DOJ HACKER SHIT.pdf

Transcript

U.S. Department of Justice
Office of Justice Programs
National Institute of Justice
OCT. 07

Special REPORT

Investigative Uses of Technology:
Devices, Tools, and Techniques

www.ojp.usdoj.gov/nij
U.S. Department of Justice
Office of Justice Programs
810 Seventh Street N.W.
Washington, DC 20531

Peter D. Keisler
Acting Attorney General

Cybele K. Daley
Acting Assistant Attorney General

David W. Hagy
Acting Principal Deputy Director, National Institute of Justice

This and other publications and products of the National Institute
of Justice can be found at:

National Institute of Justice
www.ojp.usdoj.gov/nij

Office of Justice Programs
Innovation Partnerships Safer Neighborhoods
www.ojp.usdoj.gov
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page i

OCT. 07

Investigative Uses of Technology:
Devices,Tools, and Techniques

NCJ 213030
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page ii

David W. Hagy
Acting Principal Deputy Director, National Institute of Justice

This document is not intended to create, does not create, and may not be relied upon to create
any rights, substantive or procedural, enforceable by law by any party in any matter civil or criminal.
Photos used in this document are taken from public Web sites; they are in no way an endorse­
ment of the product illustrated.
Opinions or points of view expressed in this document represent a consensus of the authors
and do not necessarily reflect the official position or policies of the U.S. Department of Justice.
The products, manufacturers, and organizations discussed in this document are presented for
informational purposes only and do not constitute product approval or endorsements by the U.S.
Department of Justice.
This material should not be relied upon as legal advice. Those considering legal issues related to
the use of high-tech materials should consult with their legal counsel.
This document was prepared under Interagency Agreement #2003–IJ–R–029 between the
National Institute of Justice and the National Institute of Standards and Technology, Office of
Law Enforcement Standards.
The National Institute of Justice is a component of the Office of Justice Programs, which also
includes the Bureau of Justice Assistance; the Bureau of Justice Statistics; the Community
Capacity Development Office; the Office for Victims of Crime; the Office of Juvenile Justice
and Delinquency Prevention; and the Office of Sex Offender Sentencing, Monitoring,
Apprehending, Registering, and Tracking (SMART).
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page iii

Technology Working Group for
Investigative Uses of High Technology*
Planning panel Phillip Osborn
Senior Special Agent
James R. Doyle National Program Manager
First Group Associates Cyber Crimes Center (C3)
New York, New York Bureau of Immigration and Customs
Enforcement (ICE)
Joseph Duke U.S. Department of Homeland Security
Drive-Spies, LLC Fairfax, Virginia
Clarkston, Michigan
John Otero
Barry Grundy Lieutenant
Computer Crime Investigator/ Computer Crimes Squad
Special Agent New York Police Department
NASA Office of the Inspector General New York, New York
Office of Investigations
Computer Crimes Division David Poole
Goddard Space Flight Center Chief
Greenbelt, Maryland Information Operations and Investigations
Air Force Office of Special Investigations
Keith Hodges Andrews Air Force Base, Maryland
Senior Instructor, Legal Division
Federal Law Enforcement Training Center Michael Weil
Glynco, Georgia Huron Consulting Group
Chicago, Illinois
Dan Mares
President
Mares and Company Technology working group
Lawrenceville, Georgia members
Mark J. Menz Todd Abbott
M. J. Menz and Associates Vice President
Folsom, California Corporate Information Security
Bank of America
Robert Morgester Charlotte, North Carolina
Deputy Attorney General
State of California Department of Justice Abigail Abraham
Office of the Attorney General Assistant Attorney General
Criminal Law Division Illinois Attorney General’s Office
Sacramento, California Chicago, Illinois

David Arnett
Detective
Arizona Department of Public Safety
Phoenix, Arizona

iii
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page iv

Dave Ausdenmoore Don Flynn
Detective Attorney Advisor
Regional Electronics and Computer Department of Defense
Investigation Section Cyber Crime Center
Hamilton County Sheriff’s Office/ Linthicum, Maryland
Cincinnati Police Department
Cincinnati, Ohio G.D. Griffin
Assistant Inspector in Charge
Rick Ayers Digital Evidence Unit
National Institute of Standards and U.S. Postal Inspection Service
Technology Dulles, Virginia
Gaithersburg, Maryland
Amber Haqqani
Ken Basore Director, Digital Evidence
Director of Professional Services American Academy of Applied Forensics
Guidance Software (EnCase) Central Piedmont Community College
Reston, Virginia Charlotte, North Carolina

David Benton Dave Heslep
Chief Systems Engineer Sergeant
Home Depot Technical Assistance Section Supervisor
Atlanta, Georgia Maryland State Police
Technical Investigation Division
Walter E. Bruehs Columbia, Maryland
Forensics Examiner
Forensic Audio, Video and Imaging Chip Johnson
Analysis Unit Lieutenant
Federal Bureau of Investigation South Carolina Computer Crime Center
Quantico, Virginia Columbia, South Carolina

Carleton Bryant Nigel Jones
Staff Attorney NSLEC Centre for National High Tech
Knox County Sheriff’s Office Crime Training
Knoxville, Tennessee Wyboston Lakes Business and
Leisure Centre
Scott Christensen Bedfordshire, England
Sergeant
Computer Crimes/ICDC Unit Keith Kelly
Nebraska State Patrol Telecommunication Specialist
Omaha, Nebraska Washington, D.C.

Bill Crane Tom Kolpacki
Assistant Director Detective
National White Collar Crime Center Ann Arbor Police
Fairmont, West Virginia Livonia, Michigan

iv
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page v

Al Lewis Henry (Dick) Reeve
Special Agent General Counsel
Investigator/DE Examiner Deputy District Attorney
USSS Electronic Crimes Task Force Denver District Attorney’s Office
Chicago, Illinois Denver, Colorado

Glenn Lewis Jim Riccardi, Jr.
Computer Training Specialist Electronic Crime Specialist
Training Services CyberScience Lab
SEARCH Group, Inc National Law Enforcement and
Sacramento California Corrections Technology Center–Northeast
Rome, New York
Thomas Musheno
Forensic Examiner Richard Salgado
Forensic Audio, Video and Image Analysis Senior Counsel
Federal Bureau of Investigation Computer Crime and Intellectual
Engineering Research Facility Property Section
Quantico, Virginia U.S. Department of Justice
Washington, D.C.
Larissa O’Brien
Chief, Research and Development Chris Stippich
Information Operations and Investigations President
Air Force Office of Special Investigations Digital Intelligence, Inc.
Andrews Air Force Base, Maryland Waukesha, Wisconsin

