Office of Justice Programs Publishes Cybercrime Investigation Guide
WASHINGTON, DC – Last week, the U.S. Department of Justice’s Office of Justice Programs issued a report entitled “Investigations Involving the Internet and Computer Networks” to be disseminated to law enforcement agencies across the country, in aid of improving the capacity of such agencies to perform effective “cybercrime” investigations. The report offers a detailed look at the host of issues that confront investigators in cybercrime cases, covering the definitions of the most basic of terms and abbreviations – like “trojan,” “spoof,” and “ISP” – as well as more complex issues, like the legal ramifications of multi-jurisdictional evidence collection.
Coming out on the heels of several well-publicized investigations that local law enforcement agencies have been accused of botching and/or pursuing with greater zeal than professionalism (like the strange case of 16-year-old Arizonan Matthew Bandy), the report is packed with warnings and cautionary notes imploring investigators to proceed with caution, avoid jumping to conclusions, and to handle their investigations with the utmost care.
For example, one section of the report cautions that “(B)ecause investigations involving the Internet and computer networks mean that the suspect’s computer communicated with other computers, investigators should be aware that the suspect may assert that the incriminating evidence was placed on the media by a Trojan program,” adding that a “proper seizure and forensic examination of a suspect’s hard drive may determine whether evidence exists of the presence and use of Trojan programs.”
Similar caveats and cautionary notes crop up throughout the report. Another example, from the section of the report dealing with the subject of IP addresses, cites a common analogy that IP addresses are like an “apartment address.” The report cautions readers that the “IP address does not denote a physical location of the device at the time it is connected to the Internet.”
Further, the report warns that the “date and time an IP address was assigned must be determined to tie it to a specific device or user account,” noting that an ISP may or may not maintain historical log files that relate dynamically assigned IP addresses to an individual subscriber account, or individual user, at any particular time.
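The caution above is easy to state and easy to get wrong in practice: the same dynamic address is reused by different subscribers over a day, so an IP address alone identifies nobody, and a timestamp in the wrong time zone points at the wrong subscriber. The following is an added illustration (not code from the DOJ report) of how an investigator or ISP analyst would correlate an event timestamp against assignment records. The lease records, account names and address are constructed sample data, and the record layout is an assumption; real ISP logs differ in format but carry the same three facts this code depends on: address, account, and the interval during which the assignment was valid.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Lease:
    """One dynamic-address assignment record, as an ISP's RADIUS/DHCP log might export it."""
    ip: str
    subscriber: str
    start: datetime            # timezone-aware instant the address was handed out
    end: Optional[datetime]    # None means the assignment was still active at export time


def utc(y, mo, d, h, mi):
    """Helper to build timezone-aware UTC instants for the sample data."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample assignment log (hypothetical addresses and account ids, not real data).
# Note that 203.0.113.17 changes hands twice within two days and has a short gap
# between the first two assignments.
SAMPLE_LEASES: List[Lease] = [
    Lease("203.0.113.17", "acct-1001", utc(2007, 1, 5, 8, 0),  utc(2007, 1, 5, 12, 30)),
    Lease("203.0.113.17", "acct-2042", utc(2007, 1, 5, 12, 45), utc(2007, 1, 6, 9, 0)),
    Lease("203.0.113.17", "acct-3310", utc(2007, 1, 6, 9, 15),  None),
    Lease("203.0.113.99", "acct-0007", utc(2007, 1, 5, 0, 0),  None),
]


def parse_event_time(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries an explicit UTC offset and normalise it to UTC.

    Server logs are frequently recorded in local time; refusing naive timestamps forces the
    analyst to state the offset before any lookup is attempted.
    """
    when = datetime.fromisoformat(stamp)
    if when.tzinfo is None:
        raise ValueError(f"timestamp {stamp!r} has no UTC offset; supply one before correlating")
    return when.astimezone(timezone.utc)


def subscriber_at(leases: List[Lease], ip: str, when: datetime) -> Optional[str]:
    """Return the account that held `ip` at instant `when`, or None if no record covers it.

    A half-open interval [start, end) is used so that a lease ending at 12:30 and the next
    starting at 12:30 never both match. Overlapping records indicate a corrupt or
    mis-merged log and are reported rather than silently resolved.
    """
    matches = [
        lease for lease in leases
        if lease.ip == ip
        and lease.start <= when
        and (lease.end is None or when < lease.end)
    ]
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} overlapping lease records for {ip} at {when.isoformat()}")
    return matches[0].subscriber if matches else None


if __name__ == "__main__":
    # An event logged by a server on the U.S. east coast (UTC-5) at 08:00 local time.
    event = parse_event_time("2007-01-05T08:00:00-05:00")
    print(event.isoformat(), "->", subscriber_at(SAMPLE_LEASES, "203.0.113.17", event))
    # The same clock reading read as if it were UTC points at a different subscriber.
    naive_reading = parse_event_time("2007-01-05T08:00:00+00:00")
    print(naive_reading.isoformat(), "->", subscriber_at(SAMPLE_LEASES, "203.0.113.17", naive_reading))
```

Run as a script, the two lines printed show the report's warning in concrete form: the 08:00 local-time event resolves to `acct-2042`, while the same digits misread as UTC resolve to `acct-1001`. A lookup that lands in the gap between assignments, or on an address the log never recorded, returns `None`, which is the correct answer to carry into an affidavit rather than the nearest account.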
Investigators are also warned that they must proceed with caution in their investigations to avoid tipping off suspects. In a section of the report instructing investigators on the use of whois, nslookup and traceroute queries, investigators are cautioned that they “should be aware that inquiries made on these sites might be monitored and recorded.”
“It is important to conduct sensitive inquiries from a computer that is not traceable back to the investigating agency,” the report continues.
Among the basic investigative techniques covered in the report is a step-by-step guide to tracing an IP address or domain name, along with extensive bullet-point lists of what manner of evidence might be found on a computer, server or other digital device, and the types of data that could be available through a suspect’s or victim’s ISP.
In an acknowledgement of the particular skills required to conduct a proper investigation, the report cautions that an “investigator should not attempt to examine a computer system if the investigator has not received special training in forensic examination of computers.”
“The investigator should follow agency policy or contact an agency with a forensic examination capability,” the report states, further warning that extreme care should be taken to ensure that investigators do not inadvertently alter, damage, overwrite, or otherwise taint digital evidence by attempting to use a suspect’s or victim’s PC.
The DOJ report also explicitly cautions investigators to be very mindful of the legal morass their case could devolve into if proper investigative and chain of evidence protocols are not followed and provides a brief analysis of the major statutes that govern their investigation.
The report specifically instructs investigators to be mindful of their duties and required protocols under the Fourth Amendment, the Electronic Communications Privacy Act, the Pen Register and Trap and Trace Statute, Title III wiretaps, and “applicable State laws.”
For the full DOJ Office of Justice Programs report, refer to the following URL: http://www.ncjrs.gov/pdffiles1/nij/210798.pdf