392 - Computer Forensic Investigations Flashcards
Who is the owner of Order 392 - Computer Forensic Investigations
Commanding Officer of Computer Forensics Investigations Unit
CFI: All requests for digital examination must be accompanied with a formal request on a _____ that can be downloaded from their Unit website.
CFI Unit request form
CFI: All digital media seized or obtained for examination must be accompanied by a _____ or _____
written consent form or a search warrant (to include affidavit).
CFI: Verbal consent must be documented on an _____ or _____ from the witnessing investigator.
Intradepartmental Correspondence (P-0004) or via departmental email
All digital media brought to the CFI Unit must have been previously _____ and _____
submitted to the Property & Evidence Facility and assigned a property control number.
CFI: Evidence delivery is the responsibility of the _____
submitting/requesting officer/detective.
If data, image, or digital evidence is in plain view on a computer or mobile device screen, the officer/detective should if possible_______, without manipulating the digital device and consult a _____
take a photograph of what is in plain view
digital forensic examiner.
If the digital device is OFF, _____.
leave it OFF
If the digital device is ON, document _____, ____ and _____, without ______.
open screens, time and dates
imputing data into the device
If the digital device is ON, do NOT type or input anything into the device. Exception: There may be times when this cannot be avoided. If this happens, _____ and _____.
document every step used and document why this step was necessary
When collecting a desktop computer: if it is ON,_____ and _____
leave it ON and simply unplug the power cord from the back of the computer.
if the computer is on and there is an articulable belief that hard drive(s) are encrypted, do NOT unplug or power off the computer. Instead, _____
consult with the on-call digital forensic examiner.
When collecting a laptop computer: if it is ON, _____ and _____, _____.
leave it ON and remove the battery first, then the power cord
Cellular phones and mobile devices (eReaders, tablets, GPS, etc.) should be collected in the same manner as the rules listed above; however, it is imperative to ______ before turning the device off
obtain the password
Forensic examinations can have extensive processing times that are subject to change without notice, and owners/agents of electronic devices should NOT be given specific time frames on the completion of the examination. The owner/agent can be informed that _____
they will be contacted upon the completion of the examination.