Timothy O’Shea
Assistant U.S. Attorney Facilitators
Western District of Wisconsin Susan Ballou
Senior Litigation Counsel Program Manager for Forensic Sciences
Computer Crime and Office of Law Enforcement Standards
Telecommunications Coordinator National Institute of Standards and
Madison, Wisconsin Technology
Gaithersburg, Maryland
Thom Quinn
Program Manager Anjali R. Swienton
California Department of Justice President & CEO
Advanced Training Center SciLawForensics, Ltd.
Rancho Cordova, California Germantown, Maryland

*This information reflects each panel member’s professional affiliation during the time that the majority of the technology working
group’s work was performed.

v
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page vii

Contents
Technology Working Group for Investigative Uses of High Technology........ iii

Introduction..................................................... 1

Chapter 1. Techniques............................................. 3

Introduction.................................................. 3

Investigative assistance........................................ 3

Information gathering.......................................... 3

Digital evidence............................................... 6

Electronic communications...................................... 8

Telecommunications.......................................... 11

Video surveillance............................................ 12

Consensual monitoring........................................ 13

Tracking.................................................... 13

Practical example............................................. 14

Chapter 2. Tools and Devices...................................... 21

Introduction................................................. 21

Power concerns with battery-operated devices..................... 21

Access-control devices........................................ 22

Answering machines and voice mail systems (digital and analog)....... 24

Audio: Digital tools used to conduct examinations of audio formats..... 26

Caller ID devices............................................. 28

Cell phones................................................. 30

Computers (desktops and laptops)............................... 34

Credit card fraud devices...................................... 36

vii
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page viii

SPECIAL REPORT / OCT. 07

Customer or user cards and devices.............................. 38

Data preservation (duplicating, imaging, copying).................... 40

Detection and interception (wireless)............................. 44

Digital cameras and Web cameras............................... 46

Digital security cameras....................................... 48

Encryption tools and passphrase protection........................ 50

Facsimile (fax)............................................... 53

Global positioning system devices............................... 55

Home entertainment.......................................... 57

Internet tools................................................ 59

Internet tools to identify users and Internet connections (investigative).. 61

Keystroke monitoring......................................... 68

Mass media copiers and duplicators.............................. 73

Pagers..................................................... 74

Pens and traps............................................... 76

Personal digital assistants...................................... 77

Removable storage media and players............................ 80

Sniffers.................................................... 84

Steganography.............................................. 86

Vehicle black boxes and navigation systems........................ 87

Video and digital image analysis tools............................. 89

Voice recorder (digital)......................................... 91

viii
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page ix

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

Chapter 3. Legal Issues for the Use of High Technology.................. 93

Introduction................................................. 93

Constitutional issues.......................................... 93

Searches and seizures pursuant to warrants........................ 94

Warrantless searches......................................... 96

Statutes that affect the seizure and search of electronic evidence....... 98

Appendix A. Glossary........................................... 107

Appendix B. Technical Resources List............................... 117

Appendix C. Hacked Devices..................................... 131

Appendix D. Disclosure Rules of ECPA.............................. 135

Appendix E. Sample Forms....................................... 137

Appendix F. References.......................................... 151

Appendix G. List of Reviewing Organizations......................... 153

Index........................................................ 155

ix
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 1

Introduction
This special report is intended to be a resource to any law enforcement personnel (inves­
tigators, first responders, detectives, prosecutors, etc.) who may have limited or no
experience with technology-related crimes or with the tools and techniques available to
investigate those crimes. It is not all inclusive. Rather, it deals with the most common
techniques, devices, and tools encountered.

Technology is advancing at such a rapid rate that the information in this special report
must be examined in the context of current technology and practices adjusted as appro­
priate. It is recognized that all investigations are unique and the judgment of investigators
should be given deference in the implementation of this special report. Circumstances of
individual cases and Federal, State, and local laws/rules may require actions other than
those described in this special report.

When dealing with technology, these general forensic and procedural principles should
be applied:

Actions taken to secure and collect evidence should not change that evidence.

Activity relating to the seizure, examination, storage, or transfer of electronic evidence
should be fully documented, preserved, and available for review.

Specialized training may be required for the examination of many of the devices
described in this special report. Appropriate personnel should be consulted prior to
conducting any examination. For more information on the seizure or examination of
electronic evidence, see the other special reports in this series: Electronic Crime
Scene Investigation: A Guide for First Responders (www.ojp.usdoj.gov/nij/pubs-sum/
187736.htm); Forensic Examination of Digital Evidence: A Guide for Law Enforcement
(www.ojp.usdoj.gov/nij/pubs-sum/199408.htm); Digital Evidence in the Courtroom: A
Guide for Law Enforcement and Prosecutors (www.ojp.usdoj.gov/nij/pubs-sum/
211314.htm); and Investigations Involving the Internet and Computer Networks
(www.ojp.usdoj.gov/nij/pubs-sum/210798.htm).

Note: All Web links mentioned in this document were active as of the date of
publication.

1
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 3

Chapter 1. Techniques

Note:Terms that are defined in the glossary (Appendix A) appear in bold italics on
their first appearance in the body of the report.

Introduction
This chapter describes a variety of techniques and resources that may help in investiga­
tions. The first few pages discuss traditional investigative techniques as they relate to
advanced technology, and the following sections provide an awareness of technologies
that may affect the investigation.

Law enforcement officers should not be overwhelmed by technology. The presence or
availability of technology may enhance the investigation or provide information that may
not otherwise be available to the investigator. Although technology can provide signifi­
cant information, investigators should remember that technology does not replace tradi­
tional investigative techniques.

Investigative assistance
Due to the nature of technology, particularly in crimes committed on the Internet, criminal
behavior often occurs across jurisdictional boundaries. It is important, therefore, for law
enforcement officers to collaborate with other agencies at the Federal, State, and local
levels to successfully investigate these types of crimes and apprehend the offenders.

Officers using technology in investigations should also be aware that Federal, State, and
local agencies and professional organizations can provide training and technical and
investigative assistance. See Appendix B, Technical Resources List, for more information.

Information gathering
Information of investigative value can be collected from a variety of sources including
people, places, and things (see chapter 2). The information can be collected through
interviews, crime scene and location searches, publicly available information, law
enforcement databases, and legal process.

3
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 4

SPECIAL REPORT / OCT. 07

Interviews
While conducting interviews, it is important to determine the victim’s, suspect’s, or
witness’s skill level as it relates to technology. The answers to the following questions
can affect the investigative plan:

What technology (e.g., digital camera, pager, cell phone, computer, personal digital
assistant (PDA)) did the parties involved have knowledge of, use of, or access to, and
at what locations?

What is the skill level of the user?

What is the security of the device?

— Physical security (e.g., located in a locked facility).

— Data security (e.g., passphrase protection, firewall).

Who is the owner of the equipment?

What accounts, logins, and passwords are on the device or system?

What logs are available (e.g., physical or electronic)?

What is the frequency of use (e.g., hardware, software, device, Internet)?

How was the device used (e.g., communication device, data storage device)?

