Chapter 1. The Scope of Computer Forensics

Computer forensics is a science because of the accepted practices used for acquiring and examining the evidence and its admissibility in court. Additionally, the tools used to retrieve and analyze digital evidence have been subjected to scientific testing over many years. In fact, the word forensics means “to bring to court.” This definition infers that digital evidence used in an investigation needs to be retrieved, handled, and analyzed in a forensically sound manner. Forensically sound means that, during the acquisition of digital evidence and throughout the investigative process, the evidence must remain in its original state. Moreover, everyone who has been in contact with the evidence must be accounted for and documented in the Chain of Custody form.

The use of computer forensics is sometimes used as incriminating evidence in criminal cases and is often referred to as inculpatory evidence. However, digital evidence can be used as exculpatory evidence, or evidence used to prove the innocence of a defendant.

Note, however, that the National Academy of Sciences has identified digital forensics as a subset of cybersecurity.

When federal agents searched Enron offices in late 2001, they found that employees had been shredding a large number of documents. Computer forensic examiners were needed to retrieve evidence from computer hard drives. The amount of digital data recovered was estimated to be equivalent to 10 times the size of the Library of Congress.

Control, ownership, and intent

Chain of events

Prevalence

Endurance (tampering with evidence)

Admissibility

Accessibility

In cases involving possession of child pornography, the defendant commonly claims that he was unaware that the images were stored on his computer. The prosecution must prove that the defendant knew of their existence and that the pictures were of minors. Email often shows that images were shared, by the suspect, with other pedophiles. Ultimately, this helps prove the suspect’s guilt and enables prosecution for the possession of child pornography using a computer to commit a child sex crime and distribute illegal images. A process known as MD5 hashing can be used to verify that an image from one computer is the same as that on another computer.

Email is very valuable to investigators because even if the defendant tries to tamper with email on his or her computer, it is still accessible from other sources. For example, email files can potentially be found on the suspect’s computer or the recipient’s computer. The email service can also be served a subpoena or search warrant to turn over email files stored on its email servers. Email files can also often be acquired from smartphones, like BlackBerries and iPhones, and other devices, like an iTouch or iPad.

Nevertheless, what is clear is that an employee’s email is the property of an individual’s employer. Therefore, a company can search an employee’s email without the consent of the individual. In 2009, in the case of Stengart vs. Loving Care Agency, Inc., the New Jersey Superior Court, Appellate Division, reiterated that an employer may access and read an employee’s email without the employee’s consent when the employee uses the company’s technology to access email. Therefore, gaining access to email communications is often easier than gaining access to other methods of communication.

Most professional computer forensics imaging and analysis software, including AccessData’s FTK application, contains a user interface that can filter by file type and separate images. These image files are grouped together and include image files that the software carved away from other files. For example, if an email or a Microsoft Word document contained an image, the application would remove it and group it with other image files that it found.

X-Ways Forensics analysis software and other forensic tools allow the investigator to filter all images with a skin tone ratio. The result is that, for the most part, only images of people are displayed after the search is run. Photographs have been used for many years in the courtroom, but digital images today provide more information than traditional film photography.

The use of skimmers at automated teller machines (ATMs) has resulted in the theft of millions of dollars worldwide. A skimmer (see Figure 1.2) is a device used to capture the data stored on the magnetic stripe of an ATM card, credit card, or debit card. Surveillance video can be critical to the successful capture of these criminals.

Closed-circuit television (CCTV) is the use of video transmitted to a particular location. In the city of London, there are an estimated 500,000 CCTV cameras. These cameras have been used to investigate tourists who have been robbed of their possessions or the high-profile cases like the poisoning of former Russian spy Alexander Litvenko in 2006.

Computer forensics investigators have a variety of forensic tools to choose from, including some that enhance the quality of video being analyzed. Other tools provide customizable stills at predetermined points in a video. These image stills are valuable because they can be included in an investigator’s report. More importantly, these tools provide the investigator with an efficient method of identifying when in the video the important incriminating evidence exists without having to watch the video from start to finish. Moreover, if the video content is disturbing, the investigator does not have to be subjected to watching the entire distressing video.

