The document discusses various types of evidence that may be found during a computer-related investigation and provides guidance on properly identifying, preserving, collecting, transporting, storing, and documenting digital evidence to maintain the chain of custody. It emphasizes the importance of carefully handling computer-related evidence to avoid damage or data loss and clearly documenting all actions taken with the evidence.

1. High Tech Evidence Identification Types of evidence Preservation Physical and chain of evidence Presentation In court Storage guides

2. Identification Consider all items real and virtual which could be evidence Must be described in the SW Often determined by the “type” of crime Sophistication of suspect

3. Types of Computer Related Evidence Paper output Ledgers Address books Correspondence Diary Hacker notes

4. Types of Computer Related Evidence Computer paraphernalia Computers, keyboards and monitors Disks and diskettes Magnetic tape storage units Phones (memory dialers) Circuit boards and components Modems

5. Types of Computer Related Evidence Printers and other hardcopy hardware Mouse, digitizers, cables and other connectors Software and manuals

6. Where Computer Related Evidence May Be Found Desktops Monitors Next to phones In wallet In suspects pocket

7. Where Computer Related Evidence May Be Found Garbage cans Under keyboards Dependent only on the size of item being searched for And the imagination of suspect

8. Steps for Locating Computer Evidence Look for evidence of computer use Examine the evidence for criminal content Search limited by the location described in warrant Search limited by the size of smallest item listed in warrant

9. Evidence Preservation Determine if the evidence can be collected and preserved for future analyses Have a plan for proper packaging and transport Keep “chain of evidence” in mind

10. Evidence Preservation Document everything Practice safe evidence handling - wear rubber gloves!!!!!!!!! Don’t let your prints be the only ones found :-)

11. Collecting the Evidence Fragility of computer evidence Computer related evidence is like any other evidence you might find with one exception: It tends to be very volatile and can easily be damaged or destroyed . Handle it with extra care and follow documented procedures for preserving computer and electronic evidence

12. Collecting the Evidence Avoid magnetic fields Avoid excessive heat Avoid direct sunlight Don’t touch magnetic media with your skin

13. Collecting the Evidence Static electricity Avoid touching exposed wires or circuit boards DO NOT place items in plastic evidence bags DO NOT place items in boxes of foam peanuts

14. Collecting the Evidence Do use paper bags or cardboard boxes Do use original packaging material

15. Collecting the Evidence It is advisable that only investigators with sufficient knowledge and hands-on computer experience deal with computers, peripherals, diskettes, programs, etc., As well as with other technical or specialized equipment during searches

16. Collecting the Evidence However, it is paramount in four instances Mainframes Minicomputers Specialty computers

17. Collecting the Evidence Hacker systems Note: When you have a case involving a computer as the object or means of committing a crime, do not turn the computer off if it is on until you are sure the data in temporary memory has been "saved"

18. Simple Overview of Seizing a Computer R ule number 1 Preserve the evidence Don’t let the suspect near the machine Don’t let cops or “computer experts” play with the computers to “see what’s inside.” Both can be equally destructive

19. Preserve The Evidence Photograph and document everything Rule to remember: if you’re comfortable the computer is comfortable

20. Start Chronological Case Work Sheet List the date, time and description of the computer List the identity of those assisting you and witnesses to your activity

21. Use Chronological Case Work Sheet List the date, time and action taken Record your investigative clues and leads List the date, time and programs or utilities used Continue use throughout investigation/examination

22. Evaluate the Condition of the Computer Is the computer On or off? If the computer is on, what is the computer doing? If a computer is on, there is a good chance it is doing something depending on where it is

23. Evaluate the Condition of the Computer For example: running windows, accounting software, checking software, BBS, word processor, etc Assess the potential for loss of data from outside threats such as weather, electrical and magnetic conditions Determine if the computer is connected to other computers by network or modem

24. Evaluate the Condition of the Computer Networks are gaining in popularity as their prices come down. Simple network prices are at the point where they are affordable for average home users Consider the previous conditions to determine if the computer should be turned off or left running for a period of time and photograph the screen with a video camera

25. Evaluate the Condition of the Computer If the computer has a large RAM disk and all your evidence is on the RAM disk and you turn the computer off without saving it, what happens to your evidence? Photograph the computer using 35mm, polaroid, digital and/or video camera Photograph the front and back of the computer

26. Evaluate the Condition of the Computer Photograph cables Photograph attached hardware Take pictures of anything that may be of value or used for evidence This could be the hidden location of floppies, printed material, hard drives and other hardware

27. Evaluate the Condition of the Computer Boot the computer from the floppy drive Mark and tag all cables and hardware Use wire tags and stick on labels for each item seized This insures you can return the computer to it's original configuration

28. Evaluate the Condition of the Computer If you are seizing more than one computer system first number the computers and then tag the cables and hardware using the computer number so that when you get the whole mess back to the shop they can be put back together properly Prepare the computer for transport Shut down the computer

29. Evaluate the Condition of the Computer Package the computer, cables and other hardware in boxes after entering the evidence description in the search warrant program Keep boxes for each computer together during transport and storage Place the first label on the item or it's bag Place the second label on the box identifying each item in the box

30. Evaluate the Condition of the Computer Seizing floppies and other removable media Count floppies and other removable media Mark them using an indelible colored marker or labels. Do not use pencils or ball point pens as they may damage the diskette media

31. Evaluate the Condition of the Computer Keep magnetic media separate from other seized items. This will aid you later in the interrogation of the disks so you don't have to look through dozens of boxes and envelopes for diskettes Place seized diskettes in separate boxes for each room It will save you a lot of time and trouble sorting through them later

32. Search the Area Carefully Diskettes and small media hide themselves in the strangest places We often find them inside books, taped to the bottom of keyboards, in chests of drawers, shirt pockets and other surprising places

33. Transportation of Evidence Pack the transport vehicle with care Place the CPU and other computer related hardware and software in a safe place in for transport Items fall out of pickups and bounce around in large trucks Magnets in radios in the trunks of vehicles and excessive heat can damage media or hardware

34. Magnets and Degaussing Equipment. Be aware of the possible presence of degaussing (magnets) equipment placed in the crime scene by the suspect Evidence has been lost due the the presence of large degaussing hardware hidden in a doorway and operated by a wall switch A simple compass will detect any strong electromagnetic currents

35. Preservation of Evidence Package properly Handle carefully Mark clearly Primary rule: if you are comfortable, the computer is comfortable

36. What to Take If you are seizing computer equipment, you may want to take everything You may only take data If you leave computer equipment, hardware, software or manuals and you may need it later in your investigation Also, after you leave, the equipment may disappear altogether

37. Chain of Evidence Documentation of dominion and control of evidence Physical security of evidence Clearly marked so as to provide positive identification in court Begins when evidence is identified Ends when court/prosecutor releases same

38. Documentation Photograph Sketch Mark/label Package Transport Secure

39. Chain of Evidence Presentation Documentation including reports and packaging must clearly show: Person Date Time Location For each person handling (receiving) the evidence

40. Documentation Evidence label Property booking report Chronological search form Lab evidence tracking report Individual supplemental reports

41. High Tech Evidence Storage Secure Area Moderate temperature Free of excessive dust No excessive moisture Free of magnetic influence

42. High Tech Evidence Storage Storage containers Original packaging The best material Options Cardboard boxes Wooden shelves Non static containers