Computer crime investigations seek to determine the nature of a crime and collect evidence to lead to a conviction. Along the way, investigators may uncover information they can use to predict and prevent crimes of a similar nature in the future. For example, they might note a loophole in a program that makes intrusions possible, and could contact the manufacturer to recommend a patch to correct the problem. Training in information technology is necessary for this kind of work, as is experience in evidence collection and handling to reduce the risk of gathering information that cannot be legally used.
The process starts when someone calls to report a crime, or a monitoring agency detects evidence of one. Investigative teams must secure the computers, networks, and components that may be connected with the incident. This can include financial networks connected to embezzlement or fraud, or computer networks targeted by malicious hacks intended to expose and compromise data. Computer crime investigations can be challenging because of the ephemeral nature of the evidence, making it critical to get the computers secured and under control before starting an investigation.
Investigators may clone the system in order to explore the copy without compromising the original. Computer crime investigations can involve a detailed audit of a computer system to look for malicious code, security loopholes, and other issues. The investigators may seek out compromising files and programs, including material people have attempted to delete, alter, or conceal. Specifics of the investigation depend on the type of crime under investigation. For hacking, for example, computer crime investigations need to uncover evidence that intrusions occurred and link those intrusions to a source.
Maintaining the chain of evidence with computer crime investigations is challenging. Investigators need to carefully document everything they do and may videotape, record keystrokes, and take other measures to track their activities. In the event evidence is challenged in court, the team must be able to show that the evidence is original, without alterations that might compromise its validity. Members of this field constantly revise and update evidence guidelines to keep pace with computer crime investigations and set a standard for investigators to follow wherever they are working.
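The cloning and "show the evidence is original" requirements above come down to hashing the image at acquisition and re-hashing it before every examination, with each step logged. The following is an added example, not code from the original article: the disk image is a constructed byte string standing in for a cloned drive, and the log entry format is an assumption rather than any standard.

```python
import hashlib
from datetime import datetime, timezone

def sha256_of(data: bytes) -> str:
    """Return the hex SHA-256 digest of an evidence image."""
    return hashlib.sha256(data).hexdigest()

def _entry(action: str, examiner: str, digest: str) -> dict:
    # Custody log entry format is an assumption for this example.
    return {"ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "examiner": examiner, "sha256": digest}

def acquire(image: bytes, examiner: str, log: list) -> str:
    """Hash the image at acquisition and record the first custody entry."""
    digest = sha256_of(image)
    log.append(_entry("acquired", examiner, digest))
    return digest

def verify(image: bytes, expected: str, examiner: str, log: list) -> bool:
    """Re-hash before analysis; a mismatch is logged, never silently ignored."""
    digest = sha256_of(image)
    ok = digest == expected
    log.append(_entry("verified" if ok else "MISMATCH", examiner, digest))
    return ok

# Constructed sample image (stands in for a cloned drive).
ORIGINAL = b"MBR\x00" + bytes(range(256)) * 4
# Same image with a single bit flipped models an altered copy.
_t = bytearray(ORIGINAL)
_t[100] ^= 0x01
TAMPERED = bytes(_t)

def demo():
    """Acquire, then verify an intact copy and an altered copy."""
    log = []
    digest = acquire(ORIGINAL, "examiner A", log)
    intact = verify(ORIGINAL, digest, "examiner B", log)
    altered = verify(TAMPERED, digest, "examiner B", log)
    return intact, altered, log

if __name__ == "__main__":
    intact, altered, log = demo()
    for e in log:
        print(e["ts"], e["action"], e["examiner"], e["sha256"][:16])
```

The log records the acquisition hash and every later verification, so a challenged image can be shown to match its acquisition digest, or the exact point of alteration can be identified.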
Once evidence has been fully collected and cataloged, the team may opt to retain the equipment they confiscated until the matter goes to court and is heard. This ensures that they have access if they need it during the trial. Otherwise, computers and other devices might be released back to their owners, which could ultimately compromise any remaining evidence.