INTERMEDIATE CRIME SCENE SEARCH TCOLE Course # 2106 32 to 40 hours AND UNIT TEN BCCO PCT #4 PowerPoint
Learning Objectives Learning Objective 10.1 The student will be able to summarize a process of identifying, documenting, securing, and processing potential computer and other electronic evidence. Learning Objective 10.1.1 The student will be able to list a basic guideline for identifying potential computer and/or other electronic evidence. Learning Objective10.1.2 The student will be able to identify a basic guideline for conducting preliminary interviews.
Learning Objective 10.1.3 The student will be able to explain the importance of maintaining a “chain of custody” when securing and processing all electronic date and evidence. Learning Objective 10.1.4 The student will be able to identify the methods for documenting computer and other electronic evidence. Learning Objective 10.1.5 The student will be able to identify the methods for securing and processing computer and other electronic evidence. Learning Objective 10.1.6 The student will be able to explain important considerations for securing and processing computers located in a complex environment.
Learning Objective 10.1.7 The student will be able to explain important considerations for securing and processing general electronic devices and peripheral evidence. Learning Objective 10.1.8 The student will be able to identify some common mistakes when handling electronic evidence. Learning Objective 10.1.9 The student will be able to demonstrate how to identify, document, secure, and process potential computer and other electronic evidence
10.0Computer and Other Electronic Evidence COMPUTER EVIDENCE INVESTIGATION
10.1 Computer & Other Electronic Evidence COMPUTER Process of identifying, documenting, securing, and processing potential computerand other electronic evidence. INVESTIGATION
10.1.1 Basic Guidelines for Identifying Computer & Other Electronic Evidence A. Search, locate, and clearly identify potential evidence. B. The first responder should visually identify the potential evidence, both conventional (physical) and electronic. Determine if perishable evidence (data that can be lost or deleted) exists.
D. Evaluate the scene and formulate a searchplan. If necessary, contact an a person who specializes in information technology, specifically computer forensics. 1. Specialized knowledge is required to avoid damaging evidence while performing even such simple tasks as starting up the electronic device or opening a file or directory to inspect the contents.
D. 2. Different tools and techniques are required for different operating systems and different software computer products. For instance, some e-mail systems save messages in a simple textual format that can be readily searched using keyword searches. Other e-mail products save messages in a compressed format to save disk space
D. 3. The investigator must know when to use normal keyword searches, when to use the e-mail system itself, or when to use specialized utilities to examine message contents. F. Follow Agency policy, procedure, SOP, protocol and Texas State Laws. COMPUTER INVESTIGATION
10.1.2 Conducting Preliminary Interviews (Guidelines) COMPUTER A. Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at the time of entry. INVESTIGATION
COMPUTER B. Referring to your Agency policy, procedures, SOP and current Texas law, obtain the following information: 1. Owners and/or users of electronic devices found at the scene, as well as passwords, user names and Internet service provider. INVESTIGATION
COMPUTER B. 2. Any passwords required accessing the system, software, or data. (Example: multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access, token, scheduler, or contact list.) INVESTIGATION 76508ABC#
PASSWORD PROTECTED 76508ABC#
B. 3. Purpose of the system. 4. Any offsite data storage. 5. Any other important information pertaining to the hardware, software, and/or actual device. COMPUTER INVESTIGATION
DATA STORAGE DEVICES
10.1.3 “CHAIN of CUSTODY” Securing & Processing Electronic Evidence COMPUTER A. The key point is to keep a detailedlist of individuals who had control of the evidence at any point, from collection to final disposition. INVESTIGATION
B. It is in the best interest of the investigator and the agency to treat all investigations with the mindset that every action taken during the search may one day be under the scrutiny of individuals who desire to discredit techniques used, the officer’s testimony, and basic fact finding skills used
C. Start maintaining a chain of custody of potential evidence early in the response process. D. Create evidencetags for each hard drive or media identified and seized: 1. Time and date of the action. 2. CaseNumber assigned. 3. Number of particular evidence tag (i.e. in sequential order).
EVIDENCE TAG #_____ CASE # TIME & DATE TAG NUMBER
D. 4. Whether or not consent is required and the signature of the person who owns the information being seized. 5. The owner of the evidence before it was seized, or who provided the information. 6. A complete description of the evidence, including the quantity, if necessary.
7. Nameof individual, crime laboratory, and/or storage facility who received the evidence from the investigator, and the signature of the recipient. 8. Date of transfer. 9. Reason the evidence was given to another person. LAB ANALYSIS
E. Each time the evidence exchanges possession from one person to another, or moves from one location to another, the investigator must record this transaction. For instance, if the officer moves the initial forensic duplication from a hard drive to many CD-ROMS, the officer must record this transfer.
EVIDENCE Agency: ________________________ Case #: _________________________ Officer:_____________ ___________ Printed Last Name Printed First Name Badge #:_________ Initials _________ Date:____/___/____ Time:_______ Location: ________________________ Physical address item recovered _____________ ________ __________ City State Zip TAG# ___ Brief Description of Evidence:
F. It is also important to document information about the items that are being seized. For instance, if the investigator decides to make forensic duplications of several mail servers located in a single office, document the following information: 1. Individuals who occupy the office.
