After Hours

Real-life computer crimes investigation: It's not like on TV

If the fancy tech on TV crime shows makes you chuckle, keep in mind that there are many other ways real cases differ from the TV versions. Deb Shinder offers tips for working with law enforcement if you're involved in a computer crime investigation.

Police procedurals have been among the most popular television programs for many years, hearkening back to the 1950s when Jack Webb's Dragnet was hailed as the first "realistic" cop show (as we were reminded every week in its opening: "The story you are about to see is true ..."). Crime shows are still one of the most popular genres today, with the airwaves dominated by such major network offerings as CSI, Law & Order, and NCIS (in all their incarnations).

In many of these, computer forensics and computer-based criminal investigation play an important role in the storyline. Each program seems to have at least one character designated as the resident "computer genius" who, with a few keystrokes, can tap into every database - public and private - in existence (up to and including military spy satellites); run instantaneous DNA analysis on the most minute piece of trace evidence; and take control of remote computers, cell phones, traffic lights and motor vehicles to track down the bad guys and bring them to justice.

Artistic license

While Webb's portrayal of the straight-as-an-arrow, married-to-the-job Sergeant Joe Friday might not have been completely accurate in regard to the typical Los Angeles cop, the technology used on the show was pretty much exactly what the police force of that day had at their disposal. Today, screenwriters seem to take a bit more artistic license.

The computer systems used by TV's on-screen investigators are pretty impressive, ranging from the more mundane arrays of huge plasma monitors to almost magical holographic style touchscreens that project their displays on transparent glass or just into the air. The user interfaces are advanced far beyond anything we've seen at the IACP (International Association of Chiefs of Police) annual technology exposition or INTERSEG (the International Law Enforcement Technology, Services and Products exhibition and conference), much less the Consumer Electronics Show (CES).

The problem with the technology used on those programs is that much of it doesn't exist - or at least it doesn't work quite the way it's depicted. For example, the fancy transparent touchscreen used by the crime scene investigators on CSI: Miami is based on the Microsoft Surface computer, but the real thing is not nearly as elegant and the "processing" that you see the system doing is created with special effects.

Even when television brings it down a notch and attempts to portray computers a bit more realistically, they often don't get it right. Many Hollywood script writers use Macs; police departments, not so much. Even though Apple has only about five percent of the overall operating system market share (according to Netmarketshare statistics as of April 2011), it continues to excel in the "product placement" game. I've been in many, many police departments and I don't see many officers typing on Macs, if for no other reason than the fact that most cities go out for bid on equipment and the higher cost of Apple products would blow the budget.

In fact, in many of the small and medium sized P.D.s in the U.S., officers are lucky to have access to a ten-year-old desktop system running Windows XP. Despite efforts to catch up and bring old-time cops (who still prefer to write their reports by hand) into the twenty-first century, and despite federal grants, many municipal law enforcement agencies still face a money crunch. Citizens are becoming more and more dependent on government and consequently an increasing number of city services compete for declining revenues due to reduced or stagnant valuation of the property tax base. That's why I laugh when I see TV cops roll up to the scene in their high tech mobile command centers, whipping out the latest and greatest smartphones with which they effortlessly download real-time video of the perpetrator's movements. Yes, there are a few large agencies that have those sorts of resources, but not many.

Why it matters

So who cares if the television programs exaggerate a little or a lot about how technology works in the investigation of crimes? After all, it's just entertainment. Just as everyone surely knows that female cops don't really routinely chase crooks while wearing short skirts, five inch high heels and long blonde hair blowing free in the wind, they must know that the computer-related investigations they see on TV are fictionalized, too.

Except that not everyone does. And that leads to unrealistic expectations. It's a problem for real-life law enforcement officers when the public expects them to be able to work the same magic they see the TV cops work every day on their favorite programs.

Even IT pros who should know better may expect police investigators to have far more advanced equipment than they do, to have much more time to devote to a relatively routine case than they do, and to have much more technical knowledge and skill than they do.

There's a growing chance that, as an IT professional, at some time you'll be called upon to work with law enforcement in the investigation of a computer-related crime. You'll be better able to assist (and avoid some frustration) if you have a more realistic idea of how a real-world investigation generally proceeds.

How it works in the real world

The investigative process is a complex one, but like most complex tasks, it can be more easily accomplished if it's broken down into steps and roles assigned to different people. Think about how you go about a complex task in your own job, such as the roll-out of a software application across the organization. You might first install the software in a test lab situation, where you can observe its interoperability with your existing software and OS configurations and identify whether hardware needs to be upgraded. Then you could troubleshoot any compatibility problems that arise. Once those are resolved, you might run a pilot, deploying the software only to a selected group of users. You can learn from that experience what support problems you're likely to encounter. Then you roll it out to the rest of the organization. You may then need to institute training for those users. Most likely, you won't personally handle each of these steps. For instance, you may have hardware people who deal with that aspect, and dedicated instructors who teach users how to get the most out of the new software.

Law enforcement personnel follow similar protocols. In the investigation of a major crime, one person (usually a detective or an officer with the rank of sergeant or above) will be in charge of the investigation. That person will coordinate the activities of other personnel and will have the final authority regarding how the crime scene should be secured and how the evidence will be handled. Additional roles (which may be assigned to different people or, in a very small police agency, to the same person) include:

The first responder: This is the first official representative of the law enforcement agency to arrive on the scene. This person is responsible for identifying the boundaries of the crime scene, establishing a perimeter and securing the scene so that evidence can't be deliberately or inadvertently tampered with or removed. The first responder may be a patrol officer who is not fully trained in investigation of a crime scene involving computers. His/her primary job is to protect the evidence until the investigator arrives.

The investigator(s): These people will first establish a chain of command and a plan for the investigation, so that efforts are not duplicated, important steps are not left out, and evidence is not overlooked, damaged or contaminated. Next they will conduct a search of the crime scene. They can do this with consent, or with a search warrant. In addition to the obvious sources of evidence - the primary computer(s) - they will look for other evidentiary materials such as external storage media. They will continue to take steps to protect and preserve the evidence, and may make bit-level copies of hard drives on the scene or they may take the machines back to the lab. The investigators will also question witnesses and potential suspects.

The crime scene and crime lab technicians: These are the people who will process the evidence. In cybercrime cases, they should be computer forensics specialists with training in how to preserve volatile evidence (e.g., data in memory), how to create bit-level images of disks, how to safely shut down computers for transport without triggering self-destruct mechanisms, proper packaging and transport of the evidence (for example, anti-static containers for bare hard disks and other components that contain exposed circuit boards), how to retrieve the data (including decrypting it if it's encrypted), and how to document all this and present it in court. Depending on the agency, crime technicians may or may not be sworn law enforcement officers who carry badges and guns.

Working with real-life law enforcement

When you, as a civilian, work with law enforcement officers to provide information or digital or physical evidence in a cybercrime case, it's helpful to understand the hierarchy and chain of command that's in place. But you should also keep in mind that those of higher rank won't necessarily have the best understanding of technology. The level of expertise among technicians varies widely depending on the agency, as well. In some departments, technicians have no specialized training in computer crimes, whereas in others, they are true experts. Remember that except for the largest agencies, public sector salaries often lag far behind those in the private sector, particularly in the technology field. This means local governments often have trouble recruiting the best and brightest.

So if you feel as though the computer crimes investigator knows less than you do or seriously misunderstands the technology, you might be right. But correcting him/her can be a delicate matter. Officers often have a good deal of discretion about how much attention to give a particular case. If you flaunt your superior knowledge, make the officers feel stupid or look bad in front of others, they may not put their best efforts into your case. On the other hand, if you help to make their job easier and make them look good, there's a good chance they'll go out of their way to help you. That's just human nature.

It helps to have some advice from the pros. At a recent Security B-Sides conference, attendees benefitted from some tips from the director of an IT security consulting company who is also a police officer, regarding working with local law enforcement when your company's computers and network are hacked.

Perhaps the most important thing to keep in mind is that most police officers are stretched thin and have little time. If you can provide them with the background information they need, and documentation that will help them understand your network's setup - without forcing them to spend valuable time digging for it - they'll appreciate it and work more cooperatively with you.

Tips for working with law enforcement

#1 When you're questioned by police in a cybercrime case, keep Sergeant Friday's words in mind and stick to "just the facts."

Don't embellish and don't speculate. If you don't know the answer, say so (and if you can, offer to find out and get back to them). If you give your opinion, clearly label it as such. If the interview appears to be turning into an interrogation, keep cool, don't get angry and don't challenge the officer. Police officers are trained to take control and when they're on duty, they consider themselves the ultimate authority figures. They are taught, for their own safety, to respond assertively when there is a challenge to their authority. If you believe officers consider you a suspect, invoke your right to remain silent (whether or not you've been advised of that right), and consult an attorney before answering any further questions.

#2 Whether you're a suspect or merely a witness, realize that officers may not automatically believe that you're telling them the truth or that you're telling them all you know.

Witnesses often lie for a variety of reasons, or inadvertently give inaccurate information. The officer's job is to get to the truth. Don't become offended if officers seem to doubt the veracity of your story. Again, stay calm and cool and take time to stop and think before you speak and be certain of what you remember.

#3 To the police, the integrity of the crime scene is of utmost importance.

Once a perimeter has been established, it's off limits to everyone until officers tell you otherwise. It doesn't matter that it's your office or even that you own the building. Any intrusion into the crime scene, even if you don't think it had any effect, can disrupt the chain of custody and render the evidence inadmissible. Also note that anybody who enters the crime scene (and that includes accessing systems that are affected) can be called to testify in court and your access to the scene or systems could even cause you to be considered a suspect.

#4 Computers that were involved in the crime are evidence, and will likely be seized and placed in a secure location until the disposition of the case.
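The imaging-and-documentation work the crime lab technicians above are trained for, and the chain-of-custody concern in tip #3, come down to a small number of concrete steps: copy the device bit for bit, hash the source stream and the resulting image so the copy can be proven faithful, and record who handled what and when, so that any later change to the image is detectable. The following is an added example, not code from the article or from any agency's toolkit. The "device" is a constructed byte buffer written to a temporary file (a real acquisition reads a block device, normally behind a hardware write blocker), and the examiner name and file names are placeholders.

```python
# Added example (not from the article): minimal hash-verified imaging plus a
# chain-of-custody log. The "device" is constructed in a temp dir, not a real
# disk; "examiner-1", "sdb" and "sdb.dd" are illustrative names only.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # stream in 64 KiB pieces so images larger than RAM are fine


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in chunks; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source_path, image_path):
    """Bit-for-bit copy of source to image. The source stream is hashed as it
    is read and the finished image is hashed afterwards; a mismatch means the
    copy cannot be trusted and is rejected."""
    source_sha256 = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            source_sha256.update(chunk)
            dst.write(chunk)
    image_hashes = hash_file(image_path)
    if image_hashes["sha256"] != source_sha256.hexdigest():
        raise RuntimeError("image does not match source; do not use it")
    return image_hashes


def record_custody(log_path, action, item, handler, hashes):
    """Append one chain-of-custody entry (one JSON object per line, UTC time)."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "item": item,
        "handler": handler,
        **hashes,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, expected_hashes):
    """True only if every digest recorded at acquisition still matches."""
    current = hash_file(image_path, tuple(expected_hashes))
    return current == expected_hashes


def run_demo():
    """Image a constructed 'device', log the acquisition, verify the image,
    then flip a single byte and show the verification fails."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sdb")      # stand-in for a block device
        image = os.path.join(workdir, "sdb.dd")
        log = os.path.join(workdir, "custody.jsonl")
        # Constructed content: a 512-byte sector ending in an MBR-style 0x55AA
        # signature, followed by 4 KiB of filler. Not real evidence.
        sector0 = b"\x00" * 510 + b"\x55\xAA"
        with open(device, "wb") as f:
            f.write(sector0 + bytes(range(256)) * 16)

        hashes = image_device(device, image)
        record_custody(log, "acquired", "sdb.dd", "examiner-1", hashes)
        before = verify_image(image, hashes)

        # Simulate an accidental write to the image: one byte changed.
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"\xFF")
        after = verify_image(image, hashes)

        with open(log) as f:
            entries = [json.loads(line) for line in f]
        return {"verified_before_tamper": before,
                "verified_after_tamper": after,
                "custody_entries": len(entries)}


if __name__ == "__main__":
    print(run_demo())
```

In practice the copying itself is done with a purpose-built tool such as dc3dd or ewfacquire rather than a script, but the pattern is the same: hash at acquisition, re-hash at every handoff and before analysis, and keep the handler, time and digests in a record that travels with the evidence. That record is what lets an examiner answer "how do you know this is the same data you seized?" in court.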

Takes a lot longer than a one-hour episode

It's important to keep in mind that things move much more slowly in real life than on television. Examination and analysis of forensic evidence can take weeks or months, and criminal cases may not go to trial for months or years. The police on TV are rarely shown being hampered by the realities of an investigator's life: departmental policies, legal requirements (such as the time it can take to get a search warrant), backlogs at the lab that mean long waits for evidence to be analyzed, even the political factors and personal relationships that can bog down a case or make it go off track or disappear altogether. Most computer crimes investigators wish the process was as quick and easy as it is on TV, but it almost never is. Be prepared, if you ever become involved in a computer crimes investigation, for a long and tedious experience, but remember that your actions can make it go more smoothly - or not.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

14 comments
kevsan

One of the actors in a CSI series commented when asked about this subject and replied that on TV they have to solve a crime in 43 minutes. The same applies to courtroom dramas. In real life a main witness may spend several days being questioned and cross examined. In medical shows it may take a doctor weeks to complete a full series of tests. A simple analysis of a bacteria could take several days. With cyber crime, all these magical tools used on TV simply don't exist, or if they did, very few policing departments could afford them. Face recognition software, for example, is nowhere near as sophisticated as we are led to believe. For every one person on earth there are thousands of others who look similar, so getting a "hit" as they do on TV is just not possible. Unfortunately people expect the same instant results as they see on TV.

JoeyD714

So if you own a business that runs on computers and some type of cyber-crime takes place, the police will seize all your machines and all your back ups and put you completely out of business so they can investigate? No wonder most companies don't report hacks or intrusions. It's easier to take a one time hit and stay in business to recover from it than to let the police put you completely out of business... remember your creditors still want their money even if the cops shut your operations down by seizing all your equipment and back ups. You, the victim of a crime, could be the only one punished, or at least punished way more severely than the bad guy. If paying your mortgage depends on income from your business, you will lose your house too. I say all this because everything I do to make money right now from website development to video editing depends on these machines and the software on them. If the cops came in and took it all I'd be totally Fv@kd. I also know that here in Detroit, whatever the cops take, you will NEVER EVER see again, even if it was rightfully and legally yours and they just took it to "examine" it... It's Gone, go buy another one, you'll never see that one again. OK, buy new computers, fine, what about all the software and irreplaceable data... stuff you thought you were smart about backing up onto removable drives? You said the cops are going to take all that too. Sounds like you have to do daily back ups to external devices that you keep off premises at a location the cops don't know about and can't find. Damn, now you're acting like a criminal just to protect your business.

Dr_Zinj

It's to the benefit of law enforcement to get potential criminals to think their capabilities are greater than they really are. Every TV crime show shows the mounties always get their man. When people think it's not possible to get away with a crime, they're less likely to commit one. That sort of thing also is to the benefit of police departments when it comes time for their budget. People will pony up the money if they think it will bestow magical abilities on the cops.

Nungarx

I live in Mexico, I work primarily on media and CGI. But computers are my life's love. Thanks to my dad I was on a computer since I was 3 years old, now they are part of my life. I recognize that I have many computer skills that may be hacker skills. But it was always for fun and to increase my knowledge. I'm not an engineer, nor a software developer. My major is in Social Communications and my other studies are in CGI. In general I'm a good guy. A few years ago I sold a computer on a site like ebay and it was a fraud, I lost my computer (by the way a nice Mac 24") and I really needed the money. So I was so angry and sad, and because of the laws in Mexico, it was impossible to reclaim my computer or my money. So I did what I knew how to do. In 3 days I was able to have the picture of the guy, his name, his school mat, his address, cellphone, birthday, etc. I went to the police, and they didn't believe me, nor understand me. So, a few months later I published the face of this guy in all the newspapers of his little town, and from my city 1500 km away. I made 1000 posters with his face that were posted all over his college, the text was easy: "This guy is a thief, if you know him ask him to pay me". Finally I got my money. But with this experience I made a workflow that actually works. It's part computer, part logic, part social engineering, but it works. These days I'm able to track a cyber thief in less than a week, and if I had access to some databases in my country I would be able to do it faster and even more precisely. I have 3 different cases completed successfully, and it's just my hobby. My equipment is not fancy at all: a Macbook, an old SGI running BT4, a P4 PC running WinXP and an iPhone 3GS, yes an iPhone, which is maybe the most powerful tool. The thing is that cyber-crimes are a new kind of crime, and need a new workflow and a new kind of guys. But I certainly believe that it's absolutely possible.
However, I don't have a holographic screen, nor a blonde beauty assistant; I have to work on that.

Charles Bundy

SOP for questioning users about their computer woes... Taking a cue from my active vision research days it's amazing how little an adult human actually "sees" versus how much we "perceive" with regards to detail.

Kent Lion

Very good article, and good management training in general. I'd add this regarding the section titled, "Working with real-life law enforcement", first paragraph, second sentence: "...keep in mind that those of higher rank won't necessarily have the best understanding of technology." There is something else that it can be helpful to consider when dealing with "those of higher rank". The greater the rank, the greater the possibility that the contact may not be as interested in fair and/or accurate results on a project as in short-term (perceived) benefits to self (i.e., "hidden agenda"), typically in the form of enhancing personal standing or finances (i.e., more power); and that goal could require sacrificing a "fall guy", possibly you or your team/group/organization. Warning signs of this situation are: you're having difficulty communicating with the contact's subordinates; the contact appears to ignore the advice of qualified subordinates; the contact does not seem to try to understand important aspects of the project; or you get blank stares from the contact's subordinates when you mention information you provided that should have been passed to them. In the first case, consider refusing or getting off of the project, because it will prevent you from noticing the other three conditions. The other three conditions are good signs that you are being set up for failure, possibly because of a hidden agenda; therefore, try to find a suitable contact at a lower level.

kenrblan1901

When I worked for a university IT Services department, I was frequently called in to assist the campus police when computers or technical devices were involved in an investigation. They would often ask for things like "Can you tell me whether this individual used this specific computer three weeks ago?" The problem with the request was often that the computer was either a person's privately owned device or a completely public kiosk computer in the library that did not require users to login. They also had the perception that we could magically reconstruct everything a person did while on a computer. Though it might have been technically possible to some extent, we weren't well funded enough to have the tools or time to devote to that level of computer forensics. I must also mention that I had to work with some FBI computer techs when every Solaris server we had was hit with an attack in late fall of 2000. The guy they sent out really knew what he was doing. Luckily for me, I wasn't responsible for the systems that were attacked, but I got to help with the investigation since somebody else was out for a conference or training.

JohnMcGrew

...where the "CSI effect" has created an expectation within potential jurors that the forensic science is so magically high-tech that they're dumbfounded when faced with the methodologically and painstakingly complex and slow science that is the reality. My favorite is the "we can enhance the fuzzy low-res surveillance video so we can read the license plate on a speeding car 500 feet away via the reflection from someone's sunglasses..."

NickNielsen

As you describe it, losing all your computers, data, and software to a police investigation would be a disaster. Wouldn't the loss of hardware, software, and data from a fire be just as disastrous? So you plan for it. Simple as that. An "off-site" backup can be as simple as moving your backup media to a backyard shed. Or even your car.

pgit

This is some of the most straight-up good advice I've read regarding this topic. Look out for the "higher-ups" and get a grip on the agendas that are elevating versus demoting people in the "law enforcement" matrix. The "Peter principle" falls down in this realm, as there is a level above which competencies don't matter, and raw ambition becomes more pertinent than raw talent.

Charles Bundy

A lady wanted me to do just this off of a gas station camera still. The picture in question was of a car in which two folks had just grabbed her dog and took off. I was able to extract enough features to tell her the state, but not the actual tag contents. And she did ask why couldn't I just "zoom in" on the tag ... very sad because I so wanted to zoom in and get a lead on her dog...

bikingbill

I served on a jury last year, and there was some concern amongst the jurors that the crime scene was not covered by CCTV. We jurors had to rely almost exclusively on witness statements, and some on the jury were uncomfortable with that. I fear that a universal expectation of high-quality CCTV images will make convictions in the absence of CCTV or forensic evidence harder to achieve.

JohnMcGrew

...but symptomatic of the unrealistic expectations set by the media; Too many people just don't realize that most of our media is "entertainment", and not "reality".