Add to collection(s) Add to saved
  1. Social Science
  2. Law
  3. Forensic Science

1.2.Seizure

advertisement 
Seizing Electronic Evidence
●
Best Practices – Secret Service
●
●
http://www.treasury.gov/usss/electronic_evidence.htm
Electronic Crime Scene Investigation – NIJ
●
http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm
Before You Twitch
●
●
●
Consent search or Search warrant
●
Understand the nature of the crime
●
Read the search warrant
Concerns
●
Safety – It is a crime scene
●
Destruction of potential evidence
Plan, Plan, Plan
●
The seizure
●
The collection techniques
●
The order of events
What to Take Along
●
1)
Evidence Tape
●
2)
Chain of Custody forms
●
3)
Reading Glasses
●
4)
Inventory forms
●
5)
Camera (battery, memory)
●
6)
Backup disposable camera
●
7)
Tool kit. Jewelers set. Needle nose pliers.
●
8)
Sharpies, pens
●
9)
Adhesive tape
●
10)
New, wiped and verified Hard Drives in Pelican, w/lock
●
11)
Gloves
●
12)
Static wrist bands
More stuff
●
13) Tableau Pelican (ATA, SCSI, eSATA, Firefly) with power supplies and line cords. Firewire I/F cables,
laptop adaptor. Small laptop adaptor.
●
14) Firewire I/F board.
●
15) Several USB mouse. Two PS mouse.
●
16) Laptop with X-Ways and FTK (crossover tested)
●
17) eSATA interface
●
18) USB-small USB cable
●
19) PS2/USB converter
●
20) Small flatscreen monitor
●
21) UPS
●
22) Extension cord
●
23) Power strip (2)
●
24) Digital Media Flash reader
And More Stuff
●
25) DOS Boot w/Firewire USB.
●
26) DOS Boot with utilities
●
27) 1GB NIC
●
28) ATA interface with cable
●
29) CDs with WinHex, FTK, Linen,
●
30) Boot CD with Helix/Lenin, Boot USB
●
31) F-Response CD
●
32) Dongles – FTK, X-Ways, F-Response
●
33) Flashlight
●
34) Powered USB Hub
●
35) Magnifying Glass
●
36) Blank Labels
●
37) Bottle water
Computers & Crime
●
Fruits of crime
●
●
Tool of criminal activity
●
●
Drug records, meth formulas
Repository of contraband
●
●
Hacking, counterfeit documents
Repository of incriminating evidence
●
●
Stolen computers
Toons, Tunes
Unwitting record of criminal activity
●
e-mail records, Browsing history
Potential Evidence
●
Probable cause to seize HW?
●
Probable cause to seize SW?
●
Probable cause to seize Data?
●
Where will the search of the seized evidence be
conducted?
●
●
Careful of business interruption issues and proprietary
information.
Depends on the role of the computers in the crime.
Prior to Serving the Warrant
●
Start your investigation report
●
Understand the nature of the crime
●
●
Describe the role of the computer/digital device in the
crime
Describe the limits of your investigation
●
Probable cause for seizure
●
What can be seized
●
What can be looked at
●
Where is the search to be conducted
Expect the Unexpected
●
If it is not covered in your search warrant ●
Get approval from DA
●
Get approval from Detective in charge
●
Take very detailed notes justifying your actions
Role of the Computer
●
Contraband computer
●
●
Tool of the offense
●
●
HW or SW stolen?
Writing counterfeit checks, Ids
Incidental to the offense
●
Data storage
Seize what
●
HW
●
SW
●
Data
●
All things digital
●
All things related to digital
●
Media, notes, documentation
●
Stay within the bounds of the search warrant
Seize/Search where
●
On site, in the field office, in a lab
●
Disposal of seized items
●
Consider the size of the seizure
●
Suspects:
●
Interview
●
Passwords
●
Location of data
●
Installed software
●
Network
●
Etc.
Expectation of Privacy
●
●
There is no blanket guarantee of privacy in the
Constitution.
The 4th Amendment sufficed until telephones
etc.
