Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Third Edition
by Eoghan Casey, cmdLabs, Baltimore, Maryland, USA
Technical Editor Brent E. Turvey, Forensic Solutions LLC, Sitka, Alaska, USA
Contributors: Susan W. Brenner (University of Dayton School of Law), Bert-Jaap Koops (Tilburg University, Netherlands), Tessa Robinson (Law Library, Dublin, Ireland), Bradley Schatz (Schatz Forensic Pty. Ltd., Queensland), Terrance Maguire (cmdLabs), Monique M. Ferraro (Technology Forensics, LLC, Connecticut), Michael McGrath, Christopher Daywalt (cmdLabs)
Digital evidence - evidence that is stored on or transmitted by computers - can play a major role in any investigation, including homicide, child exploitation, computer intrusions and corporate malfeasance. The scope of computer crime has expanded further with the proliferation of networks, embedded systems, mobile devices and industrial control systems. Digital evidence from these systems can help establish when events occurred, where victims and suspects were, with whom they communicated, and may even show their intent to commit a crime.
Despite the ubiquity of computer-facilitated crime, few people are well-versed in the technical, investigative and legal issues related to digital evidence. As a result, digital evidence is often overlooked, collected incorrectly or analyzed ineffectively.
Digital Evidence and Computer Crime, Third Edition is completely updated, providing the knowledge necessary to uncover and use digital evidence effectively in any kind of investigation. The first and second editions introduced thousands of practitioners to this field, and this third edition expands on the material presented in previous editions to help digital forensic practitioners further develop their skills. The textbook teaches digital investigation and forensic methodologies, how computers and networks function, how they can be involved in crimes, and how they can be used as a source of evidence. This book is suitable for incident responders, forensic analysts, police and lawyers. Case examples and practitioner's tips are provided throughout each chapter to emphasize important concepts.
New chapters include coverage of:
• Handling digital crime scenes
• Investigating violent crimes
• Applying the scientific method to digital investigations
• Legal issues from both the U.S. and European perspectives
Product dimensions: 7.90(w) x 9.30(h) x 1.90(d)
About the Author
Eoghan Casey is founding partner of cmdLabs, author of the foundational book Digital Evidence and Computer Crime, and coauthor of Malware Forensics. For over a decade, he has dedicated himself to advancing the practice of incident handling and digital forensics. He helps client organizations handle security breaches and analyzes digital evidence in a wide range of investigations, including network intrusions with international scope. He has testified in civil and criminal cases, and has submitted expert reports and prepared trial exhibits for computer forensic and cyber-crime cases. Eoghan has performed thousands of forensic acquisitions and examinations, including Windows and UNIX systems, Enterprise servers, smart phones, cell phones, network logs, backup tapes, and database systems. He has performed vulnerability assessments, deployed and maintained intrusion detection systems, firewalls and public key infrastructures, and developed policies, procedures, and educational programs for a variety of organizations. In addition, he conducts research and teaches graduate students at Johns Hopkins University Information Security Institute, is editor of the Handbook of Digital Forensics and Investigation, and is Editor-in-Chief of Elsevier's International Journal of Digital Investigation.
Read an Excerpt
Chapter 3: Modus Operandi, Motive and Technology
This can take the form of misusing and abusing department resources and violating the public trust, including but not limited to things like inappropriate telephone charges, vehicle use, and desertion of one's assigned duties. And we are not talking about small misallocations, but rather large ones such as in the example, which are symptomatic of ongoing patterns of departmental resource misuse and abuse.
As in Example 2, criminal activity in these instances can also take on the form of the distribution of pornographic materials (an officer allegedly e-mailed a digital photograph of his genitals to the 17-year-old girl), which, depending on the circumstances, can have serious legal consequences.
In both examples, technology facilitated criminal behavior in terms of providing both the mechanisms for initial contact between the involved parties, and a means for communication and illicit materials sharing between the parties over great distances. But as we have shown, less complex and "immediate" technologies do exist which have facilitated the same type of behavior in the past.
