Handling Digital Evidence Information Technology Essay

A Suspect, 17 year old male, is a suspected online pedophile, using online chat, email and text messaging using web/internet to phone (eliminating in this scenario phone to phone text messaging), to entice children. He is also thought to be using information obtained through credit card fraud to pay for online activity and to camouflage his identity. Suspect has a Windows-based computer in his room, and only he has access to it. His mother reported seeing naked pictures of minors on his son’s computer screen several times, and also, mother reported that they are getting packages in the mail not sent to their addresses but addressed to different names. His son opens the packages and keeps the items.

Description of the use of computer operating system data you would use in investigating the case.

One can acquire important information, evidence, or intelligence information gathering using a computer’s operating system (OS) information, and they are as follow (Knetzger & Muraski, 2008):

The use of file date and time (creation date, last accessed, modified) – The operating system keeps a trail or record of file and its properties, such as the date and time a file is created, last access & last modified. This is important to an investigation because it backs up or it shows when the exact date was file was created, access and modified. For example, if Joe left work for a doctor’s appointment from noon to 2:00PM on 1/2/2011, and the file that is in question was created, access or modified at 1/2/011 at 1:00PM, it is safe to say that Joe was not the suspect because he was out of the office when the file was created, access or modified. Date created is when the file was originally generated. Date last access, is when the file was accessed by not modified. Date modified is when the file was last accessed and modified. Take note that these times are using the system clock. Therefore, if someone changes the date from 2011 to 2001, then the stamps will peculiar or different associated with the file date/time properties.

System date and time – There are many uses of the system date and time aside from the relation to file properties. The use of the time zone (Coordinated Universal Time – UTC) setting, such as knowing on email where or which time zone (or setting) it was sent from, for example, system logs uses system date and time also, such as when the last password was changed, when MS Outlook was last launched, when the last defrag was ran, etc.

File type (the use of file extension and file header) – File extensions are associated with its file type. A picture file, such as .jpg, .bmp, .png, will open a graphic application or program. A .doc file may open MS Word or WordPad. A .txt file will open a Text Editor. A video file will open a video file and so forth. Though, not all applications or file will open based on the file extension because of many reasons. One reason is an application may not be installed on a computer. If the file .xlsx was emailed to User A, whose machine does not have Excel installed, then even if he double clicks the file, the file will not open because the application associated with it is not installed on his machine. Keeping this in mind, many high-tech felons change the file extension to throw off an investigator, but that they do not know is that changing file extensions do not have the file header. A file header contains coded information. Therefore, if a .DOC file was changed to .TXT, the file header will still show that it’s a .DOC (in hexadecimal format). Forensic Analysis Applications read file headers and not file extensions (Spruill, 2010).

File path, folders and properties – Knowing where the file is stored, which folder it is store and its properties, such as file size, etc. Taking notes of all these information is important when gathering evidence. Knowing where the suspect is hiding the files, such as creating a folder and hiding it outside the “My Documents” folder is important.

Bookmarks and Favorites – These information shows where the user often visits. Using the “recently visited” sites is useful information too.

Logging & Registry – Keeps track of changes in password, installs/uninstalls, programs deleted, when a hardware device was installed, uninstalled, last connected, etc.

Recently used / ran programs – In Windows, clicking Start will show the last accessed, ran or used applications. For example, if a suspect reports that MS Outlook was never access on his computer, and it shows that it was last accessed “yesterday” then the application was accessed no more than 2 days ago.

Recent Documents (within an application) – This works the same as recently ran programs. This section will show the last documents accessed on the computer. Also, within an application, MS Word, for example, by clicking File (or the Office Icon), under the “Recent Documents” section shows the last documents accessed. The number of documents shown could be setup by the user.

And so forth —- Everything that falls under the tasks performed by the operating system, such as (Knetzger & Muraski, 2008), “processor management, system resources configuration, hardware device configuration, storage management, program interface and user interface” (p.36).

