A series of computer forensics notes...............

1. Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬

2. Outline
• Searching and Seizing Computers
• Searching and Seizing Computers without warrant
• The Fourth Amendment’s (Reasonable Expectation of Privacy)
• Consent
• Private Sector Workplace Searches
• Searching and Seizing Computers with a warrant
• Basic strategies for executing Computer Searches
• The Privacy Protection Act

3. What is search and Seizure?
• Search
• Expectation of privacy
• Seizure
• Individual
• When a person believes he is not free to ignore the government’s presence
• Property
• Meaningful interference with an individual’s possessory interest

4. Search and Seizure Separate
• Examples:
• Person seized and searched
• Person seized but not searched
• Traffic citation
• Person searched but not seized
• Thermal Scans, X-rays etc

5. Searching and seizing computer related
evidence
• Traditional Problems Associated with Finding Digital Evidence
-Digital evidence is especially volatile & voluminous, susceptible to
climate or environmental factors as well as human error.
- It may be affected by power outages, electromagnetic fields, or
extreme temperatures

6. Continued….
• -Unlike traditional evidence in which analysis of small samples is
utilized to preserve the totality of the evidence, assessment of digital
evidence requires evaluation of the whole, making one investigative
mistake very costly.
- The potential of liability for criminal investigators because of the loss
of critical data.
- The volume of digital evidence further complicates it's recovery,
making it virtually impossible to conduct a full on-scene analysis.

7. Continued…..
• Digital evidence can be concealed by individuals by hiding information
• The new level of software production, encryption and steganography in order
to hide files
• Self-destructive or remote programs are used to erase data by pre-
programmed commands
• Resources and computer related devices are hard to replace due to lack of
funds and approval from the administrator

8. Pre Search Activities
• The creation of a technologically sound computer forensic laboratory
• A temperature controlled evidence storage facility with security
• A listed & recorded personnel need for the search & seizure
• Pre-Search intelligence information & reports
• On-Scene equipment & evidence retrieval packaging
• Note:
• A safety backup plan in case the initial search & seizure activities are foiled by
the suspect or exigent circumstances

9. On-site vs off-site searches
• Determined by the lead investigator or supervisor on the case
- On-site allows for immediate interviewing of the suspect due to developing
evidence at the crime scene
- Off-site may be impossible due to mass amounts of storage or computer devices
- Off-site searches are more relaxed, time consuming, and no evidence is
overlooked
- Legal issues vary on the possibility of a secondary warrant and off-site storage of
the secondary evidence

10. Searching and Seizing Computers
• To find out evidence from computer by looking it from different
aspects and captured that for further off-site searching thoroughly.
• Searching and seizing computers can be with warrant or without
warrant

11. Continued….
• Searching and seizing computers with or without warrant depends
upon the constitution of respective country
• Constitutions of the countries are different from each other due to
several reasons
• Geographical
• Cultural
• Ethnics
• Religious differences
• etc

12. Searching and Seizing Computers without warrant
No legal documents required………

13. Reasons for (without warrant)
• According to the Fourth amendments of US
• The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated, and
no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.
•

14. Analytical Model
• This model is used to determine if a search and/or seizure has
occurred, and If it has occurred, was it reasonable (legal)
1) WHO conducted the search/seizure?
2) WHAT has been searched/seized?
3) Was there a SEARCH/SEIZURE?
4) If so, was it REASONABLE

15. 1) WHO conducted the search and/or seizure?
Agency or official of the government

16. 2) WHAT has been searched and/or seized?
Was it a person, house, paper and/or “effect” (other possesion)

17. 3) Was there a SEARCH and/or SEIZURE?
The Supreme Court has defined “Search” as any governmental
intrusion into something in which a person has a reasonable
expectation of privacy. A “seizure” is any taking into possession,
custody or control

18. 4) If there was a search and/or seizure, was it REASONABLE?
• Was there a valid search or seizure warrant?
• Or, did one of the exceptions to the warrant requirement apply?

19. Cases: Search and/or Seizure?
1) Lucy breaks into her ex boyfriend’s apartment and
steals some of her old love letters to him.
2) The police order Joe to have a blood test to
determine how much alcohol he has in his
bloodstream

20. Cases: Search and/or Seizure?
3) Officer Jones stops Tim and asks him what he is
doing, then looks through the suitcase Tim is
carrying.
4) Tim is arrested and taken to jail.
5) The FBI puts a wiretap on Ellen’s telephone and
listens to her conversations.

21. Reasonable vs Unreasonable
• For a search/seizure to be reasonable there must be a
warrant issued by a judge or magistrate
• The police must have probable cause to convince a
judge to sign a warrant
• There are also some exceptions to the warrant
requirement.

22. Probable Cause
There must be good reason to believe that that a crime has
been, is being, or is about to be committed, and that the
person, place or thing which is to be searched or seized is
involved in some way.

23. Exceptions to the
Warrant Requirement
1) Search Incident to a Lawful Arrest
extends to everything w/in arrestee’s immediate control
2) Stop and Frisk
can frisk outer layer of clothing with “articulable suspicion” of crime
3) Emergency Situations
Bomb threats, burning buildings, etc.
4) Hot Pursuit
Warrant not required for places police follow suspect into.
5) Items connected with crime in Plain View
If police had a right to be there in the first place

24. Exceptions to the
Warrant Requirement
6) Consent
A person may ‘knowingly and voluntarily’ let police search w/o a
warrant. Fraud and deception are excepted. Must be that person’s or
common property. In some case eg. parent/child, teacher/student, a
person may legally let police search someone else’s property
7) Abandoned Property
Once you abandon something you give up the expectation of privacy.
8) Border & Airline Searches
Customs Agents may search w/o warrant OR probable cause. Airline
personnel may search passengers and carry on luggage with metal
detectors and/or x-rays
9) Vehicle Searches
Police may search a vehicle WITH Probable Cause W/O Warrant

41. Searching and Seizing Computers with a warrant
legal documents required………

42. Warrant preparation
• Warrants: Should be prepared and reviewed by legal specialists &
computer division commanders. It ensures that all language,
protections, equipment, media, and incidentals, which may be
brought up in a court of law are stated. It also breeds familiarity with
the investigators, & ensures judicial approval.
Probable Cause: Must state that a crime has been committed, there
is evidence of the crime, & evidence resides at a particular location
Seizing Equipment: The proper seizing of all hardware & software
items at the scene of the crime

49. Reference
Most of the slides are exactly copied and taken from the CHFI Slides
Notes……..

50. Thank You
For Your PatienceFor Your Patience