Placing the Suspect Behind the Keyboard

The following is an excerpt from chapter 11 of Placing the Suspect Behind the Keyboard, written by Brett Shavers and published by Syngress, in which the author describes the life and casework of a cyber-investigator.


This investigative field is not just digital forensics. It encompasses all things digital, not just computers, from a single flash drive to a global network. Our personal electronic devices are interconnected, and they connect instantly to the devices of others around the world, sharing information. Each person has a personal virtual network consisting of social networking websites, home networks, work networks, and mobile devices connected wirelessly to those networks.

Of course, this does not make it any easier to explain to a client or case agent that even if the digital forensics on a hard drive is easy, proving that a particular person was at that keyboard is not. There are many factors to consider beyond the electronic data in order to build enough circumstantial evidence to identify the suspect.

So from now on, take a different look at your suspects. Look at each suspect as having their own personal network of connectivity between devices and people. There are connections to be found. A connection that links your suspect to a crime could be an IP address, a username, or a posting on a blog. There will almost certainly be a connection between the victim and the suspect, at least an electronic one. Just make sure the connections are real and not planted as red herrings to mislead your investigation.


Technical knowledge and skills

The vast amount of technical knowledge needed to place a suspect behind a keyboard makes this task difficult. Cybercrime investigations are no longer just the forensic analysis of a computer hard drive. They require the identification of any and all devices connected to the crime, which can be any number of devices of many different types. Smartphones, tablets, flash drives, and digital cameras add to the complexity of cyber cases, not only because of the sheer number of devices involved but also because of the technical skills needed to analyze each of them.

Today's cybercrime fighter must have an overall grasp of how any electronic device may be used to facilitate a crime, as well as the specific and specialized knowledge needed to examine those devices. Just as one device may contain evidence that supports the allegations, another device may contain evidence that is exculpatory. Keeping up with technology is challenging when you are constantly trying to keep up with your cases. So what can you do to keep up your skills?


One of the ways to keep up your analysis skills is to modify your reading habits. Instead of reading a fictional love story, read a non-fiction book on file systems. Find and evaluate the casework of others, whether published online or sitting in your own office. Review cases you have completed in the past and see if there is anything you would do differently today. Maybe you have since learned new methods, or now use better software, that would have produced better results. Keeping up your skills means constantly evaluating and improving yourself.

One of the quickest ways to learn about a newly discovered forensic artifact or method is through the sharing of others. Many of us painfully learn from our own mistakes, while some of us choose to learn from the mistakes of others. Those who have suffered through a difficult forensic analysis and solved hard problems usually tried many different methods and tools to overcome the obstacles. When these examiners share what worked and what did not, everyone benefits. Ideally, each shared success leads to further advances in forensic analysis, which are in turn shared with the community.

Not sharing the discovery of a new forensic artifact can be considered selfish, but then, no one would know about it anyway. Withholding advanced skills and knowledge from the community at large stymies the development of the digital forensics field and prevents the newly discovered process from being vetted by that community.

In order for practices and procedures to become accepted, they must be commonly used and practiced by a community of practitioners. Courts generally accept commonly used practices with little, if any, questioning. Those who have kept the "secret sauce" to themselves run the risk of having their efforts and work vetted, and potentially torn apart, in court.

There are many examples of how sharing information among the community produces more effective forensic analysts. One example is the collection of physical memory. Not so many years ago, physical memory was not considered a primary evidence source, so much so that running computers were forcefully and abruptly shut down by pulling the power cord from the back of the machine. Today, that same action destroys gigabytes of electronic data: running processes, active network connections, unsaved documents, and, on a machine with mounted encrypted volumes, the keys needed to read them. Had those who researched, tested, and shared their findings about physical memory not done so, we would still be yanking power cords on every machine we find, including the machines that absolutely need physical memory preserved.

This case is different from that case

Every investigation is unique because people are unique. Forensic artifacts present in one case may not exist in another. Even within the same case, the storage media being analyzed will differ, requiring different skill sets and tools. Motives differ from one suspect to the next, as does each suspect's technical skill level.

Knowing that every suspect is different from the next, that there are many ways to commit the same crime, and that the technology used depends on the choices of the suspect, take a breath and think before going fishing in an ocean of electronic data. If your job is solely digital forensics, with no interaction with victims or suspects, you need constant communication with the case agent. The forensic examiner needs to know the objectives and goals of the investigation. Analyzing terabytes of data is already akin to searching for a needle in a haystack of needles. Being made aware of the case details and the investigator's needs will prevent frustration for everyone involved in the case.

Investigations, whether criminal or civil in nature, in which the forensic examiner is purposely kept unaware of intimate case details will only result in a massive amount of time spent needlessly, hoping that evidence will miraculously jump out during the exam. In most cases, knowing the details of an investigation enables the forensic analyst to target specific data, in specific areas, that may resolve the case or produce investigative leads that satisfy the case goals. It is as much the forensic examiner's responsibility to ask as it is the case agent's (or client's) responsibility to inform the forensic examiner of important information.


About the author:
Brett Shavers is a former law enforcement officer of a municipal police department. He has been an investigator assigned to state and federal task forces. Besides working many specialty positions, Brett was the first digital forensics examiner at his police department, attended over 2000 hours of forensic training courses across the country, collected more than a few certifications along the way, and set up the department's first digital forensics lab in a small, cluttered storage closet.

This was last published in March 2014
