Network Investigation & Digital Triage

As an on-scene investigator, you are likely to be faced often with processing live crime scenes that contain an abundance of digital evidence. Unfortunately, traditional digital evidence collection methods can result in evidence being left at the crime scene or being inadvertently deleted from computers entirely. Don’t let that happen to your case.

Let us teach you how to conduct pre-raid electronic surveillance of a suspect location to identify wireless networks and access points. You’ll learn how to locate suspect networks and then how to recover volatile evidence commonly found on network devices (routers, switches, and hubs) as well as the volatile data from running computers.

Audience: Law enforcement investigators
Prerequisites: Completion of The Investigation of Computer Crime course (recommended)
Length: 3 days
Difficulty: Basic-to-intermediate


Firefox as an Investigative Tool and Other Online Resources

We show you why Firefox—supplemented by our list of recommended Add-ons—will soon become your favorite Internet browser to use for investigations. You’ll see a demonstration of some Firefox add-ons that will speed up your investigations by increasing functionality. Many of these add-ons fall under the category of “You better hurry up and grab it now, because it might be gone later.”

We introduce you to the SEARCH Investigative Toolbar, which is a collection of shortcuts that point to frequently used web resources. We also introduce you to the SEARCH ISP List, which is a collection of legal contact information and instructions you need in order to serve subpoenas, court orders, and search warrants to Internet Service Providers.

Network Storage

Network storage comes in all shapes and sizes and includes everything from rack storage to wireless hard drives. We introduce you to Network Attached Storage (NAS) and show you how it can be a danger for law enforcement because it’s so easy to hide. We practice setting up and configuring a wireless NAS, and we provide tips on how to locate a NAS device.

Understanding Wireless Routers

Routers—the traffic cops of the Internet—play a major role in network investigations. We show you how routers work to forward information between networks. You’ll learn about wireless access points (WAP), Dynamic Host Configuration Protocol (DHCP), and Network Interface Cards (NIC). We show you that IP lease information—in the form of a client table—can be found within a router. You will learn how to set up a router and enable log functions. This is evidence that can help your case and we show you how to get to it.

Wireless Cameras

Suspects often use wireless cameras as an early warning system or to record and then relive a criminal act. Like routers and storage devices, wireless cameras come in many shapes and sizes. We give you some tips on what to look for and then show you how they work. We show you how to locate hidden cameras and demonstrate some of the tools that will assist in the search. You will work through an exercise and gain valuable experience in setting up a wireless camera.

On-Scene Investigative Tools

Now that we know the kinds of things we’re looking for in our investigation—and how to find them—we can start to capture potential evidence. We show you some tools you can use on-scene that can provide you with valuable information. Specifically, these are tools to 1) rule out encryption, 2) look at devices on a network, 3) look for a network’s WEP or WPA passphrase, and 4) rule out a defense claim of intrusion by a third party. We present this material with an abundance of caution to investigators and urge agencies to work with prosecutors to develop digital evidence collection policies that will guide them through this area of investigation.

Network Client Geolocation

Finding information about a suspect’s network and router is intelligence gathering that you need to do before you can prepare a search warrant. We show you some network scanning tools and explain how they work. You’ll see how to focus on a target network and how to isolate a network. We talk about geolocation, and show you how you can use this feature to target a router. You’ll also see tools that can be used to scan for wifi networks.

Understanding Volatile Data

Volatile data is data that requires power to maintain its existence. If power is removed from a device, the volatile data is erased and gone forever. Examples of volatile data include a computer’s Random Access Memory (RAM) and router client lease tables. We give you a laundry list of things that can be found in the RAM, and show you why it’s important to preserve it. We walk you through the installation and operation of some of the tools that can collect volatile data.

Previewing Tools – Live Previewing

Previewing tools can help investigators determine whether or not a suspect computer contains potential evidence. Most previewing tools can quickly find potential evidence in Internet histories and in image and media files. More advanced tools can find passwords, network settings, and registry information. We walk you through the precautions you need to take to obtain this information, and we introduce you to some free tools.

Previewing Tools – Bootable Previewing with WinFE Imaging

Windows Forensic Environment (WinFE) is a tool that gives investigators a forensically safe way to conduct previews within a Windows environment. We walk you through the steps necessary to build a Windows-based, forensically sound bootable operating system using WinFE. You’ll learn what you can expect to find and hear about the limitations and restrictions of the tool. Our WinFE exploration will then walk you through the steps necessary to control the boot sequence to prevent anything from being written to the hard drive. As an added bonus, we give you the software you need to create your own version of WinFE.

Final Exercise

To pull it all together and make sure that you have grasped what’s been covered in this course, we assign a final exercise. You will be asked to take down a simulated crime scene. You will be required to locate a suspect network, collect data from the suspect network, and seize suspect network hardware.

Karen Lissy

Ms. Karen Lissy is a Justice Information Services Specialist for the Law and Policy Program of SEARCH, The National Consortium for Justice Information and Statistics. In this position, she provides assistance to state and local justice and public safety agencies to collect, curate, and use National Incident-Based Reporting System (NIBRS) data and computerized criminal history record (CCH/CHRI) information for policy analysis and development.

She also guides justice and related organizations in how to craft and implement laws, policies, practices, and technology applications to effectively collect and use CCH and related justice/public safety data; address legal, policy, and regulatory issues associated with CCH data; better manage and operate criminal justice information and identification systems; and develop security and privacy policies that protect justice information sharing systems.

Ms. Lissy has nearly two decades of research and data analysis experience, having led projects and tasks in support of two agencies within the U.S. Department of Justice’s Office of Justice Programs (the Bureau of Justice Statistics and the National Institute of Justice), as well as the Centers for Disease Control and Prevention and multiple foundations, including Ford, Annie E. Casey, and Hewlett. Prior to joining SEARCH in October 2020, Ms. Lissy served as a Social Science Researcher at RTI International, as a regional Crime Analyst for the Redmond (WA) Police Department, and as Director of a research program with the Harvard Center for Risk Analysis. Since 2012, Ms. Lissy’s work has focused on improving data in law enforcement to answer policy questions and improve community/police relations.

Ms. Lissy earned a Bachelor’s degree in Public Policy from Duke University, and a Master’s in Public Health from the University of North Carolina at Chapel Hill.

Michael Mackay

Mr. Michael Mackay is an Information Sharing Developer for SEARCH, The National Consortium for Justice Information and Statistics. As part of the Software and Data Engineering Program (SDEP) team, he plans, develops, implements, and deploys information sharing systems on behalf of SEARCH clients in local, state, tribal, and Federal government settings. He also provides programming, configuration, and testing assistance, and consults with clients on implementation architecture and design.

Mr. Mackay supports justice, public safety, and homeland security information sharing nationwide through SDEP services that include software architecture and systems design, application development, deployment and support, data management services, and direct technical assistance and training. These services offer capabilities that include federated query, authentication and access control, subscription/notification, process/workflow automation, data analysis, and more.

Prior to joining SEARCH in 2021, Mr. Mackay worked as a Software Engineering Intern for TDM Business Toole Suite, where he provided software development support using Java frameworks, implemented relational database models using MySQL, and designed GUI components using NetBeans.

Mr. Mackay will work in an Agile development environment, a methodology SEARCH embraces that focuses on incremental development and delivery, a collaborative team approach, and rapid, flexible response to change throughout the development cycle.

Mr. Mackay earned a bachelor’s degree in Computer Science and Applied Mathematics and Statistics from Stony Brook University, New York.