Is there offsite storage? If so, where (physical storage, e.g., backup tapes or disks
and/or Internet or remote data storage)?

Was information transmitted to or shared with other recipients? If so, how (e.g., online,
telephone, personal) and to whom?

What services or service providers are used?

Who is the system administrator? Who else may have administrative privileges?

Is there remote access to the devices or computer systems?

Is the system patched and up to date?

For additional computer- or Internet-related interview questions, consult a technical
expert.

Crime scene and location searches
Whether responding to a crime scene or preparing to execute a search warrant, a consid­
eration in the search process is identifying the possible location(s) of information with
investigative value. The physical location of the devices or subjects may not necessarily
correspond to the location of the data. Information may be found in various locations or
may be associated with various devices. In conducting the search, the investigator may
want to consider the following:

4
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 5

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

Work, personal, or public access devices or systems involved (e.g., work computer,
Internet café, library).

Computer equipment (e.g., computer, PDA, printer, media, webcam).

Computer accessories such as cradles, charging devices, batteries, or a notebook
computer bag with no computer may indicate the existence of the corresponding sup­
ported device.

Storage media (e.g., memory cards, ThumbDrives®).

Consumer electronics and accessories (e.g., answering machines, cell phones, pagers,
fax/scanner/copier machines, digital cameras, caller ID boxes).

The presence of Internet or network connectivity (e.g., phone, digital subscriber line
(DSL), and cable modems; hubs, routers, and wireless devices).

Documents or notes containing access information (e.g., user names, passwords) or
other evidence.

Books, manuals, warranty info, and software boxes (indicating potential presence of
corresponding devices or software).

Dumpster diving, trash runs, or recovering abandoned property.

Bills related to the purchase of products or services.

Presence of commercial video equipment (e.g., automated teller machines (ATMs)) at
or adjacent to the crime scene.

Alarm or access-control systems.

Vehicles—presence of OnStar®, black box, global positioning system(GPS),
LoJack®, EZPassSM, or related items.

Note: For information on preservation, collection, and transport of digital evidence,
see the digital evidence section in this chapter.

Publicly available information
Information may be obtained from the following sources:

Publicly available government records.

Internet searches (e.g., search engines, Web sites, newsgroups, discussion groups,
chat rooms).

5
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 6

SPECIAL REPORT / OCT. 07

Internet registries (see chapter 2, section on Internet tools to identify users and
Internet connections (investigative), overview).

Commercially available databases of personal and corporate records (e.g., AutoTrak,
LexisNexis®, ChoicePoint®, credit bureaus).

Law enforcement databases
In addition to traditional law enforcement resources, several Government-funded databas­
es are available, such as the following:

Consumer Sentinel (www.FTC.gov).

Internet Crime Complaint Center (www.IC3.gov).

Financial Crimes Enforcement Network (http://FINCEN.gov).

National Center for Missing & Exploited Children (www.NCMEC.org).

Legal process
Legal process may be required to compel the production of certain types of records.
State law may impose additional statutory requirements in various forms of compulsory
legal process. Types of process are discussed in more detail in Chapter 3, Legal Issues.

Encryption
Encryption may be used to protect or hide important or incriminating data or communi­
cations. (See chapter 2, section on encryption tools and passphrase protection.) The best
methods for obtaining passwords to decrypt this data are interviews and crime scene
searches. With the number of passwords that users are required to remember, a possibility
exists that passwords may be stored on paper or other electronic devices.

Digital evidence
Volatility of digital evidence
Digital data are stored in various forms (e.g., random access memory (RAM), read only
memory (ROM), hard drives, and other magnetic or optical media) and are subject to
inadvertent alteration, degradation, or loss. Almost any activity performed on a device,
whether inadvertent or intentional (e.g., powering up or shutting down), can alter or
destroy potential evidence. In addition, loss of battery power in portable devices,
changes in magnetic fields, exposure to light, extremes in temperature, and even rough
handling can cause loss of data. Due to these factors, steps should be taken in a timely
manner to preserve data.

Special precautions should be taken when documenting, collecting, preserving, and
examining digital evidence. Failure to do so may render it unusable, result in an inaccu­
rate conclusion, or affect its admissibility or persuasiveness. Consult a trained professional

6
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 7

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

if any questions arise about handling specific digital devices or media. Activities that
should be avoided include the following:

Putting a Post-it® note (adhesive material) on the surface of a CD or floppy disk.

Using permanent markers to label CDs.

Placing magnetic media close to strong magnetic fields (e.g., radio equipment in car
trunks, electric motors, computer monitors).

Placing magnetic media in high-temperature environments.

Exposing optical media (e.g., CD-ROMs) to light or high-temperature environments.

Exposing media to static electricity (e.g., transporting or storing media in plastic bags,
photocopying).

Rough handling of a seemingly sturdy container (e.g., hard drives, laptop computers).

Wireless devices in use by law enforcement should be disabled prior to entering
a search site to avoid communicating (pairing) with subject devices.

Subjects may boobytrap electronic devices to cause data loss or personal injury.
Explosive devices have been placed inside computer cases and set to detonate when the
on/off switch is pressed.

Many electronic devices contain memory that requires continuous power (such as
a battery or AC power) to maintain information. Data can be easily lost by unplugging the
power source or allowing the battery to discharge. To avoid this, place the device in its
charger or immediately replace the batteries. If custody of the device is transferred,
receiving personnel must be alerted to the power requirements of the device.

Importance of digital evidence
Data and records obtained from digital media and Internet usage can yield significant
investigative leads. Digital information should be handled in a manner that includes a fully
documented chain of custody initiated at the point of seizure. Analysis of digital evidence
should be performed on a forensic duplicate by trained personnel while maintaining the
integrity of the original evidence. Federal, State, and local agencies; government
resources; private entities; or academic institutions may have capabilities that can assist
with the analysis of the following:

Computer forensic examinations. A discussion of computer forensic capabilities can be
found in Forensic Examination of Digital Evidence: A Guide for Law Enforcement
(www.ojp.usdoj.gov/nij/pubs-sum/199408.htm). An examination of electronic media
can reveal the following:

7
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 8

SPECIAL REPORT / OCT. 07

— Registered ownership and software registration information.

— Journals, diaries, and logs.

— Databases, spreadsheets, pictures, and documents.

— Deleted and hidden files.

— Internet activity.

— Communications-user input (e.g., e-mail, chat logs).

— Communications-data transfers (e.g., peer to peer (P2P), newsgroups)

— Financial records.

— Data to be used in a timeline analysis.

— Contraband.

Audio analysis. Audio recordings obtained by law enforcement may contain ambient
noise that interferes with interpretation. Technology exists to analyze and improve the
quality of the recordings.

Video analysis. Video recordings obtained by law enforcement are often surveillance
tapes, which are multiplexed (multiple or split-screen views), proprietary in format, will
need to be viewed on a specific platform, or are of poor quality. Technology exists to
analyze and improve the quality of the recorded images. The technology may be avail­
able from the manufacturer or end user of the video equipment.

Picture analysis. Technology exists to analyze and improve the quality of still images.
The technology may be available from the manufacturer or end user of the equipment.

Electronic communications
Electronic communications (e.g., e-mail, text messaging, picture messaging) may be
available from Internet service providers (ISPs), pager companies, cellular or wireless
phone service providers, public access (e.g., wireless hotspots, Internet cafes, public
libraries, academic institutions), and suspect or victim computers.

E-mail
E-mail can be the starting point or a key element in many investigations. It is the elec­
tronic equivalent of a letter or a memo and may include attachments or enclosures.
E-mail can provide many investigative leads, including the following:

Possible point of origin, which can lead to the suspect’s location.

Identification of the account, which can lead to the suspect.

8
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 9

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

— Investigators can proactively communicate with a suspect to gather identifying infor­
mation (e.g., an e-mail can be sent to communicate with a suspect and ultimately to
establish identity).

Transactional information related to the Internet connection.

Direct evidence of the crime (e.g., the content of communications between suspect
and victim may be contained in an e-mail).

For investigative purposes, the complete e-mail header information may be needed for
optimum results. For additional information see Investigations Involving the Internet and
Computer Networks (www.ojp.usdoj.gov/nij/pubs-sum/210798.htm).

Refer to Chapter 3, Legal Issues, for the legal process required to obtain this
information.

Online chat and messaging
Electronic communication services allow people to communicate in real time using a
variety of applications (e.g., Internet relay chat (IRC), instant messaging (IM), AOL
Instant MessengerTM, Windows Messenger, ICQ). These communications may involve
text, voice, video, and file transfers and may reveal the following:

Possible point of origin, which could lead to the suspect’s location.

Identification of the suspect through a screen name.

Transactional information related to the Internet connection.

Direct evidence of the crime (e.g., the content of communications between suspect
and victim may be contained in an online chat).

Identifying information about the suspect (by using online chat programs to proactively
communicate with a suspect).

Refer to Chapter 3, Legal Issues, for the legal process required to obtain this
information.

Proactive undercover operations
The Internet may be used to facilitate undercover operations such as the investigation
of child exploitation and the trafficking of contraband.

Specialized training and legal counsel may be required to engage in these operations.
Various Federal and State organizations can provide guidance or assistance.

9
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 10

SPECIAL REPORT / OCT. 07

Note: Law enforcement must take special precautions when using the Internet in an
undercover role. E-mails and chat activity contain encoded information that can reveal
the identity of the sender or the computer the sender used. Visiting a Web site may
leave behind this same coded information revealing who (or what computer) visited
the Web site. Computers and identities used in undercover operations should not be
attributable to an agency network or individual.

Web site records (e.g., FedEx®, PayPal®)
Web sites often track the Internet Protocol (IP) address, time, date of access of the
user, and other information. For example, PayPal® and FedEx® have transaction records
related to the sale and purchase of a product or service. Investigators should request
these records be preserved or obtain these records in a timely manner because they
may only be maintained for a short period of time.

Refer to Chapter 3, Legal Issues, for further information.

Service provider records
Account records may be maintained for a limited amount of time or not at all. Therefore,
a law enforcement investigator may compel that the records be preserved pursuant to
18 U.S.C. § 2703(f). With proper legal process and sufficient information (e.g., username
or IP address and date/time), the service provider may be able to provide the following
information:

Subscriber information (e.g., name and address).

Method of payment and billing information.

Transactional data (connection log, e.g., location, time, caller ID of dial-in location, and
duration of connection to the Internet).

Content of communications.

Miscellaneous (e.g., additional screen names on account, buddy lists, e-mail
forwarding).

Refer to Chapter 3, Legal Issues, for the legal process required to obtain this
information.

Voice over Internet Protocol
Voice over Internet Protocol (Voice over IP/VoIP) allows computer users to make tele­
phone calls over the Internet or computer networks. Communications providers that

10
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 11

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

offer VoIP may maintain subscriber information and transactional information concerning
these connections. This information may be obtained using the same legal process used
to obtain information from an ISP, but the nonconsensual real-time interception of the
content of these communications may require a wiretap order.

Refer to Chapter 3, Legal Issues, for the legal process required to obtain this
information.

Telecommunications
Public telephone networks provide telecommunication services through a variety
of computer and consumer electronic devices like PDAs, cell phones, and others.
Investigators and telecommunications companies are guided by the authority and
constraints of Title III and the Communications Assistance for Law Enforcement
Act of 1994 (CALEA).

Specific orders for the production of the following types of information are
addressed in Chapter 3, Legal Issues.

Cell tower data (cell site data)
Cellular telephone tower data are available to law enforcement and may provide valuable
information regarding the specific location of the phone of a particular subscriber being
investigated. These records are stored with the provider of phone service and generally
exist through one billing cycle.

Portable communications devices
These devices (e.g., wireless phones, PDAs, pagers) can store address books, phone
lists, e-mail addresses, message content, pictures, audio files, most recent incoming and
outgoing calls, and appointment books and journals, and can perform almost any other
function found on a home computer.

Data contained on these devices may be volatile because of battery life. Adequate pro­
tective steps must be taken to ensure preservation of potential evidence. See chapter 2,
section on power concerns with battery-operated devices, for additional information, or
immediately contact personnel trained in the seizure and analysis of this type of digital
evidence for assistance.

Answering machines, answering services, and voice mail
Answering machines, answering services, and voice mail can provide valuable informa­
tion (see chapter 2, section on answering machines and voice mail systems, for more
information). The legal procedure for obtaining the data from these sources differs
depending on the location of the information and the people who have access to it.

11
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 12

SPECIAL REPORT / OCT. 07

Refer to Chapter 3, Legal Issues, for the legal process required to obtain this
information.

Video surveillance
With the proliferation of video surveillance systems, it is increasingly likely that public
conduct will be captured on video. Video security systems have been put in place by
businesses, government entities, and private citizens. To discover these systems, law
enforcement officers should carefully look for cameras and inquire of the businesses if
they have surveillance equipment.

Security and traffic cameras
Cameras can be found in airports, convenience stores, public roadways and intersec­
tions, businesses, bus and rail depots, banks, ATMs, etc. These camera systems may
capture activity inside and outside the area where they are located. As with other elec­
tronic evidence, the tapes or recordings should be obtained as soon as possible to
ensure that the data are not overwritten or destroyed. The information that can be
obtained from these cameras includes the following:

Presence of subjects.

Vehicle or license plate information.

Support of witness or suspect statements.

Timeline of events.

Commission of the crime.

Subject activities.

Note: Video surveillance recordings are often of poor quality, multiplexed (multiple or
split-screen views), or may be recorded in a proprietary format requiring a special plat­
form for viewing. Investigators should take the appropriate steps to be able to view the
data at a later time.

Law enforcement use of cameras
Cameras can be placed in public areas to deter criminal activity and to capture or monitor
illegal activity. With legal authority, cameras can be placed in locations where there is a
reasonable expectation of privacy.

12
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 13

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

Criminals’ use of cameras
Criminals use cameras for three purposes:

Conducting illegal activities, such as recording child pornography or videotaping people
where they have a reasonable expectation of privacy.

Conducting surveillance and countersurveillance. Criminals may employ surveillance
techniques against law enforcement, including audio and video surveillance and alarm
systems. Law enforcement should be aware of this potential threat when conducting
investigations.

Recording criminal acts. Criminals often pose with weapons and drugs and record their
criminal activity, such as rapes or murders.

Consensual monitoring
Consensual monitoring is the monitoring of wire, oral, or electronic communication with
the knowledge and consent of at least one involved party. Some States, however, are
more restrictive in that they require the consent of all parties to the communication.
Intercepts that may be considered consensual monitoring in some States may require
legal process elsewhere. Consult with a prosecutor in the relevant jurisdiction for guidance.
Examples of wire, oral, and electronic communications that may involve consensual mon­
itoring include the following:

Telephone conversations—wire.

Personal communications—oral (e.g., parabolic microphones, body wires).

Computer communications—electronic (e.g., keystroke monitoring, sniffer output).

— To monitor computer communications, consent may be implied through the use of
written user agreements or through legally sufficient banners that inform the users
that their activities are being monitored.

Tracking
Tracking systems provide law enforcement the ability to track the movement or identify
the location of persons or objects. A search warrant or a court order may be required.
Consult with your local prosecutor for specific guidance on this issue. Examples of track­
ing systems include the following:

GPS. (See chapter 2, section on GPS devices, for more information.) GPS satellites can
establish the location of the item being tracked. Once the location is established, this
information may be transferred to the law enforcement officer via radio frequency or
cellular frequencies, or the position may simply be logged within the device. Real-time
tracking is possible with some devices. Generally, the positions are integrated with a
software system that displays the track on a map.

13
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 14

SPECIAL REPORT / OCT. 07

Directional find (DF)/radio frequency (RF). Radio transmitters can be placed on or in
packages, persons, or vehicles, which can then be tracked in real time using direction-
finding receivers (e.g., LoJack®, BirdDog®).

Commercially available vehicle tracking systems. Some consumer products have
tracking devices built into them by the manufacturer. These devices are especially
prevalent in vehicles (e.g., vehicle black box, OnStar®). These devices may record
speed, location, or brake usage. They may also provide direct communication with
persons in the vehicle.

Some States provide electronic devices that allow passage through tolls. These
systems capture the date and time of toll passage (e.g., EZPassSM, Telco).

Access-control systems. (See chapter 2, section on access-control devices, for more
information). Access-control systems allow entry into secure areas and track employee
movements. These systems can record date and time of entry and user information.
These systems include key cards, retinal scanners, fingerprint scanners, voice recognition
systems, and similar items.

Credit or membership cards. Use of these cards creates a record, which may provide
information related to the geographic location and travel history for the use of the card
(e.g., hotel, gas, airline), as well as date/time/location of the item purchased.

Throughout this publication, scenarios may be provided to illustrate the uses of specific
devices or techniques.

Practical example

Note:This scenario is presented as an example, not as the only way to conduct an
investigation.

On March 15, your agency or department is contacted by a local power station whose
management advises that it has discovered child pornography images on one of the com­
puters in its control room. You respond to the station and discover that it is located in a
large office building and that the computer in question is located in an unsecured open
office area accessible to all employees (approximately 300), but assigned to the exclusive
use of 8 accounting employees. Company management copied the 60 suspected child
pornography images to floppy disks and turns them over to you. Unfortunately, manage­
ment reformatted the computer’s hard drive prior to your arrival in an effort to permanently
remove the offending material and placed the computer back in service.

14
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 15

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

The investigation:
1. Evidence preservation

The floppy disks containing the child pornography images are secured and write protect­
ed, and the chain of custody is documented. Evidence that may identify the individual
responsible for the images, as well as additional evidence of criminal activity, could be
located in different areas of the hard drive. You know that reformatting the computer’s
hard drive will not necessarily destroy potential evidence, but continued use of the com­
puter might. In this case, management signs a consent form to search the computer.
Without consent, exigent circumstances, such as potential loss of evidence through the
continued use of the computer, would have allowed you to seize the computer and apply
for a search warrant.

Key points to consider:

Volatility of data if not seized.

Consent versus search warrant.

Chain of custody.

2. Interviewing

You conduct interviews with station management to collect information as to the who,
what, when, where, how, and why of the incident. Management advises you that one of
the employees (Dave Jones) discovered the child pornography in a download directory on
the computer while conducting some Internet research using Acme Online. Jones imme­
diately reported his discovery to management. Management advises you that the station
maintains an Acme Online account for research purposes and that only two employees
had access to the account. One of the employees is Jones, the other is a lineman named
Mike Smith. Management tells you that they believe that Smith is responsible for the
child pornography because of several incidents within the past year involving Smith and
his obvious preoccupation with children. This preoccupation involved Smith’s operation of
a child talent agency as a side business and a previous arrest for public sexual miscon­
duct involving a minor that management only recently discovered. Smith was fired just
days before the discovery of the child pornography. Management advises that the screen
names associated with the Acme Online account are DaveyJ123 (Jones), and MikeyS123
(Smith).

Investigative steps:

Ask station management to preserve the access logs to the building and the station’s
computer network.

Issue preservation letter to Acme Online.

— Determine retention policies of the ISP.

Determine whether network storage or backup data exist for involved systems
(e.g., tapes, etc.) and, if so, request their preservation or consider seizing them.

15
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 16

SPECIAL REPORT / OCT. 07

Obtain consent or other legal process for Acme Online and the station’s records.

Obtain the station’s computer use policy document.

— Do they have one?

— Is there documentation that the subject had knowledge of the policy?

Determine whether there are other devices to which the suspect may have had
access.

Determine whether management disabled his access to the Acme account.

3. Computer forensics

A forensic examination of the floppy disks and of the computer’s hard drive reveals child
pornography images. Analysis of the child pornography files indicates that they were
downloaded to the computer on three consecutive days: January 1, 2, and 3, and
between 3 a.m. and 5:30 a.m. on all 3 days.

Key point to consider:

Processing of the evidence should be done by a trained forensic examiner.

4. Records collection

The station building security office advises that employees have individually assigned
passkey cards for building access. You request the building access records for the period
of December 31 through January 4.

You also request telephone billing records from station management for the telephone
line attached to the suspect computer for the same time period.

You obtain appropriate legal process for the production of Acme Online account records
associated with the Acme Online account.

You request and obtain work schedule records for the station employees.

Key points to consider:

Inquire regarding video surveillance at the station to establish suspect’s use of
assigned key card.

Inquire whether any duplicate access cards have been issued.

5. Records analysis

The station building access records indicate that Smith’s access card was the only access
card used to enter and exit the building during the 3 a.m. to 5:30 a.m. timeframe on each
of the nights the files were downloaded. Analysis of employee timesheets and schedules
indicate that Smith was scheduled and worked a 9 a.m. to 5 p.m. day shift during the
same period.

16
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 17

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

Telephone billing records for the phone line attached to the computer indicate connec­
tions to a local Acme Online access number during the 3 a.m. to 5:30 a.m. time period
in question.

Acme Online records indicate that the MikeyS123 account was active on each of the
three nights in question and at the times associated with the child pornography file
downloads.

6. Investigation and search warrants

Smith’s Department of Motor Vehicles records and employee records identify his resi­
dence address.

Trash runs (dumpster diving) conducted on Smith’s residence reveal fragments of broken
floppy disks, empty floppy disk boxes, and several computer software manuals.

Analysis of records obtained from Acme Online pursuant to a search warrant discloses
child pornography e-mail attachments associated with the MikeyS123 screen name. No
child pornography is associated with the reporting source’s screen name of DaveyJ123.
Further analysis finds that some of the e-mail from the MikeyS123 account details an
ongoing communication with another Acme Online subscriber named TonyGTTT123. In
these communications MikeyS123 was found to be trading child pornography graphics
with this other subscriber and identified himself as Mike Smith of Virginia. MikeyS123
even provided a cellular telephone number in one communication for further contact.
Telephone subscriber records verify that this number had belonged to Smith, the station
employee.

Based on your investigation, you request and obtain a search warrant for Smith’s apart­
ment to search for computer and child pornography evidence. On execution of the war­
rant, however, you discover that Smith has fled the area.

Key points to consider:

Note that the MikeyS123 account was established through the employer’s Acme
Online account.

Expand the child pornography investigation to include TonyGTTT123 and to identify any
other accounts that Smith is using to communicate with TonyGTTT123.

Aspects of the investigation may lead to outside jurisdiction. Investigators may have to
contact appropriate law enforcement agencies for assistance.

Obtain appropriate cellular records that may lead to Smith’s location.

7. E-mail pen/trap and trace

Apply for an e-mail trap and trace on the Acme Online account for the subscriber
TonyGTTT123. Analysis of the e-mail addresses of the subscriber’s sent and received
e-mail reveals ongoing communications with several individuals.

A search of the Acme Online membership directory identifies the profiles of the Acme
Online subscribers communicating with TonyGTTT123. One member is identified as

17
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 18

SPECIAL REPORT / OCT. 07

using the screen name of LittleMS123 whose profile lists the user’s name as Mike
Smith, photographer and owner of a child talent agency in the Anytown, USA, area.

Records obtained pursuant to additional legal process issued to Acme Online for the
account associated with LittleMS123 reflect that an account has been established in the
name of Mike Smith. The account was established using a credit card associated with
the mother of the suspect. Access records from Acme Online indicate that this account
regularly uses a local Acme Online dial-up access number in the Anytown, USA, area.

Key points to consider:

Records relating to the dial-up access number may reveal a possible location for Smith.

Be aware that counterfeit, stolen, or fraudulent identification may be used to create
user accounts.

Be aware that multiple users may use the same account with different screen names
and may use the account from different locations.

8. Undercover activity

To locate the suspect, you use an undercover Acme Online account through a local
Internet Crimes Against Children (ICAC) Task Force. You make regular undercover
access to Acme Online over several days. Searches for the LittleMS123 screen name
eventually locate the suspect in a chat room in the Anytown, USA, area. Engaging the
suspect in an online conversation, you convince the suspect that you will be traveling
to the Anytown, USA, area soon, and you request and receive his telephone number to
arrange a meeting on your arrival. During these online chats with the suspect, which are
all properly logged and memorialized, the suspect indicates a preference for children and
transmits several pornographic images to you of children engaged in sexual activities.

Key points to consider:

Be sure to use a covert account for undercover activities (i.e., communications should
not be traceable to a home or agency computer).

Specialized training may be required to document undercover or online activities
properly.

Agency and legal authorization may be needed for conducting undercover activity.

9. The apprehension

Records obtained through legal process served on the telephone company for the dial-up
access identify an address in the Anytown, USA, area. Physical surveillance of the
address identifies Smith’s car parked in the driveway. An application for a search warrant
is made for the address and is ordered by the court. Sought in the search warrant are the
child pornography files received from the suspect during your online communications,
the child pornography from the station computer, and all records containing communica­
tion with, for, or about children. The warrant also includes the authority to search for,

18
01-Chap 1 InvestigTech 10/10/07 12:41 PM Page 19

INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

seize, and examine any computer or other data storage devices and media that could
contain child pornography evidence or other records.

During the execution of the search warrant, Smith is located in the residence. In addition,
several computers with attached modems, two digital still cameras, a digital camcorder,
several audio cassettes, an analog answering machine, a cellular phone, several analog
video cassettes, and several hundred laserjet prints of child pornography images are
seized. Several of the printed images appear to be identical to the images from the
station computer.

You arrest Smith and read him the Miranda warnings. He waives his rights and agrees to
answer questions. Smith provides you his password and states that he is the sole user
of this account. You send a preservation request to Acme Online for Smith’s account and
apply for a warrant a few days later.

Key points to consider:

Review Chapter 3, Legal Issues, for additional information.

10. Postarrest investigation

During booking, Smith is found to be wearing a watch that is capable of storing data,
including photographs. Analysis of this watch and Smith’s digital camera reveal images of
children engaged in sexual acts. Enhancement of the images is done to produce identifi­
able images of the victims’ faces.

Analysis of the answering machines and audio cassette tapes reveals the recorded voices
of several adults arranging a photo session for their children with Smith involving his talent
agency business. Telephone numbers recovered from Smith’s cell phone are traced. This
contact information eventually leads to the identification of some of the children depicted
in the photos recovered from Smith’s camera.

Forensic analysis of the computers seized identify numerous child pornography files, as
well as evidence that these files were printed on Smith’s laser printer.

Key points to consider:

Preservation order to cell phone provider for stored voice mail and subscriber
information.

A warrant may be necessary to access the data stored in the watch.

Similar to the watch, a variety of small wearable devices are capable of storing data.
See Chapter 2, Tools and Devices, for more information.

19
Chapter 2. Tools and Devices

Introduction
This chapter is designed to provide a general description of the technology-related tools
and devices that either may be encountered in an investigation or may assist in the iden­
tification and examination of electronic evidence. For ease of use, tools and devices are
arranged alphabetically. An overview of their function and usefulness is provided, and
other special investigative considerations are discussed. Where applicable, this chapter
describes how persons use these devices to facilitate the commission of crimes. The
reader is encouraged to think creatively about a device and consider all possible inves­
tigative uses and forms a device may take.

Because devices can be multifunctional, investigators should ensure that all relevant
devices and storage media are collected. For example, as explained in this chapter, some
watches have data storage capability (see section on removable storage media and
players), and some cell phones can perform camera functions (see section on cell
phones). As more functions converge into a single device, investigators should be aware
that relevant information can be stored in seemingly mundane or commonplace objects
or devices.

Devices can also be modified to perform functions beyond those intended by the manu­
facturer. For example, the Microsoft Xbox® is designed to play video games but can be
altered to store data and can be modified to be a fully functional computer. In other
cases, devices are physically altered to perform functions completely different from their
original purpose. For example, cellular phones, pagers, and pens have been altered to be
firearms; narcotics have been stored in hollowed-out personal digital assistant (PDA)
styli. The investigator should be aware of the surroundings of the device to gain clues as
to the likelihood that it has been altered. (See Appendix C, Hacked Devices.)

Power concerns with battery-operated devices

Many electronic devices contain memory that requires continuous power (such as
a battery or AC power) to maintain information. Data can be easily lost by unplugging the
power source or allowing the battery to discharge. To avoid this, place the device in its
charger or immediately replace the batteries. If custody of the device is transferred,
receiving personnel must be alerted to the power requirements of the device.

21
 SPECIAL REPORT / OCT. 07

Some small electronic devices, such as PDAs, connect or synchronize data to more pow­
erful devices such as computers. Some of the small devices have two cords or sit in cra­
dles with two cords, one for power and one for data transfer. For some devices, one cord
both permits data transfer and provides power. It is not always possible to tell by looking
at the cord whether it allows data transfer functions, supplies power, or does both. Be
sure to determine the use and need of all cables attached to the device. Check the manu­
facturer’s Web site for standard configurations.

If the investigator seizing a device is unsure whether the connection performs both
functions, it is safer to provide power to the device by replacing the batteries, if possible.
If replacing the batteries on a timely basis is impractical, be aware of the risk that data
transfer may occur if the device is connected to another electronic device and both
devices are running. If the investigator chooses to connect two devices (or leave two
devices connected), it is critical that this is documented and that both devices and con­
nectors are seized if legally permitted. The person performing data recovery should be
notified of the investigator’s actions.

The investigator also should be aware that some devices have passwords that are acti­
vated when the PDA is powered off or goes into sleep mode. Those passwords can be
difficult to defeat.

Access-control devices

A traditional-access control device that uses
preprogrammed personal information on a card in
combination with a personal identification number
(PIN) to allow access to restricted areas.

A biometric device (fingerprint reader) that
allows access to the device to which
the mouse is attached.

Introduction
Access-control devices attempt to authenticate the identity of an individual.
Authentication is based on one or more elements of the following triad: “Something you
have, something you know, something you are.” Key fobs and smart cards are “some­
thing you have”: a physical object that establishes identity. These devices may work by
being inserted into a reader or by “proximity readers,” which detect the key fob or smart
card at a distance. Keypads require “something you know,” generally a passcode.
Biometric devices evaluate “something you are” by measuring or assessing a person-
specific physical characteristic. Biometric devices include iris or retina scanners, finger­
print scanners, face or voice recognition, gait detectors, and hand geometry detectors.

22
 INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

Value of access-control devices
Investigators can use these to do the following:

— Help establish the presence or absence of an individual at a controlled location
(as in identity theft and espionage cases).

— Monitor patterns or profiles of activity that may be malicious.

Subjects can additionally use these to do the following:

— Gain unauthorized access to a physical location.

— Create false alibis by implying that people were somewhere that they were not.

Identifying and obtaining access-control devices
Access-control devices can take the form of key fobs, keypads, smart cards, or biometric
sensing devices (e.g., those that measure fingerprints, gait, voice, and unique physical
characteristics).

Keypads and biometric devices are usually mounted on a wall or counter outside a
restricted area. They may also be mounted near the exit to a restricted area if the outlet
is controlled.

These devices can all be purchased from a variety of sources.

Although data may be stored on the device, usually data are stored on a centralized
database.

Special investigatory and other considerations
Data may be overwritten in a centralized database. Data may be remotely purged
if suspect(s) remain at large.

Key fobs or smart cards may be demagnetized.

Biometrics may be affected by physical injury or alterations (e.g., retinal patterns may
change during pregnancy).

Note that key fobs, smart cards, and passcodes can be stolen or compromised,
so a device’s records or logs may be unreliable.

Biometrics have defined failure rates and may not definitively establish the presence
or absence of an individual.

23
 SPECIAL REPORT / OCT. 07

Legal considerations
General Fourth Amendment principles apply.

Having the technical ability to use an access-control device does not always mean that
the device may be accessed without legal process.

Scenarios
1. A suspect has given an alibi claiming to have been at work when the crime was
committed. The company where the suspect works uses key card access devices. By
examining the key card log files, it is determined that the suspect was not at work as
claimed.

2. A homicide suspect offered an alibi to the police claiming to be at home during the
time of the murder. The police officers determined that the suspect had a home alarm
system. They obtained the information pertaining to the time the alarm was set and
the time it was disarmed. Those times corroborated the suspect’s alibi.

3. An adult is missing and presumed kidnapped. Examination of the bank automated
teller machine (ATM) records reveals use of the victim’s ATM card. Surveillance video
of the ATM shows the victim was alone while withdrawing the cash. Credit card trans­
actions also reveal motel stays along the same route in which the ATM transactions
were conducted.

Answering machines and voice mail systems
(digital and analog)

No tape (digital) With tape (analog)

Introduction
An answering machine records voice messages from callers when the called party is
unavailable or declines to answer a telephone call, usually plays a message from the
called party before recording a message, and often retains date and time stamp informa­
tion. An answering machine may have multiple settings, users, or voice boxes; may be
built into a telephone; or may be a separate device. Voice mail messages may also be
stored on an onsite device or located remotely at a communication service provider.

24
 INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

Value of answering machines and voice mail systems
Investigators can use these to do the following:

— Obtain actual recordings of telephone call content and date/time stamp of the
message, and determine whether the message has been listened to or not.

— Identify callers by content of incoming messages.

— Identify owners by prerecorded outgoing messages.

— Establish undercover identities.

— Covertly monitor incoming calls in threat or stalking investigations.

Subjects can additionally use these to do the following:

— Alter or erase original recordings to redirect or mislead investigators.

— Facilitate and lend credibility to criminal enterprise.

— Communicate with one another.

Identifying and obtaining answering machines and voice mail
systems
Home-based answering machines can be found at retail outlets.

Voice mail systems for businesses may be purchased from major computer and
telecommunications equipment suppliers.

Voice mail service can be acquired through telephone companies or communications
service providers.

