1.2.Seizure

January 9, 2018 | Author: Anonymous | Category: Social Science, Law, Forensic Science

Seizing Electronic Evidence
● Best Practices – Secret Service
  - http://www.treasury.gov/usss/electronic_evidence.htm
● Electronic Crime Scene Investigation – NIJ
  - http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm

Before You Twitch
● Consent search or search warrant
  - Understand the nature of the crime
  - Read the search warrant
● Concerns
  - Safety – it is a crime scene
  - Destruction of potential evidence

Plan, Plan, Plan
● The seizure
● The collection techniques
● The order of events

What to Take Along
1) Evidence tape
2) Chain of Custody forms
3) Reading glasses
4) Inventory forms
5) Camera (battery, memory)
6) Backup disposable camera
7) Tool kit. Jewelers set. Needle nose pliers.
8) Sharpies, pens
9) Adhesive tape
10) New, wiped and verified hard drives in Pelican case, with lock
11) Gloves
12) Static wrist bands

More Stuff
13) Tableau Pelican (ATA, SCSI, eSATA, Firefly) with power supplies and line cords. Firewire I/F cables, laptop adaptor. Small laptop adaptor.
14) Firewire I/F board.
15) Several USB mice. Two PS/2 mice.
16) Laptop with X-Ways and FTK (crossover tested)
17) eSATA interface
18) USB to small USB cable
19) PS2/USB converter
20) Small flatscreen monitor
21) UPS
22) Extension cord
23) Power strip (2)
24) Digital media flash reader

And More Stuff
25) DOS boot with Firewire/USB.
26) DOS boot with utilities
27) 1GB NIC
28) ATA interface with cable
29) CDs with WinHex, FTK, Linen
30) Boot CD with Helix/Linen, boot USB
31) F-Response CD
32) Dongles – FTK, X-Ways, F-Response
33) Flashlight
34) Powered USB hub
35) Magnifying glass
36) Blank labels
37) Bottled water

Computers & Crime
● Fruits of crime
  - Stolen computers
● Tool of criminal activity
  - Drug records, meth formulas
● Repository of contraband
  - Hacking, counterfeit documents
  - Toons, tunes
● Repository of incriminating evidence
● Unwitting record of criminal activity
  - e-mail records, browsing history

Potential Evidence
● Probable cause to seize HW?
● Probable cause to seize SW?
● Probable cause to seize data?
● Where will the search of the seized evidence be conducted?
  - Careful of business interruption issues and proprietary information.
  - Depends on the role of the computers in the crime.

Prior to Serving the Warrant
● Start your investigation report
  - Understand the nature of the crime
  - Describe the role of the computer/digital device in the crime
  - Describe the limits of your investigation
● Probable cause for seizure
  - What can be seized
  - What can be looked at
  - Where is the search to be conducted

Expect the Unexpected
● If it is not covered in your search warrant
  - Get approval from DA
  - Get approval from Detective in charge
  - Take very detailed notes justifying your actions

Role of the Computer
● Contraband computer
  - HW or SW stolen?
● Tool of the offense
  - Writing counterfeit checks, IDs
● Incidental to the offense
  - Data storage

Seize What
● HW
● SW
● Data
● All things digital
● All things related to digital
  - Media, notes, documentation
● Stay within the bounds of the search warrant

Seize/Search Where
● On site, in the field office, in a lab
● Disposal of seized items
● Consider the size of the seizure
● Suspects:
  - Interview
  - Passwords
  - Location of data
  - Installed software
  - Network
  - Etc.

Expectation of Privacy
● There is no blanket guarantee of privacy in the Constitution.
● The 4th Amendment sufficed until telephones etc.
● The Wire Tap Law (1934)
● Further refined in:
  - ECPA 1986
  - CALEA

Legal Invasion of Privacy – Legal Instruments for Search and Seizure
● Search warrants
● Warrantless searches
● Subpoenas
● Wire taps/surveillance
● FISA – It is a new world.
● NSL – It is a brave new world
● NSA – ???

Search Warrant
● Obey the Constitution
● Specifies
  - Place
  - Persons
  - Stuff – papers, effects
● Show probable cause
  - Contained in sworn affidavits
  - Support for probable cause
● Signed by a judge with jurisdiction

Warrants
● Expectation of privacy
  - In public places
  - Requires warrants to conduct surveillance
● If given to a 3rd party, no expectation of privacy
  - Telephone records, bank deposits, etc.
  - Requires subpoena

Careful: Exclusionary Rule
● If government agents engage in unlawful searches or seizures, then all fruits of the search are excluded from further legal action.

Warrant
● Warrant to seize computer HW is different from warrant to seize information.
● Seize HW if the HW is contraband, evidence, etc.
  - Warrant should describe HW.
● Seize information if it relates to probable cause.
  - Warrant should describe information.
  - Either image HDD on site OR
  - Seize the HW and image at the office
  - Be sure you have a warrant for and description of HW.

Back to Warrants
● Search warrants and computers, etc.
  - Much confusion over the wording of the warrant
● Search and seize
  - HW
  - Contents
  - Information
  - Where – home or the office?

Search Warrants for Computer Stuff
● Be very careful
● Get 2 search warrants
● Number 1:
  - Search premises, people, vehicles, etc.
  - Seize computers, docs, data media, etc.
● Number 2:
  - Search the contents of the computers, digital devices, etc.
  - Business practice concerns taken

Warrantless Searches
● Permission
● Incident to arrest
● Plain sight
  - Recent Oregon ruling: “Through the window of one’s home is not in plain sight”

Search Warrants
● Electronic device search warrant
  - HW, SW, documents, storage media, notes
● Stored data
  - Requires a separate warrant
  - Examination of data
● Service provider search warrant/subpoena
  - Utilities, phone, cable, satellite, cellular, internet, etc.
  - Billing records, service records, subscriber info, etc.

More Planning
● What are the restrictions?
  - Photographs, video
  - Proprietary information
  - Classified information
  - Business records
  - Business continuity
● Chief is ticked when he gets a lawsuit for business losses!

The Search & Seizure
● Secure the scene, restrict access
● Preserve the area, no more fingerprints
● Ensure the safety of all concerned
● Nobody touch nothing!
● Usually the forensic specialist will not be a first responder. However, often they are.

Notes
● Keep a very detailed log of every operational action
  - Details
  - Time
  - Order
● They can cover a lot of mistakes during the seizure and search
  - What did you do?
  - What were the reasons for doing it?
  - Itemize potential harm versus another way of doing it.

Rule # 1
● If it is off, leave it off.
● Photograph the screen and then pull the plug
● Be very cautious if there is a network visible
  - Such as cables
  - Blinking lights
● Get a specialist
  - You are the specialist.

Pictures of Everything
● Floor plan
  - Locate all equipment
  - Number all equipment on the floor plan
  - You will have to reconstruct
● Photograph/videograph
  - The entire area containing HW & cables
  - The screen of each computer that is on.
  - Much more later

Photos
● Items and placement
  - Each item
  - Placement
  - Model numbers, serial numbers
  - Front
  - Back
  - Cables
  - Anything that might be of interest.
● You only get one chance to record the original evidence

After Pictures of an “on” PC
● If the computer is a stand-alone PC
  - Pull the plug
  - Vista is different
  - Do not turn it off
● If it is a laptop
  - Pull the plug
  - If it is still on, it has a functioning battery – pull the battery
  - Keep the battery separate

New World
● Have to beat the trojan defense – live acquisition
● Business interruption – live acquisition
● Network activity – network sniffer

Examples – Screen(s)
If the computer is on, photograph the screen. If a screen saver is evident, don’t wiggle the mouse to see what is under it. Make sure it is in focus!

Tape All Orifices with Break-Away Tape
Prove: no one has touched the system.

Back
Photo of the back with all of the connections tagged. More photos of each connection identified. In your log, both ends of each connection should be identified and cross-referenced with your photos.

Front

Inside
Hard drive S/N & system S/N. IDs and S/Ns are important.

Network Gear
Don’t forget all the network connections and devices. Photos should show connection labels as well as general configuration. Multiple photos.

Examples – Serial Numbers
This is the photo of the back of the monitor. Photos should show model number and serial numbers.

Examples – Media
Photograph the media. Also be able to show the location of the media found. Cross-reference to the sketch. Also the media should be assigned an Item #.

Evidence Collection
● Locate evidence
  - Tie to sketch
  - Connectivity
● Photograph evidence
  - Coordinate with the general photographer
● Assign an Item Number, tag and log in the Evidence Inventory Form
● Bag – Item #, Date, Time, Who
● Enter into custody log
● Transfer custody to jurisdictional agency

Evidence Inventory Form

Serial Cable to Serial Port
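As an added example (not part of the course slides), a small Python evidence inventory and custody log for the steps above: each entry records the Item #, date/time and who, plus the sketch position and photo numbers, and carries the SHA-256 of the previous entry, so a later edit to any record or a removed entry is caught when the log is verified. Item numbers, serials, photo names and people in the sample are constructed placeholders.

```python
import hashlib
import json
GENESIS = "0" * 64  # prev_hash recorded by the first entry

class CustodyLog:
    """Append-only inventory + custody log; each entry stores the previous entry's SHA-256."""

    def __init__(self):
        self.entries = []

    def _append(self, record):
        record["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        record["entry_hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.entries.append(record)
        return record["entry_hash"]

    def inventory(self, item_no, description, serial, sketch_ref, photos, who, when):
        # Bag label fields (Item #, date/time, who) plus sketch position and photo numbers.
        return self._append({"type": "inventory", "item": item_no, "description": description,
                             "serial": serial, "sketch": sketch_ref, "photos": list(photos),
                             "who": who, "when": when})

    def transfer(self, item_no, from_who, to_who, when, reason):
        # Every change of hands is a new entry, never an edit of an old one.
        return self._append({"type": "transfer", "item": item_no, "from": from_who,
                             "to": to_who, "when": when, "reason": reason})

    def custodian(self, item_no):
        # Whoever last received the item (the collector if it was never transferred).
        return next((e["to"] if e["type"] == "transfer" else e["who"]
                     for e in reversed(self.entries) if e["item"] == item_no), None)

    def verify(self):
        # Walk the chain: (True, count) or (False, index of the first bad entry).
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev_hash"] != prev or digest != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, len(self.entries)

def sample_log():
    # Constructed sample: one workstation collected on scene, then handed over.
    log = CustodyLog()
    log.inventory(1, "Dell tower, HDD S/N WX-CONSTRUCTED-001", "SYS-CONSTRUCTED-77",
                  "sketch position 3", ["IMG_0012", "IMG_0013"], "Examiner A", "2018-01-09 10:42")
    log.transfer(1, "Examiner A", "Property Officer B", "2018-01-09 15:10",
                 "transfer to jurisdictional agency")
    return log
```

Print the entries as JSON and keep that alongside the paper form; `verify()` should be run again when the log is received by the jurisdictional agency.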

Network
● Photograph, diagram and label everything
● Can a live forensics capture suffice?
● Get a sniffer on the network as close to the gateway as possible
  - Ethereal on a USB device
● Be prepared for this sort of situation
  - Tools, tools on the USB
  - Make sure the USB has enough memory for traffic capture
  - Document every program you run on a host
  - Document everything you do!

Network Spaghetti

Tag and Bag
● Tape every drive slot shut
● Photograph, diagram and label all components
● Photograph, diagram and label all connections
● Photograph, diagram and label all cables – both ends
  - You will have to reconstruct
● Pack it for transport
  - Keep it away from EM
● Collect all printed material
  - Docs, records, notes

Seizure
● If the network is active
  - Do not power down any networking gear
  - They have no hard drives
  - All evidence is volatile
  - If no significant network traffic, disconnect from the ISP
● Using the USB device, harvest the routers and switches, then disassemble the network
  - Seize the servers and workstations
● Get the network admin to help
  - They could corrupt the data, SO be careful

Liabilities
● Criminal and civil
  - Destruction of business-relevant data
  - Disruption of business services
● Make detailed notes of your steps
  - Every step

Other Devices
● Cell phones
● Printers
● Cordless phones
● CD duplicators
● Answering machines
● Labelers
● Caller ID devices
● Digital cameras, video
● Pagers
● GPS
● Fax
● Game boxes
● Copiers
● PDAs
● TiVos
● Home electronic devices

Other Devices (cont’d)
● Magnetic strip readers & writers
● Check writers
● Make credit cards
● Bar code writers
● Hologram writers
● Special printers
  - ID card writers
● Smart cards – writers & readers
● RFID
  - Writers & readers
● Home grown gear
● Security systems
● Counterfeiting

Cell Phones
● A treasure trove of evidence
● Numbers
  - Dialed and received
  - Calling card numbers
  - PIN numbers
● Messages
  - Voice, text
  - Time lines
● All is volatile to some extent
● Internet access information

Cell Phones
● Web surfing history
  - Cookies
  - Cached data
  - Stored programs
● ISP information
  - Subpoena ISP for customer information
  - Recent syslogs
● Cell provider keeps activity records
  - Subpoena information
  - Tracks recent whereabouts

Cell Phones
● Architecture
  - Computer
  - User interface
  - Transceiver
  - OS
  - Networking stack
  - I/O – Bluetooth, IR, serial

Seizure – On
● If it is on, leave it on
  - Lockout features
  - Volatile memory may contain info – access codes, PINs, passwords; recent financial transactions
● Photograph screen
● Document everything you do
● Take all power cords and docs
● Be very careful – it is on – if it does something it may be construed as WIRE TAP
● Put in a Faraday bag; prevents communication with tower

Seizure – Off
● Tag and wrap
● Get to an expert
● Get all the ancillary gear
  - Head set
  - Remotes
  - Serial connects
● Find service provider
  - Subpoena

Cordless Telephones
● Not as rich as cell phones
● Numbers called, stored
● Perhaps Caller ID
● Voice mail
  - Recent
  - May contain recoverable erased voice messages
  - Be careful – WIRE TAP
● On-screen info may be relevant
  - Photograph and document

Answering Machines
● Same old, same old
● Numbers, times, voice content
● WIRE TAP caution if it is on.

Caller ID Boxes
● More numbers and times
● Unplug from phone line
  - WIRE TAP caution applies
● If off, leave it off
● If on, leave it on
  - Tag, photograph, document
● Does it have battery backup?
  - No – pull the plug
  - Yes – get an expert
● Get everything

Pagers
● Pages
  - Numeric
  - Text messages – incoming & outgoing
  - Info – some are held on device; others one must subpoena from provider
● Voice mail
  - Call back #, codes, passwords, etc.
  - Must subpoena from provider
● E-mail
  - Some held on device, others at provider

Pagers
● Architecture
  - Transceiver
  - CPU and memory
  - Simple to elaborate user interface
  - Often has a full keyboard
  - Reasonable display

Pagers – Seizure
● On
  - Caution: real-time communications intercept after seizure
  - Get it away from suspect
  - Document and photograph
  - Turn it off
  - Caution on battery life
  - Tag and bag
● Off
  - Tag and bag

Fax, Printer, Copier, ID Printers
● Today they are converging into one machine
● Architecture
  - Computer
  - Ethernet
  - Phone line
  - Massive storage – 20+ gigabytes
  - Extensive display tree

Fax – Printer – Copier

Fax, Printer, Copier, ID Printers
● Dial lists, e-mail addresses, times, logs, headers
● Stored documents
  - Sent
  - To be sent
  - Received – not opened
  - Received – opened
  - Photographs, personal info

Seizure
● If off, leave it off.
  - Tag and bag
● If on
  - Photograph and document, especially comms connections. An attempt may be made to access memory and capture the most recently printed document. If the device scans first and then dispatches, everything is stored on the hard drive.
  - Disconnect the comms interfaces
  - Tag and bag
● Determine phone connections
  - Subpoena service provider

Custom Stuff
● RFID readers/writers
● Credit card readers/writers
● Smart card readers/writers
● Bar code readers/writers

Security Systems
● Ingress/egress logs – time line, IDs
● Service provider
● System info
● Photograph and document location of all devices
  - Text, video
● Tag and bag all stored data and recorded data.
● Detailed documentation – you can’t tag and bag

Stuff
● Docs, notes, documentation, etc.
● Credit cards, smart cards, RFIDs, etc.
● CDs, DVDs – all media
