Computer Crime Investigation

Computer Crime Investigation: A Comprehensive Guide for GIAC GCIH Certification

Introduction to Computer Crime Investigation

Computer crime investigation is a critical component of incident response and cyber investigations, forming a key knowledge area within the GIAC GCIH (GIAC Certified Incident Handler) certification. Understanding how computer crimes are investigated, the legal frameworks involved, and the procedural requirements for handling digital evidence is essential for any incident handler operating in today's threat landscape.

Why Computer Crime Investigation Is Important

Computer crime investigation is important for several reasons:

1. Legal Accountability: Proper investigation techniques ensure that cybercriminals can be identified, prosecuted, and held accountable for their actions. Without rigorous investigative procedures, cases may be dismissed due to improperly handled evidence.

2. Organizational Protection: Organizations that understand investigative processes can better protect themselves by preserving evidence correctly, cooperating with law enforcement, and ensuring their internal response aligns with legal requirements.

3. Evidence Integrity: Computer crime investigation establishes the chain of custody and ensures that digital evidence is collected, preserved, and presented in a manner that maintains its integrity and admissibility in court.

4. Incident Containment and Recovery: Investigative techniques help incident handlers understand the full scope of a compromise, enabling more effective containment and recovery strategies.

5. Deterrence: A well-documented and executed investigation capability serves as a deterrent to both internal and external threat actors.

What Is Computer Crime Investigation?

Computer crime investigation is the systematic process of identifying, collecting, examining, analyzing, and presenting digital evidence related to criminal activity involving computers and networks. It encompasses:

Types of Computer Crimes:
- Unauthorized access to computer systems (hacking)
- Denial of Service (DoS/DDoS) attacks
- Malware distribution (viruses, worms, ransomware, trojans)
- Data theft and exfiltration
- Identity theft and fraud
- Intellectual property theft
- Insider threats
- Cyberterrorism and cyber espionage
- Child exploitation material
- Network intrusions and advanced persistent threats (APTs)

Legal Frameworks and Laws:
- Computer Fraud and Abuse Act (CFAA) – The primary U.S. federal law addressing computer crimes, making it illegal to access a computer without authorization or to exceed authorized access.
- Electronic Communications Privacy Act (ECPA) – Governs wiretapping and electronic eavesdropping, including stored electronic communications.
- Wiretap Act (Title III) – Addresses real-time interception of communications.
- Stored Communications Act (SCA) – Part of ECPA; addresses access to stored electronic communications.
- Pen Register and Trap and Trace Statute – Covers collection of metadata (non-content) information.
- Fourth Amendment – Protects against unreasonable searches and seizures, directly impacting how digital evidence is obtained.
- State-level computer crime laws – Many states have their own statutes addressing computer crimes.
- International frameworks such as the Budapest Convention on Cybercrime.

Key Roles in Computer Crime Investigation:
- Incident handlers who detect and initially respond to incidents
- Digital forensic examiners who collect and analyze evidence
- Law enforcement officers and agents (FBI, Secret Service, local law enforcement)
- Prosecutors who present cases in court
- Corporate counsel who advise on legal obligations and liability

How Computer Crime Investigation Works

The computer crime investigation process follows a structured methodology:

1. Detection and Identification
The investigation begins when a potential computer crime is detected through intrusion detection systems, log analysis, user reports, or other monitoring mechanisms. The incident handler must determine whether the activity constitutes a potential crime and whether law enforcement should be contacted.

2. Initial Response and Notification
- Notify management and legal counsel
- Determine whether to involve law enforcement (this decision should ideally be made in advance as part of the incident response plan)
- Assess the scope and severity of the incident
- Begin documenting everything from the outset

3. Evidence Collection and Preservation
This is one of the most critical phases. Key principles include:

- Chain of Custody: Maintain a detailed, documented record of who handled the evidence, when, where, and what was done with it. Any break in the chain of custody can render evidence inadmissible.
- Order of Volatility: Collect evidence starting with the most volatile data first (RFC 3227):
  1. CPU registers, cache
  2. Routing tables, ARP cache, process table, kernel statistics, memory (RAM)
  3. Temporary file systems
  4. Disk storage
  5. Remote logging and monitoring data
  6. Physical configuration, network topology
  7. Archival media (backups, tapes)
- Forensic Imaging: Create bit-for-bit copies (forensic images) of storage media rather than working on original evidence. Tools like dd, FTK Imager, and EnCase are commonly used.
- Hashing: Generate cryptographic hashes (MD5, SHA-1, SHA-256) of evidence to verify integrity. The hash of the original must match the hash of the forensic copy.
- Write Blockers: Use hardware or software write blockers to prevent any modification of original evidence during imaging.
- Documentation: Photograph the scene, document system states, record serial numbers, note date/time stamps, and maintain detailed notes throughout the process.

4. Examination and Analysis
- Analyze forensic images, log files, network traffic captures, memory dumps, and other evidence
- Reconstruct the timeline of events
- Identify indicators of compromise (IOCs)
- Determine the attack vector, tools used, and scope of the compromise
- Correlate evidence from multiple sources

5. Reporting
- Document all findings in a clear, comprehensive report
- Include methodology, tools used, evidence examined, and conclusions
- The report should be understandable to both technical and non-technical audiences (including judges and juries)

6. Legal Proceedings
- Evidence may be presented in criminal court, civil court, or administrative proceedings
- The investigator may serve as an expert witness
- The standards for evidence admissibility must be met (relevance, authenticity, reliability)

Key Concepts for the GCIH Exam

Search and Seizure Considerations:
- Consent: An authorized person can consent to a search, which may eliminate the need for a warrant. Employers generally can consent to searches of company-owned systems.
- Warrants: Law enforcement typically needs a warrant based on probable cause to search and seize digital evidence. There are exceptions (exigent circumstances, plain view doctrine, border searches).
- Private vs. Government Searches: The Fourth Amendment restricts government searches, not private party searches. However, if a private party acts as an agent of the government, Fourth Amendment protections apply.
- Exigent Circumstances: Law enforcement may act without a warrant if evidence is in imminent danger of being destroyed.

