Electronic Law and Evidence Overview

Questions and Answers

What is the primary requirement when executing a search warrant for computer-related evidence?

• It must be executed within 30 days of issuance.
• It must be accompanied by a digital forensics expert.
• It must occur during business hours.
• It must be executed within 14 days of warrant authorization. (correct)

During a search incident to arrest, what can law enforcement legally do with a mobile device?

• Access cloud data linked to the phone.
• Review all contents of the phone.
• Remove the case and physically examine the phone. (correct)
• Seize the phone without examination.

Which of the following best describes exigent circumstances?

• Instances where evidence is at risk of being destroyed. (correct)
• Scenarios where a warrant must be obtained beforehand.
• Conditions that allow for a search without probable cause.
• Situations where consent is not needed.

Which of the following is NOT a consideration when evaluating the authentication of computer information?

What is the file size of the data? (B)

What should NOT be done to ensure digital officer safety during online investigative activities?

Respond to unsolicited emails. (C)

Why do criminals prefer engaging in activities within the cyber environment?

It offers them greater physical safety. (B)

What should be the first priority when seizing electronics during an investigation?

Maintaining officer safety (D)

Which of the following is essential when transporting computers as evidence?

Maintaining the chain of custody (A)

What aspect of a plain view seizure is crucial to understand?

Evidence must be readily observable from a legal vantage point. (B)

Which type of system can be critically impacted by skilled cyber terrorists?

SCADA systems. (A)

What is a characteristic feature of a bitcoin address?

Starts with 1, 3, or bc1 (A)

Which action is NOT recommended when handling a computer that contains potential evidence?

Turning the computer off immediately (A)

Which type of evidence must be preserved in a way that can be validated in court?

All forms of evidence including digital (B)

When collecting RAM for password cracking, what is the purpose of the pagefile?

To hold overflow information when RAM is full (B)

What is a seed phrase in the context of cryptocurrency wallets?

A list of 12-24 words that unlock an account (D)

Which method enhances the credibility of evidence presented in court?

Having multiple witnesses with personal knowledge (C)

What is required to obtain a T-III wiretap for electronic communications?

Probable cause to believe a felony has been committed (C)

Under what condition is a T-III wiretap not necessary?

Recording conversations with two-party consent (A), Collecting data from a subpoena (B)

What defines 'reasonable expectation of privacy' (REP) under Katz?

Subjective belief that privacy is maintained (A)

What is a key factor from the Carpenter decision regarding tracking movements?

Tracking for more than 7 days requires a search warrant (D)

Which types of prior convictions can be used to impeach a witness?

Any felony conviction (D)

What must the defense prove during their case in a criminal prosecution?

Nothing, they have no burden of proof (D)

Which type of judge is authorized to grant a T-III wiretap?

District court judge or above (C)

What is the purpose of a Preservation Letter?

To request online data retention by ISPs (D)

In the context of drug identification, what information can the Drug Identification Bible provide?

Active ingredients, color, shape, dosage, and control level (D)

What is a distinctive physical characteristic of heroin?

White, tan, or gray powder with a strong vinegar smell (A)

What criteria must be demonstrated to justify a search of stored data?

Probable cause related to the crime being investigated (C)

During which stage of criminal prosecution does jury selection occur?

Voir Dire (A)

What does Locard's principle state about evidence left at a crime scene?

People cannot leave a scene without taking something with them and leaving something behind. (B)

What does the 'necessity statement' in a T-III application require?

Documentation of all investigative techniques exhausted (C)

How can the government respond to evidence presented by the defense?

Through the Rebuttal Case (A)

Which characteristic type describes items that can uniquely link to a specific source?

Individual characteristic (D)

What is a characteristic of cocaine base/crack?

Can only be smoked to achieve a high (C)

In measuring for crime scene documentation, which method is considered the most accurate?

Triangulation measurement (D)

What is essential to include in sketches of crime scenes?

A North arrow and key/title block (A)

Which of the following is NOT a stage in criminal prosecution?

Witness Cross Examination (D)

What unique feature can help identify the source of a printed document from laser printers?

