Betting Shop computer investigation Essay Example for Free

Betting Shop computer investigation Essay The task given to me for the following essay was: Assume you have been called in to investigate suspected incidences of computer crime enacted through the computer system at a local betting office. Describe how you would conduct the search and seizure operation. Also explain why you would conduct the operation in the manner you describe. Keywords: Electronic, Evidence, Investigation, Computers, Seizure, Forensic, Computing Introduction I was recently given the task of Head of Forensic Computing Investigation into Operation Gamble. Operation Gamble had been in place for over 12 weeks, in this time it had become obvious that there was every possibility that some kind of computer crimes were being committed on a everyday basis. This job entails making sure that nothing is overlooked, that everything is done in a methodical manner, everything needs logging in one way or another. There are many things to think about , and many that need acting upon, decisions often need to be made on site at the time of the search. Hopefully this essay will inform the reader of a little knowledge into the world of forensic computing investigation. Also that it will become clear that the successful prosecution of offenders means that the investigation must be done thoroughly from start to finish. ACPO state there are 4 principles that should be adhered to at all times, so when reading this must be took into consideration. The four principles are as follows:- Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court. Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to. Ruth Suttons investigation into a local betting shop. Firstly I was called into the office and was allocated a new case, which involved investigating a betting shop that may have been involved in some kind of fraud or computer misuse. I wasnt given any information in detail. Without having much detailed information I have to prepare the investigation as though I am looking for every kind of electronic crime there is. With an open mind it makes the investigation much more through and lengthy, maybe turning up more clues to what has been occurring in this particular establishment. Also as I have been put in charge of this investigation I make sure that all staff that had been drafted in to help with this investigation had the expertise to do so, they all needed to be aware how volatile forensic data is, how easily evidence can be lost, changed, or altered and therefore inadmissible in court. If I were to be given this case and was previously made aware that it was child pornography that I was looking for this would set my mind thinking, and turning into the direction of looking for not only images but perhaps photography equipment, chat logs, email, internet usage logs. On the other hand it is a much different case for fraud. Accounting would be looked into address books, credit card data, calendars, credit card skimmers, the list just goes on and on. Having no idea could turn up more things as child porn can often be attached to a ring, perhaps in that ring credit card fraud is being used to purchase entry to child porn sights, so with my open mind and that of my colleagues I start my investigation. Within the ACPO (Association Of Chief Police Officers) guidelines there are 4 stages that are involved in gaining forensic evidence. They are: 1. Acquiring the evidence 2. Identifying the evidence 3. Evaluating any evidence found 4. Presenting the evidence. For the purposes of my investigation in fact all forensic computing investigations, the first 3 rules are paramount as they all rely upon each other being performed correctly. Although it must be said if any of the rules are not followed correctly this wouldnt even get as far as the presenting Evidence rule, as there could be no successful prosecution. Preparation Knowing this is a retail betting shop, the first decision to be made is the time that we will serve our warrant to search the premises. After not much deliberation it is decided to carry out the search before opening time, I was aware that the manager opened up every morning at 8am so meeting him as he opened up would be the best policy. The reason for this decision is that with less staff and no customers there would be less chance of anyone being able to tamper with any networks, data, or any other relevant evidence. In the past it has been known for one member of staff to distract an investigator, while another removes vital evidence. As time went on 3 other members of staff arrived for work, they were all taken aside and asked details of what there job involved, where there individual workstation was and any usernames, passwords or encryption keys that may be relevant to the case. On Entry On entry it was most important to visually identify anything that could be possible evidence. The following items were identified and noted down: 1. Computer 2. Laptop 3. Usb stick 4. Digital camera 5. Printer 6. Scanner 7. Mobile Phones 8. Cds Dvds 9. PDA All these items could be relevant in gaining evidence as they all may contain relevant data. My reasons for each item were as follows: 1. Computer This is obvious that looking for forensic data the desktop computer could hold lots of evidence. 2. Laptop Same reasons as above. 3. Usb Stick This could also contain data. 4. Digital Camera may contain images or even files of any data 5. Printer Printers have their own memory now so this could contain much needed evidence. 