investigators need to ship the computer to another facility for examination, they should package it properly. Oftentimes, examinations take an inordinate amount of time because poorly packaged computers are damaged in shipment and must be subsequently repaired.
Likewise, shipment of computer diskettes and other memory devices requires certain precautions. Because of the potential hazard of static electric discharge, these items should not be shipped in plastic evidence envelopes. In addition, the evidence should be marked to avoid exposure to strong magnetic fields, such as those generated by x-ray machines.
COMPUTER ANALYSIS AND RESPONSE TEAM
To assist with investigations involving computers as evidence, the FBI Laboratory established the Computer Analysis and Response Team (CART) at FBI Headquarters. Computer professionals with a variety of experience and expertise, along with a sensitivity to the needs of the law enforcement community, staff the team. The CART has a full range of hardware available, as well as unique utility software useful in forensic examinations of computer-related evidence.
Limited by the number of technical personnel available to conduct these investigations, this service is available to police agencies authorized to submit evidence to the FBI for forensic examination. In addition to its traditional forensic examination, the FBI Laboratory's CART provides on-site field support to both Bureau field offices and local police departments. Approval for this on-site support depends on the individual case, the resources available, and the needs of the requesting agency.
The FBI Laboratory has seen the submission of computer evidence double and then double again in the past few years, reflecting the proliferation of computers in society. With the role of the computer becoming more predominant in society, its impact is felt in every law enforcement investigative program. Therefore, it is important for law enforcement to have the necessary knowledge and procedures ready to address adequately the examination of computer evidence and records.
|Printer friendly Cite/link Email Feedback|
|Author:||Noblett, Michael G.|
|Publication:||The FBI Law Enforcement Bulletin|
|Date:||Jun 1, 1993|
|Previous Article:||Eyesight standards: correcting myths.|
|Next Article:||Elevator vandalism squad.|