Evidence Seizure Ctin Version Draft Sent To Sandy For Polishing
  • Transcript

    • 1. High Tech Evidence Collection and Seizure
      • Detective Gregory Dawson
      • Pierce Co. Sheriff’s Dept.
      • February 1st, 2003
    • 2. Pierce County Regional Computer Laboratory
      • Detective Gregory Dawson
      • Work Ph. (253)798-7508
      • Pager (253)680-1104
      • Email [email_address]
      • If you have questions or need help please call!!
    • 3. Class goals
      • FAMILIARIZE attending LEOs with the process of collecting a computer and associated evidence in a safe and effective manner.
      • Discuss good evidence handling PRACTICES
    • 4. High Tech Evidence Collection and Seizure
      • Identification
        • Types of computer related evidence
        • Where and how computer related evidence may be found
      • Preservation and Collection
        • Preservation
        • Collection
        • Physical chain of evidence
      • Presentation
        • In court
      • Storage guides
    • 5. High Tech Evidence Collection and Seizure
      • Identification
      • Preservation and Collection
      • Storage guide
    • 6. High Tech Evidence Collection and Seizure
      • Identification
        • General Concepts
        • Types of computer related evidence
        • Where and how computer related evidence may be found
    • 7. Identification General Concepts
      • Consider all items real and virtual which could be evidence
      • Must be described in the SW or articulated at the time of seizure
      • Often determined by the “type” of crime
      • Sophistication of suspect
    • 8. Identification General Concepts
      • What to Take:
      • If you are seizing computer equipment, you may want to take everything, subject to S/W specificity
    • 9. Identification General Concepts
      • What to Take:
      • You may only want to take data
        • But…if you leave computer equipment, hardware, software or manuals, you may need them later in your investigation
        • Also, after you leave, the equipment may disappear altogether
    • 10. Identification General Concepts
      • If you are only going to take data, (i.e., image the computer media on scene)
        • you will have to have the equipment and personnel with you to do it
        • You will have to secure the scene long enough to do it
    • 11. Identification Types of Computer Related Evidence
      • Computer paraphernalia
        • Printers and other hardcopy hardware
        • Mouse, cables and other connectors
        • Software and manuals
        • Jaz and Zip drives
        • Tape backup drives
        • Hand and flat-plate scanners
    • 12. Identification Types of Computer Related Evidence
      • Computer paraphernalia
        • Computers, keyboards and monitors
        • Disks and diskettes
        • Magnetic tape storage units
        • Phones (memory dialers)
        • Circuit boards and components
        • Modems
    • 13. Identification Types of Computer Related Evidence
      • Paper output
        • Ledgers
        • Address books
        • Correspondence
        • Diary
        • Hacker notes
    • 14. Identification Where and how computer related evidence may be found
      • Desktops
      • Monitors
      • Next to phones
      • In wallet
      • In suspect’s pocket
    • 15. Identification Where and how computer related evidence may be found
      • Garbage cans
      • Under keyboards
      • Dependent only on the size of item being searched for
      • Restricted only by the imagination of suspect
      • Look for evidence of computer use
    • 16. Identification Where and how computer related evidence may be found
      • Search limited by the location described in warrant
      • Search limited by the size of smallest item listed in warrant
    • 17. Identification Where and how computer related evidence may be found
      • Search the Area Carefully
        • Don’t get “tunnel vision” on the area where a computer might be sitting
      • Diskettes and small media hide themselves in the strangest places
      • We often find them inside books, taped to the bottom of keyboards, in chests of drawers, shirt pockets and other surprising places
    • 18. Computer Case – Tower Configuration
    • 19. Monitor, Keyboard, and Mouse
    • 20. Computer Media/Storage
    • 21. Computer Media/Storage USB pocket disk 32MB IBM Microdrive 1GB, 500/340 MB
    • 22. Computer Media/Storage “Thumb Drives” up to 128MB “Disk-on-Key” unit
    • 23. Card Readers USB Pocket DigiDrive. Reads multiple media sources, smart cards, etc.
    • 24. Magnetic Readers Mini-Mag Magstripe reader (PMR 102), is ideal for capture and storage of magnetic stripe data without the presence of a computer or external power supply. Lithium battery for 5000 swipes. Non-volatile. Password protected.