●
The Wire Tap Law (1934)
●
Further refined in:
●
ECPA 1986
●
CALEA
Legal Invasion of Privacy
Legal Instruments for Search and Seizure
●
Search Warrants
●
Warrantless Searches
●
Subpoenas
●
Wire Taps/Surveillance
●
FISA – It is a new world.
●
NSL – It is a brave new world
●
NSA – ???
Search Warrant
●
Obey the Constitution
●
Specifies
●
●
●
Place
●
Persons
●
Stuff – papers, effects
Show Probable cause
●
Contained in a sworn affidavits
●
Support for probable cause
Signed by a Judge with jurisdiction
Warrants
●
Expectation of privacy
●
In public places
●
Requires warrants to conduct surveillance
●
If given to a 3rd party, no expectation of privacy
●
–
Telephone records, bank deposits,etc.
–
Requires subpoena
Careful: Exclusionary Rule
●
If government agents engage in unlawful searches of
seizures, then all fruits of search are excluded from further
legal action.
Warrant
●
●
Warrant to seize computer HW is different from
warrant to seize information.
Seize HW if the HW is contraband, evidence, etc.
●
●
Warrant should describe HW.
Seize information if it relates to probable cause.
●
Warrant should describe information.
●
Either image HDD on site OR
●
Seize the HW and image at the office
●
Be sure you have a warrant for and description of HW.
Back to Warrants
●
Search warrants and computers, etc.
●
Much confusion over the wording of the warrant
●
Search and Seize
●
HW
●
Contents
●
Information
●
Where – home or the office?
Search Warrants for Computer stuff
●
Be very careful
●
Get 2 search warrants
●
Number 1:
●
●
Search premises, people, vehicles, etc.
●
Seize computers, docs, data media, etc.
Number 2:
●
Search the contents of the computers, digital devices, etc.
●
Business practice concerns taken
Warrantless Searches
●
Permission
●
Incident to arrest
●
Plain sight
●
Recent Oregon ruling
“Through the window of ones home is not in plain sight”
Search Warrants
●
Electronic Device Search Warrant
●
●
●
HW, SW, documents, storage media notes
Stored Data
●
Requires a separate warrant
●
Examination of data
Service Provider Search Warrant/Subpoena
●
Utilities, phone cable, satellite, cellular, internet, etc.
●
Billing records, service records, subscriber info, etc.
More Planning
●
What are the restrictions?
●
Photographs, video
●
Proprietary information
●
Classified information
●
Business records
●
Business continuity
●
Chief is ticked when he gets a law suit for business losses!
The Search & Seizure
●
Secure the scene, restrict access
●
Preserve the area, no more fingerprints
●
Insure the safety of all concerned
●
Nobody touch nothing!
●
●
Usually the forensic specialist will not be a first
responder.
However, often they are.
Notes
●
●
Keep a very detailed log of every operation action
●
Details
●
Time
●
Order
They can cover a lot of mistakes during the seizure
and search
●
What did you do.
●
What reasons for doing it.
●
Itemize potential harm versus another way of doing it.
Rule # 1
●
If it is off, leave it off.
●
Photograph the screen and then pull the plug
●
Be very cautious if there is network visible
●
Such as cables
●
Blinking lights
●
Get a specialist
●
You are the specialist.
Pictures of Everything
●
●
Floor plan
●
Locate all equipment
●
Number all equipment on the floor plan
●
You will have to reconstruct
Photograph/Video graph
●
The entire area containing HW & cables
●
The screen of each computer that is on.
●
Much more later
Photos
●
Items and placement
●
Each Item
●
●
Placement
●
Model numbers, Serial numbers
●
Front
●
Back
●
Cables
●
Anything that might be of interest.
You only get one chance to record the original
evidence
After Pictures of an “on” PC
●
●
If the computer is a stand alone PC
●
pull the plug
●
Vista is different
●
Do not turn it off
If it is a laptop
●
Pull the plug
●
If it is still on, it has a functioning battery
–
Pull the battery
–
Keep the battery separate
New World
●
Have to beat the trojan defense
–
●
Business interruption
–
●
Live acquisition
Live acquisition
Network activity
–
Network sniffer
Examples – Screen(s)
If the computer is on photograph the screen. If a screen saver is evident
don’t wiggle the mouse to see what is under it. Make sure it is in focus!
