
Wednesday, March 13, 2019

Betting Shop computer investigation Essay

The task given to me for the following essay was: "Assume you have been called in to investigate suspected incidences of computer crime enacted through the computer system at a local betting office. Describe how you would conduct the search and seizure operation. Also explain why you would conduct the operation in the manner you describe."

Keywords: Electronic, Evidence, Investigation, Computers, Seizure, Forensic, Computing

Introduction

I was recently given the task of Head of Forensic Computing Investigation into Operation Gamble. Operation Gamble had been in place for over 12 weeks; in this time it had become obvious that there was every possibility that some kind of computer crimes were being committed on a daily basis. This job entails making sure that nothing is overlooked and that everything is done in a methodical manner; everything needs logging in one way or another. There are many things to think about, and many that need acting upon; decisions often need to be made on site at the time of the search.

Hopefully this essay will inform the reader of a little knowledge into the world of forensic computing investigating. Also that it will become clear that the successful prosecution of offenders means that the investigation must be done thoroughly from start to finish.

ACPO state there are 4 principles that should be adhered to at all times, so when reading this they must be taken into consideration.

The four principles are as follows:

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

condolence Suttons investigation into a local betting shop

Firstly I was called into the office and was allocated a new case, which entailed investigating a betting shop that may have been involved in some kind of fraud or computer misuse. I wasn't given any information in detail. Without having much detailed information I have to prepare the investigation as though I am looking for every kind of electronic crime there is. With an open mind it makes the investigation much more thorough and lengthy, maybe turning up more clues to what has been occurring in this particular establishment.

Also as I have been put in charge of this investigation I made sure that all staff that had been drafted in to help with this investigation had the expertise to do so; they all needed to be aware how volatile forensic data is, how easily evidence can be lost, changed, or altered and therefore inadmissible in court.

If I were to be given this case and was previously made aware that it was child pornography that I was looking for, this would set my mind thinking, and turning into the direction of looking for not only images but perhaps photography equipment, chat logs, email, internet usage logs. On the other hand it is a much different case for fraud. Accounting would be looked into, address books, credit card data, calendars, credit card skimmers, the list just goes on and on. Having no idea could turn up more things as child porn can often be attached to a ring, perhaps in that ring credit card fraud is being used to purchase entry to child porn sites, so with my open mind and that of my colleagues I start my investigation.

Within the ACPO (Association Of Chief Police Officers) guidelines there are 4 stages that are involved in gaining forensic evidence. They are:

1. Acquiring the evidence
2. Identifying the evidence
3. Evaluating any evidence found
4. Presenting the evidence

For the purposes of my investigation, in fact all forensic computing investigations, the first 3 rules are paramount as they all rely upon each other being performed correctly. Although it must be said if any of the rules are not followed correctly this wouldn't even get as far as the Presenting Evidence rule, as there could be no successful prosecution.

Preparation

Knowing this is a retail betting shop, the first decision to be made is the time that we will serve our warrant to search the premises.

After not much deliberation it is decided to carry out the search at opening time; I was aware that the manager opened up every morning at 8am so meeting him as he opened up would be the best policy. The reason for this decision is that with fewer staff and no customers there would be less chance of anyone being able to tamper with any networks, data, or any other relevant evidence. In the past it has been known for one member of staff to distract an investigator, while another removes vital evidence.

As time went on 3 other members of staff arrived for work; they were all taken aside and asked details of what their job involved, where their individual workstation was and any usernames, passwords or encryption keys that may be relevant to the case.

On Entry

On entry it was most important to visually identify anything that could be possible evidence. The following items were identified and noted down:

1. Computer
2. Laptop
3. USB stick
4. Digital camera
5. Printer
6. Scanner
7. Mobile phones
8. CDs & DVDs
9. PDA

All these items could be relevant in gaining evidence as they all may contain relevant data. My reasons for each item were as follows:

1. Computer: It is obvious that when looking for forensic data the desktop computer could hold lots of evidence.
2. Laptop: Same reasons as above.
3. USB stick: This could similarly contain data.
4. Digital camera: May contain images or even files of any data.
5. Printer: Printers have their own memory now so this could contain much needed evidence.
6. Scanner: May have been used to scan fraudulent documents (if there is any damage or imperfections to the glass this could show that a particular document was created with its use).
7. Mobile phones: Mobile phones have their own operating system and could contain not only contacts but also images, files, and time logs etc., lots of relevant data.
8. CDs & DVDs: Another item that could contain lots of data.
9. PDA: This, like a mobile phone, has its own operating system and could be used to store relevant data, contacts, time logs etc.

Before any searches in drawers were made or anything was moved the whole area was photographed, showing where all the above items were exactly in relation to the shop. This is done to document the evidence in a visual manner that can be looked at after things have been moved, to unearth perhaps more clues; for example, if a computer mouse was sitting on the left hand side of the desk, perhaps the manager is right handed so it could lead to a clue that perhaps a left handed member of staff uses that desk, which the computer is sitting on.

Photographs were taken of the computer screen as it was on and had the user names on it; this was also documented by text. The computer felt quite warm so this could give clues as to whether it had been left on overnight or perhaps used before we had gained entry to the premises. Photographs were also taken of all the cables at the back of the computer, so that reconstructing at a later stage would be easier; also the cables were labelled. The desktop computer was then switched off by removing the power from the computer not the wall socket. The laptop was the next item to be dealt with; it was switched off so removal of the battery was next.

Next a search took place which would involve looking in drawers, cupboards etc. The items I was looking for were:

1. Any paperwork that may give some clues to any passwords that may have been used
2. Memory cards
3. Credit card skimmers
4. Address books
5. Appointment cards/books
6. GPS SAT NAV equipment
7. CCTV footage

Most of these items were found lurking in and around the vicinity of the desk where the desktop computer was located, other than the CCTV footage that was located in the DVD recorder next to the kitchen door.

The DVD recorder contained a DVD-RW (DVD re-writable), which was left in place until also photographed and noted while in situ. The rest of the items were subsequently photographed and logged before anything else was done. The reasons for seizing these items were as follows:

1. Paperwork: passwords, contacts etc.
2. Memory cards: data, images
3. Credit card skimmers: evidence in itself, or even more so if there is data contained on the magnetic strip
4. Address books: contacts
5. Appointment cards/books: check evidence of suspects' whereabouts
6. GPS SAT NAV: travel logs, previous places visited
7. CCTV: evidence to say who has been in the premises, and when, as the camera will have its own time logs

The manager was then asked a few questions about any passwords or encryption keys he may have been aware of; this was done to try and gain any extra information regarding passwords, encryption etc., as this could all go a long way when it comes to imaging and gaining access to files. All the questions and answers were noted down in a methodical manner.

Seizing the evidence

The decision was made by myself to take the equipment, rather than live image at the suspected crime scene, as there was no network, wireless or otherwise. I felt this was the best decision to make as the imaging could be done under laboratory conditions. Also as there was quite an amount of electronic data that would need to be imaged, this would take far too long and would not be efficient to do so. Although it is seen as best for the raw electronic data to be accessed as little as possible due to its volatile nature, this would only have to be done the once in the lab; once imaged the actual items (PC, laptop) would not need to be handled again as the image would be an exact copy.

Fingerprinting would need to be done, but this could not occur until all equipment had been imaged, as the chemicals used can be damaging.

The laptop was known to have Bluetooth capability, and wifi, so this had to be put into a shielded box, so that it could not receive any signals from anywhere else. The mobile phone and PDA were treated in the same manner. The boxes were tagged and everything noted so as to start the chain of evidence for these items.

All that had to be done now was to actually bag up all the evidence. This has to be done and sealed in anti-electrostatic bags, and all written down in a methodical manner. This was done item by item individually; as each item was tagged and bagged it had to be logged in a chain of evidence. This took quite a long time but this job cannot be rushed, as anything missed could be fatal to a prosecution.

Next was the issue of transportation; this would need to be done strategically so as not to damage any possible data evidence. These would have to be kept away from any magnetic fields, e.g. speakers, radios etc., so they were removed with a van that had storage boxes inside so that the seized equipment would not get too warm, cold, or have anything else happen to them.

Evaluating the Evidence

This is where the real investigation continues, and where more light may be shed on the situation concerning electronic data found. EnCase was used to image the hard drive of the desktop computer and laptop, and various other software was used for the acquisition of the other electronic items. Once imaged, work would begin on searching laboriously through the data. To finish this investigation could take quite a few man-hours, as there is so much data to work through. Now is when this case is turned over to the other specialists that I work alongside.

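As an added illustration (not part of the original essay, and not an ACPO or EnCase tool): one way to make the chain of evidence and the "exact copy" claim checkable by an independent third party, as Principle 3 asks, is to chain each custody record to the one before it by hash and to log the image's hash at acquisition. The exhibit ID, officers, times and image bytes below are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_hash(rec: dict) -> str:
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in rec.items() if k != "entry_hash"}
    return digest(json.dumps(body, sort_keys=True).encode())


def append_entry(log, exhibit, action, officer, when, image_hash=None):
    """Add a custody record that commits to the record before it."""
    rec = {"exhibit": exhibit, "action": action, "officer": officer,
           "when": when, "image_hash": image_hash,
           "prev": log[-1]["entry_hash"] if log else GENESIS}
    rec["entry_hash"] = record_hash(rec)
    log.append(rec)
    return rec


def first_broken_entry(log):
    """Index of the first altered or out-of-order record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or record_hash(rec) != rec["entry_hash"]:
            return i
        prev = rec["entry_hash"]
    return None


def image_matches(log, exhibit, image: bytes) -> bool:
    """Compare a working copy with the hash logged at acquisition."""
    logged = [r["image_hash"] for r in log
              if r["exhibit"] == exhibit and r["image_hash"]]
    return bool(logged) and logged[0] == digest(image)


def sample_case():
    """Constructed data: exhibit ID, officers, times and image bytes are made up."""
    image = b"constructed stand-in for a disk image" * 4
    log = []
    append_entry(log, "EX-01", "seized, bagged and sealed", "Officer A", "08:05")
    append_entry(log, "EX-01", "transported to lab", "Officer B", "11:30")
    append_entry(log, "EX-01", "imaged in lab", "Officer C", "14:00", digest(image))
    return log, image
```

An unkeyed chain like this only proves anything if the final `entry_hash` is also written somewhere the holder of the log cannot change, such as the paper exhibit label.
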
Conclusion

Alas my work has ended now in this case as I have finished my job of searching the crime scene and seizing the evidence. After a full week of preparation before the actual search, I am quite pleased with the result. I am no clearer about any crimes that were or may have been committed, but hopefully due to myself carrying out the investigation thoroughly I have led the way for a successful prosecution to go ahead.

References

National Hi-Tech Crime Unit (2008) The ACPO Good Practice Guide for Computer-Based Electronic Evidence, www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf, accessed 05/05/2008.

Computer Crime ACPO Guidelines (2008) http://www.dataclinic.co.uk/computer-ACPO.htm, accessed 07/05/08.