Marks left from improper maintenance (C)

Which type of physical evidence is considered tangible?

A bullet (C)

Which aspect is NOT required for effective crime scene documentation?

Witness statements (B)

What is a typical use for the largest ink library maintained by the USSS?

Identifying ink types in questioned documents (B)

What advantage is associated with compelled handwriting exemplars?

Can control conditions of the sample (A)

Which of the following correctly defines a mental health crisis?

A state of severely reduced behavioral and emotional functioning (A)

What is a primary disadvantage of obtaining non-request handwriting exemplars?

They are more likely to be disguised (A)

What key component is essential for the chain of custody to be valid in court?

A narrative of the evidence's history (C)

What role can an individual in a mental health crisis assume?

Disorderly person (B)

Which of the following is NOT a sign of mental illness?

Coping well with loss (D)

What is the main purpose of a Letter of Transmittal in evidence submission?

To describe the case and request analysis (A)

What is an important initial step in dealing with a situation involving a mental health crisis?

Obtain comprehensive information about the situation (A)

Flashcards

Title III Wiretap

A court order authorizing the interception of wire, oral, or electronic communications. It's required when real-time communication content is intercepted using a device without consent.

Preservation Letter

A legal document that allows law enforcement to request an ISP (Internet Service Provider) to preserve electronic data for up to 90 days to prevent its deletion.

Search under Jones

When law enforcement uses physical intrusion with the intent to obtain information, it's considered a search under the Fourth Amendment.

Search under Katz

The Fourth Amendment protects individuals' reasonable expectation of privacy against government intrusion. It applies to both physical and non-physical intrusions.

Carpenter Doctrine

This doctrine establishes that individuals have a reasonable expectation of privacy in their movement data when tracked for extended periods. This means tracking someone for more than 7 days requires a search warrant.

Necessity Statement

A legal requirement for obtaining a Title III wiretap. Investigators must provide a detailed explanation of prior investigative steps taken, why those steps were unsuccessful, and why the wiretap is necessary.

Search or Seizure of Computers w/o Warrant

Computers can be searched or seized without a warrant if there's probable cause to believe they contain evidence of a crime, and it's in danger of being destroyed or removed.

External Threats to Electronic Evidence

External factors that can damage electronic evidence, such as magnets, high temperatures, and water.

Internal Threats to Electronic Evidence

Internal factors that can damage electronic evidence, such as overwriting data.

Traditional Forensics for Electronic Crimes

Traditional forensic techniques that focus on physical evidence related to electronic crimes, such as fingerprints, DNA samples, and trace evidence.

What is Bitcoin?

A digital currency that uses cryptography for security and operates independently of central banks. It's not physical and exists as a record on a distributed ledger.

What is a Seed Phrase?

A list of 12 to 24 words that act like a key to access and manage Bitcoin accounts or cryptocurrency wallets. If lost, the account's access is irretrievable.

On/Off Ramps for Crypto

The process of converting traditional currency (like USD) into cryptocurrency or vice versa. It's how you enter and exit the world of digital assets.

Chain of Custody

The process of documenting the chain of custody for evidence, including who handled it, when, and where.

Laying a Foundation for Evidence in Court

A process where a witness's testimony is supported by evidence and documentation, demonstrating the connection between the evidence and the case.

Consent in searches

A legal concept where a person can give permission for something, like a search, with limitations. These limitations can be specific, like not looking in emails, or more general, like only allowing search by someone with authority.

Exigent circumstances

Circumstances that create a dire need for immediate action, usually overriding the need for a warrant. This can involve a threat of destruction of evidence or an imminent danger.

Plain view doctrine

The ability to seize evidence clearly visible in plain sight, but not to extend a warrant based on what's seen. You can't expand a search based on something found in plain view.

Search incident to arrest (SIA)

A search conducted immediately after an arrest. You can't search a phone's contents, but can remove the case and examine the phone itself.

Search warrant for computers

A type of warrant specifically designed for searching and seizing digital devices like computers, phones, and network equipment.

Devices to seize in a computer warrant

Digital devices hold various types of data, so the warrant should list all possible devices that might contain relevant information.