Tape All Orifices with
Break Away Tape
Prove: No one has touched the system.
Back
Photo of the back with all of the connections tagged. More photos
of each connection identified. In your log both ends of each connection
should identified and cross refrenced with your photos.
Front
Inside
Hard Drive S/N & System S/N
IDs and S/Ns are important
Network Gear
Don’t forget all the network connections and devices. Photos should show
connection labels as well as general configuration. Multiple photos.
Examples – Serial Numbers
This is the photo of the back of the monitor.
Photos should show Model number and serial numbers.
Examples – Media
Photograph the media. Also be able to show the location of the media found.
Cross reference to the sketch. Also the media should be assigned a Item #.
Evidence Collection
●
●
Locate Evidence
●
Tie to sketch
●
Connectivity
Photograph evidence
●
●
Coordinate with the general photographer
Assign an Item Number, tag and log in the Evidence
Inventory Form
●
Bag – Item #, Date, Time, Who
●
Enter into custody log
●
Transfer custody to Judisdictional Agency
Evidence
Inventory
Form
Serial Cable to Serial Port
Network
●
Photograph, diagram and label everything
●
Can a live forensics capture suffice?
●
Get a sniffer on the network as close to the gateway
as possible
●
●
Ethereal on a USB device
Be prepared for this sort of situation
●
Tools, tools on the USB
●
Make sure the USB has enough memory for traffic capture
●
Document every program you run on a host
●
Document every thing you do!
Network Spaghetti
Tag and Bag
●
Tape every drive slot shut
●
Photograph, diagram and label all components
●
Photograph, diagram and label all connections
●
Photograph, diagram and label all cables – both ends
●
You will have to reconstruct
●
Pack it for transport
●
Keep it away from EM
●
Collect all printed material
●
Docs, records, notes
Seizure
●
●
●
If the network is active
●
Do not power down any networking gear
●
They have no hard drives
●
All evidence is volatile
●
If no significant network traffic disconnect from the ISP
Using the USB device harvest the routers and
switches
Then disassemble the network
●
●
Seize the servers and work stations
Get the network admin to help
●
They could corrupt the data, SO be careful
Liabilities
●
Criminal and civil
●
Destruction of business relevant data
●
Disruption of business services
●
Make detailed notes of your steps
●
Every step
Other Devices
●
Cell phones
●
Printers
●
Cordless phones
●
CD duplicators
●
Answering machines
●
Labelers
●
Caller ID devices
●
Digital cameras, video
●
Pagers
●
GPS
●
Fax
●
Game boxes
●
Copiers
●
PDA’s
●
Tivo’s
●
Home electronic
devices
Other Devices (cont’d)
●
●
●
Magnetic strip
Readers& writers
–
Check writers
●
Make credit cards
–
Bar code writers
–
Hologram writers
–
Special printers
ID card writers
Smart cards
Writers & readers
RFID
●
●
Home grown gear
●
●
●
●
Writers & readers
Security systems
●
Counterfeiting
Cell Phones
Cell Phones
●
A treasure trove of evidence
●
Numbers
●
●
Dialed and received
●
Calling card numbers
●
PIN numbers
Messages
●
Voice, text
●
Time lines
●
All is volatile to some extent
●
Internet access information
Cell Phones
●
Web surfing history
●
Cookies
●
Cached data
●
Stored programs
●
ISP information
●
Subpoena ISP for customer information
●
Recent syslogs
●
Cell provider keeps activity records
●
Subpoena information
●
Tracks recent where abouts
Cell Phones
●
Architecture
●
Computer
●
User interface
●
Transceiver
●
OS
●
Networking stack
●
I/O
–
Blue tooth
–
IR
–
Serial
Seizure - On
●
If it is on, leave it on
●
Lockout features
●
Volatile memory may contain info
–
Access codes, PINs, passwords
–
Recent financial transactions
●
Photograph screen
●
Document everything you do
●
Take all power cords and docs
●
Be very careful – It is on
–
If it does something it may construed as WIRE TAP
–
Put in a Faraday bag, prevents communication with tower
Seizure - Off
●
Tag and wrap
●
Get to an expert
●
Get all the ancillary gear
●
●
Head set
●
Remotes
●
Serial connects
Find service provider
●
Subpoena
Cordless Telephones
●
Not as rich as cell phones
●
Numbers called, stored
●
Perhaps Caller ID
●
Voice mail
●
●
Recent
●
May contain recoverable erased voice messages
●
Be careful – WIRE TAP
On screen info may be relevant
●
Photograph and document
Answering Machines
●
Same old, same old
●
Numbers, times, voice content
●
WIRE TAP caution if it is on.
