COMPUTER FORENSICS (police)

 

With the advent of technology, law enforcement has seen a change in the types of crimes committed as well as how crimes are committed. Officers are still faced with what are perceived as “traditional” crimes that involve tangible, physical evidence left at a crime scene with an oftentimes unknown suspect. In addition to those traditional crimes, however, officers on the street today are faced with the less familiar computer crimes, which do not conform as well to classic processes and procedures that have been the foundation of criminal investigation for years. Consequently, individual officers and organizations must meet the challenges that technology has brought, by ensuring that appropriate measures are taken to effectively deal with computer crime, including adequate training, dedication of resources, and comprehensive laboratory and examination support, in addition to familiarity with significant issues and appropriate policies and procedures for legal testimony.

Although law enforcement has become more intimately familiar with computer crime during the last decade, it is apparent that consensus regarding the scope of computer crime has not been completely reached and that the perception of the scope is affected by one’s occupation, such as a law enforcement officer or a computer scientist. Computer crime, unlike traditional crimes, is one that necessitates multidisciplinary efforts to investigate and solve cases. While law enforcement is accustomed to working with forensic scientists in a crime lab, and perhaps evidence technicians in the field, no other crime requires multidisciplinary efforts of this magnitude. For instance, law enforcement must potentially work with computer professionals, security professionals, information technologists, and forensic scientists to solve these complex crimes. Some of the law enforcement skills, such as basic investigation skills, are useful for computer crime cases, but issues such as digital evidence collection require personnel who are more specially trained than basic investigators.

Computer Crime and Digital Evidence

It is essential to have an understanding of computer crime and digital evidence prior to further exploring computer forensics. The most consensus-based types of computer crime include the following: (1) the computer as a target of crime, (2) the computer as a tool to commit a crime, and (3) the computer as incidental to crime. An example of a computer as a target of crime would be a case in which a perpetrator hacks into a computer network. An example of a computer being used as a tool to commit a crime would be online fraud or the dissemination of child pornography. Finally, an example in which a computer is incidental to crime would be a case in which a computer is used to write a threatening letter to someone (Brenner 2001).

The term digital implies the representation of information using numbers, specifically binary digits (bits) and hexadecimal values. Digital evidence, then, is “any and all digital data that can establish that a crime has been committed or can provide a link between crime and its victim or a crime and its perpetrator” (Casey 2004, 668). So one goal of an investigation of computer crime would be to identify and seize any digital evidence associated with the criminal activity.

Scope and Activities of Computer Forensics

Literally, computer forensics is “computer science for answering legal questions.” Nelson et al. (2004) describe computer forensics as “obtaining and analyzing digital information for use as evidence” in court cases. Lacks and Bryce (2005) propose a definition of computer forensics that incorporates policing, forensic, and legal aspects, and further demonstrates the multidisciplinary nature of the work. Further, they indicate that “Computer forensics draws upon not only technical skills and criminal investigative skills, but also on the combination and effective utilization of both of these skills sets within the court system” (Lacks and Bryce 2005, 246). What is sometimes missed, however, is that computer forensics applies basic investigative principles in a digital environment. Hence, the basic methodologies reflect long-accepted tenets of the criminal investigation process and include the following:

• Acquire the evidence without altering or damaging the original.

• Authenticate that your recovered evidence is the same as the originally seized data.

• Analyze the data without modifying it (Kruse and Heiser 2002, 3).
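The three steps above can be illustrated with a hash-verified working copy. This is an added example, not taken from the cited authors; the file names, the choice of SHA-256, and the sample bytes are assumptions constructed for illustration.

```python
import hashlib, hmac, os, re, stat, tempfile

CHUNK = 1 << 20  # hash and copy in 1 MiB blocks

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only handle
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image):
    """Acquire: copy source to image bit for bit, hashing exactly what was read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image, stat.S_IRUSR)  # working copy is marked read-only
    return h.hexdigest()

def authenticate(image, acquisition_hash):
    """Authenticate: the image must still hash to the value recorded at acquisition."""
    return hmac.compare_digest(sha256_file(image), acquisition_hash)

def analyze(image, keyword):
    """Analyze: keyword search through a read-only handle; returns byte offsets."""
    with open(image, "rb") as f:
        data = f.read()  # fine for a small sample; real media would be scanned in blocks
    return [m.start() for m in re.finditer(re.escape(keyword), data)]

def demo():
    """Run all three steps on constructed sample data (not real evidence)."""
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "seized.bin"), os.path.join(d, "image.dd")
        with open(source, "wb") as f:
            f.write(b"\x00" * 512 + b"threat letter draft" + b"\x00" * 512)
        recorded = acquire(source, image)
        before = authenticate(image, recorded)
        hits = analyze(image, b"threat")
        after = authenticate(image, recorded)         # analysis left the image intact
        source_ok = sha256_file(source) == recorded   # original was not altered
        os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)  # simulate a modified copy
        with open(image, "r+b") as f:
            f.write(b"\x01")
        return before, hits, after, source_ok, authenticate(image, recorded)
```

The last value returned by `demo()` is `False`: a single changed byte in the working copy no longer matches the hash recorded at acquisition.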

In addition to the definition of computer forensics, it is important to recognize activities associated with computer forensics and used for the investigation of computer crime. These include (1) media and electronic device analysis, (2) data communication and analysis, and (3) research and development activities (Lacks and Bryce 2005, 247). Practically speaking, the analysis of media and electronic devices includes more than analyzing computers or computer media, such as CDs and thumb drives; other media include personal digital assistants (PDAs), pagers, and cell phones. Data communication analyses emphasize Internet-based analyses, including but not limited to network intrusions and data acquisition. Computer forensic research and development is the most important of these three activities because these processes serve as the “crime analysis” for computer crime and allow investigators to identify trends in computer crimes (Lacks and Bryce 2005).

Training and Support for Computer Forensics

Despite advancements in technology and the increase in computer crime during the last decade, law enforcement struggles with limited resources with which to respond. Not only is technology for responding to computer crime limited, qualified human resources are limited as well. For law enforcement to be qualified to respond to computer crimes using computer forensics, the assumption is made that the officers have received adequate training and/or education. What is happening, however, is that computer crime and computer forensics are not part of most basic police academy instruction and are a limited part of in-service training. Therefore, officers currently employed in law enforcement agencies have minimal opportunities for training, and those that are “qualified” are often self-taught computer aficionados.

Casey (2004) proposes that persons who specialize in computer crime in law enforcement organizations should be classified into three groups based on their levels of knowledge and training: digital crime scene technicians, digital evidence examiners, and digital investigators. Digital crime scene technicians are essentially first responders to a crime scene and are responsible for identifying and collecting evidence, specifically digital evidence. Digital evidence examiners are responsible for processing digital evidence, and would use computer forensics to perform this examination; Casey recommends that those personnel who perform this kind of examination should be certified in this area. Finally, digital investigators are those who are responsible for reconstructing the crime using information from the technicians and examiners. Ideally digital investigators would be a multidisciplinary team consisting of law enforcement officers, forensic examiners, attorneys, and computer security professionals, each of which plays a key role in solving computer crimes.

Typically law enforcement organizations recognize certifications, as Casey (2004) proposes, from state training bodies or POST commissions. What appears to be a trend for computer crime and forensics is the development of professional organizations that support law enforcement in these areas and sometimes offer certifications. The International Association of Computer Investigative Specialists (IACIS), for example, is an international volunteer nonprofit corporation composed of law enforcement professionals dedicated to education in the field of forensic computer science, and includes members from federal, state, local, and international law enforcement organizations. IACIS members have been trained and certified in the forensic science of seizing and processing computer systems. IACIS also assists in the creation of policies and procedures, training personnel, and certifying forensic examiners in the recovery of evidence from computer systems (http://www.cops.org).

Another useful organization that is currently helping law enforcement respond to these challenges is the High Technology Crime Investigators Association (HTCIA), which encourages, promotes, aids, and effects the voluntary interchange of data, information, experience, ideas, and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies (http://www.htcia.org).

Future Prospects

Unfortunately, as law enforcement begins to make strides in addressing computer crime with computer forensics—and becomes more technologically savvy in the process—perpetrators of these crimes are simultaneously embracing technological advancements. Law enforcement must make a concerted effort and maintain a strong commitment if computer crime prevention, as opposed to just computer crime response, will ever be the norm. Understanding the phenomena and dedicating adequate resources to response efforts can greatly benefit those who must deal with these contemporary issues in an acceptable manner.
