U.S. Department of Justice
Office of Justice Programs National Institute of Justice
A Guide for First Responders
NIJ Guide
U.S. Department of Justice Office of Justice Programs 810 Seventh Street N.W. Washington, DC 20531
John Ashcroft, Attorney General
Office of Justice Programs World Wide Web Site http://www.ojp.usdoj.gov
Cover photographs copyright © 2001 PhotoDisc, Inc.
National Institute of Justice World Wide Web Site http://www.ojp.usdoj.gov/nij
Electronic Crime Scene Investigation: A Guide for First Responders
Written and Approved by the Technical Working Group for Electronic Crime Scene Investigation
July 2001
This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal.
Opinions or points of view expressed in this document represent a consensus of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice. The products and manufacturers discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice.
NCJ 187736
The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.
Foreword
The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are being used increasingly to commit, enable, or support crimes perpetrated against persons, organizations, or property. Whether the crime involves attacks against computer systems, the information they contain, or more traditional crimes such as murder, money laundering, trafficking, or fraud, electronic evidence increasingly is involved. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and prosecutions that involve electronic evidence.
To assist State and local law enforcement agencies and prosecutorial offices with the growing volume of electronic crime, a series of reference guides regarding practices, procedures, and decisionmaking processes for investigating electronic crime is being prepared by technical working groups of practitioners and subject matter experts who are knowledgeable about electronic crime. The practitioners and experts are from Federal, State, and local law enforcement agencies; criminal justice agencies; offices of prosecutors and district attorneys general; and academic, commercial, and professional organizations.
The series of guides will address the investigation process from the crime scene first responder, to the laboratory, to the courtroom. Specifically, the series of guides will address:
Crime scene investigations by first responders.
Examination of digital evidence.
Investigative uses of technology.
Investigating electronic technology crimes.
Creating a digital evidence forensic unit.
Courtroom presentation of digital evidence.
Due to the rapidly changing nature of electronic and computer technologies and of electronic crime, efforts will be periodically undertaken to update the information contained within each of the guides. The guides, and any subsequent updates that are made to them, will be made available on the National Institute of Justice’s World Wide Web site (http://www.ojp.usdoj.gov/nij).
Technical Working Group for Electronic Crime Scene Investigation
The Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) was a multidisciplinary group of practitioners and subject matter experts from across the United States and other nations. Each of the individual participants is experienced in the intricacies involved with electronic evidence in relation to recognition, documentation, collection, and packaging. To initiate the working group, a planning panel composed of a limited number of participants was selected to define the scope and breadth of the work. A series of guides was proposed in which each guide will focus on a different aspect of the discipline. The panel chose crime scene investigation as the first topic for incorporation into a guide.
Planning Panel
Susan Ballou Program Manager for Forensic Sciences Office of Law Enforcement Standards National Institute of Standards and Technology Gaithersburg, Maryland
Jaime Carazo Special Agent United States Secret Service Electronic Crimes Branch Washington, D.C.
Bill Crane Assistant Director Computer Crime Section National White Collar Crime Center Fairmont, West Virginia
Fred Demma National Law Enforcement and Corrections Technology Center–Northeast Rome, New York
Grant Gottfried Special Projects National Center for Forensic Science Orlando, Florida
Sam Guttman Assistant Inspector in Charge Forensic and Technical Services U.S. Postal Inspection Service Dulles, Virginia
Jeffrey Herig Special Agent Florida Department of Law Enforcement Florida Computer Crime Center Tallahassee, Florida
Tim Hutchison Sheriff Knox County Sheriff’s Office Knoxville, Tennessee
David Icove Manager, Special Projects U.S. TVA Police Knoxville, Tennessee
Bob Jarzen Sacramento County Laboratory of Forensic Science Sacramento, California
Tom Johnson Dean School of Public Safety and Professional Studies University of New Haven West Haven, Connecticut
Karen Matthews DOE Computer Forensic Laboratory Bolling AFB Washington, D.C.
Mark Pollitt Unit Chief FBI–CART Washington, D.C.
David Poole Director DoD Computer Forensics Laboratory Linthicum, Maryland
Mary Riley Price Waterhouse Coopers, LLP Washington, D.C.
Kurt Schmid Director National HIDTA Program Washington, D.C.
Howard A. Schmidt Corporate Security Officer Microsoft Corp. Redmond, Washington
Raemarie Schmidt Computer Crime Specialist National White Collar Crime Center Computer Crime Section Fairmont, West Virginia
Carl Selavka Massachusetts State Police Crime Laboratory Sudbury, Massachusetts
Steve Sepulveda United States Secret Service Washington, D.C.
Todd Shipley Detective Sergeant Reno Police Department Financial/Computer Crimes Unit Reno, Nevada
Chris Stippich Computer Crime Specialist Computer Crime Section National White Collar Crime Center Fairmont, West Virginia
Carrie Morgan Whitcomb Director National Center for Forensic Science Orlando, Florida
Wayne Williams Sr. Litigation Counsel Computer Crime and Intellectual Property Section Criminal Division U.S. Department of Justice Washington, D.C.
TWGECSI Members
Additional members were then incorporated into TWGECSI to provide a full technical working group. The individuals listed below, along with those participants on the planning panel, worked together to produce this guide for electronic crime scene first responders.
Abigail Abraham Assistant State’s Attorney Cook County State’s Attorney’s Office Chicago, Illinois
Michael Anderson President New Technologies, Inc. Gresham, Oregon
Keith Ackerman Head of CID Police HQ Hampshire Constabulary Winchester, Hants United Kingdom
Bill Baugh CEO Savannah Technology Group Savannah, Georgia
Randy Bishop Special Agent in Charge U.S. Department of Energy Office of Inspector General Technology Crime Section Washington, D.C.
Fred Cotton Director of Training Services SEARCH The National Consortium for Justice Information and Statistics Sacramento, California
Steve Branigan Vice President of Product Development Lucent Technologies Murray Hill, New Jersey
Tony Crisp Lieutenant Maryville Police Department Maryville, Tennessee
Paul Brown CyberEvidence, Inc. The Woodlands, Texas
Mark Dale New York State Police Forensic Investigation Center Albany, New York
Carleton Bryant Staff Attorney Knox County Sheriff’s Office Knoxville, Tennessee
Claude Davenport Senior SA United States Customs Service Sterling, Virginia
Christopher Bubb Deputy Attorney General New Jersey Division of Criminal Justice Trenton, New Jersey
David Davies Photographic Examiner Federal Bureau of Investigation Washington, D.C.
Don Buchwald Project Engineer National Law Enforcement and Corrections Technology Center–West The Aerospace Corporation Los Angeles, California
Cheri Carr Computer Forensic Lab Chief NASA Office of the Inspector General Network and Advanced Technology Protections Office Washington, D.C.
Nick Cartwright Manager Canadian Police Research Centre Ottawa, Ontario Canada
Ken Citarella Chief High Tech Crimes Bureau Westchester County District Attorney White Plains, New York
Chuck Coe Director of Technical Services NASA Office of the Inspector General Network and Advanced Technology Protections Office Washington, D.C.
Fred Cohen Sandia National Laboratories Cyber Defender Program Livermore, California
Michael Donhauser Maryland State Police Columbia, Maryland
James Doyle Sergeant Detective Bureau New York City Police Department New York, New York
Michael Duncan Sergeant Royal Canadian Mounted Police Economic Crime Branch Technological Crime Section Ottawa, Ontario Canada
Jim Dunne Group Supervisor Drug Enforcement Agency St. Louis, Missouri
Chris Duque Detective Honolulu Police Department White Collar Crime Unit Honolulu, Hawaii
Doug Elrick Iowa DCI Crime Lab Des Moines, Iowa
Paul French Computer Forensics Lab Manager New Technologies Armor, Inc. Gresham, Oregon
Gerald Friesen Electronic Search Coordinator Industry Canada Hull, Quebec Canada
Pat Gilmore, CISSP Director Information Security Atomic Tangerine San Francisco, California
Gary Gordon Professor Economic Crime Programs Utica College WetStone Technologies Utica, New York
Dan Henry Chief Deputy Marion County Sheriff’s Department Ocala, Florida
Jeff Hormann Special Agent In Charge Computer Crime Resident Agency U.S. Army CID Ft. Belvoir, Virginia
Mary Horvath Program Manager FBI–CART Washington, D.C.
Mel Joiner Officer Arizona Department of Public Safety Phoenix, Arizona
Nigel Jones Detective Sergeant Computer Crime Unit Police Headquarters Kent County Constabulary Maidstone, Kent United Kingdom
Jamie Kerr SGT/Project Manager RCMP Headquarters Training Directorate Ottawa, Ontario Canada
Alan Kestner Assistant Attorney General Wisconsin Department of Justice Madison, Wisconsin
Phil Kiracofe Sergeant Tallahassee Police Department Tallahassee, Florida
Roland Lascola Program Manager FBI-CART Washington, D.C.
Barry Leese Detective Sergeant Maryland State Police Computer Crimes Unit Columbia, Maryland
Glenn Lewis Computer Specialist SEARCH The National Consortium for Justice Information and Statistics Sacramento, California
Chris Malinowski Forensic Computer Investigation University of New Haven West Haven, Connecticut
Kevin Manson Director Cybercop.org St. Simons Island, Georgia
Brenda Maples Lieutenant Memphis Police Department Memphis, Tennessee
Tim McAuliffe New York State Police Forensic Investigation Center Albany, New York
Michael McCartney Investigator New York State Attorney General’s Office Criminal Prosecution Bureau–Organized Crime Task Force Buffalo, New York
Alan McDonald SSA Washington, D.C.
Mark Menz SEARCH The National Consortium for Justice Information and Statistics Sacramento, California
Dave Merkel AOL Investigations Reston, Virginia
Bill Moylan Detective Nassau County PD Computer Crime Section Crimes Against Property Squad Westbury, New York
Steve Nesbitt Director of Operations NASA Office of the Inspector General Network and Advanced Technology Protections Office Washington, D.C.
Glen Nick Program Manager U.S. Customs Service Cyber Smuggling Center Fairfax, Virginia
Robert O’Leary Detective New Jersey State Police High Technology Crimes & Investigations Support Unit West Trenton, New Jersey
Matt Parsons Special Agent/Division Chief Naval Criminal Investigative Service Washington, D.C.
Mike Phelan Chief Computer Forensics Unit DEA Special Testing and Research Lab Lorton, Virginia
Henry R. Reeve General Counsel/Deputy D.A. Denver District Attorney’s Office Denver, Colorado
Jim Riccardi, Jr. Electronic Crime Specialist National Law Enforcement and Corrections Technology Center–Northeast Rome, New York
David Roberts Deputy Executive Director SEARCH The National Consortium for Justice Information and Statistics Sacramento, California
Leslie Russell Forensic Science Service Lambeth London, England United Kingdom
George Sidor Law Enforcement Security Consultant Jaws Technologies Inc. St. Albert, Alberta Canada
William Spernow CISSP Research Director Information Security Strategies Group Gartner, Inc. Suwanee, Georgia
Ronald Stevens Senior Investigator New York State Police Forensic Investigation Center Albany, New York
Gail Thackeray Special Counsel–Technology Crimes Arizona Attorney General’s Office Phoenix, Arizona
Dwight Van de Vate Chief Deputy Knox County Sheriff’s Office Knoxville, Tennessee
Jay Verhorevoort Lieutenant Davenport Police Department Davenport, Iowa
Richard Vorder Bruegge Photographic Examiner Federal Bureau of Investigation Washington, D.C.
Robert B. Wallace U.S. Department of Energy Germantown, Maryland
Craig Wilson Detective Sergeant Computer Crime Unit Police Headquarters Kent County Constabulary Maidstone, Kent United Kingdom
Brian Zwit Chief Counsel (former) Environment, Science, and Technology National Association of Attorneys General Washington, D.C.
Greg Schmidt Sr. Investigator EDS-Investigations/Technical Plano, Texas
Chronology
In May 1998, the National Cybercrime Training Partnership (NCTP), the Office of Law Enforcement Standards (OLES), and the National Institute of Justice (NIJ) collaborated on possible resources that could be implemented to counter electronic crime. Continuing meetings generated a desire to formulate one set of protocols that would address the process of electronic evidence from the crime scene through court presentations. NIJ selected the technical working group process as the way to achieve this goal but with the intent to create a publication flexible enough to allow implementation with any State and local law enforcement policy. Using its “template for technical working groups,” NIJ established the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) to identify, define, and establish basic criteria to assist agencies with electronic investigations and prosecutions.
In January 1999, planning panel members met at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, to review the fast-paced arena of electronic crime and prepare the scope, intent, and objectives of the project. During this meeting, the scope was determined to be too vast for incorporation into one guide. Thus evolved a plan for several guides, each targeting separate issues. Crime scene investigation was selected as the topic for the first guide.
The initial meeting of the full TWGECSI took place March 1999 at NIST. After outlining tasks in a general meeting, the group separated into subgroups to draft the context of the chapters as identified by the planning panel.
These chapters were Electronic Devices: Types and Potential Evidence; Investigative Tools and Equipment; Securing and Evaluating the Scene; Documenting the Scene; Evidence Collection; Packaging, Transportation, and Storage; and Forensic Examination by Crime Category. The volume of work involved in preparing the text of these chapters required additional TWGECSI meetings. The planning panel did not convene again until May 2000. Due to the amount of time that had transpired between meetings, the planning panel reviewed the draft content and compared it with changes that had occurred in the electronic crime environment.
These revisions to the draft were then sent to the full TWGECSI in anticipation of the next meeting. The full TWGECSI met again at NIST in August 2000, and through 2 days of intense discussion, edited most of the draft to represent the current status of electronic crime investigation. With a few more sections requiring attention, the planning panel met in Seattle, Washington, during September 2000 to continue the editing process. These final changes, the glossary, and appendixes were then critiqued and voted on by the whole TWGECSI during the final meeting in November 2000 at NIST. The final draft was then sent for content and editorial review to more than 80 organizations having expertise and knowledge in the electronic crime environment. The returned comments were evaluated and incorporated into the document when possible.
The first chapter, Electronic Devices: Types and Potential Evidence, incorporates photographic representations of highlighted terms as a visual associative guide. At the end of the document are appendixes containing a glossary, legal resources, technical resources, training resources, and references, followed by a list of the organizations to which a draft copy of the document was sent.
Acknowledgments
The National Institute of Justice (NIJ) wishes to thank the members of the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) for their tireless dedication. There was a constant turnover of individuals involved, mainly as a result of job commitments and career changes. This dynamic environment resulted in a total of 94 individuals supplying their knowledge and expertise to the creation of the guide. All participants were keenly aware of the constant changes occurring in the field of electronics and strove to update information during each respective meeting. This demonstrated the strong desire of the working group to produce a guide that could be flexible and serve as a backbone for future efforts to upgrade the guide. In addition, NIJ offers a sincere thank you to each agency and organization represented by the working group members. The work loss to each agency during the absence of key personnel is evidence of management’s commitment and understanding of the importance of standardization in forensic science.
NIJ also wishes to thank Kathleen Higgins, Director, and Susan Ballou, Program Manager, of the Office of Law Enforcement Standards, for providing management and guidance in bringing the project to completion. NIJ would like to express appreciation for the input and support that Dr. David G. Boyd, Director of NIJ’s Office of Science and Technology (OS&T), and Trent DePersia, Dr. Ray Downs, Dr. Richard Rau, Saralyn Borrowman, Amon Young, and James McNeil, all of OS&T, gave the meetings and the document.
A special thanks is extended to Aspen Systems Corporation, specifically to Michele Coppola, the assigned editor, for her patience and skill in dealing with instantaneous transcription. In addition, NIJ wishes to thank the law enforcement agencies, academic institutions, and commercial organizations worldwide that supplied contact information, reference materials, and editorial suggestions. Particular thanks goes to Michael R. Anderson, President of New Technologies, Inc., for contacting agencies knowledgeable in electronic evidence for inclusion in the appendix on technical resources.
xiii
s t n e t n o C
Foreword.......................... Fore word............................................... .......................................... ......................................... ....................iii iii Technical Working Group for Electronic Crime Scene In Investigation vestigation ..................... ......................................... ......................................... ...............................v ..........v Acknowledgments Ackno wledgments ..................... .......................................... ......................................... ............................xiii ........xiii Overview Overvie w ..................... ......................................... ......................................... .......................................... ..........................1 .....1 The Law Enforcement Response to Electronic Evidence..........1 The Latent Nature of Electronic Evidence Evidence .................. ................................2 ..............2 The Forensic Process.............................. Process................................................... ....................................2 ...............2 Introduction .................... ......................................... ......................................... ......................................... .......................5 ..5 Who Is the Intended Audience for This Guide? .................... ........................5 ....5 What is Electronic Evidence? .................... ........................................ ................................6 ............6 How Is Electronic Evidence Handled Handled at the Crime Scene? ......6 Is Your Your Agency Agency Prepared to Handle Electronic Evidence? Evidence?........7 ........7 Chapter 1. Electronic Electronic Devices: Types and Potential Evidence ......9 Computer Systems........................ Systems............................................ ......................................... 
........................10 ...10 Components......................................................... Components..................................... ......................................... .....................12 12 Access Control Devices.... Devices........................ ......................................... ....................................12 ...............12 Answering Machines Machines.................... ........................................ ......................................... ........................13 ...13 Digital Cameras Cameras..................... ......................................... ......................................... ...............................13 ..........13 Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organi Organizers)..................................... zers).......................................................... .........................14 ....14 Hard Drives ................... ........................................ .......................................... ......................................15 .................15 Memory Cards Cards................... ........................................ ......................................... ..................................15 ..............15 Modems ................... ....................................... ......................................... .......................................... ........................16 ...16 Network Components ..................... ......................................... ......................................... .....................16 16 Pagers ..................... ......................................... ......................................... .......................................... ........................18 ...18 Printers......................................... Printers..................... ......................................... .......................................... 
........................18 ...18 Removable Remov able Storage Devices Devices and Media ..................... ..................................19 .............19 Scanners........................................... Scanners...................... ......................................... ......................................... .....................19 19 Telephones elephones.................. ....................................... ......................................... ......................................... .....................20 20 Miscellaneous Electronic Items .................... ........................................ ..........................20 ......20
xv
Chapter 2. Investigati Investigative ve Tools Tools and Equipment..................... Equipment. ............................23 ........23 Tool Kit ....................................... ............................................................ .......................................... ........................23 ...23 Chapter 3. Securing Securing and Evaluating Evaluating the Scene ............................25 ............................25 Chapter 4. Documenting the Scene ........................................ ..............................................27 ......27 Chapter 5. Evidence Collection ....................................... ....................................................29 .............29 Nonelectronic Evidence .......................................... ..........................................................29 ................29 Stand-Alo Stand-Alone ne and Laptop Laptop Computer Evidence Evidence ......... .............. ......... ......... ......30 .30 Computers in a Complex Environment Environment.................... ....................................32 ................32 Other Electronic Devices and Peripheral Peripheral Evidence ................33 Chapter Chapter 6. Packaging Packaging,, Transport ransportation ation,, and Storage Storage ......... .............. .......... ......35 .35 Chapter 7. Forensic Forensic Examination by Crime Category ................37 Auction Fraud (Online) ........................................ ............................................................ ....................37 37 Child Exploitation/Abuse Exploitation/Abuse ....................................... ........................................................37 .................37 Computer Intrusion Intrusion ....................................... ........................................................... ...........................38 .......38 Death Inv Investigation estigation ......................................... 
............................................................. .........................38 .....38 Domestic Violence........................... iolence................................................ ......................................... ....................38 38 Economic Economic Fraud Fraud (Including (Including Online Online Fraud, Fraud, Counterf Counterfeiting eiting)) ....38 ....38 E-Mail Threats/Harassment/Stalking Threats/Harassment/Stalking ......................................3 ......................................39 9 Extortion ......................................... ............................................................. ......................................... .....................39 39 Gambling ......................................... ............................................................. ......................................... .....................39 39 Identity Theft.................. Theft ...................................... ......................................... ......................................39 .................39 Narcotics ......................................... .............................................................. ......................................... ....................40 40 Prostitution ........................................ ............................................................. ......................................40 .................40 Software Piracy ......................................... .............................................................. ...............................41 ..........41 Telecommunications Fraud ......................................... ......................................................41 .............41 Appendix A. Glossary ...................................... ........................................................... ............................47 .......47 Appendix B. 
Legal Legal Resources Resources List List ...................................... ..............................................53 ........53 Appendix C. Technical Technical Resources List ........................................5 ........................................55 5 Appendix D. Training Training Resources List ....................................... ..........................................73 ...73 Appendix E. References .......................................... .............................................................. ....................77 77 Appendix F. List List of Organizations Organizations ......................................... ..............................................81 .....81
Overview
Computers and other electronic devices are present in every aspect of modern life. At one time, a single computer filled an entire room; today, a computer can fit in the palm of your hand. The same technological advances that have helped law enforcement are being exploited by criminals.
Computers can be used to commit crime, can contain evidence of crime, and can even be targets of crime. Understanding the role and nature of electronic evidence that might be found, how to process a crime scene containing potential electronic evidence, and how an agency might respond to such situations are crucial issues. This guide represents the collected experience of the law enforcement community, academia, and the private sector in the recognition, collection, and preservation of electronic evidence in a variety of crime scenes.
The Law Enforcement Response to Electronic Evidence
The law enforcement response to electronic evidence requires that officers, investigators, forensic examiners, and managers all play a role. This document serves as a guide for the first responder. A first responder may be responsible for the recognition, collection, preservation, transportation, and/or storage of electronic evidence. In today’s world, this can include almost everyone in the law enforcement profession. Officers may encounter electronic devices during their day-to-day duties. Investigators may direct the collection of electronic evidence, or may perform the collection themselves. Forensic examiners may provide assistance at crime scenes and will perform examinations on the evidence. Managers have the responsibility of ensuring that personnel under their direction are adequately trained and equipped to properly handle electronic evidence. Each responder must understand the fragile nature of electronic evidence and the principles and procedures associated with its collection and preservation. Actions that have the potential to alter, damage, or destroy original evidence may be closely scrutinized by the courts.
Procedures should be in effect that promote electronic crime scene investigation. Managers should determine who will provide particular levels of services and how these services will be funded. Personnel should be provided with initial and ongoing technical training. Oftentimes, certain cases will demand a higher level of expertise, training, or equipment, and managers should have a plan in place regarding how to respond to these cases. The demand for responses to electronic evidence is expected to increase for the foreseeable future. Such services require that dedicated resources be allocated for these purposes.
The Latent Nature of Electronic Evidence
Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. As such, electronic evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence are latent. In its natural state, we cannot “see” what is contained in the physical object that holds our evidence. Equipment and software are required to make the evidence visible. Testimony may be required to explain the examination process and any process limitations. Electronic evidence is, by its very nature, fragile. It can be altered, damaged, or destroyed by improper handling or improper examination. For this reason, special precautions should be taken to document, collect, preserve, and examine this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. This guide suggests methods that will help preserve the integrity of such evidence.
The Forensic Process
The nature of electronic evidence is such that it poses special challenges for its admissibility in court. To meet these challenges, follow proper forensic procedures. These procedures include, but are not limited to, four phases: collection, examination, analysis, and reporting. Although this guide concentrates on the collection phase, the nature of the other three phases and what happens in each are also important to understand.
The collection phase involves the search for, recognition of, collection of, and documentation of electronic evidence. The collection phase can involve real-time and stored information that may be lost unless precautions are taken at the scene.
The examination process helps to make the evidence visible and explain its origin and significance. This process should accomplish several things. First, it should document the content and state of the evidence in its totality. Such documentation allows all parties to discover what is contained in the evidence. Included in this process is the search for information that may be hidden or obscured. Once all the information is visible, the process of data reduction can begin, thereby separating the “wheat” from the “chaff.” Given the tremendous amount of information that can be stored on computer storage media, this part of the examination is critical.
Analysis differs from examination in that it looks at the product of the examination for its significance and probative value to the case. Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team. In some agencies, the same person or group will perform both these roles.
A written report that outlines the examination process and the pertinent data recovered completes an examination. Examination notes must be preserved for discovery or testimony purposes. An examiner may need to testify about not only the conduct of the examination but also the validity of the procedure and his or her qualifications to conduct the examination.
Introduction
This guide is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence. It is not all-inclusive. Rather, it deals with the most common situations encountered with electronic evidence. Technology is advancing at such a rapid rate that the suggestions in this guide must be examined through the prism of current technology and the practices adjusted as appropriate. It is recognized that all crime scenes are unique and the judgment of the first responder/investigator should be given deference in the implementation of this guide. Furthermore, those responsible officers or support personnel with special training should also adjust their practices as the circumstances (including their level of experience, conditions, and available equipment) warrant. This publication is not intended to address forensic analysis. Circumstances of individual cases and Federal, State, and local laws/rules may require actions other than those described in this guide.
When dealing with electronic evidence, general forensic and procedural principles should be applied:
Actions taken to secure and collect electronic evidence should not change that evidence.
Persons conducting examination of electronic evidence should be trained for the purpose.
Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review.
Who Is the Intended Audience for This Guide?
Anyone encountering a crime scene that might contain electronic evidence.
Anyone processing a crime scene that involves electronic evidence.
Anyone supervising someone who processes such a crime scene.
Anyone managing an organization that processes such a crime scene.
Without having the necessary skills and training, no responder should attempt to explore the contents or recover data from a computer (e.g., do not touch the keyboard or click the mouse) or other electronic device other than to record what is visible on its display.
What Is Electronic Evidence?
Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. Such evidence is acquired when data or physical items are collected and stored for examination purposes. Electronic evidence:
Is often latent in the same sense as fingerprints or DNA evidence.
Can transcend borders with ease and speed.
Is fragile and can be easily altered, damaged, or destroyed.
Is sometimes time-sensitive.
How Is Electronic Evidence Handled at the Crime Scene?
Precautions must be taken in the collection, preservation, and examination of electronic evidence. Handling electronic evidence at the crime scene normally consists of the following steps:
Recognition and identification of the evidence.
Documentation of the crime scene.
Collection and preservation of the evidence.
Packaging and transportation of the evidence.
The information in this document assumes that:
The necessary legal authority to search for and seize the suspected evidence has been obtained.
The crime scene has been secured and documented (photographically and/or by sketch or notes).
Crime scene protective equipment (gloves, etc.) is being used as necessary.
Note: First responders should use caution when seizing electronic devices. The improper access of data stored in electronic devices may violate provisions of certain Federal laws, including the Electronic Communications Privacy Act. Additional legal process may be necessary. Please consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel.
Is Your Agency Prepared to Handle Electronic Evidence?
This document recommends that every agency identify local computer experts before they are needed. These experts should be “on call” for situations that are beyond the technical expertise of the first responder or department. (Similar services are in place for toxic waste emergencies.) It is also recommended that investigative plans be developed in compliance with departmental policy and Federal, State, and local laws. In particular, under the Privacy Protection Act, with certain exceptions, it is unlawful for an agent to search for or seize certain materials possessed by a person reasonably believed to have a purpose of disseminating information to the public. For example, seizure of First Amendment materials such as drafts of newsletters or Web pages may implicate the Privacy Protection Act.
This document may help in:
Assessing resources.
Developing procedures.
Assigning roles and tasks.
Considering officer safety.
Identifying and documenting equipment and supplies to bring to the scene.
Chapter 1. Electronic Devices: Types and Potential Evidence
Electronic evidence can be found in many of the new types of electronic devices available to today’s consumers. This chapter displays a wide variety of the types of electronic devices commonly encountered in crime scenes, provides a general description of each type of device, and describes its common uses. In addition, it presents the potential evidence that may be found in each type of equipment.
Many electronic devices contain memory that requires continuous power to maintain the information, such as a battery or AC power. Data can be easily lost by unplugging the power source or allowing the battery to discharge. (Note: After determining the mode of collection, collect and store the power supply adaptor or cable, if present, with the recovered device.)
[Photo with labeled items: printer; CPU location; telephone; diskettes; monitor; keyboard; software; counterfeit documents]
Computer Systems
[Photos: Computer monitor; laptop]
Description: A computer system typically consists of a main base unit, sometimes called a central processing unit (CPU), data storage devices, a monitor, keyboard, and mouse. It may be a standalone or it may be connected to a network. There are many types of computer systems such as laptops, desktops, tower systems, modular rack-mounted systems, minicomputers, and mainframe computers. Additional components include modems, printers, scanners, docking stations, and external data storage devices. For example, a desktop is a computer system consisting of a case, motherboard, CPU, and data storage, with an external keyboard and mouse.
Primary Uses: For all types of computing functions and information storage, including word processing, calculations, communications, and graphics.
Potential Evidence: Evidence is most commonly found in files that are stored on hard drives and storage devices and media. Examples are:
User-Created Files
User-created files may contain important evidence of criminal activity such as address books and database files that may prove criminal association, still or moving pictures that may be evidence of pedophile activity, and communications between criminals such as by e-mail or letters. Also, drug deal lists may often be found in spreadsheets.
Address books.
E-mail files.
Audio/video files.
Image/graphics files.
Calendars.
Internet bookmarks/favorites.
Database files.
Spreadsheet files.
Documents or text files.
[Photo: Port replicator]
User-Protected Files
Users have the opportunity to hide evidence in a variety of forms. For example, they may encrypt or password-protect data that are important to them. They may also hide files on a hard disk or within other files or deliberately hide incriminating evidence files under an innocuous name.
Compressed files.
Misnamed files.
Encrypted files.
Password-protected files.
Hidden files.
Steganography.
Evidence can also be found in files and other data areas created as a routine function of the computer’s operating system. In many cases, the user is not aware that data are being written to these areas. Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and examined.
[Photos: Docking station; server]
Note: There are components of files that may have evidentiary value including the date and time of creation, modification, deletion, access, user name or identification, and file attributes. Even turning the system on can modify some of this information.
Computer-Created Files
Backup files.
Log files.
Configuration files.
Printer spool files.
Cookies.
Swap files.
Hidden files.
System files.
History files.
Temporary files.
Other Data Areas
Bad clusters.
Other partitions.
Computer date, time, and password.
Reserved areas.
Slack space.
Software registration information.
Deleted files.
Free space.
Hidden partitions.
System areas.
Lost clusters.
Unallocated space.
Metadata.
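Added example (not part of the original guide): the "misnamed files" entry under User-Protected Files and the note on file dates can be illustrated by comparing each file's leading signature bytes with its extension while recording the timestamps before any content is read. This goes beyond the guide's collection scope and assumes a trained examiner working on a copy of the evidence; the signature table, function names, and sample files are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Leading signature ("magic") bytes for a few common formats, with the
# extensions normally used for each. Illustrative subset, not exhaustive.
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\x1f\x8b", "gzip archive", {".gz", ".tgz"}),
]


def identify(header):
    """Return (format name, expected extensions) for a file header."""
    for magic, name, extensions in SIGNATURES:
        if header.startswith(magic):
            return name, extensions
    return None, set()


def iso(timestamp):
    """Render a POSIX timestamp as an unambiguous UTC string."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()


def survey(root):
    """Walk a working copy and flag files whose content contradicts their name."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fname in sorted(filenames):
            path = os.path.join(dirpath, fname)
            # Capture metadata BEFORE opening the file: reading content can
            # update the last-access time on some systems.
            st = os.stat(path)
            with open(path, "rb") as fh:
                header = fh.read(16)
            kind, expected = identify(header)
            ext = os.path.splitext(fname)[1].lower()
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "modified": iso(st.st_mtime),
                "accessed": iso(st.st_atime),
                "detected": kind,
                "misnamed": kind is not None and ext not in expected,
            })
    return records


def build_sample(root):
    """Write constructed sample files (not real evidence) into root."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # genuine JPEG header
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 32,    # JPEG under a text name
        "system.dll": b"PK\x03\x04" + b"\x00" * 32,         # ZIP under a library name
        "readme.txt": b"plain text\n",                      # no known signature
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Survey the constructed samples in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return survey(root)


if __name__ == "__main__":
    for record in demo():
        flag = "MISNAMED" if record["misnamed"] else "ok"
        print(f'{flag:9} {record["path"]:12} {record["detected"]} '
              f'modified={record["modified"]}')
```

A file with no recognized signature is reported as undetected rather than misnamed, so an unflagged file is not thereby shown to be what its name claims.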
Components
Central Processing Units (CPUs)
[Photos: PIII Xeon processor; PIII processor; G4 processor; CPUs]
Description: Often called the “chip,” it is a microprocessor located inside the computer. The microprocessor is located in the main computer box on a printed circuit board with other electronic components.
Primary Uses: Performs all arithmetic and logical functions in the computer. Controls the operation of the computer.
Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.
Memory
[Photo: Memory]
Description: Removable circuit board(s) inside the computer. Information stored here is usually not retained when the computer is powered down.
Primary Uses: Stores user’s programs and data while computer is in operation.
Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.
Access Control Devices
Smart Cards, Dongles, Biometric Scanners
[Photos: Smart card; biometric scanner; parallel dongle; USB dongles]
Description: A smart card is a small handheld device that contains a microprocessor that is capable of storing a monetary value, encryption key or authentication information (password), digital certificate, or other information. A dongle is a small device that plugs into a computer port that contains types of information similar to information on a smart card. A biometric scanner is a device connected to a computer system that recognizes physical characteristics of an individual (e.g., fingerprint, voice, retina).
Primary Uses: Provides access control to computers or programs or functions as an encryption key.
Potential Evidence: Identification/authentication information of the card and the user, level of access, configurations, permissions, and the device itself.
Answering Machines
[Photo: Answering machine]
Description: An electronic device that is part of a telephone or connected between a telephone and the landline connection. Some models use a magnetic tape or tapes, while others use an electronic (digital) recording system.
Primary Uses: Records voice messages from callers when the called party is unavailable or chooses not to answer a telephone call. Usually plays a message from the called party before recording the message.
Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.
Potential Evidence: Answering machines can store voice messages and, in some cases, time and date information about when the message was left. They may also contain other voice recordings.
Caller identification information.
Deleted messages.
Last number called.
Memo.
Phone numbers and names.
Tapes.
Digital Cameras
[Photos: QuickCam; Snappy device (video capture device); digital cameras]
Description: Camera, digital recording device for images and video, with related storage media and conversion hardware capable of transferring images and video to computer media.
Primary Uses: Digital cameras capture images and/or video in a digital format that is easily transferred to computer storage media for viewing and/or editing.
Potential Evidence:
Images.
Time and date stamp.
Removable cartridges.
Video.
Sound.
[Photo: Video phone]
Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)
[Photos: Casio PDA; Palm cradle; Palm in cradle]
Description: A personal digital assistant (PDA) is a small device that can include computing, telephone/fax, paging, networking, and other features. It is typically used as a personal organizer. A handheld computer approaches the full functionality of a desktop computer system. Some do not contain disk drives, but may contain PC card slots that can hold a modem, hard drive, or other device. They usually include the ability to synchronize their data with other computer systems, most commonly by a connection in a cradle (see photo). If a cradle is present, attempt to locate the associated handheld device.
Primary Uses: Handheld computing, storage, and communication devices capable of storage of information.
Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.
Potential Evidence:
Address book.
Password.
Appointment calendars/information.
Phone book.
Text messages.
Voice messages.
Documents.
E-mail.
Handwriting.
[Photo: PDAs]
Hard Drives
[Photos: Hard drive; external hard drive pack; removable hard drive tray; Microdrive; 2.5-inch IDE hard drive (laptop); 5.25-inch IDE hard drive (Quantum Bigfoot); 2.5-inch IDE hard drive w/ cover removed; 3.5-inch IDE hard drive w/ cover removed]
Description: A sealed box containing rigid platters (disks) coated with a substance capable of storing data magnetically. Can be encountered in the case of a PC as well as externally in a standalone case.
Primary Uses: Storage of information such as computer programs, text, pictures, video, multimedia files, etc.
Potential Evidence: See potential evidence under computer systems.
Memory Cards
[Photos: Memory stick; flash card in PCMCIA adaptor; smart media card; floppy disk adaptor/memory stick; compact flash card; smart media floppy; memory cards]
Description: Removable electronic storage devices, which do not lose the information when power is removed from the card. It may even be possible to recover erased images from memory cards. Memory cards can store hundreds of images in a credit card-size module. Used in a variety of devices, including computers, digital cameras, and PDAs. Examples are memory sticks, smart cards, flash memory, and flash cards.
Primary Uses: Provides additional, removable methods of storing and transporting information.
Potential Evidence: See potential evidence under computer systems.
Modems
[Photos: External modem; Ricochet modem; wireless modem; internal modem; PCMCIA modem]
Description: Modems, internal and external (analog, DSL, ISDN, cable), wireless modems, PC cards.
Primary Uses: A modem is used to facilitate electronic communication by allowing the computer to access other computers and/or networks via a telephone line, wireless, or other communications medium.
Potential Evidence: The device itself.
Network Components
Local Area Network (LAN) Card or Network Interface Card (NIC)
[Photos: Internal network interface card; wireless network interface card]
Note: These components are indicative of a computer network. See discussion on network system evidence in chapter 5 before handling the computer system or any connected devices.
Description: Network cards, associated cables. Network cards also can be wireless.
Primary Uses: A LAN/NIC card is used to connect computers. Cards allow for the exchange of information and resource sharing.
Potential Evidence: The device itself, MAC (media access control) access address.
Routers, Hubs, and Switches
[Photos and network diagrams: Power adapter; router; Ethernet hub; wireless PCMCIA card; PCMCIA network interface card; standard RJ-45 Ethernet cable; 10Mbps or 10/100Mbps autosensing Ethernet hub; cable or xDSL modem; wired hub; wireless hub; NBG600; CableFREE NCF600 PC Card in a notebook; CableFREE NBG600 NetBlaster; CableFREE ISA/PCI card in a desktop]
Description: These electronic devices are used in networked computer systems. Routers, switches, and hubs provide a means of connecting different computers or networks. They can frequently be recognized by the presence of multiple cable connections.
Primary Uses: Equipment used to distribute and facilitate the distribution of data through networks.
Potential Evidence: The devices themselves. Also, for routers, configuration files.
Servers
[Photo: Server]
Description: A server is a computer that provides some service for other computers connected to it via a network. Any computer, including a laptop, can be configured as a server.
Primary Uses: Provides shared resources such as e-mail, file storage, Web page services, and print services for a network.
Potential Evidence: See potential evidence under computer systems.
Network Cables and Connectors
[Photos: RJ-11 phone cable; RJ45 LAN cable and RJ11 phone cable; network cable dongle and PC network card; Centronics printer cable; SCSI cable; ultrawide SCSI cable; parallel port printer cable; serial cable and mouse; PS2 cable; PS2 cable with PS2 AT adapter; USB cable with A&B connectors; audio/visual cables]
Description: Network cables can be different colors, thicknesses, and shapes and have different connectors, depending on the components they are connected to.
Primary Uses: Connects components of a computer network.
Potential Evidence: The devices themselves.
Pagers
[Photos: RIM pager; single pager; pagers]
Description: A handheld, portable electronic device that can contain volatile evidence (telephone numbers, voice mail, e-mail). Cell phones and personal digital assistants also can be used as paging devices.
Primary Uses: For sending and receiving electronic messages, numeric (phone numbers, etc.) and alphanumeric (text, often including e-mail).
Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.
Potential Evidence:
Address information.
Text messages.
E-mail.
Voice messages.
Phone numbers.
Printers
[Photos: Multifunction device; inkjet printers]
Description: One of a variety of printing systems, including thermal, laser, inkjet, and impact, connected to the computer via a cable (serial, parallel, universal serial bus (USB), firewire) or accessed via an infrared port. Some printers contain a memory buffer, allowing them to receive and store multiple page documents while they are printing. Some models may also contain a hard drive.
Primary Uses: Print text, images, etc., from the computer to paper.
Potential Evidence: Printers may maintain usage logs, time and date information, and, if attached to a network, they may store network identity information. In addition, unique characteristics may allow for identification of a printer.
Documents.
Superimposed images on the roller.
Hard drive.
Ink cartridges.
Time and date stamp.
Network identity/information.
User usage log.
Removable Storage Devices and Media
[Photos: Syquest cartridge; external CDROM drive; recordable CD; external Zip drive; Jaz cartridge; Zip cartridge; DAT tape reader; LS-120 floppy disk; DLT tape cartridge; DVD RAM cartridge; tape drive; external media disk drive; 8mm and 4mm tapes; 3.5-inch floppy diskette]
Description: Media used to store electrical, magnetic, or digital information (e.g., floppy disks, CDs, DVDs, cartridges, tape).
Primary Uses: Portable devices that can store computer programs, text, pictures, video, multimedia files, etc.
New types of storage devices and media come on the market frequently; these are a few examples of how they appear.
Potential Evidence: See potential evidence under computer systems.
Scanners
[Photos: Flatbed scanner; sheetfed scanner; handheld scanner]
Description: An optical device connected to a computer, which passes a document past a scanning device (or vice versa) and sends it to the computer as a file.
Primary Uses: Converts documents, pictures, etc., to electronic files, which can then be viewed, manipulated, or transmitted on a computer.
Potential Evidence: The device itself may be evidence. Having the capability to scan may help prove illegal activity (e.g., child pornography, check fraud, counterfeiting, identity theft). In addition, imperfections such as marks on the glass may allow for unique identification of a scanner used to process documents.
Telephones
[Photos: Cordless; cellular phones]
Description: A handset either by itself (as with cell phones), or a remote base station (cordless), or connected directly to the landline system. Draws power from an internal battery, electrical plug-in, or directly from the telephone system.
Primary Uses: Two-way communication from one instrument to another, using land lines, radio transmission, cellular systems, or a combination. Phones are capable of storing information.
Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.
Potential Evidence: Many telephones can store names, phone numbers, and caller identification information. Additionally, some cellular telephones can store appointment information, receive electronic mail and pages, and may act as a voice recorder.
Appointment calendars/information.
Password.
Caller identification information.
Phone book.
Electronic serial number.
Text messages.
E-mail.
Voice mail.
Memo.
Web browsers.
Miscellaneous Electronic Items Caller ID Box
Cellular Phone Cloning Equipment
There are many additional types of electronic equipment that are too numerous to be listed that might be found at a crime scene. However, there are many nontraditional devices that can be an excellent source of investigative information and/or evidence. Examples are credit card skimmers, cell phone cloning equipment, caller ID boxes, audio recorders, and Web TV. Fax machines, copiers, and multifunction machines may have internal storage devices and may contain information of evidentiary value.
REMINDER: The search of this type of evidence may require a search warrant. See note in the Introduction, page 7.
Copiers
Copier
Some copiers maintain user access records and history of copies made. Copiers with the scan once/print many feature allow documents to be scanned once into memory, and then printed later.
Potential Evidence:
Documents.
Time and date stamp.
User usage log.
Credit Card Skimmers
Credit card skimmers are used to read information contained on the magnetic stripe on plastic cards.
Potential Evidence: Cardholder information contained on the tracks of the magnetic stripe includes:
Card expiration date.
User’s address.
Credit card numbers.
User’s name.
Digital Watches
Credit Card Skimmer
Credit Card Skimmer— Laptop
There are several types of digital watches available that can function as pagers that store digital messages. They may store additional information such as address books, appointment calendars, e-mail, and notes. Some also have the capability of synchronizing information with computers.
Potential Evidence:
Address book.
Notes.
Appointment calendars.
Phone numbers.
E-mail.
Facsimile Machines Fax Machine
Facsimile (fax) machines can store preprogrammed phone numbers and a history of transmitted and received documents. In addition, some contain memory allowing multiple-page faxes to be scanned in and sent at a later time as well as allowing incoming faxes to be held in memory and printed later. Some may store hundreds of pages of incoming and/or outgoing faxes.
Potential Evidence:
Documents.
Phone numbers.
Film cartridge.
Send/receive log.
Global Positioning Systems (GPS)
Global Positioning Systems can provide information on previous travel via destination information, way points, and routes. Some automatically store the previous destinations and include travel logs.
Potential Evidence:
Home.
Way point coordinates.
Previous destinations.
Way point name.
Travel logs.
Chapter 2 Investigative Tools and Equipment
Principle: Special tools and equipment may be required to collect electronic evidence. Experience has shown that advances in technology may dictate changes in the tools and equipment required.
Policy: There should be access to the tools and equipment necessary to document, disconnect, remove, package, and transport electronic evidence.
Procedure: Preparations should be made to acquire the equipment required to collect electronic evidence. The needed tools and equipment are dictated by each aspect of the process: documentation, collection, packaging, and transportation.
Tool Kit
Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, markers). The following are additional items that may be useful at an electronic crime scene.
Documentation Tools
Cable tags.
Indelible felt tip markers.
Stick-on labels.
Disassembly and Removal Tools
A variety of nonmagnetic sizes and types of:
Flat-blade and Phillips-type screwdrivers.
Hex-nut drivers.
Needle-nose pliers.
Secure-bit drivers.
Small tweezers.
Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).
Standard pliers.
Star-type nut drivers.
Wire cutters.
Package and Transport Supplies
Antistatic bags.
Antistatic bubble wrap.
Cable ties.
Evidence bags.
Evidence tape.
Packing materials (avoid materials that can produce static electricity such as styrofoam or styrofoam peanuts).
Packing tape.
Sturdy boxes of various sizes.
Other Items
Items that also should be included within a department’s tool kit are:
Gloves.
Hand truck.
Large rubber bands.
List of contact telephone numbers for assistance.
Magnifying glass.
Printer paper.
Seizure disk.
Small flashlight.
Unused floppy diskettes (3 1/2 and 5 1/4 inch).
Chapter 3 Securing and Evaluating the Scene
Principle: The first responder should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence, both traditional and electronic.
Policy: All activities should be in compliance with departmental policy and Federal, State, and local laws. (Additional resources are referenced in appendix B.)
Procedure: After securing the scene and all persons on the scene, the first responder should visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. The first responder should evaluate the scene and formulate a search plan.
Secure and evaluate the scene:
Follow jurisdictional policy for securing the crime scene. This would include ensuring that all persons are removed from the immediate area from which evidence is to be collected. At this point in the investigation do not alter the condition of any electronic devices: If it is off, leave it off. If it is on, leave it on.
Protect perishable data physically and electronically. Perishable data may be found on pagers, caller ID boxes, electronic organizers, cell phones, and other similar devices. The first responder should always keep in mind that any device containing perishable data should be immediately secured, documented, and/or photographed.
Identify telephone lines attached to devices such as modems and caller ID boxes. Document, disconnect, and label each telephone line from the wall rather than the device, when possible. There may also be other communications lines present for LAN/ethernet connections. Consult appropriate personnel/agency in these cases.
Keyboards, the computer mouse, diskettes, CDs, or other components may have latent fingerprints or other physical evidence that should be preserved. Chemicals used in processing latent prints can damage equipment and data. Therefore, latent prints should be collected after electronic evidence recovery is complete.
Conduct preliminary interviews:
Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry.
Consistent with departmental policy and applicable law, obtain from these individuals information such as:
Owners and/or users of electronic devices found at the scene, as well as passwords (see below), user names, and Internet service provider.
Passwords. Any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)
Purpose of the system.
Any unique security schemes or destructive devices.
Any offsite data storage.
Any documentation explaining the hardware or software installed on the system.
Chapter 4 Documenting the Scene
Principle: Documentation of the scene creates a permanent historical record of the scene. Documentation is an ongoing process throughout the investigation. It is important to accurately record the location and condition of computers, storage media, other electronic devices, and conventional evidence.
Policy: Documentation of the scene should be created and maintained in compliance with departmental policy and Federal, State, and local laws.
Procedure: The scene should be documented in detail.
Initial documentation of the physical scene:
Observe and document the physical scene, such as the position of the mouse and the location of components relative to each other (e.g., a mouse on the left side of the computer may indicate a left-handed user).
Document the condition and location of the computer system, including power status of the computer (on, off, or in sleep mode). Most computers have status lights that indicate the computer is on. Likewise, if fan noise is heard, the system is probably on. Furthermore, if the computer system is warm, that may also indicate that it is on or was recently turned off.
Identify and document related electronic components that will not be collected.
Photograph the entire scene to create a visual record as noted by the first responder. The complete room should be recorded with 360 degrees of coverage, when possible.
Photograph the front of the computer as well as the monitor screen and other components. Also take written notes on what appears on the monitor screen. Active programs may require videotaping or more extensive documentation of monitor screen activity.
Note: Movement of a computer system while the system is running may cause changes to system data. Therefore, the system should not be moved until it has been safely powered down as described in chapter 5.
Additional documentation of the system will be performed during the collection phase.
Chapter 5 Evidence Collection
REMINDER: The search for and collection of evidence at an electronic crime scene may require a search warrant. See note in the Introduction, page 7.
Principle: Computer evidence, like all other evidence, must be handled carefully and in a manner that preserves its evidentiary value. This relates not just to the physical integrity of an item or device, but also to the electronic data it contains. Certain types of computer evidence, therefore, require special collection, packaging, and transportation. Consideration should be given to protect data that may be susceptible to damage or alteration from electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices.
Policy: Electronic evidence should be collected according to departmental guidelines. In the absence of departmental guidelines outlining procedures for electronic evidence collection, the following procedures are suggested.
Note: Prior to collection of evidence, it is assumed that locating and documenting has been done as described in chapters 3 and 4. Recognize that other types of evidence such as trace, biological, or latent prints may exist. Follow your agency’s protocol regarding evidence collection. Destructive techniques (e.g., use of fingerprint processing chemicals) should be postponed until after electronic evidence recovery is done.
Nonelectronic Evidence
Recovery of nonelectronic evidence can be crucial in the investigation of electronic crime. Proper care should be taken to ensure that such evidence is recovered and preserved. Items relevant to subsequent examination of electronic evidence may exist in other forms (e.g., written passwords and other handwritten notes, blank pads of paper with indented writing, hardware and software manuals, calendars, literature, text or graphical computer printouts, and photographs) and should be secured and preserved for future analysis. These items frequently are in close proximity to the computer or related hardware items. All evidence should be identified, secured, and preserved in compliance with departmental policies.
Stand-Alone and Laptop Computer Evidence
CAUTION: Multiple computers may indicate a computer network. Likewise, computers located at businesses are often networked. In these situations, specialized knowledge about the system is required to effectively recover evidence and reduce your potential for civil liability. When a computer network is encountered, contact the forensic computer expert in your department or outside consultant identified by your department for assistance. Computer systems in a complex environment are addressed later in this chapter.
A “stand-alone” personal computer is a computer not connected to a network or other computer. Stand-alones may be desktop machines or laptops.
Laptops incorporate a computer, monitor, keyboard, and mouse into a single portable unit. Laptops differ from other computers in that they can be powered by electricity or a battery source. Therefore, they require the removal of the battery in addition to stand-alone power-down procedures.
If the computer is on, document existing conditions and call your expert or consultant. If an expert or consultant is not available, continue with the following procedure:
Procedure: After securing the scene per chapter 3, read all steps below before taking any action (or evidentiary data may be altered).
a. Record in notes all actions you take and any changes that you observe in the monitor, computer, printer, or other peripherals that result from your actions.
b. Observe the monitor and determine if it is on, off, or in sleep mode. Then decide which of the following situations applies and follow the steps for that situation.
Situation 1: Monitor is on and work product and/or desktop is visible.
1. Photograph screen and record information displayed.
2. Proceed to step c.
Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver (picture) is visible.
1. Move the mouse slightly (without pushing buttons). The screen should change and show work product or request a password.
2. If mouse movement does not cause a change in the screen, DO NOT perform any other keystrokes or mouse operations.
3. Photograph the screen and record the information displayed.
4. Proceed to step c.
Situation 3: Monitor is off.
1. Make a note of “off” status.
2. Turn the monitor on, then determine if the monitor status is as described in either situation 1 or 2 above and follow those steps.
c. Regardless of the power state of the computer (on, off, or sleep mode), remove the power source cable from the computer—NOT from the wall outlet. If dealing with a laptop, in addition to removing the power cord, remove the battery pack. The battery is removed to prevent any power to the system. Some laptops have a second battery in the multipurpose bay instead of a floppy drive or CD drive. Check for this possibility and remove that battery as well.
d. Check for outside connectivity (e.g., telephone modem, cable, ISDN, DSL). If a telephone connection is present, attempt to identify the telephone number.
e. To avoid damage to potential evidence, remove any floppy disks that are present, package the disk separately, and label the package. If available, insert either a seizure disk or a blank floppy disk. Do NOT remove CDs or touch the CD drive.
f. Place tape over all the drive slots and over the power connector.
g. Record make, model, and serial numbers.
h. Photograph and diagram the connections of the computer and the corresponding cables.
i. Label all connectors and cable ends (including connections to peripheral devices) to allow for exact reassembly at a later time. Label unused connection ports as “unused.” Identify laptop computer docking stations in an effort to identify other storage media.
j. Record or log evidence according to departmental procedures.
k. If transport is required, package the components as fragile cargo (see chapter 6).
Computers in a Complex Environment
Business environments frequently have multiple computers connected to each other, to a central server, or both. Securing and processing a crime scene where the computer systems are networked poses special problems, as improper shutdown may destroy data. This can result in loss of evidence and potential severe civil liability. When investigating criminal activity in a known business environment, the presence of a computer network should be planned for in advance, if possible, and appropriate expert assistance obtained. It should be noted that computer networks can also be found in a home environment and the same concerns exist.
[Figures: 10Base2 Connector and 10BaseT Connector, each marked “Disconnect Here”]
The possibility of various operating systems and complex hardware configurations requiring different shutdown procedures make the processing of a network crime scene beyond the scope of this guide. However, it is important that computer networks be recognized and identified, so that expert assistance can be obtained if one is encountered. Appendix C provides a list of technical resources that can be contacted for assistance. Indications that a computer network may be present include:
The presence of multiple computer systems.
The presence of cables and connectors, such as those depicted in the pictures at left, running between computers or central devices such as hubs.
Information provided by informants or individuals at the scene.
The presence of network components as depicted in chapter 1.
Other Electronic Devices and Peripheral Evidence
The electronic devices such as the ones in the list below may contain potential evidence associated with criminal activity. Unless an emergency exists, the device should not be operated. Should it be necessary to access information from the device, all actions associated with the manipulation of the device should be documented to preserve the authenticity of the information. Many of the items listed below may contain data that could be lost if not handled properly. For more detailed information on these devices, see chapter 1.
Examples of other electronic devices (including computer peripherals):
Audio recorders.
Flash memory cards.
Answering machines.
Cables.
Floppies, diskettes, CD–ROMs.
Caller ID devices.
GPS devices.
Cellular telephones.
Pagers.
Chips. (When components such as chips are found in quantity, it may be indicative of chip theft.)
Palm Pilots/electronic organizers.
PCMCIA cards.
Printers (if active, allow to complete printing).
Copy machines.
Databank/Organizer digital.
Removable media.
Digital cameras (still and video).
Scanners (film, flatbed, watches, etc.).
Dongle or other hardware protection devices (keys) for software.
Smart cards/secure ID tokens.
Telephones (including speed dialers, etc.).
Drive duplicators.
VCRs.
External drives.
Wireless access point.
Fax machines.
Note: When seizing removable media, ensure that you take the associated device that created the media (e.g., tape drive, cartridge drives such as Zip®, Jaz®, ORB, Clik!™, Syquest, LS-120).
Chapter 6 Packaging, Transportation, and Storage
Principle: Actions taken should not add, modify, or destroy data stored on a computer or other media. Computers are fragile electronic instruments that are sensitive to temperature, humidity, physical shock, static electricity, and magnetic sources. Therefore, special precautions should be taken when packaging, transporting, and storing electronic evidence. To maintain chain of custody of electronic evidence, document its packaging, transportation, and storage.
Policy: Ensure that proper procedures are followed for packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
Packaging procedure:
a. Ensure that all collected electronic evidence is properly documented, labeled, and inventoried before packaging.
b. Pay special attention to latent or trace evidence and take actions to preserve it.
c. Pack magnetic media in antistatic packaging (paper or antistatic plastic bags). Avoid using materials that can produce static electricity, such as standard plastic bags.
d. Avoid folding, bending, or scratching computer media such as diskettes, CD–ROMs, and tapes.
e. Ensure that all containers used to hold evidence are properly labeled.
Note: If multiple computer systems are collected, label each system so that it can be reassembled as found (e.g., System A–mouse, keyboard, monitor, main base unit; System B–mouse, keyboard, monitor, main base unit).
Transportation procedure:
a. Keep electronic evidence away from magnetic sources. Radio transmitters, speaker magnets, and heated seats are examples of items that can damage electronic evidence.
b. Avoid storing electronic evidence in vehicles for prolonged periods of time. Conditions of excessive heat, cold, or humidity can damage electronic evidence.
c. Ensure that computers and other components that are not packaged in containers are secured in the vehicle to avoid shock and excessive vibrations. For example, computers may be placed on the vehicle floor and monitors placed on the seat with the screen down and secured by a seat belt.
d. Maintain the chain of custody on all evidence transported.
Storage procedure:
a. Ensure that evidence is inventoried in accordance with departmental policies.
b. Store evidence in a secure area away from temperature and humidity extremes. Protect it from magnetic sources, moisture, dust, and other harmful particles or contaminants.
Note: Be aware that potential evidence such as dates, times, and systems configurations may be lost as a result of prolonged storage. Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.
Chapter 7 Forensic Examination by Crime Category
The following outline should help officers/investigators identify the common findings of a forensic examination as they relate to specific crime categories. This outline will also help define the scope of the examination to be performed. (This information is also presented as a matrix at the end of this chapter.)
Auction Fraud (Online)
Account data regarding online auction sites.
Accounting/bookkeeping software and associated data files.
Address books.
Calendar.
Chat logs.
Customer information/credit card data.
Databases.
Digital camera software.
E-mail/notes/letters.
Financial/asset records.
Image files.
Internet activity logs.
Internet browser history/cache files.
Online financial institution access software.
Records/documents of “testimonials.”
Telephone records.
Child Exploitation/Abuse
Chat logs.
Images.
Date and time stamps.
Internet activity logs.
Digital camera software.
Movie files.
E-mail/notes/letters.
Games.
Graphic editing and viewing software.
User-created directory and file names that classify images.
Computer Intrusion
Address books.
Internet relay chat (IRC) logs.
Configuration files.
E-mail/notes/letters.
Source code.
Executable programs.
Internet activity logs.
Text files (user names and passwords).
Internet protocol (IP) address and user name.
Death Investigation
Address books.
Internet activity logs.
Diaries.
Legal documents and wills.
E-mail/notes/letters.
Medical records.
Financial/asset records.
Telephone records.
Images.
Domestic Violence
Address books.
Financial/asset records.
Diaries.
Medical records.
E-mail/notes/letters.
Telephone records.
Economic Fraud (Including Online Fraud, Counterfeiting)
Address books.
False financial transaction forms.
Calendar.
Check, currency, and money order images.
False identification.
Financial/asset records.
Credit card skimmers.
Images of signatures.
Customer information/credit card data.
Internet activity logs.
Online financial institution access software.
Databases.
E-mail/notes/letters.
E-Mail Threats/Harassment/Stalking
Address books.
Internet activity logs.
Diaries.
Legal documents.
E-mail/notes/letters.
Telephone records.
Financial/asset records.
Victim background research.
Images.
Extortion
Date and time stamps.
Internet activity logs.
E-mail/notes/letters.
Temporary Internet files.
History log.
User names.
Gambling
Address books.
Financial/asset records.
Calendar.
Image players.
Customer database and player records.
Internet activity logs.
Online financial institution access software.
Sports betting statistics.
Identification templates.
Customer information/credit card data.
Electronic money.
E-mail/notes/letters.
Identity Theft
Hardware and software tools.
Birth certificates.
Backdrops.
Check cashing cards.
Credit card generators.
Credit card reader/writer.
Digital photo images for photo identification.
Digital cameras.
Driver’s license.
Scanners.
Electronic signatures.
Fictitious vehicle registrations.
Proof of auto insurance documents.
Scanned signatures.
Social security cards.
Internet activity related to ID theft.
Negotiable instruments.
Business checks.
Cashiers checks.
Counterfeit money.
Credit card numbers.
Fictitious court documents.
Fictitious gift certificates.
Fictitious loan documents.
E-mails and newsgroup postings.
Erased documents.
Fictitious sales receipts.
Online orders.
Money orders.
Online trading information.
Personal checks.
Stock transfer documents.
Travelers checks.
Vehicle transfer documentation.
System files and file slack.
World Wide Web activity at forgery sites.
Narcotics
Address books.
False identification.
Calendar.
Financial/asset records.
Databases.
Internet activity logs.
Drug recipes.
Prescription form images.
E-mail/notes/letters.
Prostitution
Address books.
False identification.
Biographies.
Financial/asset records.
Calendar.
Internet activity logs.
Customer database/records.
Medical records.
E-mail/notes/letters.
World Wide Web page advertising.
Software Piracy
Chat logs.
E-mail/notes/letters.
Image files of software certificates.
Internet activity logs.
Serial numbers.
Software cracking information and utilities.
User-created directory and file names that classify copyrighted software.
At a physical scene, look for duplication and packaging material.
Telecommunications Fraud
Cloning software.
Financial/asset records.
Customer database/records.
“How to phreak” manuals.
Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records.
Internet activity.
Telephone records.
E-mail/notes/letters.
The following information, when available, should be documented to assist in the forensic examination:
Case summary.
Passwords.
Internet protocol address(es).
Points of contact.
Supporting documents.
Type of crime.
Keyword lists.
Nicknames.
Matrix: Information types by crime category (column groups: Sex Crimes, Crimes Against Persons, Fraud/Other Financial Crime)
General Information:
Databases
Financial/asset records
Medical records
E-Mail/notes/letters
Telephone records
Specific Information: Account data
Accounting/bookkeeping software
Address books
Backdrops
Biographies
Birth certificates
Calendar Chat logs
Check, currency currency,, and money order images
Check cashing cards
Cloning software
Configuration files Counterfeit money
Credit card generators
Credit card numbers
Credit card reader/writer
Credit card skimmers Customer database/ records
Customer information/ credit card data Date and time stamps
Digital cameras/software/ images
Diaries
Driver’s license
Drug recipes Electronic money Electronic signatures
Erased Internet documents
ESN/MIN pair records
Executable programs
False financial transaction forms
False identification
Fictitious court documents
Fictitious gift certificates
Fictitious loan documents
Fictitious sales receipts
Fictitious vehicle registrations
Games
Graphic editing and viewing software
History log
“How to phreak” manuals
Images
Images of signatures
Image files of software certificates
Image players
Internet activity logs
Internet browser history/cache files
IRC chat logs
Legal documents and wills
Online financial institution access software
Online orders and trading information
Prescription form images
Records/documents of “testimonials”
IP address and user name
Movie files
Scanners/scanned signatures
Serial numbers
Social security cards
Software cracking information and utilities
Source code
Sports betting statistics
Stock transfer documents
System files and file slack
Temporary Internet files
User names
User-created directory and file names that classify copyrighted software
User-created directory and file names that classify images
Vehicle insurance and transfer documentation
Victim background research
Web activity at forgery sites
Web page advertising
Appendices
The views and opinions of authors expressed herein do not necessarily reflect those of the United States Government.
Reference herein to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government.
The information and statements contained in this document shall not be used for the purposes of advertising or to imply the endorsement or recommendation of the United States Government.
With respect to information contained in this publication, neither the United States Government nor any of its employees make any warranty, express or implied, including but not limited to the warranties of merchantability and fitness for a particular purpose. Further, neither the United States Government nor any of its employees assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed; nor do they represent that its use would not infringe on privately owned rights.
Appendix A. Glossary
Access token: In Windows NT, an internal security card that is generated when users log on. It contains the security IDs (SIDs) for the user and all the groups to which the user belongs. A copy of the access token is assigned to every process launched by the user.
BIOS: Basic Input Output System. The set of routines stored in read-only memory that enable a computer to start the operating system and to communicate with the various devices in the system such as disk drives, keyboard, monitor, printer, and communication ports.
Buffer: An area of memory, often referred to as a “cache,” used to speed up access to devices. It is used for temporary storage of data read from or waiting to be sent to a device such as a hard disk, CD-ROM, printer, or tape drive.
Clik!™: A portable disk drive, also known as a PocketZip disk. The external drive connects to the computer via the USB port or a PC card, the latter containing a removable cartridge slot within the card itself.
CD-R: Compact disk-recordable. A disk to which data can be written but not erased.
CD-RW: Compact disk-rewritable. A disk to which data can be written and erased.
Compressed file: A file that has been reduced in size through a compression algorithm to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed.
Cookies: Small text files stored on a computer while the user is browsing the Internet. These little pieces of data store information such as e-mail identification, passwords, and history of pages the user has visited.
CPU: Central processing unit. The computational and control unit of a computer. Located inside a computer, it is the “brain” that performs all arithmetic, logic, and control functions in a computer.
Deleted files: If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate the evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data.
Digital evidence: Information stored or transmitted in binary form that may be relied upon in court.
Docking station: A device to which a laptop or notebook computer can be attached for use as a desktop computer, usually having a connector for externally connected devices such as hard drives, scanners, keyboards, monitors, and printers.
Documentation: Written notes, audio/videotapes, printed forms, sketches, and/or photographs that form a detailed record of the scene, evidence recovered, and actions taken during the search of the scene.
Dongle: Also called a hardware key, a dongle is a copy protection device supplied with software that plugs into a computer port, often the parallel port on a PC. The software sends a code to that port and the key responds by reading out its serial number, which verifies its presence to the program. The key hinders software duplication because each copy of the program is tied to a unique number, which is difficult to obtain, and the key has to be programmed with that number.
DSL: Digital subscriber line. Protocols designed to allow high-speed data communication over the existing telephone lines between end-users and telephone companies.
Duplicate digital evidence: A duplicate is an accurate digital reproduction of all data objects contained on the original physical item.
DVD: Digital versatile disk. Similar in appearance to a compact disk, but can store larger amounts of data.
Electromagnetic fields: The field of force associated with electric charge in motion having both electric and magnetic components and containing a definite amount of electromagnetic energy. Examples of devices that produce electromagnetic fields include speakers and radio transmitters frequently found in the trunk of the patrol car.
Electronic device: A device that operates on principles governing the behavior of electrons. See chapter 1 for examples, which include computer systems, scanners, printers, etc.
Electronic evidence: Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device.
Encryption: Any procedure used in cryptography to convert plain text into ciphertext in order to prevent anyone but the intended recipient from reading that data.
First responder: The initial responding law enforcement officer and/or other public safety official arriving at the scene.
Hidden data: Many computer systems include an option to protect information from the casual user by hiding it. A cursory examination may not display hidden files, directories, or partitions to the untrained viewer. A forensic examination will document the presence of this type of information.
ISDN: Integrated services digital network. A high-speed digital telephone line for high-speed network communications.
ISP: Internet service provider. An organization that provides access to the Internet. Small Internet service providers provide service via modem and ISDN, while the larger ones also offer private line hookups (e.g., T1, fractional T1).
Jaz®: A high-capacity removable hard disk system.
Latent: Present, although not visible, but capable of becoming visible.
LS-120: Laser Servo-120 is a floppy disk technology that holds 120MB. LS-120 drives use a dual-gap head, which reads and writes 120MB disks as well as standard 3.5-inch 1.44MB and 720KB floppies.
Magnetic media: A disk, tape, cartridge, diskette, or cassette that is used to store data magnetically.
Misnamed files and files with altered extensions: One simple way to disguise a file’s contents is to change the file’s name to something innocuous. For example, if an investigator was looking for spreadsheets by searching for a particular file extension, such as “.XLS,” a file whose extension had been changed by the user to “.DOC” would not appear as a result of the search. Forensic examiners use special techniques to determine if this has occurred, which the casual user would not normally be aware of.
Modem: A device used by computers to communicate over telephone lines. It is recognized by connection to a phone line.
Network: A group of computers connected to one another to share information and resources.
Networked system: A computer connected to a network.
ORB: A high-capacity removable hard disk system. ORB drives use magnetoresistive (MR) read/write head technology.
Original electronic evidence: Physical items and those data objects that are associated with those items at the time of seizure.
Password-protected files: Many software programs include the ability to protect a file using a password. One type of password protection is sometimes called “access denial.” If this feature is used, the data will be present on the disk in the normal manner, but the software program will not open or display the file without the user entering the password. In many cases, forensic examiners are able to bypass this feature.
Peripheral devices: An auxiliary device such as a printer, modem, or data storage system that works in conjunction with a computer.
Phreaking: Telephone hacking.
Port: An interface by which a computer communicates with another device or system. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices.
Port replicator: A device containing common PC ports such as serial, parallel, and network ports that plugs into a notebook computer. A port replicator is similar to a docking station but docking stations normally provide capability for additional expansion boards.
Printer spool files: Print jobs that are not printed directly are stored in spool files on disk.
Removable media: Items (e.g., floppy disks, CDs, DVDs, cartridges, tape) that store data and can be easily removed.
Screen saver: A utility program that prevents a monitor from being etched by an unchanging image. It also can provide access control.
Seizure disk: A specially prepared floppy disk designed to protect the computer system from accidental alteration of data.
Server: A computer that provides some service for other computers connected to it via a network.
Sleep mode: Power conservation status that suspends the hard drive and monitor resulting in a blank screen to conserve energy, sometimes referred to as suspend mode.
Stand-alone computer: A computer not connected to a network or other computer.
Steganography: The art and science of communicating in a way that hides the existence of the communication. It is used to hide a file inside another. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.
System administrator: The individual who has legitimate supervisory rights over a computer system. The administrator maintains the highest access to the system. Also can be known as sysop, sysadmin, and system operator.
Temporary and swap files: Many computers use operating systems and applications that store data temporarily on the hard drive. These files, which are generally hidden and inaccessible, may contain information that the investigator finds useful.
USB: Universal Serial Bus. A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices.
Volatile memory: Memory that loses its content when power is turned off or lost.
Zip®: A 3.5-inch removable disk drive. The drive is bundled with software that can catalog disks and lock the files for security.
Appendix B. Legal Resources List
Publications
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Washington, D.C.: U.S. Department of Justice, Computer Crime and Intellectual Property Section, March 2001. (Online under http://www.cybercrime.gov/searchmanual.htm.)
Prosecuting Cases That Involve Computers: A Resource for State and Local Prosecutors (CD-ROM), National White Collar Crime Center, 2001. (See http://www.nctp.org and http://www.training.nw3c.org for information).
Web Sites
Computer Crime and Intellectual Property Section of the U.S. Department of Justice, 202–514–1026, http://www.cybercrime.gov.
National Cybercrime Training Partnership, 877–628–7674, http://www.nctp.org.
Infobin, http://www.infobin.org/cfid/isplist.htm.
Appendix C. Technical Resources List
National
Computer Analysis Response Team, FBI Laboratory, 935 Pennsylvania Avenue N.W., Washington, DC 20535. Phone: 202–324–9307. http://www.fbi.gov/programs/lab/org/cart.htm
High Tech Crime Consortium, International Headquarters, 1506 North Stevens Street, Tacoma, WA 98406–3826. Phone: 253–752–2427. Fax: 253–752–2430. E-mail: [email protected] http://www.HighTechCrimeCops.org
Information Systems Security Association (ISSA), 7044 South 13th Street, Oak Creek, WI 53154. Phone: 800–370–4772. http://www.issa.org
Internal Revenue Service, Criminal Investigation Division, Rich Mendrop, Computer Investigative Specialist Program Manager, 2433 South Kirkwood Court, Denver, CO 80222. Phone: 303–756–0646. E-mail: richard.mendrop@ci.irs.gov
National Aeronautics and Space Administration, Cheri Carr, Computer Forensic Lab Chief, NASA Office of the Inspector General, Network and Advanced Technology Protections Office, 300 E Street S.W., Washington, DC 20546. Phone: 202–358–4298.
National Aeronautics and Space Administration, Charles Coe, Director of Technical Services, NASA Office of the Inspector General, Network and Advanced Technology Protections Office, 300 E Street S.W., Washington, DC 20546. Phone: 202–358–2573.
National Aeronautics and Space Administration, Steve Nesbitt, Director of Operations, NASA Office of the Inspector General, Network and Advanced Technology Protections Office, 300 E Street S.W., Washington, DC 20546. Phone: 202–358–2576.
National Center for Forensic Science, University of Central Florida, P.O. Box 162367, Orlando, FL 32816. Phone: 407–823–6469. Fax: 407–823–3162. http://www.ncfs.ucf.edu
National Criminal Justice Computer Laboratory and Training Center, SEARCH Group, Inc., 7311 Greenhaven Drive, Suite 145, Sacramento, CA 95831. Phone: 916–392–2550. http://www.search.org
National Law Enforcement and Corrections Technology Center (NLECTC)–Northeast, 26 Electronic Parkway, Rome, NY 13441. Phone: 888–338–0584. Fax: 315–330–4315. http://www.nlectc.org
National Law Enforcement and Corrections Technology Center (NLECTC)–West, c/o The Aerospace Corporation, 2350 East El Segundo Boulevard, El Segundo, CA 90245. Phone: 888–548–1618. Fax: 310–336–2227. http://www.nlectc.org
National Railroad Passenger Corporation (NRPC) (AMTRAK), Office of Inspector General, Office of Investigations, William D. Purdy, Senior Special Agent, 10 G Street N.E., Suite 3E–400, Washington, DC 20002. Phone: 202–906–4318. E-mail: oigagent@aol.com
National White Collar Crime Center, 7401 Beaufont Springs Drive, Richmond, VA 23225. Phone: 800–221–4424. http://www.nw3c.org
Scientific Working Group on Digital Evidence. http://www.for-swg.org/swgdein.htm
Social Security Administration, Office of Inspector General, Electronic Crime Team, 4–S–1 Operations Building, 6401 Security Boulevard, Baltimore, MD 21235. Phone: 410–965–7421. Fax: 410–965–5705.
U.S. Customs Service’s Cyber Smuggling Center, 11320 Random Hills, Suite 400, Fairfax, VA 22030. Phone: 703–293–8005. Fax: 703–293–9127.
U.S. Department of Defense, DoD Computer Forensics Laboratory, 911 Elkridge Landing Road, Suite 300, Linthicum, MD 21090. Phone: 410–981–0100/877–981–3235.
U.S. Department of Defense, Office of Inspector General, Defense Criminal Investigative Service, David E. Trosch, Special Agent, Program Manager, Computer Forensics Program, 400 Army Navy Drive, Arlington, VA 22202. Phone: 703–604–8733. E-mail: dtrosch@dodig.osd.mil http://www.dodig.osd.mil/dcis/dcismain.html
U.S. Department of Energy, Office of the Inspector General, Technology Crimes Section, 1000 Independence Avenue, 5A–235, Washington, DC 20585. Phone: 202–586–9939. Fax: 202–586–0754. E-mail: tech.crime@hq.doe.gov
U.S. Department of Justice, Criminal Division, Computer Crime and Intellectual Property Section (CCIPS), Duty Attorney, 1301 New York Avenue N.W., Washington, DC 20530. Phone: 202–514–1026. http://www.cybercrime.gov
U.S. Department of Justice, Drug Enforcement Administration, Michael J. Phelan, Group Supervisor, Computer Forensics, Special Testing and Research Lab, 10555 Furnace Road, Lorton, VA 22079. Phone: 703–495–6787. Fax: 703–495–6794. E-mail: mphelan@erols.com
U.S. Department of Transportation, Office of Inspector General, Jacquie Wente, Special Agent, 111 North Canal, Suite 677, Chicago, IL 60606. Phone: 312–353–0106. E-mail: wentej@oig.dot.gov
U.S. Department of the Treasury, Bureau of Alcohol, Tobacco and Firearms, Technical Support Division, Visual Information Branch, Jack L. Hunter, Jr., Audio and Video Forensic Enhancement Specialist, 650 Massachusetts Avenue N.W., Room 3220, Washington, DC 20226–0013. Phone: 202–927–8037. Fax: 202–927–8682. E-mail: jlhunter@atfhq.atf.treas.gov
U.S. Postal Inspection Service, Digital Evidence, 22433 Randolph Drive, Dulles, VA 20104–1000. Phone: 703–406–7927.
U.S. Secret Service, Electronic Crimes Branch, 950 H Street N.W., Washington, DC 20223. Phone: 202–406–5850. Fax: 202–406–9233.
Veterans Affairs, Office of the Inspector General, Robert Friel, Program Director, Computer Crimes and Forensics, 801 I Street N.W., Suite 1064, Washington, DC 20001. Phone: 202–565–5701. E-mail: robert.friel@mail.va.gov
By State
Alabama
Alabama Attorney General’s Office, Donna White, S/A, 11 South Union Street, Montgomery, AL 36130. Phone: 334–242–7345. E-mail: dwhite@ago.state.al.us
Alabama Bureau of Investigation, Internet Crimes Against Children Unit, Glenn Taylor, Agent, 716 Arcadia Circle, Huntsville, AL 35801. Phone: 256–539–4028. E-mail: tgtjr@aol.com
Homewood Police Department, Wade Morgan, 1833 29th Avenue South, Homewood, AL 35209. Phone: 205–877–8637. E-mail: morgan64@bellsouth.net
Hoover Police Department, Det. Michael Alexiou, FBI Innocent Images Task Force, Birmingham, 100 Municipal Drive, Hoover, AL 35216. Phone: 205–444–7798. Pager: 205–819–0507. Mobile: 205–567–7516. E-mail: alexioum@ci.hoover.al.us
Alaska
Alaska State Troopers, Sgt. Curt Harris, White Collar Crime Section, 5700 East Tudor Road, Anchorage, AK 99507. Phone: 907–269–5627. E-mail: curtis_harris@dps.state.ak.us
Anchorage Police Department, Det. Glen Klinkhart/Sgt. Ross Plummer, 4501 South Bragaw Street, Anchorage, AK 99507–1599. Phone: 907–786–8767/907–786–8778. E-mail: gklinkhart@ci.anchorage.ak.us [email protected]
University of Alaska at Fairbanks Police Department, Marc Poeschel, Coordinator, P.O. Box 755560, Fairbanks, AK 99775. Phone: 907–474–7721. E-mail: fyglock@uaf.edu
Arizona
Arizona Attorney General’s Office, Technology Crimes, 1275 West Washington Street, Phoenix, AZ 85007. Phone: 602–542–3881. Fax: 602–542–5997.
Arkansas
University of Arkansas at Little Rock Police Department, William (Bill) Reardon/Bobby Floyd, 2801 South University Avenue, Little Rock, AR 72204. Phone: 501–569–8793/501–569–8794. E-mail: wcreardon@ual [email protected] [email protected]
California
Bureau of Medi-Cal Fraud and Elder Abuse, Luis Salazar, Senior Legal Analyst/Computer Forensic Team Coordinator, 110 West A Street, Suite 1100, San Diego, CA 92101. Phone: 619–645–2432. Fax: 619–645–2455. E-mail: SALAZAL@hdcdojnet.state.ca.us
California Franchise Tax Board, Investigations Bureau, Ashraf L. Massoud, Special Agent, 100 North Barranca Street, Suite 600, West Covina, CA 91791–1600. Phone: 626–859–4678. E-mail: ashraf_massoud@ftb.ca.gov
Kern County Sheriff’s Department, Tom Fugitt, 1350 Norris Road, Bakersfield, CA 93308. Phone: 661–391–7728. E-mail: fugitt@co.kern.ca.us
Modesto Police Department, 600 10th Street, Modesto, CA 95353. Phone: 209–572–9500, ext. 29119.
North Bay High Technology Evidence Analysis Team (HEAT), Sgt. Dave Bettin, 1125 Third Street, Napa, CA 94559. Phone: 707–253–4500.
Regional Computer Forensic Laboratory at San Diego, 9797 Aero Drive, San Diego, CA 92123–1800. Phone: 858–499–7799. Fax: 858–499–7798. E-mail: rcfl@rcfl.org http://www.rcfl.org
Sacramento Valley Hi-Tech Crimes Task Force, Hi-Tech Crimes Division, Sacramento County Sheriff’s Department, Lt. Mike Tsuchida, P.O. Box 988, Sacramento, CA 95812–0998. Phone: 916–874–3030. E-mail: miket@sna.com
San Diego High Technology Crimes Economic Fraud Division, David Decker, District Attorney’s Office, County of San Diego, Suite 1020, San Diego, CA 92101. Phone: 619–531–3660. E-mail: ddecke@sdcda.org
Los Angeles Police Department, Computer Crime Unit, Det. Terry D. Willis, 150 North Los Angeles Street, Los Angeles, CA 90012. Phone: 213–485–3795.
Silicon Valley High Tech Crime Task Force, Rapid Enforcement Allied Computer Team (REACT), c/o Federal Bureau of Investigation, Nick Muyo, 950 South Bascom Avenue, Suite 3011, San Jose, CA 95128. Phone: 408–494–7161. Pager: 408–994–3264. E-mail: sharx91@aol.com
Southern California High Technology Crime Task Force, Sgt. Woody Gish, Commercial Crimes Bureau, Los Angeles County Sheriff’s Department, 11515 South Colima Road, Room M104, Whittier, CA 90604. Phone: 562–946–7942.
U.S. Customs Service, Frank Day, Senior Special Agent, Computer Investigative Specialist, 3403 10th Street, Suite 600, Riverside, CA 92501. Phone: 906–276–6664, ext. 231. E-mail: FDay@usa.net
Colorado
Denver District Attorney’s Office, Henry R. Reeve, General Counsel/Deputy D.A., 303 West Colfax Avenue, Suite 1300, Denver, CO 80204. Phone: 720–913–9000.
Department of Public Safety, Colorado Bureau of Investigation, Computer Crime Investigation, 690 Kipling Street, Suite 3000, Denver, Colorado 80215. Phone: 303–239–4292. Fax: 303–239–5788. E-mail: Collin.Reese@cdps.state.co.us
Connecticut
Connecticut Department of Public Safety, Division of Scientific Services, Forensic Science Laboratory, Computer Crimes and Electronic Evidence Unit, 278 Colony Street, Meriden, CT 06451. Phone: 203–639–6492. Fax: 203–630–3760. E-mail: arussell@nwc3.org
Connecticut Department of Revenue Services, Special Investigations Section, 25 Sigourney Street, Hartford, CT 06106. Phone: 860–297–5877. Fax: 860–297–5625. E-mail: Cal.Mellor@po.state.ct.us
Yale University Police Department, Sgt. Dan Rainville, 98–100 Sachem Street, New Haven, CT 06511. Phone: 203–432–7958. E-mail: daniel.rainville@yale.edu
Delaware
Delaware State Police, High Technology Crimes Unit, 1575 McKee Road, Suite 204, Dover, DE 19904. Det. Steve Whalen, Phone: 302–739–2761, E-mail: swhalen@state.de.us. Det. Daniel Willey, Phone: 302–739–8020, E-mail: dawilley@state.de.us. Sgt. Robert Moses, Phone: 302–739–2467, E-mail: romoses@state.de.us. Capt. David Citro, Phone: 302–734–1399, E-mail: dcitro@state.de.us.
New Castle County Police Department, Criminal Investigations Unit, Det. Christopher M. Shanahan/Det. Edward E. Whatley, 3601 North DuPont Highway, New Castle, DE 19720. Phone: 302–395–8110. E-mail: cshanah [email protected] [email protected] w-castle.de.us [email protected]
University of Delaware Police Department, Capt. Stephen M. Bunting, 101 MOB, 700 Pilottown Road, Lewes, DE 19958. Phone: 302–645–4334. E-mail: sbunting@udel.edu
District of Columbia
Metropolitan Police Department, Special Investigations Division, Computer Crimes and Forensics Unit, Investigator Tim Milloff, 300 Indiana Avenue N.W., Room 3019, Washington, DC 20001. Phone: 202–727–4252/202–727–1010. E-mail: tmiloff@leo.gov
Florida
Florida Atlantic University Police Department, Det. Wilfredo Hernandez, 777 Glades Road, #49, Boca Raton, FL 33431. Phone: 561–297–2371. Fax: 561–297–3565.
Gainesville Police Department, Criminal Investigations/Computer Unit, Det. Jim Ehrat, 721 N.W. Sixth Street, Gainesville, FL 32601. Phone: 352–334–2488. E-mail: ehratjj@ci.gainesville.fl.us
Institute of Police Technology and Management, Computer Forensics Laboratory, University of North Florida, 12000 Alumni Drive, Jacksonville, FL 32224–2678. Phone: 904–620–4786. Fax: 904–620–2453. http://www.iptm.org
Office of Statewide Prosecution, High Technology Crimes, Thomas A. Sadaka, Special Counsel, 135 West Central Boulevard, Suite 1000, Orlando, FL 32801. Phone: 407–245–0893. Fax: 407–245–0356.
Pinellas County Sheriff’s Office, Det. Matthew Miller, 10750 Ulmerton Road, Largo, FL 33778. E-mail: mxmiller@co.pinellas.fl.us
Georgia

Georgia Bureau of Investigation
Financial Investigations Unit
Steve Edwards
Special Agent in Charge
5255 Snapfinger Drive, Suite 150
Decatur, GA 30035
Phone: 770–987–2323
Fax: 770–987–9775
E-mail: steve.edwards@GBI.state.ga.us

Hawaii

Honolulu Police Department
White Collar Crime Unit
Det. Chris Duque
801 South Beretania Street
Honolulu, HI 96819
Phone: 808–529–3112
Idaho

Ada County Sheriff’s Office
Det. Lon Anderson, CFCE
7200 Barrister Drive
Boise, ID 83704
Phone: 208–377–6691

Illinois

Illinois State Police
Computer Crimes Investigation Unit
Division of Operations
Operational Services Command
Statewide Special Investigations Bureau
500 Illes Park Place, Suite 104
Springfield, IL 62718
Phone: 217–524–9572
Fax: 217–785–6793

Illinois State Police
Computer Crimes Investigation Unit
Master Sgt. James Murray
9511 West Harrison Street
Des Plaines, IL 60016–1562
Phone: 847–294–4549
E-mail: jamurray@leo.gov

Tazewell County State’s Attorney CID
Det. Dave Frank
342 Court Street, Suite 6
Pekin, IL 61554–3298
Phone: 309–477–2205, ext. 400
Fax: 309–477–2729
E-mail: sainv@tazewell.com

Indiana

Evansville Police Department
Det. J. Walker/Det. Craig Jordan
Fraud Investigations
15 N.W. Martin Luther King, Jr., Boulevard
Evansville, IN 47708
Phone: 812–436–7995/812–436–7994
E-mail: Jwalker@evansvillepolice.com
[email protected]
Indiana State Police
Det. David L. Lloyd
Computer Crime Unit
5811 Ellison Road
Fort Wayne, IN 46750
Phone: 219–432–8661
E-mail: ispdet@aol.com

Indianapolis Police Department
Det. William J. Howard
901 North Post Road, Room 115
Indianapolis, IN 46219
Phone: 317–327–3461
E-mail: vulcan@netdirect.net

Iowa

Iowa Division of Criminal Investigation
Doug Elrick
Criminalist
502 East Ninth Street
Des Moines, IA 50319
Phone: 515–281–3666
Fax: 515–281–7638
E-mail: elrick@dps.state.ia.us

Kansas

Kansas Bureau of Investigation
High Technology Crime Investigation Unit (HTCIU)
David J. Schroeder
Senior Special Agent
1620 S.W. Tyler Street
Topeka, KS 66612–1837
Phone: 785–296–8222
Fax: 785–296–0525
E-mail: schroeder@kbi.state.ks.us

Olathe Police Department
Sgt. Edward McGillivray
501 East 56 Highway
Olathe, KS 66061
Phone: 913–782–4500
E-mail: emcgillivray@olatheks.org

Wichita Police Department
Forensic Computer Crimes Unit
Det. Shaun Price/Det. Randy Stone
455 North Main, Sixth Floor Lab
Wichita, KS 67202
Phone: 316–268–4102/316–268–4128
E-mail: forensics@kscable.com
[email protected] [email protected]

Kentucky

Boone County Sheriff
Det. Daren Harris
P.O. Box 198
Burlington, KY 41005
Phone: 859–334–2175
E-mail: dharris@boonecountyky.org
Louisiana

Gonzales Police Department
Officer Victoria Smith
120 South Irma Boulevard
Gonzales, LA 70737
Phone: 225–647–7511
Fax: 225–647–9544
E-mail: vsmit [email protected] ov

Louisiana Department of Justice
Criminal Division
High Technology Crime Unit
P.O. Box 94095
Baton Rouge, LA 70804
James L. Piker, Assistant Attorney General
Section Chief, High Technology Crime Unit
Investigator Clayton Rives
Phone: 225–342–7552
Fax: 225–342–7893
E-mail: Piker [email protected] tate.la.us
[email protected]
Scott Turner, Computer Forensic Examiner
Phone: 225–342–4060
Fax: 225–342–3482
E-mail: TurnerS@ag.state.la.us

Maine

Maine Computer Crimes Task Force
171 Park Street
Lewiston, ME 04240
Det. James C. Rioux
Phone: 207–784–6422, ext. 250
Investigator Mike Webber
Phone: 207–784–6422, ext. 255
Det. Thomas Bureau
Phone: 207–784–6422, ext. 256

Maryland

Anne Arundel County Police Department
Computer Crimes Unit
Sgt. Terry M. Crowe
41 Community Place
Crownsville, MD 21032
Phone: 410–222–3419
Fax: 410–987–7433
E-mail: terrymcrow [email protected] m

Department of Maryland State Police
Computer Crimes Unit
D/SGT Barry E. Leese
Unit Commander
7155–C Columbia Gateway Drive
Columbia, MD 21046
Phone: 410–290–1620
Fax: 410–290–1831

Montgomery County Police
Computer Crime Unit
Det. Brian Ford
2350 Research Boulevard
Rockville, MD 20850
Phone: 301–840–2599
E-mail: CCU@co.mo.md.us
Massachusetts

Massachusetts Office of the Attorney General
High Tech and Computer Crime Division
John Grossman, Chief
Assistant Attorney General
One Ashburton Place
Boston, MA 02108
Phone: 617–727–2200

Michigan

Michigan Department of Attorney General
High Tech Crime Unit
18050 Deering
Livonia, MI 48152
Phone: 734–525–4151
Fax: 734–525–4372

Oakland County Sheriff’s Department
Computer Crimes Unit
Det./Sgt. Joe Duke, CFCE
1201 North Telegraph Road
Pontiac, MI 48341
Phone: 248–858–4942
Fax: 248–858–9565
Pager: 248–580–4047

Minnesota

Ramsey County Sheriff’s Department
14 West Kellogg Boulevard
St. Paul, MN 55102
Phone: 651–266–2797
E-mail: mike.oneill@co.ramsey.mn.us

Mississippi

Biloxi Police Department
Investigator Donnie G. Dobbs
170 Porter Avenue
Biloxi, MS 39530
Phone: 228–432–9382
E-mail: mgc2d11@aol.com
Missouri

St. Louis Metropolitan Police Department
High Tech Crimes Unit
Det. Sgt. Robert Muffler
1200 Clark
St. Louis, MO 63103
Phone: 314–444–5441
E-mail: rjmuffler@slmpd.org

Montana

Montana Division of Criminal Investigation
Computer Crime Unit
Jimmy Weg
Agent in Charge
303 North Roberts, Room 367
Helena, MT 59620
Phone: 406–444–6681
E-mail: jweg@state.mt.us

Nebraska

Lincoln Police Department
Investigator Ed Sexton
575 South 10th Street
Lincoln, NE 68508
Phone: 402–441–7587
E-mail: lpd358@cjis.ci.lincoln.ne.us

Nebraska State Patrol
Internet Crimes Against Children Unit
Sgt. Scott Christensen
Coordinator
4411 South 108th Street
Omaha, NE 68137
Phone: 402–595–2410
Fax: 402–697–1409
E-mail: schriste@nsp.state.ne.us
Nevada

City of Reno, Nevada, Police Department
Computer Crimes Unit
455 East Second Street (street address)
Reno, NV 89502
P.O. Box 1900 (mailing address)
Reno, NV 89505
Phone: 775–334–2107
Fax: 775–785–4026

Nevada Attorney General’s Office
John Lusak
Senior Computer Forensic Tech
100 North Carson Street
Carson City, NV 89701
Phone: 775–328–2889
E-mail: jlusak@govmail.state.nv.us

New Hampshire

New Hampshire State Police Forensic Laboratory
Computer Crimes Unit
10 Hazen Drive
Concord, NH 03305
Phone: 603–271–0300

New Jersey

New Jersey Division of Criminal Justice
Computer Analysis and Technology Unit (CATU)
James Parolski
Team Leader
25 Market Street
P.O. Box 085
Trenton, NJ 08625–0085
Phone: 609–984–5256/609–984–6500
Pager: 888–819–1292
E-mail: parolskij@dcj.lps.state.nj.us

Ocean County Prosecutor’s Office
Special Investigations Unit/Computer Crimes
Investigator Mike Nevil
P.O. Box 2191
Toms River, NJ 08753
Phone: 732–929–2027, ext. 4014
Fax: 732–240–3338
E-mail: mnevil@leo.gov

New Mexico

New Mexico Gaming Control Board
Information Systems Division
Donovan Lieurance
6400 Uptown Boulevard N.E., Suite 100E
Albuquerque, NM 87110
Phone: 505–841–9719
E-mail: dlieurance@nmgcb.org

Twelfth Judicial District Attorney’s Office
Investigator Jack Henderson
1000 New York Avenue, Room 301
Alamogordo, NM 88310
Phone: 505–437–1313, ext. 110
E-mail: jack@wazoo.com
New York

Erie County Sheriff’s Office
Computer Crime Unit
10 Delaware Avenue
Buffalo, NY 14202
Phone: 716–662–6150
http://www.erie.gov/sheriff/CCU

Nassau County Police Department
Computer Crime Section
Det. Bill Moylan
970 Brush Hollow Road
Westbury, NY 11590
Phone: 516–573–5275
New York Electronic Crimes Task Force
United States Secret Service
ATSAIC Robert Weaver
7 World Trade Center, 10th Floor
New York, NY 11048
Phone: 212–637–4500

New York Police Department
Computer Investigation and Technology Unit
1 Police Plaza, Room 1110D
New York, NY 10038
Phone: 212–374–4247
Fax: 212–374–4249
E-mail: citu@nypd.org

New York State Attorney General’s Office
Internet Bureau
120 Broadway
New York, NY 10271
Phone: 212–416–6344
http://www.oag.state.ny.us

New York State Department of Taxation and Finance
Office of Deputy Inspector General
W.A. Harriman Campus
Building 9, Room 481
Albany, NY 12227
Phone: 518–485–8698
http://www.tax.state.ny.us

New York State Police
Computer Crime Unit
Ronald R. Stevens
Senior Investigator
Forensic Investigation Center
Building 30, State Campus
1220 Washington Avenue
Albany, NY 12226
Phone: 518–457–5712
Fax: 518–402–2773
E-mail: nyspccu@troopers.state.ny.us
Rockland County Sheriff’s Department
Computer Crime Task Force
Det. Lt. John J. Gould
55 New Hempstead Road
New City, NY 10956
Phone: 845–708–7860/845–638–5836
Fax: 845–708–7821
E-mail: gouldjo@co.rockland.ny.us

North Carolina

Raleigh Police Department
Investigator Patrick Niemann
110 South McDowell Street
Raleigh, NC 27601
Phone: 919–890–3555
E-mail: niemannp@raleigh-nc.org

North Dakota

North Dakota Bureau of Criminal Investigation
Tim J. Erickson
Special Agent
P.O. Box 1054
Bismarck, ND 58502–1054
Phone: 701–328–5500
E-mail: te409@state.nd.us
Ohio

Hamilton County Ohio Sheriff’s Office
Capt. Pat Olvey
Justice Center
1000 Sycamore Street, Room 110
Cincinnati, OH 45202
Phone: 513–946–6689
Fax: 513–721–3581
http://www.hcso.org (under the Administration Division)

Ohio Attorney General’s Office
Bureau of Criminal Investigation
Computer Crime Unit
Kathleen Barch
Deputy Director
1560 State Route 56
London, OH 43140
Phone: 740–845–2410
E-mail: Kbarch@ag.state.oh.us

Riverside Police Department
Officer Harold Jones
MCSE/Computer Crime Specialist
1791 Harshman Road
Riverside, OH 45424
Phone: 937–904–1425
E-mail: hjones@cops.org

Oklahoma

Oklahoma Attorney General
4545 North Lincoln Boulevard
Suite 260
Oklahoma City, OK 73105–3498
Phone: 405–521–4274
E-mail: jim_powel [email protected] tate.ok.us

Oklahoma State Bureau of Investigation
Mark R. McCoy, Ed.D., CFCE
Special Agent
P.O. Box 968
Stillwater, OK 74076
Phone: 405–742–8329
Fax: 405–742–8284
E-mail: mmccoy@sprynet.com
[email protected]

Oregon

Portland Police Bureau
Computer Crimes Detail
Det./Sgt. Tom Nelson
Computer Forensic Investigator
1115 S.W. Second Avenue
Portland, OR 97204
Phone: 503–823–0871
E-mail: tnelson@police.ci.portland.or.us

Washington County Sheriff’s Office
Brian Budlong
215 S.W. Adams Avenue, MS32
Hillsboro, OR 97123
Phone: 503–846–2573
Fax: 503–846–2637
E-mail: brian_budlong@co.washington.or.us

Pennsylvania

Allegheny County Police Department
High Tech Crime Unit
Det. T. Haney
400 North Lexington Street
Pittsburgh, PA 15208
Phone: 412–473–1304
Fax: 412–473–1377
E-mail: thaney@county.allegheny.pa.us

Erie County District Attorney’s Office
Erie County Courthouse
140 West Sixth Street
Erie, PA 16501
Phone: 814–451–6349
Fax: 814–451–6419

Rhode Island

Warwick Police Department
BCI Unit, Detective Division
Edmund Pierce
BCI Detective
99 Veterans Memorial Drive
Warwick, RI 02886
Phone: 401–468–4200 (main)/401–468–4243 (direct)
E-mail: WPDDetectives@warwickri.com
[email protected]
South Carolina

South Carolina Law Enforcement Division (SLED)
Lt. L.J. “Chip” Johnson
Supervisory Special Agent
P.O. Box 21398
Columbia, SC 29221–1398
Phone: 803–737–9000

Winthrop University
Department of Public Safety
Daniel R. Yeargin
Assistant Chief of Police
02 Crawford Building
Rock Hill, SC 29733
Phone: 803–323–3496
E-mail: yeargind@winthrop.edu

South Dakota

Information unavailable.

Tennessee

Harriman Police Department
Sgt. Brian Farmer
130 Pansy Hill Road
Harriman, TN 37748
Phone: 865–882–3383
Fax: 865–882–0700
E-mail: crimeseen@earthlink.net
[email protected]

Knox County Sheriff’s Office
Carleton Bryant
Staff Attorney
400 West Main Avenue
Knoxville, TN 37902
Phone: 865–971–3911
E-mail: sheriff@esper.com
Tennessee Attorney General’s Office
Susan Holmes
Forensic Technology Specialist
425 Fifth Avenue, North
Nashville, TN 37243
Phone: 615–532–9658
E-mail: sholmes@mail.state.tn.us

Texas

Austin Police Department
715 East Eighth Street
Austin, TX 78701
http://www.ci.austin.tx.us/police

Bexar County District Attorney’s Office
Russ Brandau/David Getrost
300 Dolorosa
San Antonio, TX 78205
Phone: 210–335–2974/210–335–2991
E-mail: rbranda [email protected] xar.tx.us
[email protected]

Dallas Police Department
2014 Main Street
Dallas, TX 75201
http://www.ci.dallas.tx.us/dpd

Federal Bureau of Investigation
Dallas Field Office
1801 North Lamar Street
Dallas, TX 75202–1795
Phone: 214–720–2200
http://www.fbi.gov/contact/fo/dl/dallas.htm

Houston Police Department
1200 Travis Street
Houston, TX 77002
http://www.ci.houston.tx.us/departme/police

Portland Police Department
Det. Terrell Elliott
902 Moore Avenue
Portland, TX 78374
Phone: 361–643–2546
Fax: 361–643–5689
E-mail: telliott@portlandpd.com
http://www.portlandpd.com

Texas Department of Public Safety
5805 North Lamar Boulevard (street address)
Austin, TX 78752–4422
P.O. Box 4087 (mailing address)
Austin, TX 78773–0001
Phone: 512–424–2200/800–252–5402
E-mail: specialcrimes@txdps.state.tx.us
http://www.txdps.state.tx.us
Utah

Utah Department of Public Safety
Criminal Investigations Bureau, Forensic Computer Lab
Daniel D. Hooper
Special Agent
5272 South College Drive, Suite 200
Murray, UT 84123
Phone: 801–284–6238
E-mail: dhooper@dps.state.ut.us

Vermont

Internet Crimes Task Force
Det. Sgt. Michael Schirling
50 Cherry Street, Suite 102
Burlington, VT 05401
Phone: 802–652–6800/802–652–6899
E-mail: mschirli@dps.state.vt.us

State of Vermont Department of Public Safety
Bureau of Criminal Investigation
Sgt. Mark Lauer
103 South Main Street
Waterbury, VT 05671–2101
Phone: 802–241–5367
Fax: 802–241–5349
E-mail: mlauer@dps.state.vt.us
Virginia

Arlington County Police Department
Criminal Investigations Division
Computer Forensics
Det. Ray Rimer
1425 North Courthouse Road
Arlington, VA 22201
Phone: 703–228–4239
Pager: 703–866–8965
E-mail: rimer550@erols.com

Fairfax County Police Department
Computer Forensics Section
Lt. Doug Crooke
4100 Chain Bridge Road
Fairfax, VA 22030
Phone: 703–246–7800
Fax: 703–246–4253
E-mail: douglas.crook [email protected] airfax.va.us
http://www.co.fairfax.va.us/ps/police/homepage.htm

Richmond Police Department
Technology Crimes Section
Det. Jeff Deem
501 North Ninth Street
Richmond, VA 23219
Phone: 804–646–3949
Pager: 804–783–3021
E-mail: jdeem@ci.richmond.va.us

Virginia Beach Police Department
Det. Michael Encarnacao
Special Investigations CERU
2509 Princess Anne Road
Virginia Beach, VA 23456
Phone: 757–427–1749
E-mail: mikee@cops.org

Virginia Department of Motor Vehicles
Law Enforcement Section
Larry L. Barnett
Assistant Special Agent in Charge
945 Edwards Ferry Road
Leesburg, VA 20175
Phone: 703–771–4757
E-mail: lbtrip@erols.com

Virginia Office of the Attorney General
Addison L. Cheeseman
Senior Criminal Investigator
900 East Main Street
Richmond, VA 23219
Phone: 804–786–6554
E-mail: acheesem [email protected] tate.va.us

Virginia State Police
Andrew Clark, CFCE
Computer Technology Specialist 3
Richmond, VA 23236
Phone: 804–323–2040
E-mail: AndyClark@att.net

Washington

King County Sheriff’s Office
Fraud/Computer Forensic Unit
Sgt. Steve Davis/Det. Brian Palmer
401 Fourth Avenue North, RJC 104
Kent, WA 98032–4429
Phone: 206–296–4280
E-mail: steven.davis@metrokc.gov
[email protected]

Lynnwood Police Department
High Tech Property Crimes
Det. Douglas J. Teachworth
19321 44th Avenue West (street address)
P.O. Box 5008 (mailing address)
Lynnwood, WA 98046–5008
Phone: 425–744–6916
E-mail: dteachworth@ci.lynnwood.wa.us

Tacoma Police Department
PCSO
Det. Richard Voce
930 Tacoma Avenue South
Tacoma, WA 98402
Phone: 253–591–5679
E-mail: rvoce@ci.tacoma.wa.us

Vancouver Police Department
Maggi Holbrook
Computer Forensics Specialist
300 East 13th Street
Vancouver, WA 98660
Phone: 360–735–8887
E-mail: ecrime [email protected] ancouver.wa.us

Washington State Department of Fish and Wildlife
John D. Flanagan, ITAS3
600 Capitol Way North
Olympia, WA 98501
Phone: 360–902–2210
Cell phone: 360–349–1225
E-mail: flanajdf@dfw.wa.gov

Washington State Patrol
Computer Forensics Unit
Det./Sgt. Steve Beltz
Airdustrial Way, Building 17
Olympia, WA 98507–2347
Phone: 360–753–3277
E-mail: sbeltz505@aol.com
[email protected]
West Virginia

National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
Phone: 877–628–7674
http://www.cybercrime.org

Wisconsin

Green Bay Police Department
Specialist Rick Dekker
307 South Adams Street
Green Bay, WI 54301
E-mail: rickdk@ci.green-bay.wi.us

Wisconsin Department of Justice
P.O. Box 7857
Madison, WI 53707–7851
Phone: 608–266–1221
http://www.doj.state.wi.us
Wood County Sheriff’s Department
400 Market Street
Wis Rapids, WI 54495
Phone: 715–421–8700
E-mail: [email protected] m

Wyoming

Casper Police Department
Det. Derrick Dietz
210 North David
Casper, WY 82601
Phone: 307–235–8489
E-mail: ddietz@cityofcasperwy.com

Gillette Police Department
Sgt. Dave Adsit
201 East Fifth Street
Gillette, WY 82716
Phone: 307–682–5109
E-mail: [email protected]

Green River Police Department
Corp. Tom Jarvie/Sgt. David Hyer
50 East Second North
Green River, WY 82935
Phone: 307–872–0555
E-mail: tjarvie@cityofgreenriver.org
[email protected]

Wyoming Division of Criminal Investigation
316 West 22nd Street
Cheyenne, WY 82002
Phone: 307–777–7183
Fax: 307–777–7252
Stephen J. Miller, Special Agent
E-mail: smille2@state.wy.us
Patrick Seals, Special Agent
E-mail: pseals@state.wy.us
Michael B. Curran, Special Agent
E-mail: mcurra@state.wy.us
Flint Waters, Special Agent
E-mail: fwater@state.wy.us
International

Australia

Western Australia Police
Det./Sgt. Ted Wisniewski
Computer Crime Investigation
Commercial Crime Division
Level 7 Eastpoint Plaza
233 Adelaide Tce
Perth WA 6000
Phone: +61 8 92200700
Fax: +61 8 92254489
E-mail: Computer.Crime@police.wa.gov.au

Brazil

Instituto De Criminalística - Polícia Civil Do Distrito Federal
SAISO - Lote 23 - Bloco “C” Complexo de Polícia Civil
70610–200
Brasília, Brazil
Phone: 55 +61 362–5948/55 +61 233–9530
E-mail: [email protected] f.gov.br

Canada

Royal Canadian Mounted Police
Technical Operations Directorate
Technological Crime Branch
1426 St. Joseph Boulevard
Gloucester, Ontario
Canada KIA OR2
Phone: 613–993–1777
Switzerland

Computer Crime Unit (GCI)
Det. Pascal Seeger/Det. Didiser Frezza
5, ch. de la Graviere
1227 Acacias, Geneva
Switzerland
Phone: +41 22 427.80.16 (17)
Fax: +41 22 820.30.16
E-mail: [email protected] ch

United Kingdom

HM Inland Revenue
Special Compliance Office
Forensic Computing Team
Barkley House
P.O. Box 20
Castle Meadow Road
Nottingham NG2 1BA
UK
Phone: +44 (0)115 974 0887
Fax: +44 (0)115 974 0890
E-mail: lindsay.j.scrimshaw@ir.gsi.gov.uk
National High-Tech Crime Unit
P.O. Box 10101
London E14 9NF
UK
Phone: +44 (0) 870–241–0549
Fax: +44 (0) 870–241–5729
E-mail: [email protected] rg
Appendix D
Training Resources List
Canadian Police College
P.O. Box 8900
Ottawa, Ontario K1G 3J2
Canada
Phone: 613–993–9500
E-mail: cpc@cpc.gc.ca
http://www.cpc.gc.ca

DoD Computer Investigations Training Program
911 Elkridge Landing Road
Airport Square 11 Building
Suite 200
Linthicum, MD 21090
Phone: 410–981–1604
Fax: 410–850–8906
E-mail: info@dcitp.gov
http://www.dcitp.gov

FBI Academy at Quantico
U.S. Marine Corps Base
Quantico, VA
Phone: 703–640–6131
http://www.fbi.gov/programs/academy/academy.htm

Federal Law Enforcement Training Center
Headquarters Facility
Glynco, GA 31524
Phone: 912–267–2100
http://www.fletc.gov

Federal Law Enforcement Training Center
Artesia Facility
1300 West Richey Avenue
Artesia, NM 88210
Phone: 505–748–8000
http://www.fletc.gov

Federal Law Enforcement Training Center
Charleston Facility
2000 Bainbridge Avenue
Charleston, SC 29405–2607
Phone: 843–743–8858
http://www.fletc.gov

Florida Association of Computer Crime Investigators, Inc.
P.O. Box 1503
Bartow, FL 33831–1503
Phone: 352–357–0500
E-mail: info@facci.org
http://www.facci.org

Forensic Association of Computer Technologists
Doug Elrick
P.O. Box 703
Des Moines, IA 50303
Phone: 515–281–7671
http://www.byteoutofcrime.org

High Technology Crime Investigation Association (International)
1474 Freeman Drive
Amissville, VA 20106
Phone: 540–937–5019
http://www.htcia.org

Information Security University
149 New Montgomery Street
Second Floor
San Francisco, CA 94105
http://www.infosecu.com
Information Systems Security Association (ISSA)
7044 South 13th Street
Oak Creek, WI 53154
Phone: 800–370–4772
http://www.issa.org

Institute of Police Technology and Management
University of North Florida
12000 Alumni Drive
Jacksonville, FL 32224–2678
Phone: 904–620–4786
Fax: 904–620–2453
http://www.iptm.org

International Association of Computer Investigative Specialists (IACIS)
P.O. Box 21688
Keizer, OR 97307–1688
Phone: 503–557–1506
E-mail: admin@cops.org
http://www.cops.org

International Organization on Computer Evidence
Phone: +44 (0) 171–230–6485
E-mail: lwr@fss.org.uk
http://www.ioce.org

James Madison University
800 South Main Street
Harrisonburg, VA 22807
Phone: 540–568–6211
http://www.cs.jmu.edu/currentcourses.htm

Midwest Electronic Crime Investigators Association
http://www.mecia.org

National Center for Forensic Science
University of Central Florida
P.O. Box 162367
Orlando, FL 32816–2367
Phone: 407–823–6469
E-mail: natlctr@mail.ucf.edu
http://www.ncfs.ucf.edu
National Colloquium for Information Systems Security Education (NCISSE)
http://www.ncisse.org

National Criminal Justice Computer Laboratory and Training Center
SEARCH Group, Inc.
7311 Greenhaven Drive, Suite 145
Sacramento, CA 95831
Phone: 916–392–2550
http://www.search.org

National Cybercrime Training Partnership (NCTP)
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
Phone: 877–628–7674
E-mail: info@nctp.org
http://www.nctp.org
Note: New CD-ROM available, Prosecuting Cases That Involve Computers: A Resource for State and Local Prosecutors

National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
Phone: 877–628–7674
http://www.cybercrime.org
Note: New CD-ROM available, Prosecuting Cases That Involve Computers: A Resource for State and Local Prosecutors

New Technologies, Inc.
2075 N.E. Division Street
Gresham, OR 97030
Phone: 503–661–6912
E-mail: info@forensics-intl.com
http://www.forensics-intl.com

Purdue University
CERIAS (Center for Education and Research in Information and Assurance Security)
Andra C. Short
Recitation Building
Purdue University
West Lafayette, IN 47907–1315
Phone: 765–494–7806
E-mail: acs@cerias.purdue.edu
http://www.cerias.purdue.edu

Redlands Community College
Clayton Hoskinson, CFCE
Program Coordinator
Criminal Justice and Forensic Computer Science
1300 South Country Club Road
El Reno, OK 73036–5304
Phone: 405–262–2552, ext. 2517
E-mail: hoskinsonc@redlandscc.net

University of New Haven
School of Public Safety and Professional Studies
300 Orange Avenue
West Haven, CT 06516
http://www.newhaven.edu

University of New Haven–California Campus
Forensic Computer Investigation Program
6060 Sunrise Vista Drive
Citrus Heights, CA 95610
http://www.newhaven.edu

U.S. Department of Justice
Criminal Division
Computer Crime and Intellectual Property Section (CCIPS)
1301 New York Avenue N.W.
Washington, DC 20530
Phone: 202–514–1026
http://www.cycbercrime.gov

Utica College
Economic Crime Programs
1600 Burrstone Road
Utica, NY 13502
http://www.ecii.edu

Wisconsin Association of Computer Crime Investigators
P.O. Box 510212
New Berlin, WI 53151–0212
http://www.wacci.org
Appendix E. References

Anonymous. Maximum Security: A Hacker’s Guide to Protecting Your Internet Site and Network, Second Edition. Indianapolis, Indiana: Sams, 1998.
Blacharski, Dan. Network Security in a Mixed Environment. Foster City, California: IDG Books, 1998.
Casey, Eoghan. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. San Diego: Academic Press, 2000.
Cheswick, William R. and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Boston, Massachusetts: Addison-Wesley, 1994.
Cohen, Frederick B. A Short Course on Computer Viruses. Somerset, New Jersey: John Wiley & Sons, 1994.
Davis, William S. Computing Fundamentals: Concepts, Third Edition. Boston, Massachusetts: Addison-Wesley Publishing Co., 1991.
Diffie, Whitfield and Susan Landau. Privacy on the Line: The Politics of Wiretapping and Encryption. Cambridge, Massachusetts: MIT Press, 1998.
Deloitte, Haskins & Sells. Computer Viruses: Proceedings of an Invitational Symposium, October 10–11, 1988. New York: Deloitte, Haskins & Sells, 1989.
Denning, Dorothy E. Information Warfare and Security. Boston, Massachusetts: Addison-Wesley, 1999.
Denning, D. and P. Denning. Internet Besieged: Countering Cyberspace Scofflaws. New York: Addison-Wesley, 1997.
Fiery, Dennis. Secrets of a Super Hacker. Port Townsend, Washington: Loompanics Unlimited, 1994.
Ford, Merilee, H. Kim Lew, Steve Spanier, and Tim Stevenson. Internetworking Technologies Handbook. Indianapolis, Indiana: New Riders Publishing, 1997.
Garfinkel, Simson and Gene Spafford. Practical UNIX & Internet Security, Second Edition. Sebastopol, California: O’Reilly & Associates, Inc., 1996.
Garfinkel, Simson and Gene Spafford. Web Security & Commerce. Sebastopol, California: O’Reilly & Associates, Inc., 1997.
Guisnel, Jean. Cyberwars: Espionage on the Internet. New York: Plenum Press, 1997.
Hafner, Katie and John Markoff. Cyberpunk. New York: Simon & Schuster, Inc., 1995.
Landreth, Bill. Out of the Inner Circle. Redmond, Washington: Tempus Books of Microsoft Press, 1989.
Levin, Richard B. The Computer Virus Handbook. Berkeley, California: Osborne/McGraw-Hill, 1990.
Ludwig, Mark. The Giant Black Book of Computer Viruses, Second Edition. Show Low, Arizona: American Eagle Publications, Inc., 1998.
Martin, Fredrick T. Top Secret Intranet. Old Tappan, New Jersey: Prentice Hall PTR, 1998.
McCarthy, Linda. Intranet Security. Palo Alto, California: Sun Microsystems Press, 1998.
McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed. Berkeley, California: Osborne/McGraw-Hill, 1999.
Meinel, Carolyn P. The Happy Hacker, Second Edition. Show Low, Arizona: American Eagle Publications, Inc., 1998.
National Institute of Justice. Crime Scene Investigation: A Guide for Law Enforcement. Washington, D.C.: U.S. Department of Justice, National Institute of Justice, 2000. NCJ 178280.
National Research Council. Computers at Risk: Safe Computing in the Information Age. Washington, D.C.: National Academy Press, 1991.
National White Collar Crime Center. Using the Internet as an Investigative Tool, First Edition. Fairmont, West Virginia: National White Collar Crime Center, 1999.
Northcutt, Stephen. Network Intrusion Detection: An Analyst’s Handbook. Indianapolis, Indiana: New Riders Publishing, 1999.
Olson-Raymer, Gayle. Terrorism: A Historical & Contemporary Perspective. New York: American Heritage Custom Publishing, 1996.
Parker, Donn B. Fighting Computer Crime. New York: Scribners, 1983.
Parker, Donn B. Fighting Computer Crime: A New Framework for Protecting Information. New York: John Wiley & Sons, Inc., 1998.
Parsaye, Kamran and Mark Chignell. Expert Systems for Experts. New York: John Wiley & Sons, Inc., 1988.
Pipkin, Donald L. Halting the Hacker: A Practical Guide to Computer Security. Upper Saddle River, New Jersey: Prentice Hall, 1997.
Raymond, Eric S. The New Hacker’s Dictionary, Third Edition. London, England: MIT Press, 1998.
Robbins, Arnold. UNIX in a Nutshell, Third Edition. Sebastopol, California: O’Reilly and Associates, Inc., 1999.
Rodgers, Ulka. ORACLE: A Database Developer’s Guide. Upper Saddle River, New Jersey: Yourdon Press, 1991.
Rosenblatt, Kenneth S. High-Technology Crime: Investigating Cases Involving Computers. San Jose, California: KSK Publications, 1996.
Rosenoer, Jonathan. CyberLaw: The Law of the Internet. New York: Springer, 1997.
Russell, Deborah and G.T. Gangemi, Sr. Computer Security Basics. Sebastopol, California: O’Reilly & Associates, Inc., 1992.
Schulman, Mark. Introduction to UNIX. Indianapolis, Indiana: Que Corporation, 1992.
Schwartau, Winn. Information Warfare: Chaos on the Electronic Superhighway. New York: Thunder’s Mouth Press, 1995.
Shimomura, Tsutomu and John Markoff. Take-Down. New York: Hyperion, 1996.
Slatalla, Michelle and Joshua Quittner. The Gang That Ruled Cyberspace. New York: Harper Collins, 1995.
Sterling, Bruce. The Hacker Crackdown. New York: Bantam Books, 1993.
Stoll, Cliff. The Cuckoo’s Egg. New York: Simon & Schuster, Inc., 1989.
Strassmann, Paul A. The Politics of Information Management Policy Guidelines. New Canaan, Connecticut: The Information Economic Press, 1995.
Tittel, Ed and Margaret Robbins. Network Design Essentials. Boston, Massachusetts: Academic Press, Inc., 1994.
Trippi, Robert R., and Efraim Turban. Neural Networks in Finance and Investing. Cambridge, England: Probus Publishing Co., 1993.
U.S. Department of Justice, Computer Crime and Intellectual Property Section. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Washington, D.C.: U.S. Department of Justice, Computer Crime and Intellectual Property Section, 2001.
Wang, Wallace. Steal This Computer Book. San Francisco, California: No Starch Press, 1998.
Wolff, Michael. How You Can Access the Facts and Cover Your Tracks Using the Internet and Online Services. New York: Wolff New Media, LLC, 1996.
Appendix F. List of Organizations

The following is a list of organizations to which a draft copy of this document was mailed.

Alaska Criminal Laboratory
American Academy of Forensic Sciences
American Bar Association
American Society of Law Enforcement Trainers
Anchorage, Alaska, Police Department
Arapahoe County, Colorado, Sheriff’s Office
Association of Federal Defense Attorneys
Bridgeport, Michigan, Forensic Laboratory
Bureau of Justice Assistance
Canadian Police Research Center
Cleveland State College Basic Police Academy
Commission of Accreditation for Law Enforcement Agencies
Connecticut Department of Public Safety
Council of State Governments
Crime Scene Academy
Criminal Justice Institute
Dallas County District Attorney
Fairbanks, Alaska, Police Department
Federal Bureau of Investigation
Federal Law Enforcement Training Center
Florida Department of Law Enforcement
Florida Department of Law Enforcement-Jacksonville Regional Operations Center
Florida Office of Statewide Prosecution
Frederick County, Maryland, State’s Attorney’s Office
Georgia Bureau of Investigation
Harlingen, Texas, Police Department
High Tech Crime Consortium
Illinois State Police
Indiana State Police Laboratory
Institute for Intergovernmental Research
Institute of Police Technology and Management
Internal Revenue Service, Criminal Investigations
International Association of Bomb Technicians and Investigators
International Association of Chiefs of Police
International Association for Identification
Juneau, Alaska, Police Department
LaGrange, Georgia, Police Department
Law Enforcement Training Institute
Maine State Police Crime Laboratory
Massachusetts State Police Crime Laboratory
Metro Nashville Police Academy
Metro Nashville Police Department
Middletown Township, New Jersey, Police Department
National Advocacy Center
National Association of Attorneys General
National District Attorneys Association
National Law Enforcement and Corrections Technology Center–Northeast
National Law Enforcement and Corrections Technology Center–Rocky Mountain
National Law Enforcement and Corrections Technology Center–Southeast
National Law Enforcement Council
National Sheriffs’ Association
National White Collar Crime Center
Naval Criminal Investigative Service
New Hampshire State Police Forensic Laboratory
New York Police Department
North Carolina Justice Academy
Office of the District Attorney General-Nashville, Tennessee
Office of Law Enforcement Technology Commercialization
Office of Overseas Prosecutorial Development
Ohio Bureau of Criminal ID and Investigation
Orange County, California, Community College–Department of Criminal Justice
Orange County Sheriff’s Department–Forensic Science Services
Peace Officers Standards and Training
Pharr, Texas, Police Department
Regional Computer Forensic Laboratory
Rhode Island State Crime Laboratory
Sedgwick County, Kansas, District Attorney’s Office
Sitka, Alaska, Police Department
Social Security Administration–Office of the Inspector General
State of Florida Crime Laboratory
TASC, Inc.
Tennessee Law Enforcement Training Academy
Tennessee Bureau of Investigation
Texas Rangers Department of Public Safety
Town of Goshen, New York, Police Department
U.S. Army Criminal Investigation Laboratory
U.S. Attorney’s Office–Western District of New York
U.S. Customs Service Cybersmuggling Center
U.S. Department of Justice–Criminal Division
U.S. Department of Justice–Fraud Section
U.S. Department of Justice–Office of Overseas Prosecutorial Development
U.S. Department of Justice–Western District of Michigan
U.S. Postal Service–Office of Inspector General
Virginia State Police Academy
About the National Institute of Justice

NIJ is the research and development agency of the U.S. Department of Justice and is the only Federal agency solely dedicated to researching crime control and justice issues. NIJ provides objective, independent, nonpartisan, evidence-based knowledge and tools to meet the challenges of crime and justice, particularly at the State and local levels. NIJ’s principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968, as amended (42 U.S.C. §§ 3721–3722).

NIJ’s Mission

In partnership with others, NIJ’s mission is to prevent and reduce crime, improve law enforcement and the administration of justice, and promote public safety. By applying the disciplines of the social and physical sciences, NIJ—
• Researches the nature and impact of crime and delinquency.
• Develops applied technologies, standards, and tools for criminal justice practitioners.
• Evaluates existing programs and responses to crime.
• Tests innovative concepts and program models in the field.
• Assists policymakers, program partners, and justice agencies.
• Disseminates knowledge to many audiences.

NIJ’s Strategic Direction and Program Areas

NIJ is committed to five challenges as part of its strategic plan: 1) rethinking justice and the processes that create just communities; 2) understanding the nexus between social conditions and crime; 3) breaking the cycle of crime by testing research-based interventions; 4) creating the tools and technologies that meet the needs of practitioners; and 5) expanding horizons through interdisciplinary and international perspectives. In addressing these strategic challenges, the Institute is involved in the following program areas: crime control and prevention, drugs and crime, justice systems and offender behavior, violence and victimization, communications and information technologies, critical incident response, investigative and forensic sciences (including DNA), less-than-lethal technologies, officer protection, education and training technologies, testing and standards, technology assistance to law enforcement and corrections agencies, field testing of promising programs, and international crime control. NIJ communicates its findings through conferences and print and electronic media.

NIJ’s Structure

The NIJ Director is appointed by the President and confirmed by the Senate. The NIJ Director establishes the Institute’s objectives, guided by the priorities of the Office of Justice Programs, the U.S. Department of Justice, and the needs of the field. NIJ actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice. NIJ has three operating units. The Office of Research and Evaluation manages social science research and evaluation and crime mapping research. The Office of Science and Technology manages technology research and development, standards development, and technology assistance to State and local law enforcement and corrections agencies. The Office of Development and Communications manages field tests of model programs, international research, and knowledge dissemination programs. NIJ is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.

To find out more about the National Institute of Justice, please contact:
National Criminal Justice Reference Service
P.O. Box 6000
Rockville, MD 20849–6000
800–851–3420
e-mail: [email protected]

To obtain an electronic version of this document, access the NIJ Web site (http://www.ojp.usdoj.gov/nij). If you have questions, call or e-mail NCJRS.