Experts in warrant execution

When dealing with digital evidence, a warrant execution should involve specialists in the field to ensure proper handling and analysis of data.

Authentication of digital data

The authentication of digital evidence involves establishing its integrity, authenticity, and reliability. Factors like the source, ownership, and access history must be determined.

Bias

A person's relationship to others that could influence their testimony or perception of events. It can be blood-related, marital, professional, or based on shared experiences that could affect objectivity.

Voir Dire

To question a potential juror's qualifications and biases to ensure they can be impartial during the trial.

Case-in-Chief

The government's presentation of evidence to support their case against the defendant, including witness testimony and physical evidence.

Defense Case

The opportunity for the defense to present their own evidence to challenge the government's case, including calling witnesses and presenting evidence.

Rebuttal Argument

A type of legal argument made by one side after the other side has rested its case, to challenge the evidence presented and persuasively argue their side.

Drug Identification Bible

A detailed book that lists controlled substance information, including active ingredients, colors, shapes, dosages, and legal classification.

Physical Evidence

A physical substance found at a crime scene that can help investigators identify the perpetrator or understand what happened.

Evidence Handling

The proper techniques for locating, documenting, collecting, and packaging evidence to ensure its preservation and admissibility in court.

Compelled handwriting exemplars

Handwriting samples obtained under controlled conditions, usually for comparison purposes.

Non-requested handwriting exemplars

Handwriting samples collected without the subject's knowledge or consent, often found in everyday materials.

Letter of Transmittal

A formal document accompanying the evidence submission to a lab for analysis, outlining case details, requested analysis, and contact information.

Mental health crisis

A state of severe emotional distress or dysfunction that significantly affects a person's ability to function.

De-escalation techniques

Techniques used to calm and de-escalate situations involving individuals experiencing a mental health crisis.

Mental health crisis signs

Observable behaviors and physical indicators that suggest a mental health crisis.

Mental health crisis symptoms

Subjective experiences, feelings, and internal perceptions reported by individuals experiencing a mental health crisis.

What is physical evidence?

Physical evidence is anything tangible that can be used to prove or disprove a fact or theory. It includes visible items like blood or a gun, as well as invisible items like DNA. Physical evidence cannot be impeached, meaning it cannot be discredited or challenged by testimony.

What is a class characteristic?

Class characteristics are qualities shared by all items of a certain group. For example, a screwdriver is a class characteristic because it falls within the general category of screwdrivers. This means that a screwdriver found at a crime scene does not definitively link it to a specific person.

What is an individual characteristic?

Individual characteristics are unique features that can link an item to a specific source. For example, a screwdriver with a bent handle is an individual characteristic, as it sets it apart from other screwdrivers. Individual characteristics can be used to identify the specific object or person involved in a crime.

What is Locard's exchange principle?

Locard's exchange principle states that every contact leaves a trace. This means that when two objects come into contact, a transfer of material occurs. This material can be used to link a person or object to a crime scene, and it helps explain why trace evidence, like fibers or hair, is often found at crime scenes.

How is the age of a document determined?

The age of a document can be determined through ink and paper analysis. The US Secret Service maintains a large ink library, which can be used to identify the ink used on a document. Paper often contains watermarks that can also help date the document.

How is handwriting identified?

Handwriting can be identified through a number of methods, including comparing the writing to known samples and analyzing handwriting characteristics. It is important to obtain a variety of writing samples from the suspect in order to get a reliable comparison. Some of the features that can be analyzed include letter formation, slant, spacing, and pressure.

How can you determine where a printed document came from?

Laser printers often leave marks on paper from improper maintenance, and these markings can help trace the printer to its source. Glass copiers typically leave trash marks, which are small imperfections on the copies, that can aid in identifying the copier. Some large copier companies imprint each copy with a matrix of identifying dots that can be used to trace the copy back to its origin.

How should a crime scene be documented?

In order to properly document a crime scene, you should create thorough photographs, sketches, and notes. Sketches should include a north arrow, a note stating “Not to Scale” and a key or title block which should include the case number, date and time, as well as who, what, where, when and why. There are three methods for measuring items for inclusion on a crime scene sketch: Baseline, Rectangular,  and Triangulation. Triangulation is the most accurate method.

