
Bag and Tag



Published in: Technology, Health & Medicine

  1. Level 1 - Basic Investigations Part 4 – Evidence Collection and Seizure Criminal Justice Training Center
  2. High Tech Evidence Collection and Seizure
      • Evidence practices and procedures
  3. Agenda
      • Identification
      • Preservation
      • Collection
      • Chain of evidence
      • Storage guidelines
  4. Identification
      • General concepts
      • Types of computer related evidence
      • Where and how computer related evidence may be found
  5. Identification – General Concepts
      • Consider all items real and virtual to be evidence
      • Must be described in the search warrant or articulated at the time of seizure
      • Determined by the “type” of crime
      • Sophistication of suspect
  6. Identification – General Concepts
      You can take everything, take only what is subject to the search warrant, or take only data. But…
  7. Identification – General Concepts
      • If you leave things behind, you may need them later
      • After you leave, things may disappear
      • And …
  8. Identification – General Concepts
      • Can you secure the scene long enough to accomplish tasks?
      • Do you have equipment and personnel necessary to accomplish tasks?
  9. Identification – Types of Evidence
      • Printers and other hardcopy hardware
      • Mouse, cables and other connectors
      • Software
      • Jaz and Zip drives
      • Tape backup drives
      • Hand and flat-plate scanners
  10. Identification – Types of Evidence
      • Computers, keyboards and monitors
      • Disks, CDs and diskettes
      • Magnetic tape storage units
      • Phones (memory dialers)
      • Circuit boards and components
      • Modems
  11. Identification – Types of Evidence
      • Paper output
      • Manuals
      • Ledgers
      • Address books
      • Correspondence
      • Diary
      • Notes and scribbling
  12. Identification – Where to Look for It
      • Desktops
      • Tabletops
      • Monitors
      • Next to phones
      • Garbage cans
      • In wallet
      • In suspect’s pocket
      • In bookcases
      • Under keyboards
  13. Identification – Where to Look For It
      • Search the area carefully
      • Do not get “tunnel vision”
      • Look for evidence of computer use
      • Dependent only on the size of item being searched for
      • Restricted only by the imagination of suspect
  14. Identification – Where to Look For It
      • Search may be limited by the location described in warrant
      • Search may be limited by the size of smallest item listed in warrant
  15. Sample Evidence – Tower Computer Case
  16. Sample Evidence - Monitor, Keyboard, and Mouse
  17. Sample Evidence - Computer Media/Storage
  18. Sample Evidence - Computer Media/Storage
      USB pocket disk 32MB; IBM Microdrive 1GB, 500/340 MB
  19. Sample Evidence - Computer Media/Storage
      “Thumb Drives” up to 128MB; “Disk-on-Key” unit
  20. Sample Evidence - Card Readers
      USB Pocket DigiDrive. Reads multiple media sources, smart cards etc.
  21. Sample Evidence - Magnetic Readers
      Mini-Mag Magstripe reader (PMR 102)
  22. Sample Evidence - Computer peripherals
  23. Sample Evidence - Flat Plate Scanner
  24. Sample Evidence - Computer Cases
  25. Sample Evidence - Computer Cases
  26. Sample Evidence Area
      Sometimes they can never be separated from their computer.
  27. Preservation and Collection
      • Preservation
      • Collection
      • Physical chain of evidence
  28. Preservation
      • Have a plan for proper packaging and transport…
      • Pre-prepared “Evidence Kit”
  29. Preservation
      • Determine if the evidence can be collected and preserved for future analyses
      • Keep “chain of evidence” in mind
      • Document everything
  30. Preservation
      • Practice safe evidence handling - wear rubber gloves!
      • Don’t let your prints be the only ones found
      • Bio-hazards
  31. Preservation – Fragility of Evidence
      • Tends to be very volatile and is easily damaged or destroyed
      • Follow documented procedures for preserving computer and electronic evidence
  32. Preservation – Fragility of Evidence
      • Avoid magnetic fields
      • Avoid excessive heat
      • Avoid direct sunlight
      • Don’t touch magnetic media with your skin
  33. Preservation – Fragility of Evidence
      • Do use paper bags or cardboard boxes
      • Do use original packaging material
  34. Preservation – Hacker systems
      When you have a case involving a computer as the object or means of committing a crime, remember that a program running in memory might be the evidence of your crime.
  35. Preservation – Special Environments
      • Mainframes
      • Networks
      • Specialty computers – CAD/CAM
  36. Preservation – Basic Rules
      • Do not let the suspect near the machine.
      • Do not let cops or “computer experts” play with the computers to “see what’s inside.”
  37. Preservation – Basic Rules
      • Photograph everything
      • Document everything
      • Rule to remember: if you are comfortable, the computer is comfortable
  38. Preservation – Evaluating Conditions
      • Is the computer on or off?
      • If the computer is on, what is the computer doing?
      • If a computer is on, there is a good chance it is doing something
  39. Preservation – Evaluating Conditions
      • What applications are running?
      • What is displayed on the screen?
      • What operating system is functioning?
  40. Preservation – Evaluating Conditions
      • Assess the potential for loss of data from outside threats such as weather, electrical and magnetic conditions
      • Determine if the computer is connected to other computers by network or modem
  41. Preservation – Evaluating Conditions
      • Consider previous conditions to determine if the computer should be turned off or left running
      • Be prepared for “Emergency” shut-down
      • Have camera ready - photograph the screen with a video camera
  42. Preservation – Urban Legend?
      The possible presence of degaussing (magnets) equipment placed in the crime scene by the suspect. Evidence being lost due to the presence of large degaussing hardware hidden in a doorway and operated by a wall switch. Hmm… not likely.
  43. Collection – Chronological Worksheet
      • Date, time, description of the computer
      • The identity of those assisting you
      • The identity of witnesses to your activity
  44. Collection – Chronological Worksheet
      • Date, time and action taken
      • Record investigative clues and leads
      • Date, time and programs or utilities used
  45. Collection - Photographing
      • Photograph the computer using 35mm, Polaroid, digital and/or video camera
      • Photograph the front and back of the computer
      • Photograph all computer connections and cables
  46. Collection - Photographing
      • Photograph all hardware devices
      • Take pictures of anything, anywhere, that may be of value or used for evidence
  47. It is the small stuff that can create problems sometimes…
  48. Collection - Photographing
      • Disconnect the power at the computer case
      • Be sure to note “unusual” things about the condition of the evidence…
  49. Someone wanted this one dead…
  50. Collection
      • Mark and tag all cables and hardware at both ends
      • Use wire tags and stick-on labels for each item seized
  51. Collection
      If you are seizing more than one computer system, first number the computers and then tag the cables and hardware using the computer number.
  52. Collection - Transport
      • Package the computer, cables and other hardware in boxes after entering the evidence description in the search warrant property sheet
      • Keep boxes for each computer together during transport and storage
  53. Collection - Transport
      • When seizing floppies and removable media, count them
      • Mark them using an indelible colored marker or labels on tape or other stick-on media
  54. Collection - Transport
      • Keep magnetic media separate from other seized items
      • Place seized diskettes in separate boxes for each room
  55. Collection - Transport
      • Pack the transport vehicle with care
      • Place the CPU and other computer related hardware and software in a safe place for transport
  56. Collection – Golden Rules
      • Package properly
      • Handle carefully
      • Mark clearly
      • If you are comfortable, the computer is comfortable
  57. What is ‘Chain of Evidence’?
      • Documentation of dominion and control of evidence
      • Physical security of evidence
  58. Maintaining the Chain of Evidence
      • Evidence clearly marked so as to provide positive identification in court
      • Begins when evidence is identified
      • Ends when court/prosecutor releases same
  59. Presenting the Chain of Evidence
      • Agency case number
      • Person finding the evidence
      • Evidence number
      • Date and time
      • Location found
      • Running log for each person handling (receiving) the evidence
  60. Presenting the Chain of Evidence
      • Photographs
      • Sketches and notes
      • Mark/label
      • Packages and evidence label
  61. Presenting the Chain of Evidence
      • Property booking report
      • Chronological search form
      • Lab evidence tracking report
      • Individual supplemental reports
  62. Evidence Storage Guidelines
      • Secure area
      • Moderate temperature
      • Free of excessive dust
      • No excessive moisture
      • Free of magnetic influence
  63. Storage Containers
      • Original packaging is the best material
      • Other options:
          • Cardboard boxes
          • Wooden shelves
          • Non static containers
  64. Summary
      • Finding all the evidence
      • Preserving and collecting any evidence
      • Transportation and storage of all evidence
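
The chain-of-evidence record listed on slides 58 and 59, as an added example that is not part of the original slide deck: it keeps the listed fields plus the running log of each person receiving the item, and reports any entry where custody is not documented. The class and field names are hypothetical, and the case number, names and times are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Transfer:
    when: datetime
    released_by: str
    received_by: str
    purpose: str

@dataclass
class EvidenceItem:
    case_number: str        # agency case number
    evidence_number: str
    found_by: str           # person finding the evidence
    found_at: datetime      # date and time the item was identified
    location_found: str
    log: list = field(default_factory=list)  # running log, one entry per hand-over

    def hand_over(self, when, released_by, received_by, purpose):
        self.log.append(Transfer(when, released_by, received_by, purpose))

    def chain_gaps(self):
        """List every break in documented custody; an empty list means no gap."""
        problems = []
        holder, last = self.found_by, self.found_at
        for n, t in enumerate(self.log, 1):
            if t.released_by != holder:
                problems.append(f"entry {n}: released by {t.released_by}, but {holder} held the item")
            if t.when < last:
                problems.append(f"entry {n}: dated before the previous entry")
            holder, last = t.received_by, max(last, t.when)
        return problems

def sample_item():
    # Constructed sample data: case number, names and times are invented.
    item = EvidenceItem("CASE-0001", "E-07", "Officer A",
                        datetime(2024, 1, 5, 9, 30), "Room 2, under keyboard")
    item.hand_over(datetime(2024, 1, 5, 11, 0), "Officer A", "Property Clerk B", "booking")
    item.hand_over(datetime(2024, 1, 8, 8, 15), "Property Clerk B", "Examiner C", "lab analysis")
    return item

if __name__ == "__main__":
    good = sample_item()
    print(good.chain_gaps())   # complete chain, nothing reported
    bad = sample_item()
    # Entry released by someone who never received the item, dated out of order.
    bad.hand_over(datetime(2024, 1, 7, 14, 0), "Officer D", "Prosecutor E", "court")
    print(bad.chain_gaps())
```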