Ultimately, in the courtroom, video evidence can be the most compelling type of evidence for a jury to convict a criminal.

As Figure 1.3 shows, the client computer is a computer that requests a resource from a server computer. The primary purpose of a web server is to deliver HTML documents and related resources (like images) in response to client computer requests. The easiest way to remember what a client and a server do is to think of a client as a customer and a server as providing a service. Most professional computer forensics tools can image the contents of RAM effectively while the computer is powered on. A number of open source RAM analysis tools also are available.

Cellular telephones are often used to track down suspects. In the recent murder investigation of Fred Jablin, Detective Coby Kelley obtained a warrant for suspect Piper Rountree’s cellular telephone records. Because cellular telephone towers keep track of your cellular telephone as you move from one cell zone to another, the detective was able to locate the suspect in Richmond, Virginia, as she was heading east on I-64 toward the Norfolk airport. Later the cellular telephone was found transmitting from Baltimore, Maryland. After further investigation, it was discovered that Rountree had booked a flight from Baltimore to Texas in her sister’s name. Piper Rountree maintained that she had never left Houston, Texas, but the cellphone forensics proved otherwise and was critical to establishing Rountree’s guilt.

More information about the use of cellular telephones, in computer forensics investigations, will be discussed in Chapter 9 – Mobile Forensics.

Simply locating and retrieving the evidentiary files is not enough. An expert computer forensics examiner must have extensive investigative abilities, which will allow him to associate that evidence with an individual; the examiner should be able to use digital evidence to demonstrate control, ownership, and intent. For example, an investigator must be able to prove that a suspect was in control of a computer when the files were stored in memory. An example of control in this scenario is if the user used a login and password to access the computer. Ownership is another important factor when trying to prove guilt. This can be proved when the investigator can demonstrate that the suspect created a file, modified a file, or emailed the file to someone. Finally, intent is generally vital to the successful prosecution of a criminal. In computer forensics, defendants might argue that they did not intend to visit a particular website or that they inadvertently downloaded images but never viewed them. Therefore, the computer forensics investigator is also obligated to prove that a website was accessed multiple times or perhaps that an image was viewed on a number of occasions and subsequently distributed to others, to prove intent.

Criminal investigators are typically required to reconstruct the events of a crime. Technology has facilitated this reconstruction process. A suspect can be tracked through his use of an MTA MetroCard, linked to a credit card, in the New York City Subway or through an E-Z Pass tollbooth payment. In early 2014, Queens County (NY) prosecutors charged a taxi driver, Rodolfo Sanchez, with grand larceny, theft of service, and possession of stolen property for a scheme after an E-Z Pass transmitter and its records showed that the driver had evaded paying numerous MTA (Metropolitan Transportation Authority) bridge and tunnel tolls. A suspect can also be potentially tracked by cellular telephone usage.

Computer forensic investigation occupations exist in law enforcement at the local, county, state, federal, and international levels. However, the private sector also has extensive opportunities for computer forensics examiners. Most accounting firms have a computer forensics laboratory, and the major firms have multiple laboratories nationwide. Corporations often procure the services of an accounting firm’s computer forensics division in their investigations. Much of their business is derived from eDiscovery (electronic discovery), which refers to the recovery of digitally stored data. The need for this recovery could be necessitated by litigation with another corporation or could be in response to a request for information from the Securities and Exchange Commission (SEC). eDiscovery services are generally associated with civil litigation.

Skilled computer forensics examiners also have job opportunities within private investigation firms. These firms will be retained by individuals who are involved in litigation. Other times, they are retained by individuals going through divorce proceedings that involve a contested settlement or accusations of infidelity. This is especially true when a contentious custody battle ensues. It could be argued that the growth of cellular telephone forensics was prompted by some people investigating their spouse’s calls to identify infidelity.

