Scene of the Cybercrime: Computer Forensics Handbook

In Chapter 3, we mentioned that, in addition to traditional investigative skills, a good cybercrimes investigator needs a thorough understanding of the technology that is used to commit these crimes. Just as a homicide investigator must know something about basic human pathology to understand the significance of evidence provided by dead bodies (rigor mortis, lividity, blood-spatter patterns, and so forth), a cybercrimes investigator needs to know how computers operate so as to recognize and preserve the evidence they offer.
A basic tenet of criminal investigation is that there is no perfect crime. No matter how careful, a criminal always leaves something of him- or herself at the crime scene and/or takes something away from the scene. These clues can be obvious, or they can be well hidden or very subtle. Even though a cybercriminal usually never physically visits the location where the crime occurs (the destination computer or network), the same rule of thumb as for traditional crimes applies: Everyone who accesses a network, a system, or a file leaves a track behind. Technically sophisticated criminals might be able to cover those tracks, just as sophisticated and careful criminals are able to do in the physical world, but in many cases they don't completely destroy the evidence; they only make the evidence more difficult to find.
For example, a burglar might take care to wipe all fingerprints off everything he's touched while inside a residence, removing the most obvious, and often the most helpful, evidence that proves he was there. But if...