textfiles/law/93jun002.txt

                        THE COMPUTER
                HIGH-TECH INSTRUMENT OF CRIME

                             By 

                     Michael G. Noblett
                            Chief
        Document Analysis, Research, and Training Unit
                       FBI Laboratory
                       Washington, DC

 
     The use of computers as criminal instruments or as devices
to collect information associated with criminal enterprises
increases yearly.  Criminals use computers to store data
relating to drug deals, money laundering, embezzlement, mail
fraud, extortion, and a myriad of other crimes.  In addition to
the simple storage of records, criminals also manipulate data,
infiltrate computers of financial institutions, and illegally
use telephone lines of unsuspecting businesses.

     Statistics suggest that the law enforcement community must
act quickly and decisively to meet the challenge presented by
the criminal use of computers.  For example:

     .  Over 4.7 million personal computers were sold in the
        United States in 1988, as compared with 386,500 in 1980

     .  An estimated 60 percent of personal computers are now
        networked

     .  $500 million is lost annually through illegal use of
        telephone access codes

     .  $1 trillion is moved electronically each week, and

     .  Only 11 percent of computer crime is reported.

     While the law enforcement community, in general, often
thinks of computer crime as high-tech crime, a growing segment
of the population looks at computers and the data they store as
nothing more than electronic paper.  They feel very comfortable
keeping their records, whether legal or illegal, in this format.

     In order to address the legitimate need for access to
computers and the information they contain, law enforcement must
develop a structured approach to examine computer evidence.  The
examination of this evidence can provide investigative and
intelligence information, and at the same time, preserve the
information for subsequent admission in court.

PRESERVING COMPUTER EVIDENCE

     As more and more records are converted from paper to
electronic storage, individuals are becoming more and more
computer literate.  Unfortunately, a growing number of
individuals use their computer knowledge for illegal activities.

     While there is no typical computer case, the majority fall
into the broad category of white-collar crime.  During
investigations of these cases, several problems repeatedly
occur.  However, by following the guidelines offered in this
article, law enforcement agencies can protect valuable computer
evidence.

Conduct Preliminary Examinations

     Investigators should take immediate action to protect a
computer's memory.  Often, investigators attempt to generate
investigative and intelligence information on site.  While this
approach is reasonable and should be encouraged, it is equally
important that the computer be protected from any input
introduced unintentionally by investigators.

     For instance, many computer systems update files to the
current date when read.  In order to preserve the evidence in
the same condition as it was when seized, steps must be taken to
ensure that no dates are changed and nothing is written into or
deleted from the computer's memory.  Specialized software
currently on the market protects the computer's memory and
should always be used before an examination.

     Investigators should also consider that anyone conducting a
preliminary examination may be called on to testify concerning
the procedures followed and the accuracy of the results.
Because of this possibility, documented policy and protocol
detailing steps to follow during examinations must be
established.  Examiners should closely follow guidelines set by
their particular agency to avoid any legal discrepancies.

Seize Supporting Software

     When investigators seize a computer, they should also take
all supporting software and documentation.  This simple action
eliminates a host of problems that may arise during the
examination of the computer.  It is logical, but not necessarily
correct, to assume that the software that runs the seized
computer is common and commercially available.

     As commercial software is developed and marketed,
manufacturers add new features and correct previously identified
problems.  Once the manufacturer revises the old programs, the
data seized may not be compatible with the particular version of
the same software.  Therefore, it is good policy to seize all
software, documentation, handwritten notes, and any other
related items found near the computer.

Seize the Entire Computer System

     Many of the items connected to the seized computer are
probably standard pieces of equipment found in any computer
facility.  However, it only takes one unique, nonstandard piece
of equipment to render a system incompatible with others.  For
this reason, it is best to seize all the equipment related to
the computer.  If it turns out that some of the items are not
needed for the examination, they can be quickly returned to the
site.

     The FBI Laboratory does not recommend that investigators
remove and submit the hard drive (memory), located inside the
computer, for examination.  The manner in which the computer is
set up internally is often crucial to reading, displaying, and
printing the data on the hard drive.  Thus, removing just the
hard drive may be useless to the investigation.

     In light of technical considerations, it may be appropriate
to use an expert as a consultant in the execution of these 
types of search warrants.  This is especially true if
investigators do not seize the entire system.  Concerns
regarding incompatibilities of computer systems should be stated
in the supporting affidavit as justification if investigators
plan to seize the entire computer system.

Package Equipment Properly

     If investigators need to ship the computer to another
facility for examination, they should package it properly.
Oftentimes, examinations take an inordinate amount of time
because poorly packaged computers are damaged in shipment and
must be subsequently repaired.

     Likewise, shipment of computer diskettes and other memory
devices requires certain precautions.  Because of the potential
hazard of static electric discharge, these items should not be
shipped in plastic evidence envelopes.  In addition, the
evidence should be marked to avoid exposure to strong magnetic
fields, such as those generated by x-ray machines.

COMPUTER ANALYSIS AND RESPONSE TEAM

     To assist with investigations involving computers as
evidence, the FBI Laboratory established the Computer Analysis
and Response Team (CART) at FBI Headquarters.  Computer
professionals with a variety of experience and expertise, along
with a sensitivity to the needs of the law enforcement
community, staff the team.  The CART has a full range of
hardware available, as well as unique utility software useful in
forensic examinations of computer-related evidence.

     Limited by the number of technical personnel available to
conduct these investigations, this service is available to
police agencies authorized to submit evidence to the FBI for
forensic examination.  In addition to its traditional forensic
examination, the FBI Laboratory's CART provides on-site field
support to both Bureau field offices and local police
departments.  Approval for this on-site support depends on the
individual case, the resources available, and the needs of the
requesting agency.

CONCLUSION

     The FBI Laboratory has seen the submission of computer
evidence double and then double again in the past few years,
reflecting the proliferation of computers in society.  With the
role of the computer becoming more predominant in society, its
impact is felt in every law enforcement investigative program.
Therefore, it is important for law enforcement to have the
necessary knowledge and procedures ready to address adequately
the examination of computer evidence and records.