In addition, if the law officer is not an expert, and is only there to gather information, he must act as the legal advisor, and leave the technical system administration to the technical experts, such as a Forensic Specialist. Leave the technical work to the technical experts so that evidence is secured and preserved properly.

Your specific investigation relative to how the individual obtained credit card data.

In this scenario, the suspect obtained credit card data through internet chat rooms. He went to internet chat rooms, such as ICQ (I Seek You) and Internet Relay Chat (IRC) to meet like-minded/ill-minded individuals and obtained for free and some with a minimal fee credit card information. Online internet chat is a great way for criminals to communicate and share information without sacrificing their identity.

Other ways to get credit card information are as follow (Knetzger & Muraski, 2008, pp.99-101):

Dumpster Driving – Where offenders filter through people’s trash or garbage cans to look for credit card information, such as bills that are tossed out in the garbage, preapproved credit card application, etc. People put their trash cans in the curb, in the public area, having lower or no level of privacy, where offenders could easily go through them.

Shoulder Surfing – Offenders looking over someone’s shoulder while he or she is making a transaction using an ATM, for example, and stealing the password, then later on stealing his or her ATM card.

Social Engineering – Offenders convincing (engineering to believe) unsuspected individuals to provide his or her username and password.

Inside Access to Credit Card Information – Offenders actually stealing within a company they work for. For example, working at a department store where customer’s credit card information is easy access.

Credit Card Number Generating Software – Offenders can easily buy this program that can generate valid credit card numbers, where they can just attach bogus names, addresses, etc. with the number to make a fake identity for the use of the credit card.

Skimming – The copying of the information of a credit card stored in the magnetic strip on the back of the credit card using a “small handheld device known as ‘skimmer’” (Knetzger & Muraski, 2008).

Email and Web Site Scams – Faking unsuspected individuals to go to a counterfeit site where they provide their information thinking that the site is genuine. In 2005, there was a phishing scam where emails were sent to eBay members reporting to change their password for identity theft security. Members were taken to a fake site, but looked genuine having the same look and feel of the authentic eBay site, where they provided their information to change their password. Taking a closer look by technical experts, the site address or Universal Resource Locator (URL), was pointing elsewhere. Millions of members were victimized (eBay, 2008)

Steal it – The actual stealing of credit cards by offenders by breaking into cars and homes, mugging, etc.

Specifics in terms of use of identity theft and high-tech crime investigative protocols.

According to Knetzger & Muraski (2008), there are several steps for investigating identity theft and high-tech online-based crimes and they are as follow (p.141):

The complaint is received, and then the complaint is determined as to the type of the complaint it is.

Create an image (evidentiary carbon copy) of the evidence.

Working on the copy, get all pertinent information from the email by expanding the header to full view, and also information from other web address, digital files, etc.

Determining the origin of evidence, such as uncovering the source IP address.

Using the IP Address Lookup to determine the ISP of source IP address, or originating IP address. An IP Address Lookup is a tool to provide more/readable information of an IP addresses. For example: 74.125.87.104 is www.google.com.

After finding out the ISP, subpoena the ISP company for records relevant to the evidence found above, such as the originator of the email, for example.

Document and safely secure and preserve all digital evidence so later it used for testing, analysis and/or recreated for court. In addition to documenting and preserving evidence, a proper maintenance of chain of custody is also a must.

In addition to the steps above, law enforcement must also recommend to victims to acquire a complete copy of their credit report, so that they can review illegal transactions. Also, if they have not already done so, to have them apply to the three (3) major credit reporting bureaus: Experian, Equifax and TransUnion for future protection.

Lastly, for identity theft, law enforcement must ask important pertinent questions relating to identity theft so that successful investigation is more successful. According to According to Knetzger & Muraski (2008), the following questionnaire should be asked or given to the victim to answer, then must be included in the case file (pp.72-73):

• What is your Social Security number?

