Conducting a Search and/or Seizure




Another interesting read from the United States Secret Service. This again illustrates the importance of not changing the data/information (and therefore potential evidence) during the investigative or search process itself.





CONDUCTING THE SEARCH AND/OR SEIZURE

Once the computer's role is understood and legal requirements are fulfilled:

  1. Secure the Scene
    • Officer safety is paramount.
    • Preserve area for potential fingerprints.
    • Immediately restrict access to computer(s).
      Isolate from phone lines (because data on the computer can be accessed remotely).

  2. Secure the Computer as Evidence
    • If computer is "OFF", do not turn "ON".
    • If computer is "ON"
      • Stand-alone computer (non-networked)
        • Consult computer specialist
        • If specialist is not available
          • Photograph screen, then disconnect all power sources; unplug from the wall AND the back of the computer.
          • Place evidence tape over each drive slot.
          • Photograph/diagram and label back of computer components with existing connections.
          • Label all connectors/cable ends to allow reassembly as needed.
          • If transport is required, package components and transport/store components as fragile cargo.
          • Keep away from magnets, radio transmitters and otherwise hostile environments.
      • Networked or business computers
        • Consult a Computer Specialist for further assistance
        • Pulling the plug could:
          • Severely damage the system
          • Disrupt legitimate business
          • Create officer and department liability



OTHER ELECTRONIC STORAGE DEVICES

Electronic devices may contain viable evidence associated with criminal activity. Unless an emergency exists, the device should not be accessed. Should it be necessary to access the device, all actions associated with the manipulation of the device should be noted in order to document the chain of custody and ensure its admission in court.

  1. Wireless Telephones
    • Potential Evidence Contained in Wireless Devices
      • Numbers called
      • Numbers stored for speed dial
      • Caller ID for incoming calls
      • Other information contained in the memory of wireless telephones
        • Phone/pager numbers
        • Names and addresses
        • PIN numbers
        • Voice mail access number
        • Voice mail password
        • Debit card numbers
        • Calling card numbers
        • E-mail/Internet access information
        • The on screen image may contain other valuable information
    • On/Off Rule
      • If the device is "ON", do NOT turn it "OFF".
        • Turning it "OFF" could activate lockout feature.
        • Write down all information on display (photograph if possible).
        • Power down prior to transport (take any power supply cords present).
      • If the device is "OFF", leave it "OFF".
        • Turning it on could alter evidence on device (same as computers).
        • Upon seizure get it to an expert as soon as possible or contact local service provider.
        • If an expert is unavailable, USE A DIFFERENT TELEPHONE and contact 1-800-LAWBUST (a 24/7 service provided by the cellular telephone industry).
        • Make every effort to locate any instruction manuals pertaining to the device.

  2. Electronic Paging Devices
    • Potential Evidence Contained in Paging Devices
      • Numeric pagers (receives only numeric digits; can be used to communicate numbers and code)
      • Alpha numeric pagers (receives numbers and letters and can carry full text)
      • Voice pagers (can transmit voice communications, sometimes in addition to alpha numeric)
      • 2-way pagers (containing incoming and outgoing messages)
    • Best Practices
      • Once pager is no longer in proximity to suspect - turn it off. Continued access to electronic communication over pager without proper authorization can be construed as unlawful interception of electronic communication.
    • Search of stored contents of pager.
      • Incident to arrest
      • With probable cause + exception
      • With consent

  3. Facsimile Machines
    • Fax machines can contain:
      • Speed dial lists
      • Stored faxes (incoming and outgoing)
      • Fax transmission logs (incoming and outgoing)
      • Header line
      • Clock setting
    • Best practices
      • If fax machine is found "ON", powering down may cause loss of last number dialed and/or stored faxes.
    • Other Considerations
      • Search issues
        • Record telephone line number fax is plugged into
        • Header line should be the same as the phone line; user sets header line.
        • All manuals should be seized with equipment, if possible.

  4. Caller ID Devices
    • May contain telephone and subscriber information from incoming telephone calls.
      • Interruption of the power supply to the device may cause loss of data if not protected by internal battery backup.
      • Document all stored data prior to seizure or loss of data may occur.

  5. Smart Cards
    A plastic card the size of a standard credit card that holds a microprocessor (chip) which is capable of storing monetary value and other information.

    • Awareness
      • Physical characteristics of the card
      • Photograph of the smart card
        • Label and identify characteristics.
        • Features similar to credit card/driver's license.
        • Detect possible alteration or tampering during same examination.
    • Uses of Smart Cards
      • Point of sale transactions
      • Direct exchange of value between cardholders
      • Exchange of value over the Internet
      • ATM capabilities
      • Capable of storing other data and files similar to a computer
    • Circumstances Raising Suspicion Concerning Smart Cards
      • Same as credit cards
      • Numerous cards (different names or same issuing vendor)
      • Signs of tampering (cards can be found in the presence of computer or other electronic devices)
    • Questions to Ask When Encountering Smart Cards
      • Who is card issued to (the valid cardholder)?
      • Who issued the card?
      • What are the uses of the cards?
      • Why does the person have numerous cards?
      • Can this computer or device alter the card?
    • Other Considerations
      • Smart Card technology is used in some cellular phones and may be found in or with cellular devices






Source: US Secret Service








Copyright © by Computer Forensics World All Right Reserved.

Published on: 2004-08-27 (22588 reads)
