Crime scenes on the Internet
The Internet is a medium through which material can be
stored, relayed or shared. Despite its size and complexity,
it is nothing more than a large computer network.
Ultimately, any information on the Internet physically
resides on one or more computer systems and, therefore,
it could be retrieved through a forensic examination of
those physical devices. However, some of this information
may be volatile, e.g. instant messaging content; or it could
be altered or deleted prior to the location and examination
of those devices, e.g. website content. In such cases, it
may be necessary to capture evidence directly from the
Internet, possibly during ‘live’ interaction with a suspect
or by capturing live website content.
E-mail is increasingly seen as the communications
medium of choice, amongst a technically aware
population. E-mail can be forensically retrieved from
physical machines, although in certain circumstances
it may be that only a small number of e-mails require
retrieval and examination. Investigators may wish to
obtain these from a victim’s computer system, without
having to address possible delays in obtaining a forensic
examination or causing significant inconvenience to
the victim. In such circumstances, printed copies of
the e-mails themselves, including header information,
would be sufficient to evidence the sending / receipt and
content of the e-mail. Header information is not normally
visible to the reader of the e-mail, but it can be viewed
through the user’s e-mail client program. The header
contains detailed information about the sender, receiver,
content and date of the message. Investigators should
consult staff within their force Computer Crime Units or
Telecommunications Single Point of Contact if they are
in any doubt as to how to retrieve or interpret header
information. Clearly any such evidential retrievals need
to be exhibited in the conventional manner, i.e. signed,
dated and a continuity chain established.
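The header fields described above can be pulled out of a saved raw message with Python's standard email module. This is an added example, not part of the original guidance; the message, addresses and the function name summarise_headers are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not from a real case); reserved example domains and IPs.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby inbox.example.org with ESMTP id def456;
\tMon, 03 Mar 2008 10:15:09 +0000
Received: from sender-pc.example.com (sender-pc.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id abc123;
\tMon, 03 Mar 2008 10:15:04 +0000
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.org>
Subject: Meeting
Date: Mon, 03 Mar 2008 10:15:02 +0000
Message-ID: <constructed-0001@example.com>
Content-Type: text/plain

Body text.
"""

def summarise_headers(raw):
    """Return sender, receiver, date and relay path from a raw message."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own Received line, so the list is reversed
    # to read the path in chronological order (first hop first).
    for value in reversed(msg.get_all("Received", [])):
        route, _, stamp = value.rpartition(";")
        hops.append({
            "route": " ".join(route.split()),  # unfold the wrapped header
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return {
        # From, Date and Subject are set by the sender and can be forged;
        # Received lines added by the recipient's own servers are more reliable.
        "from": getaddresses(msg.get_all("From", [])),
        "to": getaddresses(msg.get_all("To", [])),
        "subject": msg["Subject"],
        "date": parsedate_to_datetime(msg["Date"]),
        "message_id": msg["Message-ID"],
        "content_type": msg.get_content_type(),
        "hops": hops,
    }
```
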
E-mail / Webmail / Internet Protocol Address account information
Investigators seeking subscriber information relating
to e-mail, webmail or Internet connections should consult
their force Telecommunications Single Points of Contact
who are able to advise on the potential availability and
nature of user or subscriber information. Any request
for Telecommunications Data is subject to the provisions
of the Regulation of Investigatory Powers Act (RIPA) 2000.
Websites / Forum Postings / Blogs
Evidence relating to a crime committed in the United
Kingdom may reside on a website, a forum posting or a
web blog. Capturing this evidence may pose some major
challenges, as the target machine(s) may be sited outside
of the United Kingdom jurisdiction or evidence itself could
be easily changed or deleted. In such cases, retrieval
of the available evidence has a time critical element
and investigators may resort to timed and dated screen
captures of the relevant material or ‘ripping’ the entire
content of particular Internet sites. When viewing material
on the Internet, with a view to evidential preservation,
investigators should take care to use anonymous systems.
Advice on the purchase and use of such systems should
be obtained from the force Computer Crime or Open
Source Intelligence Unit. Failure to utilise appropriate
systems could lead to the compromise of current or
future operations. Investigators should consult their force
Computer Crime Unit if they wish to ‘rip’ and preserve
website content.
Open Source Investigation
There is a public expectation that the Internet will be
subject to routine ‘patrol’ by law enforcement agencies.
As a result, many bodies actively engage in proactive
attempts to monitor the Internet and to detect illegal
activities. In some cases, this monitoring may evolve
into ‘surveillance’, as defined under RIPA 2000. In such
circumstances, investigators should seek an authority for
directed surveillance, otherwise any evidence gathered
may be subsequently ruled inadmissible. Once again,
when conducting such activities, investigators should
utilise anonymous systems which are not likely to
reveal the fact that law enforcement is investigating that
particular section of the Internet.
Covert Interaction on the Internet
In circumstances where investigators wish to
covertly communicate with an online suspect, they
MUST utilise the skills of a trained, authorised Covert
Internet Investigator (CII). CIIs have received specialist
training which addresses the technical and legal issues
relating to undercover operations on the Internet.
The interaction with the suspect(s) may be in the form
of e-mail messaging, instant messaging or through
another online chat medium. When deploying CIIs,
a directed surveillance authority must be in place,
as well as a separate CII authority. Prior to deploying
CIIs, investigators should discuss investigative options
and evidential opportunities with the force department
responsible for the co-ordination of undercover
operations. The deployment of CIIs is governed by the
National Standards in Covert Investigations, which are
detailed in the Manual of Standards for the Deployment
of Covert Internet Investigators.
Read more here: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf