Computer Technical Procedure For Vehicle Data Extraction (PDF) 2019

Summary

This document is a technical procedure for vehicle data extraction. It outlines the steps and procedures for extracting data from motor vehicles. It includes definitions, equipment, and the procedure to be followed, along with considerations for different types of extraction, including physical and logical methods, and the importance of PPE and safety.

Full Transcript


Technical Procedure for Vehicle Data Extraction
Version 1
Digital Evidence Section
Effective Date: 07/02/2019
Issued by Digital Evidence Section Forensic Scientist Manager

1.0 Purpose – This procedure establishes a systematic process for data extraction from motor vehicles.

2.0 Scope – This procedure describes the steps to be taken by personnel of the State Crime Laboratory in extracting data from motor vehicles.

3.0 Definitions

• Target drive – A sterile piece of media used to store forensic image(s) and case related data.
• SIM card – The Subscriber Identity Module card used in some devices that allows the device to connect to a carrier network (AT&T, Verizon, Sprint, etc.). SIM cards may contain identifying information and other data.
• SIM card Adapter – A device used to connect the various types of SIM cards (micro or nano) to the forensic tool for extraction.
• Micro SD card – The micro SD (Secure Digital) card found in some devices that may contain user data.
• Physical extraction – A method of extraction that includes a bit-by-bit image of the flash memory of a device that contains system and user data to include deleted data, hidden data, and unallocated space.
• Logical extraction – A method of extraction that includes user data available through the device’s Application Program Interface but does not include deleted data or unallocated space.
• Chip-Off Extraction – A method of data extraction which involves the removal of a flash memory chip from the printed circuit board (PCB) of a device and directly reading the binary data from the flash memory chip. This type of data extraction is considered destructive as the device will be permanently inoperable after the memory chip is removed from the PCB.
• Device Interface Board (DIB) – An adapter affixed to a circuit board to enable connection between the circuit board and the forensic computer.
• VIN – Vehicle Identification Number
• PPE – Personal Protective Equipment

4.0 Equipment, Materials and Reagents

• Approved tools for vehicle data extraction (software or hardware)
• Forensic computer
• Target drive (internal hard drive with dock or USB storage device)
• Set of cables and connectors

5.0 Procedure

5.1 Extraction

5.1.1 Prior to any vehicle submission, the submitting agency must call the Digital Evidence section to determine if the vehicle is supported by the forensic software.

5.1.2 In the event that it is not possible for the submitting agency to deliver the vehicle to the Raleigh Laboratory, the Digital Evidence Section’s Forensic Science Manager may authorize scientists to travel to the vehicle’s location. See “Technical Field Assist” section below.

5.1.3 Prior to removing any infotainment center modules or performing any data extractions, at a minimum, the following information must be documented in the scientist’s notes: Year, Make, Model, Trim, VIN, and odometer.

5.1.4 When vehicles are submitted, regardless of location, the vehicle keys shall accompany the vehicle at all times. For purposes of evidence submission, the vehicle and accompanying keys are considered to be one item.

5.1.5 A physical inspection shall be conducted, and the scientist shall take pictures of all four sides of the vehicle and the center stack. The pictures shall be uploaded into FA (see Technical Procedure for the Physical Inspection of Digital Evidence).

5.1.6 The scientist shall determine if the infotainment center is required to remain in the vehicle to complete the data extraction. If the infotainment center is required to remain in the vehicle, all known actions since the incident/seizure must be documented by the submitting agency prior to data extraction and provided to the scientist, as data may be written to the infotainment center’s internal storage.

5.1.7 The scientist shall determine if the infotainment center contains a SIM card or other removable media, such as a micro SD card. If possible, all SIM cards and removable media shall be physically removed from the device prior to beginning the data extraction.

5.1.7.1 Some infotainment centers require an SD card to be installed prior to beginning the data extraction. The SD card shall be of appropriate size and formatted according to forensic tool specification.

5.1.8 Prior to disassembling the infotainment center module, the scientist shall document and photograph any label on the module (e.g., Bluetooth, MAC, and IP addresses) as these may be required to gain access to some systems.