A more reactive aspect of the relationship between MO and technology, from the criminal's point of view, involves the relationship between the advancement of crime detection technologies in the forensic sciences, and a criminal's knowledge of them.
Successful criminals are arguably those who avoid detection and identification, or at the very least capture. The problem for criminals is that as they incorporate new and existing technologies into their MO which make their criminal behavior or identity more difficult to detect, the forensic sciences have made advances to become more competent at crime detection. Subsequently, criminals that are looking to make a career, or even a hobby, for themselves with their illegal activity must rise to meet that challenge. That is to say, as criminals learn about new forensic technologies and techniques being applied to their particular area of criminal behavior, they must be willing to modify their MO, if possible, in order to circumvent those efforts.
But even an extremely skillful, motivated, and flexible offender may only learn of a new forensic technology when it has been applied to one of their crimes and resulted in their identification and/or capture. While this encounter can teach them something that they may never forget in the commission of future crimes, in such cases the damage will already have been done.
This text is replete with examples of such instances, so we will not adduce specifics in this chapter.
Motive and Technology
The term motive refers to the emotional, psychological, or material need that impels, and is satisfied by, a behavior (Turvey 1999). Criminal motive is generally technology independent. That is to say, the psychological or material needs that are nurtured and satisfied by a criminal's pattern of behavior tend to be separate from the technology of the day. The same motives that exist today have arguably existed throughout recorded history, in one form or another. However, it may also be argued that existing motives (i.e. sexual fetishes) can evolve with the employment of, or association of, offense activities with specific technologies. Towards understanding these issues, this section will demonstrate how an existing behavioral motivational typology may be applied within the context of computer- and Internet-related criminal behavior.
In 1979, A. Nicholas Groth, an American clinical psychologist working with both victims and offender populations, published a study of over 500 rapists. In his study, he found that rape, like other crimes involving behaviors that satisfy emotional needs, is complex and multi-determined. That is to say, the act of rape itself serves a number of psychological needs and purposes (motives) for the offender. The purpose of his work was clinical, to understand the motivations of rapists for the purpose of the development of effective treatment plans (Groth 1979).
Eventually the Groth rapist motivational typology was taken and modified by the FBI's National Center for the Analysis of Violent Crime (NCAVC) and its affiliates (Hazelwood et al. 1991; Burgess and Hazelwood 1995).
This author has found, through casework, that this behaviorally based motivational classification system, with some modifications, is useful for understanding the psychological basis for most criminal behavior. The basic psychological needs, or motives, that impel human criminal behaviors remain essentially the same across different types of criminals, despite their behavioral expression, which may involve computer crimes, stalking, harassment, kidnapping, child molestation, terrorism, sexual assault, homicide, and/or arson. This is not to say that the motivational typology presented here should be considered the final word in terms of all specific offender motivations. But in terms of general types of psychological needs that are being satisfied by offender behavior, they are fairly inclusive, and fairly useful.
Below, the author gives a proposed behavioral motivational typology (Turvey 1999), and examples, adapted from Burgess and Hazelwood (1995), with some input from Geberth (1996). This author takes credit largely for the shift in emphasis from classifying offenders - to classifying offense behaviors (turning it from an inductive labeling system to a deductive tool)...
Table of Contents
1. Introduction to Digital Evidence
2. The Language of Cybercrime
3. Modus Operandi, Motive and Technology
4. Applying Forensic Science to Computers
5. Digital Evidence on Computer Networks
6. Digital Evidence on the Internet
7. Digital Evidence at the Transport and Network Layers
8. Digital Evidence on the Data-Link and Physical Layers
9. Using Digital Evidence and Behavioral Evidence Analysis in an Investigation
12. Digital Evidence as Alibi
13. Laws, Jurisdiction, Search and Seizure
14. Thoughts for the Future
Appendix 1: Summary of Resources
Appendix 2: Multimedia Supplement