As computer forensics grows in importance, and as we embrace new technologies, continuing needs arise for new software and hardware solutions. Software and hardware companies, like AccessData, Guidance Software, BlackBag, and Paraben, employ and need individuals skilled in both computer science and investigations. Some of the larger law firms around the world also have employed computer forensics investigators or contracted the services of computer forensics consultants as the need for this type of expertise increases. Moreover, in many cases, computer forensics examiners have been called to the stand at trials to testify as expert witnesses.

Financial systems across the world also rely heavily on electronic communications and the digital storage of customer account information. Credit card fraud, wire fraud, and other instances of financial fraud have quickly pushed financial institutions to develop and invest in the field of computer forensics to capture and convict criminals. This capability provides financial institutions with a greater knowledge of criminal activity and strategies and tactics for improving computer security.

Other types of organizations training or engaging the services of computer forensics investigators are Department of Defense agencies, including the United States Air Force, Army, and Navy. The Internal Revenue Service (IRS) is one of the oldest government agencies involved in computer forensics. Federal agencies such as the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Immigration Customs Enforcement (ICE), Drug Enforcement Agency (DEA), and U.S. Secret Service have computer forensics laboratories as well. For the FBI, this knowledge is critical, whether it’s for a white-collar crime involving money laundering or perhaps the electronic communications of Al-Qaida terrorist operatives. The Secret Service also increasingly utilizes computer forensics in its investigations, including counterfeiting investigations.

In October 2001, President Bush signed the USA PATRIOT Act into law (H.R. 3162). One of the provisions of the act was to establish a nationwide network of Electronic Crimes Task Forces. The network consists of federal, state, and local law enforcement, in addition to prosecutors, academia, and private industry. This force is charged with protection of the United States’s critical infrastructures. Moreover, the expertise of computer forensics examiners is imperative to the successful investigation of attacks on infrastructures, including the financial system and the power grid.

Clearly, jobs for computer forensics investigators are available in many sectors of the economy, propelled by the digitization of our personal information. Theft of our personal information and attacks on our critical infrastructures will only increase, so there will continue to be a need for expertise in the field of computer forensics. The scope of the discipline has expanded so much that specialized positions have emerged. Some examiners are trained to seize digital devices and then create images of files on those devices. These images of stored files are then transferred to another area of the laboratory, where the image is searched for files that are specifically linked to the investigation. Later, another team might be responsible for writing the report and making the evidence available through a secure website. The latter is a procedure known as discovery, whereby both defense and prosecution lawyers can view the evidence.

Specialization within the field of computer forensics is also apparent when it comes to different types of devices. Mobile forensics investigators focus on cellular telephone evidence, and now Mac forensics specialists focus on Apple computers and devices such as an iPad or an iPod.

In 2001, the USA PATRIOT Act mandated that the United States Secret Service expand its successful New York Electronic Crimes Task Force and establish ECTFs nationwide. The following year, in response to a lack of coordination of law enforcement agencies prior to the events of September 11, 2001, the Department of Homeland Security (DHS) was formed. Its primary responsibility was to protect the United States from terrorist attacks and also to effectively respond to natural disasters. The Secret Service then became an agency within the DHS. In April 2003, the PROTECT Act (also known as the Amber Alert Bill) gave full authorization to the USSS to manage investigations involving child abuse and provided greater funding and resources to these efforts. In 2007, the agency established the National Computer Forensics Institute (NCFI) as a partnership between the USSS and the DHS, the Alabama District Attorneys Association, the State of Alabama, and the city of Hoover, AL. NCFI provides computer forensics training to law enforcement, prosecutors, and judges. The NCFI facility is comprised of high-technology classrooms, a computer forensics laboratory, and a mock courtroom. In reality, the USSS is typically less involved with child exploitation cases, given its focus on financial crimes. The FBI, the DHS-ICE, and the Postal Inspector’s Service are more involved in child abuse cases.