• What is your cell phone and/or pager number?

• What is your e-mail address?

• How did you become aware of the identity theft?

• When did you first become aware of the identity theft?

• Do you know when the identity theft first began?

• What fraudulent activity has been committed in your name?

• If a purse or wallet was stolen, what documents were kept in your wallet or purse? Include Social Security numbers, driver’s license numbers, credit card numbers, and so forth.

• To your knowledge, has your mail ever been stolen in the past?

• Do you have a post office box?

• What do you normally do with junk mail (e.g., credit card offers)? Shred them or just throw them away?

• Do you put outgoing mail in your mailbox or deliver it to a stand-alone mail receptacle or the post office?

• What other crimes have you been the victim of (e.g., burglary, theft)?

• Have you recently misplaced any financial documents (e.g.,debit/credit cards)?

• Have you recently viewed a copy of your credit history?

• Do you have a personal Web site or have you posted your personal information to any Web site (e.g., genealogy sites, blogs) or is it listed in any open source directories (e.g., white pages, birthday sites)?

• Have you recently used your credit card to purchase services over the phone or online?

• Have you recently filled out any online forms that included your personal information?

• Do you use your Social Security number as a unique identifier for medical records, mortgage records, and so forth?

• What schools or colleges have you attended? Dates of attendance?

• Is your Social Security number or driver’s license number printed on your checks?

• What financial institutions do you do business with?

• Do you use online banking, bill pay services, or purchase items on online auction sites?

• What utility companies provide your power, light, phone, and Internet services?

• What credit cards, including merchant credit cards, do you have in your name?

• Do you know who may have stolen your identity?

• Have you recently received and replied to any e-mail messages that requested personal information from you?

Method(s) you would employ in e-mail tracking.

According to Knetzger & Muraski (2008), the following are steps to tracking emails (p.164):

Make an evidentiary copy or copies of the e-mail message – Never work off of the original for preservation. Damaging the original copy cannot be used as evidence, and changes cannot be reversed and accepted in court.

Expanding email message to full email header (from basic view), shows more information such as date and time stamp, IP address or addresses and routing.

Work backward chronologically from the most recent timestamp to the oldest timestamp and examine the associated IP addresses – An IP address or IP addresses (where the email was routed before getting to its destination), shows which Internet Service Provider (ISP), the email originated from. From the full email header, date and timestamps are also shown to reveal the date it was sent from an ISP, received, routed, etc…

Perform a WHOIS after acquiring the IP address or IP addresses taken from the email full view. WHOIS is an internet application or function that will allow you to search an IP and gives back information of the said IP or domain owner or registrant.

Subpoena the appropriate ISP company to get records of domain registrant of said email sender who may be the suspect for sending the email at said source, date and time.

Specifics in terms of chat investigation protocols you would employ.

Steps to employ when investigating pedophiles using chat rooms, instead messenger, e-mail or other online communication methods are as follow (Knetzger & Muraski, 2008):

Create a fictitious online identity (undercover), such as creating fictitious accounts on chat, email, instant messaging, networking sites, photos, etc… to make the investigator appear like a minor.

Setup logging to automatically log activities on chat, instant message, and so on, to keep track of all online communication.

Visit online chat rooms that generally is used or visited by minors and young adults

Readily respond to other chatters that start communicating and pretend to be a minor even if the investigator is not a minor. It is recommended not to initiate the communication.

All efforts to send or any activities pertaining to pornography, child pornography, and other harmful material must be documented.

If an offline meeting is suggested and offered, readily respond and agree to the meeting.

Arrange a “sting operation” to arrest the suspect at the agreed meeting place, date and time.

Make the arrest

Specific techniques for online intelligence gathering you would employ.

