Using Digital Forensics and Investigative Techniques to Identify Cybercrime Suspects
Copyright
Syngress is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA
First published 2013
Copyright 2013 Elsevier Inc. All rights reserved.
The material in this book is excerpted from Placing the Suspect Behind the Keyboard: Using Digital Forensics and Investigative Techniques to Identify Cybercrime Suspects.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publishers permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Trademarks/Registered Trademarks: Brand names mentioned in this book are protected by their respective trademarks and are acknowledged.
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
ISBN: 978-0-12-409506-9
For information on all Syngress publications visit our website at store.elsevier.com
This book has been manufactured using Print On Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate.
Chapter 1
Investigative Case Management
Introduction
Basic Case Tracking
The Case Name
Note Taking
Analyzing Your Notes
Analysis with Spreadsheets
Analysis with Databases
Analysis Using Charts
Analysis Using Maps
Fresh Set of Eyes
Summary
Bibliography
. A case with any amount electronic evidence from a single storage device will quickly overwhelm a system of binders.
Figure 1.1 Finding a single document in a shelf of binders can take more time than necessary compared to searching an electronic folder.
Investigative case management enables you to find information quickly and help you understand your investigation as a whole. Comprehending your reconstruction of the incident in your investigation will allow to you see the totality of the reconstructed incident as if you were there when it occurred. You will have more Eureka! moments when data can be seen as a whole and inferences between suspects and acts stand out clearly among all information.
There may be a few investigators and analysts who can keep a neat desk during complex cases whilst the rest of us struggle to keep ahead of growing mounds of paper. Hundreds of pages are printed to be sorted throughout the case, duplicates of forms, photos, mail, court orders, and evidence requests are constantly generated to be filed in some manner, and this can quickly engulf anyone. With multiple cases and exams of multiple storage devices in each case generating even more case records, a common scene of the work area can appear to look like the results of a small office hurricane. Work areas that are cluttered and disorganized will also coincidently consist of cases that are not solved quickly, or even solved at all. This chapter intends to give methods of controlling information and analyzing it at the same time.
1.1.1 Basic Case Tracking
If there is one rule to remember, it is to handle evidence and information as it is collected. As long as each item is bagged and tagged in your system, the odds of losing or overlooking information are minimized. Bagging and tagging can easily be accomplished using logs where evidence or information that arrives is logged on paper, as it arrives, and filed away.
Tip
A Stitch in Time Saves Nine
I have never seen success with any method of evidence that does not involve handling it immediately when collected. Evidence that is placed aside to deal with at a later time usually results in lost or missing evidence or forgetting where items of evidence originated. Handle it as soon as you touch it or you may never see it again.
All other methods of dealing with evidence make your case management that much easier. If you have a good system already, perhaps it can be made better using one of the methods described. And if one suggestion saves you minutes or hours over a period of time, then it is a worthwhile change to make.
Although electronic data can be reproduced and fingerprint cards photocopied and scanned, the reproductions of the actual physical items cannot be cloned. The storage of these types of items requires safe storage within a secured facility. Physical evidence storage is vitally important, but this will not be the focus of this chapter. The focus is to manage your investigation information so that suspects can be clearly identified and evidence supporting suppositions are evident.
1.1.2 The Case Name
Before you can analyze your own information, you need to be able to find it. As seemingly unimportant it sounds, naming your cases deserves some attention. Depending upon your agency or organization, there may be an automated system for case names and you have no choice other than what the system gives you. There is nothing wrong with that as an internal system is already in place.
But what if you are responsible for creating the name for all your cases? In that instance, especially if there is more than one person that works cases in your organization, having any system is better than having more than one system or no system at all. shows a simple case numbering system that is based on the date the case was created with an additional sequential number if more than one case is drawn on that particular day.