The need for international collaboration, especially cooperation with law enforcement in Europe, has become more important since the events of September 11, 2001. Therefore, in 2009 the USSS established the first European Electronic Crimes Task Force, based in Rome, Italy. The following year, the USSS established the United Kingdom Electronic Crimes Task Force.

INTERPOL’s Incident Response Team (IRT) has provided computer forensics expertise on a number of high-profile international investigations. In a 2008 report, computer forensics examiners from law enforcement in Australia and Singapore examined 609GB of data on eight laptops, two external hard drives, and three USB thumb drives at the request of the Columbian authorities. The hardware and software belonged to the Fuerzas Armadas Revolucionarias de Colombia (FARC). FARC is an antigovernment terrorist organization in Columbia, which is largely funded through its control of illegal drug trafficking, primarily the trafficking of cocaine. Columbian investigators contacted INTERPOL to examine the seized laptops in an effort to have unbiased investigators view the digital evidence to corroborate assertions that the digital evidence had been handled in a forensically sound manner.

At the 2008 ICPO-INTERPOL General Assembly in St. Petersburg, Russian approval was made for the creation of an INTERPOL Computer Forensics Analysis Unit. This unit provides training and assistance on computer forensics investigations and has been charged with the development of international standards for the search, seizure, and investigation of electronic evidence.

INTERPOL has worked for many years on fighting crimes against children. Similar to NCMEC, since 2001, INTERPOL has maintained a database of exploited children, referred to as the INTERPOL Child Abuse Image Database (ICAID). Subsequently, in 2009, ICAID was replaced by the International Child Sexual Exploitation image database (ICSE DB). The database is accessible to law enforcement in real time around the world. This powerful database incorporates image comparison software to link victims with places. INTERPOL also works with other agencies worldwide to fight child abuse, including COSPOL Internet Related Child Abuse Material Project (CIRCAMP) and the Virtual Global Taskforce. CIRCAMP is a European law enforcement network, that monitors the Internet to detect child pornography and child abuse. The Virtual Global Taskforce has the same purpose and mission but is a global network of law enforcement agencies fighting online child abuse.

INTERPOL has been successful in coordinating international efforts to apprehend suspected pedophiles. Following a 2006 police raid on Internet predators in Norway, investigators discovered a laptop containing nearly 800 horrifying images of young boys. Nearly 100 of the images depicted a middle-aged, white male watching these boys being abused. The authorities requested the assistance of INTERPOL to track down the unknown predator. INTERPOL initiated a massive manhunt and solicited help from the public through the media. Within 48 hours of the appeal for help, INTERPOL and Immigration and Customs Enforcement (ICE) arrested 60-year-old Wayne Nelson Corliss of Union, New Jersey.

Reports after the events of 9/11 cited the lack of information sharing between government agencies, like the NSA, CIA, and FBI, as being a major impediment to preventing the terrorist attacks. For example, Ziad Jarrah, who hijacked the United Airlines Flight 93 on September 11, 2001, which crashed in Pennsylvania, was stopped by local police for speeding on September 9. The state trooper had no intelligence to detain Jarrah and did not know that he was being tracked by the FBI.

Local law enforcement collects information and then adds this information to fusion centers. The type of information collected includes surveillance camera footage, license plate numbers, and suspicious activity reports. The suspicious activity reports can include reports about individuals taking photographs of government buildings, making maps, or holding unusual group meetings.

The fusion centers reportedly maintain databases of information for just about every American—information that includes unlisted cellular telephones numbers, drivers’ license information, and insurance claims. The fusion centers also collect information from relatively unknown data mining companies such as Entersect. Entersect provides information to human resources about potential hires and their criminal records, litigation and bankruptcy histories, education, and employment references. It also provides a service to law enforcement known as Entersect Police Online. According to its website (entersect.net) they can provide law enforcement with access to 12 billion online records covering 98 percent of the U.S. population. Fusion centers also utilize other commercial database vendors, like Lexis-Nexis.