According to Knetzger & Muraski (2008), the three (3) basic requirements to searching the internet for intelligence information are (p.213):

Knowing where to search – Such as using search engines to search the internet. There are several search engines. Some to mention are www.google.com, www.yahoo.com, www.bing.com, www.aolsearch.com, etc. There are also online groups/forums where like-minded people, such as criminals, meet. There are chat rooms such as Internet Relay Chat (IRC) and you can use www.searchirc.com to search keywords, such as “child pornography” and it will give results of chat rooms available for child pornography, messages and who posted the messages relating to “child pornography.” Other chat rooms are Yahoo Chat Groups, ICQ (I Seek You), etc. And also networking sites such as Facebook, Myspace, Friendster, etc.

Knowing how to search effectively – There are different sites where one can acquire information intelligence, such as open-source and closed-source sites. For Example, an investigator can used an open-source to search for a person or witness’ contact information to assist him with his investigation, to get closer to the suspect or get leads. He may also use a closed source such as the National Crime Information Center (NCIC) to find out the criminal history of a suspect. Effectively

Knowing what to do with the information – Is the most important step the acquisition of information gathering. The use of important information that applies to an investigation or investigations is intelligence information. Keeping records found regarding how to make a cotton candy does or may not apply to investigation of how to create a bomb, for example. Knowing what is useful and what is not is important, and how valuable the information is.

Method or methods you would employ for exceptions to the search warrant requirement to obtain information.

In this scenario, the consent by the parent of a minor, who is 17-years-old, is enough to make a search without a search warrant. Though, there are legal points to remember regarding consent (Knetzger & Muraski, 2008), and they are:

Must be given and specified voluntarily and knowingly.

Must be understood by a regular/typical person.

Keep away from using broad, general terms. Be more specific and exact with the consent regarding search of a computer and other storage devices.

It is required to get a consent to seize if the computer needs to be removed from its original place.

It is advised that consent is put in writing, even if it is not mandatory, and that the right to refuse, and how to revoke his or her consent are also spelled out in writing.

When obtaining consent from people who jointly own a computer and are present, both must consent to the search, but may be able to consent to individual user/logon names unique to only him or her. Although, in this case, it is only the minor who uses his computer and his parent consented to the search and seizure.

Procedures you would follow for obtaining a search warrant if necessary.

Probable cause is a must for all search warrants to be issued. Probably cause is a “reasonable ground for supposing that a charge is well-founded” (Merriam-Webster Online Dictionary, n.d.), such as in this case, the mother reporting her own child about pornography on his computer. Therefore, all information and intelligence information gathered from the investigations (talking to mother and witnesses, detailed facts of events, etc… that ascertains the suspect, location, person or persons, and items to be searched) should be all written in an affidavit, which can then be as foundation of probable cause. “This information (on the affidavit) must be deemed reliable and ultimately approved by a judge, court commissioner, or magistrate” (Knetzger & Muraski, 2008, p.242).

Methods you would use to extract, transport, and store digital evidence from the suspects PC.

According to Knetzger & Muraski (2008), there are protocols to follow by law enforcement when extracting, gathering, transporting digital evidence, and they are (p.282).

Preserve the original evidence by not damaging it, such as placing the item near heat or water, or by working on the original evidence. When imaging a hard drive, make sure to make a copy, and then put aside the original for protection. Make a copy of the copy, and analysis should be done on the clone of the clone of the hard drive. Analysis should be done by the expert, a Forensic Specialist, and using a Forensics Software. Functions of Computer Forensic Software are (Knetzger & Muraski, 2008): Acquire digital evidence or data files; Clone/preserve digital evidence; Analyze digital evidence files; Separate and categorize data files by type; Compare evidence files to lists of known contraband files; Recover deleted or hidden data; Crack or recover passwords to allow access to encrypted data; and Systematically report findings in a paper report (p.295).

Placing digital evidence in protective storage to preserve in unspoiled stage, such as placing hard drives in non-static, padded containers, and away from heat or liquid.

Photographing the location having wide/far shots, medium shots and close-up shots, and document, record, or even photographing anything on the computer screen, for example, that will be lost when the computer is shut down.

