Uploaded by DetachableLosAngeles1696

Tags

courtroom evidence investigative information physical evidence criminal justice

Summary

This document contains review material, likely for an exam, covering various topics, including courtroom evidence, investigative information sources, and controlled substance identification. It includes questions for the reader to consider.

Full Transcript

Lessons where Instructors did a “Review”

1121. Courtroom Evidence

1. Who decides if evidence is admissible in court?
   a. Judge
2. Who decides if a witness is honest or lying?
   a. Jury
3. With the exception of privileges, when do the Rules of Evidence apply?
   a. At trial
4. If the Defense objects to evidence, and the judge sustains, the jury sees the evidence…
   a. NEVER!
5. If the Defense does not want evidence, they can do what?
   a. File a motion to suppress
6. What amount of evidence must a defendant provide at trial?
   a. None, if they want
      i. Gov is the party who must put forth evidence against defendant
7. What type of evidence is it if a witness saw Person X do something to Person Y?
   a. Direct testimony
8. What type of evidence is it if fingerprints are found on a weapon?
   a. Circumstantial
9. At trial, what type of evidence is better, direct or circumstantial?
   a. Neither
10. What is the goal of the cross-examiner when a witness is on the stand?
   a. Impeach the witness
11. What is the process of proving evidence is the same over time?
   a. Chain of Custody
12. T/F – Chain of Custody shows that evidence is authentic and in the same condition at trial.
   a. False
13. What does Chain of Custody show?
   a. Who had it in their possession and that it is authentic.
14. Chain of Custody does NOT show what?
   a. That the evidence is in the same condition
      i. Still need an expert to testify because C.o.C does necessarily preserve evidence
15. Who sees a witness's notes at trial?
   a. Defense, not the Jury
16. What is an acceptable form of documentation evidence when the original is not provided?
   a. An accurate copy
17. What documents require a witness to testify?
   a. Un-certified documents
18. What documents can stand alone?
   a. Un-certified documents

2336. Investigative Information Sources & Financial Sources

1. “Cryptocurrency is a type of virtual currency”
2. “Bitcoin addresses will always be between 26 & 36 characters long.” “Bitcoin addresses always begin with the characters 1, 3, or bc1”
3. “Examples of hardware wallets include:
   a. Trezor
   b. Ledger”
4. “Seed phrases typically contain a list of 12 or 24 short words that must be entered in an exact order to reconstitute the wallet.”
5. “Conversion of fiat currency (gov issued currency, like U.S. dollar) to cryptocurrency, & vice versa, is often referred to as the on- / off-ramps for cryptocurrency.”
   a. On-ramping is the conversion of Fiat to Crypto
   b. Off-ramping is the conversion of Crypto to Fiat

2070. Controlled Substance Identification

1. The Tablet & Capsule Imprints Section lists Rx, OTC, & controlled drugs that have a medical use in the U.S. along w/ their numeric or alpha-numeric codes.
2. The Illicit Drug Text Literary Section has information ab. the history, manufacturing methods, street names, street prices, CSA schedule, & the effects of abused drugs.
3. What book can you find active ingredients, color, shape, dosage, & level of control of drugs w/ a medical use in the U.S.?
   a. Drug Identification Bible
4. “Asian White Heroin” can be white/tan/gray, a strong smell of vinegar, & the texture of talcum powder.
5. Cocaine Base (“crack”) is not water soluble so it can only be smoked to ‘get high’.

