Seizing Electronic Evidence - PowerPoint PPT Presentation

1 / 53

About This Presentation

Title:

Seizing Electronic Evidence

Description:

The Search & Seizure Secure the scene, restrict access Preserve the area, no more fingerprints Insure the safety of all concerned Nobody touch nothing! – PowerPoint PPT presentation

Number of Views:494

Avg rating:3.0/5.0

Slides: 54

Provided by: homeSouE7

Category:

more less

Transcript and Presenter's Notes

Title: Seizing Electronic Evidence

1
Seizing Electronic Evidence

Best Practices Secret Service
ttp//www.treasury.gov/usss/electronic_evidence.ht
m
Electronic Crime Scene Investigation NIJ
ttp//www.ojp.usdoj.gov/nij/pubs-sum/187736.htm

2
Before You Twitch

Consent search or Search warrant
Understand the nature of the crime
Read the search warrant
Concerns
Safety It is a crime scene
Destruction of potential evidence
Plan, Plan, Plan
The seizure
The collection techniques
The order of events

3
Computers Crime

Fruits of crime
Stolen computers
Tool of criminal activity
Hacking, counterfeit documents
Repository of incriminating evidence
Drug records, meth formulas
Repository of contraband
Toons, Tunes
Unwitting record of criminal activity
e-mail records, Browsing history

4
Potential Evidence

Probable cause to seize HW?
Probable cause to seize SW?
Probable cause to seize Data?
Where will the search of the seized evidence be
conducted?
Careful of business interruption issues and
proprietary information.
Depends on the role of the computers in the crime.

5
Prior to Serving the Warrant

Start your investigation report
Understand the nature of the crime
Describe the role of the computer/digital device
in the crime
Describe the limits of your investigation
Probable cause for seizure
What can be seized
What can be looked at
Where is the search to be conducted

6
Expect the Unexpected

If it is not covered in your search warrant -
Get approval from DA
Get approval from Detective in charge
Take very detailed notes justifying your actions

7
Role of the Computer

Contraband computer
HW or SW stolen?
Tool of the offense
Writing counterfeit checks, Ids
Incidental to the offense
Data storage

8
Seize what

HW
SW
Data
All things digital
All things related to digital
Media, notes, documentation
Stay within the bounds of the search warrant

9
Seize/Search where

On site, in the field office, in a lab
Disposal of seized items
Consider the size of the seizure
Suspects
Interview
Passwords
Location of data
Installed software
Network
Etc.

10
Search Warrants

Electronic Storage Device Search Warrant
HW, SW, documents, storage media notes
Examination of data
Service Provider Search Warrant/Subpoena
Utilities, phone cable, satellite, cellular,
internet, etc.
Billing records, service records, subscriber
info, etc.

11
More Planning

What are the restrictions?
Photographs, video
Proprietary information
Classified information
Business records
Business continuity
Chief is ticked when he gets a law suit for
business losses!

12
The Search Seizure

Secure the scene, restrict access
Preserve the area, no more fingerprints
Insure the safety of all concerned
Nobody touch nothing!
Usually the forensic specialist will not be a
first responder.
However, often they are.

13
Notes

Keep a very detailed log of every operation
action
Details
Time
Order
They can cover a lot of mistakes during the
seizure and search
What did you do.
What reasons for doing it.
Itemize potential harm versus another way of
doing it.

14
Rule 1

If it is off, leave it off.
If it is on leave it on (for awhile)
Be very cautious if there is network visible
Such as cables
Blinking lights
Get a specialist
You are the specialist.

15
Pictures of Everything

Floor plan
Locate all equipment
Number all equipment on the floor plan
You will have to reconstruct
Photograph/Video graph
The entire area containing HW cables
The screen of each computer that is on.
Much more later

16
Photos

Items and placement
Each Item
Placement
Serial numbers
Front
Back
Cables
Anything that might be of interest.
You only get one chance to record the original
evidence

17
Examples - Scene
Photograph the placement of the seized equipment
within the general crime scene.
18
Examples - Computer
Photograph the placement of the seized equipment.
19
After Pictures of an on PC

If the computer is a stand alone PC
pull the plug
Vista is different
Do not turn it off
If it is a laptop
Pull the plug
If it is still on, it has a functioning battery
Pull the battery
Keep the battery separate

20
Examples - Screen
If the computer is on photograph the screen. If
a screen saver is evident dont wiggle the mouse
to see what is under it. Make sure it is in focus!
21
Examples - Back
Photo of the back with all of the connections
tagged. More photos of each connection
identified. In your log both ends of each
connection should identified and cross refrenced
with your photos.
22
Examples - Back
Dont forget all the network connections and
devices. Photos should show connection labels as
well as general configuration. Multiple photos.
23
Examples Serial Numbers
This is the photo of the back of the
monitor. Photos should show Model number and
serial numbers.
24
Examples Media
Photograph the media. Also be able to show the
location of the media found. Cross reference to
the sketch. Also the media should be assigned a
Item .
25
Evidence Collection

