C. Checkmate
IX. The Raid
When executing a search warrant, the priorities for the computer crime investigator are as follows:
1. Public and officer safety
2. Protect and preserve the court’s evidence
3. Accomplish these objectives with the minimum intrusion into the suspect’s rights, privacy, and business
Investigative Strategy and Utilities 101
There are three basic strategies that can be used to secure evidence at a site:
1. Verify that the evidence is present, document it, and leave.
2. Make a forensic copy of the data storage media and leave with the forensic copy.
3. Seize the computer hardware and media for later examination in a computer forensic laboratory.
Most experts recommend using the third strategy for all cases when possible.
An example of the first strategy — document evidence and leave — was an Internet obscene-pornography case investigated in Los Angeles. This was a membership Web site where members joined using a credit card payment and then were given an access code to an area of the Web server that contained obscene pornography. The investigators used an undercover identity and credit card to join the membership and enter the Web site. The obscene pornography images were photographed on the investigators’ screen and saved to files; hash codes of the files were created; and the IP address of the server was logged. After obtaining a search warrant, the server location was raided and the server shut down. The server computer was then booted from the investigators’ examination utility disk. A search utility was used to search the server’s hard drive for the undercover credit card number. The investigators’ account and credit card transactions were found on the suspect’s server. This information was photographed on the screen and copied to a file. The search utility was also used to find the obscene-pornography files, which were also photographed and copied to a file, and hash codes were generated for the files. The server was not removed from the site. A forensic copy of the media was not made. The suspect was arrested on the basis of this evidence alone, and a conviction resulted. In short, establishing that the suspect owned and operated the server and that the violations were documented on the server was sufficient for this case.
Figure 4.2 A typical computer crime scene during a search warrant raid.
102 Forensic Computer Crime Investigation
This first strategy may be the investigator’s only choice in situations where the computer system has terabytes of disk storage and cannot be forensically copied in a realistic amount of time, or if the amount of system hardware is so large that it cannot be realistically booked into an evidence room. It has the disadvantage that the investigator is working without a safety net, and if something goes wrong and the data is corrupted or lost, the investigator has no fallback position. Additionally, this strategy limits the time available to search for evidence to the amount of time the raid team can remain at the site. Using this strategy, the raid team must include members who are technically capable of dealing with the hardware, operating systems, software, and surprises encountered at the search warrant site. Evidence obtained through this strategy may also be open to more legal challenges by the defense than evidence processed through a forensic laboratory.
An example of the second strategy — make a forensic copy and leave — was a case involving a Web site–hosting company. In this case, multiple legitimate business Web sites were located on the same Web server along with one Web site containing obscenity violations. A critical success factor for this case was to collect the evidence necessary for the case without unduly impacting the legitimate Web sites hosted by this business. To accomplish this, the investigator obtained a search warrant, raided the site, shut down the server, and used a hard drive duplication utility to create a forensic copy of the server’s hard drive. Then, the server was returned to service with minimum downtime for the legitimate Web sites. The evidence necessary for the case was successfully recovered from the forensic copy in a police forensic laboratory.
This second strategy has the advantages of limited disruption of the site and minimal amount of hardware to be accounted for and booked into evidence. In practice, an investigator using this strategy might wish to make two forensic copies of the hard drive — one copy to place back in service and one copy for forensic examination — and book the original hard drive into evidence. This strategy has the disadvantage that some of the suspect’s software may be difficult to operate without the specific hardware of the suspect’s computer. For example, if the suspect has multiple disks using a RAID controller board, the investigator is likely to need the same controller.
The third strategy — seize the computer hardware and media for later examination — is called “bag and tag” by seasoned investigators. This is because the computer, cables, and peripherals are labeled (tagged); disassembled into manageable pieces; placed in bags; and transported from the site for later examination. The evidence is then recovered in a computer forensic laboratory.
This third strategy has the disadvantage that it requires a lot of effort to take down, transport, and perhaps reassemble some systems. There is also some risk of damage to the system during handling and transport. There is sometimes a long backlog of cases waiting their turn to be processed in the computer forensic laboratory. These considerations are usually outweighed by the advantage of being able to do the evidence recovery in a controlled environment and having the suspect’s hardware for any device-dependent software. The investigator also has the luxury of being able to spend more time recovering the evidence than is usually available at a search warrant site.
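Both the first strategy (hash codes generated for the photographed files) and the second strategy (a forensic copy that must be shown to match the original drive) rest on the same integrity mechanism: a cryptographic digest recorded at collection time and re-checked later. The following Python script is an added illustration of that mechanism and is not code from the book or from the investigators’ utility disk it describes; the file names, the SHA-256 choice, the tab-separated manifest layout and the sample files it writes into a temporary directory are all constructed for the example.

```python
"""Added example: hash evidence files at collection time, record a manifest,
verify a byte-for-byte copy of a drive image, and detect later alteration."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB pieces so a multi-gigabyte image is never loaded whole


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, streamed from disk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, algorithm="sha256"):
    """Record path, size, digest and UTC collection time for each evidence file."""
    return [
        {
            "path": os.path.abspath(p),
            "size": os.path.getsize(p),
            "algorithm": algorithm,
            "digest": hash_file(p, algorithm),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        }
        for p in paths
    ]


def write_manifest(entries, out_path):
    """Write a tab-separated manifest and return the digest of the manifest itself,
    so the record can be noted in the investigator's log and checked later."""
    with open(out_path, "w") as f:
        for e in entries:
            f.write(f"{e['algorithm']}\t{e['digest']}\t{e['size']}\t"
                    f"{e['collected_utc']}\t{e['path']}\n")
    return hash_file(out_path)


def verify_manifest(entries):
    """Re-hash every file; return the paths that are missing or no longer match."""
    return [
        e["path"] for e in entries
        if not os.path.exists(e["path"]) or hash_file(e["path"], e["algorithm"]) != e["digest"]
    ]


def image_and_verify(source, dest):
    """Copy an image (or any file) byte-for-byte and return (copy matches, source digest)."""
    src_digest = hash_file(source)
    shutil.copyfile(source, dest)
    return src_digest == hash_file(dest), src_digest


def demo():
    """Constructed walk-through in a scratch directory; returns the results for checking."""
    work = tempfile.mkdtemp(prefix="evidence-")
    # Constructed sample evidence standing in for captured screenshots and records.
    capture1 = os.path.join(work, "capture1.bin")
    capture2 = os.path.join(work, "capture2.bin")
    with open(capture1, "wb") as f:
        f.write(b"abc")  # known content, so its SHA-256 can be checked against a reference
    with open(capture2, "wb") as f:
        f.write(os.urandom(4096))
    entries = build_manifest([capture1, capture2])
    manifest_digest = write_manifest(entries, os.path.join(work, "manifest.tsv"))
    clean = verify_manifest(entries) == []
    # Constructed stand-in for the server's drive image: copy it and prove the copy matches.
    image = os.path.join(work, "server.img")
    with open(image, "wb") as f:
        f.write(os.urandom(1 << 16))
    match, _ = image_and_verify(image, os.path.join(work, "server_copy.img"))
    # Simulate a post-collection change to one file; the manifest check must flag it.
    with open(capture2, "ab") as f:
        f.write(b"x")
    tampered = [os.path.basename(p) for p in verify_manifest(entries)]
    shutil.rmtree(work)
    return {
        "abc_digest": entries[0]["digest"],
        "manifest_clean": clean,
        "image_match": match,
        "tampered": tampered,
        "manifest_digest": manifest_digest,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same pattern applies whether the input is a handful of copied files (first strategy) or a whole-drive image (second strategy): the digest taken at the scene is what lets the laboratory later show that the copy it examined is the one collected, and the manifest's own digest, noted in the investigator's log, protects the record from being silently edited.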