Electronic Evidence Flashcards
Should you attempt to access information on a device as a first responder?
No, unless there appears to be an immediate threat to data.
Should you allow a suspect near a device?
No, to avoid the altering or destroying of evidence.
Should you assume a device is turned off if it has a blank screen?
No, do not assume.
If the device is a computer, move the mouse or press the shift key. Do NOT touch any other buttons on the keyboard or mouse.
If the device is a mobile phone, double tap the screen or push the home button. Do NOT press the power button.
Should you turn a device on or off, as a general rule?
No.
If in doubt, contact DFU or local responder.
If a mobile device you wish to seize is off, what should you do?
Leave it off.
If possible, remove the battery to avoid it powering on in transit; otherwise remove the SIM card and attach it to the device.
If a mobile device you wish to seize is on, what should you do?
Place it on “flight mode”, connect it to a charger and leave it on.
If the device is on, and UNLOCKED, and the investigation is serious, consider contacting DFU immediately.
If the device is an iPhone, keep the device ON.
What should you do if you wish to obtain fingerprints and intangible material evidence from a device?
Contact DFU before submitting for testing.
What should you do when taking action with regard to electronic devices you wish to seize?
Take notes of the actions you took to ensure the integrity of the evidential trail.
Where is a common place to look for passwords for computers?
By the computer itself; consider searching and capturing a photograph.
When seizing a computer, what does policy dictate?
Determine if it is on or off.
Do NOT turn it on or off.
Disconnect WIFI and telephone lines to computer from wall.
Contact DFU.
Consider taking photographs of original state, rear of computer, etc.
What is a faraday bag?
A bag made of a material that blocks electromagnetic signals, used to hold devices such as mobile phones to prevent outside signals from interfering with the contents of the device.
If a mobile phone rings when seizing it, what should you do?
Do not answer it. Place it on flight mode. Do not scroll through and read text messages unless time is critical.
What three things should you remember when transporting digital exhibits?
- Clearly mark the external packaging as fragile.
- Include a HTCG001 examination request form found in Police forms.
- Contact DFU.
Section 130 of Search and Surveillance Act 2012
130 Duty of persons with knowledge of computer system or other data storage devices or Internet site to assist access
(1) A person exercising a search power in respect of any data held in a computer system or other data storage device may require a specified person to provide access information and other information or assistance that is reasonable and necessary to allow the person exercising the search power to access that data.
(2) A specified person may not be required under subsection (1) to give any information tending to incriminate the person.
(3) Subsection (2) does not prevent a person exercising a search power from requiring a specified person to provide information or providing assistance that is reasonable and necessary to allow the person exercising the search power to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the specified person.
(4) Subsections (2) and (3) are subject to subpart 5 of this Part (which relates to privilege and confidentiality).
(5) In this section,—
specified person means—
(a) a user of a computer system or other data storage device or an Internet site who has relevant knowledge of that system, device, or site; or
(b) a person who provides an Internet service or maintains an Internet site and who holds access information
user, in relation to a computer system or other data storage device or an Internet site, means a person who—
(a) owns, leases, possesses, or controls the system, device, or site; or
(b) is entitled, by reason of an account or other arrangement, to access data on an Internet site; or
(c) is an employee of a person described in paragraph (a) or (b).
Section 178 outlines the offence of failing to carry out obligations in relation to a computer search under section 130(1). 3 months imprisonment.