Electronic Cybercrime and Surveillance Flashcards
What does the Police Electronic Crime Laboratory help with?
• evidential preservation of data from electronic devices including computers, removable media, digital cameras, cell phones, digital diaries, smart cards and PDAs
• forensic examination of preserved data
• capturing and downloading electronic data
• providing specialist advice to investigators, other government agencies, institutions and the public particularly about data security and electronic related offending.
What is The National Cybercrime Centre able to do?
• assist with internet-related investigations
• examine and determine the source of emails
• help investigators locate possible evidence from online databases
• provide specialist advice to investigators, other government agencies and institutions about online investigative process, locating and obtaining data from service providers and legislation
• investigate computer crime offences (s249 to s252 Crimes Act 1961).
What do you NOT do when you come across electronic material at a crime scene?
Do not:
• attempt to access information on the computer at this stage
• allow the suspect near the computer or device as electronic data can be altered or destroyed. (Computer users can write ‘logic bombs’ that cause a computer to crash and destroy data if the correct sequence of keystrokes is not used).
Can Police request a person’s password to access an electronic device?
Yes.
The Search and Surveillance Act 2012 (see section 130) provides Police with the power to require a person (specified person) to reveal their passwords etc. to facilitate a search of a computer or data storage device. Failure to do so is an offence (section 178).
What information is required when submitting electronic devices to ECL?
• brief circumstances and known history of the items submitted
• details of the examination required including any keywords to be searched against
• details of the items being submitted
• a copy of the warrant under which the items were seized and the POL 268 form
• details of any other proposed forensic testing
• your contact details
What are the principles for data evidence gathering?
- No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
- Any person accessing original data held on a computer or on storage media must be competent to do so and able to give evidence explaining the relevance and implications of their actions.
- An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring the law and these principles are adhered to.
What computer material can be seized?
The Search and Surveillance Act 2012 provides for the search and seizure of ‘intangible data’ held in data storage devices such as computers and cell phones.
A search of a vehicle or place also extends to the search of any computer system or data storage device located in whole or in part at that place, vehicle or thing.
A search of a ‘business’ computer network is therefore permitted even though the server is at premises other than those being searched.
A search of any internet data accessible by the computer’s user on the premises being searched is also permitted. Thus emails on Gmail or Hotmail, or data held in the ‘cloud’, may be accessible.
What are the requirements when searching computers with or without a warrant?
With Warrant:
- Be specific about the material that you are looking for.
- Where practicable, specify the procedures you will adopt to locate the material.
Without Warrant:
- Conduct the search in a way that most effectively targets the material that you are looking for.
- Distinguish between the material that may come within the scope of the search and material which is clearly irrelevant information.
What are the procedures for remote access searches?
- The issuing officer must be satisfied that the thing is not situated at a physical address that is capable of being entered and searched (103,6)
- Warrant should specify why the applicant believes that the data is not held at an accessible location.
- It must also specify with sufficient particularity the access information that identifies the thing to be searched remotely, such as the email address or the logon information relating to the site to be searched.
When can you NOT obtain a remote access search warrant?
- Merely because a server with web-based material is inaccessible in that particular circumstance, e.g. because it is overseas or its location has not been researched.
In this event you should:
- Seek co-operation of the organisation that hosts the server
- Or obtain a production order under s.74
- Or seek mutual assistance through the Mutual Assistance in Criminal Matters Act 1992.
What are your powers when carrying out a search of a computer?
- Use any reasonable measures to access it
- Remove the computer for further examination if it is not practicable to search it on the premises
- Take a forensic copy of the hard drive to preserve the evidential integrity of the material and maintain possession of the data
- Require a person who owns, leases, possesses or controls the computer device or system, or an employee of such a person, to provide access information (e.g. passwords, decryption information) that is reasonable and necessary to allow access
Section 46 – Activities for which surveillance device warrant required
(1) Except as provided in sections 47 and 48, an enforcement officer who wishes to undertake any 1 or more of the following activities must obtain a surveillance device warrant:
(a) use of an interception device to intercept a private communication:
(b) use of a tracking device, except where a tracking device is installed solely for the purpose of ascertaining whether a thing has been opened, tampered with, or in some other way dealt with, and the installation of the device does not involve trespass to land or trespass to goods:
(c) observation of private activity in private premises, and any recording of that observation, by means of a visual surveillance device:
(d) use of a surveillance device that involves trespass to land or trespass to goods:
(e) observation of private activity in the curtilage of private premises, and any recording of that observation, if any part of the observation or recording is by means of a visual surveillance device, and the duration of the observation, for the purposes of a single investigation, or a connected series of investigations, exceeds—
(i) 3 hours in any 24-hour period; or
(ii) 8 hours in total.
(2) This section is subject to section 45.
Section 47 – Some activities that do not require warrant under this subpart
(1) No warrant under this subpart is required by an enforcement officer for any 1 or more of the following activities:
(a) the enforcement officer—
(i) being lawfully in private premises; and
(ii) recording what he or she observes or hears there
(provided that the enforcement officer records only those matters that he or she could see or hear without the use of a surveillance device):
(b) covert audio recording of a voluntary oral communication between 2 or more persons made with the consent of at least 1 of them:
(c) activities carried out under the authority of an interception warrant issued under—
(i) section 4A(1) or (2) of the New Zealand Security Intelligence Service Act 1969; or
(ii) section 17 of the Government Communications Security Bureau Act 2003:
(d) activities carried out by the enforcement officer’s use of a surveillance device, if that use is authorised under any enactment other than this Act.
(2) Subsection (1)(b) does not prevent an enforcement officer from applying for a warrant authorising covert audio recording in the circumstances set out in that subsection.
Section 48 – Surveillance device warrant need not be obtained for use of surveillance device in some situations of emergency or urgency
(1) An enforcement officer who is in any 1 or more of the situations set out in subsection (2) may use a surveillance device for a period not exceeding 48 hours from the time the surveillance device is first used without obtaining a surveillance device warrant, if—
(a) he or she is entitled to apply for a surveillance device warrant in relation to those situations; but
(b) obtaining a surveillance device warrant within the time in which it is proposed to undertake the surveillance is impracticable in the circumstances.