2. Names of employees that may have access to the office. . 3. Location of the computer systems in the room. . 4. State of systems (whether it is powered on, and what is visible on the screen.). . 5. Network connects or modem connections.
F. 6. Individuals present at the time, the forensic duplication was performed. 7. Serial numbers, models, and makes of the hard drives and the components of the system. 8. Peripherals attached to the system.
G. It is critical to record all pertinent information possible and maintain the chain of custody. H. A well documented evidence tag only takes a few minutes to create. I. Follow Agency policy, procedure, SOP and protocol.
10.1.4 Documenting Computer & Other Electronic EVIDENCE COMPUTER A. The scene should be documented in detail. B. Initial documentation of the physical scene: 1. Observe and document the physical scene, such as the position of the mouse and the location of EVIDENCE
B.1.(Cont’d): components relative to each other (e.g., a mouse on the left side of the computer may indicate a left-handed user). 2. Document the condition and location of the computersystem or other electronic device , including its power status (on, off, or in sleep mode
B.3. Most electronic devices have status lights that indicate that it is on. 4. If fannoise is heard on a computer, the system is probably on. 5. If the device (especially a computer system) is warm, this may also indicate that it is on or was recently turned off.
B.6. Identify/document related electronic components that will not be collected. 7. Photograph the entire scene to create a visualrecord as noted by the first responder. The complete room should be recorded with 360 degrees of coverage, when possible.
B. 8. Photograph the front of the computer as well as the monitorscreen and other components. This applies to other electronic devices that are seized. 9. Take writtennotes on what appears on the monitor screen, or screen of any other electronic device
B. 10. Active programs may require videotaping or more extensive documentation of monitor screen activity. 11. Additional documentation of the system will be required during the collectionphase.
CAUTION Note: Movement of a computer system while the system is running may cause changes to system data. Therefore, the system should not be moved until it has been safely powereddown. This is detailed in Chapter 5 of the Electronic Crime Scene Investigation. (July 2001). U.S. Dept. of Justice, Office of Justice Programs.
SECURING 10.1.5 Securing & Processing Computers & Other Electronic EVIDENCE A. Evaluating the scene. 1. Follow Agency policy, SOPand protocol for securing the crime scene. a. This would include ensuring that all persons are removedfrom the immediate crime scene area from which evidence is to be collected. COMPUTER EVIDENCE
A. Evaluating the scene. 1. b. At this point in the investigation do not alter the condition of any electronicdevices: c. Protect perishable data physically and electronically.
A. Evaluating the scene. 1. d. Perishable data may be found on pagers, callerIDboxes, electronic organizers (PDAs), cell phones, and other similar devices, as well as other electronic devices, see Objective 7.7.6.
A. Evaluating the scene. 1. e. The first responder should always keep in mind that any device containing perishabledata should be immediately secured, documented, and/or photographed. COMPUTER HARD DRIVE TREASURE TROVE OF INFORMATION
A. Evaluating the scene. 2. Identify telephonelines attached to electronic devices, such as caller ID boxes. a. Document, disconnect, and label each telephone line from the wall rather than the device, when possible.
A. Evaluating the scene. 2. b. There may also be other communication lines present for LAN/Ethernet connections. c. Consult appropriate personnel or agency in these cases. For us call Deputy Constable John Terry
A. Evaluating the scene. 3. Latent fingerprints. a. Keyboards, computer mouse, diskettes, CDs, or other components may have latentfingerprints or other physical evidence that should be preserved. b. Chemicals used in processing latent prints can damage equipment and data
A. Evaluating the scene. 3. c. Therefore, latentprints should be collected after electronic evidence recovery is complete. B. Collecting electronic evidence. 1. Should be collected according to Agency policy, procedure and protocol
B. Collecting electronic evidence. 2. In the absence of Agency guidelines outlining procedures for collecting electronic evidence, the following methods are suggested. a. Prior to the collection of evidence, it is assumed that locating and documenting has been done as described above
B. Collecting electronic evidence. 2. b. Recognize that other types of evidence such as trace, biological, or latent prints may exist. c. Destructive techniques (e.g., use of fingerprint processing chemicals) should be postponed until after electronic evidence recovery is done.
B. Collecting electronic evidence. 3. Making back-upcopies of information stored in computers reduces the possibility that evidence will be altered of destroyed.
C. Evidence. 1. Recovery of non-electronic evidence can be crucial in the investigation of electronic crime. 2. Proper care should be taken to ensure that such evidence is recovered and preserved.
C. Non-electronic evidence. 3. Items relevant to subsequent examination of electronic evidence may exist in other forms and should be secured and preserved for future analysis; • notes, • blank pads of paper with indented writing, • hardware and softwaremanuals • calendars, • literature, • text or • graphical computer printouts and photographs)