Caller ID Boxes
●
More numbers and times
●
Unplug from phone line
●
WIRE TAP caution applies
●
If off leave it off
●
If on leave on
●
Tag, photograph, document
●
Does it have battery backup
●
●
●
No - pull the plug
Yes - get an expert
Get everything
Pagers
●
Pages
●
Numeric
●
●
Text messages – Incoming & Outgoing
●
●
●
Info – some are held on device
Others, one must subpoena from provider
Voice mail
●
●
Call back #, codes, passwords, etc.
Must subpoena from provider
E-mail
●
●
Some held on device
Others at provider
Pagers
●
Architecture
●
Transceiver
●
CPU and memory
●
Simple to elaborate user interface
●
Often has a full keyboard
●
Reasonable display
Pagers - Seizure
●
●
On
●
Caution: real time communications intercept after seizure
●
Get it away from suspect
●
Document and photograph
●
Turn it off
●
Caution on battery life
●
Tag and bag
●
Tag and bag
Off
Fax, Printer, Copier, ID Printers
●
Today they are converging into one machine
●
Architecture
●
Computer
●
Ethernet
●
Phone line
●
Massive storage – 20+ Gigabytes
●
Extensive display tree
Fax – Printer - Copier
Fax, Printer, Copier, ID Printers
●
Dial lists, e-mail addresses, times, logs, headers
●
Stored documents
●
Sent
●
To be sent
●
Received – not opened
●
Received – opened
●
Photographs, personal info
Seizure
●
If off leave it off.
●
●
If on
●
●
●
●
Tag and bag
Photograph and document especially comms connections
An attempt may be made to access memory and capture the
most recently printed document.
If the device is a scan first and then dispatch, every thing is
stored on the hard drive.
●
Disconnect the comms interfaces
●
Tag and bag
Determine phone connections
●
Subpoena service provider
Custom Stuff
●
RFID readers/writers
●
Credit card readers/writers
●
Smart card readers/writers
●
Bar code readers/writers
Security Systems
●
Ingress/egress logs – time line, IDs
●
Service provider
●
System info
●
Photograph and document location of all devices
●
Text, video
●
Tag and bag all stored data and recorded data.
●
Detailed documentation – you can’t tag and bag
Stuff
●
Docs, notes, documentation, etc.
●
Credit cards, smart cards, RFIDs, etc
●
CDs, DVDs – all media
Related documents
Wislawa Szymborska
Wislawa Szymborska
Springboard 1.13 Bharti Mukherjees personal essay Two
Springboard 1.13 Bharti Mukherjees personal essay Two
Company Presentation
Company Presentation
ELIAS - 2015 Traffic Records Forum
ELIAS - 2015 Traffic Records Forum
Arrest, Search and Seizure
Arrest, Search and Seizure
The Logical Structure of Argument
The Logical Structure of Argument
Post War Uncertainty
Post War Uncertainty
Look: if you had one shot
Look: if you had one shot
V-J day in Times Square
V-J day in Times Square
Constitutional Amendments Related to Forensics
Constitutional Amendments Related to Forensics
2010_Martinez - Mass Legal Services
2010_Martinez - Mass Legal Services
Dr Kathryn Swoboda
Dr Kathryn Swoboda
Money Market instruments
Money Market instruments
Download
advertisement