Computer crime
is no longer exclusively the realm of the adolescent
computer "hacker" who bypasses passwords
to enter corporate computers searching for data
files and games, as depicted in such movies as
War games and Sneakers. More and more, computers
are being used in all types of crimes, to include
traditional crimes of violence and theft. The
investigator of the future must be aware that
critical evidence, which can help him prove or
disprove the crime, may be locked away in a computer
and/or external storage media and often requires
more analysis than part-time, in-house "computer
experts" can provide. The successful investigator
will recognize that computer evidence is forensic
evidence that must be professionally analyzed.
(Beare, p. 25-41)
Background
Computers, especially desktop and easily portable
laptop-style personal computers are rapidly proliferating
throughout society. It is estimated that by the
year 2000, 80% of all Americans will use personal
computers at home. Virtually all businesses use
computers in some way, if for nothing else than
to record sales transactions or as a word processor
for their correspondence. Yet many law enforcement
and investigative agencies do not have dedicated
computer crime units. Of those that do, few have
the in-house resources either to completely understand
and analyze the sometimes complex issues that
arise or to fully exploit the information that
the computer storage media might contain. The
criminal element, on the other hand, is full of
individuals who exploit the strengths and weaknesses
of computers and find them to be vulnerable targets
or, paradoxically, powerful tools. (Charney &
Alexander, p. 931-957)
Many articles have been written about computer
security and computer crime involving computer
security, but few address the potential for the
application of computer technology in traditional
crimes and the value and availability of evidence
that can be obtained from a victim's or suspect's
computer. For the legal professional, law enforcement
investigator, or corporate security professional,
a thorough knowledge of the potential for computers
to be used in criminal activity of all types is
critical to combat the many forms of computer
crime.
Potential Criminal Applications of a Computer
Computers can be used as the target, tool, or
instrument of a crime. Increasingly, valuable
information is kept on a company's computers,
and is often the target of theft, destruction,
or alteration by disgruntled employees, industrial
spies, or external hackers. Contrary to popular
belief, the outside "hacker" who breaks
into a corporation's computer system via phone
lines and modem connections is rarely as successful
as the "trusted insider" who already
has access to the system and exploits it for his
or her own purposes. Employees being hired away
from one company are sometimes asked to bring
copies of computer disks with them to the competing
company that contain sensitive or valuable data
files pertaining to clients, financial records,
or research data. Corporate and industrial espionage
via computer is increasing. The modern spy no
longer needs to use sophisticated miniature cameras
or microfilm: Hundreds of pages of computer-stored
documents can be carried on a commonly available
pocket size floppy disk. In February 1989, a U.S.
Army soldier defected to East Germany, taking
with him two floppy disks containing key portions
of the U.S. General War Plans for Europe, making
him the first computer spy in U.S. history. (United
States v. Peri, p. 23-45) Disgruntled or careless
employees can bring computer viruses into the
company's computer system and wreak havoc if effective
safeguards are not employed. Corporations are
learning that information has value, and can easily
be compromised, stolen, or destroyed.
The computer can be a powerful tool used to commit
crimes as well, as evidenced by the debit card
"cloning" mentioned earlier in this
article. In addition, high-resolution scanners
are allowing persons to copy legitimate documents,
alter the data, and thereby forge new documents
with the fraudulent data. In 1994, an individual
in Dallas, TX was found to create authentic-looking
temporary Texas driver's licenses using his scanner
and a laser printer. Insurance cards, money orders,
checks, and other documents can be duplicated
using easily obtainable graphic editing and publishing
programs. Computerstored financial information
can be manipulated to cover up embezzlement and
thefts. In early 1993, officials at Reese Air
Force Base in Texas, discovered that a lowlevel
computer operator had altered computerized auditing
reports and account records to steal $2.1 million.
He was caught only after flaunting his wealth
by buying numerous high-priced sports cars. (Green,
p. 21-32)
Computers are also increasingly used as the
instrument of the crime by recording and storing
information pertaining to the criminal act itself.
Just as legitimate individuals and businesses
use computers to handle their data, records, and
correspondence, nonlegitimate businesses and individuals
will also. Illegal bookmaking operations find
a computer invaluable for recording bets, computing
the "line" of bets, and figuring the
payoffs, all while calculating the percentage
kept for the "house," regardless of
how the bets are paid. (Giacopassi & Stitt,
p. 117-131) As early as 1984, law enforcement
officials in southern Texas raided an illegal
bookmaking operation, expecting to find a typical
backroom operation with several operators manning
the usual multiple phones, bet boards, and rice-paper
betting slips. Instead, they were surprised to
find just a six-button phone and a middleaged,
pot-bellied man and his wife, who were entering
the bets on a small Apple computer.
Prostitution rings, boiler-room telemarketing
fraud operations, and other illegal activities
find computers essential for recording and tracking
their data. Individuals accustomed to using a
computer to type documents and enter and record
data also use their computers for their illegal
activity. Child molesters have been known to write
up their activities in electronic journals, and
suicide notes have been found on the deceased's
personal computer as early as 1984. Computer-literate
criminals utilize the latest technology to further
their illegal enterprises just as much as the
honest businessperson, and documents are no longer
exclusively written on paper.
In each of the cases and examples mentioned, professional
analysis of the computer system and/or storage
media was instrumental to solving the case or
prosecuting the individuals. This is because at
some point in time, the evidence of the criminal
activity ended up on something tangible somewhere.
Files, programs, or documents may not be easily
readable, or they may be hidden or even deleted.
