Friday 29 March 2013

How to collect Evidence in respect of internet crime


Crime scenes on the Internet
The Internet is a medium through which material can be 
stored, relayed or shared. Despite its size and complexity, 
it is nothing more than a large computer network. 
Ultimately, any information on the Internet physically 
resides on one or more computer systems and, therefore, 
it could be retrieved through a forensic examination of 
those physical devices. However, some of this information 
may be volatile, e.g. instant messaging content; or it could 
be altered or deleted prior to the location and examination 
of those devices, e.g. website content. In such cases, it 
may be necessary to capture evidence directly from the 
Internet, possibly during ‘live’ interaction with a suspect
or by capturing live website content.

E-mail
E-mail is increasingly seen as the communications 
medium of choice, amongst a technically aware 
population. E-mail can be forensically retrieved from 
physical machines, although in certain circumstances 
it may be that only a small number of e-mails require 
retrieval and examination. Investigators may wish to 
obtain these from a victim’s computer system, without 
having to address possible delays in obtaining a forensic 
examination or causing significant inconvenience to 
the victim. In such circumstances, printed copies of 
the e-mails themselves, including header information, 
would be sufficient to evidence the sending / receipt and 
content of the e-mail. Header information is not normally 
visible to the reader of the e-mail, but it can be viewed 
through the user’s e-mail client program. The header 
contains detailed information about the sender, receiver, 
content and date of the message. Investigators should 
consult staff within their force Computer Crime Units or 
Telecommunications Single Point of Contact if they are 
under any doubt as to how to retrieve or interpret header 
information. Clearly any such evidential retrievals need 
to be exhibited in the conventional manner i.e. signed, 
dated and a continuity chain established.
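The header fields described above can be read from a saved copy of the message and listed alongside a hash of the file, so the printed exhibit can be tied to the exact bytes retrieved. This is an added example, not part of the original guidance: the sample message, its addresses, the function name `summarise_headers` and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not from a real case); it uses reserved
# example domains and documentation IP ranges only.
SAMPLE_EML = (
    b"Received: from mx.example.net (mx.example.net [198.51.100.7])\r\n"
    b"\tby inbox.example.org with ESMTP id B2;\r\n"
    b"\tFri, 29 Mar 2013 10:15:04 +0000\r\n"
    b"Received: from sender-pc (unknown [203.0.113.25])\r\n"
    b"\tby mx.example.net with ESMTP id A1;\r\n"
    b"\tFri, 29 Mar 2013 10:15:01 +0000\r\n"
    b"From: Sender <sender@example.net>\r\n"
    b"To: Victim <victim@example.org>\r\n"
    b"Subject: Constructed sample\r\n"
    b"Date: Fri, 29 Mar 2013 10:14:58 +0000\r\n"
    b"Message-ID: <constructed-0001@example.net>\r\n"
    b"\r\n"
    b"Body text.\r\n"
)

def summarise_headers(raw: bytes) -> dict:
    """Extract the fields that evidence sending/receipt, plus a hash of the raw bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Each relay prepends its own Received line, so the headers read
    # newest-first; reverse them to follow the path from origin to recipient.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        route, sep, stamp = str(value).rpartition(";")
        if not sep:  # malformed hop with no timestamp part
            route, stamp = stamp, ""
        try:
            when = parsedate_to_datetime(stamp.strip()).isoformat()
        except (TypeError, ValueError):
            when = None
        hops.append({"route": " ".join(route.split()), "time": when})
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "message_id": str(msg["Message-ID"]),
        "hops": hops,
        # Hash the untouched bytes, before any parsing or re-saving.
        "sha256": hashlib.sha256(raw).hexdigest(),
    }
```

The `Date` header is set by the sender's software, while each `Received` timestamp is added by a relay, so the two are recorded separately.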

E-mail / Webmail / Internet Protocol Address account information
Investigators seeking subscriber information relating
to e-mail, webmail or Internet connections should consult 
their force Telecommunications Single Points of Contact 
who are able to advise on the potential availability and 
nature of user or subscriber information. Any request
for Telecommunications Data is subject to the provisions 
of the Regulation of Investigatory Powers Act (RIPA) 2000.

Websites / Forum Postings / Blogs
Evidence relating to a crime committed in the United 
Kingdom may reside on a website, a forum posting or a 
web blog. Capturing this evidence may pose some major 
challenges, as the target machine(s) may be sited outside 
of the United Kingdom jurisdiction or evidence itself could 
be easily changed or deleted. In such cases, retrieval 
of the available evidence has a time critical element 
and investigators may resort to timed and dated screen 
captures of the relevant material or ‘ripping’ the entire 
content of particular Internet sites. When viewing material 
on the Internet, with a view to evidential preservation, 
investigators should take care to use anonymous systems. 
Advice on the purchase and use of such systems should 
be obtained from the force Computer Crime or Open 
Source Intelligence Unit. Failure to utilise appropriate 
systems could lead to the compromise of current or 
future operations. Investigators should consult their force 
Computer Crime Unit if they wish to ‘rip’ and preserve 
website content.

Open Source Investigation
There is a public expectation that the Internet will be 
subject to routine ‘patrol’ by law enforcement agencies. 
As a result, many bodies actively engage in proactive 
attempts to monitor the Internet and to detect illegal 
activities. In some cases, this monitoring may evolve 
into ‘surveillance’, as defined under RIPA 2000. In such 
circumstances, investigators should seek an authority for 
directed surveillance, otherwise any evidence gathered 
may be subsequently ruled inadmissible. Once again, 
when conducting such activities, investigators should 
utilise anonymous systems which are not likely to 
reveal the fact that law enforcement is investigating that 
particular section of the Internet. 

Covert Interaction on the Internet
In circumstances where investigators wish to
covertly communicate with an online suspect, they
MUST utilise the skills of a trained, authorised Covert 
Internet Investigator (CII). CIIs have received specialist 
training which addresses the technical and legal issues 
relating to undercover operations on the Internet.
The interaction with the suspect(s) may be in the form
of e-mail messaging, instant messaging or through 
another online chat medium. When deploying CIIs, 
a directed surveillance authority must be in place, 
as well as a separate CII authority. Prior to deploying 
CIIs, investigators should discuss investigative options 
and evidential opportunities with the force department 
responsible for the co-ordination of undercover 
operations. The deployment of CIIs is governed by the 
National Standards in Covert Investigations, which are 
detailed in the Manual of Standards for the Deployment
of Covert Internet Investigators.

Read more here: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf

