Electronic Evidence Seizure


1 Electronic Evidence Seizure

2 Bart OOMS

3 VERY IMPORTANT RULE FOR ALL INVESTIGATIONS
First, foremost, always: officer safety first. All of the standard protocols for a search-warrant scene apply; officer safety comes FIRST. Follow established protocols to ensure your safety and that of your warrant/seizure team. In addition, you will want to establish protocols and procedures specific to the seizure of computers and related media, because they are critical to a successful warrant execution.

4 Search Warrant Execution
- Secure the search scene
- Remove everyone from around the computer
- Do not allow anyone to touch the keyboard
- Do not "browse" the files
Browsing a live system changes file access times, may trigger booby traps left by the suspect, and can lose volatile data; every action taken on a running machine must be deliberate and documented.

5 Search Warrant Execution
Seizing a computer: take
- The computer
- Any external storage devices
- All floppy disks, CDs, DVDs and other loose media
- All books and manuals pertaining to the system
- ISP invoices
- Paper information that may be on or around the computer, including "sticky notes" that may contain passwords
- Any unusual adapters/dongles or other hardware directly connected to or located near the computer

6 Search Warrant Execution
Seizing a laptop: laptops have more than one power source, the battery and the power supply, so you may need to disconnect both to shut the machine down. When seizing a laptop, be sure to take the power supply!

7 Search Warrant Execution
Don't overlook... the small stuff:
- Compact Flash memory cards
- USB memory "sticks" (can hold up to 64 GB)
- PDAs
- SmartMedia cards
Remember that a compact flash memory card from a digital camera can also be used as a mini hard drive, and is currently available, like this USB memory stick, in up to a 1 GB capacity. Caller ID boxes may have information regarding your investigation. I recently completed a case where the suspect's entire child pornography collection, well over 500 hard-core images, was stored on a single Zip disk. Unfortunately, I just worked another case where an extortion letter/death threat was mailed to an individual; the only remnant I recovered from the suspect's PC of what I believe was probably the document was a link file that referenced a document named F:\SONYHANDHELD\JOEBLOW.DOC. At the time the warrant was executed, the investigator conducting the seizure held up the Sony PDA and asked the suspect, "What's this for?" The suspect replied that he kept his appointment calendar and his client phone directory on it. The investigator handed it back to him and did not seize it.

8 Search Warrant Execution
Or... the "big" stuff: the LaCie Bigger Disk Extreme, several terabytes of storage in a single external unit.

9 Search Warrant Execution
Don't overlook... the unusual: the "Samsonite" Special, the "Tool-Time" PC, the Nintendo PC. Not every PC you encounter will LOOK like a common PC. In fact, given enough time, you will likely encounter computer monsters disguised like these!

10 "Bag and Tag" for PDAs/Cell phones
The Golden Rule:
- If the phone is switched off, leave it off.
- If the phone is switched on, leave it on.
In either case keep the device from talking to the network (an RF-isolation bag, noted in your report), so it cannot be remotely wiped or receive new data that overwrites older evidence. A phone left on inside an isolation bag will keep searching for signal and drain its battery quickly, so keep a charger at hand.

11 PDA/Cell Phone - field kit
Your field kit should contain:
- Cables, cables, cables
- Universal battery charger
- Bluetooth adaptors
- ...and maybe RF-isolation bags?

12 Search Warrant Execution
Don't overlook... what's in plain sight. Passwords are often "hidden":
- under keyboards
- on sticky notes
- in the margins of notebooks on or near the computer...

13 Interviewing the Suspect
Don't overlook... information that may be provided by the suspect. When interviewing the suspect, ask about anything unusual in the computer setup, and ask for all the passwords they use to access their system and/or the files stored on it.
Some general interviewing tips:
- Don't let the suspect know your level of expertise; you may want to pretend to a basic knowledge of computers and act "fascinated" with the suspect's system and their "computer genius" level.
- Act impressed; they may like to brag about their expertise.
- You can play a "Big Brother/Big Sister", "I only want to understand..." role.
- Never let them near the computer, even if they want to "show you" how something works or where files are stored.

14 Bag & Tag: Evidence Transport of computer equipment
- Use original packing material if available
- Use paper bags or anti-static wrap for diskettes and exposed media
- Transport away from extremes: heat, cold, magnetic and radio-frequency sources
How do you transport computer evidence? Very carefully! Extremes of heat and cold, magnetic or radio-frequency sources, and shocks from static electricity can destroy data.

15 In Summary...
- Isolate computers; allow no interaction with computers.
- Photograph the screen, if needed.
- Remove the power connection from the device.
- Sketch/diagram/photograph the setup.
- Dismantle and label connections.
- Package, transport, and store securely, maintaining chain of custody.
One caveat on removing power: if the machine is running and encryption software (TrueCrypt, BestCrypt and the like) or live network activity is suspected, consider capturing volatile data first, because a mounted encrypted volume and everything in memory are gone the moment power is cut.

16 Limited Examinations: here's an example of what might lead to a limited exam!

17 Create a place to store your documentation and your results
Your case file may be electronic or paper. Ultimately you will need to document:
- Evidence: chain of custody
- Your acquisition and analysis procedures
- Details of what you found
- Where you found it
- How it relates to your case
- What it means
Students should begin creating their "original evidence" disk during this initial presentation part of the course.
Chain of custody includes who you received the evidence from (and how) and what you did with it (including where it was stored). Be sure that evidence is not commingled with evidence from other cases. Each piece of evidence should be uniquely identifiable and should be labelled with a case number. Do you have a case numbering system? Be sure to obtain documentation on the circumstances of seizure of the evidence (which room it was seized from, whether it was connected to a network, whether it was switched on).
"What does it mean" does not mean that you are required to draw conclusions or state an opinion of guilt or innocence; rather, it means that you explain the data instead of just reciting facts that the reader will not comprehend. Example: a file found on a floppy disk has a Last Written date that is earlier than its Creation date. What can you determine about that file? (Typically that it was copied onto that disk after it was last edited: copying creates a new directory entry with a fresh creation time while the original modified time is carried over.) These types of facts will need to be explained.
Get organized.
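As an added illustration of the chain-of-custody bookkeeping above (this is not code from the presentation), a minimal evidence register in Python: each item is labelled with its case number, hashed on intake, and every hand-over is logged, so the image can be re-hashed later to prove it is unchanged. The case number, item label, names and the sample "floppy image" bytes are constructed.

```python
"""Evidence register with hash verification and a chain-of-custody log.

Added example, not from the presentation. The case number, item label and the
sample "disk image" bytes below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes; a real image would be read in chunks."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    case_number: str      # every item is labelled with the case it belongs to
    item_id: str          # unique label within the case
    description: str      # what it is and the circumstances of seizure
    acquired_sha256: str  # hash recorded when the item was received
    custody: list = field(default_factory=list)  # chain-of-custody events

    def log_event(self, actor: str, action: str, location: str, when: datetime) -> None:
        """Record who did what with the item, where and when."""
        self.custody.append({"timestamp": when.isoformat(), "actor": actor,
                             "action": action, "location": location})

    def verify(self, data: bytes) -> bool:
        """True only if the bytes still hash to the value recorded at intake."""
        return sha256_hex(data) == self.acquired_sha256

    def to_json(self) -> str:
        """Serialised entry for an electronic case file."""
        return json.dumps(self.__dict__, indent=2)


def intake(case_number: str, item_id: str, description: str, data: bytes,
           received_from: str, examiner: str, location: str,
           when: datetime) -> EvidenceItem:
    """Register an item: hash it and log the hand-over as the first two events."""
    item = EvidenceItem(case_number, item_id, description, sha256_hex(data))
    item.log_event(received_from, "handed over", location, when)
    item.log_event(examiner, "received and hashed (SHA-256)", location, when)
    return item


# Constructed sample: a few bytes stand in for a floppy image.
SAMPLE_IMAGE = b"CONSTRUCTED FLOPPY IMAGE, NOT A REAL DISK\x00" * 32


def demo() -> EvidenceItem:
    """Walk one constructed item through intake and a later custody event."""
    when = datetime(2013, 3, 4, 9, 30, tzinfo=timezone.utc)
    item = intake("2013-0417", "2013-0417/ITEM-03",
                  "3.5in floppy, seized from desk drawer in study; PC was powered off",
                  SAMPLE_IMAGE, "seizing officer", "examiner", "evidence locker 2", when)
    item.log_event("examiner", "copied to working image; original returned to locker",
                   "forensic lab", when)
    return item


if __name__ == "__main__":
    item = demo()
    print(item.to_json())
    print("unchanged:", item.verify(SAMPLE_IMAGE))
    print("tampered :", item.verify(SAMPLE_IMAGE + b"\x01"))
```

Work is always done on the copy; the original is hashed once at intake and re-verified whenever it leaves or returns to storage, and each of those movements is one more custody event.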

18 First things first: Preparation
- Document the case background
- Determine what is required
- Document what you received and the chain-of-custody information
- Ensure you have legal authority to search the evidence received, and ask for documentation of that authority
- Form a plan (with a timeline)
The case background and the request may provide keywords that you can use to search the items you received. Keep an ongoing list of relevant terms.

19 ICT Investigations – Tools

20 Forensic tools - websites
Browser investigation tools:
- NirSoft: free tools for browser investigations
- DCode: converts timestamps (example: Google Chrome timestamps to local time)
- SQLite database browsers
- NetAnalysis
Forensic suites:
- FTK
- EnCase
- X-Ways
- ILook IX
- NUIX
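The Chrome-to-local-time conversion that DCode performs, written out as an added Python example (not DCode's code and not from the presentation): Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC, the same epoch a Windows FILETIME uses with 100-nanosecond ticks, so decoding is a fixed offset from the Unix epoch. The `urls` table below is a constructed, cut-down copy of the table in a Chrome `History` file, with made-up rows.

```python
"""Decoding Google Chrome (WebKit) timestamps and reading them out of a
Chrome-style History database.

Added example, not from the presentation and not DCode's code. The History
table layout is a constructed stand-in for Chrome's `urls` table.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between 1601-01-01 and the Unix epoch 1970-01-01.
EPOCH_DIFF_SECONDS = 11_644_473_600


def webkit_to_datetime(ts: int) -> datetime:
    """Chrome/WebKit timestamp (microseconds since 1601) -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ft // 10)


def webkit_to_unix(ts: int) -> float:
    """Chrome timestamp -> Unix seconds (the fixed-offset conversion DCode does)."""
    return ts / 1_000_000 - EPOCH_DIFF_SECONDS


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Chrome History file (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://example.org/", "Example", 3, 13_300_000_000_000_000),
        (2, "https://example.net/login", "Login", 1, 13_299_999_000_000_000),
    ])
    return conn


def last_visits(conn: sqlite3.Connection, tz=timezone.utc) -> list:
    """(url, datetime) pairs ordered by visit time; tz is the examiner's zone."""
    rows = conn.execute("SELECT url, last_visit_time FROM urls ORDER BY last_visit_time")
    return [(url, webkit_to_datetime(ts).astimezone(tz)) for url, ts in rows]


if __name__ == "__main__":
    for url, when in last_visits(build_sample_history()):
        print(when.isoformat(), url)
```

Keep the raw integer in the report next to the decoded value, and state the time zone you converted to; a Chrome timestamp of 0 or 1 is a sentinel (no visit yet), not a real date in 1601.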

21 iOS Investigations
Different options:
- Logical only: you get only the active files on the device that have not been "deleted" by the user or by the system (example: SMS storage is capped at 100 or 200 or however many messages per contact, so the overflow is deleted).
- File system: all of the above, plus those "deleted" items that still remain within the database file structure. Currently, most apps are not vacuuming that data or sending it to unallocated space.
- Physical: on the later versions of the iPhone this is pretty much worthless, because the unallocated space is encrypted.
Tools: Lantern (Lite), UFED (Cellebrite)
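To show the difference between the logical and the file-system level concretely, here is an added Python example (not from the presentation): a constructed messages table stands in for an app database such as an SMS store. After a DELETE the row is gone from the logical view, but its bytes are still in the page until the database is vacuumed or the space is reused, which is exactly what the file-system level recovers. The table, the messages and the file name are made up.

```python
"""Deleted rows that survive inside an SQLite database file.

Added example, not from the presentation. The messages and the schema are
constructed; sms.db is just a file name in a temporary directory.
"""
import os
import sqlite3
import tempfile

SAMPLE_MESSAGES = [  # constructed, not real messages
    (1, "+15550100", "see you at 8"),
    (2, "+15550199", "delete this after reading"),
    (3, "+15550100", "running late"),
]


def create_db(path: str) -> None:
    conn = sqlite3.connect(path)
    # secure_delete would overwrite freed cells with zeros; switch it off so the
    # demonstration does not depend on how the local SQLite was compiled.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.close()


def logical_view(path: str) -> list:
    """What a logical extraction sees: the rows the database still reports."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT id, handle, text FROM message ORDER BY id").fetchall()
    conn.close()
    return rows


def raw_contains(path: str, needle: bytes) -> bool:
    """What a file-system level extraction sees: the raw bytes, schema ignored."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def run_demo() -> dict:
    """Delete one message, then look for it logically, in raw bytes, and after VACUUM."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sms.db")
    needle = b"delete this after reading"
    try:
        create_db(path)
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = OFF")  # per-connection setting
        conn.execute("DELETE FROM message WHERE id = 2")
        conn.commit()
        conn.close()
        result = {
            "logical_after_delete": logical_view(path),
            "raw_after_delete": raw_contains(path, needle),
        }
        conn = sqlite3.connect(path)
        conn.execute("VACUUM")  # rebuilds the file from live rows only
        conn.close()
        result["raw_after_vacuum"] = raw_contains(path, needle)
        return result
    finally:
        for name in os.listdir(tmpdir):
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A carving tool does the same raw scan against the SQLite page structure rather than with a plain substring search, but the principle is the one the slide states: until the app vacuums, the deleted record is still on disk.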

22 Wifi Locator
Tools to locate Wi-Fi networks:
- Ekahau HeatMapper: works with a map (even Google Maps); a great tool to prepare a raid
- inSSIDer
- Xirrus Wi-Fi Inspector
- Wifi Locator

23 Ekahau Heatmapper

24 OSTriage: live response, as opposed to "dead box" examination. Developed by the US FBI.
Able to detect:
- USB devices that were connected to the PC
- Encryption (TrueCrypt, BestCrypt, etc.)
- Information about hard drives
- Browser history
- Recent search terms
- P2P information
- ...

25 OSTriage: what OSTriage can't do
- It can't find information that isn't there
- It doesn't look at file headers (so a file renamed to hide its type is not recognised by its signature)
- It doesn't look for deleted files
- It doesn't examine live memory

26 OSTriage: search lists
- Keywords.txt: keywords that are looked for in file names when searching
- ShasOfInterest.txt.local: SHA1 values
- MD5sOfInterest.txt: MD5 values
- Custom searches: if you need to look for a customized list of files, create a new file called custom.txt and add entries to it
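The keyword and hash-list matching these files drive, as an added Python example (not OSTriage's code and not from the presentation): file names are matched against keyword entries, file contents are hashed and compared with MD5 and SHA-1 lists of interest, and the modified-before-created timestamp anomaly from the documentation slide is flagged as well. The file records, list contents and paths are constructed; the picture's own hash is placed on the MD5 list to play the role of a known file.

```python
"""Triage pass in the spirit of OSTriage's Keywords.txt / hash lists.

Added example, not OSTriage's code. Inputs are constructed records standing in
for files on a seized disk; the keyword and hash lists are hypothetical.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FileRecord:
    """Stand-in for a file on the seized disk (constructed, not real data)."""
    path: str
    data: bytes
    created: datetime
    modified: datetime


def parse_list(text: str) -> set:
    """Parse a Keywords.txt-style list: one entry per line, blanks and # comments ignored."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def file_name(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def triage(files, keywords, md5s, sha1s) -> dict:
    """Return {path: [reasons]} for every file that deserves a closer look."""
    hits = {}
    for f in files:
        reasons = []
        name = file_name(f.path).lower()
        for kw in sorted(keywords):
            if kw in name:
                reasons.append(f"filename contains keyword '{kw}'")
        md5 = hashlib.md5(f.data).hexdigest()
        sha1 = hashlib.sha1(f.data).hexdigest()
        if md5 in md5s:
            reasons.append(f"MD5 {md5} is on the list of interest")
        if sha1 in sha1s:
            reasons.append(f"SHA-1 {sha1} is on the list of interest")
        if f.modified < f.created:
            reasons.append("modified before created: file was likely copied here "
                           "after it was last edited")
        if reasons:
            hits[f.path] = reasons
    return hits


# Constructed lists and files (hypothetical, for the demonstration only).
KEYWORDS_TXT = "# constructed Keywords.txt: substrings looked for in file names\njoeblow\nthreat\n"
IMAGE_BYTES = b"\xff\xd8\xff\xe0CONSTRUCTED-JPEG-SAMPLE"
MD5S_TXT = hashlib.md5(IMAGE_BYTES).hexdigest() + "\n"   # the picture is "known"
SHA1S_TXT = "# nothing on this list\n"

SAMPLE_FILES = [
    FileRecord(r"F:\SONYHANDHELD\JOEBLOW.DOC", b"CONSTRUCTED LETTER TEXT",
               created=datetime(2013, 3, 2, 10, 0), modified=datetime(2013, 2, 20, 18, 45)),
    FileRecord(r"C:\Users\suspect\Pictures\IMG_0042.JPG", IMAGE_BYTES,
               created=datetime(2013, 1, 5, 12, 0), modified=datetime(2013, 1, 5, 12, 0)),
    FileRecord(r"C:\Windows\notepad.exe", b"MZ-CONSTRUCTED",
               created=datetime(2012, 8, 1, 0, 0), modified=datetime(2012, 8, 1, 0, 0)),
]


def run_sample() -> dict:
    """Run the triage over the constructed files with the constructed lists."""
    return triage(SAMPLE_FILES, parse_list(KEYWORDS_TXT),
                  parse_list(MD5S_TXT), parse_list(SHA1S_TXT))


if __name__ == "__main__":
    for path, reasons in run_sample().items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Note what this does and does not catch, matching the slide on OSTriage's limits: the executable with a renamed extension is only found if its hash is on a list, because nothing here inspects file headers, and a deleted file never reaches the loop at all.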

27 OSTriage: live response information includes
- Windows information
- Physical and logical hard drives
- Network information
- USB device history
- Browser history
- Passwords for browsers / IM clients / ...
- Listing of all recently opened files

28 to 31 OSTriage (screenshots)

32 OSTriage is available free of charge to law enforcement; you need to register before you can download it.

33 Questions?

