Another interesting read from the United States Secret Service. This again illustrates the importance of not changing the data/information (and therefore potential evidence) during the investigative or search process itself.

Once the computer's role is understood and legal requirements are fulfilled:

1. Secure the Scene
• Officer safety is paramount.
• Preserve area for potential fingerprints.
• Immediately restrict access to computer(s).
  Isolate from phone lines (because data on the computer can be access remotely).


2. Secure the Computer as Evidence
• If computer is "OFF", do not turn "ON".
• If computer is "ON"
• Stand-alone computer (non-networked)
• Consult computer specialist
• If specialist is not available
• Photograph screen, then disconnect all power sources; unplug from the wall AND the back of the computer.
• Place evidence tape over each drive slot.
• Photograph/diagram and label back of computer components with existing connections.
• Label all connectors/cable end to allow reassembly as needed.
• If transport is required, package components and transport/store components as fragile cargo.
• Keep away from magnets, radio transmitters and otherwise hostile environments.
• Networked or business computers
• Consult a Computer Specialist for further assistance
• Pulling the plug could:
• Severely damage the system
• Disrupt legitimate business
• Create officer and department liability

Electronic devices may contain viable evidence associated with criminal activity. Unless an emergency exists, the device should not be accessed. Should it be necessary to access the device, all actions associated with the manipulation of the device should be noted in order to document the chain of custody and insure its admission in court.

1. Wireless Telephones
• Potential Evidence Contained in Wireless Devices
• Numbers called
• Numbers stored for speed dial
• Caller ID for incoming calls
• Other information contained in the memory of wireless telephones
• Phone/pager numbers
• Names and addresses
• PIN numbers
• Voice mail access number
• Voice mail password
• Debit card numbers
• Calling card numbers
• E-mail/Internet access information
• The on screen image may contain other valuable information
• On/Off Rule
• If the device is "ON", do NOT turn it "OFF".
• Turning it "OFF" could activate lockout feature.
• Write down all information on display (photograph if possible).
• Power down prior to transport (take any power supply cords present).
• If the device is "OFF", leave it "OFF".
• Turning it on could alter evidence on device (same as computers).
• Upon seizure get it to an expert as soon as possible or contact local service provider.
• If an expert is unavailable, USE A DIFFERENT TELEPHONE and contact 1-800-LAWBUST (a 24/7 service provided by the cellular telephone industry).
• Make every effort to locate any instruction manuals pertaining to the device.


2. Electronic Paging Devices
• Potential Evidence Contained in Paging Devices
• Numeric pagers (receives only numeric digits; can be used to communicate numbers and code)
• Alpha numeric pagers (receives numbers and letters and can carry full text)
• Voice Pagers (can transmit voice communications (sometimes in addition to alpha numeric)
• 2-way pagers (containing incoming and outgoing messages)
• Best Practices
• Once pager is no longer in proximity to suspect - turn it off. Continued access to electron communication over pager without proper authorization can be construed as unlawful interception of electronic communication.
• Search of stored contents of pager.
• Incident to arrest
• With probable cause + exception
• With consent


3. Facsimile Machines
• Fax machines can contain:
• Speed dial lists
• Stored faxes (incoming and outgoing)
• Fax transmission logs (incoming and outgoing)
• Header line
• Clock setting
• Best practices
• If fax machine is found "ON", powering down may cause loss of last number dialed and/or stored faxes.
• Other Considerations
  • Search issues
  • Record telephone line number fax is plugged into
  • Header line should be the same as the phone line; user sets header line.
  • All manuals should be seized with equipment, if possible.


4. Caller ID Devices
• May contain telephone and subscriber information from incoming telephone calls.
• Interruption of the power supply to the device may cause loss of data if not protected by internal battery backup.
• Document all stored data prior to seizure or loss of data may occur.


5. Smart Cards
   A plastic card the size of a standard credit card that holds a microprocessor (chip) which is capable of storing monetary value and other information.


• Awareness
• Physical characteristics of the card
• Photograph of the smart card
• Label and identify characteristics.
• Features similar to credit card/driver's license.
• Detect possible alteration or tampering during same examination.
• Uses of Smart Cards
• Point of sale transactions
• Direct exchange of value between cardholders
• Exchange of value over the Internet
• ATM capabilities
• Capable of storing other data and files similar to a computer
• Circumstances Raising Suspicion Concerning Smart Cards
• Same as credit cards
• Numerous cards (different names or same issuing vendor)
• Signs of tampering (cards can be found in the presence of computer or other electronic devices)
• Questions to Ask When Encountering Smart Cards
• Who is card issued to (the valid cardholder)?
• Who issued the card?
• What are the uses of the cards?
• Why does the person have numerous cards?
• Can this computer or device alter the card?
• Other Considerations
  • Smart Card technology is used in some cellular phones and may be found in or with cellular devices

Source: US Secret Service

Copyright © by Computer Forensics World All Right Reserved.

Published on: 2004-08-27 (10077 reads)