5.1.9 If the circuit board is removed from the module, the scientist shall photograph both sides of the circuit board.

5.1.10 The Berla iVE vehicle data extraction software is predicated on a non-destructive methodology; however, some infotainment centers may require a chip-off extraction.

5.1.10.1 If it is determined that a chip-off extraction is necessary, refer to the XRY Advanced Acquisition Training Workbook for guidance for chip-off procedures.

5.1.10.2 Since the chip-off extraction procedure is destructive in nature, written approval shall be obtained prior to performing the chip-off procedure/extraction. The approval must include an acknowledgement by the submitting agency indicating their understanding that this process is destructive in nature and an indemnification agreement. Any acknowledgement collected under this requirement must be documented in FA, to include uploading a copy to the object repository.

5.1.11 The scientist shall extract vehicle infotainment center data onto the Berla computer. The data shall not be extracted to a target drive. Refer to the tool support documentation for the appropriate procedural steps, cable connections, and settings for the device. The scientist shall document the methods used to extract data from the device.

5.1.12 The scientist shall create a report for the data extraction.

5.1.13 Upon completion of the vehicle data extraction, the infotainment center and/or its components shall not be reinstalled as any action taken (e.g., opening doors, seatbelts, starting, etc.) may overwrite data.

5.2 Technical Field Assist

5.2.1 If the Forensic Science Manager approves a scientist to go to the vehicle’s location, the module shall be removed and retained by the requesting agency to submit to the laboratory for processing. If the infotainment center is required to remain in the vehicle to complete the data extraction, the scientist shall conduct the extraction as directed in section 5.1 and leave the extracted data with the requesting agency for submission to the laboratory for further processing.

5.2.2 A representative of the requesting agency must be present in order to maintain the agency’s chain of custody. Under no circumstances shall a laboratory scientist take custody of the vehicle at the scene.

5.2.3 The scientist shall ensure documentation to search the vehicle is on-scene prior to performing any actions. A copy of the documentation to search shall be retained and uploaded into the FA object repository.

5.2.4 The scientist shall remove the infotainment center module and turn it over to an authorized agency representative.

5.2.5 The scientist shall create a case record in the FA system to report the Technical Field Assistance. The Laboratory file number shall be provided to the submitting agency. The agency shall be instructed to submit the module under the laboratory number as a new submission.

5.3 Standards and Controls – N/A

5.4 Calibrations – N/A

5.5 Maintenance – N/A

5.6 Sampling – N/A

5.7 Calculations – N/A

5.8 Uncertainty of Measurement – N/A

6.0 Limitations

6.1 Vehicle infotainment devices present unique challenges due to numerous models of devices, proprietary software, and rapid changes in technology. Not all vehicle infotainment devices are supported by forensic tools.

6.2 Some extractions may require removable media to be inserted into the device. In the event that the forensic tool requires removable media, it is permissible to insert sterilized media into the device for extraction.

7.0 Safety

7.1 Vehicles may have sustained damage, and safety precautions must be taken, along with the use of PPE.

7.2 Conditions that should be considered prior to beginning any vehicle data extraction include, but are not limited to, the following:

• Airbag Condition
• Toxic Fluids
• Biological Fluids
• Weather
• Fire
• Sharp Objects (edges and points)
• Unstable Vehicles

7.3 PPE shall include, but is not limited to, the following:

• Mechanics Gloves
• Safety Glasses
• Tyvek Suits
• Headlamps
• Durable Clothing
• Nitrile Gloves
• Fire Extinguisher
• Wheel Chocks

8.0 References

• Scientific Working Group on Digital Evidence, SWGDE Best Practices for Chip-Off, 2016, Version 1.0.
• Micro Systemation AB, XRY Advanced Acquisition Training Workbook, 2017.
• Berla, Vehicle Forensics iVe, Training Workbook, Version 2.2, Q1, 2019.
• Scientific Working Group on Digital Evidence, SWGDE Best Practices for Vehicle Infotainment and Telematics Systems, 2016, Version 2.0.
• Technical Procedure for the Physical Inspection of Digital Evidence

9.0 Records – N/A

10.0 Attachments – N/A

Revision History

Effective Date    Version Number    Reason
07/02/2019        1                 Original Document

All copies of this document are uncontrolled when printed.
