U.S. Department of Justice

Office of Justice Programs

National Institute of Justice

A Guide for First Responders

NIJ Guide

U.S. Department of Justice
Office of Justice Programs
810 Seventh Street N.W.
Washington, DC 20531

John Ashcroft
Attorney General

Office of Justice Programs World Wide Web Site: http://www.ojp.usdoj.gov

National Institute of Justice World Wide Web Site: http://www.ojp.usdoj.gov/nij

Cover photographs copyright © 2001 PhotoDisc, Inc.

Electronic Crime Scene Investigation: A Guide for First Responders

Written and Approved by the Technical Working Group for Electronic Crime Scene Investigation

July 2001

U.S. Department of Justice
Office of Justice Programs
National Institute of Justice

Opinions or points of view expressed in this document represent a consensus of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice. The products and manufacturers discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice.

NCJ 187736

The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.

This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal.

Foreword

The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are being used increasingly to commit, enable, or support crimes perpetrated against persons, organizations, or property. Whether the crime involves attacks against computer systems, the information they contain, or more traditional crimes such as murder, money laundering, trafficking, or fraud, electronic evidence increasingly is involved. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and prosecutions that involve electronic evidence.

To assist State and local law enforcement agencies and prosecutorial offices with the growing volume of electronic crime, a series of reference guides regarding practices, procedures, and decisionmaking processes for investigating electronic crime is being prepared by technical working groups of practitioners and subject matter experts who are knowledgeable about electronic crime. The practitioners and experts are from Federal, State, and local law enforcement agencies; criminal justice agencies; offices of prosecutors and district attorneys general; and academic, commercial, and professional organizations.

The series of guides will address the investigation process from the crime scene first responder, to the laboratory, to the courtroom. Specifically, the series of guides will address:

◆ Crime scene investigations by first responders.

◆ Examination of digital evidence.

◆ Investigative uses of technology.

◆ Investigating electronic technology crimes.

◆ Creating a digital evidence forensic unit.

◆ Courtroom presentation of digital evidence.

Due to the rapidly changing nature of electronic and computer technologies and of electronic crime, efforts will be periodically undertaken to update the information contained within each of the guides. The guides, and any subsequent updates that are made to them, will be made available on the National Institute of Justice’s World Wide Web site (http://www.ojp.usdoj.gov/nij).

Technical Working Group for Electronic Crime Scene Investigation

The Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) was a multidisciplinary group of practitioners and subject matter experts from across the United States and other nations. Each of the individual participants is experienced in the intricacies involved with electronic evidence in relation to recognition, documentation, collection, and packaging. To initiate the working group, a planning panel composed of a limited number of participants was selected to define the scope and breadth of the work. A series of guides was proposed in which each guide will focus on a different aspect of the discipline.

The panel chose crime scene investigation as the first topic for incorporation into a guide.

Planning Panel

Susan Ballou
Program Manager for Forensic Sciences
Office of Law Enforcement Standards
National Institute of Standards and Technology
Gaithersburg, Maryland

Jaime Carazo
Special Agent
United States Secret Service
Electronic Crimes Branch
Washington, D.C.

Bill Crane
Assistant Director
Computer Crime Section
National White Collar Crime Center
Fairmont, West Virginia

Fred Demma
National Law Enforcement and Corrections Technology Center–Northeast
Rome, New York

Grant Gottfried
Special Projects
National Center for Forensic Science
Orlando, Florida

Sam Guttman
Assistant Inspector in Charge
Forensic and Technical Services
U.S. Postal Inspection Service
Dulles, Virginia

Jeffrey Herig
Special Agent
Florida Department of Law Enforcement
Florida Computer Crime Center
Tallahassee, Florida

Tim Hutchison
Sheriff
Knox County Sheriff’s Office
Knoxville, Tennessee

David Icove
Manager, Special Projects
U.S. TVA Police
Knoxville, Tennessee

Bob Jarzen
Sacramento County
Laboratory of Forensic Science
Sacramento, California

Tom Johnson
Dean
School of Public Safety and Professional Studies
University of New Haven
West Haven, Connecticut

Karen Matthews
DOE Computer Forensic Laboratory
Bolling AFB
Washington, D.C.

Mark Pollitt
Unit Chief
FBI–CART
Washington, D.C.

David Poole
Director
DoD Computer Forensics Laboratory
Linthicum, Maryland

Mary Riley
Price Waterhouse Coopers, LLP
Washington, D.C.

Kurt Schmid
Director
National HIDTA Program
Washington, D.C.

Howard A. Schmidt
Corporate Security Officer
Microsoft Corp.
Redmond, Washington

Raemarie Schmidt
Computer Crime Specialist
National White Collar Crime Center
Computer Crime Section
Fairmont, West Virginia

Carl Selavka
Massachusetts State Police Crime Laboratory
Sudbury, Massachusetts

Steve Sepulveda
United States Secret Service
Washington, D.C.

Todd Shipley
Detective Sergeant
Reno Police Department
Financial/Computer Crimes Unit
Reno, Nevada

Chris Stippich
Computer Crime Specialist
Computer Crime Section
National White Collar Crime Center
Fairmont, West Virginia

Carrie Morgan Whitcomb
Director
National Center for Forensic Science
Orlando, Florida

Wayne Williams
Sr. Litigation Counsel
Computer Crime and Intellectual Property Section
Criminal Division
U.S. Department of Justice
Washington, D.C.

TWGECSI Members

Additional members were then incorporated into TWGECSI to provide a full technical working group. The individuals listed below, along with those participants on the planning panel, worked together to produce this guide for electronic crime scene first responders.

Abigail Abraham
Assistant State’s Attorney
Cook County State’s Attorney’s Office
Chicago, Illinois

Keith Ackerman
Head of CID
Police HQ
Hampshire Constabulary
Winchester, Hants
United Kingdom

Michael Anderson
President
New Technologies, Inc.
Gresham, Oregon

Bill Baugh
CEO
Savannah Technology Group
Savannah, Georgia

Randy Bishop
Special Agent in Charge
U.S. Department of Energy
Office of Inspector General
Technology Crime Section
Washington, D.C.

Steve Branigan
Vice President of Product Development
Lucent Technologies
Murray Hill, New Jersey

Paul Brown
CyberEvidence, Inc.
The Woodlands, Texas

Carleton Bryant
Staff Attorney
Knox County Sheriff’s Office
Knoxville, Tennessee

Christopher Bubb
Deputy Attorney General
New Jersey Division of Criminal Justice
Trenton, New Jersey

Don Buchwald
Project Engineer
National Law Enforcement and Corrections Technology Center–West
The Aerospace Corporation
Los Angeles, California

Cheri Carr
Computer Forensic Lab Chief
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
Washington, D.C.

Nick Cartwright
Manager
Canadian Police Research Centre
Ottawa, Ontario
Canada

Ken Citarella
Chief
High Tech Crimes Bureau
Westchester County District Attorney
White Plains, New York

Chuck Coe
Director of Technical Services
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
Washington, D.C.

Fred Cohen
Sandia National Laboratories
Cyber Defender Program
Livermore, California

Fred Cotton
Director of Training Services
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Tony Crisp
Lieutenant
Maryville Police Department
Maryville, Tennessee

Mark Dale
New York State Police
Forensic Investigation Center
Albany, New York

Claude Davenport
Senior SA
United States Customs Service
Sterling, Virginia

David Davies
Photographic Examiner
Federal Bureau of Investigation
Washington, D.C.

Michael Donhauser
Maryland State Police
Columbia, Maryland

James Doyle
Sergeant
Detective Bureau
New York City Police Department
New York, New York

Michael Duncan
Sergeant
Royal Canadian Mounted Police
Economic Crime Branch
Technological Crime Section
Ottawa, Ontario
Canada

Jim Dunne
Group Supervisor
Drug Enforcement Agency
St. Louis, Missouri

Chris Duque
Detective
Honolulu Police Department
White Collar Crime Unit
Honolulu, Hawaii

Doug Elrick
Iowa DCI Crime Lab
Des Moines, Iowa

Paul French
Computer Forensics Lab Manager
New Technologies Armor, Inc.
Gresham, Oregon

Gerald Friesen
Electronic Search Coordinator
Industry Canada
Hull, Quebec
Canada

Pat Gilmore, CISSP
Director
Information Security Atomic Tangerine
San Francisco, California

Gary Gordon
Professor
Economic Crime Programs
Utica College
WetStone Technologies
Utica, New York

Dan Henry
Chief Deputy
Marion County Sheriff’s Department
Ocala, Florida

Jeff Hormann
Special Agent In Charge
Computer Crime Resident Agency
U.S. Army CID
Ft. Belvoir, Virginia

Mary Horvath
Program Manager
FBI–CART
Washington, D.C.

Mel Joiner
Officer
Arizona Department of Public Safety
Phoenix, Arizona

Nigel Jones
Detective Sergeant
Computer Crime Unit
Police Headquarters
Kent County Constabulary
Maidstone, Kent
United Kingdom

Jamie Kerr
SGT/Project Manager
RCMP Headquarters
Training Directorate
Ottawa, Ontario
Canada

Alan Kestner
Assistant Attorney General
Wisconsin Department of Justice
Madison, Wisconsin

Phil Kiracofe
Sergeant
Tallahassee Police Department
Tallahassee, Florida

Roland Lascola
Program Manager
FBI-CART
Washington, D.C.

Barry Leese
Detective Sergeant
Maryland State Police
Computer Crimes Unit
Columbia, Maryland

Glenn Lewis
Computer Specialist
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Chris Malinowski
Forensic Computer Investigation
University of New Haven
West Haven, Connecticut

Kevin Manson
Director
Cybercop.org
St. Simons Island, Georgia

Brenda Maples
Lieutenant
Memphis Police Department
Memphis, Tennessee

Tim McAuliffe
New York State Police
Forensic Investigation Center
Albany, New York

Michael McCartney
Investigator
New York State Attorney General’s Office
Criminal Prosecution Bureau–Organized Crime Task Force
Buffalo, New York

Alan McDonald
SSA
Washington, D.C.

Mark Menz
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Dave Merkel
AOL Investigations
Reston, Virginia

Bill Moylan
Detective
Nassau County PD
Computer Crime Section
Crimes Against Property Squad
Westbury, New York

Steve Nesbitt
Director of Operations
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
Washington, D.C.

Glen Nick
Program Manager
U.S. Customs Service
Cyber Smuggling Center
Fairfax, Virginia

Robert O’Leary
Detective
New Jersey State Police
High Technology Crimes & Investigations Support Unit
West Trenton, New Jersey

Matt Parsons
Special Agent/Division Chief
Naval Criminal Investigative Service
Washington, D.C.

Mike Phelan
Chief
Computer Forensics Unit
DEA Special Testing and Research Lab
Lorton, Virginia

Henry R. Reeve
General Counsel/Deputy D.A.
Denver District Attorney’s Office
Denver, Colorado

Jim Riccardi, Jr.
Electronic Crime Specialist
National Law Enforcement and Corrections Technology Center–Northeast
Rome, New York

David Roberts
Deputy Executive Director
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California

Leslie Russell
Forensic Science Service
Lambeth
London, England
United Kingdom

Greg Schmidt
Sr. Investigator
EDS-Investigations/Technical
Plano, Texas

George Sidor
Law Enforcement Security Consultant
Jaws Technologies Inc.
St. Albert, Alberta
Canada

William Spernow, CISSP
Research Director
Information Security Strategies Group
Gartner, Inc.
Suwanee, Georgia

Ronald Stevens
Senior Investigator
New York State Police
Forensic Investigation Center
Albany, New York

Gail Thackeray
Special Counsel–Technology Crimes
Arizona Attorney General’s Office
Phoenix, Arizona

Dwight Van de Vate
Chief Deputy
Knox County Sheriff’s Office
Knoxville, Tennessee

Jay Verhorevoort
Lieutenant
Davenport Police Department
Davenport, Iowa

Richard Vorder Bruegge
Photographic Examiner
Federal Bureau of Investigation
Washington, D.C.

Robert B. Wallace
U.S. Department of Energy
Germantown, Maryland

Craig Wilson
Detective Sergeant
Computer Crime Unit
Police Headquarters
Kent County Constabulary
Maidstone, Kent
United Kingdom

Brian Zwit
Chief Counsel (former)
Environment, Science, and Technology
National Association of Attorneys General
Washington, D.C.

Chronology

In May 1998, the National Cybercrime Training Partnership (NCTP), the Office of Law Enforcement Standards (OLES), and the National Institute of Justice (NIJ) collaborated on possible resources that could be implemented to counter electronic crime. Continuing meetings generated a desire to formulate one set of protocols that would address the process of electronic evidence from the crime scene through court presentations. NIJ selected the technical working group process as the way to achieve this goal but with the intent to create a publication flexible enough to allow implementation with any State and local law enforcement policy. Using its “template for technical working groups,” NIJ established the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) to identify, define, and establish basic criteria to assist agencies with electronic investigations and prosecutions.

In January 1999, planning panel members met at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, to review the fast-paced arena of electronic crime and prepare the scope, intent, and objectives of the project. During this meeting, the scope was determined to be too vast for incorporation into one guide. Thus evolved a plan for several guides, each targeting separate issues. Crime scene investigation was selected as the topic for the first guide.

The initial meeting of the full TWGECSI took place March 1999 at NIST. After outlining tasks in a general meeting, the group separated into subgroups to draft the context of the chapters as identified by the planning panel. These chapters were Electronic Devices: Types and Potential Evidence; Investigative Tools and Equipment; Securing and Evaluating the Scene; Documenting the Scene; Evidence Collection; Packaging, Transportation, and Storage; and Forensic Examination by Crime Category. The volume of work involved in preparing the text of these chapters required additional TWGECSI meetings.

The planning panel did not convene again until May 2000. Due to the amount of time that had transpired between meetings, the planning panel reviewed the draft content and compared it with changes that had occurred in the electronic crime environment. These revisions to the draft were then sent to the full TWGECSI in anticipation of the next meeting. The full TWGECSI met again at NIST in August 2000, and through 2 days of intense discussion, edited most of the draft to represent the current status of electronic crime investigation. With a few more sections requiring attention, the planning panel met in Seattle, Washington, during September 2000 to continue the editing process. These final changes, the glossary, and appendixes were then critiqued and voted on by the whole TWGECSI during the final meeting in November 2000 at NIST.

The final draft was then sent for content and editorial review to more than 80 organizations having expertise and knowledge in the electronic crime environment. The returned comments were evaluated and incorporated into the document when possible. The first chapter, Electronic Devices: Types and Potential Evidence, incorporates photographic representations of highlighted terms as a visual associative guide. At the end of the document are appendixes containing a glossary, legal resources, technical resources, training resources, and references, followed by a list of the organizations to which a draft copy of the document was sent.

Acknowledgments

The National Institute of Justice (NIJ) wishes to thank the members of the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) for their tireless dedication. There was a constant turnover of individuals involved, mainly as a result of job commitments and career changes. This dynamic environment resulted in a total of 94 individuals supplying their knowledge and expertise to the creation of the guide. All participants were keenly aware of the constant changes occurring in the field of electronics and strove to update information during each respective meeting. This demonstrated the strong desire of the working group to produce a guide that could be flexible and serve as a backbone for future efforts to upgrade the guide. In addition, NIJ offers a sincere thank you to each agency and organization represented by the working group members. The work loss to each agency during the absence of key personnel is evidence of management’s commitment and understanding of the importance of standardization in forensic science.

NIJ also wishes to thank Kathleen Higgins, Director, and Susan Ballou, Program Manager, of the Office of Law Enforcement Standards, for providing management and guidance in bringing the project to completion.

NIJ would like to express appreciation for the input and support that Dr. David G. Boyd, Director of NIJ’s Office of Science and Technology (OS&T), and Trent DePersia, Dr. Ray Downs, Dr. Richard Rau, Saralyn Borrowman, Amon Young, and James McNeil, all of OS&T, gave the meetings and the document. A special thanks is extended to Aspen Systems Corporation, specifically to Michele Coppola, the assigned editor, for her patience and skill in dealing with instantaneous transcription.

In addition, NIJ wishes to thank the law enforcement agencies, academic institutions, and commercial organizations worldwide that supplied contact information, reference materials, and editorial suggestions. Particular thanks goes to Michael R. Anderson, President of New Technologies, Inc., for contacting agencies knowledgeable in electronic evidence for inclusion in the appendix on technical resources.

Contents

Foreword

Technical Working Group for Electronic Crime Scene Investigation

Acknowledgments

Overview
  The Law Enforcement Response to Electronic Evidence
  The Latent Nature of Electronic Evidence
  The Forensic Process

Introduction
  Who Is the Intended Audience for This Guide?
  What Is Electronic Evidence?
  How Is Electronic Evidence Handled at the Crime Scene?
  Is Your Agency Prepared to Handle Electronic Evidence?

Chapter 1. Electronic Devices: Types and Potential Evidence
  Computer Systems
  Components
  Access Control Devices
  Answering Machines
  Digital Cameras
  Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)
  Hard Drives
  Memory Cards
  Modems
  Network Components
  Pagers
  Printers
  Removable Storage Devices and Media
  Scanners
  Telephones
  Miscellaneous Electronic Items

Chapter 2. Investigative Tools and Equipment
  Tool Kit

Chapter 3. Securing and Evaluating the Scene

Chapter 4. Documenting the Scene

Chapter 5. Evidence Collection
  Nonelectronic Evidence
  Stand-Alone and Laptop Computer Evidence
  Computers in a Complex Environment
  Other Electronic Devices and Peripheral Evidence

Chapter 6. Packaging, Transportation, and Storage

Chapter 7. Forensic Examination by Crime Category
  Auction Fraud (Online)
  Child Exploitation/Abuse
  Computer Intrusion
  Death Investigation
  Domestic Violence
  Economic Fraud (Including Online Fraud, Counterfeiting)
  E-Mail Threats/Harassment/Stalking
  Extortion
  Gambling
  Identity Theft
  Narcotics
  Prostitution
  Software Piracy
  Telecommunications Fraud

Appendix A. Glossary

Appendix B. Legal Resources List

Appendix C. Technical Resources List

Appendix D. Training Resources List

Appendix E. References

Appendix F. List of Organizations

Overview

Computers and other electronic devices are present in every aspect of modern life. At one time, a single computer filled an entire room; today, a computer can fit in the palm of your hand. The same technological advances that have helped law enforcement are being exploited by criminals.

Computers can be used to commit crime, can contain evidence of crime, and can even be targets of crime. Understanding the role and nature of electronic evidence that might be found, how to process a crime scene containing potential electronic evidence, and how an agency might respond to such situations are crucial issues. This guide represents the collected experience of the law enforcement community, academia, and the private sector in the recognition, collection, and preservation of electronic evidence in a variety of crime scenes.

The Law Enforcement Response to Electronic Evidence

The law enforcement response to electronic evidence requires that officers, investigators, forensic examiners, and managers all play a role. This document serves as a guide for the first responder. A first responder may be responsible for the recognition, collection, preservation, transportation, and/or storage of electronic evidence. In today’s world, this can include almost everyone in the law enforcement profession. Officers may encounter electronic devices during their day-to-day duties. Investigators may direct the collection of electronic evidence, or may perform the collection themselves. Forensic examiners may provide assistance at crime scenes and will perform examinations on the evidence. Managers have the responsibility of ensuring that personnel under their direction are adequately trained and equipped to properly handle electronic evidence.

Each responder must understand the fragile nature of electronic evidence and the principles and procedures associated with its collection and preservation. Actions that have the potential to alter, damage, or destroy original evidence may be closely scrutinized by the courts.

Procedures should be in effect that promote electronic crime scene investigation. Managers should determine who will provide particular levels of services and how these services will be funded. Personnel should be provided with initial and ongoing technical training. Oftentimes, certain cases will demand a higher level of expertise, training, or equipment, and managers should have a plan in place regarding how to respond to these cases. The demand for responses to electronic evidence is expected to increase for the foreseeable future. Such services require that dedicated resources be allocated for these purposes.

The Latent Nature of Electronic Evidence

Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. As such, electronic evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence are latent. In its natural state, we cannot “see” what is contained in the physical object that holds our evidence. Equipment and software are required to make the evidence visible. Testimony may be required to explain the examination process and any process limitations.

Electronic evidence is, by its very nature, fragile. It can be altered, damaged, or destroyed by improper handling or improper examination. For this reason, special precautions should be taken to document, collect, preserve, and examine this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. This guide suggests methods that will help preserve the integrity of such evidence.

The Forensic Process

The nature of electronic evidence is such that it poses special challenges for its admissibility in court. To meet these challenges, follow proper forensic procedures. These procedures include, but are not limited to, four phases: collection, examination, analysis, and reporting. Although this guide concentrates on the collection phase, the nature of the other three phases and what happens in each are also important to understand.

The collection phase involves the search for, recognition of, collection of, and documentation of electronic evidence. The collection phase can involve real-time and stored information that may be lost unless precautions are taken at the scene.

The examination process helps to make the evidence visible and explain its origin and significance. This process should accomplish several things. First, it should document the content and state of the evidence in its totality. Such documentation allows all parties to discover what is contained in the evidence. Included in this process is the search for information that may be hidden or obscured. Once all the information is visible, the process of data reduction can begin, thereby separating the “wheat” from the “chaff.” Given the tremendous amount of information that can be stored on computer storage media, this part of the examination is critical.

Analysis differs from examination in that it looks at the product of the examination for its significance and probative value to the case. Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team. In some agencies, the same person or group will perform both these roles.

A written report that outlines the examination process and the pertinent data recovered completes an examination. Examination notes must be preserved for discovery or testimony purposes. An examiner may need to testify about not only the conduct of the examination but also the validity of the procedure and his or her qualifications to conduct the examination.

Introduction

This guide is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence. It is not all-inclusive. Rather, it deals with the most common situations encountered with electronic evidence. Technology is advancing at such a rapid rate that the suggestions in this guide must be examined through the prism of current technology and the practices adjusted as appropriate. It is recognized that all crime scenes are unique and the judgment of the first responder/investigator should be given deference in the implementation of this guide. Furthermore, those responsible officers or support personnel with special training should also adjust their practices as the circumstances (including their level of experience, conditions, and available equipment) warrant. This publication is not intended to address forensic analysis. Circumstances of individual cases and Federal, State, and local laws/rules may require actions other than those described in this guide.

When dealing with electronic evidence, general forensic and procedural principles should be applied:

◆ Actions taken to secure and collect electronic evidence should not change that evidence.

◆ Persons conducting examination of electronic evidence should be trained for the purpose.

◆ Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review.

Who Is the Intended Audience for This Guide?

◆ Anyone encountering a crime scene that might contain electronic evidence.

◆ Anyone processing a crime scene that involves electronic evidence.

◆ Anyone supervising someone who processes such a crime scene.

◆ Anyone managing an organization that processes such a crime scene.


Without having the necessary skills and training, no responder should attempt to explore the contents or recover data from a computer (e.g., do not touch the keyboard or click the mouse) or other electronic device other than to record what is visible on its display.

What Is Electronic Evidence?

Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. Such evidence is acquired when data or physical items are collected and stored for examination purposes.

Electronic evidence:

◆ Is often latent in the same sense as fingerprints or DNA evidence.

◆ Can transcend borders with ease and speed.

◆ Is fragile and can be easily altered, damaged, or destroyed.

◆ Is sometimes time-sensitive.

How Is Electronic Evidence Handled at the Crime Scene?

Precautions must be taken in the collection, preservation, and examination of electronic evidence.

Handling electronic evidence at the crime scene normally consists of the following steps:

◆ Recognition and identification of the evidence.

◆ Documentation of the crime scene.

◆ Collection and preservation of the evidence.

◆ Packaging and transportation of the evidence.

The information in this document assumes that:

◆ The necessary legal authority to search for and seize the suspected evidence has been obtained.


◆ The crime scene has been secured and documented (photographically and/or by sketch or notes).

◆ Crime scene protective equipment (gloves, etc.) is being used as necessary.

Note: First responders should use caution when seizing electronic devices. The improper access of data stored in electronic devices may violate provisions of certain Federal laws, including the Electronic Communications Privacy Act. Additional legal process may be necessary. Please consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel.

Is Your Agency Prepared to Handle Electronic Evidence?

This document recommends that every agency identify local computer experts before they are needed. These experts should be “on call” for situations that are beyond the technical expertise of the first responder or department. (Similar services are in place for toxic waste emergencies.) It is also recommended that investigative plans be developed in compliance with departmental policy and Federal, State, and local laws. In particular, under the Privacy Protection Act, with certain exceptions, it is unlawful for an agent to search for or seize certain materials possessed by a person reasonably believed to have a purpose of disseminating information to the public. For example, seizure of First Amendment materials such as drafts of newsletters or Web pages may implicate the Privacy Protection Act.

This document may help in:

◆ Assessing resources.

◆ Developing procedures.

◆ Assigning roles and tasks.

◆ Considering officer safety.

◆ Identifying and documenting equipment and supplies to bring to the scene.


Chapter 1. Electronic Devices: Types and Potential Evidence

Electronic evidence can be found in many of the new types of electronic devices available to today’s consumers. This chapter displays a wide variety of the types of electronic devices commonly encountered in crime scenes, provides a general description of each type of device, and describes its common uses. In addition, it presents the potential evidence that may be found in each type of equipment.

Many electronic devices contain memory that requires continuous power to maintain the information, such as a battery or AC power. Data can be easily lost by unplugging the power source or allowing the battery to discharge. (Note: After determining the mode of collection, collect and store the power supply adaptor or cable, if present, with the recovered device.)

[Photo labels: Printer, CPU Location, Telephone, Diskettes, Monitor, Keyboard, Counterfeit Documents, Software]

Computer Systems

Description: A computer system typically consists of a main base unit, sometimes called a central processing unit (CPU), data storage devices, a monitor, keyboard, and mouse. It may be a stand-alone or it may be connected to a network. There are many types of computer systems such as laptops, desktops, tower systems, modular rack-mounted systems, minicomputers, and mainframe computers. Additional components include modems, printers, scanners, docking stations, and external data storage devices. For example, a desktop is a computer system consisting of a case, motherboard, CPU, and data storage, with an external keyboard and mouse.

Primary Uses: For all types of computing functions and information storage, including word processing, calculations, communications, and graphics.

Potential Evidence: Evidence is most commonly found in files that are stored on hard drives and storage devices and media. Examples are:

User-Created Files

User-created files may contain important evidence of criminal activity such as address books and database files that may prove criminal association, still or moving pictures that may be evidence of pedophile activity, and communications between criminals such as by e-mail or letters. Also, drug deal lists may often be found in spreadsheets.

◆ Address books.

◆ Audio/video files.

◆ Calendars.

◆ Database files.

◆ Documents or text files.

◆ E-mail files.

◆ Image/graphics files.

◆ Internet bookmarks/favorites.

◆ Spreadsheet files.

[Photo labels: Computer, Monitor, Laptop]

User-Protected Files

Users have the opportunity to hide evidence in a variety of forms. For example, they may encrypt or password-protect data that are important to them. They may also hide files on a hard disk or within other files or deliberately hide incriminating evidence files under an innocuous name.

◆ Compressed files.

◆ Encrypted files.

◆ Hidden files.

◆ Misnamed files.

◆ Password-protected files.

◆ Steganography.
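The check an examiner might use to surface the misnamed and compressed files listed above, as an added example that is not part of the original guide: it compares each file's leading bytes with well-known format signatures and flags names that disagree. The signature table is a small illustrative subset, the sample files are constructed, and the scan is assumed to run on a working copy, because even reading a file can change its access time.

```python
import os
import tempfile

# Well-known leading "magic" bytes for a few formats (illustrative subset).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
]

# File extensions normally used for each detected format.
EXPECTED_EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "pdf": {".pdf"},
    "zip": {".zip"},
    "gzip": {".gz", ".tgz"},
}


def detect_type(header):
    """Return the format whose signature starts the header, or None."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def classify(path):
    """Compare a file's content signature with its extension.

    Returns (detected_type, status), where status is one of:
      "match"    - content and extension agree
      "mismatch" - content is a known type the name does not claim, or the
                   name claims a known type whose signature is absent
      "unknown"  - no signature found and the extension claims none
    """
    # Opened read-only; assumed to be a working copy, never the original.
    with open(path, "rb") as fh:
        header = fh.read(16)
    detected = detect_type(header)
    ext = os.path.splitext(path)[1].lower()
    if detected is not None:
        if ext in EXPECTED_EXTENSIONS[detected]:
            return detected, "match"
        return detected, "mismatch"
    claims_known = any(ext in exts for exts in EXPECTED_EXTENSIONS.values())
    if claims_known:
        return None, "mismatch"
    return None, "unknown"


def scan(root):
    """Walk root and return (relative path, detected type) for each mismatch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            detected, status = classify(path)
            if status == "mismatch":
                findings.append((os.path.relpath(path, root), detected))
    return sorted(findings, key=lambda item: item[0])


def build_sample(root):
    """Write constructed sample files (headers only, not real documents)."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # honest JPEG name
        "system32.dll": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # JPEG under another name
        "notes.txt": b"PK\x03\x04" + b"\x00" * 12,           # ZIP archive named .txt
        "report.pdf": bytes(range(16, 32)),                  # .pdf without a PDF header
        "readme.txt": b"plain text, no signature",           # nothing to compare
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed samples in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan(root)


if __name__ == "__main__":
    for name, detected in demo():
        print(f"{name}: content looks like {detected or 'no known format'}")
```

A file that claims a known format but carries no signature, like the constructed `report.pdf`, is also the pattern an encrypted file produces, so it is reported as a mismatch rather than ignored.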

Evidence can also be found in files and other data areas created as a routine function of the computer’s operating system. In many cases, the user is not aware that data are being written to these areas. Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and examined.

Note: There are components of files that may have evidentiary value including the date and time of creation, modification, deletion, access, user name or identification, and file attributes. Even turning the system on can modify some of this information.

Computer-Created Files

◆ Backup files.

◆ Configuration files.

◆ Cookies.

◆ Hidden files.

◆ History files.

◆ Log files.

◆ Printer spool files.

◆ Swap files.

◆ System files.

◆ Temporary files.

[Photo labels: Port Replicator, Docking Station, Server]

Other Data Areas

◆ Bad clusters.

◆ Computer date, time, and password.

◆ Deleted files.

◆ Free space.

◆ Hidden partitions.

◆ Lost clusters.

◆ Metadata.

◆ Other partitions.

◆ Reserved areas.

◆ Slack space.

◆ Software registration information.

◆ System areas.

◆ Unallocated space.


Components

Central Processing Units (CPUs)

Description: Often called the “chip,” it is a microprocessor located inside the computer. The microprocessor is located in the main computer box on a printed circuit board with other electronic components.

Primary Uses: Performs all arithmetic and logical functions in the computer. Controls the operation of the computer.

Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.

Memory

Description: Removable circuit board(s) inside the computer. Information stored here is usually not retained when the computer is powered down.

Primary Uses: Stores user’s programs and data while computer is in operation.

Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.

Access Control Devices

Smart Cards, Dongles, Biometric Scanners

Description: A smart card is a small handheld device that contains a microprocessor that is capable of storing a monetary value, encryption key or authentication information (password), digital certificate, or other information. A dongle is a small device that plugs into a computer port that contains types of information similar to information on a smart card. A biometric scanner is a device connected to a computer system that recognizes physical characteristics of an individual (e.g., fingerprint, voice, retina).

Primary Uses: Provides access control to computers or programs or functions as an encryption key.

Potential Evidence: Identification/authentication information of the card and the user, level of access, configurations, permissions, and the device itself.

[Photo labels: PIII Xeon Processor, PIII Processor, G4 Processor, Memory, CPUs, Smart Card, Parallel Dongle, Biometric Scanner]

Answering Machines

Description: An electronic device that is part of a telephone or connected between a telephone and the landline connection. Some models use a magnetic tape or tapes, while others use an electronic (digital) recording system.

Primary Uses: Records voice messages from callers when the called party is unavailable or chooses not to answer a telephone call. Usually plays a message from the called party before recording the message.

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

Potential Evidence: Answering machines can store voice messages and, in some cases, time and date information about when the message was left. They may also contain other voice recordings.

◆ Caller identification information.

◆ Deleted messages.

◆ Last number called.

◆ Memo.

◆ Phone numbers and names.

◆ Tapes.

[Photo labels: USB Dongles, Parallel Dongle, Answering Machine, QuickCam]

Digital Cameras

Description: Camera, digital recording device for images and video, with related storage media and conversion hardware capable of transferring images and video to computer media.

Primary Uses: Digital cameras capture images and/or video in a digital format that is easily transferred to computer storage media for viewing and/or editing.

Potential Evidence:

◆ Images.

◆ Removable cartridges.

◆ Sound.

◆ Time and date stamp.

◆ Video.

Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)

Description: A personal digital assistant (PDA) is a small device that can include computing, telephone/fax, paging, networking, and other features. It is typically used as a personal organizer. A handheld computer approaches the full functionality of a desktop computer system. Some do not contain disk drives, but may contain PC card slots that can hold a modem, hard drive, or other device. They usually include the ability to synchronize their data with other computer systems, most commonly by a connection in a cradle (see photo). If a cradle is present, attempt to locate the associated handheld device.

Primary Uses: Handheld computing, storage, and communication devices capable of storage of information.

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

[Photo labels: Snappy Device (video capture device), Video Phone, Digital Cameras, Casio PDA, Palm Cradle, Palm in Cradle, PDAs]

Potential Evidence:

◆ Address book.

◆ Appointment calendars/information.

◆ Documents.

◆ E-mail.

◆ Handwriting.

◆ Password.

◆ Phone book.

◆ Text messages.

◆ Voice messages.


Hard Drives

Description: A sealed box containing rigid platters (disks) coated with a substance capable of storing data magnetically. Can be encountered in the case of a PC as well as externally in a stand-alone case.

Primary Uses: Storage of information such as computer programs, text, pictures, video, multimedia files, etc.

Potential Evidence: See potential evidence under computer systems.

Memory Cards

Description: Removable electronic storage devices, which do not lose the information when power is removed from the card. It may even be possible to recover erased images from memory cards. Memory cards can store hundreds of images in a credit card-size module. Used in a variety of devices, including computers, digital cameras, and PDAs. Examples are memory sticks, smart cards, flash memory, and flash cards.

Primary Uses: Provides additional, removable methods of storing and transporting information.

Potential Evidence: See potential evidence under computer systems.

[Photo labels: 2.5-inch IDE Hard Drive (laptop), 5.25-inch IDE Hard Drive (Quantum Bigfoot), Removable Hard Drive Tray, Hard Drive, External Hard Drive Pack, 3.5-inch IDE Hard Drive w/ cover removed, Microdrive, 2.5-inch IDE Hard Drive w/ cover removed, Memory Stick, Flash Card in PCMCIA Adaptor, Floppy Disk Adaptor/Memory Stick, Compact Flash Card, Memory Cards, Smart Media Card, Smart Media Floppy]

Modems

Description: Modems, internal and external (analog, DSL, ISDN, cable), wireless modems, PC cards.

Primary Uses: A modem is used to facilitate electronic communication by allowing the computer to access other computers and/or networks via a telephone line, wireless, or other communications medium.

Potential Evidence: The device itself.

Network Components

Local Area Network (LAN) Card or Network Interface Card (NIC)

Note: These components are indicative of a computer network. See discussion on network system evidence in chapter 5 before handling the computer system or any connected devices.

Description: Network cards, associated cables. Network cards also can be wireless.

Primary Uses: A LAN/NIC card is used to connect computers. Cards allow for the exchange of information and resource sharing.

Potential Evidence: The device itself, MAC (media access control) access address.

Routers, Hubs, and Switches

Description: These electronic devices are used in networked computer systems. Routers, switches, and hubs provide a means of connecting different computers or networks. They can frequently be recognized by the presence of multiple cable connections.

Primary Uses: Equipment used to distribute and facilitate the distribution of data through networks.

Potential Evidence: The devices themselves. Also, for routers, configuration files.

[Photo labels: Internal Network Interface Card, Wireless Network Interface Card, Wireless PCMCIA Card, PCMCIA Network Interface Card, Router, Ethernet Hub, Wired Hub, External Modem, Internal Modem, PCMCIA Modem, Ricochet Modem, Wireless Modem, 10Mbps or 10/100Mbps Autosensing Ethernet Hub, Power Adapter, NBG600, Cable or xDSL Modem, Standard RJ-45 Ethernet Cable]

Servers

Description: A server is a computer that provides some service for other computers connected to it via a network. Any computer, including a laptop, can be configured as a server.

Primary Uses: Provides shared resources such as e-mail, file storage, Web page services, and print services for a network.

Potential Evidence: See potential evidence under computer systems.

Network Cables and Connectors

Description: Network cables can be different colors, thicknesses, and shapes and have different connectors, depending on the components they are connected to.

Primary Uses: Connects components of a computer network.

Potential Evidence: The devices themselves.

[Photo labels: Wireless Hub, Server, RJ-11 Phone Cable, RJ45 LAN Cable & RJ11 Phone Cable, SCSI Cable, Parallel Port Printer Cable, Centronics Printer Cable, Ultrawide SCSI Cable, PS2 Cable, Serial Cable & Mouse, PS2 Cable With PS2 AT Adapter, USB Cable With A&B Connectors, Audio/Visual Cables, Network Cable Dongle & PC Network Card, Cable or xDSL Modem, CableFREE ISA/PCI Card in a Desktop, CableFREE PC Card in a Notebook, NCF600 CableFREE NetBlaster, NBG600, Standard RJ-45 Ethernet Cable]

Pagers

Description: A handheld, portable electronic device that can contain volatile evidence (telephone numbers, voice mail, e-mail). Cell phones and personal digital assistants also can be used as paging devices.

Primary Uses: For sending and receiving electronic messages, numeric (phone numbers, etc.) and alphanumeric (text, often including e-mail).

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

Potential Evidence:

◆ Address information.

◆ E-mail.

◆ Phone numbers.

◆ Text messages.

◆ Voice messages.

Printers

Description: One of a variety of printing systems, including thermal, laser, inkjet, and impact, connected to the computer via a cable (serial, parallel, universal serial bus (USB), firewire) or accessed via an infrared port. Some printers contain a memory buffer, allowing them to receive and store multiple page documents while they are printing. Some models may also contain a hard drive.

Primary Uses: Print text, images, etc., from the computer to paper.

Potential Evidence: Printers may maintain usage logs, time and date information, and, if attached to a network, they may store network identity information. In addition, unique characteristics may allow for identification of a printer.

◆ Documents.

◆ Hard drive.

◆ Ink cartridges.

◆ Network identity/information.

◆ Superimposed images on the roller.

◆ Time and date stamp.

◆ User usage log.

[Photo labels: RIM Pager, Single Pager, Pagers, Multifunction Device, Inkjet Printer]

Removable Storage Devices and Media

Description: Media used to store electrical, magnetic, or digital information (e.g., floppy disks, CDs, DVDs, cartridges, tape).

Primary Uses: Portable devices that can store computer programs, text, pictures, video, multimedia files, etc.

New types of storage devices and media come on the market frequently; these are a few examples of how they appear.

Potential Evidence: See potential evidence under computer systems.

Scanners

Description: An optical device connected to a computer, which passes a document past a scanning device (or vice versa) and sends it to the computer as a file.

Primary Uses: Converts documents, pictures, etc., to electronic files, which can then be viewed, manipulated, or transmitted on a computer.

Potential Evidence: The device itself may be evidence. Having the capability to scan may help prove illegal activity (e.g., child pornography, check fraud, counterfeiting, identity theft). In addition, imperfections such as marks on the glass may allow for unique identification of a scanner used to process documents.

[Photo labels: Syquest Cartridge, External CD-ROM Drive, Recordable CD, Jaz Cartridge, Zip Cartridge, DAT Tape Reader, Tape Drive, LS-120 Floppy Disk, External Media Disk Drive, DLT Tape Cartridge, DVD RAM Cartridge, External Zip Drive, 8mm and 4mm Tapes, 3.5-inch Floppy Diskette, Flatbed Scanner, Sheetfed Scanner, Handheld Scanner]

Telephones

Description: A handset either by itself (as with cell phones), or a remote base station (cordless), or connected directly to the landline system. Draws power from an internal battery, electrical plug-in, or directly from the telephone system.

Primary Uses: Two-way communication from one instrument to another, using land lines, radio transmission, cellular systems, or a combination. Phones are capable of storing information.

Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

Potential Evidence: Many telephones can store names, phone numbers, and caller identification information. Additionally, some cellular telephones can store appointment information, receive electronic mail and pages, and may act as a voice recorder.

◆ Appointment calendars/information.

◆ Caller identification information.

◆ Electronic serial number.

◆ E-mail.

◆ Memo.

◆ Password.

◆ Phone book.

◆ Text messages.

◆ Voice mail.

◆ Web browsers.

Miscellaneous Electronic Items

There are many additional types of electronic equipment that are too numerous to be listed that might be found at a crime scene. However, there are many nontraditional devices that can be an excellent source of investigative information and/or evidence. Examples are credit card skimmers, cell phone cloning equipment, caller ID boxes, audio recorders, and Web TV. Fax machines, copiers, and multifunction machines may have internal storage devices and may contain information of evidentiary value.

REMINDER: The search of this type of evidence may require a search warrant. See note in the Introduction, page 7.

[Photo labels: Cordless, Cellular Phones, Cellular Phone Cloning Equipment, Caller ID Box]

Copiers

Some copiers maintain user access records and history of copies made. Copiers with the scan once/print many feature allow documents to be scanned once into memory, and then printed later.

Potential Evidence:

◆ Documents.

◆ Time and date stamp.

◆ User usage log.

Credit Card Skimmers

Credit card skimmers are used to read information contained on the magnetic stripe on plastic cards.

Potential Evidence: Cardholder information contained on the tracks of the magnetic stripe includes:

◆ Card expiration date.

◆ Credit card numbers.

◆ User’s address.

◆ User’s name.

Digital Watches

There are several types of digital watches available that can function as pagers that store digital messages. They may store additional information such as address books, appointment calendars, e-mail, and notes. Some also have the capability of synchronizing information with computers.

Potential Evidence:

◆ Address book.

◆ Appointment calendars.

◆ E-mail.

◆ Notes.

◆ Phone numbers.

Facsimile Machines

Facsimile (fax) machines can store preprogrammed phone numbers and a history of transmitted and received documents. In addition, some contain memory allowing multiple-page faxes to be scanned in and sent at a later time as well as allowing incoming faxes to be held in memory and printed later. Some may store hundreds of pages of incoming and/or outgoing faxes.

Potential Evidence:

◆ Documents.

◆ Film cartridge.

◆ Phone numbers.

◆ Send/receive log.

[Photo labels: Copier, Credit Card Skimmer, Credit Card Skimmer—Laptop, Fax Machine]

Global Positioning Systems (GPS)

Global Positioning Systems can provide information on previous travel via destination information, way points, and routes. Some automatically store the previous destinations and include travel logs.

Potential Evidence:

◆ Home.

◆ Previous destinations.

◆ Travel logs.

◆ Way point coordinates.

◆ Way point name.


Chapter 2. Investigative Tools and Equipment

Principle: Special tools and equipment may be required to collect electronic evidence. Experience has shown that advances in technology may dictate changes in the tools and equipment required.

Policy: There should be access to the tools and equipment necessary to document, disconnect, remove, package, and transport electronic evidence.

Procedure: Preparations should be made to acquire the equipment required to collect electronic evidence. The needed tools and equipment are dictated by each aspect of the process: documentation, collection, packaging, and transportation.

Tool Kit

Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, markers). The following are additional items that may be useful at an electronic crime scene.

Documentation Tools

◆ Cable tags.

◆ Indelible felt tip markers.

◆ Stick-on labels.

Disassembly and Removal Tools

A variety of nonmagnetic sizes and types of:

◆ Flat-blade and Phillips-type screwdrivers.

◆ Hex-nut drivers.

◆ Needle-nose pliers.

◆ Secure-bit drivers.

◆ Small tweezers.


◆ Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).

◆ Standard pliers.

◆ Star-type nut drivers.

◆ Wire cutters.

Package and Transport Supplies

◆ Antistatic bags.

◆ Antistatic bubble wrap.

◆ Cable ties.

◆ Evidence bags.

◆ Evidence tape.

◆ Packing materials (avoid materials that can produce static electricity such as styrofoam or styrofoam peanuts).

◆ Packing tape.

◆ Sturdy boxes of various sizes.

Other Items

Items that also should be included within a department’s tool kit are:

◆ Gloves.

◆ Hand truck.

◆ Large rubber bands.

◆ List of contact telephone numbers for assistance.

◆ Magnifying glass.

◆ Printer paper.

◆ Seizure disk.

◆ Small flashlight.

◆ Unused floppy diskettes (3½ and 5¼ inch).


Chapter 3: Securing and Evaluating the Scene

Principle: The first responder should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence, both traditional and electronic.

Policy: All activities should be in compliance with departmental policy and Federal, State, and local laws. (Additional resources are referenced in appendix B.)

Procedure: After securing the scene and all persons on the scene, the first responder should visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. The first responder should evaluate the scene and formulate a search plan.

Secure and evaluate the scene:

◆ Follow jurisdictional policy for securing the crime scene. This would include ensuring that all persons are removed from the immediate area from which evidence is to be collected. At this point in the investigation do not alter the condition of any electronic devices: If it is off, leave it off. If it is on, leave it on.

◆ Protect perishable data physically and electronically. Perishable data may be found on pagers, caller ID boxes, electronic organizers, cell phones, and other similar devices. The first responder should always keep in mind that any device containing perishable data should be immediately secured, documented, and/or photographed.

◆ Identify telephone lines attached to devices such as modems and caller ID boxes. Document, disconnect, and label each telephone line from the wall rather than the device, when possible. There may also be other communications lines present for LAN/ethernet connections. Consult appropriate personnel/agency in these cases.


Keyboards, the computer mouse, diskettes, CDs, or other components may have latent fingerprints or other physical evidence that should be preserved. Chemicals used in processing latent prints can damage equipment and data. Therefore, latent prints should be collected after electronic evidence recovery is complete.

Conduct preliminary interviews:

◆ Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry.

◆ Consistent with departmental policy and applicable law, obtain from these individuals information such as:

❖ Owners and/or users of electronic devices found at the scene, as well as passwords (see below), user names, and Internet service provider.

❖ Passwords. Any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)

❖ Purpose of the system.

❖ Any unique security schemes or destructive devices.

❖ Any offsite data storage.

❖ Any documentation explaining the hardware or software installed on the system.


Chapter 4: Documenting the Scene

Principle: Documentation of the scene creates a permanent historical record of the scene. Documentation is an ongoing process throughout the investigation. It is important to accurately record the location and condition of computers, storage media, other electronic devices, and conventional evidence.

Policy: Documentation of the scene should be created and maintained in compliance with departmental policy and Federal, State, and local laws.

Procedure: The scene should be documented in detail.

Initial documentation of the physical scene:

◆ Observe and document the physical scene, such as the position of the mouse and the location of components relative to each other (e.g., a mouse on the left side of the computer may indicate a left-handed user).

◆ Document the condition and location of the computer system, including power status of the computer (on, off, or in sleep mode). Most computers have status lights that indicate the computer is on. Likewise, if fan noise is heard, the system is probably on. Furthermore, if the computer system is warm, that may also indicate that it is on or was recently turned off.

◆ Identify and document related electronic components that will not be collected.

◆ Photograph the entire scene to create a visual record as noted by the first responder. The complete room should be recorded with 360 degrees of coverage, when possible.

◆ Photograph the front of the computer as well as the monitor screen and other components. Also take written notes on what appears on the monitor screen. Active programs may require videotaping or more extensive documentation of monitor screen activity.


Note: Movement of a computer system while the system is running may cause changes to system data. Therefore, the system should not be moved until it has been safely powered down as described in chapter 5.

◆ Additional documentation of the system will be performed during the collection phase.


Chapter 5: Evidence Collection

REMINDER: The search for and collection of evidence at an electronic crime scene may require a search warrant. See note in the Introduction, page 7.

Principle: Computer evidence, like all other evidence, must be handled carefully and in a manner that preserves its evidentiary value. This relates not just to the physical integrity of an item or device, but also to the electronic data it contains. Certain types of computer evidence, therefore, require special collection, packaging, and transportation. Consideration should be given to protect data that may be susceptible to damage or alteration from electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices.

Policy: Electronic evidence should be collected according to departmental guidelines. In the absence of departmental guidelines outlining procedures for electronic evidence collection, the following procedures are suggested.

Note: Prior to collection of evidence, it is assumed that locating and documenting has been done as described in chapters 3 and 4. Recognize that other types of evidence such as trace, biological, or latent prints may exist. Follow your agency’s protocol regarding evidence collection. Destructive techniques (e.g., use of fingerprint processing chemicals) should be postponed until after electronic evidence recovery is done.

Nonelectronic Evidence

Recovery of nonelectronic evidence can be crucial in the investigation of electronic crime. Proper care should be taken to ensure that such evidence is recovered and preserved. Items relevant to subsequent examination of electronic evidence may exist in other forms (e.g., written passwords and other handwritten notes, blank pads of paper with indented writing, hardware and software manuals, calendars, literature, text or graphical computer printouts, and photographs) and should be secured and preserved for future analysis. These items frequently are in close proximity to the computer or related hardware items. All evidence should be identified, secured, and preserved in compliance with departmental policies.

Stand-Alone and Laptop Computer Evidence

CAUTION: Multiple computers may indicate a computer network. Likewise, computers located at businesses are often networked. In these situations, specialized knowledge about the system is required to effectively recover evidence and reduce your potential for civil liability. When a computer network is encountered, contact the forensic computer expert in your department or outside consultant identified by your department for assistance. Computer systems in a complex environment are addressed later in this chapter.

A “stand-alone” personal computer is a computer not connected to a network or other computer. Stand-alones may be desktop machines or laptops.

Laptops incorporate a computer, monitor, keyboard, and mouse into a single portable unit. Laptops differ from other computers in that they can be powered by electricity or a battery source. Therefore, they require the removal of the battery in addition to stand-alone power-down procedures.

If the computer is on, document existing conditions and call your expert or consultant. If an expert or consultant is not available, continue with the following procedure:

Procedure:

After securing the scene per chapter 3, read all steps below before taking any action (or evidentiary data may be altered).

a. Record in notes all actions you take and any changes that you observe in the monitor, computer, printer, or other peripherals that result from your actions.

b. Observe the monitor and determine if it is on, off, or in sleep mode. Then decide which of the following situations applies and follow the steps for that situation.


Situation 1: Monitor is on and work product and/or desktop is visible.

1. Photograph screen and record information displayed.

2. Proceed to step c.

Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver (picture) is visible.

1. Move the mouse slightly (without pushing buttons). The screen should change and show work product or request a password.

2. If mouse movement does not cause a change in the screen, DO NOT perform any other keystrokes or mouse operations.

3. Photograph the screen and record the information displayed.

4. Proceed to step c.

Situation 3: Monitor is off.

1. Make a note of “off” status.

2. Turn the monitor on, then determine if the monitor status is as described in either situation 1 or 2 above and follow those steps.

c. Regardless of the power state of the computer (on, off, or sleep mode), remove the power source cable from the computer—NOT from the wall outlet. If dealing with a laptop, in addition to removing the power cord, remove the battery pack. The battery is removed to prevent any power to the system. Some laptops have a second battery in the multipurpose bay instead of a floppy drive or CD drive. Check for this possibility and remove that battery as well.

d. Check for outside connectivity (e.g., telephone modem, cable, ISDN, DSL). If a telephone connection is present, attempt to identify the telephone number.

e. To avoid damage to potential evidence, remove any floppy disks that are present, package the disk separately, and label the package. If available, insert either a seizure disk or a blank floppy disk. Do NOT remove CDs or touch the CD drive.

f. Place tape over all the drive slots and over the power connector.

g. Record make, model, and serial numbers.

h. Photograph and diagram the connections of the computer and the corresponding cables.

i. Label all connectors and cable ends (including connections to peripheral devices) to allow for exact reassembly at a later time. Label unused connection ports as “unused.” Identify laptop computer docking stations in an effort to identify other storage media.

j. Record or log evidence according to departmental procedures.

k. If transport is required, package the components as fragile cargo (see chapter 6).

Computers in a Complex Environment

Business environments frequently have multiple computers connected to each other, to a central server, or both. Securing and processing a crime scene where the computer systems are networked poses special problems, as improper shutdown may destroy data. This can result in loss of evidence and potential severe civil liability. When investigating criminal activity in a known business environment, the presence of a computer network should be planned for in advance, if possible, and appropriate expert assistance obtained. It should be noted that computer networks can also be found in a home environment and the same concerns exist.

The possibility of various operating systems and complex hardware configurations requiring different shutdown procedures makes the processing of a network crime scene beyond the scope of this guide. However, it is important that computer networks be recognized and identified, so that expert assistance can be obtained if one is encountered. Appendix C provides a list of technical resources that can be contacted for assistance.

Indications that a computer network may be present include:

◆ The presence of multiple computer systems.

◆ The presence of cables and connectors, such as those depicted in the pictures at left, running between computers or central devices such as hubs.

◆ Information provided by informants or individuals at the scene.

◆ The presence of network components as depicted in chapter 1.

[Pictures: 10Base2 connector and 10BaseT connector, each labeled “Disconnect Here.”]

Other Electronic Devices and Peripheral Evidence

The electronic devices such as the ones in the list below may contain potential evidence associated with criminal activity. Unless an emergency exists, the device should not be operated. Should it be necessary to access information from the device, all actions associated with the manipulation of the device should be documented to preserve the authenticity of the information. Many of the items listed below may contain data that could be lost if not handled properly. For more detailed information on these devices, see chapter 1.

Examples of other electronic devices (including computer peripherals):


◆ Audio recorders.

◆ Answering machines.

◆ Cables.

◆ Caller ID devices.

◆ Cellular telephones.

◆ Chips. (When components such as chips are found in quantity, it may be indicative of chip theft.)

◆ Copy machines.

◆ Databank/Organizer digital.

◆ Digital cameras (still and video).

◆ Dongle or other hardware protection devices (keys) for software.

◆ Drive duplicators.

◆ External drives.

◆ Fax machines.

◆ Flash memory cards.

◆ Floppies, diskettes, CD–ROMs.

◆ GPS devices.

◆ Pagers.

◆ Palm Pilots/electronic organizers.

◆ PCMCIA cards.

◆ Printers (if active, allow to complete printing).

◆ Removable media.

◆ Scanners (film, flatbed, watches, etc.).

◆ Smart cards/secure ID tokens.

◆ Telephones (including speed dialers, etc.).

◆ VCRs.

◆ Wireless access point.

Note: When seizing removable media, ensure that you take the associated device that created the media (e.g., tape drive, cartridge drives such as Zip®, Jaz®, ORB, Clik!™, Syquest, LS-120).


Chapter 6: Packaging, Transportation, and Storage

Principle: Actions taken should not add, modify, or destroy data stored on a computer or other media. Computers are fragile electronic instruments that are sensitive to temperature, humidity, physical shock, static electricity, and magnetic sources. Therefore, special precautions should be taken when packaging, transporting, and storing electronic evidence. To maintain chain of custody of electronic evidence, document its packaging, transportation, and storage.

Policy: Ensure that proper procedures are followed for packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Packaging procedure:

a. Ensure that all collected electronic evidence is properly documented, labeled, and inventoried before packaging.

b. Pay special attention to latent or trace evidence and take actions to preserve it.

c. Pack magnetic media in antistatic packaging (paper or antistatic plastic bags). Avoid using materials that can produce static electricity, such as standard plastic bags.

d. Avoid folding, bending, or scratching computer media such as diskettes, CD–ROMs, and tapes.

e. Ensure that all containers used to hold evidence are properly labeled.

Note: If multiple computer systems are collected, label each system so that it can be reassembled as found (e.g., System A–mouse, keyboard, monitor, main base unit; System B–mouse, keyboard, monitor, main base unit).


Transportation procedure:

a. Keep electronic evidence away from magnetic sources. Radio transmitters, speaker magnets, and heated seats are examples of items that can damage electronic evidence.

b. Avoid storing electronic evidence in vehicles for prolonged periods of time. Conditions of excessive heat, cold, or humidity can damage electronic evidence.

c. Ensure that computers and other components that are not packaged in containers are secured in the vehicle to avoid shock and excessive vibrations. For example, computers may be placed on the vehicle floor and monitors placed on the seat with the screen down and secured by a seat belt.

d. Maintain the chain of custody on all evidence transported.

Storage procedure:

a. Ensure that evidence is inventoried in accordance with departmental policies.

b. Store evidence in a secure area away from temperature and humidity extremes. Protect it from magnetic sources, moisture, dust, and other harmful particles or contaminants.

Note: Be aware that potential evidence such as dates, times, and systems configurations may be lost as a result of prolonged storage. Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.


Chapter 7: Forensic Examination by Crime Category

The following outline should help officers/investigators identify the common findings of a forensic examination as they relate to specific crime categories. This outline will also help define the scope of the examination to be performed. (This information is also presented as a matrix at the end of this chapter.)

Auction Fraud (Online)


◆ Account data regarding online auction sites.

◆ Accounting/bookkeeping software and associated data files.

◆ Address books.

◆ Calendar.

◆ Chat logs.

◆ Customer information/credit card data.

◆ Databases.

◆ Digital camera software.

◆ E-mail/notes/letters.

◆ Financial/asset records.

◆ Image files.

◆ Internet activity logs.

◆ Internet browser history/cache files.

◆ Online financial institution access software.

◆ Records/documents of “testimonials.”

◆ Telephone records.

Child Exploitation/Abuse

◆ Chat logs.

◆ Date and time stamps.

◆ Digital camera software.

◆ E-mail/notes/letters.

◆ Games.

◆ Graphic editing and viewing software.

◆ Images.

◆ Internet activity logs.

◆ Movie files.

◆ User-created directory and file names that classify images.


Computer Intrusion


◆ Address books.

◆ Configuration files.

◆ E-mail/notes/letters.

◆ Executable programs.

◆ Internet activity logs.

◆ Internet protocol (IP) address and user name.

◆ Internet relay chat (IRC) logs.

◆ Source code.

◆ Text files (user names and passwords).

Death Investigation

◆ Address books.

◆ Diaries.

◆ E-mail/notes/letters.

◆ Financial/asset records.

◆ Images.

◆ Internet activity logs.

◆ Legal documents and wills.

◆ Medical records.

◆ Telephone records.

Domestic Violence

◆ Address books.

◆ Diaries.

◆ E-mail/notes/letters.

◆ Financial/asset records.

◆ Medical records.

◆ Telephone records.

Economic Fraud (Including Online Fraud, Counterfeiting)

◆ Address books.

◆ Calendar.

◆ Check, currency, and money order images.

◆ Credit card skimmers.

◆ Customer information/credit card data.

◆ Databases.

◆ E-mail/notes/letters.

◆ False financial transaction forms.

◆ False identification.

◆ Financial/asset records.

◆ Images of signatures.

◆ Internet activity logs.

◆ Online financial institution access software.


E-Mail Threats/Harassment/Stalking


◆ Address books.

◆ Diaries.

◆ E-mail/notes/letters.

◆ Financial/asset records.

◆ Images.

◆ Internet activity logs.

◆ Legal documents.

◆ Telephone records.

◆ Victim background research.

Extortion

◆ Date and time stamps.

◆ E-mail/notes/letters.

◆ History log.

◆ Internet activity logs.

◆ Temporary Internet files.

◆ User names.

Gambling

◆ Address books.

◆ Calendar.

◆ Customer database and player records.

◆ Customer information/credit card data.

◆ Electronic money.

◆ E-mail/notes/letters.

◆ Financial/asset records.

◆ Image players.

◆ Internet activity logs.

◆ Online financial institution access software.

◆ Sports betting statistics.

Identity Theft

◆ Hardware and software tools.

❖ Backdrops.

❖ Credit card generators.

❖ Credit card reader/writer.

❖ Digital cameras.

❖ Scanners.

◆ Identification templates.

❖ Birth certificates.

❖ Check cashing cards.

❖ Digital photo images for photo identification.

❖ Driver’s license.

❖ Electronic signatures.


❖ Fictitious vehicle registrations.

❖ Proof of auto insurance documents.

❖ Scanned signatures.

❖ Social security cards.

◆ Internet activity related to ID theft.

❖ E-mails and newsgroup postings.

❖ Erased documents.

❖ Online orders.

❖ Online trading information.

❖ System files and file slack.

❖ World Wide Web activity at forgery sites.

◆ Negotiable instruments.

❖ Business checks.

❖ Cashiers checks.

❖ Counterfeit money.

❖ Credit card numbers.

❖ Fictitious court documents.

❖ Fictitious gift certificates.

❖ Fictitious loan documents.

❖ Fictitious sales receipts.

❖ Money orders.

❖ Personal checks.

❖ Stock transfer documents.

❖ Travelers checks.

❖ Vehicle transfer documentation.


Narcotics

◆ Address books.

◆ Calendar.

◆ Databases.

◆ Drug recipes.

◆ E-mail/notes/letters.

◆ False identification.

◆ Financial/asset records.

◆ Internet activity logs.

◆ Prescription form images.

Prostitution

◆ Address books.

◆ Biographies.

◆ Calendar.

◆ Customer database/records.

◆ E-mail/notes/letters.

◆ False identification.

◆ Financial/asset records.

◆ Internet activity logs.

◆ Medical records.

◆ World Wide Web page advertising.


Software Piracy


◆ Chat logs.

◆ E-mail/notes/letters.

◆ Image files of software certificates.

◆ Internet activity logs.

◆ Serial numbers.

◆ Software cracking information and utilities.

◆ User-created directory and file names that classify copyrighted software.

Telecommunications Fraud

◆ Cloning software.

◆ Customer database/records.

◆ Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records.

◆ E-mail/notes/letters.

◆ Financial/asset records.

◆ “How to phreak” manuals.

◆ Internet activity.

◆ Telephone records.

At a physical scene, look for duplication and packaging material.

The following information, when available, should be documented to assist in the forensic examination:

◆ Case summary.

◆ Internet protocol address(es).

◆ Keyword lists.

◆ Nicknames.

◆ Passwords.

◆ Points of contact.

◆ Supporting documents.

◆ Type of crime.

Matrix of forensic examination findings by crime category

Column groups: Sex Crimes; Crimes Against Persons; Fraud/Other Financial Crime.

Column headings: Child Exploitation/Abuse; Prostitution; Death Investigation; Auction Fraud; Computer Intrusion; Economic Fraud; Gambling; Identity Theft; Narcotics; Software Piracy; E-Mail Threats/Harassment/Stalking; Telecommunications Fraud; Domestic Violence; Extortion.

General Information:

Databases ✔ ✔ ✔ ✔ ✔

E-Mail/notes/letters ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Financial/asset records ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Medical records ✔ ✔ ✔

Telephone records ✔ ✔ ✔ ✔ ✔

Specific Information:

Account data ✔

Accounting/bookkeeping software ✔

Address books ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Backdrops ✔

Biographies ✔

Birth certificates ✔

Calendar ✔ ✔ ✔ ✔ ✔

Chat logs ✔ ✔ ✔

Check, currency, and money order images ✔ ✔

Check cashing cards ✔

Cloning software ✔

Configuration files ✔

Counterfeit money ✔

Credit card generators ✔

Credit card numbers ✔

Credit card reader/writer ✔

Credit card skimmers ✔

Customer database/records ✔ ✔ ✔

Customer information/credit card data ✔ ✔ ✔

Date and time stamps ✔ ✔

Diaries ✔ ✔ ✔

Digital cameras/software/images ✔ ✔ ✔

Driver’s license ✔

Drug recipes ✔

Electronic money ✔

Electronic signatures ✔


Erased Internet documents ✔

ESN/MIN pair records ✔

Executable programs ✔

False financial transaction forms ✔

False identification ✔ ✔ ✔

Fictitious court documents ✔

Fictitious gift certificates ✔

Fictitious loan documents ✔

Fictitious sales receipts ✔

Fictitious vehicle registrations ✔

Games ✔

Graphic editing and viewing software ✔

History log ✔

“How to phreak” manuals ✔

Images ✔ ✔ ✔ ✔

Images of signatures ✔

Image files of software certificates ✔

Image players ✔

Internet activity logs ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Internet browser history/cache files ✔

IP address and user name ✔

IRC chat logs ✔

Legal documents and wills ✔ ✔

Movie files ✔

Online financial institution access software ✔ ✔ ✔

Online orders and trading information ✔

Prescription form images ✔

Records/documents of “testimonials” ✔


Scanners/scanned signatures ✔

Serial numbers ✔

Social security cards ✔

Software cracking information and utilities ✔

Source code ✔

Sports betting statistics ✔

Stock transfer documents ✔

System files and file slack ✔

Temporary Internet files ✔

User names ✔ ✔

User-created directory and file names that classify copyrighted software ✔

User-created directory and file names that classify images ✔

Vehicle insurance and transfer documentation ✔

Victim background research ✔

Web activity at forgery sites ✔

Web page advertising ✔


The views and opinions of authors expressed herein do not necessarily reflect those of the United States Government.

Reference herein to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government.

The information and statements contained in this document shall not be used for the purposes of advertising or to imply the endorsement or recommendation of the United States Government.

With respect to information contained in this publication, neither the United States Government nor any of its employees make any warranty, express or implied, including but not limited to the warranties of merchantability and fitness for a particular purpose. Further, neither the United States Government nor any of its employees assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed; nor do they represent that its use would not infringe on privately owned rights.


Appendix A: Glossary

Access token: In Windows NT, an internal security card that is generated when users log on. It contains the security IDs (SIDs) for the user and all the groups to which the user belongs. A copy of the access token is assigned to every process launched by the user.

BIOS: Basic Input Output System. The set of routines stored in read-only memory that enable a computer to start the operating system and to communicate with the various devices in the system such as disk drives, keyboard, monitor, printer, and communication ports.

Buffer: An area of memory, often referred to as a “cache,” used to speed up access to devices. It is used for temporary storage of data read from or waiting to be sent to a device such as a hard disk, CD-ROM, printer, or tape drive.

Clik!™: A portable disk drive, also known as a PocketZip disk. The external drive connects to the computer via the USB port or a PC card, the latter containing a removable cartridge slot within the card itself.

CD-R: Compact disk-recordable. A disk to which data can be written but not erased.

CD-RW: Compact disk-rewritable. A disk to which data can be written and erased.

Compressed file: A file that has been reduced in size through a compression algorithm to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed.

Cookies: Small text files stored on a computer while the user is browsing the Internet. These little pieces of data store information such as e-mail identification, passwords, and history of pages the user has visited.

47

Ap

pen

dix

A

Page 59: A Guide for First Responders - IWSiwar.org.uk/ecoespionage/resources/cybercrime/e... · Investigating electronic technology crimes. ... United Kingdom Brian Zwit Chief Counsel (former)

CPU: Central processing unit. The computational and control unit of a computer. Located inside a computer, it is the “brain” that performs all arithmetic, logic, and control functions in a computer.

Deleted files: If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate the evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data.

Digital evidence: Information stored or transmitted in binary form that may be relied upon in court.

Docking station: A device to which a laptop or notebook computer can be attached for use as a desktop computer, usually having a connector for externally connected devices such as hard drives, scanners, keyboards, monitors, and printers.

Documentation: Written notes, audio/videotapes, printed forms, sketches, and/or photographs that form a detailed record of the scene, evidence recovered, and actions taken during the search of the scene.

Dongle: Also called a hardware key, a dongle is a copy protection device supplied with software that plugs into a computer port, often the parallel port on a PC. The software sends a code to that port and the key responds by reading out its serial number, which verifies its presence to the program. The key hinders software duplication because each copy of the program is tied to a unique number, which is difficult to obtain, and the key has to be programmed with that number.

DSL: Digital subscriber line. Protocols designed to allow high-speed data communication over the existing telephone lines between end-users and telephone companies.

Duplicate digital evidence: A duplicate is an accurate digital reproduction of all data objects contained on the original physical item.

DVD: Digital versatile disk. Similar in appearance to a compact disk, but can store larger amounts of data.


Electromagnetic fields: The field of force associated with electric charge in motion having both electric and magnetic components and containing a definite amount of electromagnetic energy. Examples of devices that produce electromagnetic fields include speakers and radio transmitters frequently found in the trunk of the patrol car.

Electronic device: A device that operates on principles governing the behavior of electrons. See chapter 1 for examples, which include computer systems, scanners, printers, etc.

Electronic evidence: Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device.

Encryption: Any procedure used in cryptography to convert plain text into ciphertext in order to prevent anyone but the intended recipient from reading that data.

First responder: The initial responding law enforcement officer and/or other public safety official arriving at the scene.

Hidden data: Many computer systems include an option to protect information from the casual user by hiding it. A cursory examination may not display hidden files, directories, or partitions to the untrained viewer. A forensic examination will document the presence of this type of information.

ISDN: Integrated services digital network. A high-speed digital telephone line for high-speed network communications.

ISP: Internet service provider. An organization that provides access to the Internet. Small Internet service providers provide service via modem and ISDN, while the larger ones also offer private line hookups (e.g., T1, fractional T1).

Jaz®: A high-capacity removable hard disk system.

Latent: Present, although not visible, but capable of becoming visible.

LS-120: Laser Servo-120 is a floppy disk technology that holds 120MB. LS-120 drives use a dual-gap head, which reads and writes 120MB disks as well as standard 3.5-inch 1.44MB and 720KB floppies.

Magnetic media: A disk, tape, cartridge, diskette, or cassette that is used to store data magnetically.

Misnamed files and files with altered extensions: One simple way to disguise a file’s contents is to change the file’s name to something innocuous. For example, if an investigator was looking for spreadsheets by searching for a particular file extension, such as “.XLS,” a file whose extension had been changed by the user to “.DOC” would not appear as a result of the search. Forensic examiners use special techniques to determine if this has occurred, which the casual user would not normally be aware of.

Modem: A device used by computers to communicate over telephone lines. It is recognized by connection to a phone line.

Network: A group of computers connected to one another to share information and resources.

Networked system: A computer connected to a network.

ORB: A high-capacity removable hard disk system. ORB drives use magnetoresistive (MR) read/write head technology.

Original electronic evidence: Physical items and those data objects that are associated with those items at the time of seizure.

Password-protected files: Many software programs include the ability to protect a file using a password. One type of password protection is sometimes called “access denial.” If this feature is used, the data will be present on the disk in the normal manner, but the software program will not open or display the file without the user entering the password. In many cases, forensic examiners are able to bypass this feature.

Peripheral devices: An auxiliary device such as a printer, modem, or data storage system that works in conjunction with a computer.

Phreaking: Telephone hacking.


Port: An interface by which a computer communicates with another device or system. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices.

Port replicator: A device containing common PC ports such as serial, parallel, and network ports that plugs into a notebook computer. A port replicator is similar to a docking station but docking stations normally provide capability for additional expansion boards.

Printer spool files: Print jobs that are not printed directly are stored in spool files on disk.

Removable media: Items (e.g., floppy disks, CDs, DVDs, cartridges, tape) that store data and can be easily removed.

Screen saver: A utility program that prevents a monitor from being etched by an unchanging image. It also can provide access control.

Seizure disk: A specially prepared floppy disk designed to protect the computer system from accidental alteration of data.

Server: A computer that provides some service for other computers connected to it via a network.

Sleep mode: Power conservation status that suspends the hard drive and monitor resulting in a blank screen to conserve energy, sometimes referred to as suspend mode.

Stand-alone computer: A computer not connected to a network or other computer.

Steganography: The art and science of communicating in a way that hides the existence of the communication. It is used to hide a file inside another. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.


System administrator: The individual who has legitimate supervisory rights over a computer system. The administrator maintains the highest access to the system. Also can be known as sysop, sysadmin, and system operator.

Temporary and swap files: Many computers use operating systems and applications that store data temporarily on the hard drive. These files, which are generally hidden and inaccessible, may contain information that the investigator finds useful.

USB: Universal Serial Bus. A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices.

Volatile memory: Memory that loses its content when power is turned off or lost.

Zip®: A 3.5-inch removable disk drive. The drive is bundled with software that can catalog disks and lock the files for security.


Appendix B

Legal Resources List

Publications

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Washington, D.C.: U.S. Department of Justice, Computer Crime and Intellectual Property Section, March 2001. (Online under http://www.cybercrime.gov/searchmanual.htm.)

Prosecuting Cases That Involve Computers: A Resource for State and Local Prosecutors (CD-ROM), National White Collar Crime Center, 2001. (See http://www.nctp.org and http://www.training.nw3c.org for information).

Web Sites

Computer Crime and Intellectual Property Section of the U.S. Department of Justice, 202–514–1026, http://www.cybercrime.gov.

National Cybercrime Training Partnership, 877–628–7674, http://www.nctp.org.

Infobin, http://www.infobin.org/cfid/isplist.htm.


Appendix C

Technical Resources List

National

Computer Analysis Response Team
FBI Laboratory
935 Pennsylvania Avenue N.W.
Washington, DC 20535
Phone: 202–324–9307
http://www.fbi.gov/programs/lab/org/cart.htm

High Tech Crime Consortium
International Headquarters
1506 North Stevens Street
Tacoma, WA 98406–3826
Phone: 253–752–2427
Fax: 253–752–2430
E-mail: [email protected]
http://www.HighTechCrimeCops.org

Information Systems Security Association (ISSA)
7044 South 13th Street
Oak Creek, WI 53154
Phone: 800–370–4772
http://www.issa.org

Internal Revenue Service
Criminal Investigation Division
Rich Mendrop
Computer Investigative Specialist
Program Manager
2433 South Kirkwood Court
Denver, CO 80222
Phone: 303–756–0646
E-mail: [email protected]

National Aeronautics and Space Administration
Cheri Carr
Computer Forensic Lab Chief
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
300 E Street S.W.
Washington, DC 20546
Phone: 202–358–4298

National Aeronautics and Space Administration
Charles Coe
Director of Technical Services
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
300 E Street S.W.
Washington, DC 20546
Phone: 202–358–2573

National Aeronautics and Space Administration
Steve Nesbitt
Director of Operations
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
300 E Street S.W.
Washington, DC 20546
Phone: 202–358–2576


National Center for Forensic Science
University of Central Florida
P.O. Box 162367
Orlando, FL 32816
Phone: 407–823–6469
Fax: 407–823–3162
http://www.ncfs.ucf.edu

National Criminal Justice Computer Laboratory and Training Center
SEARCH Group, Inc.
7311 Greenhaven Drive, Suite 145
Sacramento, CA 95831
Phone: 916–392–2550
http://www.search.org

National Law Enforcement and Corrections Technology Center (NLECTC)–Northeast
26 Electronic Parkway
Rome, NY 13441
Phone: 888–338–0584
Fax: 315–330–4315
http://www.nlectc.org

National Law Enforcement and Corrections Technology Center (NLECTC)–West
c/o The Aerospace Corporation
2350 East El Segundo Boulevard
El Segundo, CA 90245
Phone: 888–548–1618
Fax: 310–336–2227
http://www.nlectc.org

National Railroad Passenger Corporation (NRPC) (AMTRAK)
Office of Inspector General
Office of Investigations
William D. Purdy
Senior Special Agent
10 G Street N.E., Suite 3E–400
Washington, DC 20002
Phone: 202–906–4318
E-mail: [email protected]

National White Collar Crime Center
7401 Beaufont Springs Drive
Richmond, VA 23225
Phone: 800–221–4424
http://www.nw3c.org

Scientific Working Group on Digital Evidence
http://www.for-swg.org/swgdein.htm

Social Security Administration
Office of Inspector General
Electronic Crime Team
4–S–1 Operations Building
6401 Security Boulevard
Baltimore, MD 21235
Phone: 410–965–7421
Fax: 410–965–5705

U.S. Customs Service’s Cyber Smuggling Center
11320 Random Hills, Suite 400
Fairfax, VA 22030
Phone: 703–293–8005
Fax: 703–293–9127

U.S. Department of Defense
DoD Computer Forensics Laboratory
911 Elkridge Landing Road, Suite 300
Linthicum, MD 21090
Phone: 410–981–0100/877–981–3235

U.S. Department of Defense
Office of Inspector General
Defense Criminal Investigative Service
David E. Trosch
Special Agent
Program Manager, Computer Forensics Program
400 Army Navy Drive
Arlington, VA 22202
Phone: 703–604–8733
E-mail: [email protected]
http://www.dodig.osd.mil/dcis/dcismain.html


U.S. Department of Energy
Office of the Inspector General
Technology Crimes Section
1000 Independence Avenue, 5A–235
Washington, DC 20585
Phone: 202–586–9939
Fax: 202–586–0754
E-mail: [email protected]

U.S. Department of Justice
Criminal Division
Computer Crime and Intellectual Property Section (CCIPS)
Duty Attorney
1301 New York Avenue N.W.
Washington, DC 20530
Phone: 202–514–1026
http://www.cybercrime.gov

U.S. Department of Justice
Drug Enforcement Administration
Michael J. Phelan
Group Supervisor
Computer Forensics
Special Testing and Research Lab
10555 Furnace Road
Lorton, VA 22079
Phone: 703–495–6787
Fax: 703–495–6794
E-mail: [email protected]

U.S. Department of Transportation
Office of Inspector General
Jacquie Wente
Special Agent
111 North Canal, Suite 677
Chicago, IL 60606
Phone: 312–353–0106
E-mail: [email protected]

U.S. Department of the Treasury
Bureau of Alcohol, Tobacco and Firearms
Technical Support Division
Visual Information Branch
Jack L. Hunter, Jr.
Audio and Video Forensic Enhancement Specialist
650 Massachusetts Avenue N.W.
Room 3220
Washington, DC 20226–0013
Phone: 202–927–8037
Fax: 202–927–8682
E-mail: [email protected]

U.S. Postal Inspection Service Digital Evidence
22433 Randolph Drive
Dulles, VA 20104–1000
Phone: 703–406–7927

U.S. Secret Service
Electronic Crimes Branch
950 H Street N.W.
Washington, DC 20223
Phone: 202–406–5850
Fax: 202–406–9233

Veterans Affairs
Office of the Inspector General
Robert Friel
Program Director, Computer Crimes and Forensics
801 I Street N.W., Suite 1064
Washington, DC 20001
Phone: 202–565–5701
E-mail: [email protected]


By State

Alabama

Alabama Attorney General’s Office
Donna White, S/A
11 South Union Street
Montgomery, AL 36130
Phone: 334–242–7345
E-mail: [email protected]

Alabama Bureau of Investigation
Internet Crimes Against Children Unit
Glenn Taylor
Agent
716 Arcadia Circle
Huntsville, AL 35801
Phone: 256–539–4028
E-mail: [email protected]

Homewood Police Department
Wade Morgan
1833 29th Avenue South
Homewood, AL 35209
Phone: 205–877–8637
E-mail: [email protected]

Hoover Police Department
Det. Michael Alexiou
FBI Innocent Images Task Force, Birmingham
100 Municipal Drive
Hoover, AL 35216
Phone: 205–444–7798
Pager: 205–819–0507
Mobile: 205–567–7516
E-mail: [email protected]

Alaska

Alaska State Troopers
Sgt. Curt Harris
White Collar Crime Section
5700 East Tudor Road
Anchorage, AK 99507
Phone: 907–269–5627
E-mail: [email protected]

Anchorage Police Department
Det. Glen Klinkhart/Sgt. Ross Plummer
4501 South Bragaw Street
Anchorage, AK 99507–1599
Phone: 907–786–8767/907–786–8778
E-mail: [email protected]
[email protected]

University of Alaska at Fairbanks Police Department
Marc Poeschel
Coordinator
P.O. Box 755560
Fairbanks, AK 99775
Phone: 907–474–7721
E-mail: [email protected]

Arizona

Arizona Attorney General’s Office
Technology Crimes
1275 West Washington Street
Phoenix, AZ 85007
Phone: 602–542–3881
Fax: 602–542–5997


Arkansas

University of Arkansas at Little Rock Police Department
William (Bill) Reardon/Bobby Floyd
2801 South University Avenue
Little Rock, AR 72204
Phone: 501–569–8793/501–569–8794
E-mail: [email protected]
[email protected]

California

Bureau of Medi-Cal Fraud and Elder Abuse
Luis Salazar
Senior Legal Analyst/Computer Forensic Team Coordinator
110 West A Street, Suite 1100
San Diego, CA 92101
Phone: 619–645–2432
Fax: 619–645–2455
E-mail: [email protected]

California Franchise Tax Board
Investigations Bureau
Ashraf L. Massoud
Special Agent
100 North Barranca Street, Suite 600
West Covina, CA 91791–1600
Phone: 626–859–4678
E-mail: [email protected]

Kern County Sheriff’s Department
Tom Fugitt
1350 Norris Road
Bakersfield, CA 93308
Phone: 661–391–7728
E-mail: [email protected]

Los Angeles Police Department
Computer Crime Unit
Det. Terry D. Willis
150 North Los Angeles Street
Los Angeles, CA 90012
Phone: 213–485–3795

Modesto Police Department
600 10th Street
Modesto, CA 95353
Phone: 209–572–9500, ext. 29119

North Bay High Technology Evidence Analysis Team (HEAT)
Sgt. Dave Bettin
1125 Third Street
Napa, CA 94559
Phone: 707–253–4500

Regional Computer Forensic Laboratory at San Diego
9797 Aero Drive
San Diego, CA 92123–1800
Phone: 858–499–7799
Fax: 858–499–7798
E-mail: [email protected]
http://www.rcfl.org

Sacramento Valley Hi-Tech Crimes Task Force
Hi-Tech Crimes Division
Sacramento County Sheriff’s Department
Lt. Mike Tsuchida
P.O. Box 988
Sacramento, CA 95812–0998
Phone: 916–874–3030
E-mail: [email protected]

San Diego High Technology Crimes
Economic Fraud Division
David Decker
District Attorney’s Office, County of San Diego
Suite 1020
San Diego, CA 92101
Phone: 619–531–3660
E-mail: [email protected]


Silicon Valley High Tech Crime Task Force
Rapid Enforcement Allied Computer Team (REACT)
c/o Federal Bureau of Investigation
Nick Muyo
950 South Bascom Avenue, Suite 3011
San Jose, CA 95128
Phone: 408–494–7161
Pager: 408–994–3264
E-mail: [email protected]

Southern California High Technology Crime Task Force
Sgt. Woody Gish
Commercial Crimes Bureau
Los Angeles County Sheriff’s Department
11515 South Colima Road, Room M104
Whittier, CA 90604
Phone: 562–946–7942

U.S. Customs Service
Frank Day
Senior Special Agent
Computer Investigative Specialist
3403 10th Street, Suite 600
Riverside, CA 92501
Phone: 906–276–6664, ext. 231
E-mail: [email protected]

Colorado

Denver District Attorney’s Office
Henry R. Reeve
General Counsel/Deputy D.A.
303 West Colfax Avenue, Suite 1300
Denver, CO 80204
Phone: 720–913–9000

Department of Public Safety
Colorado Bureau of Investigation
Computer Crime Investigation
690 Kipling Street, Suite 3000
Denver, Colorado 80215
Phone: 303–239–4292
Fax: 303–239–5788
E-mail: [email protected]

Connecticut

Connecticut Department of Public Safety
Division of Scientific Services
Forensic Science Laboratory
Computer Crimes and Electronic Evidence Unit
278 Colony Street
Meriden, CT 06451
Phone: 203–639–6492
Fax: 203–630–3760
E-mail: [email protected]

Connecticut Department of Revenue Services
Special Investigations Section
25 Sigourney Street
Hartford, CT 06106
Phone: 860–297–5877
Fax: 860–297–5625
E-mail: [email protected]

Yale University Police Department
Sgt. Dan Rainville
98–100 Sachem Street
New Haven, CT 06511
Phone: 203–432–7958
E-mail: [email protected]

Delaware

Delaware State Police
High Technology Crimes Unit
1575 McKee Road, Suite 204
Dover, DE 19904
Det. Steve Whalen
Phone: 302–739–2761
E-mail: [email protected]. Daniel Willey
Phone: 302–739–8020
E-mail: [email protected]. Robert Moses
Phone: 302–739–2467
E-mail: [email protected]. David Citro
Phone: 302–734–1399
E-mail: [email protected]


New Castle County Police Department
Criminal Investigations Unit
Det. Christopher M. Shanahan/Det. Edward E. Whatley
3601 North DuPont Highway
New Castle, DE 19720
Phone: 302–395–8110
E-mail: [email protected]
[email protected]

University of Delaware Police Department
Capt. Stephen M. Bunting
101 MOB
700 Pilottown Road
Lewes, DE 19958
Phone: 302–645–4334
E-mail: [email protected]

District of Columbia

Metropolitan Police Department
Special Investigations Division
Computer Crimes and Forensics Unit
Investigator Tim Milloff
300 Indiana Avenue N.W., Room 3019
Washington, DC 20001
Phone: 202–727–4252/202–727–1010
E-mail: [email protected]

Florida

Florida Atlantic University Police Department
Det. Wilfredo Hernandez
777 Glades Road, #49
Boca Raton, FL 33431
Phone: 561–297–2371
Fax: 561–297–3565

Gainsville Police Department
Criminal Investigations/Computer Unit
Det. Jim Ehrat
721 N.W. Sixth Street
Gainsville, FL 32601
Phone: 352–334–2488
E-mail: [email protected]

Institute of Police Technology and Management
Computer Forensics Laboratory
University of North Florida
12000 Alumni Drive
Jacksonville, FL 32224–2678
Phone: 904–620–4786
Fax: 904–620–2453
http://www.iptm.org

Office of Statewide Prosecution
High Technology Crimes
Thomas A. Sadaka
Special Counsel
135 West Central Boulevard, Suite 1000
Orlando, FL 32801
Phone: 407–245–0893
Fax: 407–245–0356

Pinellas County Sheriff’s Office
Det. Matthew Miller
10750 Ulmerton Road
Largo, FL 33778
E-mail: [email protected]

Georgia

Georgia Bureau of Investigation
Financial Investigations Unit
Steve Edwards
Special Agent in Charge
5255 Snapfinger Drive, Suite 150
Decatur, GA 30035
Phone: 770–987–2323
Fax: 770–987–9775
E-mail: [email protected]

Hawaii

Honolulu Police Department
White Collar Crime Unit
Det. Chris Duque
801 South Beretania Street
Honolulu, HI 96819
Phone: 808–529–3112


Idaho

Ada County Sheriff’s Office
Det. Lon Anderson, CFCE
7200 Barrister Drive
Boise, ID 83704
Phone: 208–377–6691

Illinois

Illinois State Police
Computer Crimes Investigation Unit
Division of Operations
Operational Services Command
Statewide Special Investigations Bureau
500 Illes Park Place, Suite 104
Springfield, IL 62718
Phone: 217–524–9572
Fax: 217–785–6793

Illinois State Police
Computer Crimes Investigation Unit
Master Sgt. James Murray
9511 West Harrison Street
Des Plaines, IL 60016–1562
Phone: 847–294–4549
E-mail: [email protected]

Tazewell County State’s Attorney CID
Det. Dave Frank
342 Court Street, Suite 6
Pekin, IL 61554–3298
Phone: 309–477–2205, ext. 400
Fax: 309–477–2729
E-mail: [email protected]

Indiana

Evansville Police Department
Det. J. Walker/Det. Craig Jordan
Fraud Investigations
15 N.W. Martin Luther King, Jr., Boulevard
Evansville, IN 47708
Phone: 812–436–7995/812–436–7994
E-mail: [email protected]
[email protected]

Indiana State Police
Det. David L. Lloyd
Computer Crime Unit
5811 Ellison Road
Fort Wayne, IN 46750
Phone: 219–432–8661
E-mail: [email protected]

Indianapolis Police Department
Det. William J. Howard
901 North Post Road, Room 115
Indianapolis, IN 46219
Phone: 317–327–3461
E-mail: [email protected]

Iowa

Iowa Division of Criminal Investigation
Doug Elrick
Criminalist
502 East Ninth Street
Des Moines, IA 50319
Phone: 515–281–3666
Fax: 515–281–7638
E-mail: [email protected]

Kansas

Kansas Bureau of Investigation
High Technology Crime Investigation Unit (HTCIU)
David J. Schroeder
Senior Special Agent
1620 S.W. Tyler Street
Topeka, KS 66612–1837
Phone: 785–296–8222
Fax: 785–296–0525
E-mail: [email protected]

Olathe Police Department
Sgt. Edward McGillivray
501 East 56 Highway
Olathe, KS 66061
Phone: 913–782–4500
E-mail: [email protected]


Wichita Police Department
Forensic Computer Crimes Unit
Det. Shaun Price/Det. Randy Stone
455 North Main, Sixth Floor Lab
Wichita, KS 67202
Phone: 316–268–4102/316–268–4128
E-mail: [email protected]
[email protected]@feist.com

Kentucky

Boone County Sheriff
Det. Daren Harris
P.O. Box 198
Burlington, KY 41005
Phone: 859–334–2175
E-mail: [email protected]

Louisiana

Gonzales Police Department
Officer Victoria Smith
120 South Irma Boulevard
Gonzales, LA 70737
Phone: 225–647–7511
Fax: 225–647–9544
E-mail: [email protected]

Louisiana Department of Justice
Criminal Division
High Technology Crime Unit
P.O. Box 94095
Baton Rouge, LA 70804
James L. Piker, Assistant Attorney General
Section Chief, High Technology Crime Unit
Investigator Clayton Rives
Phone: 225–342–7552
Fax: 225–342–7893
E-mail: [email protected]
[email protected] Turner, Computer Forensic Examiner
Phone: 225–342–4060
Fax: 225–342–3482
E-mail: [email protected]

Maine

Maine Computer Crimes Task Force
171 Park Street
Lewiston, ME 04240
Det. James C. Rioux
Phone: 207–784–6422, ext. 250
Investigator Mike Webber
Phone: 207–784–6422, ext. 255
Det. Thomas Bureau
Phone: 207–784–6422, ext. 256

Maryland

Anne Arundel County Police Department
Computer Crimes Unit
Sgt. Terry M. Crowe
41 Community Place
Crownsville, MD 21032
Phone: 410–222–3419
Fax: 410–987–7433
E-mail: [email protected]

Department of Maryland State Police
Computer Crimes Unit
D/SGT Barry E. Leese
Unit Commander
7155–C Columbia Gateway Drive
Columbia, MD 21046
Phone: 410–290–1620
Fax: 410–290–1831

Montgomery County Police
Computer Crime Unit
Det. Brian Ford
2350 Research Boulevard
Rockville, MD 20850
Phone: 301–840–2599
E-mail: [email protected]


Massachusetts

Massachusetts Office of the Attorney General
High Tech and Computer Crime Division
John Grossman, Chief
Assistant Attorney General
One Ashburton Place
Boston, MA 02108
Phone: 617–727–2200

Michigan

Michigan Department of Attorney General
High Tech Crime Unit
18050 Deering
Livonia, MI 48152
Phone: 734–525–4151
Fax: 734–525–4372

Oakland County Sheriff’s Department
Computer Crimes Unit
Det./Sgt. Joe Duke, CFCE
1201 North Telegraph Road
Pontiac, MI 48341
Phone: 248–858–4942
Fax: 248–858–9565
Pager: 248–580–4047

Minnesota

Ramsey County Sheriff’s Department
14 West Kellogg Boulevard
St. Paul, MN 55102
Phone: 651–266–2797
E-mail: [email protected]

Mississippi

Biloxi Police Department
Investigator Donnie G. Dobbs
170 Porter Avenue
Biloxi, MS 39530
Phone: 228–432–9382
E-mail: [email protected]

Missouri

St. Louis Metropolitan Police Department
High Tech Crimes Unit
Det. Sgt. Robert Muffler
1200 Clark
St. Louis, MO 63103
Phone: 314–444–5441
E-mail: [email protected]

Montana

Montana Division of Criminal Investigation
Computer Crime Unit
Jimmy Weg
Agent in Charge
303 North Roberts, Room 367
Helena, MT 59620
Phone: 406–444–6681
E-mail: [email protected]

Nebraska

Lincoln Police Department
Investigator Ed Sexton
575 South 10th Street
Lincoln, NE 68508
Phone: 402–441–7587
E-mail: [email protected]

Nebraska State Patrol
Internet Crimes Against Children Unit
Sgt. Scott Christensen
Coordinator
4411 South 108th Street
Omaha, NE 68137
Phone: 402–595–2410
Fax: 402–697–1409
E-mail: [email protected]


Nevada

City of Reno, Nevada, Police Department
Computer Crimes Unit
455 East Second Street (street address)
Reno, NV 89502
P.O. Box 1900 (mailing address)
Reno, NV 89505
Phone: 775–334–2107
Fax: 775–785–4026

Nevada Attorney General’s Office
John Lusak
Senior Computer Forensic Tech
100 North Carson Street
Carson City, NV 89701
Phone: 775–328–2889
E-mail: [email protected]

New Hampshire

New Hampshire State Police Forensic Laboratory
Computer Crimes Unit
10 Hazen Drive
Concord, NH 03305
Phone: 603–271–0300

New Jersey

New Jersey Division of Criminal Justice
Computer Analysis and Technology Unit (CATU)
James Parolski
Team Leader
25 Market Street
P.O. Box 085
Trenton, NJ 08625–0085
Phone: 609–984–5256/609–984–6500
Pager: 888–819–1292
E-mail: [email protected]

Ocean County Prosecutor’s Office
Special Investigations Unit/Computer Crimes
Investigator Mike Nevil
P.O. Box 2191
Toms River, NJ 08753
Phone: 732–929–2027, ext. 4014
Fax: 732–240–3338
E-mail: [email protected]

New Mexico

New Mexico Gaming Control Board
Information Systems Division
Donovan Lieurance
6400 Uptown Boulevard N.E., Suite 100E
Albuquerque, NM 87110
Phone: 505–841–9719
E-mail: [email protected]

Twelfth Judicial District Attorney’s Office
Investigator Jack Henderson
1000 New York Avenue, Room 301
Alamogordo, NM 88310
Phone: 505–437–1313, ext. 110
E-mail: [email protected]

New York

Erie County Sheriff’s Office
Computer Crime Unit
10 Delaware Avenue
Buffalo, NY 14202
Phone: 716–662–6150
http://www.erie.gov/sheriff/CCU

Nassau County Police Department
Computer Crime Section
Det. Bill Moylan
970 Brush Hollow Road
Westbury, NY 11590
Phone: 516–573–5275


New York Electronic Crimes Task Force
United States Secret Service
ATSAIC Robert Weaver
7 World Trade Center, 10th Floor
New York, NY 11048
Phone: 212–637–4500

New York Police Department
Computer Investigation and Technology Unit
1 Police Plaza, Room 1110D
New York, NY 10038
Phone: 212–374–4247
Fax: 212–374–4249
E-mail: [email protected]

New York State Attorney General’s Office
Internet Bureau
120 Broadway
New York, NY 10271
Phone: 212–416–6344
http://www.oag.state.ny.us

New York State Department of Taxation and Finance
Office of Deputy Inspector General
W.A. Harriman Campus
Building 9, Room 481
Albany, NY 12227
Phone: 518–485–8698
http://www.tax.state.ny.us

New York State Police
Computer Crime Unit
Ronald R. Stevens
Senior Investigator
Forensic Investigation Center
Building 30, State Campus
1220 Washington Avenue
Albany, NY 12226
Phone: 518–457–5712
Fax: 518–402–2773
E-mail: [email protected]

Rockland County Sheriff’s Department
Computer Crime Task Force
Det. Lt. John J. Gould
55 New Hempstead Road
New City, NY 10956
Phone: 845–708–7860/845–638–5836
Fax: 845–708–7821
E-mail: [email protected]

North Carolina

Raleigh Police Department
Investigator Patrick Niemann
110 South McDowell Street
Raleigh, NC 27601
Phone: 919–890–3555
E-mail: [email protected]

North Dakota

North Dakota Bureau of Criminal Investigation
Tim J. Erickson
Special Agent
P.O. Box 1054
Bismarck, ND 58502–1054
Phone: 701–328–5500
E-mail: [email protected]

Ohio

Hamilton County Ohio Sheriff’s Office
Capt. Pat Olvey
Justice Center
1000 Sycamore Street, Room 110
Cincinnati, OH 45202
Phone: 513–946–6689
Fax: 513–721–3581
http://www.hcso.org (under the Administration Division)


Ohio Attorney General’s Office
Bureau of Criminal Investigation
Computer Crime Unit
Kathleen Barch
Deputy Director
1560 State Route 56
London, OH 43140
Phone: 740–845–2410
E-mail: [email protected]

Riverside Police Department
Officer Harold Jones
MCSE/Computer Crime Specialist
1791 Harshman Road
Riverside, OH 45424
Phone: 937–904–1425
E-mail: [email protected]

Oklahoma

Oklahoma Attorney General
4545 North Lincoln Boulevard
Suite 260
Oklahoma City, OK 73105–3498
Phone: 405–521–4274
E-mail: [email protected]

Oklahoma State Bureau of Investigation
Mark R. McCoy, Ed.D., CFCE
Special Agent
P.O. Box 968
Stillwater, OK 74076
Phone: 405–742–8329
Fax: 405–742–8284
E-mail: [email protected]
[email protected]

Oregon

Portland Police Bureau
Computer Crimes Detail
Det./Sgt. Tom Nelson
Computer Forensic Investigator
1115 S.W. Second Avenue
Portland, OR 97204
Phone: 503–823–0871
E-mail: [email protected]

Washington County Sheriff’s Office
Brian Budlong
215 S.W. Adams Avenue, MS32
Hillsboro, OR 97123
Phone: 503–846–2573
Fax: 503–846–2637
E-mail: brian_budlong@co.washington.or.us

Pennsylvania

Allegheny County Police Department
High Tech Crime Unit
Det. T. Haney
400 North Lexington Street
Pittsburgh, PA 15208
Phone: 412–473–1304
Fax: 412–473–1377
E-mail: [email protected]

Erie County District Attorney’s Office
Erie County Courthouse
140 West Sixth Street
Erie, PA 16501
Phone: 814–451–6349
Fax: 814–451–6419

Rhode Island

Warwick Police Department
BCI Unit, Detective Division
Edmund Pierce
BCI Detective
99 Veterans Memorial Drive
Warwick, RI 02886
Phone: 401–468–4200 (main)/401–468–4243 (direct)
E-mail: [email protected]
[email protected]


South Carolina

South Carolina Law Enforcement Division (SLED)
Lt. L.J. “Chip” Johnson
Supervisory Special Agent
P.O. Box 21398
Columbia, SC 29221–1398
Phone: 803–737–9000

Winthrop University
Department of Public Safety
Daniel R. Yeargin
Assistant Chief of Police
02 Crawford Building
Rock Hill, SC 29733
Phone: 803–323–3496
E-mail: [email protected]

South Dakota

Information unavailable.

Tennessee

Harriman Police Department
Sgt. Brian Farmer
130 Pansy Hill Road
Harriman, TN 37748
Phone: 865–882–3383
Fax: 865–882–0700
E-mail: [email protected]
[email protected]

Knox County Sheriff’s Office
Carleton Bryant
Staff Attorney
400 West Main Avenue
Knoxville, TN 37902
Phone: 865–971–3911
E-mail: [email protected]

Tennessee Attorney General’s Office
Susan Holmes
Forensic Technology Specialist
425 Fifth Avenue, North
Nashville, TN 37243
Phone: 615–532–9658
E-mail: [email protected]

Texas

Austin Police Department
715 East Eighth Street
Austin, TX 78701
http://www.ci.austin.tx.us/police

Bexar County District Attorney’s Office
Russ Brandau/David Getrost
300 Dolorosa
San Antonio, TX 78205
Phone: 210–335–2974/210–335–2991
E-mail: [email protected]
[email protected]

Dallas Police Department
2014 Main Street
Dallas, TX 75201
http://www.ci.dallas.tx.us/dpd

Federal Bureau of Investigation
Dallas Field Office
1801 North Lamar Street
Dallas, TX 75202–1795
Phone: 214–720–2200
http://www.fbi.gov/contact/fo/dl/dallas.htm

Houston Police Department
1200 Travis Street
Houston, TX 77002
http://www.ci.houston.tx.us/departme/police

Portland Police Department
Det. Terrell Elliott
902 Moore Avenue
Portland, TX 78374
Phone: 361–643–2546
Fax: 361–643–5689
E-mail: [email protected]
http://www.portlandpd.com


Texas Department of Public Safety
5805 North Lamar Boulevard (street address)
Austin, TX 78752–4422
P.O. Box 4087 (mailing address)
Austin, TX 78773–0001
Phone: 512–424–2200/800–252–5402
E-mail: [email protected]
http://www.txdps.state.tx.us

Utah

Utah Department of Public Safety
Criminal Investigations Bureau, Forensic Computer Lab
Daniel D. Hooper
Special Agent
5272 South College Drive, Suite 200
Murray, UT 84123
Phone: 801–284–6238
E-mail: [email protected]

Vermont

Internet Crimes Task Force
Det. Sgt. Michael Schirling
50 Cherry Street, Suite 102
Burlington, VT 05401
Phone: 802–652–6800/802–652–6899
E-mail: [email protected]

State of Vermont Department of Public Safety
Bureau of Criminal Investigation
Sgt. Mark Lauer
103 South Main Street
Waterbury, VT 05671–2101
Phone: 802–241–5367
Fax: 802–241–5349
E-mail: [email protected]

Virginia

Arlington County Police Department
Criminal Investigations Division
Computer Forensics
Det. Ray Rimer
1425 North Courthouse Road
Arlington, VA 22201
Phone: 703–228–4239
Pager: 703–866–8965
E-mail: [email protected]

Fairfax County Police Department
Computer Forensics Section
Lt. Doug Crooke
4100 Chain Bridge Road
Fairfax, VA 22030
Phone: 703–246–7800
Fax: 703–246–4253
E-mail: [email protected]
http://www.co.fairfax.va.us/ps/police/homepage.htm

Richmond Police Department
Technology Crimes Section
Det. Jeff Deem
501 North Ninth Street
Richmond, VA 23219
Phone: 804–646–3949
Pager: 804–783–3021
E-mail: [email protected]

Virginia Beach Police Department
Det. Michael Encarnacao
Special Investigations CERU
2509 Princess Anne Road
Virginia Beach, VA 23456
Phone: 757–427–1749
E-mail: [email protected]

Virginia Department of Motor Vehicles
Law Enforcement Section
Larry L. Barnett
Assistant Special Agent in Charge
945 Edwards Ferry Road
Leesburg, VA 20175
Phone: 703–771–4757
E-mail: [email protected]


Virginia Office of the Attorney General
Addison L. Cheeseman
Senior Criminal Investigator
900 East Main Street
Richmond, VA 23219
Phone: 804–786–6554
E-mail: [email protected]

Virginia State Police
Andrew Clark, CFCE
Computer Technology Specialist 3
Richmond, VA 23236
Phone: 804–323–2040
E-mail: [email protected]

Washington

King County Sheriff’s Office
Fraud/Computer Forensic Unit
Sgt. Steve Davis/Det. Brian Palmer
401 Fourth Avenue North, RJC 104
Kent, WA 98032–4429
Phone: 206–296–4280
E-mail: [email protected]
[email protected]

Lynnwood Police Department
High Tech Property Crimes
Det. Douglas J. Teachworth
19321 44th Avenue West (street address)
P.O. Box 5008 (mailing address)
Lynnwood, WA 98046–5008
Phone: 425–744–6916
E-mail: [email protected]

Tacoma Police Department
PCSO
Det. Richard Voce
930 Tacoma Avenue South
Tacoma, WA 98402
Phone: 253–591–5679
E-mail: [email protected]

Vancouver Police Department
Maggi Holbrook
Computer Forensics Specialist
300 East 13th Street
Vancouver, WA 98660
Phone: 360–735–8887
E-mail: [email protected]

Washington State Department of Fish and Wildlife
John D. Flanagan, ITAS3
600 Capitol Way North
Olympia, WA 98501
Phone: 360–902–2210
Cell phone: 360–349–1225
E-mail: [email protected]

Washington State Patrol
Computer Forensics Unit
Det./Sgt. Steve Beltz
Airdustrial Way, Building 17
Olympia, WA 98507–2347
Phone: 360–753–3277
E-mail: [email protected]
[email protected]

West Virginia

National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
Phone: 877–628–7674
http://www.cybercrime.org

Wisconsin

Green Bay Police Department
Specialist Rick Dekker
307 South Adams Street
Green Bay, WI 54301
E-mail: [email protected]

Wisconsin Department of Justice
P.O. Box 7857
Madison, WI 53707–7851
Phone: 608–266–1221
http://www.doj.state.wi.us


Wood County Sheriff’s Department
400 Market Street
Wis Rapids, WI 54495
Phone: 715–421–8700
E-mail: [email protected]

Wyoming

Casper Police Department
Det. Derrick Dietz
210 North David
Casper, WY 82601
Phone: 307–235–8489
E-mail: [email protected]

Gillette Police Department
Sgt. Dave Adsit
201 East Fifth Street
Gillette, WY 82716
Phone: 307–682–5109
E-mail: [email protected]

Green River Police Department
Corp. Tom Jarvie/Sgt. David Hyer
50 East Second North
Green River, WY 82935
Phone: 307–872–0555
E-mail: [email protected]
[email protected]

Wyoming Division of Criminal Investigation
316 West 22nd Street
Cheyenne, WY 82002
Phone: 307–777–7183
Fax: 307–777–7252
Stephen J. Miller, Special Agent
E-mail: [email protected]
Seals, Special Agent
E-mail: [email protected]
Michael B. Curran, Special Agent
E-mail: [email protected]
Waters, Special Agent
E-mail: [email protected]

International

Australia

Western Australia Police
Det./Sgt. Ted Wisniewski
Computer Crime Investigation
Commercial Crime Division
Level 7 Eastpoint Plaza
233 Adelaide Tce
Perth WA 6000
Phone: +61 8 92200700
Fax: +61 8 92254489
E-mail: Computer.Crime@police.wa.gov.au

Brazil

Instituto De Criminalística - Polícia Civil Do Distrito Federal
SAISO - Lote 23 - Bloco “C” Complexo de Polícia Civil
70610–200
Brasília, Brazil
Phone: 55 +61 362–5948/55 +61 233–9530
E-mail: [email protected]

Canada

Royal Canadian Mounted Police
Technical Operations Directorate
Technological Crime Branch
1426 St. Joseph Boulevard
Gloucester, Ontario
Canada
KIA OR2
Phone: 613–993–1777


Switzerland

Computer Crime Unit (GCI)
Det. Pascal Seeger/Det. Didiser Frezza
5, ch. de la Graviere
1227 Acacias, Geneva
Switzerland
Phone: +41 22 427.80.16 (17)
Fax: +41 22 820.30.16
E-mail: [email protected]

United Kingdom

HM Inland Revenue
Special Compliance Office
Forensic Computing Team
Barkley House
P.O. Box 20
Castle Meadow Road
Nottingham
NG2 1BA
UK
Phone: +44 (0)115 974 0887
Fax: +44 (0)115 974 0890
E-mail: [email protected]

National High-Tech Crime Unit
P.O. Box 10101
London
E14 9NF
UK
Phone: +44 (0) 870–241–0549
Fax: +44 (0) 870–241–5729
E-mail: [email protected]


Appendix D. Training Resources List

Canadian Police College
P.O. Box 8900
Ottawa, Ontario
K1G 3J2
Canada
Phone: 613–993–9500
E-mail: [email protected]
http://www.cpc.gc.ca

DoD Computer Investigations Training Program
911 Elkridge Landing Road
Airport Square 11 Building
Suite 200
Linthicum, MD 21090
Phone: 410–981–1604
Fax: 410–850–8906
E-mail: [email protected]
http://www.dcitp.gov

FBI Academy at Quantico
U.S. Marine Corps Base
Quantico, VA
Phone: 703–640–6131
http://www.fbi.gov/programs/academy/academy.htm

Federal Law Enforcement Training Center
Headquarters Facility
Glynco, GA 31524
Phone: 912–267–2100
http://www.fletc.gov

Federal Law Enforcement Training Center
Artesia Facility
1300 West Richey Avenue
Artesia, NM 88210
Phone: 505–748–8000
http://www.fletc.gov

Federal Law Enforcement Training Center
Charleston Facility
2000 Bainbridge Avenue
Charleston, SC 29405–2607
Phone: 843–743–8858
http://www.fletc.gov

Florida Association of Computer Crime Investigators, Inc.
P.O. Box 1503
Bartow, FL 33831–1503
Phone: 352–357–0500
E-mail: [email protected]
http://www.facci.org

Forensic Association of Computer Technologists
Doug Elrick
P.O. Box 703
Des Moines, IA 50303
Phone: 515–281–7671
http://www.byteoutofcrime.org

High Technology Crime Investigation Association (International)
1474 Freeman Drive
Amissville, VA 20106
Phone: 540–937–5019
http://www.htcia.org

Information Security University
149 New Montgomery Street
Second Floor
San Francisco, CA 94105
http://www.infosecu.com


Information Systems Security Association (ISSA)
7044 South 13th Street
Oak Creek, WI 53154
Phone: 800–370–4772
http://www.issa.org

Institute of Police Technology and Management
University of North Florida
12000 Alumni Drive
Jacksonville, FL 32224–2678
Phone: 904–620–4786
Fax: 904–620–2453
http://www.iptm.org

International Association of Computer Investigative Specialists (IACIS)
P.O. Box 21688
Keizer, OR 97307–1688
Phone: 503–557–1506
E-mail: [email protected]
http://www.cops.org

International Organization on Computer Evidence
Phone: +44 (0) 171–230–6485
E-mail: [email protected]
http://www.ioce.org

James Madison University
800 South Main Street
Harrisonburg, VA 22807
Phone: 540–568–6211
http://www.cs.jmu.edu/currentcourses.htm

Midwest Electronic Crime Investigators Association
http://www.mecia.org

National Center for Forensic Science
University of Central Florida
P.O. Box 162367
Orlando, FL 32816–2367
Phone: 407–823–6469
E-mail: [email protected]
http://www.ncfs.ucf.edu

National Colloquium for Information Systems Security Education (NCISSE)
http://www.ncisse.org

National Criminal Justice Computer Laboratory and Training Center
SEARCH Group, Inc.
7311 Greenhaven Drive, Suite 145
Sacramento, CA 95831
Phone: 916–392–2550
http://www.search.org

National Cybercrime Training Partnership (NCTP)
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
Phone: 877–628–7674
E-mail: [email protected]
http://www.nctp.org
Note: New CD-ROM available, Prosecuting Cases That Involve Computers: A Resource for State and Local Prosecutors

National White Collar Crime Center
1000 Technology Drive, Suite 2130
Fairmont, WV 26554
Phone: 877–628–7674
http://www.cybercrime.org
Note: New CD-ROM available, Prosecuting Cases That Involve Computers: A Resource for State and Local Prosecutors

New Technologies, Inc.
2075 N.E. Division Street
Gresham, OR 97030
Phone: 503–661–6912
E-mail: [email protected]
http://www.forensics-intl.com


Purdue University
CERIAS (Center for Education and Research in Information and Assurance Security)
Andra C. Short
Recitation Building
Purdue University
West Lafayette, IN 47907–1315
Phone: 765–494–7806
E-mail: [email protected]
http://www.cerias.purdue.edu

Redlands Community College
Clayton Hoskinson, CFCE
Program Coordinator
Criminal Justice and Forensic Computer Science
1300 South Country Club Road
El Reno, OK 73036–5304
Phone: 405–262–2552, ext. 2517
E-mail: [email protected]

University of New Haven
School of Public Safety and Professional Studies
300 Orange Avenue
West Haven, CT 06516
http://www.newhaven.edu

University of New Haven–California Campus
Forensic Computer Investigation Program
6060 Sunrise Vista Drive
Citrus Heights, CA 95610
http://www.newhaven.edu

U.S. Department of Justice
Criminal Division
Computer Crime and Intellectual Property Section (CCIPS)
1301 New York Avenue N.W.
Washington, DC 20530
Phone: 202–514–1026
http://www.cycbercrime.gov

Utica College
Economic Crime Programs
1600 Burrstone Road
Utica, NY 13502
http://www.ecii.edu

Wisconsin Association of Computer Crime Investigators
P.O. Box 510212
New Berlin, WI 53151–0212
http://www.wacci.org




Appendix F. List of Organizations

The following is a list of organizations to which a draft copy of this document was mailed.

Alaska Criminal Laboratory

American Academy of Forensic Sciences

American Bar Association

American Society of Law Enforcement Trainers

Anchorage, Alaska, Police Department

Arapahoe County, Colorado, Sheriff’s Office

Association of Federal Defense Attorneys

Bridgeport, Michigan, Forensic Laboratory

Bureau of Justice Assistance

Canadian Police Research Center

Cleveland State College Basic Police Academy

Commission of Accreditation for Law Enforcement Agencies

Connecticut Department of Public Safety

Council of State Governments

Crime Scene Academy

Criminal Justice Institute

Dallas County District Attorney

Fairbanks, Alaska, Police Department

Federal Bureau of Investigation

Federal Law Enforcement Training Center

Florida Department of Law Enforcement

Florida Department of Law Enforcement-Jacksonville Regional Operations Center

Florida Office of Statewide Prosecution

Frederick County, Maryland, State’s Attorney’s Office

Georgia Bureau of Investigation

Harlingen, Texas, Police Department

High Tech Crime Consortium

Illinois State Police

Indiana State Police Laboratory

Institute for Intergovernmental Research

Institute of Police Technology and Management

Internal Revenue Service, Criminal Investigations

International Association of Bomb Technicians and Investigators

International Association of Chiefs of Police

International Association for Identification

Juneau, Alaska, Police Department

LaGrange, Georgia, Police Department

Law Enforcement Training Institute

Maine State Police Crime Laboratory

Massachusetts State Police Crime Laboratory


Metro Nashville Police Academy

Metro Nashville Police Department

Middletown Township, New Jersey, Police Department

National Advocacy Center

National Association of Attorneys General

National District Attorneys Association

National Law Enforcement and Corrections Technology Center–Northeast

National Law Enforcement and Corrections Technology Center–Rocky Mountain

National Law Enforcement and Corrections Technology Center–Southeast

National Law Enforcement Council

National Sheriffs’ Association

National White Collar Crime Center

Naval Criminal Investigative Service

New Hampshire State Police Forensic Laboratory

New York Police Department

North Carolina Justice Academy

Office of the District Attorney General-Nashville, Tennessee

Office of Law Enforcement Technology Commercialization

Office of Overseas Prosecutorial Development

Ohio Bureau of Criminal ID and Investigation

Orange County, California, Community College–Department of Criminal Justice

Orange County Sheriff’s Department–Forensic Science Services

Peace Officers Standards and Training

Pharr, Texas, Police Department

Regional Computer Forensic Laboratory

Rhode Island State Crime Laboratory

Sedgwick County, Kansas, District Attorney’s Office

Sitka, Alaska, Police Department

Social Security Administration–Office of the Inspector General

State of Florida Crime Laboratory

TASC, Inc.

Tennessee Bureau of Investigation

Tennessee Law Enforcement Training Academy

Texas Rangers Department of Public Safety

Town of Goshen, New York, Police Department

U.S. Army Criminal Investigation Laboratory

U.S. Attorney’s Office–Western District of New York

U.S. Customs Service Cybersmuggling Center

U.S. Department of Justice–Criminal Division

U.S. Department of Justice–Fraud Section

U.S. Department of Justice–Office of Overseas Prosecutorial Development

U.S. Department of Justice–Western District of Michigan

U.S. Postal Service–Office of Inspector General

Virginia State Police Academy


About the National Institute of Justice

NIJ is the research and development agency of the U.S. Department of Justice and is the only Federal agency solely dedicated to researching crime control and justice issues. NIJ provides objective, independent, nonpartisan, evidence-based knowledge and tools to meet the challenges of crime and justice, particularly at the State and local levels. NIJ’s principal authorities are derived from the Omnibus Crime Control and Safe Streets Act of 1968, as amended (42 U.S.C. §§ 3721–3722).

NIJ’s Mission

In partnership with others, NIJ’s mission is to prevent and reduce crime, improve law enforcement and the administration of justice, and promote public safety. By applying the disciplines of the social and physical sciences, NIJ—

• Researches the nature and impact of crime and delinquency.

• Develops applied technologies, standards, and tools for criminal justice practitioners.

• Evaluates existing programs and responses to crime.

• Tests innovative concepts and program models in the field.

• Assists policymakers, program partners, and justice agencies.

• Disseminates knowledge to many audiences.

NIJ’s Strategic Direction and Program Areas

NIJ is committed to five challenges as part of its strategic plan: 1) rethinking justice and the processes that create just communities; 2) understanding the nexus between social conditions and crime; 3) breaking the cycle of crime by testing research-based interventions; 4) creating the tools and technologies that meet the needs of practitioners; and 5) expanding horizons through interdisciplinary and international perspectives. In addressing these strategic challenges, the Institute is involved in the following program areas: crime control and prevention, drugs and crime, justice systems and offender behavior, violence and victimization, communications and information technologies, critical incident response, investigative and forensic sciences (including DNA), less-than-lethal technologies, officer protection, education and training technologies, testing and standards, technology assistance to law enforcement and corrections agencies, field testing of promising programs, and international crime control. NIJ communicates its findings through conferences and print and electronic media.

NIJ’s Structure

The NIJ Director is appointed by the President and confirmed by the Senate. The NIJ Director establishes the Institute’s objectives, guided by the priorities of the Office of Justice Programs, the U.S. Department of Justice, and the needs of the field. NIJ actively solicits the views of criminal justice and other professionals and researchers to inform its search for the knowledge and tools to guide policy and practice.

NIJ has three operating units. The Office of Research and Evaluation manages social science research and evaluation and crime mapping research. The Office of Science and Technology manages technology research and development, standards development, and technology assistance to State and local law enforcement and corrections agencies. The Office of Development and Communications manages field tests of model programs, international research, and knowledge dissemination programs. NIJ is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.

To find out more about the National Institute of Justice, please contact:

National Criminal Justice Reference Service
P.O. Box 6000
Rockville, MD 20849–6000
800–851–3420
e-mail: [email protected]

To obtain an electronic version of this document, access the NIJ Web site (http://www.ojp.usdoj.gov/nij).

If you have questions, call or e-mail NCJRS.