2194. Physical Evidence

1. Three types of evidence:
   a. Physical (Real)
   b. Testimonial (Statements)
   c. Documentary (Written)
2. Physical Evidence
   a. Characteristics:
      i. Tangible
      ii. Has form or mass
      iii. Visible or invisible
3. Interchange
   a. Locard’s Theory of Interchange
      i. “It is highly improbable that someone can enter an enviro and leave it without leaving something of themselves and or taking something of the enviro w them”
4. Class vs. Individual Characteristics
   a. Class → a quality/feature shared by all members of a certain class of objects or substances
   b. Individual → a feature, even among members of the same class, resulting from nature, accidental or chance occurrences, wear and tear, uses and abuse, which demonstrates uniqueness or individuality
5. Proper Crime/Search Scene Documentation
   a. 3 basic types =
      i. Notes
         1. Should be:
            a. In chronological order
            b. Written in ink
            c. Legible
            d. Accurate
      ii. Photographs
         1. 3 general views
            a. Overall
            b. Intermediate/Mid-Range
            c. Close-Up
         2. Then begin using scales & numbers
      iii. Sketches
         1. Rough Sketch
            a. Any changes/corrections to rough sketch must be made:
               i. @ the scene
            b. Must be identified by the:
               i. Title Block
            c. Should contain the phrase:
               i. “Not to scale”
         2. Measurements
            a. Optimal number of ppl to take measurements:
               i. 2 or more
            b. Three basic types of measurements:
               i. Triangulation
               ii. Baseline
               iii. Rectangular coordinate
6. Collecting Evidence
   a. You should always collect what evi first?
      i. Fragile
   b. Order of packaging?
      i. Document the evi
      ii. Mark evi container
      iii. Place evi inside
      iv. Seal container
   c. Should you mark the item of evi?
      i. Only if necessary or commanded by policy
      ii. In a non-critical area
7. Latent Prints*
   a. Latent prints can be found:
      i. On nearly any porous or non-porous surface (anywhere)*
8. Chain of Custody
   a. Describe:
      i. Life history of item to account for it from time of discovery until no longer needed by the courts for trials or appeals
      ii. Everyone taking possession of evi must acknowledge receipt of evi by their initials and date
9. Letter of transmittal*
   a. Informs lab of what you want done w the evi
   b. Contains a complete listing of the items submitted
   c. Includes a brief synopsis of case
   d. Specific forensic examination requisition
   e. Is sent in duplicate, one letter inside, one outside *
10. Questioned Documents
   a. How do you best determine age of document?
      i. Ink & paper (watermarks)*
   b. What were three major components of a document?
      i. Paper
      ii. Ink
      iii. Writing instruments (copier*)
   c. Can you trace a machine produced doc back to its source?
      i. Yes
         1. How?
            a. Typewriters from analysis of letter strikes
            b. Color copiers imprint from a series of dot codes on doc
            c. Trash marks over time that can be id.’d(*)
               i. Copiers, printers often produce defects
   d. What procedures should you follow when you collect a Q doc?
      i. Keep in og conditions → do not fold, crease, repair
      ii. Fill out doc container b4 inserting doc
      iii. Avoid marking doc if possible(*)
   e. If you have to mark a doc
      i. Use a marking medium diff than that on doc in non-critical place(*)
   f. Why do you mark evi container before putting doc?
      i. Protect against indented writing(*)
   g. Which type of exemplar is free from disguise?
      i. Non-request(*)
   h. What is primary advantage of request exemplars?
      i. Can more closely duplicate content of doc(*)
   i. What should you have suspect do prior to taking exemplars?
      i. Complete personal history form(*)
   j. What can affect handwriting?
      i. Age, alc/drugs, health(*)
   k. What examinations can be performed from an original?
      i. Paper & ink analysis
      ii. Indented writing
      iii. Fingerprints/DNA
      iv. Tracings
      v. (secret writing, coded, etc.)
   l. Who determines what to examine on a document, you or lab examiner?
      i. You do (*)
   m. What is correct procedure to send to lab?
      i. Send in original condition
      ii. Enclose letter of transmittal w synopsis of case & requested examinations
      iii. Enclose one letter inside & tape a copy on outside of shipping container
      iv. Send registered, return receipt (*)

3064. Introduction to Mobile Device Investigations

1. Cellular Network Technology
   a. Unique Identifiers: CDMA & GSM
      i. CDMA (Code Division Multiple Access)
         1. MEID (Mobile Equipment Identifier)
            a. 15 alphanumeric identifier
      ii. GSM (Global System for Mobile Communications)
         1. IMEI (International Mobile Equipment Identity)
            a. 15 or 17 digits
            b. Identifies device
2. SIM (Subscriber Identity Module) Cards
   a. Unique Identifier: Physical microchip that connects a device to a cellular network
   b. ICCID (Integrated Circuit Card Identifier)
      i. Is the unique identifier for a SIM card that authenticates the device & connects it to a network
      ii. 19-20 digit serial #, printed on SIM card
3. Logical Extraction
   a. Most widely supported*** (unlike manual & physical)
   b. Uses device’s backup feature from device’s operating system
   c. Limited
4. Best Practices of Mobile Device seizure:
   a. Legal Authority
   b. On is On
   c. Off is Off
   d. CDR’s (send off pres (?) record)
5. Faraday Bag vs. Airplane Mode
   Lab Environment = Faraday Bags/Boxes, Assess wireless network risks, & Airplane mode if others not avail
   Field Environment = Assess wireless network & GPS risks, Airplane Mode
6. External Storage Devices
   a. Treat as digital evidence
   b. Give to Forensic Lab
      i. SD Cards → treat as a different piece of evi from device itself
      ii. USB Drives → *same as above
      iii. Lightning Drives → can be used to remove files from iOS devices
7. Software Interaction (Cable + USB Port)
   a. What about it?
      i. Cable → Device via COM port, USB*, or Bluetooth adapter for data extraction
      ii. “Trust” F(x) for iOS, Toggle Program for Android

