Seizing Electronic Evidence – Best Practices – Secret Service
Posted: 12-Jan-2016

Page 1: Seizing Electronic Evidence

● Best Practices – Secret Service
  http://www.treasury.gov/usss/electronic_evidence.htm
● Electronic Crime Scene Investigation – NIJ
  http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm

Page 2: Before You Twitch

● Consent search or search warrant
  – Understand the nature of the crime
  – Read the search warrant
● Concerns
  – Safety: it is a crime scene
  – Destruction of potential evidence
● Plan, plan, plan
  – The seizure
  – The collection techniques
  – The order of events

Page 3: Computers & Crime

● Fruits of crime
  – Stolen computers
● Tool of criminal activity
  – Hacking, counterfeit documents
● Repository of incriminating evidence
  – Drug records, meth formulas
● Repository of contraband
  – Toons, tunes
● Unwitting record of criminal activity
  – E-mail records, browsing history

Page 4: Potential Evidence

● Probable cause to seize hardware?
● Probable cause to seize software?
● Probable cause to seize data?
● Where will the search of the seized evidence be conducted?
● Be careful of business-interruption issues and proprietary information.
● All of this depends on the role of the computers in the crime.

Page 5: Prior to Serving the Warrant

● Start your investigation report
  – Understand the nature of the crime
  – Describe the role of the computer/digital device in the crime
  – Describe the limits of your investigation
● Probable cause for seizure
  – What can be seized
  – What can be looked at
  – Where the search is to be conducted

Page 6: Expect the Unexpected

● If it is not covered in your search warrant:
  – Get approval from the DA
  – Get approval from the detective in charge
  – Take very detailed notes justifying your actions

Page 7: Role of the Computer

● Contraband computer
  – Hardware or software stolen?
● Tool of the offense
  – Writing counterfeit checks, IDs
● Incidental to the offense
  – Data storage

Page 8: Seize What

● Hardware
● Software
● Data
● All things digital
● All things related to digital
● Media, notes, documentation
● Stay within the bounds of the search warrant

Page 9: Seize/Search Where

● On site, in the field office, or in a lab
● Disposal of seized items
● Consider the size of the seizure
● Suspects: interview them about
  – Passwords
  – Location of data
  – Installed software
  – Network
  – Etc.

Page 10: Search Warrants

● Electronic storage device search warrant
  – Hardware, software, documents, storage media, notes
  – Examination of data
● Service provider search warrant/subpoena
  – Utilities, phone, cable, satellite, cellular, internet, etc.
  – Billing records, service records, subscriber info, etc.

Page 11: More Planning

● What are the restrictions?
  – Photographs, video
  – Proprietary information
  – Classified information
  – Business records
  – Business continuity
● The chief is ticked when he gets a lawsuit for business losses!

Page 12: The Search & Seizure

● Secure the scene, restrict access
● Preserve the area: no more fingerprints
● Ensure the safety of all concerned
● Nobody touch nothing!
● Usually the forensic specialist will not be a first responder. However, often they are.

Page 13: Notes

● Keep a very detailed log of every operational action
  – Details
  – Time
  – Order
● Good notes can cover a lot of mistakes made during the seizure and search
  – What you did
  – Your reasons for doing it
  – Itemize the potential harm versus another way of doing it

Page 14: Rule #1

● If it is off, leave it off.
● If it is on, leave it on (for a while).
● Be very cautious if there is a network visible
  – Such as cables
  – Blinking lights
● Get a specialist
  – You are the specialist.

Page 15: Pictures of Everything

● Floor plan
  – Locate all equipment
  – Number all equipment on the floor plan
  – You will have to reconstruct
● Photograph/videograph
  – The entire area containing hardware and cables
  – The screen of each computer that is on
  – Much more later

Page 16: Photos

● Items and placement
● Each item
  – Placement
  – Serial numbers
  – Front
  – Back
  – Cables
  – Anything that might be of interest
● You only get one chance to record the original evidence

Page 17: Examples – Scene

Photograph the placement of the seized equipment within the general crime scene.

Page 18: Examples – Computer

Photograph the placement of the seized equipment.

Page 19: After Pictures of an "On" PC

● If the computer is a stand-alone PC
  – Pull the plug
  – Vista is different: do not turn it off
● If it is a laptop
  – Pull the plug
  – If it is still on, it has a functioning battery
    – Pull the battery
    – Keep the battery separate

Page 20: Examples – Screen

If the computer is on photograph the screen. If a screen saver is evident don’t wiggle the mouse to see what is under it. Make sure it is in focus!

Page 21: Examples – Back

Photo of the back with all of the connections tagged. More photos of each connection identified. In your log, both ends of each connection should be identified and cross-referenced with your photos.

Page 22: Examples – Back

Don't forget all the network connections and devices. Photos should show connection labels as well as the general configuration. Take multiple photos.

Page 23: Examples – Serial Numbers

This is the photo of the back of the monitor. Photos should show the model number and serial numbers.

Page 24: Examples – Media

Photograph the media. Also be able to show the location where the media was found, cross-referenced to the sketch. The media should also be assigned an item #.

Page 25: Evidence Collection

● Locate evidence
  – Tie to the sketch
  – Connectivity
● Photograph evidence
  – Coordinate with the general photographer
● Assign an item number, tag it, and log it in the Evidence Inventory Form
● Bag it: item #, date, time, who
● Enter it into the custody log
● Transfer custody to the jurisdictional agency

Page 26: Evidence Inventory Form
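The documentation steps on pages 13, 16, 24 and 25 (item numbers, sketch cross-references, photos of both ends of every cable, bag labels, a custody log) are easy to get wrong in the rush of a seizure. The following is an added example in Python, not code from the slides or from the Secret Service/NIJ guides they cite, of an inventory that assigns item numbers, produces the bag label, checks what is still undocumented before you leave the scene, and keeps the custody log hash-chained so a later alteration is detectable. The case id, item data and names are constructed for the example; the chaining scheme and the "missing documentation" rules are my assumptions, not the form's.

```python
"""Evidence inventory and hash-chained custody log.

Added example; it is not from the slides or the Secret Service/NIJ guides.
Assumptions (mine, not the deck's): item numbers are sequential per scene,
photographs are referenced by filename, each cable is logged with both ends,
and the custody log is hash-chained so that a later edit to any earlier entry
is detectable. All sample data below is constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first custody entry


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash of an entry's canonical JSON, bound to the previous entry's hash."""
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()


@dataclass
class Item:
    number: int
    description: str
    location: str        # cross-reference to the floor-plan sketch
    serial: str
    photos: list         # filenames: placement, front, back, labels, cables
    connections: list    # "this end -> other end", needed for reconstruction later
    seized_by: str
    seized_at: str


class EvidenceInventory:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items: list = []
        self.custody: list = []   # hash-chained custody entries, append only

    def add_item(self, description, location, serial, photos, connections, seized_by, when=None) -> Item:
        """Assign the next item number, record the item and log its seizure."""
        when = when or _now()
        item = Item(len(self.items) + 1, description, location, serial,
                    list(photos), list(connections), seized_by, when)
        self.items.append(item)
        self.record_custody(item.number, "seized, tagged and bagged", seized_by, when=when)
        return item

    def record_custody(self, item_number, action, person, to_person=None, when=None) -> dict:
        """Append a custody entry chained to the previous one."""
        prev = self.custody[-1]["entry_hash"] if self.custody else GENESIS
        body = {"item": item_number, "action": action, "from": person, "to": to_person,
                "time": when or _now(), "prev_hash": prev}
        entry = dict(body, entry_hash=_entry_hash(prev, body))
        self.custody.append(entry)
        return entry

    def bag_label(self, item_number: int) -> str:
        """Bag marking from page 25: item #, date/time, who (plus the case id)."""
        it = self.items[item_number - 1]
        return f"Case {self.case_id} | Item #{it.number} | {it.seized_at} | {it.seized_by}"

    def verify_custody_chain(self) -> bool:
        """True unless an entry was altered, removed or inserted after the fact."""
        prev = GENESIS
        for e in self.custody:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _entry_hash(prev, body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def missing_documentation(self) -> list:
        """The 'you will have to reconstruct' check before leaving the scene."""
        problems = []
        for it in self.items:
            if not it.location:
                problems.append(f"item #{it.number}: not placed on the sketch")
            if not it.photos:
                problems.append(f"item #{it.number}: no photographs")
            if not it.serial:
                problems.append(f"item #{it.number}: no serial number recorded")
        return problems


def build_sample_inventory() -> EvidenceInventory:
    """Constructed scene: a PC, its monitor and a thumb drive logged in a hurry."""
    inv = EvidenceInventory("2016-0112")
    inv.add_item("Desktop PC, tower", "sketch A3", "SN-TOWER-0001",
                 ["img_0101.jpg", "img_0102.jpg", "img_0103.jpg"],
                 ["eth0 -> switch port 4", "VGA -> item #2"],
                 "Det. Example", when="2016-01-12T14:05:00+00:00")
    inv.add_item("LCD monitor", "sketch A3", "SN-MON-0002", ["img_0104.jpg"],
                 ["VGA -> item #1"], "Det. Example", when="2016-01-12T14:07:00+00:00")
    inv.add_item("USB thumb drive, desk drawer", "sketch B1", "", [], [],
                 "Det. Example", when="2016-01-12T14:10:00+00:00")   # incomplete on purpose
    inv.record_custody(1, "transferred to jurisdictional agency", "Det. Example",
                       to_person="Evidence Clerk", when="2016-01-12T18:30:00+00:00")
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print(inv.bag_label(1))
    print("custody chain intact:", inv.verify_custody_chain())
    print("gaps:", inv.missing_documentation())
```

The chain only proves that the log was not edited after the fact; it does not replace signatures on the paper form, and the log file itself should travel with the evidence on write-once or hashed media.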

Page 27: Serial Cable to Serial Port

Page 28: Mouse – Item #11

Page 29: Network

● Photograph, diagram, and label everything
● Can a live forensics capture suffice?
● Get a sniffer on the network as close to the gateway as possible
  – Ethereal (now Wireshark) on a USB device
● Be prepared for this sort of situation
  – Tools, tools on the USB
  – Make sure the USB has enough memory for the traffic capture
● Document every program you run on a host
● Document everything you do!
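Two of the points above, making sure the USB stick can hold the capture and documenting every program run on a host (the same record serves when the routers and switches are harvested from the USB device later), are shown below as an added example in Python. It is not code from the slides or the guides they cite. It assumes tcpdump as the sniffer (Ethereal is the pre-2006 name of Wireshark, which reads the pcap files tcpdump writes); the interface name, link speed, utilization, output path and per-file size are assumptions, and the sample scenario is constructed.

```python
"""Capture sizing and command documentation for a live network seizure.

Added example, not from the slides or the Secret Service/NIJ guides. It
assumes the sniffer is tcpdump run from a USB stick and that the examiner
records every command run on a host as one JSON line. The overhead factor,
interface name and sample numbers are assumptions.
"""
import hashlib
import json
import math
import shlex
from datetime import datetime, timezone
from pathlib import Path

PCAP_OVERHEAD = 1.10   # assumption: ~10% for per-packet pcap record headers
MB = 1_000_000         # tcpdump -C counts file size in millions of bytes


def expected_capture_bytes(link_mbps: float, utilization: float, minutes: float) -> int:
    """Bytes a full-packet capture needs: link rate x utilization x duration."""
    bits = link_mbps * 1_000_000 * utilization * minutes * 60
    return round(bits / 8 * PCAP_OVERHEAD)


def capture_plan(interface: str, link_mbps: float, utilization: float, minutes: float,
                 usb_free_bytes: int, out_dir: str = "/media/usb/capture", file_mb: int = 100) -> dict:
    """Size a tcpdump ring buffer so the capture can never fill the USB stick.

    If the whole capture fits, -W is the number of files needed. If not, -W is
    the number of files the stick can hold; tcpdump then overwrites the oldest
    file, so only the most recent traffic survives and the plan says so.
    """
    files_possible = usb_free_bytes // (file_mb * MB)
    if files_possible < 1:
        raise ValueError(f"USB stick cannot hold even one {file_mb} MB capture file")
    need = expected_capture_bytes(link_mbps, utilization, minutes)
    files_needed = max(1, math.ceil(need / (file_mb * MB)))
    fits = files_needed <= files_possible
    argv = ["tcpdump",
            "-i", interface,
            "-n",                 # no name resolution: the capture host must not add DNS traffic to the scene
            "-s", "0",            # full packets
            "-U",                 # write each packet as it arrives; less is lost if power goes
            "-w", f"{out_dir}/gateway.pcap",
            "-C", str(file_mb),   # rotate files at file_mb million bytes
            "-W", str(files_needed if fits else files_possible)]
    return {
        "expected_bytes": need,
        "fits": fits,
        "files": files_needed if fits else files_possible,
        "argv": argv,
        "command": shlex.join(argv),
        "note": ("full capture fits on the USB stick" if fits else
                 "USB stick too small: ring buffer keeps only the most recent traffic; note this in the log"),
    }


def tool_sha256(path: str):
    """Hash of the tool binary actually run (None when argv[0] is not a file path, e.g. found via PATH)."""
    p = Path(path)
    if not p.is_file():
        return None
    return hashlib.sha256(p.read_bytes()).hexdigest()


def tool_run_entry(host: str, examiner: str, argv: list, when: str = None) -> dict:
    """One record for 'document every program you run on a host'."""
    return {
        "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "host": host,
        "examiner": examiner,
        "command": shlex.join(argv),
        "tool_sha256": tool_sha256(argv[0]),
    }


def append_log(log_path: Path, entry: dict) -> None:
    """Append-only JSON-lines log kept on the USB stick, one line per command."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


if __name__ == "__main__":
    # Constructed scenario: 100 Mbit/s link at ~5% utilization for 4 hours, 8 GB free on the stick.
    plan = capture_plan("eth0", 100, 0.05, 240, 8 * 10**9)
    print(plan["command"])
    print(plan["note"])
    print(json.dumps(tool_run_entry("gw-host", "Det. Example", plan["argv"]), sort_keys=True))
```

Run the planner before plugging in, not after: the point of the ring-buffer arguments is that a capture that outgrows the stick fails predictably (oldest file overwritten, and the log says so) rather than by filling the disk and dying silently.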

Page 30: Network Spaghetti

Page 31: Tag and Bag

● Tape every drive slot shut
● Photograph, diagram, and label all components
● Photograph, diagram, and label all connections
● Photograph, diagram, and label all cables – both ends
  – You will have to reconstruct
● Pack it for transport
  – Keep it away from EM (electromagnetic) sources
● Collect all printed material
  – Docs, records, notes

Page 32: Seizure

● If the network is active
  – Do not power down any networking gear
    – They have no hard drives
    – All evidence is volatile
  – If there is no significant network traffic, disconnect from the ISP
  – Using the USB device, harvest the routers and switches
  – Then disassemble the network
  – Seize the servers and workstations
● Get the network admin to help
  – They could corrupt the data, so be careful

Page 33: Liabilities

● Criminal and civil
  – Destruction of business-relevant data
  – Disruption of business services
● Make detailed notes of your steps
  – Every step

Page 34: Other Devices

● Cell phones
● Cordless phones
● Answering machines
● Caller ID devices
● Pagers
● Fax
● Copiers
● Home electronic devices
● Printers
● CD duplicators
● Labelers
● Digital cameras, video
● GPS
● Game boxes
● PDAs
● TiVos

Page 35: Other Devices (cont'd)

● Magnetic stripe readers & writers
  – Make credit cards
● ID card writers
● Smart cards
  – Writers & readers
● RFID
  – Writers & readers
● Security systems
● Home-grown gear
  – Check writers
  – Bar code writers
  – Hologram writers
  – Special printers
● Counterfeiting

Page 36: Cell Phones

Page 37: Cell Phones

● A treasure trove of evidence
● Numbers
  – Dialed and received
  – Calling card numbers
  – PINs
● Messages
  – Voice, text
● Time lines
● All is volatile to some extent
● Internet access information

Page 38: Cell Phones

● Web surfing history
  – Cookies
  – Cached data
● Stored programs
● ISP information
  – Subpoena the ISP for customer information
● Recent syslogs
● The cell provider keeps activity records
  – Subpoena the information
  – It tracks recent whereabouts

Page 39: Cell Phones

● Architecture
  – Computer
  – User interface
  – Transceiver
  – OS
  – Networking stack
  – I/O
    – Bluetooth
    – IR
    – Serial

Page 40: Seizure – On

● If it is on, leave it on
  – Lockout features
  – Volatile memory may contain info
    – Access codes, PINs, passwords
    – Recent financial transactions
● Photograph the screen
● Document everything you do
● Take all power cords and docs
● Be very careful – it is on
  – If it does something, it may be construed as a WIRE TAP
  – Put it in a Faraday bag; this prevents communication with the tower

Page 41: Seizure – Off

● Tag and wrap
● Get it to an expert
● Get all the ancillary gear
  – Headset
  – Remotes
  – Serial connectors
● Find the service provider
  – Subpoena

Page 42: Cordless Telephones

● Not as rich as cell phones
  – Numbers called, stored
  – Perhaps caller ID
● Voice mail
  – Recent
  – May contain recoverable erased voice messages
  – Be careful – WIRE TAP
● On-screen info may be relevant
  – Photograph and document

Page 43: Answering Machines

● Same old, same old
  – Numbers, times, voice content
● WIRE TAP caution if it is on.

Page 44: Caller ID Boxes

● More numbers and times
● Unplug from the phone line
  – WIRE TAP caution applies
● If off, leave it off
● If on, leave it on
  – Tag, photograph, document
● Does it have battery backup?
  – No: pull the plug
  – Yes: get an expert
● Get everything

Page 45: Pagers

● Pages
  – Numeric
    – Call-back #, codes, passwords, etc.
  – Text messages – incoming & outgoing
    – Some are held on the device
    – Others one must subpoena from the provider
  – Voice mail
    – Must subpoena from the provider
  – E-mail
    – Some held on the device
    – Others at the provider

Page 46: Pagers

● Architecture
  – Transceiver
  – CPU and memory
  – Simple to elaborate user interface
  – Often has a full keyboard
  – Reasonable display

Page 47: Pagers – Seizure

● On
  – Caution: real-time communications intercept after seizure
  – Get it away from the suspect
  – Document and photograph
  – Turn it off
  – Caution on battery life
  – Tag and bag
● Off
  – Tag and bag

Page 48: Fax, Printer, Copier, ID Printers

● Today they are converging into one machine
● Architecture
  – Computer
  – Ethernet
  – Phone line
  – Massive storage – 20+ gigabytes
  – Extensive display tree

Page 49: Fax, Printer, Copier, ID Printers

● Dial lists, e-mail addresses, times, logs, headers
● Stored documents
  – Sent
  – To be sent
  – Received – not opened
  – Received – opened
  – Photographs, personal info

Page 50: Seizure

● If off, leave it off.
  – Tag and bag
● If on
  – Photograph and document, especially the comms connections
  – An attempt may be made to access memory and capture the most recently printed document.
  – If the device scans first and then dispatches, everything is stored on the hard drive.
  – Disconnect the comms interfaces
  – Tag and bag
● Determine the phone connections
  – Subpoena the service provider

Page 51: Custom Stuff

● RFID readers/writers
● Credit card readers/writers
● Smart card readers/writers
● Bar code readers/writers

Page 52: Security Systems

● Ingress/egress logs – time line, IDs
● Service provider
● System info
● Photograph and document the location of all devices
  – Text, video
● Tag and bag all stored data and recorded data
● Detailed documentation – you can't tag and bag the building

Page 53: Stuff

● Docs, notes, documentation, etc.
● Credit cards, smart cards, RFIDs, etc.
● CDs, DVDs – all media