Often, hidden audit trails exist that can indicate
what files or programs were used or accessed,
and date/time stamps on files, if verified, can
be valuable indicators of the usage of the computer
system, which can tie suspects to the illegal
activity. Special tools or techniques may be required
to resurrect these files or analyze the systems.
In each case, this must be done professionally,
by knowledgeable analysts who have the academic
and experiential credentials to be credible witnesses
when the issue of data recovery comes to court.
Many commonly available utility programs can write
to the hard disk or otherwise change data during
the process of analysis, and should not be used
for extensive analysis of seized evidence. Rules
of evidence, as established by the courts and
legal doctrine, must be followed. Especially,
defense or opposing lawyers must have the ability
to have this evidence analyzed as well. This means
that however analysis of computer evidence is
performed by the police agency or prosecutor,
the results must not alter or destroy the original
evidence, and such results must be duplicable
in court. (Erbschloe, p. 9-23)
Examples Of Computer-Related Crime
In sex offenses, computers can be used as both
a tool and an instrument. Pedophiles and child
molesters utilize computer technology to record
and store their collections of child pornography
and child-related documents. Computer programs
can be used to hide or encrypt the pictures of
files so that only the pedophile can have normal,
easy access to them.
Sophisticated image-manipulating software programs
allow for editing and enhancement of these photos.
Separate pictures of children can be merged with
traditional adult pornography. The combined result
depicts the children interacting with the adults
in the picture in a sexual fashion. In addition,
new and different pictures and files can be transferred
to and traded with other pedophiles using modem
connections and bulletin board systems (BBSs),
often with complete freedom from detection for
the pornographer. Pedophiles have also been known
to make contacts with potential victims through
publicly accessible BBS messages, sometimes employing
masquerades and phony identities to help facilitate
contact with their victims. One child molester
used his computer, loaded with children's games
and programs, as a "bag of candy" to
entice young girls to sit in his lap and play
on the computer while he fondled them. Analysis
of these systems can often prove or disprove such
allegations and can lead the investigator to other
suspects and places to search. (Allen, p. 52-62)
Criminals often find clever ways to use computers
to help them in their illegal endeavors, but this
does not mean they are "whiz kids" or
geniuses, as some have been called. In 1987 a
group of burglars used a computer, a modem, and
a program called a "War Games Auto-Dialer"
(named after the movie showing use of the program)
to record the results of random calls to houses
in a given area at several times during the day.
After a while, the group had recorded blocks of
time at several homes where the phone was not
answered -- indications that no one was home during
those times. They then burglarized those homes,
confident that they would be vacant. When caught
by police for pawning one stolen item, professional
analysis of the computer system and disks revealed
the full extent of their activity, effectively
linking them to every burglary.
Legal issues, long since established, require
new interpretations when computers are involved.
Around Christmas 1988, a woman's 13-month-old
daughter was admitted to the Emergency Room at
Zweibrucken Air Base, Germany, for injuries resulting
in severe brain damage. Initial investigation
indicated classic child abuse and that the woman's
husband was a prime suspect. The next day the
woman brought to investigators a computer-generated
printout of a diary in which she indicated that
the child's injuries were caused by hospital personnel,
babysitters, and others. Diaries are admissible
in court as exceptions to the hearsay rule: They
can be accepted as a recording of events if the
diary entry was made at the time the events occurred.
Detailed forensic analysis of the computer disk
containing the diary, including analysis of the
date/time tagging of the files, proved she had
manufactured the entire diary the night before
in an attempt to divert suspicion from her husband.
Hundreds of hours of investigative manpower were
saved by proving her diary was an electronic forgery.
(Air Force Office of Special Investigations, p.
12-18)
What Can Investigators Do?
Regardless of how much technology changes the
nature of the crime, the basic rules of investigation
remain. The difference brought about by modern
computer technology is that the evidence may now
take new forms and may not always be instantly
recognizable or readable. The modern investigator
must be able to recognize those computers and
their associated storage media may be integral
to any category of crime, not just white-collar
fraud or high-tech computer hacking.
Second, when gathering evidence in an investigation,
investigators need to incorporate wording in subpoenas,
search warrants, and affidavits to include computer
technology. When a computer is being used as a
tool to commit the crime, the search warrant should
include sufficient description to enable investigators
to seize the actual hardware (i.e., the physical
components of the computer) and associated peripherals,
such as scanners, printers, and other items being
used to perform the illegal activity. (Sauls,
p. 24-32)
Next, computer evidence is both delicate and sturdy
and vulnerable to unseen dangers. All investigators
should be aware of the many methods and ways computer
evidence can be accidentally or deliberately erased
or deleted. Entire systems have been booby-trapped
to prevent their analysis by authorities. Before
executing a search or gathering computer evidence
at a crime scene, investigators should try to
establish enough background intelligence on the
suspect(s) to determine whether they are computer
knowledgeable enough to booby-trap their systems
or otherwise thwart a search of their computer.
Finally, after computer evidence is seized, it
must be analyzed properly to extract all possible
information. Homicide detectives do not perform
their own blood typing or DNA analysis on biological
evidence collected at crime scenes; narcotics
investigators do not run extensive analytical
tests on unknown substances to determine whether
or not what they seized during a raid was a controlled
substance. In both cases, investigators send properly
collected evidence to a reputable lab for professional
analysis by trained technicians who can testify
to their results as experts in the courtroom.
The same should hold true for computer evidence.
(Conly, p. 6-11)
|