Cybercrime Case Presentation: An Excerpt from Placing The Suspect Behind The Keyboard

Cybercrime Case Presentation is a "first look" excerpt from Brett Shavers' new Syngress book, Placing the Suspect Behind the Keyboard. Case presentation requires the skills of a good forensic examiner and great public speaker in order to convey enough information to an audience for the audience to place the suspect behind the keyboard. Using a variety of visual aids, demonstrative methods, and analogies, investigators can effectively create an environment where the audience fully understands complex technical information and activity in a chronological fashion, as if they observed the case as it happened.


Product Details

ISBN-13: 9780124095335
Publisher: Elsevier Science
Publication date: 01/15/2013
Sold by: Barnes & Noble
Format: eBook
Pages: 32
File size: 2 MB

About the Author

Brett Shavers is a former law enforcement officer of a municipal police department. He has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended over 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the department’s first digital forensics lab in a small, cluttered storage closet.

Read an Excerpt

Cybercrime Case Presentation

Using Digital Forensics and Investigative Techniques to Identify Cybercrime Suspects


By Brett Shavers

Elsevier Science

Copyright © 2013 Elsevier Inc.
All rights reserved.
ISBN: 978-0-12-409533-5


Excerpt

CHAPTER 1

Case Presentation


1.1 INTRODUCTION
1.2 IT'S NOT WHETHER YOU WIN OR LOSE
1.3 INVESTIGATIVE MINDSET
1.4 YOUR AUDIENCE
1.5 PREPARATION
1.6 ORGANIZING CASE INFORMATION
1.7 VALUE OF VISUALS
1.7.1 Presentation Media
1.7.2 Slideshows and Animations
1.7.3 Charts and Diagrams
1.8 THE SUSPECT'S MACHINE
1.9 ANALOGIES
1.10 AVOID TOO MUCH INFORMATION
1.11 YOUR PRESENTATION
1.12 SUMMARY
BIBLIOGRAPHY


1.1 INTRODUCTION

This chapter will discuss methods of presenting electronic evidence for a variety of audiences. The admissibility, authentication, chain of custody, and other aspects of what is evidence are extremely important to every case; however, this chapter will only minimally discuss the actual evidence and focus more on methods of presenting your case. After all, the objective of any investigation is to convey to an audience the facts of the case in a manner that they understand.

Keep in mind that your goal of placing the suspect behind the keyboard rests upon your presentation clearly describing your case. Articulating your case in a manner in which your audience creates a picture in their mind will also have your audience place the suspect behind the keyboard. This can be accomplished without you having to say it directly as the audience will say it for you.


1.2 IT'S NOT WHETHER YOU WIN OR LOSE

As a witness, your primary function in presenting case information is simply explaining the facts. Experts will give opinions, keeping in mind that these experts' opinions are just as truthful as any fact and will always include their interpretations of computer user activity.

Investigations are conducted to uncover the truth, where both inculpatory and exculpatory evidence is authenticated, corroborated, analyzed, and interpreted for relevance and veracity. To have any preconceived beliefs or opinions discredits a fair investigation. You must be open to all possibilities and eliminate possible suspects through a fair investigation until you are left with only a list of reasonable suspects.

With an open and inquisitive mind, the facts will lead you to the truth of the investigation and analysis. Proving and disproving theories, corroborating and discrediting alibis, and verifying information will allow the case to speak for itself. But how do you convey this information to your audience and how can you have an inquisitive or investigative mindset to accomplish this?


1.3 INVESTIGATIVE MINDSET

Having an investigative mindset helps you to prepare your presentation as you need to know the why and the how of presenting information to convey the facts just as you did when investigating your case. One of your goals in presenting your case is showcasing how you arrived at your beliefs without actually saying it. As you answer the fundamental investigative questions of who, what, why, where, when, and how, your audience can put the case together in their own minds, as if they were the investigator. When that happens, your audience places the suspect behind the keyboard, not you.

Good investigators get asked the same questions time and time again. How do you do it? Why are you so lucky? What is your secret? Another set of similar types of questions are asked at trials and hearings. Why did you suspect this person and not that person? Did you focus your entire investigation on one person? These types of questions are intended to discover your mindset and to find out what you were thinking. The investigative mindset not only helps you to be a great examiner or investigator but it also helps you to prepare your case for presentation by being able to articulate your thought processes.

Whether you are an investigator conducting surveillance on a suspect or examining the registry for computer system settings, being curious leads to uncovering evidence or leads to evidence. Perhaps there is one clue that happens after days or weeks of intense focus, but sometimes that one clue is what makes a case. Whether you wait for a clue to appear or relentlessly dig for it, the clue is there. You just have to find it and know it when you see it. You want your audience to see it just as you did.

An example I have given in workshops on investigative mindsets is a personal experience where I've seen two police officers, standing side by side, and both looking at the same street corner. One officer saw several criminal acts occur whilst the other did not, even though they were both looking at the same activity. This occurred many times. Simply, one officer observed and asked "why is that person there?" and "what is he doing?" whereas the other officer accepted two people standing on a street corner as just being there. Just as important is the ability to effectively communicate these observations, feelings, and beliefs to your audience.

Digital forensics is not so different when looking at computer activity. Being able to ask questions such as, "why does this file have a modification date stamp that precedes the creation date stamp?" does not require a law enforcement commission to possess the superpower of curiosity. If any detail of an investigation doesn't seem right, maybe it is not right and should be examined more closely. This even applies to your gut feeling or intuition where you should ask yourself, "why do I get the feeling something is missing?"

Asking these questions during your investigation and analysis allows you to miss less evidence. This mindset will help you to develop an effective means to convey your investigation to others for your case presentation so your audience will also have a clear understanding.