As a result of their secrecy and the amount of personal information collected, fusion centers have been shrouded in controversy. Civil liberties organizations, like the American Civil Liberties Union (ACLU), have frowned upon their zeal for collecting personal information and their lack of oversight. These fusion centers are a combination of both law enforcement and corporate personnel. Some have questioned the role of local law enforcement in monitoring suspicious activity. For example, in 2008, Duane Kerzic was arrested by Amtrak Police at Penn Station in New York after he was spotted on a train platform taking a photo of a train. He was handcuffed in a holding cell. It transpired that Kerzic was actually trying to win Amtrak’s annual photo contest.

Although the role of fusion centers can be categorized as counterterrorism, they may well play an active role in future computer forensics investigations. Fusion centers provide a clear indication of the type of digital information being collected and stored.

Carnegie Mellon’s Computer Emergency Response Team (CERT) has developed a number of computer forensics tools exclusively for law enforcement. Training on these tools has been available through CERT’s Virtual Training Environment (VTE).

Headquartered in Glynco, Georgia, the Federal Law Enforcement Training Center (FLETC) is an interagency law enforcement training organization for more than 80 federal agencies nationwide. One of the programs it provides is the Seized Computer Evidence Recovery Specialist (SCERS). FLETC also provides training in topics such as Mac forensics and network forensics.

The National White Collar Crime Center (NW3C) is an agency that delivers training and investigative support to law enforcement and those who prosecute criminal cases. NW3C hosts classes in various aspects of computer forensics, including cellphone forensics, online investigations, operating systems, file systems, and acquisition and handling of digital evidence. The Secure Techniques for Onsite Preview (STOP) class is one of its well-recognized courses. The class is for probation/parole officers, detectives, and officers who perform spot checks or home visits and need to quickly check a computer in a forensically sound manner. For example, a parole officer might need to check for images on the home computer of a convicted sex offender.

INTERPOL has provided computer forensics investigative support globally for law enforcement. In April 2009, University College Dublin (UCD) and INTERPOL launched an e-crime investigation training initiative. Not only did this initiative provide training, but it also facilitated academic exchanges in the field of computer forensics to further the skills of computer forensics examiners. UCD has a prestigious Master of Science in Forensic Computing and Cybercrime investigation degree program that is exclusively available to law enforcement worldwide.

The High Tech Crime Investigation Association (HTCIA) is an organization that was established to facilitate the exchange of information for computer forensics professionals in law enforcement and prosecution. However, it is not a formal training organization. Membership is available to security professionals and computer forensics researchers, as well as teachers in academia. Professionals associated with criminal defense are prohibited from joining the organization. The HTCIA has local chapters around the United States that have monthly meetings featuring guest speakers from the private and public sectors. The HTCIA also provides training in the latest computer forensics tools and investigative techniques.

Another organization committed to the exchange of ideas and practices in computer forensics is the Computer Technology Investigators Network (CTIN). CTIN membership is open to law enforcement, corporate security professionals, and members of the academic community. Finally, InfraGard is a public-private agency of the FBI, which promotes the exchange of information between the private and public sectors on issues related to terrorism, intelligence, and security matters. InfraGard has established local chapters nationally, and membership is open to all U.S. citizens, who are subject to an FBI background check.

The following is a list of computer forensics certifications available that are beneficial to legitimizing the credentials of a computer forensics examiner. However, the list is not an exhaustive one.

John Mellon was an active member of IACIS before he founded the International Society of Forensic Computer Examiners (ISFCE). He developed a certificate known as the Certified Computer Examiner (CCE), which was first awarded in 2003. The ISFCE has four testing centers and provides a proficiency test for the American Society of Crime Laboratories Directors/Laboratory Accreditation Board (ASCLD/LAB), which is recognized as the pinnacle of certifications for forensic laboratories. ASCLD is a nonprofit, professional society of crime laboratory directors and forensic science managers who seek to promote excellence in the field of forensic science, including computer forensics. The United States Secret Service and many other law enforcement computer forensics laboratories are accredited by ASCLD/LAB, which is a testament to the prestige that this certification carries.