    • 25. Computer peripherals
    • 26. Flat Plate Scanner
    • 27. Computer Cases
    • 28. Computer Cases
    • 29. Sometimes they can never be separated from their computer
    • 30. High Tech Evidence Collection and Seizure
      • Preservation and Collection
        • Preservation
        • Collection
        • Physical chain of evidence
    • 31. Preservation and Collection Preservation
      • Have a plan for proper packaging and transport…
      • Pre-prepared “Evidence Kit”
    • 32. Preservation and Collection Preservation
      • Determine if the evidence can be collected and preserved for future analyses
      • Keep “chain of evidence” in mind
    • 33. Preservation and Collection Preservation
      • Document everything
      • Practice safe evidence handling - wear rubber gloves!
        • Don’t let your prints be the only ones found
        • Bio-Hazards
    • 34. Preservation and Collection Preservation
      • Fragility of computer evidence
        • It tends to be very volatile and can easily be damaged or destroyed. Handle it with extra care.
        • Follow documented procedures for preserving computer and electronic evidence if your agency/organization has them canonized
    • 35. Preservation and Collection Preservation
      • Avoid magnetic fields
      • Avoid excessive heat
      • Avoid direct sunlight
      • Don’t touch magnetic media with your skin
    • 36. Preservation and Collection Preservation
      • Static electricity
        • Avoid touching exposed wires or circuit boards
        • DO NOT place items in plastic evidence bags
        • DO NOT place items in boxes of foam peanuts
    • 37. Preservation and Collection Preservation
      • Do use paper bags or cardboard boxes
      • Do use original packaging material
    • 38. Preservation and Collection Preservation
        • It is advisable that only investigators with sufficient knowledge and hands-on computer experience deal with computers, peripherals, diskettes, programs, etc., as well as with other technical or specialized equipment during searches
    • 39. Preservation and Collection Preservation
      • However, it is paramount in specialized instances such as
      • Mainframes
      • Networked Computer Systems
      • Specialty computers
    • 40. Preservation and Collection Preservation
        • Hacker systems
        • Note:
          • When you have a case involving a computer as the object or means of committing a crime, remember that a program running in memory might be the evidence of your crime
    • 41. Preservation and Collection Preservation
      • Basic Rules.
            • Don’t let the suspect near the machine.
            • Don’t let cops or “computer experts” play with the computers to “see what’s inside.”
        • Both can be equally destructive.
    • 42. Preservation and Collection Preservation
      • Photograph and document everything
      • Rule to remember: if you’re comfortable, the computer is comfortable
    • 43. Preservation and Collection Preservation
      • Evaluate the Condition of the Computer:
      • Is the computer on or off?
      • If the computer is on, what is the computer doing?
      • If a computer is on, there is a good chance it is doing something
    • 44. Preservation and Collection Preservation
      • Evaluate the Condition of the Computer:
      • For example: running Windows, running applications, or maybe even overwriting or destroying data which might be evidentiary
    • 45. Preservation and Collection Preservation
      • Evaluate the Condition of the Computer:
      • Assess the type of operating system if possible. This will influence how you might preserve and collect the evidence
    • 46. Preservation and Collection Preservation
      • Evaluate the Condition of the Computer:
      • Assess the potential for loss of data from outside threats such as weather, electrical and magnetic conditions
      • Determine if the computer is connected to other computers by network or modem
    • 47. Preservation and Collection Preservation
      • Evaluate the Condition of the Computer:
      • Consider the previous conditions to determine if the computer should be turned off or left running for a period of time, and photograph the screen with a video camera
    • 48. Preservation and Collection Preservation
      • Evaluate the Condition of the Computer:
      • Be prepared for “Emergency” shut-down
        • Have a camera ready
    • 49. Preservation and Collection Preservation
      • A little “Urban Legend”
        • Magnets and Degaussing Equipment.
      • The possible presence of degaussing (magnets) equipment placed in the crime scene by the suspect
        • Evidence being lost due to the presence of large degaussing hardware hidden in a doorway and operated by a wall switch
          • Hmm,…not likely
    • 50. High Tech Evidence Collection and Seizure
      • Preservation and Collection
        • Preservation
        • Collection
        • Physical chain of evidence
    • 51. Preservation and Collection Collection
      • Start Chronological Case Work Sheet:
      • List the date, time and description of the computer
      • List the identity of those assisting you and witnesses to your activity
    • 52. Preservation and Collection Collection
      • Use Chronological Case Work Sheet:
      • List the date, time and action taken
      • Record your investigative clues and leads
      • List the date, time and programs or utilities used
      • Continue use throughout the investigation and examination
    • 53. Preservation and Collection Collection
      • Photograph the computer using 35mm, Polaroid, digital and/or video camera
      • Photograph the front and back of the computer
    • 54. Preservation and Collection Collection
      • Photograph cables
      • Disconnect power to the system, at the computer case
    • 55. Preservation and Collection Collection
      • Photograph attached hardware
      • Take pictures of anything that may be of value or used for evidence
      • This could be the hidden location of floppies, printed material, hard drives and other hardware
    • 56. Preservation and Collection Collection
      • Sometimes the “Devil is in the details”…
    • 57. It is the small stuff that can create problems sometimes…
    • 58. Preservation and Collection Collection
      • Be sure to note “unusual” things about the condition of the evidence….
