The use of computers as criminal instruments or as devices to collect information associated with criminal enterprises increases yearly. Criminals use computers to store data relating to drug deals, money laundering, embezzlement, mail fraud, extortion, and a myriad of other crimes. In addition to the simple storage of records, criminals also manipulate data, infiltrate computers of financial institutions, and illegally use telephone lines of unsuspecting businesses.
Statistics suggest that the law enforcement community must act quickly and decisively to meet the challenge presented by the criminal use of computers. For example:
* Over 4.7 million personal computers were sold in the United States in 1988, as compared with 386,500 in 1980
* An estimated 60 percent of personal computers are now networked
* $500 million is lost annually through illegal use of telephone access codes
* $1 trillion is moved electronically each week, and
* Only 11 percent of computer crime is reported.
While the law enforcement community, in general, often thinks of computer crime as high-tech crime, a growing segment of the population looks at computers and the data they store as nothing more than electronic paper. They feel very comfortable keeping their records, whether legal or illegal, in this format.
In order to address the legitimate need for access to computers and the information they contain, law enforcement must develop a structured approach to examine computer evidence. The examination of this evidence can provide investigative and intelligence information, and at the same time, preserve the information for subsequent admission in court.
PRESERVING COMPUTER EVIDENCE
As more and more records are converted from paper to electronic storage, individuals are becoming more and more computer literate. Unfortunately, a growing number of individuals use their computer knowledge for illegal activities.
While there is no typical computer case, the majority fall into the broad category of white-collar crime. During investigations of these cases, several problems repeatedly occur. However, by following the guidelines offered in this article, law enforcement agencies can protect valuable computer evidence.
Conduct Preliminary Examinations
Investigators should take immediate action to protect a computer's memory. Often, investigators attempt to generate investigative and intelligence information on site. While this approach is reasonable and should be encouraged, it is equally important that the computer be protected from any input introduced unintentionally by investigators.
For instance, many computer systems update files to the current date when read. In order to preserve the evidence in the same condition as it was when seized, steps must be taken to ensure that no dates are changed and nothing is written into or deleted from the computer's memory. Specialized software currently on the market protects the computer's memory and should always be used before an examination.
Investigators should also consider that anyone conducting a preliminary examination may be called on to testify concerning the procedures followed and the accuracy of the results. Because of this possibility, documented policy and protocol detailing steps to follow during examinations must be established. Examiners should closely follow guidelines set by their particular agency to avoid any legal discrepancies.
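The point above about file dates changing on read can be checked before and after an examination. The following is an added example, not part of the original article: it records each file's size, dates and SHA-256 hash in a working copy of seized data and reports whatever differs afterwards. The function names are assumptions made for illustration, and the Linux-only O_NOATIME flag is used so that the check itself does not update access dates.

```python
import hashlib
import os

# O_NOATIME exists on Linux only; 0 elsewhere means reads may update atime.
NOATIME = getattr(os, "O_NOATIME", 0)

def _sha256(path):
    """Hash a file, asking the kernel not to update its access time."""
    try:
        fd = os.open(path, os.O_RDONLY | NOATIME)
    except PermissionError:          # O_NOATIME requires file ownership
        fd = os.open(path, os.O_RDONLY)
    digest = hashlib.sha256()
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map each file under root to its size, dates and content hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)       # capture dates before reading content
            result[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime": st.st_mtime_ns,
                "atime": st.st_atime_ns,
                "content": _sha256(path),
            }
    return result

def compare(before, after):
    """Return {path: [what changed]} for altered, deleted or new files."""
    changes = {}
    for path in sorted(set(before) | set(after)):
        if path not in after:
            changes[path] = ["deleted"]
        elif path not in before:
            changes[path] = ["created"]
        else:
            fields = [k for k in before[path] if before[path][k] != after[path][k]]
            if fields:
                changes[path] = fields
    return changes
```

Taking one snapshot when the working copy is made and another when the examination ends gives the examiner a record of exactly which files, if any, were altered.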
Seize Supporting Software
When investigators seize a computer, they should also take all supporting software and documentation. This simple action eliminates a host of problems that may arise during the examination of the computer. It is logical, but not necessarily correct, to assume that the software that runs the seized computer is common and commercially available. …