Handbook of Information Security Management: Law, Investigation, and Ethics


Section 6-2

Chapter 6-2-1
Computer Crime Investigation and Computer Forensics

Thomas Welch

Incidents of computer-related crime and telecommunications fraud have increased dramatically over the past decade. However, because of the esoteric nature of this crime, there have been very few prosecutions and even fewer convictions. The new technology that has allowed for the advancement and automation of many business processes has also opened the door to many new forms of computer abuse. Although some of these system attacks merely use contemporary methods to commit older, more familiar types of crime, others involve the use of completely new forms of criminal activity that evolved along with the technology.

Computer crime investigation and computer forensics are also evolving sciences that are affected by many external factors, such as continued advancements in technology, societal issues, and legal issues. Many gray areas need to be sorted out and tested through the courts. Until then, the system attackers will have an advantage, and computer abuse will continue to increase. Computer security practitioners must be aware of the myriad technological and legal issues that affect systems and users, including issues dealing with investigations and enforcement. This chapter covers each area of computer crime investigation and computer forensics.


According to the American Heritage Dictionary, a crime is any act committed or omitted in violation of the law. This definition causes a perplexing problem for law enforcement when dealing with computer-related crime, because much of today’s computer-related crime does not violate any formal law. This may seem to be a contradictory statement, but traditional criminal statutes in most states have only been modified over the years to reflect the theories of modern criminal justice. These laws generally envision applications to situations involving traditional types of criminal activity, such as burglary, larceny, and fraud. Unfortunately, the modern criminal has kept pace with the vast advancements in technology and has found ways to apply such innovations as the computer to his or her criminal ventures. Unknowingly and probably unintentionally, he or she has also revealed the difficulties in applying older traditional laws to situations involving computer-related crimes.

In 1979, the Department of Justice established a definition for computer crime, stating that a computer crime is any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution. This definition was too broad and has since been further refined by new or modified state and federal criminal statutes.

Criminal Law

Criminal law identifies a crime as being a wrong against society. Even if an individual is victimized, under the law society is the victim. A conviction under criminal law normally results in a jail term or probation for the defendant. It could also result in a financial award to the victim as restitution for the crime. The main purpose of prosecuting under criminal law is punishment for the offender. This punishment is also meant to serve as a deterrent against future crime. The deterrent aspect of punishment only works if the punishment is severe enough to discourage further criminal activity. This is certainly not the case in the United States, where very few computer criminals ever go to jail. In other areas of the world, very strong deterrents exist. For example, in China in 1995, a computer hacker was executed after being found guilty of embezzling $200,000 from a national bank. This certainly will have a dissuading value for other hackers in China.

To be found guilty of a criminal offense under criminal law, the jury must believe, beyond a reasonable doubt, that the offender is guilty of the offense. The lack of technical expertise, combined with the many confusing questions posed by the defense attorney, may cause doubt for many jury members, thus rendering a not guilty decision. The only short-term solution to this problem is to provide simple testimony in layman’s terms and to use demonstrative evidence whenever possible. Even with this, it will be difficult for many juries to return a guilty verdict.

Criminal conduct is broken down into two classifications depending on severity. A felony is the more serious of the two, normally resulting in a jail term of more than one year. Misdemeanors are normally punishable by a fine or a jail sentence of less than a year. It is important to understand that to deter future attacks, stricter sentencing must be sought, which only occurs under the felonious classification. The type of attack or the total dollar loss has a direct relationship to the crime classification.

Criminal law falls under two main jurisdictions: federal and state. Although there is a plethora of federal and state statutes that may be used against traditional criminal offenses, and even though many of these same statutes may be applied to computer-related crimes with some measure of success, it is clear that many cases fail to reach prosecution or fail to result in conviction because of the gaps that exist in the federal criminal code and the individual state criminal statutes.


The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.