    • 59. Someone wanted this one dead…
    • 60. Preservation and Collection Collection
      • Mark and tag all cables and hardware
      • Use wire tags and stick on labels for each item seized
        • This ensures you can return the computer to its original configuration
    • 61. Preservation and Collection Collection
      • If you are seizing more than one computer system, first number the computers and then tag the cables and hardware using the computer number, so that when you get the whole mess back to the shop they can be put back together properly
    • 62. Preservation and Collection Collection
      • Prepare the computer for transport
    • 63. Preservation and Collection Collection
      • Package the computer, cables and other hardware in boxes after entering the evidence description in the search warrant property sheet
      • Keep boxes for each computer together during transport and storage
    • 64. Preservation and Collection Collection
      • Seizing floppies and other removable media
      • Count floppies and other removable media
    • 65. Preservation and Collection Collection
      • Mark them using an indelible colored marker or labels on tape or other stick on media
      • If you can’t itemize, describe and package
    • 66. Preservation and Collection Collection
      • Keep magnetic media separate from other seized items. This will aid you later in the examination of the disks so you don't have to look through dozens of boxes and envelopes for diskettes
    • 67. Preservation and Collection Collection
      • Place seized diskettes in separate boxes for each room
      • It will save you a lot of time and trouble sorting through them later
    • 68. Preservation and Collection Collection
      • Transportation of Evidence:
      • Pack the transport vehicle with care
      • Place the CPU and other computer related hardware and software in a safe place for transport
    • 69. Preservation and Collection Collection
      • Transportation of Evidence:
      • Items fall out of pickups and bounce around in large trucks
      • Magnets in radios in the trunks of vehicles and excessive heat can damage media or hardware
    • 70. Preservation and Collection Summary
      • Package properly
      • Handle carefully
      • Mark clearly
      • Primary rule: if you are comfortable, the computer is comfortable
    • 71. High Tech Evidence Collection and Seizure
      • Preservation and Collection
        • Preservation
        • Collection
        • Physical chain of evidence
    • 72. Preservation and Collection Physical chain of evidence
      • The “Chain of Evidence” is the:
      • Documentation of dominion and control of evidence
      • Physical security of evidence
    • 73. Preservation and Collection Physical chain of evidence
      • Maintain the “Chain of Evidence”
      • Evidence clearly marked so as to provide positive identification in court
      • Begins when evidence is identified
      • Ends when court/prosecutor releases same
    • 74. Preservation and Collection Physical chain of evidence
      • “Chain of Evidence” presentation:
      • Documentation including reports and packaging should show:
        • Agency case number
        • Person finding the evidence
        • Evidence number
        • Date
        • Time
        • Location found
    • 75. Preservation and Collection Physical chain of evidence
      • “Chain of Evidence” presentation:
      • Running log for each person handling (receiving) the evidence
    • 76. Preservation and Collection Physical chain of evidence
      • Documentation of the “Chain of Evidence”:
      • Photograph
      • Sketch
      • Mark/label
      • Package
      • Evidence label
      • Property booking report
      • Chronological search form
      • Lab evidence tracking report
      • Individual supplemental reports
    • 77. High Tech Evidence Collection and Seizure
      • Storage Guide
    • 78. High Tech Evidence Storage
      • Secure area
      • Moderate temperature
      • Free of excessive dust
      • No excessive moisture
      • Free of magnetic influence
    • 79. High Tech Evidence Storage
      • Storage containers
        • Original packaging = the best material
        • Other options:
          • Cardboard boxes
          • Wooden shelves
          • Non static containers
    • 80. Questions ???
    • 81. Pierce County Regional Computer Laboratory
      • Detective Gregory Dawson
      • Work Ph. (253)798-7508
      • Pager (253)680-1104
      • Email [email_address]
      • If you have questions or need help please call!!