Locate Evidence
Tie to sketch
Connectivity
Photograph evidence
Coordinate with the general photographer
Assign an Item Number, tag and log in the
Evidence Inventory Form
Bag Item , Date, Time, Who
Enter into custody log
Transfer custody to Judisdictional Agency

26
Evidence Inventory Form
27
Serial Cable to Serial Port
28
Mouse Item 11
29
Network

Photograph, diagram and label everything
Can a live forensics capture suffice?
Get a sniffer on the network as close to the
gateway as possible
Ethereal on a USB device
Be prepared for this sort of situation
Tools, tools on the USB
Make sure the USB has enough memory for traffic
capture
Document every program you run on a host
Document every thing you do!

30
Network Spaghetti
31
Tag and Bag

Tape every drive slot shut
Photograph, diagram and label all components
Photograph, diagram and label all connections
Photograph, diagram and label all cables both
ends
You will have to reconstruct
Pack it for transport
Keep it away from EM
Collect all printed material
Docs, records, notes

32
Seizure

If the network is active
Do not power down any networking gear
They have no hard drives
All evidence is volatile
If no significant network traffic disconnect from
the ISP
Using the USB device harvest the routers and
switches
Then disassemble the network
Seize the servers and work stations
Get the network admin to help
They could corrupt the data, SO be careful

33
Liabilities

Criminal and civil
Destruction of business relevant data
Disruption of business services
Make detailed notes of your steps
Every step

34
Other Devices

Cell phones
Cordless phones
Answering machines
Caller ID devices
Pagers
Fax
Copiers
Home electronic devices

Printers
CD duplicators
Labelers
Digital cameras, video
GPS
Game boxes
PDAs
Tivos

35
Other Devices (contd)

Magnetic strip
Readers writers
Make credit cards
ID card writers
Smart cards
Writers readers
RFID
Writers readers
Security systems

Home grown gear
Check writers
Bar code writers
Hologram writers
Special printers
Counterfeiting

36
Cell Phones
37
Cell Phones

A treasure trove of evidence
Numbers
Dialed and received
Calling card numbers
PIN numbers
Messages
Voice, text
Time lines
All is volatile to some extent
Internet access information

38
Cell Phones

Web surfing history
Cookies
Cached data
Stored programs
ISP information
Subpoena ISP for customer information
Recent syslogs
Cell provider keeps activity records
Subpoena information
Tracks recent where abouts

39
Cell Phones

Architecture
Computer
User interface
Transceiver
OS
Networking stack
I/O
Blue tooth
IR
Serial

40
Seizure - On

If it is on, leave it on
Lockout features
Volatile memory may contain info
Access codes, PINs, passwords
Recent financial transactions
Photograph screen
Document everything you do
Take all power cords and docs
Be very careful It is on
If it does something it may construed as WIRE TAP
Put in a Faraday bag, prevents communication with
tower

41
Seizure - Off

Tag and wrap
Get to an expert
Get all the ancillary gear
Head set
Remotes
Serial connects
Find service provider
Subpoena

42
Cordless Telephones

Not as rich as cell phones
Numbers called, stored
Perhaps Caller ID
Voice mail
Recent
May contain recoverable erased voice messages
Be careful WIRE TAP
On screen info may be relevant
Photograph and document

43
Answering Machines

Same old, same old
Numbers, times, voice content
WIRE TAP caution if it is on.

44
Caller ID Boxes

More numbers and times
Unplug from phone line
WIRE TAP caution applies
If off leave it off
If on leave on
Tag, photograph, document
Does it have battery backup
No - pull the plug
Yes - get an expert
Get everything

45
Pagers

Pages
Numeric
Call back , codes, passwords, etc.
Text messages Incoming Outgoing
Info some are held on device
Others, one must subpoena from provider
Voice mail
Must subpoena from provider
E-mail
Some held on device
Others at provider

46
Pagers

Architecture
Transceiver
CPU and memory
Simple to elaborate user interface
Often has a full keyboard
Reasonable display

47
Pagers - Seizure

On
Caution real time communications intercept after
seizure
Get it away from suspect
Document and photograph
Turn it off
Caution on battery life
Tag and bag
Off
Tag and bag

48
Fax, Printer, Copier, ID Printers

Today they are converging into one machine
Architecture
Computer
Ethernet
Phone line
Massive storage 20 Gigabytes
Extensive display tree

49
Fax, Printer, Copier, ID Printers

Dial lists, e-mail addresses, times, logs,
headers
Stored documents
Sent
To be sent
Received not opened
Received opened
Photographs, personal info

50
Seizure

If off leave it off.
Tag and bag
If on
Photograph and document especially comms
connections
An attempt may be made to access memory and
capture the most recently printed document.
If the device is a scan first and then dispatch,
every thing is stored on the hard drive.
Disconnect the comms interfaces
Tag and bag
Determine phone connections
Subpoena service provider

51
Custom Stuff