Evidence Admissibility:
- Evidence must be relevant – it must relate to the case
- Evidence must be authentic – it must be what it claims to be
- Evidence must be reliable – the collection and preservation process must be sound
- Best Evidence Rule: Original evidence is preferred over copies, though forensic images with verified hashes are generally accepted
- Hearsay Rule: Computer-generated records may be considered hearsay, but there are exceptions (business records exception under Federal Rule of Evidence 803(6))
- Daubert Standard: Expert testimony and scientific evidence must be based on reliable methodology

Types of Evidence:
- Real/Physical Evidence: Tangible items (hard drives, USB devices, computers)
- Documentary Evidence: Written or recorded information (log files, emails, documents)
- Testimonial Evidence: Witness statements and expert testimony
- Demonstrative Evidence: Charts, diagrams, reconstructions used to illustrate points

Important Distinctions:
- Criminal vs. Civil cases: Criminal cases have a higher burden of proof (beyond a reasonable doubt) compared to civil cases (preponderance of evidence).
- Federal vs. State jurisdiction: Jurisdiction depends on where the crime occurred, where the perpetrator is located, and the nature of the crime.
- First Responder vs. Forensic Examiner: The incident handler (first responder) focuses on containment and initial evidence preservation; the forensic examiner conducts the detailed analysis.

Working with Law Enforcement:
- Establish relationships with law enforcement before an incident occurs
- Understand when and how to report incidents
- Know what information law enforcement will need
- Be aware that involving law enforcement may mean losing control of the investigation and evidence
- Organizations should weigh the benefits of prosecution against potential negative publicity

Common Pitfalls in Computer Crime Investigation:
- Failing to maintain proper chain of custody
- Working directly on original evidence instead of forensic copies
- Not collecting volatile evidence before shutting down systems
- Inadequate documentation
- Failing to establish proper authority to search (consent, warrant)
- Contaminating evidence by installing software on suspect systems
- Not involving legal counsel early in the process
- Losing evidence due to log rotation or automatic cleanup processes

Exam Tips: Answering Questions on Computer Crime Investigation

1. Know the Order of Volatility: Questions about evidence collection order appear frequently. Remember that the most volatile evidence (CPU registers, RAM) should be collected first, and the least volatile (archival media) collected last. Memorize the RFC 3227 order.

2. Understand Chain of Custody: Expect questions testing your understanding of what constitutes proper chain of custody. Any gap or undocumented handling can compromise the entire investigation. Always choose the answer that involves the most thorough documentation.

3. Focus on Legal Distinctions: Be able to distinguish between criminal and civil proceedings, understand the different burdens of proof, and know when a warrant is required versus when consent suffices. Pay attention to who has authority to consent to a search of organizational systems.

4. Remember the Fourth Amendment: It applies to government searches, not private searches. However, a private citizen directed by law enforcement to conduct a search becomes a government agent, and Fourth Amendment protections then apply.

5. Evidence Handling Best Practices: Always choose the answer that involves creating a forensic image first, verifying hashes, using write blockers, and documenting every step. Never work on original evidence.

6. Read Questions Carefully: Many questions test scenario-based decision-making. Pay attention to whether the question is about a corporate investigation (where different rules may apply regarding employee privacy and consent) versus a law enforcement investigation.

7. Know Key Laws: Be familiar with the CFAA, ECPA, and the Wiretap Act. Understand what each law covers and how they apply to different investigative scenarios. Know the difference between intercepting communications in real-time (Wiretap Act) versus accessing stored communications (Stored Communications Act).

8. Prioritize Preservation: In any scenario question, the priority should always be to preserve evidence before conducting analysis. If a question asks about the first step, think about what needs to be preserved and documented before taking any investigative action.

9. Understand Jurisdictional Issues: Computer crimes often cross state and international boundaries. Know that federal agencies typically handle cases involving interstate or international crimes, critical infrastructure, or cases exceeding certain monetary thresholds.

10. Business Records Exception: Understand that computer-generated business records maintained in the normal course of business may be admissible under the business records exception to the hearsay rule. This is a frequently tested concept.

11. Eliminate Obviously Wrong Answers: In multiple-choice scenarios, eliminate answers that suggest working on original evidence, skipping documentation, or failing to involve legal counsel. These are almost always incorrect.

12. Think Like an Incident Handler: The GCIH exam focuses on the incident handler's perspective. Your role is to detect, respond, preserve, and coordinate – not necessarily to conduct the full forensic investigation or prosecution yourself. Choose answers that reflect proper coordination with forensic specialists and law enforcement when appropriate.

Summary

Computer crime investigation is a multidisciplinary field that combines technical skills with legal knowledge and procedural rigor. For the GCIH exam, focus on understanding the investigative process, evidence handling requirements, legal frameworks, and the incident handler's role in supporting investigations. Mastering these concepts will not only help you pass the exam but will also make you a more effective incident handler in real-world scenarios.