Evidence Seizure Sandyb


Published on

Published in: Technology, Health & Medicine
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Evidence Seizure Sandyb

    1. 1. Criminal Justice Training Center <ul><li>Level One </li></ul><ul><li>High Tech Evidence Collection and Seizure </li></ul>
    2. 2. High Tech Evidence Collection and Seizure <ul><li>Evidence practices </li></ul><ul><li>and procedures </li></ul>
    3. 3. Agenda <ul><li>Identification </li></ul><ul><li>Preservation </li></ul><ul><li>Collection </li></ul><ul><li>Chain of evidence </li></ul><ul><li>Storage guidelines </li></ul>
    4. 4. Identification <ul><li>General concepts </li></ul><ul><li>Types of computer related evidence </li></ul><ul><li>Where and how computer related evidence may be found </li></ul>
    5. 5. Identification – General Concepts <ul><li>Consider all items real and virtual to be evidence </li></ul><ul><li>Must be described in the search warrant or articulated at the time of seizure </li></ul><ul><li>Determined by the “type” of crime </li></ul><ul><li>Sophistication of suspect </li></ul>
    6. 6. Identification – General Concepts You can take everything, take only what is subject to search warrant or you can take only data. But…
    7. 7. Identification – General Concepts <ul><li>If you leave things behind, you may need it later </li></ul><ul><li>After you leave, things may disappear </li></ul><ul><li>And … </li></ul>
    8. 8. Identification – General Concepts <ul><li>Can you secure the scene long enough to accomplish tasks? </li></ul><ul><li>Do you have equipment and personnel necessary to accomplish tasks? </li></ul>
    9. 9. Identification – Types of Evidence <ul><li>Printers and other hardcopy hardware </li></ul><ul><li>Mouse, cables and other connectors </li></ul><ul><li>Software </li></ul><ul><li>Jaz and Zip drives </li></ul><ul><li>Tape backup drives </li></ul><ul><li>Hand and flat-plate scanners </li></ul>
    10. 10. Identification – Types of Evidence <ul><li>Computers, keyboards and monitors </li></ul><ul><li>Disks, CDs and diskettes </li></ul><ul><li>Magnetic tape storage units </li></ul><ul><li>Phones (memory dialers) </li></ul><ul><li>Circuit boards and components </li></ul><ul><li>Modems </li></ul>
    11. 11. Identification – Types of Evidence <ul><li>Paper output </li></ul><ul><li>Manuals </li></ul><ul><li>Ledgers </li></ul><ul><li>Address books </li></ul><ul><li>Correspondence </li></ul><ul><li>Diary </li></ul><ul><li>Notes and scribbling </li></ul>
    12. 12. Identification – Where to Look for It <ul><li>Desktops </li></ul><ul><li>Tabletops </li></ul><ul><li>Monitors </li></ul><ul><li>Next to phones </li></ul><ul><li>Garbage cans </li></ul><ul><li>In wallet </li></ul><ul><li>In suspects pocket </li></ul><ul><li>In bookcases </li></ul><ul><li>Under keyboards </li></ul>
    13. 13. Identification – Where to Look For It <ul><li>Search the Area Carefully </li></ul><ul><li>Do not get “tunnel vision” </li></ul><ul><li>Look for evidence of computer use </li></ul><ul><li>Dependent only on the size of item being searched for </li></ul><ul><li>Restricted only by the imagination of suspect </li></ul>
    14. 14. Identification – Where to Look For It <ul><li>Search may be limited by the location described in warrant </li></ul><ul><li>Search may be limited by the size of smallest item listed in warrant </li></ul>
    15. 15. Sample Evidence – Tower Computer Case
    16. 16. Sample Evidence - Monitor, Keyboard, and Mouse
    17. 17. Sample Evidence - Computer Media/Storage
    18. 18. Sample Evidence - Computer Media/Storage USB pocket disk 32MB IBM Microdrive 1GB, 500/340 MB
    19. 19. Sample Evidence - Computer Media/Storage “ Thumb Drives” up to 128MB “Disk-on-Key” unit
    20. 20. Sample Evidence - Card Readers USB Pocket DigiDrive. Reads multiple media sources, smart cards etc..
