E-book, English, 320 pages
Shavers Placing the Suspect Behind the Keyboard
1st edition 2013
ISBN: 978-1-59749-984-2
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: Adobe DRM
Using Digital Forensics and Investigative Techniques to Identify Cybercrime Suspects
Placing the Suspect Behind the Keyboard is the definitive book on conducting a complete investigation of a cybercrime using digital forensics techniques as well as physical investigative procedures. This book merges a digital analysis examiner's work with the work of a case investigator in order to build a solid case to identify and prosecute cybercriminals. Brett Shavers links traditional investigative techniques with high tech crime analysis in a manner that not only determines elements of crimes, but also places the suspect at the keyboard. This book is a first in combining investigative strategies of digital forensics analysis processes alongside physical investigative techniques in which the reader will gain a holistic approach to their current and future cybercrime investigations.
- Learn the tools and investigative principles of both physical and digital cybercrime investigations, and how they fit together to build a solid and complete case
- Master the techniques of conducting a holistic investigation that combines both digital and physical evidence to track down the 'suspect behind the keyboard'
- The only book to combine physical and digital investigative techniques
Brett Shavers is a former law enforcement officer of a municipal police department. He has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended over 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the department's first digital forensics lab in a small, cluttered storage closet.
Further information & material
Chapter 2 High Tech Interview

Information in this chapter:
- A main goal of questioning a suspect
- The line of questioning for suspects
- Questions for victims
- Questions for network administrators
- Summary

Introduction
There are investigators with an uncanny knack for obtaining admissions and confessions during their interrogations. Other investigators avoid interrogations because of a pattern of only being able to get requests for an attorney from suspects. Reading books on interview techniques, taking course work in interviews and interrogations, and experience can each contribute to becoming a more effective interrogator. This chapter is not designed to teach interrogations. It will give you the questions needed for interrogations in computer-related investigations. Each investigator must choose the timing and the delivery of the questions to elicit the truth from the suspect based on her own training, experience, and specific knowledge of the investigation.

Some of the most successful interrogations appear more like interviews or conversations, which many times could be the best description of the activity when speaking to suspects. Although an interview is an exchange of information and an interrogation is mainly a one-way road of information, the terms “interrogation” and “interview” are used interchangeably throughout this chapter. The intention, regardless of definition, is eliciting truthful statements from suspects.

In cases where a suspect has been identified and arrested with enough evidence to charge them with a crime, the interview phase can solidify details, but only if the right questions are asked which elicit truthful answers. As with any suspect interview, some questions are asked to which the investigator already knows the answer, intermingled with questions to which answers are sought. Although not a foolproof method of guaranteeing all answers are truthful, it does provide a means of corroborating known and truthful information.

The Main Goal of Questioning a Suspect
The timing of contact with a suspect in any given case is not entirely dependent on the investigator. Sometimes, a suspect may not be identified until late in the case and the interview may only be used to corroborate evidence discovered previously. Other times, suspects may be contacted early in the case, during which time the evidence may be minimal. Either situation still requires specific questions to be asked concerning the technology involved. The listing of questions in this chapter gives the interviewer a foundation of evidence-gathering questions related to the technology involved in the investigation. The questions do not depend upon whether the suspect is interviewed early in the case or prior to submitting charges.

The best case scenario is where the suspect freely admits guilt and confesses all details of the act. The sooner, the better for everyone involved. Sometimes that happens. Most times, it does not. For these investigations, it takes a person (the interrogator) to ask another person (the suspect) questions that elicit the truth. Unlike technology, there are no physical buttons to push, no debug program to determine why a question doesn’t work. It is purely human-to-human interaction. Non-criminal cases employ many of the same interviewing techniques as criminal investigations, although confessions and admissions won’t necessarily result in criminal convictions so much as civil penalties or internal employee discipline.