1.4 YOUR AUDIENCE

You need to know your audience and the venue for your case presentation to be effective. This chapter gives several methods of presenting your information, but not every method will be appropriate for every type of audience. Your presentation could be informally presented to a supervisor or formally before a Congressional hearing. Even different courtrooms and judges will have varied rules on how digital evidence is presented.

Not knowing your intended audience or their needs will most likely result in at least embarrassment at a presentation or the complete failure of presenting your case effectively. There are instances where an audience, such as an attorney, just wants to know if the evidence points to the guilt or innocence of a client, without having to read dozens of pages of forensic analysis. Other audiences require minute details of analysis, but both audiences require the presenter to be aware of the objectives for presentations.

The one thing to avoid is thinking that you are the audience. As much as you may want to toot your horn, show off your great work, and speak in complicated technical jargon, the only person that will be impressed is you. Everyone else will be dazed, confused, and not at all impressed. Some of your audience may be plainly irritated. Case presentation is for your audience. You succeed when your information is clearly understood and this requires preparation.


1.5 PREPARATION

The work of preparing your presentation may be the only part of case presentation where you have total control. The information is in your hands, arranged in the manner that you prefer, and any technical problems can be tested and corrected. Because you have this luxury during the preparation phase, take advantage of it – during the presentation, the control of the information may be completely out of your hands.

The amount of time to prepare a presentation depends on the complexity of the investigation and your audience. One case presentation may require an hour to prepare while another may require weeks of preparation time. The objective in both of these scenarios is the same; only the timeline will vary.


1.6 ORGANIZING CASE INFORMATION

Maybe you are the sole investigator on an entire case, conducting all forensic analysis and interviews personally, and maintaining all information centrally. If that is the situation, gathering and organizing case information will be fairly easy. However, many investigations have more than one person involved and can include a variety of third parties such as Internet service providers, witnesses, co-case agents, and multiple examiners. For these situations, collecting and organizing case information takes on a life of its own just trying to track down all reports that may have been written. But it has to be done, especially finding all written reports.

Read all the reports. Read them all again. Find any inconsistencies and loose ends and make sure each written statement is corroborated with supporting evidence. During this process of reviewing reports, should anything negative to the case be found, take corrective measures and inform your client or legal counsel immediately. No one likes surprises during a presentation of evidence. If supplementary reports are needed to clarify information, make sure they are written and submitted to the case file.

Organize your information. Printed information can be organized in folders, but what about a gigabyte or more of electronic data collected throughout the case? E-mails, electronic documents, scanned letters, and other electronic evidence files contained on an external drive may need immediate and unplanned use at any time during the case presentation. One answer is to use forensic applications that can also organize your case data. An example application, seen in Fig. 1.1, is dtSearch, an indexing application that is typically used as a forensic tool but also excels at indexing your case information to be searched on the fly.

Complex cases that contain hundreds of thousands of electronic files are better served being indexed, that is, having a database of the words and numbers in the files created for ease of searching. dtSearch not only indexes large datasets but it can also create reports of the searches, export the files found, and even highlight the key words found. A utility such as dtSearch enables you to find information quickly that might easily have been overlooked when manually searching files on a hard drive. Being asked a question on the spot by your boss, client, or judge for which you don't have an answer is stressful enough, but not being able to find the answer makes it that much worse.


1.7 VALUE OF VISUALS

The cliché that a picture is worth a thousand words does not accurately describe a visual used in your presentation. In a case presentation, one visual can be worth the entire case. As most people grow up learning visually, whether in math class using charts and graphs to see numbers or through art, understanding by seeing is an effective method of learning.

In the tale of three blind men attempting to describe an elephant with words, each basing their description on the part of the elephant each person touched, such as the tusk or the tail, they could not agree on the totality of the elephant's description. Presentations require the spoken word for descriptions, but visuals can make sure that each person in your audience understands and sees the same thing.

Compare the following examples. Figure 1.2 shows a paragraph describing an average evidence scene with multiple evidence items.

The accompanying figure to the written description is seen in Fig. 1.3. Although this is a simple photo of the items described in Fig. 1.2, the photo clarifies the scene in the mind of your audience without misunderstanding.

Although the report accurately reflected the physical evidence scene, the ease with which a visual aid clarifies the words is dramatic. Taking this one step further to clarify the physical connections described in the report, review Fig. 1.4 as an example of a visual created to show the connections.

The value of visuals cannot be overstated but can be overused. As long as your audience has the sense of sight, visuals will enable all to see that which you verbally describe. The key ingredient, however, is to choose the right type of visual to use for each situation and only use visuals when needed, not just for the sake of creating them.


1.7.1 Presentation Media

Not all media presentation methods, visuals, or equipment used may be suitable for every type of presentation. Your audience may be a technically proficient supervisor who will not need visual aids to understand a verbal presentation. Another audience could be a jury where your audience's technical knowledge is unknown and can range from someone who has never operated computers through to computer experts.

Within this range are presentation limitations based on limited technical resources or even restrictions on using specific types of technical resources by a specific judge. Therefore, having access to a wide range of presentation media and the ability to use each effectively will allow you to tailor your presentations accordingly.

As much as any forensic examiner uses technology, reliance on any technology cannot be taken for granted nor expected to work all the time. Computers and software programs crash, a surprise shortage of power outlets prevents the use of a projector, bulbs burn out, and sometimes, nothing seems to work as expected when needed. These electronic devices, such as projectors, computers, video players, and televisions, will eventually fail, all of them, at some point in their normal life cycle. Expecting that this day of equipment failure will occur when you are presenting your case will make a big difference in the outcome if you are prepared with backup plans.
(Continues...)


Excerpted from Cybercrime Case Presentation by Brett Shavers. Copyright © 2013 by Elsevier Inc. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
