During an audit of a corporation's payroll records, a "dummy" employee (earning more than $60,000 a year) is discovered. The fraud examiners who are called into the case track the payroll and discover the fake employee's monthly paychecks are deposited electronically into a checking account at a local bank; with a court-issued subpoena in hand, they also find out that the name on the account is fictitious. Further inquiries show that an electronic bill-paying service on the account regularly wires the monthly paycheck - minus one dollar to keep the account open - to an offshore bank. The fraud examiners try to obtain additional records from the overseas bank but are unsuccessful; their U.S. search authorizations aren't recognized. Interviews of employees working within the finance section of the corporation also are fruitless. The investigation comes to a temporary standstill and the examiners are discouraged. Unfortunately, they don't yet realize that the answer is right under their noses - in the company's computers.
The Internet, e-mail, financial software, and a variety of electronic gadgets have changed the business environment and the way fraud examiners conduct white-collar crime investigations. Incriminating evidence is no longer limited to paper trails but can be found on hard drives, servers, and compact discs. Electronic data can contain valuable evidence of wrongdoing that can put a fraudster behind bars faster than you can say, "delete it."
The fraud examiners in the opening scenario, after unsuccessfully following paper trails, decided to have a forensic analysis done on the payroll manager's computer. The analysis recovered deleted documents pertaining to the setup of the dummy employee. Subsequently, when the manager's home computer was seized and analyzed, the examiners found records on the offshore banking facility. When confronted with the information, the manager confessed to the fraud against the corporation.
Processing a Cyber Crime Scene
Most law enforcement personnel have been trained to collect tangible evidence such as narcotics, blood and latent impressions, but they aren't familiar with handling digital evidence. They know to use caution when dealing with foot impressions at the scene of a homicide, but they don't think twice about picking up a floppy disk and inserting it into a suspect's computer to view the contents. What most untrained investigators don't realize is that merely opening a file or booting up a computer will alter files and destroy any potential for using the data as evidence in a legal proceeding.
Imagine an incident in which a female employee claims that a male executive downloaded pornographic images onto her office computer. She reports the incident to her immediate supervisor who then has the company's computer expert retrieve and view the questionable files on the female employee's computer. The supervisor then fires the executive, who retaliates with a civil lawsuit for wrongful termination and slander.
During trial preparations, the executive's attorney hires a computer forensics expert to analyze the plaintiff's computer. The expert determines that the "last accessed" date of the pornographic files occurred after management began its inquiry into the alleged crime. The attorney consequently argues in court that the company's computer expert placed the questionable files on the plaintiff's computer to make himself look successful in the eyes of management. With the corporation's testimony somewhat impeached and the physical evidence tainted, the corporation's defense against the wrongful termination suit quickly evaporates and the fired executive is awarded a large settlement.
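The timestamp argument in the scenario above is one a forensic examiner can check mechanically. The following script is an added example, not code from the article or its author: it takes exported file-metadata rows (path, created, modified, last accessed), which are constructed here as hypothetical data, and lists the files whose "last accessed" or "modified" time falls after the date the inquiry began, which is precisely the inconsistency the defense expert seized on. It also flags files whose timestamps are internally out of order, a separate sign that a file arrived by copy or under a changed clock. The inquiry date and file names are assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed file-metadata rows, in the shape a forensic tool might export
# (path, created, modified, last accessed; ISO 8601). Hypothetical data, not
# records from the article's case.
SAMPLE_ROWS = [
    ("Pictures/img001.jpg", "2003-03-10T09:12:00", "2003-03-10T09:12:00", "2003-03-10T09:15:00"),
    ("Pictures/img002.jpg", "2003-03-10T09:13:00", "2003-03-10T09:13:00", "2003-03-14T16:40:00"),
    ("Documents/memo.doc",  "2003-02-01T08:00:00", "2003-03-05T11:00:00", "2003-03-05T11:00:00"),
    ("Documents/notes.txt", "2003-03-13T10:00:00", "2003-03-01T12:00:00", "2003-03-13T10:00:00"),
]

# Constructed date on which management's inquiry began (an assumption).
INQUIRY_START = "2003-03-12T00:00:00"


@dataclass
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def parse_rows(rows: List[Tuple[str, str, str, str]]) -> List[FileRecord]:
    """Turn exported (path, created, modified, accessed) rows into FileRecords."""
    return [
        FileRecord(path, datetime.fromisoformat(c), datetime.fromisoformat(m), datetime.fromisoformat(a))
        for path, c, m, a in rows
    ]


def touched_after(records: List[FileRecord], inquiry_start: str) -> List[str]:
    """Paths whose last-accessed or modified time falls on or after the inquiry start.

    Every file in this list was handled after the scene should have been frozen,
    which is the gap the opposing expert exploited in the scenario above.
    """
    cutoff = datetime.fromisoformat(inquiry_start)
    return [r.path for r in records if r.accessed >= cutoff or r.modified >= cutoff]


def inconsistent_timestamps(records: List[FileRecord]) -> List[str]:
    """Paths whose modified or accessed time precedes the created time.

    On Windows a copy keeps the source's modified time but receives a fresh
    created time, so this ordering usually means the file arrived by copy (or
    the clock was changed); its history needs explaining before it is relied on.
    """
    return [r.path for r in records if r.modified < r.created or r.accessed < r.created]


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    print("touched after inquiry began:", touched_after(recs, INQUIRY_START))
    print("inconsistent timestamps:", inconsistent_timestamps(recs))
```

Run as-is, the script reports img002.jpg and notes.txt as handled after the inquiry began and notes.txt as internally inconsistent. In practice the rows would come from a forensic image of the drive, never from the live machine, since reading the files on the original would itself move the access times.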
In a courtroom, the defense counsel often attacks the way evidence is collected and preserved and its chain of custody, rather than the actual analysis of the evidence. Errors in these areas can't be corrected at a later date and that's why the initial response to a computer-related offense should be handled like any other crime scene - with primary emphasis on securing and protecting potential evidence. The only difference is that - unlike a smoking gun at a crime scene - the majority of the evidence (floppy disk, etc.) will be latent and require forensic analysis.
Securing the Scene
The entire workstation, office or residence should be secured and protected to maintain the integrity of the scene. Consider wearing surgical gloves prior to touching anything within the office or workstation. Depending on access to the scene and the nature of the crime, fingerprint evidence could be important later in the fraud examination. Under no circumstances should anyone be allowed to remove items or to touch the computer, including shutting it down or exiting from active programs or files. However, if self-destructing software is in use, obviously, this rule changes.
It's always possible that the perpetrator has written or installed a program, such as Norton Wipeinfo or Evidence Eliminator, to cover his tracks. (Under normal circumstances, information concerning the program running will be displayed on the screen. If the program is running in the background on a Windows-based operating system, check the task bar at the lower right edge of the screen. This will provide information concerning all programs that were loaded from the start menu.) In this case, the examiners immediately should pull the plug connecting the Central Processing Unit (CPU) to its power source. The primary importance in this situation should be locating and identifying any fragile evidence that could be altered if not immediately collected. (Pulling the plug on a computer system may seem to violate most standard rules in crime scene processing but it could be the only way to avoid the loss of critical evidence in some instances. This procedure is no different than quickly investigating an outdoor crime scene complete with blood splatters and footprints just as it starts to rain; fragile evidence must be protected before it's destroyed. Pulling the plug to save critical evidence would be similar to placing protective plastic over foot impressions or blood splatter evidence during a rainstorm prior to taking photographs of the scene. Sometimes the emergency nature of a situation dictates the investigator's action.)
Backup media storage devices, which perhaps are kept in other rooms, also should be identified and secured after arriving on the scene. If the perpetrator has erased evidence from his hard drive, the incriminating data sometimes can be found on backup media. This is particularly imperative when dealing with large corporations or government offices, which often overwrite the drives within their e-mail servers on a daily basis due to the high volume of e-mail traffic.
Once the crime scene has been secured, it shouldn't be left unattended or unlocked until the fraud examiners have documented the area and collected the evidence. Specific instructions concerning access should be provided to the individual(s) guarding the scene; only investigative officials should be allowed to enter the area and the number of people involved in documenting and collecting evidence should be kept to a minimum. Fraud examiners also should maintain notes regarding how the scene was secured and the security personnel involved. [Note-taking is important during the entire process. The examiner should not only record the usual who, what, when, where, why, and how, but overall observations of the scene - the room's condition (clean, dirty, etc.) and its contents (furniture, computer equipment, files) and where the items are located. Examiners also should record the descriptions and location of potential evidence.]
A Look at the People
If possible, conduct initial interviews with personnel at the scene prior to searching for evidence; they may help find pertinent material before it's altered. In the primary stages of an investigation, it's likely that the potential suspects haven't formulated their denials or alibis. If their initial accounts of the events don't correspond with subsequent interviews or the forensic analysis of the evidence, it could prove extremely important to the fraud examination. Also, keep in mind when identifying interview targets that more than one person could have access to the crime scene and/or computer in question if work shifts are in effect. One good interview source is the company's system administrator, who's knowledgeable about the computer network, user identifications and passwords.
The 1,000-word Picture
Prior to collecting any evidence, fraud examiners should photograph the scene to depict its original condition. The key to quality crime-scene photography is to start with the overall scene and then move down to the smallest piece of evidence. Begin with several photographs that establish the location of the scene (i.e., the exterior of the office building and a sign showing the suite number). Next, take an entry photograph (what the examiner sees as he enters the room), followed by a series of "360 degree" photographs, or overlapping photos that depict the entire crime scene.
Detailed notes of each photograph should be kept in a log, including the camera height (measured from the floor); the distance between the item and the camera; the time the photo was taken; whether a flash attachment was used; and the type of camera, film, lens, and filter, if any.
If the computer is on when the crime scene is secured, take photographs of the contents displayed on the monitor. If a screen saver is obstructing the view, press one of the "arrow" keys to deactivate it; do not press any other keys. The "arrow" keys don't write to any document, but merely change the location of the cursor. Also, take photographs of the immediate work area, including computer disks, handwritten notes, and other computer equipment. Only photographs that don't require touching or moving items should be taken at this point.
Consider doing a crime-scene sketch if it can provide additional details concerning the layout of the scene. Sometimes physical obstructions make a particular angle easier to sketch than to photograph. Again, the rule of thumb for crime-scene sketching is to go from the overall scene to the smallest piece of evidence, which may require several sketches to depict the scene accurately. Also, consider doing a sketch that shows the location of the crime scene in relation to other offices or workstations.
Collecting the Evidence
The natural instinct of most investigators confronted with a cyber crime is to seize the suspected CPU as the first item of evidence. In reality, due to the time involved and number of steps required to seize a CPU properly, this should be one of the last items removed from the crime scene.
The area should be searched in a circular motion with the CPU being at the center of the circle. As items of evidence are located, they should be photographed, identified within notes, and then collected. Entries within the evidence log should contain descriptions of the items (including model and serial number, if applicable), any visible markings, their condition, the manner in which they were marked for evidence, and where they were found. Remember to maintain an accurate chain of custody during the collection process.
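The evidence-log fields listed above, together with the chain of custody, can be kept in a structure that refuses out-of-order or impossible custody entries rather than leaving the errors to be found by defense counsel. The following is an added example, not the article's or the author's own tool: an evidence log that records each item's description, serial number, condition and location, appends custody transfers only when the releasing party actually holds the item and the time moves forward, and stores a SHA-256 hash of the forensic image so that later analysis can be shown to have worked on an unaltered copy. Hashing the image is standard forensic practice but is not described in the article, and the item, names, dates and image bytes are all constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class CustodyEvent:
    when: datetime
    released_by: str
    received_by: str
    purpose: str


@dataclass
class EvidenceItem:
    item_id: str          # the mark placed on the item, e.g. "1 - Port 1"
    description: str      # make, model and any visible markings
    serial_number: str
    condition: str
    found_at: str         # where in the scene it was located
    image_sha256: Optional[str] = None   # hash of the forensic image, once made
    custody: List[CustodyEvent] = field(default_factory=list)


class EvidenceLog:
    """Evidence log whose custody history is validated as it is written."""

    def __init__(self) -> None:
        self._items: Dict[str, EvidenceItem] = {}

    def collect(self, item: EvidenceItem, collected_by: str, when: str) -> EvidenceItem:
        """First custody entry: the item passes from the scene to the collecting examiner."""
        if item.item_id in self._items:
            raise ValueError(f"item id {item.item_id!r} already logged")
        item.custody.append(CustodyEvent(datetime.fromisoformat(when), "scene", collected_by, "collected at scene"))
        self._items[item.item_id] = item
        return item

    def transfer(self, item_id: str, released_by: str, received_by: str, when: str, purpose: str) -> None:
        """Append a hand-off; rejected if the releaser is not the current custodian or time runs backwards."""
        item = self._items[item_id]
        last = item.custody[-1]
        ts = datetime.fromisoformat(when)
        if released_by != last.received_by:
            raise ValueError(f"{released_by} does not hold {item_id}; current custodian is {last.received_by}")
        if ts < last.when:
            raise ValueError("custody events must be in chronological order")
        item.custody.append(CustodyEvent(ts, released_by, received_by, purpose))

    def record_image(self, item_id: str, image: bytes) -> str:
        """Store the SHA-256 of the forensic image taken from the item."""
        digest = hashlib.sha256(image).hexdigest()
        self._items[item_id].image_sha256 = digest
        return digest

    def image_matches(self, item_id: str, image: bytes) -> bool:
        """True if the supplied image bytes still hash to the recorded value."""
        return hashlib.sha256(image).hexdigest() == self._items[item_id].image_sha256

    def custodian(self, item_id: str) -> str:
        return self._items[item_id].custody[-1].received_by

    def chain(self, item_id: str) -> List[Tuple[str, str, str, str]]:
        return [(e.when.isoformat(), e.released_by, e.received_by, e.purpose) for e in self._items[item_id].custody]


# Constructed stand-in for a forensic image of the seized media (a few bytes, not a real image).
SAMPLE_IMAGE = b"constructed sample image bytes"


def demo() -> EvidenceLog:
    """Walk one item from the scene to the laboratory; every name and date here is made up."""
    log = EvidenceLog()
    log.collect(EvidenceItem("1", "Desktop CPU, beige tower, no visible markings", "SN-0000-EXAMPLE",
                             "powered off at scene, intact", "under desk, office 2B"),
                collected_by="Examiner A", when="2003-03-12T10:30:00")
    log.transfer("1", "Examiner A", "Lab Technician B", "2003-03-12T15:00:00", "delivered for imaging")
    log.record_image("1", SAMPLE_IMAGE)
    return log


if __name__ == "__main__":
    for event in demo().chain("1"):
        print(event)
```

The check in transfer() is the point: a log that lets Examiner A release an item already signed over to the laboratory is exactly the kind of gap that gets raised in court, so the structure refuses to record it. The recorded hash lets the analyst, months later, re-hash the working copy and demonstrate that nothing in it has changed since collection.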
As technology is constantly changing, fraud examiners may find electronic equipment that's not immediately identifiable. Whenever in doubt, seize it as potential evidence because the item may be a piece of electronic media - such as a "thumbdrive," "clik" drive or other storage devices - with which the examiner isn't familiar.
Also, remember that the search shouldn't be limited to electronic items. Handwritten notes, personal organizers, calendars, trash cans, and scraps of paper could contain passwords or IP addresses that are valuable to the fraud examination. Printed technical documents and publications in the room also might shed light on the type of computer crime committed.
Seizing the Computer
Shutting down and seizing an operational CPU may present the greatest challenge within a cyber crime scene. In some instances, such as with a Microsoft Windows-based system, merely pulling the power cord from the wall is sufficient; however, for some computers (such as a Unix-based operating system), their operating systems must go through specific shutdown procedures before the power supply is disconnected or certain data can be lost or corrupted. For this reason, fraud examiners should conduct the shutdown step with the aid of a trained computer forensics expert.
Once the computer is turned off, photograph and label all connectors and plugs leading to and from the CPU prior to disassembly. This will aid in reconstructing the system in the forensic analysis laboratory and will provide courtroom documentation of the computer's original setup. Place labels on both ends of each cable and then put corresponding tape on the devices to which the cables are connected. For example, an examiner would label the printer port on a CPU as "Port 1." He then would mark the end of the cable that connects to that port as "Port 1." The other end of the cable that connects to the printer would be labeled as "Printer," and the corresponding port on the printer would be marked as "Printer." If more than one computer is involved, the labels might read "1 - Port 1" for the cable associated with CPU No. 1 and "2 - Port 1" for the cable associated with CPU No. 2, etc.
Whatever type of labeling system is used, it should be simple. There are many nonstandard cables, and there may be multiple combinations that will fit but not work correctly. For example, with some Sun Systems and Unix-based units, they must have the right mouse, keyboard and monitor to work properly. If you have seized three or four similar systems within the same scene, it's extremely easy to get the cables and peripherals confused. Consequently, all cables that connect to peripherals also must be collected.
After photographing and labeling all the ports and cables, the disassembly can begin. It's best to start with the peripherals and then move to the CPU. Don't be in a rush but double-check that all ports and cables are labeled as the disassembly progresses. All electronic media should be wrapped in static-free bubble wrap for transport. Most importantly, items that could contain electronic evidence shouldn't be transported in close proximity to any radio equipment (such as the trunk of a police vehicle where the radio is mounted) because magnetic interference could destroy the data.
The importance of properly processing a cyber crime scene can't be overstated. Not only is electronic evidence delicate in nature, but the way it's recorded and collected often determines whether or not it will be legally useful to a case. It's important that fraud examiners respect a cyber crime scene and recognize that even the most unassuming item can be potentially lethal to a defense counsel in a courtroom.
Michael Redmond, CFE, is the lead forensic technician for the Department of Energy Computer Forensic Laboratory in Aiken, S.C.