Week 2 - Pre Search Planning & House Search Flashcards
What is Pre Search Planning?
This is basically everything you can do before going on scene.
What is the overall suggested methodology for an LDF examination?
- Pre Search Planning
- On site observation and analysis
- Implementing data capture procedures
- Securing the data capture for authentication purposes (e.g. hashing it so it can later be verified)
- Compile an audit trail of decisions and actions
Pre Search Planning. What do you need to do?
- Obtain detailed information about the type of investigation (e.g. type of crime, who is involved (a group or an individual), what information or evidence has already been obtained and established, where the scene is).
- What does the lead investigator hope to achieve? ASK questions.
- Discuss whether LDF is actually necessary.
‘W’ Questions for Pre-Search Planning
All the W questions
- What offence?
- What are we looking for?
- Where is the search taking place?
- What kind of location is it?
- What do we expect to find (type and number of devices, etc.)?
- Which tools / equipment do we need?
- When will the search take place?
- How are we getting there?
- How are we going to conduct the search?
- Who will be there (suspects, witnesses, etc.)?
- Who is coming on the search?
- Who is in charge of what?
- The search will be successful if…
Search Location Questions for Pre Search Planning
- Physical / electronic surveillance? Guards or live monitoring?
- Home or business environment?
- Type of business (e.g. Macs are more likely in a creative environment, Linux more likely in others)
- CCTV?
- WLAN? How are internet connections established? Which ISP provides access?
- Layout & location plans
- Open source intel (street view etc.)
Equipment Preparation
- Which tools you are going to use, and contingencies if they fail
- Prepare the media (USB drives, laptop etc.)
- Use verifiably sterile ('clean') storage media
- Test the tools & the storage devices
- Prepare backup plans where possible for equipment failure
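Added example (not from the original flashcards): a Python script for the two checks above, verifying that collection media is sterile by streaming through it and confirming every byte is zero (recording the image hash for the notes), and hashing the tool kit so it can be re-verified on scene. The sample images and the stand-in 'imager' tool are constructed inside the script; on a real job the sterile check is pointed at the wiped drive's block device (an assumed path such as /dev/sdb) and the manifest at the real tool binaries.

```python
"""Sterile-media check and tool-kit manifest for pre-search equipment prep.

Added example, not part of the original flashcards. The images and the
stand-in 'imager' tool below are constructed for demonstration; on a real
job verify_sterile() is pointed at the wiped drive's block device (an
assumed path such as /dev/sdb) and tool_manifest() at the real binaries.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream 1 MiB at a time so a large device fits in memory


def verify_sterile(path):
    """Stream through the image and report whether every byte is zero.

    Returns the verdict, the number of bytes examined, the offset of the
    first non-zero byte (None when clean) and the SHA-256 of the whole
    image, which is what goes into the contemporaneous notes.
    """
    digest = hashlib.sha256()
    first_nonzero = None
    offset = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
            if first_nonzero is None and chunk.strip(b"\x00"):
                # number of leading zero bytes == index of the first non-zero
                first_nonzero = offset + (len(chunk) - len(chunk.lstrip(b"\x00")))
            offset += len(chunk)
    return {
        "path": path,
        "bytes": offset,
        "sterile": first_nonzero is None,
        "first_nonzero_offset": first_nonzero,
        "sha256": digest.hexdigest(),
    }


def tool_manifest(paths):
    """SHA-256 each tool so the kit can be re-verified against the manifest."""
    manifest = {}
    for p in paths:
        digest = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                digest.update(chunk)
        manifest[os.path.basename(p)] = digest.hexdigest()
    return manifest


def demo():
    """Build constructed sample images and a stand-in tool, then check them."""
    workdir = tempfile.mkdtemp(prefix="ldf_kit_")
    size = 4 * CHUNK  # 4 MiB images
    clean = os.path.join(workdir, "clean.img")
    with open(clean, "wb") as fh:
        fh.write(b"\x00" * size)
    # Same size, but one stray byte left over from a previous job sits in
    # the third chunk, so the chunked scan must catch it mid-stream.
    dirty = os.path.join(workdir, "dirty.img")
    stray_offset = 2 * CHUNK + 12345
    with open(dirty, "wb") as fh:
        fh.write(b"\x00" * stray_offset)
        fh.write(b"\x41")
        fh.write(b"\x00" * (size - stray_offset - 1))
    tool = os.path.join(workdir, "imager")  # stand-in for a real tool binary
    with open(tool, "wb") as fh:
        fh.write(b"#!/bin/sh\necho imaging\n")
    return {
        "clean": verify_sterile(clean),
        "dirty": verify_sterile(dirty),
        "manifest": tool_manifest([tool]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The scan is chunked rather than reading the whole device into memory, and it keeps going after the first stray byte so the hash in the result covers the entire image; the offset tells you where to look when the media is not clean.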
Defining the Scope of the Investigation
Define beforehand the generic data that is always required in each type of investigation / incident. This will form the basis of your plan / methodology.
E.g. a CSAE investigation will be different to a malware investigation.
For each type of investigation ask:
- what must be checked before shutting down the system
- what volatile information is usually required
- what volatile information is usually nice to have
Defining the scope lets the LDF investigator know in general what information is most desired in a given situation.
The investigator's methodology & tool selection follow directly from the scope: no one toolkit is suitable for every type of investigation.
What 4 major considerations should every LDF methodology be based around?
- Order of volatility
- Perform the least intrusive actions first
- Gather the most valuable data first
- Document everything
Remember that these are applied in parallel, not one after the other: while you are respecting the order of volatility you are also performing the least intrusive actions first and gathering the most valuable data first, AND documenting everything, all at the same time.
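Added example (not from the original flashcards): a Python collector that applies the four considerations together. The step list is a constructed illustration of the order of volatility (system time, then network state, then processes, then users and mounts); the Linux command names in it are assumptions and would be swapped for the tools actually carried. Every step, including one that fails, gets a timestamped audit record with a SHA-256 of its output, written to the examiner's media rather than the suspect's disk.

```python
"""Volatile data collection that applies the four LDF considerations at once.

Added example, not part of the original flashcards. DEFAULT_ORDER is a
constructed illustration of the order of volatility (RFC 3227 ordering);
the Linux command names are assumptions and would be replaced by the
tools actually carried on scene.
"""
import hashlib
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Most volatile first, and each step is the least intrusive command that
# yields that data: nothing here writes to the suspect's disk.
DEFAULT_ORDER = [
    ("system_time", ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("arp_cache", ["ip", "neigh"]),
    ("network_connections", ["ss", "-tunap"]),
    ("process_list", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("logged_in_users", ["who"]),
    ("mounted_filesystems", ["mount"]),
]


def _utc_now():
    return datetime.now(timezone.utc).isoformat()


def collect_volatile(steps=DEFAULT_ORDER, outdir=None, examiner="examiner"):
    """Run each step in order; store its output and an audit record.

    Output goes to outdir (a fresh temp dir by default, standing in for
    the examiner's sterile media), never to the suspect's disk. A step
    that fails is still recorded: the decision to run it and the fact it
    failed are part of the audit trail. Returns the audit records.
    """
    outdir = outdir or tempfile.mkdtemp(prefix="ldf_volatile_")
    audit_path = os.path.join(outdir, "audit.jsonl")
    records = []
    for seq, (name, argv) in enumerate(steps, start=1):
        record = {
            "seq": seq,
            "step": name,
            "command": " ".join(argv),
            "examiner": examiner,
            "started": _utc_now(),
        }
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=60)
            output = proc.stdout
            record["exit_code"] = proc.returncode
            if proc.stderr:
                record["stderr"] = proc.stderr.decode(errors="replace")[:500]
        except (OSError, subprocess.TimeoutExpired) as exc:
            # tool missing, not executable, or hung: log it and move on
            output = b""
            record["exit_code"] = None
            record["error"] = repr(exc)
        out_file = os.path.join(outdir, f"{seq:02d}_{name}.txt")
        with open(out_file, "wb") as fh:
            fh.write(output)
        record["finished"] = _utc_now()
        record["output_file"] = out_file
        record["output_bytes"] = len(output)
        # hash at capture time so later corruption or tampering is detectable
        record["sha256"] = hashlib.sha256(output).hexdigest()
        records.append(record)
        with open(audit_path, "a", encoding="utf-8") as log:
            log.write(json.dumps(record) + "\n")
    return records


if __name__ == "__main__":
    for rec in collect_volatile():
        print(rec["seq"], rec["step"], rec["exit_code"], rec["sha256"][:16])
```

The audit log is append-only JSON lines with start and finish timestamps, the exact command, the examiner and the hash of what was captured, so the sequence of decisions can be reconstructed later even for a step whose tool was missing or hung.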
After the 4 major considerations have been established, what should the LDF investigator consider next?
- Type of device: mobile device, tablet, server, desktop etc. (both hardware and software)
- How the device will be accessed, i.e.:
Local Host
Remote Host
Remote Server
Local Host
- where the LDF investigator interacts directly with the suspect's OS, device & peripherals
- where the LDF investigator connects storage media & tools directly to the suspect device.
Therefore causes more changes to the suspect's system.
May require less authentication depending on the system & policies.
Easiest for the LDF investigator.
Remote Host
- Where the LDF investigator accesses the suspect device remotely over some form of network connection.
- The LDF investigator can transfer data from the remote suspect device & store it in some sort of repository on the network.
Must have administrative access to the remote suspect device.
May change the suspect system less than the local host method, because only a driver is loaded into memory rather than a disk being physically connected.
Fairly easy to set up & use, depending on the network.
Remote Server
Where a remote server exists and is accessible from the suspect device.
Benefits:
- the storage media used by the LDF investigator is remote, possibly reducing changes to the suspect system
- flexibility to use local host tools when needed
- may require less authentication depending on policy
Drawbacks:
- This method changes data on other devices such as routers, IDS etc., because you are connecting to the network from outside: log files on the router will be changed and you may trigger an IDS alert.
- Most complicated to set up.
After you have your methodology and scope defined then you need a Pre Search Briefing. What should be considered in this briefing?
ADVISING SEARCH TEAM
- identification of storage media (what they are looking for, what it looks like; also scanning for wifi devices)
- containment & securing of the electronic environment
- searches of persons present & seizure of items found
- complete a questionnaire to document everything they have done
ADVISING FORENSIC TEAM
- what procedure will be adopted for live systems
- what equipment is available
- who will carry it out
Considerations on a domestic premises (house search)
Safety is key.
It may be messy & dirty.
It may be a crime scene with blood and other contaminants.
Consider:
- cuts from metallic parts of devices
- electric shocks
- weapons disguised as mobile devices (guns / tasers)
- drug traces
- explosive devices / booby traps
- live animals
What are seizable devices in terms of LDF?
- mobile devices
- tablets
- desktops / laptops
- IoT devices
- games consoles
- smart TVs
- cameras
- external storage devices (may be encrypted)
- hidden or tiny USB devices
- wifi hard disks (hard to detect: wireless portable storage devices that connect over a wifi network and can be accessed by multiple devices simultaneously)
- portable media players
- printers / copiers / scanners