Steps In Computer Crime Investigation
Being a victim of a computer crime is an unpleasant and stressful experience. Computer crimes are occurring at several companies, where criminals intrude into the confidential computer security network and steal company-related information.
A computer crime in a company can result in damage worth billions of dollars.
As soon as you witness a computer crime or become a victim of one, it is important to register the case with the local cyber crime investigation cell. In the US, it is the Federal Bureau of Investigation (FBI) that investigates computer crimes.
Mentioned below are some guidelines used by the FBI while investigating computer crimes.
According to the FBI, computer crimes can be divided into two separate categories. These include:
- Crimes where computers are the target. Some examples include breaching computer security codes to steal data and damaging the contents of a computer.
- Crimes that are facilitated by computers, where computers are used as tools for committing the crime. Some examples include software copyright piracy, collection and distribution of porn videos, and producing false identification.
The FBI investigates an incident of cyber crime only when the following conditions are fulfilled:
- The crime committed should be a violation of the criminal code that falls within the jurisdiction of the FBI.
- The United States Attorney’s Office must extend its support to the investigation and agree to prosecute the criminal.
To investigate a cyber crime, a team is commissioned that usually includes the case supervisor, interview team, sketch and physical search team, photo team, technical evidence seizure team, logging team, and security and arrest team. Some important steps that are followed during an investigation include:
- Documenting the hardware configuration of the affected system.
- Making copies of relevant logs and data. This includes making bit-stream backups of all hard disk drives.
- Transporting the computer to a secured location so that potential evidence is not destroyed or compromised.
- Authenticating data mathematically on all storage devices in order to prove that no alterations have been made to any of the evidence after the computer was taken into possession.
- Documenting the date and time associated with computer files when the computer was taken into evidence.
- Generating a list of keywords to facilitate the evaluation of data on the computer's hard disk drive.
- The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important step is to evaluate the file slack, or the data storage area. File slack is a good source of evidence when investigating crimes committed through the internet.
- Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually.
- Finally, it is important to document findings and issues that have been identified during the computer search.
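The mathematical authentication step in the list above is commonly done with a cryptographic hash recorded at seizure time and recomputed later. The following is an added example, not taken from the original article or from FBI guidelines; it assumes SHA-256, and the function names and small stand-in image files are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large disk images never load fully into memory

def hash_image(path, algorithm="sha256"):
    """Return the hex digest of a file, read in fixed-size chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_acquisition(paths):
    """Manifest written when evidence is taken into possession: path -> (size, digest)."""
    return {p: (os.path.getsize(p), hash_image(p)) for p in paths}

def verify(manifest):
    """Re-hash each image and report any that no longer match the manifest."""
    results = {}
    for path, (size, expected) in manifest.items():
        if not os.path.exists(path):
            results[path] = "MISSING"
        elif os.path.getsize(path) != size:
            results[path] = "SIZE CHANGED"
        elif not hmac.compare_digest(hash_image(path), expected):
            results[path] = "ALTERED"
        else:
            results[path] = "OK"
    return results

def demo():
    """Constructed sample: two stand-in images, one modified after acquisition."""
    with tempfile.TemporaryDirectory() as workdir:
        disk0 = os.path.join(workdir, "disk0.img")
        disk1 = os.path.join(workdir, "disk1.img")
        for path, fill in ((disk0, b"\x00"), (disk1, b"\xff")):
            with open(path, "wb") as f:
                f.write(fill * 4096)
        manifest = record_acquisition([disk0, disk1])
        with open(disk1, "r+b") as f:  # change one byte; file size stays the same
            f.seek(2048)
            f.write(b"\xfe")
        return {os.path.basename(p): s for p, s in verify(manifest).items()}

if __name__ == "__main__":
    print(demo())
```

A single changed byte in `disk1.img` is reported even though the file size is unchanged, which is why the digest, not the size or timestamp, is what gets recorded with the evidence.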