    21. 21. Sample Evidence - Magnetic Readers Mini-Mag Magstripe reader (PMR 102)
    22. 22. Sample Evidence - Computer peripherals
    23. 23. Sample Evidence - Flat Plate Scanner
    24. 24. Sample Evidence - Computer Cases
    25. 25. Sample Evidence - Computer Cases
    26. 26. Sample Evidence Area Sometimes they can never be separated from their computer.
    27. 27. Preservation and Collection <ul><li>Preservation </li></ul><ul><li>Collection </li></ul><ul><li>Physical chain of evidence </li></ul>
    28. 28. Preservation <ul><li>Have a plan for proper packaging and transport… </li></ul><ul><li>Pre-prepared “Evidence Kit” </li></ul>
    29. 29. Preservation <ul><li>Determine if the evidence can be collected and preserved for future analyses </li></ul><ul><li>Keep “chain of evidence” in mind </li></ul><ul><li>Document everything </li></ul>
    30. 30. Preservation <ul><li>Practice safe evidence handling - wear rubber gloves! </li></ul><ul><li>Don’t let your prints be the only ones found </li></ul><ul><li>Bio-Hazards </li></ul>
    31. 31. Preservation – Fragility of Evidence <ul><li>Tends to be very volatile and easily be damaged or destroyed </li></ul><ul><li>Follow documented procedures for preserving computer and electronic evidence </li></ul>
    32. 32. Preservation – Fragility of Evidence <ul><li>Avoid magnetic fields </li></ul><ul><li>Avoid excessive heat </li></ul><ul><li>Avoid direct sunlight </li></ul><ul><li>Don’t touch magnetic media with your skin </li></ul>
    33. 33. Preservation – Fragility of Evidence <ul><li>Do use paper bags or cardboard boxes </li></ul><ul><li>Do use original packaging material </li></ul>
    34. 34. Preservation – Hacker systems When you have a case involving a computer as the object or means of committing a crime, remember that a program running in memory might be the evidence of your crime.
    35. 35. Preservation – Special Environments <ul><li>Mainframes </li></ul><ul><li>Networks </li></ul><ul><li>Specialty computers – cad cams </li></ul>
    36. 36. Preservation – Basic Rules <ul><li>Do not let the suspect near the machine. </li></ul><ul><li>Do not let cops or “computer experts” play with the computers to “see what’s inside.” </li></ul>
    37. 37. Preservation – Basic Rules <ul><li>Photograph everything </li></ul><ul><li>Document everything </li></ul><ul><li>Rule to remember: if you are comfortable the computer is comfortable </li></ul>
    38. 38. Preservation – Evaluating Conditions <ul><li>Is the computer on or off? </li></ul><ul><li>If the computer is on, what is the computer doing? </li></ul><ul><li>If a computer is on, there is a good chance it is doing something </li></ul>
    39. 39. Preservation – Evaluating Conditions <ul><li>What applications are running? </li></ul><ul><li>What is displayed on the screen? </li></ul><ul><li>What operating system is functioning? </li></ul>
    40. 40. Preservation – Evaluating Conditions <ul><li>Assess the potential for loss of data from outside threats such as weather, electrical and magnetic conditions </li></ul><ul><li>Determine if the computer is connected to other computers by network or modem </li></ul>
    41. 41. Preservation – Evaluating Conditions <ul><li>Consider previous conditions to determine if the computer should be turned off or left running </li></ul><ul><li>Be prepared for “Emergency” shut-down </li></ul><ul><li>Have camera ready - photograph the screen with a video camera </li></ul>
    42. 42. Preservation – Urban Legend? The possible presence of degaussing (magnets) equipment placed in the crime scene by the suspect. Evidence being lost due the presence of large degaussing hardware hidden in a doorway and operated by a wall switch. Hmm,…not likely.
