
Evidence Seizure Level One

1. Criminal Justice Training Center
   - Level One
   - High Tech Evidence Collection and Seizure
2. High Tech Evidence Collection and Seizure
   - Evidence practices and procedures
3. High Tech Evidence Collection and Seizure
4. Agenda
   - Identification
   - Preservation
   - Collection
   - Chain of evidence
   - Storage guidelines
5. Agenda
   - Familiarization
   - Good evidence handling practices
6. Agenda
   - Law Enforcement vs. Private Enterprise
     - Law Enforcement – how cases come in
       - Patrol – sexual assault / domestic
       - Meth labs – ID theft
7. Identification
   - General concepts
   - Types of computer-related evidence
   - Where and how computer-related evidence may be found
8. Identification – General Concepts
   - Consider all items, real and virtual, to be evidence
   - Must be described in the search warrant or articulated at the time of seizure
   - Determined by the “type” of crime
   - Sophistication of the suspect
9. Identification – General Concepts
   - All computing evidence is considered physical evidence.
   - [1] Information listed here is excerpted from the book “Digital Evidence and Computer Crime” by Eoghan Casey, Academic Press.
10. Identification – General Concepts
   You can take everything, take only what is subject to the search warrant, or take only data. (Computer of the victim vs. the suspect vs. a second party to the event?) But…
11. Identification – General Concepts
   - If you leave things behind, you may need them later
   - After you leave, things may disappear
   - And…
12. Identification – General Concepts
   - Can you secure the scene long enough to accomplish the tasks?
   - Do you have the equipment and personnel necessary to accomplish the tasks?
13. Identification – Types of Evidence
   - Printers and other hardcopy hardware
   - Mouse, cables and other connectors
   - Software
   - Jaz and Zip drives
   - Tape backup drives
   - Hand and flat-plate scanners
14. Identification – Types of Evidence
   - Computers, keyboards and monitors
   - Disks, CDs and diskettes
   - Magnetic tape storage units
   - Phones (memory dialers)
   - Circuit boards and components
   - Modems
15. Identification – Types of Evidence
   - Paper output
   - Manuals
   - Ledgers
   - Address books
   - Correspondence
   - Diary
   - Notes and scribbling
16. Identification – Where to Look for It
   - Desktops
   - Tabletops
   - Monitors
   - Next to phones
   - Garbage cans
   - In a wallet
   - In the suspect’s pocket
   - In bookcases
   - Under keyboards
17. Identification – Where to Look for It
   - Search the area carefully
   - Do not get “tunnel vision”
   - Look for evidence of computer use
   - Dependent only on the size of the item being searched for
   - Restricted only by the imagination of the suspect
18. Identification – Where to Look for It
   - The search may be limited by the location described in the warrant
   - The search may be limited by the size of the smallest item listed in the warrant
19. Sample Evidence – Tower Computer Case
20. Sample Evidence – Monitor, Keyboard, and Mouse
21. Sample Evidence – Computer Media/Storage
22. Sample Evidence – Computer Media/Storage: USB pocket disk (32 MB); IBM Microdrive (1 GB, 500/340 MB)
23. Sample Evidence – Computer Media/Storage: “Thumb Drives” up to 128 MB; “Disk-on-Key” unit
24. Sample Evidence – Card Readers: USB Pocket DigiDrive, reads multiple media sources, smart cards, etc.
25. Sample Evidence – PDAs
26. Sample Evidence – Magnetic Card Readers: Mini-Mag magstripe reader (PMR 102)
27. Sample Evidence – Laptop
28. Sample Evidence – Tablet PC
29. Sample Evidence – Computer Peripherals
30. Sample Evidence – Flat Plate Scanner
31. Sample Evidence – Homemade
32. Sample Evidence – Homemade
33. Sample Evidence Area: Sometimes they can never be separated from their computer.
34. Preservation and Collection
   - Preservation
   - Collection
   - Physical chain of evidence
35. Preservation and Collection
   - Have a plan for proper packaging and transport
   - Pre-prepared “Evidence Kit”
36. Preservation – Basic Rules
   - Do not let the suspect near the machine.
   - Do not let cops or “computer experts” play with the computers to “see what’s inside.”
37. Preservation – Basic Rules
   - Do not let the suspect near the machine.
     - He may pretend to help but only wants to do something to destroy evidence
     - It will alter the evidence
38. Preservation – Basic Rules
   - Do not let cops or “computer experts” play with the computers to “see what’s inside.”
     - “If I could just get a peek”
     - “I’m the computer expert”
     - Do you know how the machine is configured? Is it booby-trapped?
39. Preservation – Basic Rules
   - Both the suspect and other officers can be equally destructive
40. Preservation – Basic Rules
   - Photograph everything
     - Overall and detail shots
     - Photo log
     - Keep in mind: this is a crime scene
     - Use trained evidence collection units/personnel
41. Preservation – Basic Rules
   - Practice safe evidence handling: wear rubber gloves!
   - Don’t let your prints be the only ones found
   - Bio-hazards
42. Preservation
   - Determine if the evidence can be collected and preserved for future analysis (on-site vs. seizure)
   - Keep the “chain of evidence” in mind
   - Document everything
43. Preservation – Fragility of Evidence
   - Tends to be very volatile and is easily damaged or destroyed
   - Follow documented procedures for preserving computer and electronic evidence
44. Preservation – Fragility of Evidence
   - Avoid magnetic fields
   - Avoid excessive heat
   - Avoid direct sunlight
   - Don’t touch magnetic media with your skin
45. Preservation – Fragility of Evidence
   - Do use paper bags or cardboard boxes
   - Do use original packaging material
46. Preservation – Special Environments
   - Mainframes
   - Networks/network servers
   - Specialty computers
47. Preservation – Evaluating Conditions
   - Does the case call for “immediate results” to effect an arrest?
   - If it does, having someone capable of evaluating the machine without losing evidence is important
48. Preservation – Hacker Systems
   When you have a case involving a computer as the object or means of committing a crime, remember that a program running in memory might be the evidence of your crime.
49. Preservation – Evaluating Conditions
   - Is the computer on or off?
   - If the computer is on, what is the computer doing?
     - Printing?
     - Screensaver on?
   - If a computer is on, there is a good chance it is doing something
50. Preservation – Evaluating Conditions
   - What applications are running?
   - What is displayed on the screen?
   - What operating system is functioning?
51. Preservation – Evaluating Conditions
   - Assess the potential for loss of data from outside threats such as weather, electrical and magnetic conditions
   - Determine if the computer is connected to other computers by network or modem
52. Preservation – Evaluating Conditions
   - Consider the previous conditions to determine if the computer should be turned off or left running
   - Be prepared for an “emergency” shut-down
   - Have a camera ready: photograph the screen with a video camera
53. Preservation – Evaluating Conditions
   - Decide on a strategy for power-down
   - Do I interrupt the power or shut down normally?
   - There are pros and cons: pulling the plug freezes the on-disk state but loses anything held only in memory, while a normal shutdown flushes open files but runs whatever shutdown routines the suspect has configured
54. Preservation – Urban Legend?
   The possible presence of degaussing (magnet) equipment placed in the crime scene by the suspect. Evidence being lost due to the presence of large degaussing hardware hidden in a doorway and operated by a wall switch. Hmm… not likely.
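The “Evaluating Conditions” slides above ask what a running machine is doing, which operating system it runs and whether it is connected to other machines, and the hacker-systems slide warns that a program in memory may itself be the evidence. The following is an added example, not part of the training deck, of recording that volatile state before power is cut: each utility run is timestamped, its output is hashed, and the run itself is logged, which is what the chronological worksheet later in the deck asks for. The command list is an assumption for a Linux-style host, and the tool names, record fields and file names are this example’s own choices. Use it only when the case calls for live evaluation by someone trained for it, run trusted copies of the tools from your own media rather than the binaries on the evidence machine, and record that you did so.

```python
# Added example (not from the training deck): record what a running machine is
# doing before power is cut.  Command list and record fields are assumptions.
import hashlib
import shutil
import subprocess
import time
from dataclasses import dataclass, field

# Volatile state that disappears when power is cut, most volatile first.
# Assumed tool names for a Linux-style host; tools that are absent are logged as skipped.
TRIAGE_COMMANDS = [
    ["date", "-u"],       # system clock, to compare against the examiner's own watch
    ["who"],              # logged-in users and their terminals
    ["ss", "-tunap"],     # open sockets and the processes that own them (Linux)
    ["netstat", "-an"],   # fallback for hosts without ss
    ["ps", "aux"],        # running processes: a program in memory may be the evidence
    ["uname", "-a"],      # operating system and kernel version
    ["mount"],            # attached volumes, including mounted encrypted containers
    ["ip", "addr"],       # network interfaces: is it connected to other machines?
]


@dataclass
class CaptureRecord:
    """One worksheet line: what was run, when (UTC), the result, and a hash of the output."""
    utc_time: str
    command: str
    status: str                         # "ok", "skipped (not found)", "error <rc>" or "error timeout"
    sha256: str = ""
    output: bytes = field(default=b"", repr=False)


def _now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def capture_command(argv, timeout=30):
    """Run one tool and return a CaptureRecord; never raises, so one failure does not stop the rest."""
    stamp, cmd = _now(), " ".join(argv)
    if shutil.which(argv[0]) is None:
        # Record the gap too: a reviewer must be able to see what was NOT collected, and why.
        return CaptureRecord(stamp, cmd, "skipped (not found)")
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return CaptureRecord(stamp, cmd, "error timeout")
    out = proc.stdout + proc.stderr
    status = "ok" if proc.returncode == 0 else f"error {proc.returncode}"
    return CaptureRecord(stamp, cmd, status, hashlib.sha256(out).hexdigest(), out)


def run_triage(commands=TRIAGE_COMMANDS):
    """Capture every command in order; order matters because each run changes the machine a little."""
    return [capture_command(argv) for argv in commands]


def worksheet(records):
    """Render the records as the chronological worksheet: time, result, hash, utility used."""
    lines = ["utc_time\tstatus\tsha256\tcommand"]
    lines += [f"{r.utc_time}\t{r.status}\t{r.sha256}\t{r.command}" for r in records]
    return "\n".join(lines)


if __name__ == "__main__":
    records = run_triage()
    print(worksheet(records))
    # Save each output beside the worksheet; the hash on the worksheet lets anyone later
    # confirm the saved file is the one that was captured.
    for r in records:
        if r.status == "ok":
            with open(f"triage-{r.command.split()[0]}.txt", "wb") as fh:
                fh.write(r.output)
```

Anything run on a live machine changes it (a new process entry, updated access times), which is exactly why the worksheet records what was run and when: those changes can then be explained in court instead of looking like tampering. Skipped tools are recorded as well, so the gaps in the capture are as documented as the captures.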
55. Collection – Chronological Worksheet
   - Date, time, description of the computer
   - The identity of those assisting you
   - The identity of witnesses to your activity
56. Collection – Chronological Worksheet
   - Date, time and action taken
   - Record investigative clues and leads
   - Date, time and programs or utilities used
57. Collection – Photographing
   - Photograph the computer using 35mm, Polaroid, digital and/or video camera
   - Photograph the front and back of the computer
   - Photograph all computer connections and cables
58. Collection – Photographing
   - Photograph all hardware devices
   - Take pictures of anything, anywhere, that may be of value or used for evidence
59. It is the small stuff that can create problems sometimes…
60. Collection – Photographing
   - Be sure to note “unusual” things about the condition of the evidence
61. Someone wanted this one dead…
62. Collection – Sketching
63. Collection – Sketching
   - Why sketch? I already have photos!
   - Puts the photos in context
   - Helps in recollection for reports and testimony
   - Useful with the prosecutor and court to aid in testimony
64. Collection – Sketching
   - Use graph paper if available
65. Collection – Sketching
   - Rudimentary sketches can be all that is needed, but…
66. Collection – Sketching
   - Don’t forget it is a crime scene.
     - Use support units if available
67. Collection
   - Disconnect the power at the computer case
68. Collection
   - Disconnect the power at the computer case (laptops require the battery to be pulled as well).
69. Collection
   - Then reinsert the battery… and observe. Remove again if needed.
70. Collection
   - IMPORTANT: Always try to locate and seize the laptop power supply
71. Collection
   - Mark and tag all cables and hardware at both ends
     - Helpful for reconstruction and court (even juries will understand it)
72. Collection
73. Collection
   - Use wire tags and stick-on labels for each item seized
74. Collection
   If you are seizing more than one computer system, first number the computers and then tag the cables and hardware using the computer number, e.g. A-1, B-1, A-2, B-2, etc.
75. Collection – Transport
   - Package the computer, cables and other hardware in boxes after entering the evidence description on the search warrant property sheet
   - Keep the boxes for each computer together during transport and storage
76. Collection – Transport
   - When seizing floppies and other removable media, count them
   - Mark them using an indelible colored marker, or labels on tape or other stick-on media
77. Collection – Transport
   - Keep magnetic media separate from other seized items
   - Place seized diskettes in separate boxes for each room
78. Collection – Transport
   - Pack the transport vehicle with care
   - Place the CPU and other computer-related hardware and software in a safe place for transport
79. Collection – Golden Rules
   - Package properly
   - Handle carefully
   - Mark clearly
   - If you are comfortable, the computer is comfortable
80. What is “Chain of Evidence”?
   - Documentation of dominion and control of evidence
   - Physical security of evidence
81. What is “Chain of Evidence”?
   - Basically, being able to show by documentation that the evidence is the same and untampered with from the moment of seizure to court presentation
82. Maintaining the Chain of Evidence
   - Evidence clearly marked so as to provide positive identification in court
   - Begins when evidence is identified
   - Ends when the court/prosecutor releases it
83. Maintaining the Chain of Evidence
   - Recommendation: have a log of all who entered the scene
84. Maintaining the Chain of Evidence
   - Recommendation: establish a central point in or near the crime scene and make it the “Evidence Collection Point”. Then designate a “Property Officer” to log in and mark evidence.
85. Presenting the Chain of Evidence
   - Agency case number
   - Person finding the evidence
   - Evidence number
   - Date and time
   - Location found
   - Running log for each person handling (receiving) the evidence
86. Presenting the Chain of Evidence
   - Photographs
   - Sketches and notes
   - Mark/label
   - Packages and evidence label
87. Presenting the Chain of Evidence
   - Property booking report
   - Chronological search form
   - Lab evidence tracking report
   - Individual supplemental reports
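Slides 55–56 (chronological worksheet), 74 (numbering items per computer) and 80–87 (chain of evidence) describe documentation that must show the evidence is the same and untampered with from seizure to court. As an added example that is not part of the deck, the following shows one way to keep that documentation tamper-evident: each custody entry carries a SHA-256 hash over the previous entry, so an edited, deleted or reordered entry is detected when the log is verified, and a hash of each seized image ties the item itself to its log entries. The tag scheme follows the deck’s A-1 / B-1 / A-2 example (items lettered, computers numbered); the field names, case number and the scenario in `demo()` are constructed for illustration.

```python
# Added example (not from the training deck): a tamper-evident chain-of-custody log.
# Field names, case number and the scenario in demo() are constructed for illustration.
import hashlib
import json
import time

GENESIS = "0" * 64   # "previous hash" of the very first entry


def item_tag(computer_number, item_index):
    """Deck's scheme: number the computers, letter the items on each.
    computer 1, item 0 -> 'A-1'; computer 1, item 1 -> 'B-1'; computer 2, item 0 -> 'A-2'."""
    if not 0 <= item_index < 26:
        raise ValueError("scheme labels 26 items per computer; extend before use")
    return f"{chr(ord('A') + item_index)}-{computer_number}"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a seized image or file in chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def entry_hash(entry):
    """Hash the canonical JSON form (sorted keys, fixed separators) so formatting cannot change the hash."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class CustodyLog:
    """Append-only custody log: entry N commits to the hash of entry N-1."""

    def __init__(self, case_number):
        self.case_number = case_number
        self.entries = []

    def record(self, item, handler, action, location, evidence_sha256=None, when=None):
        """Append one handling event (who, what, where, when) and return its hash."""
        body = {
            "case": self.case_number,
            "seq": len(self.entries) + 1,
            "item": item,
            "handler": handler,
            "action": action,
            "location": location,
            "evidence_sha256": evidence_sha256,
            "utc_time": when or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        body["entry_hash"] = entry_hash(body)
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        """Recompute every hash and back-link. Returns (True, None) or (False, first bad seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or entry_hash(body) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None


def demo():
    """Constructed scenario: one tower seized, booked, imaged; then one entry is quietly edited."""
    log = CustodyLog("04-001234")
    tower = item_tag(1, 0)                                       # "A-1"
    log.record(tower, "Ofc. Doe", "seized from desk, photo #12", "bedroom, 123 Main St",
               when="2004-03-01T14:02:00Z")
    log.record(tower, "Ofc. Doe", "released to property officer", "evidence collection point",
               when="2004-03-01T15:30:00Z")
    log.record(tower, "Tech Roe", "drive imaged", "lab bench 2",
               evidence_sha256="ab" * 32, when="2004-03-02T09:00:00Z")
    intact, _ = log.verify()
    log.entries[1]["handler"] = "Ofc. Poe"                       # the tamper
    still_intact, bad_seq = log.verify()
    return intact, still_intact, bad_seq


if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

The chain only proves the log was not altered after the fact if its latest hash is recorded somewhere the log’s keeper cannot silently rewrite, such as on the signed property booking report or the lab tracking report at each hand-over; otherwise a forger could simply rebuild the whole chain. Re-hash the image at each hand-over and compare with the `evidence_sha256` in the log, so the physical item and the paperwork are checked against each other.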
88. Evidence Storage Guidelines
   - Secure area
   - Moderate temperature
   - Free of excessive dust
   - No excessive moisture
   - Free of magnetic influence
89. Storage Containers
   - Original packaging is the best material
   - Other options:
     - Cardboard boxes
     - Wooden shelves
     - Non-static containers
90. Summary
   - Finding all the evidence
   - Preserving and collecting any evidence
   - Transportation and storage of all evidence