Police procedurals have been among the most popular television programs for many years, hearkening back to the 1950s when Jack Webb's Dragnet was hailed as the first "realistic" cop show (as we were reminded every week in its opening: "The story you are about to see is true ..."). Crime shows are still one of the most popular genres today, with the airwaves dominated by such major network offerings as CSI, Law & Order, and NCIS (in all their incarnations).
In many of these, computer forensics and computer-based criminal investigation play an important role in the storyline. Each program seems to have at least one character designated as the resident "computer genius" who, with a few keystrokes, can tap into every database - public and private - in existence (up to and including military spy satellites); run instantaneous DNA analysis on the most minute piece of trace evidence; and take control of remote computers, cell phones, traffic lights and motor vehicles to track down the bad guys and bring them to justice.
While Webb's portrayal of the straight-as-an-arrow, married-to-the-job Sergeant Joe Friday might not have been completely accurate in regard to the typical Los Angeles cop, the technology used on the show was pretty much exactly what the police force of that day had at their disposal. Today, screenwriters seem to take a bit more artistic license.
The computer systems used by TV's on-screen investigators are pretty impressive, ranging from the more mundane arrays of huge plasma monitors to almost magical holographic style touchscreens that project their displays on transparent glass or just into the air. The user interfaces are advanced far beyond anything we've seen at the IACP (International Association of Chiefs of Police) annual technology exposition or INTERSEG (the International Law Enforcement Technology, Services and Products exhibition and conference), much less the Consumer Electronics Show (CES).
The problem with the technology used on those programs is that much of it doesn't exist - or at least it doesn't work quite the way it's depicted. For example, the fancy transparent touchscreen used by the crime scene investigators on CSI: Miami is based on the Microsoft Surface computer, but the real thing is not nearly as elegant and the "processing" that you see the system doing is created with special effects.
Even when television brings it down a notch and attempts to portray computers a bit more realistically, they often don't get it right. Many Hollywood script writers use Macs; police departments, not so much. Even though Apple has only about five percent of the overall operating system market share (according to Netmarketshare statistics as of April 2011), it continues to excel in the "product placement" game. I've been in many, many police departments and I don't see many officers typing on Macs, if for no other reason than the fact that most cities go out for bid on equipment and the higher cost of Apple products would blow the budget.
In fact, in many of the small and medium-sized P.D.s in the U.S., officers are lucky to have access to a ten-year-old desktop system running Windows XP. Despite efforts to catch up and bring old-time cops (who still prefer to write their reports by hand) into the twenty-first century, and despite federal grants, many municipal law enforcement agencies still face a money crunch. Citizens are becoming more and more dependent on government, and consequently an increasing number of city services compete for declining revenues due to reduced or stagnant valuation of the property tax base. That's why I laugh when I see TV cops roll up to the scene in their high-tech mobile command centers, whipping out the latest and greatest smartphones with which they effortlessly download real-time video of the perpetrator's movements. Yes, there are a few large agencies that have those sorts of resources, but not many.
Why it matters
So who cares if the television programs exaggerate a little or a lot about how technology works in the investigation of crimes? After all, it's just entertainment. Just as everyone surely knows that female cops don't really routinely chase crooks while wearing short skirts, five-inch high heels and long blonde hair blowing free in the wind, they must know that the computer-related investigations they see on TV are fictionalized, too.
Except that not everyone does. And that leads to unrealistic expectations. It's a problem for real-life law enforcement officers when the public expects them to be able to work the same magic they see the TV cops work every day on their favorite programs.
Even IT pros who should know better may expect police investigators to have far more advanced equipment than they do, to have much more time to devote to a relatively routine case than they do, and to have much more technical knowledge and skill than they do.
There's a growing chance that, as an IT professional, at some time you'll be called upon to work with law enforcement in the investigation of a computer-related crime. You'll be better able to assist (and avoid some frustration) if you have a more realistic idea of how a real-world investigation generally proceeds.
How it works in the real world
The investigative process is a complex one, but like most complex tasks, it can be more easily accomplished if it's broken down into steps and roles assigned to different people. Think about how you go about a complex task in your own job, such as the roll-out of a software application across the organization. You might first install the software in a test lab situation, where you can observe its interoperability with your existing software and OS configurations and identify whether hardware needs to be upgraded. Then you could troubleshoot any compatibility problems that arise. Once those are resolved, you might run a pilot, deploying the software only to a selected group of users. You can learn from that experience what support problems you're likely to encounter. Then you roll it out to the rest of the organization. You may then need to institute training for those users. Most likely, you won't personally handle each of these steps. For instance, you may have hardware people who deal with that aspect, and dedicated instructors who teach users how to get the most out of the new software.
Law enforcement personnel follow similar protocols. In the investigation of a major crime, one person (usually a detective or an officer with the rank of sergeant or above) will be in charge of the investigation. That person will coordinate the activities of other personnel and will have the final authority regarding how the crime scene should be secured and how the evidence will be handled. Additional roles (which may be assigned to different people or, in a very small police agency, to the same person) include:
The first responder: This is the first official representative of the law enforcement agency to arrive on the scene. This person is responsible for identifying the boundaries of the crime scene, establishing a perimeter and securing the scene so that evidence can't be deliberately or inadvertently tampered with or removed. The first responder may be a patrol officer who is not fully trained in investigation of a crime scene involving computers. His/her primary job is to protect the evidence until the investigator arrives.
The investigator(s): These people will first establish a chain of command and a plan for the investigation, so that efforts are not duplicated, important steps are not left out, and evidence is not overlooked, damaged or contaminated. Next they will conduct a search of the crime scene. They can do this with consent, or with a search warrant. In addition to the obvious sources of evidence - the primary computer(s) - they will look for other evidentiary materials such as external storage media. They will continue to take steps to protect and preserve the evidence, and may make bit-level copies of hard drives on the scene or they may take the machines back to the lab. The investigators will also question witnesses and potential suspects.
The crime scene and crime lab technicians: These are the people who will process the evidence.
In cybercrime cases, they should be computer forensics specialists with training in how to preserve volatile evidence (e.g., data in memory), how to create bit-level images of disks, how to safely shut down computers for transport without triggering self-destruct mechanisms, proper packaging and transport of the evidence (for example, anti-static containers for bare hard disks and other components that contain exposed circuit boards), how to retrieve the data (including decrypting it if it's encrypted), and how to document all this and present it in court. Depending on the agency, crime technicians may or may not be sworn law enforcement officers who carry badges and guns.
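The "bit-level image" and "document all this" steps above are where an IT person's and an examiner's work most often meet: an image is only useful in court if it can be shown to be an exact copy, and the usual way to show that is to hash the source while copying, hash the copy afterwards, and record both with who did it and when. The following Python is an added illustration of that routine, not code from the article or from any forensic tool it mentions; it assumes the evidence is a raw image file (a constructed sample is written to a temporary directory), uses SHA-256 as the hash, and uses placeholder case, examiner and file names. It also shows the failure mode the hashes exist to catch: a later one-byte change to the working copy is detected when the image is re-verified.

```python
"""Bit-level copy of an evidence image with hash verification and a
chain-of-custody record.  Added example; not from the article.  Assumes a
raw image file as input, SHA-256 as the hash, and placeholder case names."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # copy and hash in fixed-size blocks, as a dd-style imager does


def sha256_of_file(path):
    """Stream a file through SHA-256 so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_evidence(source, dest, examiner, case_id):
    """Copy source to dest block by block, hashing the source as it is read,
    then re-read dest and compare.  Returns a chain-of-custody record."""
    started = datetime.now(timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    nbytes = 0
    with open(source, "rb") as fin, open(dest, "wb") as fout:
        for block in iter(lambda: fin.read(BLOCK_SIZE), b""):
            src_hash.update(block)
            fout.write(block)
            nbytes += len(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the copy is really on disk before hashing it
    finished = datetime.now(timezone.utc).isoformat()
    dest_hash = sha256_of_file(dest)
    return {
        "case_id": case_id,                 # placeholder value
        "examiner": examiner,               # placeholder value
        "source_path": source,
        "image_path": dest,
        "acquisition_started_utc": started,
        "acquisition_finished_utc": finished,
        "bytes_copied": nbytes,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": dest_hash,
        "verified": src_hash.hexdigest() == dest_hash,
    }


def verify_image(path, record):
    """Re-hash an image later (before analysis, before court) and compare it
    with the hash recorded at acquisition.  False means the copy changed."""
    return sha256_of_file(path) == record["source_sha256"]


def demo():
    """Image a constructed sample, verify it, then flip one byte in the copy
    and show the verification fails.  Returns (record, ok, ok_after_tamper)."""
    workdir = tempfile.mkdtemp()
    try:
        source = os.path.join(workdir, "suspect_laptop_sda.raw")   # hypothetical name
        image = os.path.join(workdir, "CASE-0001_item1.raw")       # hypothetical name
        # Constructed sample content standing in for a drive: a header block,
        # some random blocks, and a partial trailing block.
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED-FS-HEADER".ljust(BLOCK_SIZE, b"\x00"))
            f.write(os.urandom(BLOCK_SIZE * 3))
            f.write(b"partial-last-block")
        record = image_evidence(source, image, examiner="examiner-placeholder",
                                case_id="CASE-0001")
        ok = verify_image(image, record)
        # Failure mode: a single byte of the working copy is altered later.
        with open(image, "r+b") as f:
            f.seek(BLOCK_SIZE + 10)
            original = f.read(1)
            f.seek(BLOCK_SIZE + 10)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_after_tamper = verify_image(image, record)
        return record, ok, ok_after_tamper
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("verified at acquisition:", before, "| verified after tamper:", after)
```

In practice the record would be printed and signed on paper or stored alongside the image, and every later hand-off (lab intake, analyst check-out, return to storage) would re-run the verification step and append to it; the point of hashing the source during the copy rather than afterwards is that the original is read exactly once, which matters when it is a failing drive.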
Working with real-life law enforcement
When you, as a civilian, work with law enforcement officers to provide information or digital or physical evidence in a cybercrime case, it's helpful to understand the hierarchy and chain of command that's in place. But you should also keep in mind that those of higher rank won't necessarily have the best understanding of technology. The level of expertise among technicians varies widely depending on the agency, as well. In some departments, technicians have no specialized training in computer crimes, whereas in others, they are true experts. Remember that except for the largest agencies, public sector salaries often lag far behind those in the private sector, particularly in the technology field. This means local governments often have trouble recruiting the best and brightest.
So if you feel as though the computer crimes investigator knows less than you do or seriously misunderstands the technology, you might be right. But correcting him/her can be a delicate matter. Officers often have a good deal of discretion about how much attention to give a particular case. If you flaunt your superior knowledge, make the officers feel stupid or look bad in front of others, they may not put their best efforts into your case. On the other hand, if you help to make their job easier and make them look good, there's a good chance they'll go out of their way to help you. That's just human nature.
It helps to have some advice from the pros. At a recent Security B-Sides conference, attendees benefitted from some tips from the director of an IT security consulting company who is also a police officer, regarding working with local law enforcement when your company's computers and network are hacked.
Perhaps the most important thing to keep in mind is that most police officers are stretched thin and have little time. If you can provide them with the background information they need, and documentation that will help them understand your network's setup - without forcing them to spend valuable time digging for it - they'll appreciate it and work more cooperatively with you.
Tips for working with law enforcement
#1 When you're questioned by police in a cybercrime case, keep Sergeant Friday's words in mind and stick to "just the facts."
Don't embellish and don't speculate. If you don't know the answer, say so (and if you can, offer to find out and get back to them). If you give your opinion, clearly label it as such. If the interview appears to be turning into an interrogation, keep cool, don't get angry and don't challenge the officer. Police officers are trained to take control and when they're on duty, they consider themselves the ultimate authority figures. They are taught, for their own safety, to respond assertively when there is a challenge to their authority. If you believe officers consider you a suspect, invoke your right to remain silent (whether or not you've been advised of that right), and consult an attorney before answering any further questions.
#2 Whether you're a suspect or merely a witness, realize that officers may not automatically believe that you're telling them the truth or that you're telling them all you know.
Witnesses often lie for a variety of reasons, or inadvertently give inaccurate information. The officer's job is to get to the truth. Don't become offended if officers seem to doubt the veracity of your story. Again, stay calm and cool, take time to stop and think before you speak, and be certain of what you remember.
#3 To the police, the integrity of the crime scene is of utmost importance.
Once a perimeter has been established, it's off limits to everyone until officers tell you otherwise. It doesn't matter that it's your office or even that you own the building. Any intrusion into the crime scene, even if you don't think it had any effect, can disrupt the chain of custody and render the evidence inadmissible. Also note that anybody who enters the crime scene (and that includes accessing systems that are affected) can be called to testify in court, and your access to the scene or systems could even cause you to be considered a suspect.
#4 Computers that were involved in the crime are evidence, and will likely be seized and placed in a secure location until the disposition of the case.
Takes a lot longer than a one-hour episode
It's important to keep in mind that things move much more slowly in real life than on television. Examination and analysis of forensic evidence can take weeks or months, and criminal cases may not go to trial for months or years. The police on TV are rarely shown being hampered by the realities of an investigator's life: departmental policies, legal requirements (such as the time it can take to get a search warrant), backlogs at the lab that mean long waits for evidence to be analyzed, even the political factors and personal relationships that can bog down a case or make it go off track or disappear altogether. Most computer crimes investigators wish the process was as quick and easy as it is on TV, but it almost never is. Be prepared, if you ever become involved in a computer crimes investigation, for a long and tedious experience, but remember that your actions can make it go more smoothly - or not.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.