1. Integrated Phone Capabilities:
   a. Call Logs
   b. Contacts
   c. Messages
   d. Email
   e. Personal Calendars/Appointments
   f. Documents/Audio/Video/Image Files
   g. Memos/Notes
   h. Internet Browser History
   i. Location Data
   j. Metadata
2. Analysis & Reporting
   a. Analytical Software Graphical User Interface (tables, data columns, data tabs)
   b. Keyword Searches (table + fill extraction)
   c. Filtering (file size, time/date, file type)
   d. Generating Extraction Report
   e. Proper Documentation for Seizure & Data Extraction (Cellebrite)

3579. Conducting Investigations in the Cyber Environment

(3) Vulnerabilities:
1. Computer Systems
2. Computer Files
3. Data Flow
   a. Wireless Networks***
      (1) Change service set identifier (SSID) & default router name
      (2) Change router login name & password
      (3) Invoke encryption (WPA2-PSK)

Mitigating Danger
1. Identify Danger & Act Immediately
   (a) disconnect from internet
   (b) run virus scan
   (c) run anti-spyware
2. Common Operational Security
   a. Principles
      - Awareness of your digital profile or cyber footprint
      - Common sense approach to personal/professional online safety & security
   b. Goal of Digital Officer Safety
      - reduce personal/professional operational risks associated w/ online activity
   c. Unsolicited: do not respond, never respond to unsolicited emails, do not unsubscribe
   d. Don't use work related and home stuff interchangeably
   Traditional threats → virus, P2P
   Reputable sites (Commercial, shareware, freeware)
   Not Kaspersky → reputable anti-virus programs
3. Wireless Networks
   a. 3 Rules
      i. △ SSID & default router name
      ii. △ Router login name & password
      iii. Invoke encryption (WPA2-PSK)

Social Networks & Online Gaming for Crim Activity:
1. Find targets
2. Spread Malware
3. Cyber Bully
4. Communicate/Create environments to meet and share content in a secure manner* i.e. for child exploitation
5. Glamorize organization, Recruit Members, & Direct Mvmts
   a. Gangs, threat groups, theft rings
   b. Sell stolen goods on
      (1) Establish marketplaces (Facebook, eBay, etc.)
      (2) Virtual Bazaars

Internet to Commit Crimes:
a. ↓ Physical Risk
b. Anonymity → The internet removes the NECESSITY of the criminal being PHYSICALLY at the same LOCATION as the V

How Use Internet:
a. Targeting Infrastructure
   i. Supervisory Control And Data Acquisition (SCADA) Systems
      1. Automated processes, updating & more vulnerable to attacks
      2. These control mass transit, electrical grids, military systems, ATC systems, medical facilities, etc.
      **Cyber criminals who possess a high degree of technical skills attack SCADA systems daily*
b. Phishing attacks → “dear Delete” Clicking on link
   Spear phishing → pointed to a certain group of people or org
c. Online Auction Fraud
d. Identity Theft
   - Common ways PII obtained
   - Fraud from Identity Theft: Credit Card, Employment, Tax, Phone/Utilities, Loan/Lease, Gov docs/Benefits

3122. First Responders to Digital Evidence → Riley v. California??

Roles of Computer:
1. Target of an illegal scheme (victim computer)
2. Instrument or tool to facilitate (hacker/criminal computer)
3. Repositories for crim activity
***Q on Exam will be an example and fitting it into one of these categories

Devices
1. Anything w a 1 & 0 (even digi music players, legacy media, optical/removable media, kindle)
   - Optical media = CDs, DVDs (anything read via laser)
2. Collection:
   a. Don't touch anything
   b. Also seize any computer or digi drive that can access device
   c. Cloud requires separate SW (SW = physically at that location)
   d. Wireless Routers, disconnect the ethernet but do not power off

Destruction
1. Physical/external damage
   - Force
   - Temperature
   - Water/condensation/fire
   - Magnetic media w/ magnetic fields
   - Flash media w/ electro-static discharge (ESD)
   - Optical media (scratches, chemicals)
2. Software/internal damage

Non-Electronic Evi for an Electronic Crime:
1. Computer hardware/software documentation
2. Critical trace evidence (DNA)
3. Indicators of ownership to associate Subject
4. Printer Reports
5. Scraps of paper w/ access codes/passwords

Collecting, Preserving, Transporting:
1. Secure scene*
2. Two security types → physical (separate from ppl), electronic (sever connectivity)
3. If screen is dark move mouse or shift key

1380. Electronic Law & Evidence