Many other vendor-neutral certifications are available to the public. The Certified Computer Forensics Examiner (CCFE) certification is offered by the Information Assurance Certification Review Board (IACRB). To attain the CCFE, the candidate must successfully demonstrate a mastery of the following domains:

Law, ethics, and legal issues

The investigation process

Computer forensic tools

Hard disk evidence recovery and integrity

Digital device recovery and integrity

File system forensics

Evidence analysis and correlation

Evidence recovery of Windows-based systems

Network and volatile memory forensics

Report writing

The Certified Forensic Consultant (CFC) certification, awarded by the American College of Forensics Examiners International (ACFEI), focuses on the legal aspects of computer forensics within the United States. The program educates students in the following areas:

The litigation process

Federal rules of evidence

The discovery process

Note taking

Site inspection

The written report

The retainer letter

Types of witness

The expert witness report

Preparing for deposition

What to expect at deposition

Preparing for trial

Testifying at trial

What to bring to court

The business of forensic consulting

The ACFEI also provides training and assessment for the Certified Forensic Accountant (Cr.FA) certification. A forensic accountant is an individual who has an accounting background and is involved with financial investigations.

Since its formation in 1989, the SANS (SysAdmin, Audit, Network, Security) Institute has provided training to security professionals in both the public and private sectors. SANS also provides training in computer forensics and hosts a class called Computer Forensic Investigations and Incident Response. This course provides the training required to achieve the certification of GIAC Certified Forensic Analyst (GCFA). Founded in 1999, the Global Information Assurance Certification (GIAC) provides skills assessments for security professionals.

The Certified Security Incident Handler (CSIH) program is an excellent course for a computer forensics investigator to take. The certificate program is offered by CERT (Computer Emergency Response Team) and is a division of the Software Engineering Institute (SEI) at Carnegie Mellon University. SEI is a federally funded research and development center sponsored by the Department of Defense (DoD). CERT provides training to network administrators and other technical support staff. The training includes the identification of existing and potential threats to networks. Moreover, CERT trains security professionals on how to handle security breaches. CERT has a renowned forensics team that works closely with law enforcement on research projects for gap areas not addressed by commercial tools for computer forensics investigators.

It is quite common for a computer forensics investigator, particularly in the private sector, to be a Certified Information Systems Security Professional (CISSP). The certification is offered by the International Information Systems Security Certification Consortium (ISC)². The certification has been formally approved by the DoD in its Information Assurance Technical and Managerial categories. This important well-regarded certification is achieved after successful completion of an examination of the Common Body of Knowledge (CBK). The CBK covers the following domains of security:

Access control

Application development security

Business continuity and disaster recovery planning

Cryptography

Information security governance and risk management

Legal, regulations, investigations, and compliance

Operations security

Physical security

Security architecture and design

Telecommunications and network security

To pass the CISSP examination, the examinee must score at least 700 out of 1,000 points from 250 multiple-choice questions. A CISSP applicant must prove that he has a minimum of five years’ experience in 2 or more of the 10 domains. The applicant is also subject to a criminal background check and must abide by the CISSP Code of Ethics. Once approved for the certification, a CISSP must attain Continuing Professional Credits (CPE) to maintain his certification.

Another recognized security certification often held by computer forensics examiners is the Certified Information Security Manager (CISM). Like the CISSP certification, the CISM certification is for security professionals. It differs from the CISSP, however, because the CISM is a certification for information security managers with experience in the following areas:

Information security governance

Information risk management

Information security program development

Information security program management

Incident management and response

As with the CISSP certification, anyone with CISM certification has a continuing professional education requirement so that they stay up-to-date with the latest knowledge in information security management.

AccessData provides an AccessData Bootcamp and classes in Windows Forensics, Mac Forensics, Internet Forensics, and Mobile Forensics. Its best-known certification is the AccessData Certified Examiner (ACE). The exam tests the user’s competencies with the FTK Imager, Registry Viewer, and PRTK tools.