6. Scanner May have been used to scan fraudulent documents (if there is any damage or imperfections to the glass this could show that a particular document was created with its use. 7. Mobile Phones Mobile phones have own operating system, could contain not only contacts but also images, files, and time logs etc, lots of relevant data. 8. Cds Dvds Another item that could contain lots of data. 9. PDA This like a mobile phone has its own operating system and could be used to store relevant data, contacts, time logs etc. Before any searches in drawers or anything was moved the whole area was photographed, picturing where all the above items were exactly in relation to the shop. This is done to document the evidence in a visual manner, that can be looked at after things have been moved to unsurface perhaps more clues, for example If a computer mouse was sitting on the left hand side of the desk, perhaps the manager is right handed so it could lead to a clue that perhaps a left handed member of staff uses that desk, which the computer is sitting on. Photographs were taken of the computer screen as it was on and had the user names on it, this was also documented by text. The computer felt quite warm so this could give clues as to whether it had been left on overnight or perhaps used before we had gained entry to the premises. Photographs were also taken of all the cables at the back of the computer, so as reconstructing at a later stage would be easier, also the cables were labelled. The desktop computer was then switched off by removing the power from the computer not the wall socket. The laptop was the next item to be dealt with, it was switched off so removal of the battery was next. Next a search took place which would involve looking in drawers, cupboards etc. The items I was looking for were: 1. Any paper work that may give some clues to any passwords that may have been used 2. Memory Cards 3. Credit card Skimmers 4. Address books 5. Appointment cards/books 6. GPS SAT NAV equipment 7. CCTV footage Most of these items were found lurking in and around the vicinity of the desk where the desktop computer was located, other than the CCTV footage that was located in the DVD recorder next to the kitchen door. The DVD recorder contained a DVD- rw (DVD re- writable), which was left in place until also photographed and noted while in situ. The rest of the items were subsequently photographed and logged before anything else was done. The reasons for seizing these items were as follows: 1. Paperwork passwords, contacts etc. 2. Memory Cards Data, Images 3. Credit card skimmers Evidence in itself or even more so if there is data contained on the magnetic strip. 4. Address books Contacts 5. Appointment cards/books verify evidence of suspects whereabouts 6. GPS SAT NAV Travel logs, previous places visited 7. CCTV Evidence to say who has been in the premises, and when as the camera will have its own time logs. The manger was then asked a few questions about any passwords or encryption keys he may have been aware of, this was done to try and gain any extra information regarding passwords, encryption etc, as this could all save time when it comes to imaging and gaining access to files. All the questions and answers were noted down in a methodical manner. Seizing the evidence The decision was made by myself to take the equipment, rather than live image at the suspected crime scene, as there was no network, wireless or otherwise, I felt this was the best decision to make as the imaging could be done under labatory conditions. Also as there was quite an amount of electronic data that would need to be imaged, this would take far too long and would not be efficient to do so. Although it is seen best for the raw electronic data to be accessed least as possible due to its volatile nature, this would only have to be done the once in the lab, once imaged they actual items (pc, laptop) would not need to be handled again as the image would be an exact copy. Fingerprinting would need to be done, but this could not occur until all equipment had been imaged, as the chemicals used can be destructive The laptop was known to have Bluetooth capability, and wifi so this had to be put into a shielded box, so as that it could not receive any signals from anywhere else. The mobile phone and PDA were treated in the same manner. The boxes were tagged and everything noted so as to start the chain of evidence for these items. All that had to be done now was to actually bag up all the evidence. This has to be done and sealed in anti static bags, and all written down in a methodical manner. This was done item by item individually as each item was tagged and bagged it had to be logged in a chain of evidence. This took quite a long time but this job cannot be rushed, as anything missed could be fatal to a prosecution. Next was the issue of transportation, this would need to be done strategically so as not to damage any possible data evidence. These would have to be kept away from any magnetic fields, e. g. speakers, radios etc, so they were removed with a van that had storage boxes within so as the seized equipment would not get too warm, cold, or anything else happen to them. Evaluating the Evidence This is where the real investigation continues, and where more light may be shed on the situation concerning electronic data found. Encase was used to image the hard drive of the desktop computer and laptop, and various other software was used for the acquisition of the other electronic items. Once imaged work would begin on searching labouredly through the data. To finish this investigation could take quite a few man-hours, as there is so much data to work through. Now is when this case is turned over to the other specialists that I work alongside. Conclusion Alas my work has ended now in this case as I have finished my job of searching the crime scene and seizing the evidence, after a full week of preparation before the actual search, I am quite pleased with the result. I am no clearer about any crimes that were or may have been committed, but hopefully due to myself carrying out the investigation thoroughly I have led the way for a successful prosecution to go ahead. References :- National hi-tech crime unit (2008) The ACPO Good Practice Guide for Computer-Based Electronic Evidence www. acpo. police. uk/asp/policies/Data/gpg_computer_based_evidence_v3. pdf [accessed 05/05/2008]. Computer Crime: ACPO Guidelines (2008) http://www. dataclinic. co. uk/computer-ACPO. htm [accessed 07/05/08].