
Seizing Electronic Evidence

Best Practices (U.S. Secret Service)

http://www.treasury.gov/usss/electronic_evidence.htm

Electronic Crime Scene Investigation (NIJ)

http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm

Before You Twitch

Consent search or search warrant

Understand the nature of the crime

Read the search warrant

Concerns

Safety: it is a crime scene

Destruction of potential evidence

Plan, Plan, Plan

The seizure

The collection techniques

The order of events

What to Take Along

1) Evidence Tape

2) Chain of Custody forms

3) Reading Glasses

4) Inventory forms

5) Camera (battery, memory)

6) Backup disposable camera

7) Tool kit: jeweler's set, needle-nose pliers.

8) Sharpies, pens

9) Adhesive tape

10) New, wiped and verified hard drives in a Pelican case, with lock

11) Gloves

12) Static wrist bands

More Stuff

13) Tableau bridges in a Pelican case (ATA, SCSI, eSATA, Firefly) with power supplies and line cords. FireWire I/F cables, laptop adapter. Small laptop adapter.

14) FireWire I/F board.

15) Several USB mice. Two PS/2 mice.

16) Laptop with X-Ways and FTK (crossover cable tested)

17) eSATA interface

18) USB to small-connector USB cable

19) PS/2-to-USB converter

20) Small flatscreen monitor

21) UPS

22) Extension cord

23) Power strip (2)

24) Digital Media Flash reader

And More Stuff

25) DOS boot disk with FireWire and USB support.

26) DOS boot disk with utilities

27) 1 Gbit NIC

28) ATA interface with cable

29) CDs with WinHex, FTK, LinEn

30) Boot CD with Helix/LinEn, boot USB

31) F-Response CD

32) Dongles: FTK, X-Ways, F-Response

33) Flashlight

34) Powered USB Hub

35) Magnifying Glass

36) Blank labels

37) Bottled water
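Item 10 of the kit calls for target drives that are "new, wiped and verified". The slides do not say how the verification is done; the following is an added example of one way to do it, not the original author's procedure or any agency's form. It reads the whole medium once, confirms every byte is zero (reporting the exact offset of the first non-zero byte if not) and records a SHA-256 of the medium so the same check can be repeated later. The function names, the inventory line format and the temporary sample files are assumptions made for illustration; on a real kit you would point it at the block device of the target drive.

```python
"""Verify that a target medium is wiped (every byte zero) and record its
SHA-256 before it goes into the kit as a "new, wiped and verified" drive.

Added example; it is not from the original slides. It works on any path
Python can open for reading: an image file, or a block device such as
/dev/sdb (run as root, and triple-check the device name). The sample run at
the bottom uses constructed temporary files, not a real drive."""

import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte devices


def verify_wiped(path, chunk=CHUNK):
    """Scan the whole medium once.

    Returns (is_wiped, first_nonzero_offset, sha256_hex, size_bytes).
    The hash covers every byte so the same value can be re-checked later;
    the offset of the first non-zero byte lets a failed wipe be documented
    precisely rather than just as "not clean"."""
    digest = hashlib.sha256()
    first_bad = None
    size = 0
    with open(path, "rb", buffering=0) as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            digest.update(buf)
            if first_bad is None:
                stripped = buf.lstrip(b"\x00")  # empty iff the chunk is all zero
                if stripped:
                    first_bad = size + (len(buf) - len(stripped))
            size += len(buf)
    return first_bad is None, first_bad, digest.hexdigest(), size


def inventory_line(label, path, chunk=CHUNK):
    """One line for the kit inventory sheet: label, size, verdict, hash."""
    ok, off, sha, size = verify_wiped(path, chunk)
    verdict = "WIPED" if ok else f"NOT WIPED (first non-zero byte at offset {off})"
    return f"{label}\t{size} bytes\t{verdict}\tsha256={sha}"


def make_constructed_samples(directory=None, bad_offset=1_048_579):
    """Constructed test data: one all-zero 'drive' and one with a stray byte.

    Returns (clean_path, dirty_path). Sizes are deliberately not chunk
    multiples so the partial final read is exercised."""
    directory = directory or tempfile.mkdtemp(prefix="wipecheck-")
    clean = os.path.join(directory, "clean.img")
    dirty = os.path.join(directory, "dirty.img")
    with open(clean, "wb") as fh:
        fh.write(bytes(3 * CHUNK + 17))
    data = bytearray(2 * CHUNK + 5)
    data[bad_offset] = 0x41  # a leftover byte from an earlier case
    with open(dirty, "wb") as fh:
        fh.write(data)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = make_constructed_samples()
    print(inventory_line("TARGET-01", clean))
    print(inventory_line("TARGET-02", dirty))
```

Record the hash line on the drive's label and in the kit inventory; a drive whose hash no longer matches when re-checked has been written to since it was verified and should be re-wiped before use as a target.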

Computers & Crime

Fruits of crime

Tool of criminal activity

Drug records, meth formulas

Repository of contraband

Hacking, counterfeit documents

Repository of incriminating evidence

Stolen computers

Toons, Tunes

Unwitting record of criminal activity

e-mail records, Browsing history

Potential Evidence

Probable cause to seize HW?

Probable cause to seize SW?

Probable cause to seize Data?

Where will the search of the seized evidence be conducted?

Careful of business interruption issues and proprietary information.

Depends on the role of the computers in the crime.

Prior to Serving the Warrant

Start your investigation report

Understand the nature of the crime

Describe the role of the computer/digital device in the crime

Describe the limits of your investigation

Probable cause for seizure

What can be seized

What can be looked at

Where is the search to be conducted

Expect the Unexpected

If it is not covered in your search warrant

Get approval from the DA

Get approval from the detective in charge

Take very detailed notes justifying your actions

Role of the Computer

Contraband computer

Tool of the offense

HW or SW stolen?

Writing counterfeit checks, Ids

Incidental to the offense

Data storage

Seize what

HW

SW

Data

All things digital

All things related to digital

Media, notes, documentation

Stay within the bounds of the search warrant

Seize/Search where

On site, in the field office, in a lab

Disposal of seized items

Consider the size of the seizure

Suspects:

Interview

Passwords

Location of data

Installed software

Network

Etc.

Expectation of Privacy

There is no blanket guarantee of privacy in the Constitution.

The 4th Amendment sufficed until telephones, etc.

The Wiretap Law (1934)

Further refined in:

ECPA 1986

CALEA

Legal Invasion of Privacy


Legal Instruments for Search and Seizure

Search Warrants

Warrantless Searches

Subpoenas

Wire Taps/Surveillance

FISA: it is a new world.

NSL: it is a brave new world.

NSA ???

Search Warrant

Obey the Constitution

Specifies

Place

Persons

Stuff: papers, effects

Show Probable cause

Contained in a sworn affidavit

Support for probable cause

Signed by a Judge with jurisdiction

Warrants

Expectation of privacy

In public places

Requires warrants to conduct surveillance

If given to a 3rd party, no expectation of privacy

Telephone records, bank deposits, etc.

Requires subpoena

Careful: Exclusionary Rule

If government agents engage in unlawful searches or seizures, then all fruits of the search are excluded from further legal proceedings.

Warrant

Warrant to seize computer HW is different from warrant to seize information.

Seize HW if the HW is contraband, evidence, etc.

Warrant should describe HW.

Seize information if it relates to probable cause.

Warrant should describe information.

Either image HDD on site OR

Seize the HW and image at the office

Be sure you have a warrant for and description of HW.

Back to Warrants

Search warrants and computers, etc.

Much confusion over the wording of the warrant

Search and Seize

HW

Contents

Information

Where: home or the office?

Search Warrants for Computer Stuff

Be very careful

Get 2 search warrants

Number 1:

Search premises, people, vehicles, etc.

Seize computers, docs, data media, etc.

Number 2:

Search the contents of the computers, digital devices, etc.

Business practice concerns taken into account

Warrantless Searches

Permission

Incident to arrest

Plain sight

Recent Oregon ruling: what is seen through the window of one's home is not in plain sight

Search Warrants

Electronic Device Search Warrant

HW, SW, documents, storage media, notes

Stored Data

Requires a separate warrant

Examination of data

Service Provider Search Warrant/Subpoena

Utilities, phone, cable, satellite, cellular, Internet, etc.

Billing records, service records, subscriber info, etc.

More Planning

What are the restrictions?

Photographs, video

Proprietary information

Classified information

Business records

Business continuity

The chief is ticked when he gets a lawsuit for business losses!

The Search & Seizure

Secure the scene, restrict access

Preserve the area, no more fingerprints

Ensure the safety of all concerned

Nobody touch nothing!

Usually the forensic specialist will not be a first responder.

However, often they are.

Notes

Keep a very detailed log of every operation/action

Details

Time

Order

They can cover a lot of mistakes during the seizure and search

What you did.

Your reasons for doing it.

Itemize potential harm versus another way of doing it.

Rule # 1

If it is off, leave it off.

Photograph the screen and then pull the plug

Be very cautious if a network is visible

Such as cables

Blinking lights

Get a specialist

You are the specialist.

Pictures of Everything

Floor plan

Locate all equipment

Number all equipment on the floor plan

You will have to reconstruct

Photograph/videograph

The entire area containing HW & cables

The screen of each computer that is on.

Much more later

Photos

Items and placement

Each Item

Placement

Model numbers, Serial numbers

Front

Back

Cables

Anything that might be of interest.

You only get one chance to record the original


evidence

After Pictures of a Running PC

If the computer is a stand-alone PC

pull the plug

Vista is different

Do not turn it off

If it is a laptop

Pull the plug

If it is still on, it has a functioning battery

Pull the battery

Keep the battery separate

New World

Have to beat the Trojan defense

Business interruption

Live acquisition

Live acquisition

Network activity

Network sniffer

Examples: Screen(s)

If the computer is on, photograph the screen. If a screen saver is evident, don't wiggle the mouse to see what is under it. Make sure the photo is in focus!

Tape All Orifices with Break-Away Tape

Prove: No one has touched the system.

Back

Photo of the back with all of the connections tagged. More photos of each connection identified. In your log, both ends of each connection should be identified and cross-referenced with your photos.

Front

Inside

Hard Drive S/N & System S/N

IDs and S/Ns are important

Network Gear

Don't forget all the network connections and devices. Photos should show connection labels as well as the general configuration. Multiple photos.

Examples: Serial Numbers

This is the photo of the back of the monitor. Photos should show model numbers and serial numbers.

Examples: Media

Photograph the media. Also be able to show the location where the media was found. Cross-reference to the sketch. Also, the media should be assigned an Item #.

Evidence Collection

Locate Evidence

Tie to sketch

Connectivity

Photograph evidence

Coordinate with the general photographer

Assign an Item Number, tag and log in the Evidence Inventory Form

Bag Item #, Date, Time, Who

Enter into custody log

Transfer custody to the jurisdictional agency

Evidence Inventory Form
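The collection steps above (item number, tag, inventory entry, bag with item #, date, time and who, custody log, transfer to the jurisdictional agency) are a bookkeeping procedure, and the weak point of any such log is that a later edit is invisible. The following is an added example, not the original author's form or any agency's system: an inventory and chain-of-custody log in which every record's SHA-256 also covers the previous record's hash, so inserting, editing or dropping an entry is detected on verification. The class and field names, the case number and the sample scene are assumptions made for illustration; the serial numbers and names in the sample are constructed.

```python
"""Evidence inventory and chain-of-custody log with a hash chain.

Added example; it is not from the original slides and is not any agency's
form. Each seized item gets an item number, a description, the location
where it was found, a cross-reference to the scene sketch and the photo
numbers; every later custody event (sealed, transferred, imaged, ...) is
appended as a record whose SHA-256 also covers the previous record's hash.
Editing or deleting any earlier line therefore breaks verification. Field
names, the case id and the sample events are assumptions for illustration."""

import datetime
import hashlib
import json

GENESIS = "0" * 64  # 'previous hash' of the first record


def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


class CustodyLog:
    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []
        self._next_item = 1

    @staticmethod
    def digest(record):
        """Hash of every field except 'hash' itself, in canonical JSON."""
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = dict(fields, case=self.case_id, seq=len(self.entries) + 1, prev=prev)
        record["hash"] = self.digest(record)
        self.entries.append(record)
        return record

    def add_item(self, description, location, sketch_ref, photos, by, when=None):
        """Assign the next item number and log the collection event."""
        item_no = f"{self.case_id}-{self._next_item:03d}"
        self._next_item += 1
        self._append({"event": "collected", "item": item_no, "description": description,
                      "location": location, "sketch_ref": sketch_ref,
                      "photos": list(photos), "by": by, "time": when or utc_now()})
        return item_no

    def event(self, kind, item_no, by, when=None, **details):
        """Sealed, transferred, imaged, opened for examination, ..."""
        return self._append({"event": kind, "item": item_no, "by": by,
                             "time": when or utc_now(), **details})

    def transfer(self, item_no, from_person, to_person, when=None):
        return self.event("transferred", item_no, by=from_person, when=when, to=to_person)

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of first bad record)."""
        prev = GENESIS
        for rec in self.entries:
            if rec["prev"] != prev or self.digest(rec) != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        return True, None

    def dump(self):
        """One JSON record per line, suitable for a file on the evidence USB."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.entries)

    @classmethod
    def load(cls, text):
        log = cls(None)
        for line in text.splitlines():
            if line.strip():
                rec = json.loads(line)
                log.entries.append(rec)
                log.case_id = rec["case"]
        log._next_item = 1 + sum(1 for r in log.entries if r["event"] == "collected")
        return log


def build_sample_log():
    """Constructed scenario with fixed timestamps so the output is reproducible."""
    log = CustodyLog("2009-0042")
    pc = log.add_item("Desktop PC, system S/N 0000001, HDD S/N 0000002 (constructed)",
                      "Bedroom 2, desk", sketch_ref="B", photos=["IMG_0101", "IMG_0102"],
                      by="Det. A", when="2009-03-04T14:05:00+00:00")
    usb = log.add_item("Black 4 GB USB stick", "Bedroom 2, desk drawer", sketch_ref="B",
                       photos=["IMG_0110"], by="Det. A", when="2009-03-04T14:12:00+00:00")
    log.event("sealed", pc, by="Det. A", when="2009-03-04T14:30:00+00:00", seal="tape 0117")
    log.transfer(pc, "Det. A", "Custodian B", when="2009-03-04T17:45:00+00:00")
    log.transfer(usb, "Det. A", "Custodian B", when="2009-03-04T17:45:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.dump())
    print("chain intact:", log.verify())
```

The hash chain only proves that the log file has not been altered since the last record was written; it does not prove the record was true when written, which is what the photographs, the sketch cross-reference and the second signature on the transfer line are for. Keep the dumped file with the photographs and write its final hash into the paper inventory form.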

Serial Cable to Serial Port

Network

Photograph, diagram and label everything

Can a live forensics capture suffice?

Get a sniffer on the network as close to the gateway as possible

Ethereal (now Wireshark) on a USB device

Be prepared for this sort of situation

Tools, tools on the USB

Make sure the USB has enough memory for traffic capture

Document every program you run on a host

Document everything you do!
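"Document every program you run on a host" is easy to state and easy to get wrong from memory at the end of a long day. As an added example (not from the slides, and not any particular toolkit's logging), the following wrapper runs a tool from the response USB and records, for each invocation, the UTC start and end time, examiner, hostname, the resolved path and SHA-256 of the binary that actually executed, the full argument vector, the exit status, and the size and hash of the saved output. Hashing the binary matters on a live host: it shows later whether the known-good copy on the USB or a possibly trojaned system copy was run. The log and output file names are assumptions; the demo runs the Python interpreter itself in place of a real tool so that it works offline.

```python
"""Run a tool on a live host and record, mechanically, what was run.

Added example; it is not from the original slides. Every invocation appends
one JSON line to a log on the response USB and saves stdout/stderr beside
it. Log and output file names are assumptions. The demo runs the Python
interpreter itself so it works offline on any host."""

import datetime
import getpass
import hashlib
import json
import os
import shutil
import socket
import subprocess
import sys
import tempfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


def current_user():
    try:
        return getpass.getuser()
    except Exception:  # no passwd entry for this uid, e.g. inside a container
        return str(os.getuid()) if hasattr(os, "getuid") else "unknown"


def next_seq(log_path):
    """Sequence number = one more than the records already in the log."""
    if not os.path.exists(log_path):
        return 1
    with open(log_path) as fh:
        return 1 + sum(1 for line in fh if line.strip())


def run_logged(argv, log_path, examiner, note=""):
    """Execute argv, save its output beside the log, append a record, return it."""
    exe = shutil.which(argv[0]) or argv[0]
    exe = os.path.realpath(exe)  # the binary that really ran, symlinks resolved
    seq = next_seq(log_path)
    out_path = f"{log_path}.{seq:03d}.stdout"
    err_path = f"{log_path}.{seq:03d}.stderr"
    started = utc_now()
    proc = subprocess.run(argv, capture_output=True)
    finished = utc_now()
    with open(out_path, "wb") as fh:
        fh.write(proc.stdout)
    with open(err_path, "wb") as fh:
        fh.write(proc.stderr)
    record = {
        "seq": seq, "examiner": examiner, "host": socket.gethostname(),
        "user": current_user(), "started": started, "finished": finished,
        "argv": list(argv), "exe": exe, "exe_sha256": sha256_file(exe),
        "rc": proc.returncode, "note": note,
        "stdout_file": out_path, "stdout_bytes": len(proc.stdout),
        "stdout_sha256": sha256_bytes(proc.stdout),
        "stderr_file": err_path, "stderr_bytes": len(proc.stderr),
        "stderr_sha256": sha256_bytes(proc.stderr),
    }
    with open(log_path, "a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def demo(log_dir=None):
    """Constructed demo: 'collect' one line of volatile state using python itself.

    Returns (record, log_dir). In the field argv would be the tool on the USB,
    e.g. a known-good netstat or a memory dumper, never a name resolved via PATH."""
    log_dir = log_dir or tempfile.mkdtemp(prefix="liveresp-")
    log_path = os.path.join(log_dir, "commands.jsonl")
    rec = run_logged([sys.executable, "-c", "print('volatile state')"], log_path,
                     examiner="Examiner A", note="demo stand-in for a volatile-data tool")
    return rec, log_dir


if __name__ == "__main__":
    record, where = demo()
    print(json.dumps(record, indent=2, sort_keys=True))
    print("log written under", where)
```

Call the tools by absolute path on the response USB so that `exe` and `exe_sha256` refer to your copy; if a record ever shows a system path instead, the log itself documents that deviation, which is exactly the kind of note the slides say will cover you later.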

Network Spaghetti

Tag and Bag

Tape every drive slot shut

Photograph, diagram and label all components

Photograph, diagram and label all connections

Photograph, diagram and label all cables, both ends

You will have to reconstruct

Pack it for transport

Keep it away from electromagnetic (EM) fields

Collect all printed material

Docs, records, notes

Seizure

If the network is active

Do not power down any networking gear

They have no hard drives

All evidence is volatile

If no significant network traffic disconnect from the ISP

Using the USB device, harvest the routers and switches

Then disassemble the network

Seize the servers and work stations

Get the network admin to help

They could corrupt the data, so be careful

Liabilities

Criminal and civil

Destruction of business relevant data

Disruption of business services

Make detailed notes of your steps

Every step

Other Devices

Cell phones

Printers

Cordless phones

CD duplicators

Answering machines

Labelers

Caller ID devices

Pagers

Digital cameras, video

Fax

GPS

Copiers

Game boxes

Home electronic devices

PDAs

Tivos

Other Devices (contd)

Magnetic stripe readers & writers

Make credit cards

ID card writers

Smart cards: readers & writers

RFID: readers & writers

Security systems

Home grown gear

Check writers

Bar code writers

Hologram writers

Special printers

Counterfeiting

Cell Phones


A treasure trove of evidence

Numbers

Dialed and received

Calling card numbers

PINs

Messages

Voice, text

Time lines

All is volatile to some extent

Internet access information

Cell Phones

Web surfing history

Cookies

Cached data

Stored programs

ISP information

Subpoena ISP for customer information

Recent syslogs

Cell provider keeps activity records

Subpoena information

Tracks recent whereabouts

Cell Phones

Architecture

Computer

User interface

Transceiver

OS

Networking stack

I/O

Bluetooth

IR

Serial

Seizure - On

If it is on, leave it on

Lockout features

Volatile memory may contain info

Access codes, PINs, passwords

Recent financial transactions

Photograph screen

Document everything you do

Take all power cords and docs

Be very careful: it is on

If it does something, it may be construed as a WIRETAP

Put it in a Faraday bag; this prevents communication with the tower

Seizure - Off

Tag and wrap

Get to an expert

Get all the ancillary gear

Head set

Remotes

Serial connects

Find service provider

Subpoena

Cordless Telephones

Not as rich as cell phones

Numbers called, stored

Perhaps Caller ID

Voice mail

Recent

May contain recoverable erased voice messages

Be careful: WIRETAP

On screen info may be relevant

Photograph and document

Answering Machines

Same old, same old

Numbers, times, voice content

WIRETAP caution if it is on.

Caller ID Boxes

More numbers and times

Unplug from phone line

WIRETAP caution applies

If off, leave it off

If on, leave it on

Tag, photograph, document

Does it have battery backup?

No - pull the plug


Yes - get an expert

Get everything

Pagers

Pages

Numeric

Text messages Incoming & Outgoing

Info: some is held on the device; the rest must be subpoenaed from the provider

Voice mail

Call back #, codes, passwords, etc.

Must subpoena from provider

E-mail

Some held on the device, the rest at the provider

Pagers

Architecture

Transceiver

CPU and memory

Simple to elaborate user interface

Often has a full keyboard

Reasonable display

Pagers - Seizure

On

Caution: real-time communications intercept after seizure

Get it away from suspect

Document and photograph

Turn it off

Caution on battery life

Tag and bag

Off

Tag and bag

Fax, Printer, Copier, ID Printers

Today they are converging into one machine

Architecture

Computer

Ethernet

Phone line

Massive storage: 20+ gigabytes

Extensive display tree

Fax Printer - Copier

Fax, Printer, Copier, ID Printers

Dial lists, e-mail addresses, times, logs, headers

Stored documents

Sent

To be sent

Received not opened

Received opened

Photographs, personal info

Seizure

If off, leave it off.

If on

Tag and bag

Photograph and document, especially comms connections

An attempt may be made to access memory and capture the most recently printed document. If the device scans first and then dispatches, everything is stored on the hard drive.

Disconnect the comms interfaces

Tag and bag

Determine phone connections

Subpoena service provider

Custom Stuff

RFID readers/writers

Credit card readers/writers

Smart card readers/writers

Bar code readers/writers

Security Systems

Ingress/egress logs: timeline, IDs

Service provider

System info

Photograph and document the location of all devices

Text, video

Tag and bag all stored data and recorded data.

Detailed documentation of what you can't tag and bag

Stuff

Docs, notes, documentation, etc.

Credit cards, smart cards, RFIDs, etc

CDs, DVDs all media