    43. 43. Collection – Chronological Worksheet <ul><li>Date, time, description of the computer </li></ul><ul><li>The identity of those assisting you </li></ul><ul><li>The identify of witnesses to your activity </li></ul>
    44. 44. Collection – Chronological Worksheet <ul><li>Date, time and action taken </li></ul><ul><li>Record investigative clues and leads </li></ul><ul><li>Date, time and programs or utilities used </li></ul>
    45. 45. Collection - Photographing <ul><li>Photograph the computer using 35mm, polaroid, digital and/or video camera </li></ul><ul><li>Photograph the front and back of the computer </li></ul><ul><li>Photograph all computer connections and cables </li></ul>
    46. 46. Collection - Photographing <ul><li>Photograph all hardware devices </li></ul><ul><li>Take pictures of anything everywhere that may be of value or used for evidence </li></ul>
    47. 47. It is the small stuff that can create problems sometimes…
    48. 48. Collection - Photographing <ul><li>Disconnect the power at the computer case </li></ul><ul><li>Be sure to note “unusual” things about the condition of the evidence…. </li></ul>
    49. 49. Someone wanted this one dead…
    50. 50. Collection <ul><li>Mark and tag all cables and hardware at both ends </li></ul><ul><li>Use wire tags and stick on labels for each item seized </li></ul>
    51. 51. Collection If you are seizing more than one computer system first number the computers and then tag the cables and hardware using the computer number.
    52. 52. Collection - Transport <ul><li>Package the computer, cables and other hardware in boxes after entering the evidence description in the search warrant property sheet </li></ul><ul><li>Keep boxes for each computer together during transport and storage </li></ul>
    53. 53. Collection - Transport <ul><li>When seizing floppies and removable media count floppies and removable media </li></ul><ul><li>Mark them using an indelible colored marker or labels on tape or other stick on media </li></ul>
    54. 54. Collection - Transport <ul><li>Keep magnetic media separate from other seized items </li></ul><ul><li>Place seized diskettes in separate boxes for each room </li></ul>
    55. 55. Collection - Transport <ul><li>Pack the transport vehicle with care </li></ul><ul><li>Place the CPU and other computer related hardware and software in a safe place for transport </li></ul>
    56. 56. Collection – Golden Rules <ul><li>Package properly </li></ul><ul><li>Handle carefully </li></ul><ul><li>Mark clearly </li></ul><ul><li>If you are comfortable, the computer is comfortable </li></ul>
    57. 57. What is ‘Chain of Evidence’? <ul><li>Documentation of dominion and control of evidence </li></ul><ul><li>Physical security of evidence </li></ul>
    58. 58. Maintaining the Chain of Evidence <ul><li>Evidence clearly marked so as to provide positive identification in court </li></ul><ul><li>Begins when evidence is identified </li></ul><ul><li>Ends when court/prosecutor releases same </li></ul>
    59. 59. Presenting the Chain of Evidence <ul><li>Agency case number </li></ul><ul><li>Person finding the evidence </li></ul><ul><li>Evidence number </li></ul><ul><li>Date and time </li></ul><ul><li>Location found </li></ul><ul><li>Running log for each person handling (receiving) the evidence </li></ul>
    60. 60. Presenting the Chain of Evidence <ul><li>Photographs </li></ul><ul><li>Sketches and notes </li></ul><ul><li>Mark/label </li></ul><ul><li>Packages and evidence label </li></ul>
    61. 61. Presenting the Chain of Evidence <ul><li>Property booking report </li></ul><ul><li>Chronological search form </li></ul><ul><li>Lab evidence tracking report </li></ul><ul><li>Individual supplemental reports </li></ul>
    62. 62. Evidence Storage Guidelines <ul><li>Secure area </li></ul><ul><li>Moderate temperature </li></ul><ul><li>Free of excessive dust </li></ul><ul><li>No excessive moisture </li></ul><ul><li>Free of magnetic influence </li></ul>
    63. 63. Storage Containers <ul><li>Original packaging is the best material </li></ul><ul><li>Other options: </li></ul><ul><ul><li>Cardboard boxes </li></ul></ul><ul><ul><li>Wooden shelves </li></ul></ul><ul><ul><li>Non static containers </li></ul></ul>
    64. 64. Summary <ul><li>Finding all the evidence </li></ul><ul><li>Preserving and collecting any evidence </li></ul><ul><li>Transportation and storage of all evidence </li></ul>