Guidance Software also provides training and assessment for computer forensics examiners. A student who can demonstrate proficiency with EnCase can become an EnCase Certified Examiner (EnCE).

X-Ways Forensics provides regular training and assessment with the X-Ways Forensics bit-stream imaging tool and also the WinHex product. Typically, an X-Ways instructor conducts a 5-day class, beginning with a 2-day session on file systems. The remaining days focus on the forensic tools.

The ACE and EnCE certifications, as well as X-Ways Forensics training, are open to professionals from both the private and public sectors.

An effective computer forensics investigator should possess skills in a number of areas, including computer science, criminal justice, law, mathematics, writing, forensic science, and linguistics. These skills can be gained through various avenues, such as on-the-job training (common in law enforcement), degree programs at colleges, or certification courses. Those who want to pursue a career in computer forensics have many opportunities in both the private and public sectors.

The advent of the personal computer in the 1980s increased computer usage in the home and prompted an increase in computer-related crime. Subsequently, government agencies began to devote resources to computer forensics, evidenced by the establishment of the Computer Analysis and Response Team (CART) at the FBI. The introduction of web browsers in the 1990s stimulated a huge migration of personal computer users to the Internet and ultimately made the Internet a valuable resource for finding information about suspects and also a source of incriminating evidence. Many agencies within the Department of Homeland Security (DHS) use computer forensics. For example, the Internet has facilitated international criminal networks, so INTERPOL has greatly enhanced its computer forensics capabilities. The need for international collaboration between DHS and other countries already exists but will continue to grow, especially in the field of computer forensics.

Table 1.1 provides a brief historical perspective of computer forensics.

BitLocker: An encryption tool that was introduced with the Ultimate and Enterprise editions of Microsoft Windows Vista, which allows for encryption at the file, folder, or drive level.

bit-stream imaging tool: A tool that produces a bit-for-bit copy of original media, including files marked for deletion.

Chain of Custody: Documentation of each person who has been in contact with evidence, from its seizure, to its investigation, to its submission to court.

client computer: A computer that requests a resource from a server computer.

closed-circuit television (CCTV): Use of video that is transmitted to a particular location.

Computer Analysis and Response Team (CART): A unit within the FBI that is responsible for providing support for investigations that require skilled computer forensics examinations.

computer forensics: The retrieval, analysis, and use of digital evidence in a civil or criminal investigation.

computer security: Prevention of unauthorized access to computers and their associated resources.

Computer Technology Investigators Network (CTIN): An organization committed to the exchange of ideas and practices in computer forensics.

eDiscovery: The recovery of digitally stored data.

Electronic Crimes Task Force (ECTF): Nationwide centers used to collaboratively investigate cybercrimes.

encryption: The process of scrambling plain text into an unreadable format using a mathematical formula.

exculpatory evidence: Evidence used to prove the innocence of a defendant.

Federal Law Enforcement Training Center (FLETC): An interagency law enforcement training organization for more than 80 federal agencies nationwide.

file metadata: Information about a file that can include the creation, modified and last access dates, and also the user who created the file.

forensic accountant: An individual who has an accounting background and is involved with financial investigations.

forensics: To bring to court.

GPS (Global Positioning System): Is a device that receives communications from orbiting satellites to determine geographic location.

High Tech Crime Investigation Association (HTCIA): An organization that was established to facilitate the exchange of information between computer forensics in law enforcement and prosecution.

inculpatory evidence: Incriminating evidence often used to convict a criminal.

InfraGard: A public-private agency of the FBI that promotes the exchange of information between the private and public sectors on issues related to terrorism, intelligence, and security matters.

INTERPOL: The world’s largest international police organization, representing 188 member countries.

National Center for Missing and Exploited Children (NCMEC): An agency mandated to help locate missing children and combat the (sexual) exploitation of children.

