Evidence Seizure
    Evidence Seizure Presentation Transcript

    • High Tech Evidence
      • Identification
        • Types of evidence
      • Preservation
        • Physical and chain of evidence
      • Presentation
        • In court
      • Storage guides
    • Identification
      • Consider all items real and virtual which could be evidence
      • Must be described in the search warrant (SW)
      • Often determined by the “type” of crime
      • Sophistication of suspect
    • Types of Computer Related Evidence
      • Paper output
        • Ledgers
        • Address books
        • Correspondence
        • Diary
        • Hacker notes
    • Types of Computer Related Evidence
      • Computer paraphernalia
        • Computers, keyboards and monitors
        • Disks and diskettes
        • Magnetic tape storage units
        • Phones (memory dialers)
        • Circuit boards and components
        • Modems
    • Types of Computer Related Evidence
        • Printers and other hardcopy hardware
        • Mouse, digitizers, cables and other connectors
        • Software and manuals
    • Where Computer Related Evidence May Be Found
      • Desktops
      • Monitors
      • Next to phones
      • In wallet
      • In suspect’s pocket
    • Where Computer Related Evidence May Be Found
      • Garbage cans
      • Under keyboards
      • Dependent only on the size of item being searched for
      • And the imagination of suspect
    • Steps for Locating Computer Evidence
      • Look for evidence of computer use
      • Examine the evidence for criminal content
      • Search limited by the location described in warrant
      • Search limited by the size of smallest item listed in warrant
    • Evidence Preservation
      • Determine if the evidence can be collected and preserved for future analyses
      • Have a plan for proper packaging and transport
      • Keep “chain of evidence” in mind
    • Evidence Preservation
      • Document everything
      • Practice safe evidence handling - wear rubber gloves!!!!!!!!!
        • Don’t let your prints be the only ones found :-)
    • Collecting the Evidence
      • Fragility of computer evidence
        • Computer related evidence is like any other evidence you might find with one exception:
          • It tends to be very volatile and can easily be damaged or destroyed. Handle it with extra care and follow documented procedures for preserving computer and electronic evidence
    • Collecting the Evidence
      • Avoid magnetic fields
      • Avoid excessive heat
      • Avoid direct sunlight
      • Don’t touch magnetic media with your skin
    • Collecting the Evidence
      • Static electricity
        • Avoid touching exposed wires or circuit boards
        • DO NOT place items in plastic evidence bags
        • DO NOT place items in boxes of foam peanuts
    • Collecting the Evidence
      • Do use paper bags or cardboard boxes
      • Do use original packaging material
    • Collecting the Evidence
      • It is advisable that only investigators with sufficient knowledge and hands-on computer experience deal with computers, peripherals, diskettes, programs, etc., as well as with other technical or specialized equipment during searches
    • Collecting the Evidence
      • However, it is paramount in four instances
        • Mainframes
        • Minicomputers
        • Specialty computers
    • Collecting the Evidence
        • Hacker systems
      • Note:
        • When you have a case involving a computer as the object or means of committing a crime, do not turn the computer off if it is on until you are sure the data in temporary memory has been "saved"
    • Simple Overview of Seizing a Computer
      • Rule number 1
        • Preserve the evidence
        • Don’t let the suspect near the machine
        • Don’t let cops or “computer experts” play with the computers to “see what’s inside.”
      • Both can be equally destructive
    • Preserve The Evidence
      • Photograph and document everything
      • Rule to remember: if you’re comfortable the computer is comfortable
    • Start Chronological Case Work Sheet
      • List the date, time and description of the computer
      • List the identity of those assisting you and witnesses to your activity
    • Use Chronological Case Work Sheet
      • List the date, time and action taken
      • Record your investigative clues and leads
      • List the date, time and programs or utilities used
      • Continue use throughout investigation/examination
    • Evaluate the Condition of the Computer
      • Is the computer on or off?
      • If the computer is on, what is the computer doing?
      • If a computer is on, there is a good chance it is doing something depending on where it is
    • Evaluate the Condition of the Computer
      • For example: running Windows, accounting software, checking software, BBS, word processor, etc.
      • Assess the potential for loss of data from outside threats such as weather, electrical and magnetic conditions
      • Determine if the computer is connected to other computers by network or modem
    • Evaluate the Condition of the Computer
      • Networks are gaining in popularity as their prices come down. Simple network prices are at the point where they are affordable for average home users
      • Consider the previous conditions to determine if the computer should be turned off or left running for a period of time and photograph the screen with a video camera
    • Evaluate the Condition of the Computer
      • If the computer has a large RAM disk and all your evidence is on the RAM disk and you turn the computer off without saving it, what happens to your evidence?
      • Photograph the computer using 35mm, Polaroid, digital and/or video camera
      • Photograph the front and back of the computer
    • Evaluate the Condition of the Computer
      • Photograph cables
      • Photograph attached hardware
      • Take pictures of anything that may be of value or used for evidence
      • This could be the hidden location of floppies, printed material, hard drives and other hardware
    • Evaluate the Condition of the Computer
      • Boot the computer from the floppy drive
      • Mark and tag all cables and hardware
      • Use wire tags and stick on labels for each item seized
        • This ensures you can return the computer to its original configuration
    • Evaluate the Condition of the Computer
      • If you are seizing more than one computer system, first number the computers and then tag the cables and hardware using the computer number, so that when you get the whole mess back to the shop they can be put back together properly
      • Prepare the computer for transport
      • Shut down the computer
    • Evaluate the Condition of the Computer
      • Package the computer, cables and other hardware in boxes after entering the evidence description in the search warrant program
      • Keep boxes for each computer together during transport and storage
      • Place the first label on the item or its bag
      • Place the second label on the box identifying each item in the box
    • Evaluate the Condition of the Computer
      • Seizing floppies and other removable media
      • Count floppies and other removable media
      • Mark them using an indelible colored marker or labels. Do not use pencils or ball point pens as they may damage the diskette media
    • Evaluate the Condition of the Computer
      • Keep magnetic media separate from other seized items. This will aid you later in the interrogation of the disks so you don't have to look through dozens of boxes and envelopes for diskettes
      • Place seized diskettes in separate boxes for each room
      • It will save you a lot of time and trouble sorting through them later
    • Search the Area Carefully
      • Diskettes and small media hide themselves in the strangest places
      • We often find them inside books, taped to the bottom of keyboards, in chests of drawers, shirt pockets and other surprising places
    • Transportation of Evidence
      • Pack the transport vehicle with care
      • Place the CPU and other computer related hardware and software in a safe place for transport
      • Items fall out of pickups and bounce around in large trucks
      • Magnets in radios in the trunks of vehicles and excessive heat can damage media or hardware
    • Magnets and Degaussing Equipment.
      • Be aware of the possible presence of degaussing equipment (magnets) placed in the crime scene by the suspect
        • Evidence has been lost due to the presence of large degaussing hardware hidden in a doorway and operated by a wall switch
      • A simple compass will detect any strong electromagnetic currents
    • Preservation of Evidence
      • Package properly
      • Handle carefully
      • Mark clearly
      • Primary rule: if you are comfortable, the computer is comfortable
    • What to Take
      • If you are seizing computer equipment, you may want to take everything
      • You may only take data
        • If you leave computer equipment, hardware, software or manuals, you may need them later in your investigation
        • Also, after you leave, the equipment may disappear altogether
    • Chain of Evidence
      • Documentation of dominion and control of evidence
      • Physical security of evidence
      • Clearly marked so as to provide positive identification in court
      • Begins when evidence is identified
      • Ends when court/prosecutor releases same
    • Documentation
      • Photograph
      • Sketch
      • Mark/label
      • Package
      • Transport
      • Secure
    • Chain of Evidence Presentation
      • Documentation including reports and packaging must clearly show:
        • Person
        • Date
        • Time
        • Location
      • For each person handling (receiving) the evidence
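
The chain-of-evidence requirements listed above (person, date, time and location for each person receiving the item, with the chain beginning at identification and ending at release) can be checked mechanically when the log is kept electronically. The Python below is an added example, not part of the original presentation; the `CustodyEntry` fields, the action names, the label format and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class CustodyEntry:
    item: str      # evidence label number (constructed format)
    action: str    # "identified", "received" or "released"
    person: str
    date: str      # YYYY-MM-DD
    time: str      # HH:MM
    location: str

def audit_chain(entries):
    """Return the problems found in one item's custody log (empty list = clean)."""
    if not entries:
        return ["no custody entries"]
    problems = []
    if entries[0].action != "identified":
        problems.append("chain does not begin when the evidence is identified")
    previous, released = None, False
    for n, e in enumerate(entries, 1):
        if released:
            problems.append(f"entry {n}: recorded after release")
        released = released or e.action == "released"
        if e.item != entries[0].item:
            problems.append(f"entry {n}: label {e.item!r} belongs to another item")
        missing = [f for f in ("person", "date", "time", "location") if not getattr(e, f).strip()]
        problems += [f"entry {n}: missing {f}" for f in missing]
        if "date" in missing or "time" in missing:
            continue
        try:
            when = datetime.fromisoformat(f"{e.date}T{e.time}")
        except ValueError:
            problems.append(f"entry {n}: unreadable date/time")
            continue
        if previous and when < previous:
            problems.append(f"entry {n}: earlier than the entry before it")
        previous = when
    return problems
# Constructed sample logs, not taken from any real case.
GOOD = [
    CustodyEntry("C1-03", "identified", "Det. A. Rivera", "1998-03-14", "09:40", "Residence, den"),
    CustodyEntry("C1-03", "received", "Evidence Tech B. Cho", "1998-03-14", "13:05", "Property room"),
    CustodyEntry("C1-03", "released", "Prosecutor's office", "1998-09-02", "10:00", "Property room"),
]
BAD = [
    CustodyEntry("C1-03", "received", "Det. A. Rivera", "1998-03-14", "13:05", ""),
    CustodyEntry("C1-04", "received", "", "1998-03-14", "09:40", "Property room"),
]
```

`audit_chain(GOOD)` returns an empty list, while `audit_chain(BAD)` reports the missing identification entry, the blank location and person, the mismatched label and the out-of-order time.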
    • Documentation
      • Evidence label
      • Property booking report
      • Chronological search form
      • Lab evidence tracking report
      • Individual supplemental reports
    • High Tech Evidence Storage
      • Secure Area
      • Moderate temperature
      • Free of excessive dust
      • No excessive moisture
      • Free of magnetic influence
    • High Tech Evidence Storage
      • Storage containers
        • Original packaging
          • The best material
        • Options
          • Cardboard boxes
          • Wooden shelves
          • Non static containers