Digital Forensics – Best Practices

September 6th, 2012 by Charles Edge

Best Practices for Seizing Electronic Evidence

A joint project of the International Association of Chiefs of Police
and
The United States Secret Service

Recognizing Potential Evidence:

Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized personal digital assistant, to the smallest electronic chip storage device. Images, audio, text, and other data on these media can be easily altered or destroyed. It is imperative that investigators recognize, protect, seize and search such devices in accordance with applicable statutes, policies, best practices, and guidelines.

Answers to the following questions will better determine the role of the computer in the crime:

  1. Is the computer contraband or fruits of a crime?
    For example, was the computer software or hardware stolen?
  2. Is the computer system a tool of the offense?
    For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, or printer?
  3. Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
    For example, is a drug dealer maintaining his trafficking records in his computer?
  4. Is the computer system both instrumental to the offense and a storage device for the evidence?
    For example, did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?

Once the computer’s role is known and understood, the following essential questions should be answered:

  1. Is there probable cause to seize the hardware?
  2. Is there probable cause to seize the software?
  3. Is there probable cause to seize the data?
  4. Where will this search be conducted?
    For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
    If law enforcement officers remove the computer system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
    Considering the incredible storage capacities of computers, how will experts search this data in an efficient and timely manner?

Preparing For The Search and/or Seizure

Using evidence obtained from a computer in a legal proceeding requires:

  1. Probable cause for issuance of a warrant or an exception to the warrant requirement.
    CAUTION: If you encounter potential evidence that may be outside of the scope of your existing warrant or legal authority, contact your agency’s legal advisor or the prosecutor as an additional warrant may be necessary.
  2. Use of appropriate collection techniques so as not to alter or destroy evidence.
  3. Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial.
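Item 2 above asks for collection techniques that do not alter evidence; the check a practitioner uses to prove that is a cryptographic hash of the acquired image, recorded at acquisition and re-verified at every custody transfer and before examination. The script below is an added example and is not part of the IACP/USSS checklist or of 318's tech journal entry. The image file name, the sample bytes and the one-byte "tampering" are constructed for the demonstration; on a real case the recorded digest would come from the evidence log written at acquisition.

```python
"""
Added example (not from the IACP/USSS document): verify that an acquired
evidence image still matches the hash recorded at acquisition.

File names, sample bytes and the simulated tampering are constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in RAM


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (handy for spot checks)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hex digest of the file at `path`, streamed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, recorded_digest, algorithm="sha256"):
    """Compare the image's current hash with the digest recorded at acquisition.

    Returns (ok, current_digest); `ok` is False if any byte has changed.
    hmac.compare_digest avoids a timing side channel in the comparison itself.
    """
    current = hash_file(path, algorithm)
    return hmac.compare_digest(current, recorded_digest), current


def demo():
    """Record a hash for a constructed image, then detect a one-byte change."""
    image = bytes(range(256)) * 4096  # 1 MiB of constructed sample data
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.dd")  # constructed file name
        with open(original, "wb") as f:
            f.write(image)

        # Digest that would be written on the evidence log at acquisition.
        recorded = hash_file(original)
        ok_pristine, _ = verify_image(original, recorded)

        # Flip a single byte, as a write to a mounted image or a bad copy might.
        data = bytearray(image)
        data[12345] ^= 0x01
        tampered = os.path.join(d, "evidence_copy.dd")
        with open(tampered, "wb") as f:
            f.write(bytes(data))
        ok_tampered, current = verify_image(tampered, recorded)

    return {
        "recorded": recorded,
        "file_matches_memory": recorded == hash_bytes(image),
        "pristine_verifies": ok_pristine,
        "tampered_verifies": ok_tampered,
        "tampered_digest": current,
    }


if __name__ == "__main__":
    r = demo()
    print("recorded sha256  :", r["recorded"])
    print("pristine copy OK :", r["pristine_verifies"])
    print("tampered copy OK :", r["tampered_verifies"])
    print("tampered sha256  :", r["tampered_digest"])
```

Run it as a script to see the recorded digest and the mismatch on the altered copy. In practice the image is taken through a hardware write blocker, the digest is recorded on the chain-of-custody form before the media leaves the scene, and examiners work from verified copies, never the original.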

Conducting The Search and/or Seizure

Once the computer’s role is understood and all legal requirements are fulfilled:

1. Secure The Scene

  • Officer Safety is Paramount.
  • Preserve Area for Potential Fingerprints.
  • Immediately Restrict Access to Computers/Systems; Isolate from Phone, Network, and Internet connections, because data on the system in question can be accessed, altered, or destroyed remotely.

2. Secure The Computer As Evidence

  • If the computer is powered “OFF”, DO NOT TURN IT ON, under any circumstances!
  • If the computer is still powered “ON”…

Stand-alone computer (non-networked):

  1. Photograph the screen, then disconnect all power sources. Unplug from the back of the computer first, then from the outlet: the system may be connected to a UPS, which would keep it running if only the wall outlet were unplugged.
  2. Place evidence tape over each drive slot.
  3. Photograph/Diagram and label back of computer components with existing connections.
  4. Label all connectors/cable ends to allow for reassembly, as needed.
  5. If transport is required, package components and transport/store components always as fragile cargo.
  6. Keep away from magnets, radio transmitters, and otherwise hostile environments.

Networked or Business Computers: Consult a Computer Specialist for Further Assistance!

Pulling the plug on a networked computer could:

  1. Severely damage the system.
  2. Disrupt legitimate business.
  3. Create liability for investigators or law enforcement personnel.


DISCLOSURE:
THIS TECH JOURNAL ENTRY BY 318, INC. IS FOR REFERENCE ONLY.
THIS DOCUMENT SHOULD NOT BE USED VERBATIM TO CONDUCT ACTIVE FORENSIC INVESTIGATIONS NOR BE USED AS A LEGAL PRECEDENT OR REPLACEMENT FOR ESTABLISHED FORENSIC PRACTICES ESTABLISHED IN YOUR JURISDICTION. PLEASE FOLLOW PROPER LEGAL AND FORENSIC INVESTIGATION PROCEDURES AS ESTABLISHED BY YOUR CITY, COUNTY, AND STATE!
318, INC. SHALL NOT BE HELD LIABLE. USE OF THIS DOCUMENT IS AT YOUR OWN RISK!
