Following Legal Processes
When conducting a computer investigation for potential criminal violations of the law, the legal processes you follow depend on local custom, legislative standards, and rules of evidence. In general, however, a criminal case follows three stages: the complaint, the investigation, and the prosecution. Someone files a complaint, and then a specialist investigates the complaint and, with the help of a prosecutor, collects evidence and builds a case. If the evidence is sufficient, the case might proceed to trial.

A criminal investigation generally begins when someone finds evidence of or witnesses an illegal act. The witness or victim makes an allegation to the police, an accusation of fact that a crime has been committed. A police officer interviews the complainant and writes a report about the crime. The law enforcement agency processes the report, and management decides to start an investigation or log the information into a police blotter, which provides a record of information about crimes that have been committed previously. Criminals often repeat actions in their illegal activities, and these patterns can be discovered by examining police blotters. This historical knowledge is useful when conducting investigations, especially in high-technology crimes. Blotters now are generally electronic files, often structured as databases, so they can be searched more easily than the old paper blotters.

Copyright 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
CHAPTER 1 Understanding the Digital Forensics Profession and Investigations

Not every police officer is a computer expert. Some are computer novices; others might be trained to recognize what they can retrieve from a computer disk. To differentiate the training and experience officers have, ISO standard 27037 (www.iso.org/standard/44381.html) defines two categories. A Digital Evidence First Responder (DEFR) has the skill and training to arrive on an incident scene, assess the situation, and take precautions to acquire and preserve evidence. A Digital Evidence Specialist (DES) has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis.

If you’re an examiner assigned to a case, recognize the level of expertise of police officers and others involved in the case. You should have DES training to conduct the examination of systems and manage the digital forensics aspects of the case. You start by assessing the scope of the case, which includes the device’s OS, hardware, and peripheral devices. You then determine whether resources are available to process all the evidence. Determine whether you have the right tools to collect and analyze evidence and whether you need to call on other specialists to assist in collecting and processing evidence. After you have gathered the resources you need, your role is to delegate, collect, and process the information related to the complaint. After you build a case, the information is turned over to the prosecutor. As an investigator, you must then present the collected evidence with a report to the government’s attorney. Depending on the community and the nature of the crime, the prosecutor’s title varies by jurisdiction.
In a criminal or public-sector case, if the police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit an affidavit (also called a “declaration”). This sworn statement of support of facts about or evidence of a crime is submitted to a judge with the request for a search warrant before seizing evidence. Figure 1-6 shows a typical affidavit. It’s your responsibility to write the affidavit, which must include exhibits (evidence) that support the allegation to justify the warrant. You must then have the affidavit notarized under sworn oath to verify that the information in the affidavit is true. (You learn more about affidavits and declarations in Chapter 14.)

In general, after a judge approves and signs a search warrant, it’s ready to be executed, meaning a DEFR can collect evidence as defined by the warrant. After you collect the evidence, you process and analyze it to determine whether a crime actually occurred. The evidence can then be presented in court in a hearing or trial. A judge or an administrative law judge then renders a judgment, or a jury hands down a verdict (after which a judge can enter a judgment).

Tip: To see an example of a police blotter, go to http://spdblotter.seattle.gov.
Figure 1-6 Typical affidavit language

Understanding Private-Sector Investigations

Private-sector investigations involve private companies and lawyers who address