Keep the suspect away from electronic devices and computer/s to avoid possible damage that the suspect can impose.

Properly power down computers and electronic devices to prevent further loss of digital evidence. It is recommended for computers to be unplugged from the rear of the computer, instead of unplugging the cord from the wall only. For laptops, unplug AC adapter and also remove the battery. (Knetzger & Muraski, 2008).

Again, placing computers and digital electronic components in proper storage, protective containers, such as putting hard drives in padded, protective, non-static bags. Also making sure, again, to not place these items near heat, liquid, radio waves or from being damaged by the suspect or other individuals.

Recording serial numbers and identifying symbols or markings for each evidence items.

Seal and label evidence items.

Never leave evidence items unattended and to maintain proper chain of custody. “Once the materials are safely at the police station or agency headquarters, generally they will be completely inventoried before being secured in an evidence locker or other secure holding facility” (Knetzger & Muraski, 2008).

Methods you would use to research and recover computer files deleted by the suspect.

Check the recycle bin

Use Forensic Software to recover deleted files

Check backup devices, such as tape drives, CDs, DVD, thumb drives, external hard drives, PDA, iPod, iPhones, videos, photos, camera and camera memo chips, email, hard copy such as printouts, etc.

In addition, the two (2) important things to remember regarding deleted files are importance of time, and the way the hard drive or hard drives are set-up. Also, if the files are deleted, but the recycle bin is not emptied, then there’s a great chance of recovering the file or files. But if the recycle bin has been emptied, then the more time that elapses, the greater chance the file or files deleted will be gone by being overwritten by new ones, such as creating new files, or even just restarting the system, or running the hard drive defragment tools. As far as the drive setup, partitioned drives and how the operating system is installed make a difference. If the OS is installed on the C: drive and all data files are saved on D: and if the suspect deletes a data file on D, there’s a likelihood that a temporary file is saved in the system temporarily folder on C: especially if the suspect is not high-tech knowledgeable.

Methods you would use to access data files encrypted by the suspect.

“Encryption is a big challenge to the law enforcement community because it can range from difficult to impossible to defeat” (Knetzger & Muraski, 2008, p.301).

To try, working on a non-evidentiary copy, try to decrypt using a free encryption software available online. If lucky, an investigator could acquire a program used for encryption to decode the encrypted file.

Also, if lucky, by being provided the username and password by the suspect, or by using password cracking programs.

Real-Life Case & Commentary and Its Impact to Current Methods for Handling Digital Evidence

USA today (2010) reports that the U.S. Justice Department’s new research shows that one-third of sex crimes against minors are committed by minors themselves, and that seven (7) out of eight (8) are ages 12 years-old minimum, and 7% only of offenders are girls, which makes 93% of offenders are young men. Also, teen offenders 14 years old and older must now register as sexual predator if they commit the crime and must register every 3 months, as a requirement of the Adam Walsh Child Protection and Safety Act of 2006, according to USA Today (2010).

There is none online that shows a real-life case that relate to the scenario I have used. The public juvenile sexual predator registry does not allow me to view a certain name so that I can further research the case. No success.

The impact of real-life cases to current method is the Daubert Challenge Law. According to the US Legal (n.d.), the Daubert Challenge Law is a “hearing conducted before the judge where the validity and admissibility of expert testimony is challenged by opposing counsel. The expert is required to demonstrate that his or her methodology and reasoning are scientifically valid and can be applied to the facts of the case.” In the digital world, the Daubert Challenge is used for the acceptance of Forensic Tools. There are five (5) standard analysis/challenges for every tool that is used and they are: Tool must be falsifiable, refutable and testable; Tool have been subjected to peer review and publication; Has a known or potential error rate; The existence and maintenance of standards and controls concerning its operation; and The degree to which the theory and technique is generally accepted by the relevant scientific community. (Spruill, 2010).