National White Collar Crime Center (NW3C): An agency that delivers training and investigative support to law enforcement and those who prosecute criminal cases.

random access memory (RAM): Often referred to as short-term memory or volatile memory because its contents largely disappear when the computer is powered down. A user’s current activity and processes, including Internet activity, are stored in RAM.

Regional Computer Forensics Laboratory (RCFL): An FBI-sponsored laboratory that trains law enforcement in the use of computer forensics tools and collaboratively works on criminal investigations.

skimmer: A device used to capture the information stored in the magnetic strip of an ATM card, credit card, or debit card.

spoliation of evidence: Hiding, altering, or destroying evidence related to an investigation.

tampering with evidence: The concealment, destruction, alteration, or falsification of evidence.

web server: Delivers HTML documents and related resources in response to client computer requests.

2. What is computer forensics, and how is it used in investigations?

A. Computer forensics is the use of evidence to solve computer crimes.

B. Computer forensics is the use of digital evidence to solve a crime.

C. Computer forensics is used only to find deleted files on a computer.

D. Computer forensics is used only to examine desktop and laptop computers.

2. A Chain of Custody form is used to document which of the following?

A. Law enforcement officers who arrest and imprison a criminal suspect

B. A chain of letters or emails used in an investigation

C. Anyone who has been in contact with evidence in a case

D. None of the above

3. Which of the following can be of evidentiary value to a computer forensics examiner?

A. A compact disc

B. An Xbox

C. A digital camera

D. All of the above

4. Which of the following statements best describes a bit-stream imaging tool?

A. A bit-stream imaging tool produces a bit-for-bit copy of the original media.

B. A bit-stream imaging tool often provides the examiner with deleted files.

C. Neither A or B is correct.

D. Both A and B are correct.

5. Which of the following are benefits of email evidence?

A. Email evidence generally exists in multiple areas.

B. It can often be found easier than other types of evidence.

C. It has been accepted as admissible evidence in a number of cases.

D. All of the above.

6. Which of the following statements is not true about photo images?

A. Images can possess evidence of where the suspect has been.

B. Images cannot be easily found using bit-stream imaging tools such as FTK.

C. An image can identify the make and model of the digital camera.

D. Basically just one type of digital image is used today.

7. Which of the following terms best describes the hiding, altering, or destroying of evidence related to an investigation?

A. Spoliation of evidence

B. Manipulation of evidence

C. Inculpatory evidence

D. Exculpatory evidence

8. The Computer Analysis and Response Team (CART) is a unit of which government agency?

A. USSS

B. FBI

C. CIA

D. ICE

9. Which of the following acts established the Department of Homeland Security and mandated that the United States Secret Service establish Electronic Crime Task Forces nationwide?

A. Health Insurance Portability and Accountability Act

B. Children’s Online Privacy Protection Act

C. The PROTECT Act

D. The USA PATRIOT Act

10. Which of the following statements is not true about Regional Computer Forensics Laboratories (RCFLs)?

A. RCFLs can be used by criminal defense lawyers.

B. The establishment of RCFLs has been sponsored by the FBI.

C. RCFLs not only are used for investigations, but also provide computer forensics training.

D. RCFLs exist in both the United States and Europe.

2. Computer ________ is the use of digital evidence in a criminal investigation.

3. Computer ________ is the prevention of unauthorized access to computers and their associated resources.

4. A defendant can prove his innocence with the use of ________ evidence.

5. The process of scrambling plain text into an unreadable format using a mathematical formula is called ________.

6. The world’s largest international police organization is called ________.

7. Short-term, volatile memory, the contents of which disappear when a computer is powered down, is called ________ access memory.

8. A(n) ________ is a device used to capture the information stored in the magnetic strip of an ATM, credit, or debit card.

9. A(n) ________ server delivers HTML documents and related resources in response to client computer requests.

10. ________ is a public-private agency of the FBI, which promotes the exchange of information between the private and public sectors on issues related to terrorism, intelligence, and security matters.

Detail the types of digital evidence you will need for this investigation.