Chapter 12

High-Technology Crimes Investigative Support

Abstract

This chapter discusses the duties and responsibilities of a cyber security officer when it comes to providing service and support for deterring high-technology crimes, conducting noncompliance inquiries, assisting with computer forensics support, and dealing with law enforcement. A fictional case study scenario will be used.

Keywords

Computer forensics; Corporate executive officer (CEO); Cyber security officer; Director; High-technology crime prevention program (HTCPP); Law enforcement; Non-compliance inquiries (NCIs)

It was a common saying of Myson that men ought not to investigate things from words, but words from things; for that things are not made for the sake of words, but words for things

Diogenes Laërtius1

Chapter Objective
This chapter discusses the duties and responsibilities of a cyber security officer when it comes to providing service and support for deterring high-technology crimes, conducting noncompliance inquiries, assisting with computer forensics support, and dealing with law enforcement. A fictional case study scenario will be used.

Introduction

Not long after the cyber security officer took over the job, a meeting was held between the cyber security officer and the Director of Security. At that time, an agreement was reached as to the cyber security officer’s duties and responsibilities and those of the Director of Security. The Director of Security agreed that the cyber security officer’s duties and responsibilities would conflict with those of the Security Department if the cyber security officer conducted any type of investigation. The Director of Security and the cyber security officer reached a compromise and agreed that any infractions of the cyber security program could be looked at by the cyber security officer as long as they related to noncompliance with the cyber security program, such as violation of automated information protection.
They both agreed to the following:
• To differentiate between an investigation and the cyber security officer’s inquiries by having the cyber security officer call that function “noncompliance inquiries” (NCIs) and focusing on the cyber security program infractions;
• An information copy of each NCI was to be forwarded to the Director of Security;
• The cyber security officer would provide technical and forensics support to the Security staff, when requested;
• The Director of Security was the corporate focal point for law enforcement liaison activities, and any need to contact a law enforcement agency must be approved by the Director of Security, as well as others such as the Public Relations staff and the legal staff;
• In the event that the cyber security officer or members of the cyber security officer’s staff were contacted by outside agencies with any request for investigative assistance, that request must be coordinated with the Director of Security and others at the corporation;
• The cyber security officer’s staff would provide in-house computer forensics training to the Security staff twice a year;
• The Security staff would provide in-house training in assets protection and basic investigative techniques, such as how to conduct an interview, to the cyber security program staff twice a year; and
• The Security staff would provide the budget for computer forensics software to be used in support of Security investigations, on an as-needed basis.
After completion of the discussion with the cyber security officer, the Director of Security knew that the cyber security officer and the cyber security program organization under the corporate information officer (CIO) were where they should be. The complicated job and headaches of the cyber security officer relative to NCIs and the entire cyber security program matter were something that the Director did not want to be responsible for.

Duties and Responsibilities of a Cyber Security Officer in Deterring High-Technology Crimes

Although investigations at the corporation are the purview of the Security staff, the cyber security officer and the Director of Security both knew that many such investigations, or NCIs, are high-technology based, such as those involving microprocessors (computers). Therefore, the cyber security officer’s staff would be active in supporting Security’s anticrime program as part of Security’s assets protection program for the corporation. They both knew that the entire corporate assets protection program would be best served, that is, more effectively and efficiently accomplished, if the cyber security officer and the cyber security program functions reported to the Director of Security instead of to the CIO.
However, at the corporation, as at many corporations, the Director of Security really did not want that responsibility, and politically, it was a difficult sell to executive management. Furthermore, the cyber security officer position, which now reports to the CIO, who reports to the corporate executive officer (CEO), would be downgraded, as the cyber security officer would report to the Director of Security, who reports to the Vice President of Human Resources, who reports to the Corporate Office Executive Vice President, who reports to the CEO. The position would also mean less prestige, less money, and the inability to exercise management authority at a sufficiently high level.
However, the Director and the cyber security officer agreed that a high-technology crime prevention program should be established at the corporation as part of the corporation’s total assets protection program, which was led by the Director of Security. Therefore, the Director and the cyber security officer decided to establish a project to provide such a program and ensure that it interfaced with the cyber security program. It was also agreed that a long-term goal would be to integrate the crime prevention, cyber security, and corporate physical assets protection policies into an overall cyber security program under the authority of both the Director and the cyber security officer using a matrix management approach.
The Director and the cyber security officer agreed that the cyber security officer’s approach to the cyber security program and its related functions was adaptable to the development of a high-technology crime prevention program. After that initial baseline was developed by the cyber security officer, the Director would integrate antitheft, antifraud, and other crime-related policies, procedures, and processes into the program and baseline them as part of the corporate assets protection program under the authority of the Director of Security.
They both agreed that the basis on which to build the corporation high-technology crime prevention program (HTCPP) was the development of a comprehensive high-technology crime prevention environment at lowest cost and least impact to the corporation.
The Director and the cyber security officer decided to categorize HTCPP investigations and NCIs so that they could more easily be analyzed and placed in a common database for analyses such as trends or vulnerabilities of processes that allow such incidents to occur. The cyber security officer agreed that the cyber security officer’s organization would maintain the database, but the Security staff would have input and read access. However, modifications, maintenance, upgrades, and deletions would be controlled by the cyber security officer to ensure that the integrity of the database was maintained. The initial categories agreed to by the Director and cyber security officer were:
• Violations of laws (required by law to be reported to a government investigative agency);
• Unauthorized access;
• Computer fraud;
• Actions against users;
• Actions against systems;
• Interruption of services;
• Tampering;
• Misuse of information;
• Theft of services;
• Other crimes in which computers were used, such as:
    Money laundering
    Copyright violations
    Intellectual property thefts
    Mail fraud
    Wire fraud
    Pornography
• Other crimes
• Violators:
    Internal
    External
It was further agreed that these categories would be expanded based on analyses of investigations and noncompliance inquiries conducted to date.

Assisting with Computer Forensics Support

Businesses, public agencies, and individuals increasingly rely on a wide range of computers, often linked together into networks, to accomplish their missions. Because computers have become ubiquitous, they are often a highly productive source of evidence and intelligence that may be obtained by properly trained and equipped cyber security program and investigative professionals. Equipping the specialists to be able to competently search corporation systems is essential. In many cases, a suspect will use a computer to plan the crime, keep diaries or records of acts in furtherance of a conspiracy, or communicate with confederates about details via electronic mail. In other schemes the computer will play a more central role, perhaps serving as the vehicle for an unauthorized intrusion into a larger system from which valuable files or other information is downloaded or tampered with.
Surprisingly, even many sophisticated criminals who are highly computer literate remain unaware of the many software utilities available that allow evidence to be scavenged from various storage media, including hard drives, random access memory, and other locations in the operating system environments such as file slack, swap, and temporary files. Therefore, every investigation of crimes and unauthorized activities should now assume that some effort will be invested in examining computers and computer records to locate relevant evidence that will prove or disprove allegations or suspicions of wrongdoing.
Whether computers are themselves used as the tool to commit other crimes or merely contain documents, files, or messages discussing the scheme or plans, computers can provide a wealth of useful information if properly exploited. A major barrier to obtaining this potentially valuable evidence is the relative lack of knowledge of many corporate and law enforcement investigators concerning high technology, that is, computer technology. This lack of familiarity and experience hampers the computer forensics specialists’ ability to conduct effective searches. When the crime scene itself is a computer or a network, or when the evidence related to the illegal or unauthorized activities is stored on a computer, there is no substitute for the use of “computer forensics” to gather relevant evidence.
Webster’s Dictionary defines forensics as “belonging to, used in, or suitable to courts of judicature or to public discussion and debate.”2 Thus, computer forensics is a term that we define as describing the application of legally sufficient methods and protocols and techniques to gather, analyze, and preserve computer information relevant to a matter under investigation. Operationally, computer forensics encompasses using appropriate software tools and protocols to efficiently search the contents of magnetic and other storage media and identify relevant evidence in files, fragments of files, and deleted files, as well as file slack and swap space.
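As an added illustration that is not part of the chapter, the following Python example models a tiny constructed disk image with fixed-size clusters and shows the operational point made above: a live file that ends partway through its last cluster leaves file slack that still carries residue from older data, a deleted file’s clusters stay readable until overwritten, and the image is hashed before and after examination to demonstrate that the evidence was not altered. The cluster size, file names and contents are all constructed for the example.

```python
import hashlib
import re

CLUSTER = 64       # bytes per allocation unit (constructed; real volumes use 512-4096+)
N_CLUSTERS = 4

def build_image():
    """Build a constructed 4-cluster volume and its allocation table.

    Cluster 0 holds data from a file whose directory entry was deleted, so the
    cluster is unallocated but never wiped. Clusters 1-2 hold the live file
    memo.txt; the memo ends partway through cluster 2, and the unused tail
    (file slack) still carries residue from an older file that once lived there.
    Cluster 3 was never written.
    """
    image = bytearray(N_CLUSTERS * CLUSTER)
    deleted = b"wire transfer 4419 to acct 77-0021 (constructed deleted file)"
    residue = b"old plan: move funds Friday (constructed residue)"
    memo = b"Quarterly memo: all figures preliminary; see attached schedule. Do not forward."
    image[0:len(deleted)] = deleted                            # orphaned data in cluster 0
    image[2 * CLUSTER:2 * CLUSTER + len(residue)] = residue    # earlier contents of cluster 2
    image[CLUSTER:CLUSTER + len(memo)] = memo                  # memo overwrites up to its EOF only
    allocation = {"memo.txt": {"clusters": [1, 2], "size": len(memo)}}
    return bytes(image), allocation

def image_hash(image):
    """SHA-256 of the whole image, recorded before and after analysis to prove preservation."""
    return hashlib.sha256(image).hexdigest()

def extract_slack(image, entry):
    """Bytes between a file's logical end and the end of its last cluster."""
    used_in_last = entry["size"] % CLUSTER
    if used_in_last == 0:          # file ends exactly on a cluster boundary: no slack
        return b""
    last = entry["clusters"][-1]
    return image[last * CLUSTER + used_in_last:(last + 1) * CLUSTER]

def extract_unallocated(image, allocation):
    """Concatenate every cluster no live file references (where deleted files persist)."""
    live = {c for e in allocation.values() for c in e["clusters"]}
    return b"".join(image[i * CLUSTER:(i + 1) * CLUSTER]
                    for i in range(N_CLUSTERS) if i not in live)

def carve_strings(blob, min_len=8):
    """Printable-ASCII runs of at least min_len bytes, the simplest evidence carve."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def examine(image, allocation):
    """Read-only examination: hash, carve slack and unallocated space, re-hash."""
    before = image_hash(image)
    findings = {
        "slack": {n: carve_strings(extract_slack(image, e)) for n, e in allocation.items()},
        "unallocated": carve_strings(extract_unallocated(image, allocation)),
    }
    findings["integrity_preserved"] = image_hash(image) == before
    findings["sha256"] = before
    return findings

if __name__ == "__main__":
    img, alloc = build_image()
    for key, value in examine(img, alloc).items():
        print(key, value)
```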
The cyber security officer and cyber security program NCI specialist assigned as the Security support focal points provided a computer forensics awareness briefing to the corporation Security staff. The briefing gave an introduction to computer forensics and also discussed the support the cyber security officer staff would give the Security staff. The cyber security officer agreed to support the corporation Security staff by providing high-technology-related forensic services.

Dealing with Law Enforcement

There is a great lack of communication between cyber security professionals and law enforcement agencies. Neither profession seems to know what the other does or how they can assist each other. The cyber security officer works primarily in the internal world of the corporation. Therefore, cyber security officers usually are ignorant of what investigations are being conducted by law enforcement agencies, even in the cities where the corporation has facilities.
This lack of communication means that the cyber security officer, and more often than not the Director of Security, is not aware of local high-technology crime investigations that law enforcement is conducting. Thus, the cyber security officer is unaware of some high-technology crime techniques that would be useful to know about when developing internal defenses and controls to protect the corporation against such attacks.
When to Call for Help—and Whom
If you or one of your staff is conducting an NCI or supporting a Security staff member conducting an investigation, there is more than one person who can be of assistance. These include:
• Victims,
• Witnesses,
• Consultants,
• Vendors,
• Suspects, and
• Law enforcement officers.
What if a high-technology crime is perpetrated at the corporation and the law requires a law enforcement agency to be contacted? What if management decides that they want the perpetrator caught and prosecuted? They will file a complaint with the appropriate law enforcement agency, and the cyber security officer has an important role to play to support prosecution of the criminal. Therefore, the cyber security officer should be aware of the processes involved. Some of the things to consider are:
• Does the corporation have a company policy as to when or when not to call an outside law enforcement agency?
• Are Legal staff involved?
• Are Human Resources personnel involved?
• Are Public Relations personnel involved?
• Is budget available to support the investigation and prosecution?
• Is the question “Can the corporation stand the bad publicity?” considered in making the decision?
• Is executive management prepared for the required commitment?
• Is reporting required by law?
• If yes, should it be reported?
• If no, should it be reported?
When deciding whether to call law enforcement, one should also consider:
• Costs versus benefits,
• Extent of loss,
• Probability of identifying and successfully prosecuting the suspect,
• Potential lawsuits that will follow if someone is identified (whether or not he or she is successfully prosecuted), and
• Time in supporting the criminal justice process: investigation through prosecution.
There are some advantages to calling law enforcement, who can:
• Perform acts that are illegal if done by citizens,
• Obtain search warrants to recover property,
• Gain access to related information, and
• Protect victims under some instances.
Some of the disadvantages of calling law enforcement for help include:
• Control over the incident is lost,
• It is probably costly and time-consuming, and
• The company must be willing to cooperate in the prosecution, during which the case may receive high visibility from news media, stockholders, and others.
If you decide to call in a law enforcement agency, corporate management must also decide which one to call and why—national, state, or local. No matter which one is called, corporate management must also be prepared to help them for an extended period of time. Initially, the cyber security officer in concert with the Director of Security should:
• Prepare a briefing for investigators;
• Ensure that executive management and the Legal Staff Director attend;
• Be sure of the facts;
• Brief in clear, concise, and nontechnical terms;
• Identify the loss, the basis for the amount, and the process used to determine that amount;
• Gather all related evidence;
• Know the related laws;
• Describe action taken to date;
• Explain the real-world impact of the alleged crime;
• Identify and determine if any victims will cooperate;
• Explain what assistance they can provide.
If the incident is to be handled internally:
• What is the objective?
• What is the plan to accomplish that objective?
• What expertise is available to help?
• What is the cost?
• What are the consequences?
• What can be done to be sure it doesn’t happen again?

Questions to Consider

Based on what you have read, consider the following questions and how you would reply to them:
• Do you think the cyber security officer’s responsibilities should include conducting any type of investigation or inquiry?
• If so, why?
• If not, why not?
• Do you think it is the job and professional responsibility of a cyber security officer and staff to support internal and external investigations by providing forensics support?
• If so, what limitations would you set on that support?
• As a cyber security officer, do you have a policy, plan, process, and procedure in place as to when and how you would support an internal or external investigation?
• If so, are they current?
• Have they been coordinated with applicable internal customers, such as auditors and Security staff?

Summary

Usually, a security department’s staff is not trained to conduct high-technology investigations, whereas the cyber security officer and staff are in the best position to support the security department or an outside law enforcement agency in conducting their investigations. An agreement should be worked out between the Director of Security and the cyber security officer as to who has what authority for investigations relevant to violations of corporate policies as well as those that would also be a criminal offense.
Corporations must have current policies detailing when an outside law enforcement agency should be called and when a matter identified as a violation of law, criminal or civil, should be investigated internally. It is absolutely mandatory that such decision not be made by the cyber security officer, but by the executive management supported by the Legal staff, Public Relations staff, and Human Resources staff. If a law enforcement agency is contacted, the corporation must be prepared for usually many months of support to the investigative agency as well as bad publicity.
High-technology crime investigations and NCIs are based on basic investigative techniques and answering the questions of who, how, where, when, why, and what.
High-technology criminals are beginning to install more sophisticated security systems, including encryption systems. Such systems will require very sophisticated tools and expertise to access. Some have focused on methods of destroying evidence if law enforcement or investigators tamper with the system.
The challenges to high-technology crime investigators and computer forensics specialists are many and quickly increasing. Only through constant training will investigators and cyber security staff members have any hope at all of keeping up with these changes, including searching media for evidence.
Keys to successful searches include knowing the technology, having a plan, using common sense, and using a specialist who is an expert in the technology and accompanying software to be searched.

1 Diogenes Laërtius (third century?), Greek historian and biographer. Lives of the Philosophers “Myson” (third century?)—Encarta® Book of Quotations, © & (P) 1999, Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.

2 Merriam–Webster’s Collegiate Dictionary. G&C Merriam Company, 1973.
