High-tech crime investigators at all levels can benefit from tools and resources that provide targeted information, strategies and tips. The stakes are high—online fraud, Internet bullying, child exploitation, identity theft, and more—with nearly every crime today leaving a digital footprint. Collected here is a range of SEARCH resources developed for high-tech crime investigators.
While most investigators today have a working knowledge of the Internet, they may not be aware of the many free tools available that can take that basic knowledge and turn it into something more robust. While these tools help to streamline and enhance investigations, they are not considered too high-tech or advanced for the basic investigator to master. These podcasts offer the knowledge and insight of practitioners in conducting the three main components of an online investigation: people searching, information searching, and capturing/saving data.
See our Podcasts page for detailed descriptions of each podcast and the participants, as well as links to resources offered by the practitioners we interviewed.
- Podcast 1: “TLOxp®—A Public Records Research System”
- Podcast 2: “Information Searching”
- Podcast 3: “People Searching”
- Podcast 4: “Capturing and Saving Data”
- Podcast 5: Advanced Data Extraction From Mobile Devices
- Podcast 6: Mental Wellness for Law Enforcement
- Podcast 7: Peer-to-Peer Investigations
- Podcast 8: Peer-to-Peer Legal Issues
Check out our online ISP List, which provides legal contact information for more than 700 Internet Service Providers, for service of subpoenas, court orders, and search warrants.
Use our handy online form to request one or more of these documents, offered by ISPs as a service to law enforcement investigators:
- Comcast Cable/Xfinity Law Enforcement Handbook
- Ebay Responding to Law Enforcement Record Requests
- Experience Project Law Enforcement Guidelines
- Formspring Law Enforcement Guide
- Formspring Legal Process Policies
- hi5 Official Law Enforcement Guide
- MeetMe Law Enforcement Compliance Guide
- MocoSpace Law Enforcement Guide
- myYearbook Law Enforcement Guidelines
- Omegle Law Enforcement Guide
- Sonic.net Legal Process Policy
- Stickam Law Enforcement Guide
- Tagged Official Law Enforcement Guide
- TeenSpot.com Law Enforcement Handbook
- Verizon Law Enforcement Legal Compliance Guide
- Wickr Law Enforcement Guide
- Yahoo! Compliance Guide for Law Enforcement
The SEARCH Investigative Toolbar is an aid for investigators who conduct online, cellular telephone, or wireless network investigations. Once installed, it becomes a readily available desktop resource that contains some of the most frequently used and up-to-date online investigative links for law enforcement. Learn more about the Toolbar
Note: Users must download the Toolbar Installation Guide, which provides download and installation instructions for the Toolbar itself. We strongly advise all users to follow these instructions carefully.
SEARCH offers four basic, self-paced training courses for high-tech crime investigators.
- Social Networking Sites: Investigative Tools and Techniques
This course is suitable for ALL law enforcement investigators—high-tech crime, gangs, homicide, vice, property crimes, narcotics, or other details. It covers tools, techniques and tips for investigating Facebook and other social networking sites.
- Basic Computer Skills for Law Enforcement
This course is designed for investigators planning to attend advanced onsite computer investigation courses through SEARCH, the National White Collar Crime Center, and the Internet Crimes Against Children Task Force Program. This course will guide you through basic computer skills and will ensure that you are sufficiently prepared to attend future computer investigation classes.
- Network Investigation and Digital Triage (NIDT): Pre-Course Considerations
This course introduces investigators to networking, lays the groundwork for how the Internet works, and shows how to determine the legal compliance resources for an IP address and a domain name. It is a prerequisite for the classroom NIDT training course offered by SEARCH.
- Crime Involving Handheld Computing Devices
This course covers the basics for identifying various handheld devices, related physical evidence (such as memory and storage cards, peripherals), proper seizure methods, secure transport and storage, evidence analysis requests, testimony strategies, and much more.
- 2015 State of the States Cyber Crime Consortium Meeting Recap
- 2014 State of the States Cyber Crime Consortium Meeting Recap
- Imaging a Microsoft Surface Pro Tablet Using a WinFE Thumb Drive
- The Internet is Upgrading: What Law Enforcement Needs to Know About the Protocol Transition from IPv4 to IPv6
- Validation Report: Validating the Forensic Write Blocking Capabilities of WinFE
- Child Protection System Instructor Update
- Authenticating Evidence Found in Cyberspace
- U.S. Supreme Court Limits Warrantless Cell Phone Searches
- An Investigator’s Guide to Mozilla Firefox
- How to Google More Effectively
- Cellular Device Data Recovery Preparation Considerations and Troubleshooting
- A Law Enforcement Investigator’s Guide to Basic Digital Officer Safety
- The SEARCH Social Networking Custom Search Engine
- Creating a Cellular Device Investigation Toolkit: Basic Hardware and Software Specifications
- Creating a Wireless Network Investigation Toolkit: Basic Hardware and Software Specifications
- Seized Handheld Device Worksheets
- How to Capture a MySpace Page for Investigative Purposes
- A Guide to Online Gaming for Law Enforcement Investigators
- How to Effectively Search MySpace.com: A Guide for Investigators
- Methods for Capturing Volatile Data
- Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community
- Creating a Forensic Computer System: Basic Hardware and Software Specifications
- Viewing Email Headers
Revised August 2005
- Setting up an Online Investigative Computer: Hardware, Connectivity and Software Recommendations
|Within a physical digital media device—such as a hard drive, thumb drive, or memory card—lie the physical and logical structures that organize the data storage for documents, pictures, music, videos, and more.||How data is stored in sectors, which allows information to be easily separated and identified. Other topics: file system; digital media storage capacity; partitions.||View metadata within the file system; be better prepared for incident scenes where digital evidence might be present.|
|Duplicate imaging is the process of creating an exact copy of digital evidence. The goal is to preserve the integrity of the original digital evidence.||How write protection is needed to preserve the integrity of the evidence. Other topics: hashing algorithms; the process of duplicate imaging; types of duplicate images, including physical, logical, and file copy.||Creating a duplicate image is like taking a snapshot of a computer, exactly as it was found.|
