Seizing Electronic Evidence PDF - Boca Raton Police

Summary

This document is a departmental directive for seizing electronic evidence. It outlines procedures for recognizing, preserving, and collecting electronic evidence in criminal investigations. The directive includes definitions and explanations of different types of electronic evidence, and it covers the importance of proper procedures to avoid damaging evidence and to facilitate legal proceedings.

Full Transcript

BOCA RATON POLICE SERVICES DEPARTMENT
Departmental Standards Directive 83.907
SEIZING ELECTRONIC EVIDENCE
Effective: April 5, 2000
Revised: April 15, 2011

I. PURPOSE:

The purpose of this directive is to provide information and guidelines for members of the Boca Raton Police Services Department regarding the seizure of electronic evidence.

II. POLICY:

The Department must possess up-to-date knowledge and equipment to investigate criminal activity effectively. It is imperative that members of the Department recognize, protect, seize, and search electronic devices in accordance with applicable statutes, policies and guidelines.

III. DEFINITIONS:

Electronic Evidence: Hardware, software, electronic storage devices or media, images, audio, text and other data that can be easily altered or destroyed but may be indications of a crime.

Electronic Storage Devices: Any device or media used to store data, including but not limited to hard drive, CD, DVD, floppy disk, Zip disk, tape, iPod, Flash card, SanDisk, or PDA.

Probable Cause: A reasonable ground of suspicion supported by circumstances sufficiently strong in themselves to warrant a cautious and prudent officer to make a similar judgment.

Smart Card: A plastic card the size of a standard credit card that holds a microprocessor chip capable of storing monetary value and other information.

Wireless Environment: A network that works outside the realm of Category 5 cabling, and, therefore uses no cable.

IV. PROCEDURE:

A. RECOGNIZING POTENTIAL EVIDENCE:

   1. The computer may be contraband, fruits of the crime, a tool of offense, or a storage container holding evidence of the offense.

   2. Answers to questions will help determine the role of the computer in the crime, as follows:
      a. Is the computer contraband or fruits of the crime, i.e. was the computer software or hardware stolen?
      b. Is the computer system a tool of the offense, i.e. was the system actively used by the defendant to commit the offense?
      c. Were fake IDs or other counterfeit documents prepared using the computer, scanner and color printer?
      d. Is the computer system only incidental to the offense, i.e. being used to store evidence of the offense?
      e. Is a drug dealer maintaining his trafficking records in his computer?
      f. Is the computer system instrumental to the offense and a storage device for evidence?
      g. Did the subject use their hardware, software and/or peripheral to attack other systems and use it to store stolen credit card or other information?

   3. Once the investigator understands the computer’s role, the following essential questions should be answered:
      a. Is there probable cause to seize hardware?
      b. Is there probable cause to seize software?
      c. Is there probable cause to seize data?
      d. Where will the search be conducted?
      e. Is it practical to search the computer system on site or must the examination be conducted at a field office or a lab?
      f. If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before the trial?

B. PREPARING FOR THE SEARCH AND/OR SEIZURE:

   1. Using evidence obtained from a computer in a legal proceeding requires probable cause for issuance of a warrant or an exception to the warrant requirement.
      a. If an officer encounters potential evidence that may be outside the scope of their existing warrant or legal authority, the officer shall contact the prosecutor as an additional warrant may be necessary.
      b. If computers or other appropriate electronic devices are the subject of the warrant, the officer shall arrange for the forensic examiner to be present.
      c. The officer shall use appropriate collection techniques so as not to alter or destroy evidence.
      d. Forensic examination of the system shall be completed by trained personnel in a speedy fashion, with expert testimony available at trial.

C. CONDUCTING THE SEARCH AND/OR SEIZURE:

   1. SECURING THE SCENE:
      a. Preserve area for potential fingerprints.
      b. Immediately restrict access to computer(s).
      c. Isolate the electronic device from communication and networking sources to prevent data on the computer from being accessed remotely.

   2. SECURING THE COMPUTER AS EVIDENCE:
      a. For stand-alone, non-networked computers, consult a forensic examiner.
      b. If an examiner is not available, and the computer is OFF, do not turn it ON.
         i. Disconnect all power sources.
         ii. Unplug the power cord from the wall and the back of the computer.
         iii. Place evidence tape over each drive slot.
         iv. Photograph/diagram and label back of computer components with existing connections.
         v. Label all connectors/cable ends to allow re-assembly as needed.
         vi. If transport is required, package components and transport/store components as fragile cargo.
         vii. Keep away from magnets, radio transmitters and otherwise hostile environments.
      c. If computer is ON, do not turn it OFF, and do the following:
         i. Photograph the screen.
         ii. Secure the computer until a forensic examiner arrives.
      d. In the event child pornography is found or suspected, under no circumstances should the images be copied, forwarded, or transmitted to any type of media or other electronic device.
      e. For networked or business computers, consult a forensic examiner for further assistance.
      f. Pulling the plug could cause the following to occur:
         i. Severely damage the system
         ii. Disrupt legitimate business
         iii. Create officer and Department liability.

D. OTHER ELECTRONIC STORAGE DEVICES:

   Electronic devices may contain viable evidence associated with criminal activity. Unless an emergency exists, the device should not be accessed. Should it be necessary to access the device, all actions associated with the manipulation of the device should be noted to document the chain of custody.

   1. WIRELESS TELEPHONES:
      a. Potential Evidence Contained in Wireless Devices:
         i. Numbers called
         ii. Numbers stored for speed dial
         iii. Caller ID for incoming calls
         iv. Phone/pager numbers
         v. Names and addresses
         vi. PIN Numbers
         vii. Voice mail access number
         viii. Voice mail password
         ix. Debit card numbers
         x. E-mail/Internet access information
         xi. The on screen image may contain other valuable information.
      b. On/Off Rule:
         i. If the device is ON, do not turn it OFF. Turning it OFF could activate lockout feature.
            a) Write down all information on the display and photograph if possible.
            b) Power down before transport. Take any power cords present.
         ii. If the device is OFF, leave it OFF. Turning it ON could alter evidence on device.
            a) Upon seizure, get it to an expert as soon as possible or contact local service provider.
            b) If an expert is unavailable, use a different telephone and contact 1-800 LAWBUST, a 24/7 service provided by the cellular telephone industry.
            c) Make every effort to locate any instruction manuals pertaining to the device.

   2. ELECTRONIC PAGING DEVICES:
      i. Numeric pagers receive only numeric digits and can be used to communicate numbers and code.
      ii. Alphanumeric pagers receive numbers and letters and can carry full text.
      iii. Voice pagers can transmit voice communications, sometimes in addition to alpha numeric.
      iv. 2-way pagers contain incoming and outgoing messages.
      v. Once a pager is no longer in proximity to suspect, turn it off. Continued access to electronic communications over a pager without proper authorization can be construed as unlawful interception of electronic communication.
      vi. The stored contents of pagers can be searched after a search warrant is obtained.

   3. FACSIMILE MACHINES:
      a. Fax machines can contain the following:
         i. Speed dial lists
         ii. Stored incoming and outgoing faxes
         iii. Incoming and outgoing fax transmission logs
         iv. Header line
         v. Clock setting
      b. If the fax machine is found ON, powering down may cause loss of last number dialed and/or stored faxes.
      c. Search Issues include the following:
         i. Record telephone line number into which the fax is plugged.
         ii. Header line should be the same as the phone line – user sets header line
         iii. Seize manuals related to the equipment, with the equipment, if possible.

   4. CALLER ID DEVICES:
      a. Devices may contain telephone and subscriber information from incoming telephone calls.
      b. Interruption of the power supply to the device may cause loss of data if not protected by internal battery backup. Document all stored data before seizure or loss of data may occur.

   5. SMART CARDS:
      a. Physical characteristics of the card:
         i. Label and identify characteristics
         ii. Identify features similar to credit card/driver license
         iii. Detect possible alteration or tampering
         iv. Photograph the smart card.
      b. Uses of smart card:
         i. Point of sale transaction
         ii. Direct exchange of value between cardholders
         iii. Exchange of value over the Internet
         iv. ATM capabilities
         v. Capable of storing other data and files similar to a computer
      c. Circumstances raising suspicion concerning smart cards:
         i. Numerous cards with different names or same issuing vendor
         ii. Signs of tampering
         iii. Cards are found in the presence of a computer or other electronic devices.
      d. Questions to be considered when encountering smart cards:
         i. Who is card issued to – the valid cardholder?
         ii. Who issued the card?
         iii. What are the uses of the cards?
         iv. Why does the person have numerous cards?
         v. Can this electronic device alter the card?
      e. Smart card technology is used in some cellular telephones and may be found in or with cellular devices.

   6. TRACING AN INTERNET E-MAIL:
      a. When an Internet e-mail message is sent, the user typically controls only the recipient line(s), i.e. TO: and Bcc: and the Subject: line.
      b. Mail software adds the rest of the header information as it is processed.
      c. Reading an E-Mail Header:
      d. Sample E-Mail Header:

         (1) Return-path:
         (2) Received: from in50210.cc.nps.navy.mil by nps.navy.mil (4.1/SMI-4.11) id AA08680; Thur, 7 Nov 96 17:51:49 PST
         (3) Received: from localhost by in50210.cc.nps.navy.mil (4.1/SMI-4.1) id AA16514; Thurs, 7 Nov 96 17:50:53 PST
         (4) Message-Id: <9611080150.AA16514@in50210.cc.nps.navy.mil>
         (5) Date: Thur, 7 Nov 1996 17:50:53 -0800 (PST)
         (6) From: “Albert M. Bottoms” <ambottomin50210.cc.navy.mil>
         (7) To: Tim White <ti white@ $m.ir.lo.COM>
         (8) Cc: Real 3D <real3dQmmc.com, Denny Adams <[email protected], Tim Arion, RAY BALCERAK <RBALCERAK’A. mil>

         i. Line (1) tells other computers who really sent the message, and where to send error messages, i.e. bounces and warnings.
         ii. Lines (2) and (3) show the route that the message took from sending to delivery. Each computer that receives this message adds a Received: field with its complete address and time stamp that helps in tracking delivery problems.
         iii. Line (4) is the Message ID, a unique identifier for this specific message. This ID is logged and can be traced through computers on the message route if there is a need to track the mail.
         iv. Line (5) shows the date, time, and time zone when the message was sent.
         v. Line (6) tells the name and e-mail address of the message originator or “sender”.
         vi. Line (7) tells the name and e-mail address of the primary recipient which may be a mailing list, a system-wide alias, or a personal username.
         vii. Line (8) lists the names and e-mail addresses of the “courtesy copy” recipients of the message. There may be “BCC:” recipients as well; blind carbon copy recipients get copies of the message, but their names and addresses are not visible in the headers.

V. REFERENCES:

   A. U.S.S.S. Seizing Electronic Evidence
   B. Encase Directives
   C. Department of Treasury Standards

Approved: Daniel C. Alexander
Chief of Police
Date:
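
Added example, not part of the directive: the header-reading steps in section IV.D.6 (Received: fields as the route, Message-Id as the traceable identifier) applied by a short Python script that rebuilds the route from origin to delivery and notes inconsistencies between hops. The message, the example.* host names, the ids and the function name trace_route are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; every example.* name and id is a placeholder.
RAW = """\
Return-Path: <sender@example.org>
Received: from relay.example.net by mx.example.com (ESMTP) id B2; Thu, 7 Nov 1996 17:51:49 -0800
Received: from ws12.example.org by relay.example.net (ESMTP) id A1; Thu, 7 Nov 1996 17:50:53 -0800
Message-Id: <199611080150.A1@ws12.example.org>
Date: Thu, 7 Nov 1996 17:50:53 -0800
From: "Sender" <sender@example.org>
To: recipient@example.com
Subject: constructed sample

body
"""

# Simplified pattern (an assumption): real Received: fields vary by mail software.
HOP = re.compile(r"from\s+(\S+).*?\sby\s+(\S+)", re.I)

def trace_route(raw):
    """Return (message_id, hops); hops are ordered from origin to delivery."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own Received: field, so the topmost is the newest.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        m = HOP.search(value)
        try:                                       # time stamp follows the last ';'
            when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            when = None
        hops.append({"sender": m.group(1) if m else None,
                     "receiver": m.group(2) if m else None,
                     "time": when, "notes": []})
    # Consistency checks an examiner would record for each adjacent pair of hops.
    for prev, cur in zip(hops, hops[1:]):
        if prev["receiver"] != cur["sender"]:
            cur["notes"].append("chain break: sender is not the previous receiver")
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            cur["notes"].append("time stamp earlier than previous hop")
    return msg["Message-Id"], hops

if __name__ == "__main__":
    message_id, route = trace_route(RAW)
    print("Message-Id:", message_id)
    for n, hop in enumerate(route, 1):
        print(n, hop["sender"], "->", hop["receiver"], hop["time"], hop["notes"])
```

Received: fields written before the message reached a relay the examiner can vouch for may have been supplied by the sender, so a flagged hop is a lead to corroborate against that relay's logs using the Message-Id, not a conclusion.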