With many investigations, a computer system is only a part of the crime, either through its use to facilitate a crime or by containing evidence of a crime. Therefore, not every crime has a digital forensics examiner assigned as the lead case agent. Additionally, since the digital forensics examiner in many organizations may be a rare breed, the non-digital forensics investigator conducts high-tech interviews, sometimes to the detriment of the case when necessary questions are not asked.
The information obtained from a suspect willing to be interviewed will be beneficial whether the suspect lies, tells the truth, stretches the truth, or omits facts. Everything admitted by the suspect needs independent verification to confirm the veracity of the statements. If the statements were true, then verification goes to show credibility. Conversely, if any statements were false or misleading and further investigation can show the inconsistencies and untruthfulness, those statements then lead to the suspect’s lack of credibility. Either way, statements made are statements that, if possible, need to be fact checked through independent means.

The suggested questions listed in this chapter can be used as a guide for questioning, in any order best suited to the investigator, the suspect, and the case. The particular manner of speaking, specific words used, and interviewing methods are up to the investigator. Technical information that the interrogator does not understand during the questioning may sometimes be best left for the suspect to elaborate on. This not only educates the interrogator about the suspect’s mindset, but also allows the suspect to give even more information about the alleged crime.

To assist in the corroboration of suspect statements, any alleged suspect activity on computer devices should be detailed so that forensic examiners can more quickly prove or disprove the statements. As an example, if a suspect denies ever using a peer-to-peer networking program or downloading files with such a program, a forensic examination may find information on the system that could counter the denial, thereby discrediting that statement and the suspect’s credibility. Other information given by a suspect, especially statements made against a penal interest, could save hours or days of an examiner’s time in looking for electronic evidence that could have been identified by the suspect.
Investigators should keep an open mind as to the number and type of electronic devices that any suspect may have access to at home, work, or public locations. For practical experience, an investigator can conduct a simple walkthrough of her own home and workplace, taking note of electronic devices and their interconnectivity to each other as well as to the Internet. Even for experienced investigators, conducting an informal visual survey of the home will most times bring a surprise realization of the high number of devices used by family members on a regular basis. The actual devices used by cybercriminals will not be much different from those of the average computer user.

As can be seen in Figure 2.1, a multitude of devices exists outside the basic desktop computer. Some of the devices have specific uses but are interconnected with each other. Modems, wireless routers, external storage devices, multiple computers, multiple cellular devices, and even Internet connected game stations may contain electronic evidence, either as single points of analysis or as sources of corroborating evidence for a whole picture of user activity across a spectrum of devices.

Figure 2.1 Commonly used electronic devices, any or all, may be interconnected through wired or wireless networks at home or the workplace.

The Line of Questions for Suspects
The rule of not asking any question for which you don’t know the answer works, but only if you know the answer beforehand. In every other instance, you are asking questions to get answers. As the interviewer, it really doesn’t matter if the answers are true, half true, or lies. The goal is to corroborate the answers with other facts, regardless of what you hear in an interview. The sets of questions in this chapter are divided by topic and purpose. Not every question needs to be asked in every interview, but having a list of possible questions will help you guide the interview with a goal to accomplish.

Computer skills, ability, and knowledge
Obtaining a foundation of the suspect’s computer knowledge helps counter arguments of ignorance of technology skills at some point in the case. Most questions are benign and innocent without any inference of guilt, yet could be vitally important to the investigation. Depending upon the position of the interviewer (whether the interviewer is the forensic examiner or the case agent), certain questions may seem unimportant. It is vital for the interviewer to understand that an unimportant question asked now may be extremely important for her counterpart in the investigation later. Questions an interviewer may not understand can still be asked, as long as the interviewer is aware of the types of answers expected from each question. The assistance of a forensic examiner, or someone more versed in technology than the interviewer, would benefit the interviewer in obtaining accurate information from the suspect. Of course, one of the best questions to ask is simply, “Did you do it and how did you do it?” and take notes!

- Do you have any computer training or education? When and where? What did the training and education consist of?
- Have you ever taught computer subjects? When and where?
- Have you ever written software?
- Have you ever built a computer?
- Have you ever replaced parts of a computer? What parts?
- Have you ever installed software? What kind of...