|The Windows Registry is a database in the Windows Operating System. It contains important information about system hardware, installed programs and settings, and profiles of each of the user accounts on the computer.||Topics: Registry items, backups, viewers, hives, keys, values; encoding.||Investigators, forensic examiners, and prosecutors each have their own digital evidence requirements, but the common bond starts with the Windows Registry.|
|Hashtags are a type of label used in social media to group information, and investigators can find public information by using them in their online searches.||How the syntax of hashtags works.||Through site-specific examples, investigators see how they can use hashtags to find information on Twitter, Instagram, and Facebook.|
|Instagram is the online mobile photo-sharing, video-sharing and social networking service that enables users to share pictures and videos.||How Instagram works; what types of information can be found on Instagram; the elements of an Instagram profile.||A free app called Iconosquare can be used to search Instagram without having an Instagram user account.|
Digital Evidence in the Courtroom
|Pros, cons, and guidelines for calling a computer forensic examiner to court as either a non-expert witness or an expert witness, and the boundaries under which each type of witness can testify.||How prosecutors often use the forensic examiner as an expert witness to educate the judge and the jury on technology.||Resources and case law that support the role of a computer forensic examiner as an expert witness.|
|The process of working with a computer forensic examiner before trial in order to establish that this person has the knowledge, education, training, and experience to be called as a computer forensic expert witness in court.||The 3 A’s: Acquisition, Authentication, Analysis||Resources to narrow the focus of a computer forensic examiner’s background in order to establish their credibility.|
|The traditional versus significant evidence approach in deciding how to present evidence to the jury.||Digital evidence collection; lab protocols/digital evidence handling protocols; transitioning into your case using the 3 A’s; using demonstrative exhibits to highlight testimony; meeting defenses; limitations of your forensic examiner.||The types of questions that generally arise when digital evidence is brought out in court.|
|Pre-trial information gathering begins with a complete review of the case, followed by a review of the defense pleadings, and then learning as much as you can about the defense expert witness.||The importance of knowing the complete background of a defense expert witness. This information will allow the prosecution to better anticipate, and be prepared to respond to, the defense in court.||Specific tools and tips that investigators can use to learn about the defense expert witness.|
|The purpose of cross-examination; areas to potentially conduct cross-examination of a defense computer forensic examiner.||Potential topics for cross-examination; concessions, and how to evoke them from the examiner; how to review a defense expert’s credentials to determine they have the ability to give an opinion.||How to dissect a defense expert witness’s report; how to cross-examine a virus defense.|
|Different types of cross-examination techniques.||How to shape questions and arrange topics in order to achieve the desired results.||Tools to help reach conviction, including knowing how to phrase questions for the defense expert witness and use demonstrative exhibits to help steer the cross-examination in a particular direction.|
|What it means to authenticate a piece of digital evidence. Current case law is breaking along two lines in terms of describing what is necessary to authenticate information from cyber space.||Authentication is a low burden. Whether a judge or jury wants to say that something is in fact coming from a defendant is a question of weight, not authenticity. There is a distinction between responsibility and weight. Sometimes the defense tries to tie the two together, but they should remain separate.||The Maryland-Massachusetts approach has a more narrow view of proper foundation. Texas cases allow for a more broad approach to what the court may rely upon.||Case law continues to evolve regarding getting text messages admitted into court.||There are two approaches: The liberal approach requires that the suspect must be the account holder or assigned to the phone number and found to be in possession of the phone. The restrictive approach requires direct or circumstantial evidence that the text message was sent by the defendant.||Case law examples and citations that prosecutors can use under various conditions for getting text messages admitted as evidence in court.|
|Artistic license taken by Hollywood often gives the public a false impression of how things truly work. This certainly applies to the overabundance of police shows where law enforcement roles and responsibilities are often exaggerated and the lines are blurred.||Advancing technologies have changed the way we look at crimes, particularly digital evidence.||Prosecutors and defense attorneys today must adjust their presentations to account for unrealistic jury expectations.|
|The steps investigators need to take to ensure they are using an Internet Protocol (IP) address that can’t be traced back to their agency or home.||How IP addressing works, and how IP addresses can be tracked; website tracking; wi-fi connections; device name settings; Bluetooth sniffing.||Ways investigators can avoid exposing themselves or their agencies to harm while conducting online investigations.|
|Internet Protocol addresses are unique numbers that help us connect to the Internet. Each device is assigned an IP address—and this addressing system is how the packets of information are delivered to the intended location or recipient across the Internet or network.||Topics: Types of IP addresses; where they come from in a case; IP tracing; Using the SEARCH ISP List for sending legal requests; ECPA and its Stored Communications Act.||IP addresses are transitioning from version 4 to version 6. IPv4 and IPv6 addresses are structured differently and investigators should know both protocols and know how to proceed with an investigation and legal process.|
1This project was supported by Cooperative Agreement #2010-BE-BX-K022 by the U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance. Points of view or opinions expressed in this presentation are those of the author, and do not necessarily represent the official position or policies of the U.S. Department of Justice.
2This project was supported by Cooperative Agreement #2009-BE-BX-K030 by the U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Assistance. Points of view or opinions expressed in this presentation are those of the author, and do not necessarily represent the official position or policies of the U.S. Department of Justice.