Highfill - 392 - Policies and Procedures - Investigative Procedures Flashcards
If an officer/detective comes into contact with any digital media device which meets ___________ standards or the device may contain evidence, they should first seek
____________ by completing a ___________, and have the form signed by the owner or the authorized agent of the device.
probable cause
consent to search
Consent to Search Computer(s), Computer Peripherals, & Related Audiovisual or Digital Media/Devices Form (P-0527)
Form P-0527 should be _______________ and stored in the ___________.
Note that consent to search ______ valid if the PIN or password to the device is not provided.
retained as evidence
Property and Evidence Facility
is not
Regardless of computer knowledge or technical aptitude, an officer/detective __________ search through any digital device or request a complainant, victim, or suspect to search any device acting as an agent of the Jacksonville Sheriff’s Office (JSO). Any search done in this manner could render the evidence ________ in court.
should not
inadmissible
Any ___________ who searches through a digital device (scrolling through cell phone image gallery, searching computer internet history, etc.) will __________ in an Incident or Supplement Report.
officer/detective
document the actions taken
If Consent to Search Form (P-0527) cannot be obtained, and there exists exigency
and/or facts are known to indicate a crime has been committed using the digital device, __________. A _________ can be obtained later to conduct an examination of the device.
seize the device
search warrant
An officer/detective attempting to obtain a search warrant should consult with a ________________ to ensure that a properly structured and worded search warrant is drafted.
Digital Forensic Examiner
An officer/detective should ________ inform the owner/agent of a digital device to remove or delete any item(s) from a digital device.
NOT
If data, image, or digital evidence is ___________ on a computer or mobile device
screen, the officer/detective should if possible _____________ of what is in plain
view, without manipulating the digital device and consult a digital forensic examiner.
in plain view
take a photograph
An officer/detective not assigned to the Computer Forensic Investigations Unit ________
guess or otherwise make __________ to enter the unknown password of a locked
device.
will not
blind attempts
Blindly attempting to enter a device may ________ or ________ the device, without warning, and cause permanent evidence destruction that could have been otherwise obtained during
a forensic analysis.
permanently disable
wipe
If the digital device is OFF, ____________.
leave it OFF
If the digital device is ON, document _________, _______, and _______, without imputing
data into the device.
open screens,
time,
and dates
If the digital device is ON, _______ or _________ into the device.
Exception:
There may be times when this cannot be avoided. If this happens, document ________
used and document ______ this step was necessary.
do NOT type
input anything
every step
why
An officer/detective should NOT ______ or _______ any type of software or hardware (i.e., flash/thumb drives, external hard drives, etc.).
remove
install
When collecting a desktop computer: if it is ON, _________ and simply unplug the power cord from the back of the computer.
*** However, if the computer is on and there is an articulable belief that hard drive(s) are encrypted, ____________ the computer.
Instead, consult with the on-call digital forensic examiner. Encryption may be an issue if the subject of the investigation displays computer knowledge that exceeds that of an average user.
leave it ON
do NOT unplug or power off
When collecting a laptop computer: if it is ON, __________ and ____________ first,
then the power cord. Upon removal, do NOT reinsert the battery to prevent accidental
start-up. The same policy concerning encryption applies.
leave it ON
remove the battery
Cellular phones and mobile devices (eReaders, tablets, GPS, etc.) should be collected in
the same manner as laptops. Remove the _________ from the device and do ____ reinsert
it. This will prevent remote wipe and GPS tracking by the device owner.
battery
NOT
Cellular phones and mobile devices considering that powering off the device
may require __________ when powered back on, it is imperative to obtain the password
before turning the device off.
a password
Cell phone and mobile devices: If removing the battery is ________; turn off the device and wrap it in at least ____ layers of aluminum foil. Note, however, that doing so while the device is powered on will quickly drain the battery and could cause damage due to overheating.
not possible
four
To prevent evidence tampering and destruction of digital evidence, _________ search through it. Scrolling through __________, __________, and _________ can modify metadata that is vital to the investigation and cannot be unchanged.
do not
messages, images and other files
If a seized/obtained device may need a password to gain entry, the _______ receiving the device shall ask the possessor/owner of the device for the ____________.
officer/detective
password
An officer/detective should document the name of the individual who provided the information about a seized device even if the password is ________.
unknown or refused
If a device’s password is a ________, document the pattern and have it confirmed by the possessor/owner of the device.
swipe pattern
Investigations involving computers or any other related device where individuals have user profiles (user accounts), require the investigating officer/detective to obtain all of the user _______ and ________ used on the device.
profile names
passwords
When computers are submitted for analysis, the case agent or detective must submit a searchable _________ to the digital forensic examiner conducting the analysis.
keyword list
Forensic examinations can have extensive processing times that are subject to change without notice, and owners/agents of electronic devices should NOT be given __________ on the completion of the examination.
specific time frames