Voice over Internet Protocol (VoIP) is a form of Internet-based telephony and can be
acquired through an Internet service provider (ISP) or another Internet-based service.
VoIP may include services similar to those found in voice mail systems.

Special investigatory and other considerations
Information can be remotely purged or altered, anyone with the password can access
the systems, and there may be automatic destruction policies.

Backed-up data may be accessible for long timeframes if an investigator is seeking
voice mail at a business.

Remove the telephone cord from a local answering machine to prevent remote
purging.

Data on answering machines may be subject to loss if the device loses power.
Consider using a tape recorder to record messages before removing power.

25
 SPECIAL REPORT / OCT. 07

Day, date, and time settings found on the device should be verified against the actual
day, date, and time.

Legal considerations
General principles regarding the Fourth Amendment apply to stored communications
on the device.

Prior to obtaining remotely stored electronic communications (e.g., voice mail stored
by a third-party provider), see Chapter 3, Legal Issues, for Electronic Communica­
tions Privacy Act (ECPA) issues.

With devices having multiple mailboxes, privacy issues related to consent may exist.
For more information on stored communications, see Chapter 3, Legal Issues.

Scenario
During a homicide investigation, the suspect offered a voice mail message with date and
time stamp as an alibi. Subsequent investigation of the company’s voice mail system
revealed that the time settings did not coincide with the actual time because the system
had not been adjusted to account for daylight savings time; therefore, the suspect’s alibi
was invalidated.

Audio: Digital tools used to conduct examinations of audio
formats
Introduction
Investigations may involve the seizure or preservation (e.g., recordings during an under­
cover investigation) of audio recordings that need to be analyzed or enhanced. This sec­
tion discusses the tools that will assist in maximizing the evidentiary value of digital or
analog recordings. These tools and devices aid in the acquisition, processing, and output
of audio information.

Value of digital tools used to conduct examinations of audio formats
Investigators may use these tools to do the following:

— Enhance a recording to:

Make it more intelligible.

Eliminate, isolate, or enhance background noise (e.g., to identify location
of the call).

— Authenticate a recording to determine:

The source or origin.

Whether a recording has been altered.

26
 INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

— Determine the time, sequence, and direction of the source of sounds on a recording.

— Convert a recording to other formats (e.g., convert analog to digital).

Subjects may additionally use these tools to do the following:

— Alter original recordings, as most of the tools considered here are inexpensive and
publicly available.

Identifying and obtaining the digital tools used to conduct
examinations of audio formats
The tools needed to examine digital audio formats depend on the types of examina­
tions that are being conducted.

Software, hardware, and professional-grade signal-processing equipment that are
commonly used in the examinations can be acquired from vendors, retail stores, or
professional recording supply houses.

Special investigatory and other considerations
Various degrees of training are needed to use these tools to conduct audio examina­
tions. A wide range of computer skill levels are needed to operate most of the hard­
ware and software used in these examinations. Advanced skills are needed to analyze
and interpret audio data.

Examiners should have the original recordings available, but where feasible, examina­
tions should be made on a copy. If work on the original is necessary, consider seeking
legal guidance prior to the examination.

Consult someone with specific expertise in this area.

Legal considerations
Software tools should have appropriate licensing agreements.

There are generally no other legal considerations provided that the recording being
examined has been lawfully acquired.

Scenario
A telephonic bomb threat to a school was recorded. An audio examination and enhance­
ment of the recording identified noises in the background that indicated the call came
from a video arcade. Another voice was identified in the background; when analyzed, the
person could be heard placing a phone order in which the arcade’s address was men­
tioned. This led investigators to the site and facilitated the apprehension of the suspect.

27
 SPECIAL REPORT / OCT. 07

Caller ID devices

Caller ID devices display the telephone
number(s) of incoming calls.

Introduction
Caller ID-enabled devices record telephone numbers and other information associated
with inbound telephone calls. Information recorded by these devices may include the
date/time stamp and the name of the registered user. Caller ID service must first be
activated by the telephone company for the information to be received. Some caller ID
devices may be programmed to block certain telephone numbers. The data stored are
generally local to the device, but some data may be stored at the service provider.
Date/time information that comes from a service provider is more likely to be accurate
than information stored on the device itself. Memory is often limited and content may be
lost with the removal of power.

The telephone number that the device records may not be the one from which the
call originated due to the use of prepaid telephone cards, trunk lines, inaccurate informa­
tion from the telephone company, etc.

Value of caller ID devices
Investigators can use these to do the following:

— Determine the date, time, and source of incoming calls (e.g., to establish or
contradict an alibi or identify coconspirators).

Subjects can additionally use these to do the following:

— Determine who is calling them, including calls from law enforcement officers,
undercover agents, and confidential informants.

— Manipulate the date, time, and other information on the caller ID device to support
false alibis.

28
 INVESTIGATIVE USES OF TECHNOLOGY: DEVICES, TOOLS, AND TECHNIQUES

Identifying and obtaining caller ID devices
External caller ID devices must be attached to a telephone line.

The caller ID function can be integrated into telephones, computers, cellular phones,
satellite television receivers, and other telecommunication devices (e.g., PDAs).

Caller ID devices are commercially available.

Special investigatory and other considerations
Consider contacting the phone company to learn about the subject’s phone service
features, including information about caller ID or use of call blocker.

Investigators should be aware that subjects may identify them through caller ID and
that call blocking on their phone may be defeated by the subject’s use of the automatic
redial feature. Check with the relevant telephone service provider for further informa­
tion. Always use an undercover phone when calling suspects.

Caller ID devices have limited capacity and only retain a certain number of incoming
numbers. The most recent calls may overwrite older calls previously stored in the
device.

Some caller ID devices may not register each inbound call as a separate number when
the same telephone number calls repeatedly. In such cases, some notation by the
number may show multiple calls.

Some dial-up ISPs include call waiting when users are connected to the Internet, which
displays the number of the incoming call. In such cases, some caller ID information
may be stored on the computer.

Some caller ID devices require a constant power supply. Data may be lost if the power
is interrupted. When seizing the device, determine whether the device has a battery.
If so, install a fresh battery prior to unplugging it.

When legal authority exists, all data stored on the device should be reviewed,
photographed, and recorded before disconnecting the power.

When calling a toll-free number (e.g., 800), caller ID blocking (*67) may not be enabled
since the recipient is paying for the call.

Legal considerations
Seizing or searching caller ID devices implicates Fourth Amendment concerns.

In lieu of using the caller ID device, law enforcement may obtain records from the
communications provider, including local and long-distance call records.

A trap and trace or pen register order is needed for future nonconsensual capture of
incoming and outgoing phone numbers. (For more information, see Chapter 3, Legal
Issues.)

29
 SPECIAL REPORT / OCT. 07

Cell phones

Integrated cell phone, PDA with e-mail, text messaging, Traditional cell phone with
Web browsing, and digital camera