Our Process

From NCSA Security R&D - University of Illinois at Urbana-Champaign



In the initial six months of the project, the NCSA team spent considerable time interviewing and gathering requirements from a range of police departments, including the University of Illinois PD, City of Urbana PD, Champaign County Sheriff's Office, City of Saint Louis PD, and the Illinois State Police. From those interviews we were able to document a small number of general scenarios that the LEFR typically encounters. The common theme across these scenarios is that someone is using electronic communications to send threatening or harassing messages to an individual. The scenarios can be broken into three categories based on the technology the perpetrator is exploiting: 1) Electronic Mail (E-Mail), 2) Instant Messaging (IM), and 3) Social Networking.


In our discussions with LE we have documented that CCTT will serve two “customers”. First, it will provide the LEFR with the guidance he/she needs to respond efficiently to complaints. Second, CCTT serves the local cyber expert, who typically becomes involved in the case only after the first responder has completed the initial investigation, by capturing and documenting all of the important evidence he/she will need to perform the initial analysis. We heard several times that the cyber expert often has to revisit the site of the complaint so that additional evidence can be captured. CCTT, properly configured, should eliminate, or at least greatly reduce, the need for the cyber expert to revisit sites.


While it is important that we capture the volatile state of the computer system that is the focus of the investigation, we have come to understand that the typical LEFR will not likely do much triage on that evidence while at the scene. Rather, the officers have indicated the need to spend their valuable time pursuing additional evidence, such as digital images of threatening e-mails or the logs related to a relevant instant message. Because of the large number of service offerings, including the many kinds of browsers (e.g. Internet Explorer (IE), Firefox), e-mail services (e.g. Outlook, G-Mail, Yahoo Mail) and IM clients (e.g. MSN, Yahoo), it can be difficult even for computer experts to navigate to the evidence, since each solution may have a very different navigation path.