Study Notes

Electronic Law and Evidence

• EPO 1: Federal requirements for wiretaps.
  • Wiretaps needed for real-time communications content with no party consent.
  • Authorization from an Assistant U.S. Attorney (AUSA) is needed given probable cause of a felony committed.
  • Includes necessary steps and what has/hasn't been attempted.
  • District Court or higher is required to issue a T-III order.
• EPO 2: Federal requirements for tracking suspects.
  • Physical intrusion with intent of gaining information is considered a search under Jones.
  • Physical or non-physical intrusion affecting a reasonable person's subjective expectation of privacy is considered a search under Katz.
  • Tracking for longer than 7 days established a search.
  • Tracking for less than 7 days may not be a search under Katz or could be considered under Jones only.
  • A warrant from a Magistrate Judge is required for tracking.
• EPO 3: Federal requirements for tracing communications.
  • Pen registers capture dialed-out numbers.
  • Trap and traces capture incoming numbers.
• EPO 4: Video surveillance in private locations.
  • Warrant needed for video surveillance within someone's reasonable expectation of privacy.
  • Includes curtilage of a home.
• EPO 5: Stored electronic communications.
  • Stored Communications Act controls access to stored comms by Internet service providers.
  • Gathering information includes basic subscriber info (name, address, phone number, service details, and timestamps).
  • Transactional records (website visits, calls made/received).
  • Email addresses received and sent.
    • Specifics the content and process to obtain.
• EPO 6: Searching/Seizing computers without warrants.
  • Search without warrant needs consent or exigent circumstances.
  • Consent can be limited (do not look at emails).
    • Apparent authority also serves as consent.
  • Plain view allows seizing if already in view.
• EPO 7: Special considerations for searching computers.
  • Consider all devices in warrant to search/seize.
• EPO 8: Special considerations for executing computer warrants.
  • Warrant execution must be within 14 days of authorization.
• EPO 9: Authenticating computer information.
  • Identify whose data is on the computer.
  • Know who/what created the information.
  • Determine who had access.
  • Trace evidence must exist.
• EPO 10: Investigating crimes with electronic evidence.
  • Procedures for collecting and preserving physical/electronic evidence.
  • Identifying non-electronic items pertaining to electronic crimes.
  • Proper documentation of all evidence is essential for admissibility in court.
• EPO 11: Law Enforcement Response to a Mental Health Crisis.
  • Behaviors associated with crisis situations.
  • Techniques to de-escalate.
  • Steps to take after securing a scene.

Conducting Investigations in the Cyber Environment

• EPO 12: Identify precautions to prevent leaks to personal/agency identifying information.
  • General rules, areas of vulnerability for computer systems and files.
  • Handling data flow.
• EPO 13: Identifying how social networks and online gaming facilitate criminal activity.
  • Online-criminals take advantage of the virtual aspect.
  • Gaining access to many people, minimizing physical risk.
• EPO 14: Introduction to Mobile Device Investigations.
  • Determining types/identifiers associated with mobile devices.
  • User vs. Investigative perspectives.
• EPO 15: Identifies the federal requirements to control the use of video surveillance.
• Discusses situations in which surveillance is allowed without a warrant.
• EPO 16: Understands various stages of a criminal prosecution.
• Procedures from initial stages to the final stages (e.g., Pre-Trial Suppression Hearing, Jury Trial, etc.).
• EPO 17: Controlled substance identification.
  • Various methods for identifying drugs.
• EPO 18: Understanding physical evidence.
  • Methods for identifying and gathering evidence (physical, documented, testimonials).
• EPO 19: Identification, request, and non-request exemplars.
  • Document and note component details.
  • Information about ink and paper analysis.
• EPO 20: Information regarding chain of custody as it pertains to evidence for analysis in a lab.
  • Detailed processes and forms specific to legal submissions to labs.
• EPO 21: Legal requirements to obtain properly admissible evidence for trials in court.
  • Detailed procedures and steps involved in procuring usable evidence in court.