Week 2 - Seizure & Handling Flashcards

1
Q

Summarise the First Considerations re Seizure & Handling

A
  • Traditional forensic trace evidence (e.g. fingerprints, DNA) will usually take priority, therefore use protective gear such as gloves or, if required, a forensic suit / mask etc. to preserve it.
  • Do not let any suspect / owner handle any devices. In exceptional circumstances where biometrics / a PIN are required, this must be done under extremely careful supervision.
  • Consider biohazards. Anyone handling the device must be informed of any hazards such as immersion in rivers / canals / toilets etc. (if so, the device must be examined as a priority due to the likelihood of device failure). There is also a biohazard risk from the user’s body such as skin, fluids / blood, especially if contagious diseases are known; consider the medical history of people who have been in contact with it, and environments where micro-organisms thrive.

CONTINUITY of evidence is paramount. See the seizure and handling overview flowchart.

2
Q

On Scene Examination (‘triage’)

A

This is a preliminary examination carried out on scene.

It can obtain only limited content but is useful to:
- rule devices in or out for seizure
- aid prioritisation
- reduce case backlog
- free up higher skilled examiners
- provide information quickly to progress the investigation

If the device is unlocked at the point of seizure it may give access to volatile data that will be lost once the device is powered off.

The preliminary exam is usually a logical acquisition only, but a physical acquisition can be done depending on cost constraints.

3
Q

Seizure & handling next considerations

A

CONTINUITY and CONTEMPORANEOUS NOTES. Record the device location and photograph it in situ.

  1. Is a PIN / PUK code available? Check for documentation / boxes & accessories / chargers / data cables.
  2. Is the device powered on?
  3. Does it have any active connections obviously running / visible? If so, don’t disturb them; allow any data transfer to complete. If multiple devices are connecting to each other or to shared remote storage then consider seizing all of them: content on these may assist in obtaining content from other locked devices.
  4. Photograph and record the phone’s status, including its date and time compared against an atomic clock, and its location in situ.
  5. Know your legal powers of seizure as well as the parameters of any powers to be on the premises and seize.
4
Q

What are the three different states (or statuses) higher end (Android or iOS) devices can be in?

A

BFU - Before First Unlock: the device is powered on but has not yet been unlocked for the first time since it was last powered on, rebooted or reset. Restricted features / functionality are usually available.
Phones in this state are considered more challenging for examiners because file-based encryption will not yet have loaded the required file decryption keys into memory.

AFU - After First Unlock: the device is powered on and has already been unlocked one or more times since it was powered on, rebooted or reset. This is a more advantageous state for examination: more content is likely to be available because the file decryption keys have been loaded into the device’s temporary memory and will remain there until the device is powered off.

Switched off.

If a device is in either the BFU or AFU state then an external power source and radio frequency isolation should be considered as appropriate procedure.

5
Q

What information might be available from viewing the phone’s screen (whether locked or unlocked)?

A
  • whether it needs a PIN code to unlock
  • active connections such as Bluetooth, Wi-Fi and cellular
  • texts, missed calls, voicemail / app notifications / emails etc.
  • battery life (check this: does it need a power connection, and can we provide one under network isolation, i.e. in a Faraday bag)
  • network info
  • location info (such as a weather location)
  • time / date
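As an added example (not from the original flashcards), the following Python script turns the output of `adb shell dumpsys battery` and `adb shell date +%s` into the kind of on-scene status record these cards ask for: battery level, whether the handset is on external power (and so whether it needs a power source inside the isolation bag), and the offset of the device clock from a reference clock. It assumes an Android handset with USB debugging enabled and `adb` on the PATH; the sample outputs embedded in it are constructed, as are the threshold and field names.

```python
"""On-scene device status record built from adb output.

Added example, not part of the original flashcards. Assumes USB debugging is
enabled on an Android device, that `adb` is on the PATH, and that the examiner
has a trusted reference clock to compare against. The sample outputs below
are constructed to resemble `adb shell dumpsys battery` / `adb shell date +%s`.
"""
import re
import subprocess
from datetime import datetime, timezone

# android.os.BatteryManager BATTERY_STATUS_* codes as printed by dumpsys
BATTERY_STATUS = {1: "unknown", 2: "charging", 3: "discharging",
                  4: "not charging", 5: "full"}

# Constructed sample of `adb shell dumpsys battery` (layout as Android prints it)
SAMPLE_DUMPSYS_BATTERY = """Current Battery Service state:
  AC powered: false
  USB powered: false
  Wireless powered: false
  status: 3
  health: 2
  present: true
  level: 18
  scale: 100
  voltage: 3712
  temperature: 298
  technology: Li-ion
"""
# Constructed sample of `adb shell date +%s` and the reference clock reading
SAMPLE_DEVICE_EPOCH = "1717418395"
SAMPLE_REFERENCE_EPOCH = 1717418270


def parse_dumpsys_battery(text: str) -> dict:
    """Turn the `key: value` lines of dumpsys battery into a small status dict."""
    raw = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(\S+)\s*$", line)
        if m:
            raw[m.group(1).strip()] = m.group(2)
    level = int(raw["level"]) * 100 // int(raw.get("scale", "100"))
    return {
        "level_pct": level,
        "status": BATTERY_STATUS.get(int(raw.get("status", "1")), "unknown"),
        "on_external_power": any(raw.get(k) == "true" for k in
                                 ("AC powered", "USB powered", "Wireless powered")),
        "temperature_c": int(raw["temperature"]) / 10,  # dumpsys reports tenths of a degree
    }


def clock_offset_seconds(device_epoch: str, reference_epoch: int) -> int:
    """Positive result means the device clock is ahead of the reference clock."""
    return int(device_epoch.strip()) - reference_epoch


def triage_record(dumpsys_text: str, device_epoch: str, reference_epoch: int,
                  low_battery_pct: int = 20) -> dict:
    """Assemble the fields an examiner would note before bagging the device."""
    battery = parse_dumpsys_battery(dumpsys_text)
    offset = clock_offset_seconds(device_epoch, reference_epoch)
    return {
        "battery": battery,
        "device_time_utc": datetime.fromtimestamp(int(device_epoch), tz=timezone.utc).isoformat(),
        "reference_time_utc": datetime.fromtimestamp(reference_epoch, tz=timezone.utc).isoformat(),
        "clock_offset_s": offset,
        # Needs a power source inside the isolation bag if low and not already on external power
        "needs_power": battery["level_pct"] <= low_battery_pct and not battery["on_external_power"],
    }


def collect_live(reference_epoch: int) -> dict:
    """Run the real adb commands (requires an attached device with USB debugging)."""
    dumpsys = subprocess.run(["adb", "shell", "dumpsys", "battery"],
                             capture_output=True, text=True, check=True).stdout
    epoch = subprocess.run(["adb", "shell", "date", "+%s"],
                           capture_output=True, text=True, check=True).stdout
    return triage_record(dumpsys, epoch, reference_epoch)


if __name__ == "__main__":
    print(triage_record(SAMPLE_DUMPSYS_BATTERY, SAMPLE_DEVICE_EPOCH, SAMPLE_REFERENCE_EPOCH))
```

The record is meant to be written into the contemporaneous notes alongside the photographs: the clock offset is what lets timestamps recovered later be corrected against the reference clock, and `needs_power` flags a handset that will not survive long in a Faraday bag without a charger.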
6
Q

Why do we need to isolate the device from the network?

A
  • to prevent any intentional remote wiping / deleting or altering
  • to prevent any additional data being received that may overwrite data
  • to prevent any changes to the device since the time of seizure from automatic updates etc.
  • location based technology (like GPS) may also need to be disabled, by turning off location updates, using the device’s ‘flight mode’ or using a Faraday bag.

When a device is contained in a functional network isolation container (like a Faraday bag) it can go into what’s known as a super mode: it increases current consumption while searching for a network and rapidly depletes the battery. Most devices will shut down automatically when the battery drops below a certain level. It may also be possible to disable any locks prior to bagging, to keep the screen awake / active. If USB debugging can be enabled this will allow the examiner greater access to the device.

The device user or owner should be asked questions, where lawful, to obtain user details / access details for the device; this speeds up the examination process.

If the device cannot be isolated from the network while powered on then it should be switched off. Use the power button where possible, removing the battery to do so if required.

7
Q

What are the risks in powering off a device?

A

If the device cannot be isolated from the network while powered on then it should be switched off. Use the power button where possible, removing the battery to do so if required.

  • One risk is that switching off will enable power-on access restriction mechanisms: the device returns to the BFU state, so the file decryption keys held in memory are lost and the passcode will be needed again before content can be examined.
  • Any volatile data that was only available while the device was running will be lost.
8
Q

What should be included on the evidence bag / label?

A
  • Unique reference number
  • WHAT is it
  • WHO found it
  • WHERE was it found
  • WHEN was it found
  • HOW was it found (the situation it was in & the phone’s status)
  • Clearly mark any handling requirements such as biohazard. If a biohazard marker is used it must clearly state the nature of the biohazard, e.g. ‘blood, drugs, DNA, infectious disease’.

Consider tamper evident cardboard boxes for storage to prevent damage or accidental pressing of buttons.

SIMs should be stored in an anti-static bag if being transported separately. Clearly mark the bag to include the ICCID. Always seal multiple devices separately.
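As an added example (not part of the original flashcards), the Python below encodes the labelling rules on this card as validation: the unique reference and the WHAT / WHO / WHERE / WHEN / HOW fields are mandatory, a biohazard marker is rejected unless the nature of the hazard is stated, and a SIM's ICCID is checked against its Luhn check digit (ICCIDs are defined in ITU-T E.118 with a Luhn check digit) so a mis-transcribed ICCID is caught before the bag is sealed. The field names and the sample exhibit, including the ICCID, are constructed for illustration.

```python
"""Evidence bag label record with ICCID check digit validation.

Added example, not from the original flashcards. Field names and the sample
exhibit are constructed; the ICCID structure (19 or 20 digits, leading 89,
Luhn check digit) follows ITU-T E.118.
"""

REQUIRED_FIELDS = ("ref", "what", "who", "where", "when", "how")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_iccid(iccid: str) -> bool:
    """ICCID: 19 or 20 digits, starts with 89 (telecoms industry identifier), Luhn check digit."""
    s = iccid.replace(" ", "")
    return s.isdigit() and len(s) in (19, 20) and s.startswith("89") and luhn_valid(s)


def make_label(fields: dict) -> dict:
    """Validate the label fields and return a normalised record plus the label text.

    Raises ValueError describing what is wrong so the bag is not sealed with an
    incomplete or inconsistent label.
    """
    missing = [k for k in REQUIRED_FIELDS if not str(fields.get(k, "")).strip()]
    if missing:
        raise ValueError(f"label incomplete, missing: {', '.join(missing)}")
    if fields.get("biohazard") and not str(fields.get("biohazard_nature", "")).strip():
        raise ValueError("biohazard marker requires the nature of the hazard to be stated")
    iccid = fields.get("iccid")
    if iccid is not None and not validate_iccid(iccid):
        raise ValueError(f"ICCID {iccid!r} fails format/check digit; re-read it from the SIM")

    record = {k: str(fields[k]).strip() for k in REQUIRED_FIELDS}
    record["biohazard"] = bool(fields.get("biohazard"))
    record["biohazard_nature"] = str(fields.get("biohazard_nature", "")).strip() or None
    record["iccid"] = iccid.replace(" ", "") if iccid else None

    lines = [f"REF: {record['ref']}",
             f"WHAT: {record['what']}", f"WHO: {record['who']}",
             f"WHERE: {record['where']}", f"WHEN: {record['when']}",
             f"HOW: {record['how']}"]
    if record["biohazard"]:
        lines.append(f"BIOHAZARD: {record['biohazard_nature']}")
    if record["iccid"]:
        lines.append(f"ICCID: {record['iccid']}")
    record["label_text"] = "\n".join(lines)
    return record


# Constructed sample exhibit (not a real case)
SAMPLE_FIELDS = {
    "ref": "EX/0012",
    "what": "Black Android handset, screen on, locked",
    "who": "PC 4471",
    "where": "Kitchen worktop, 12 Example Street",
    "when": "2024-06-03 13:19 UTC",
    "how": "Found powered on, locked, 18% battery; placed in Faraday bag",
    "biohazard": True,
    "biohazard_nature": "blood",
    "iccid": "8901 2601 2345 6789 011",  # constructed value that passes the Luhn check
}

if __name__ == "__main__":
    print(make_label(SAMPLE_FIELDS)["label_text"])
```

A SIM transported separately gets its own record with the ICCID filled in; a handset record leaves `iccid` out. Rejecting a label rather than printing it with blanks is the point: the continuity record is only as good as the weakest label in the chain.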

9
Q

How do Faraday bags / devices work?

A

Faraday devices come in different formats; the most common is the bag.

It is important to understand that Faraday devices work on the principle of attenuating (reducing the effect of) radio frequencies and electromagnetic fields.

They DO NOT guarantee that all RF signals will be attenuated to the same level; attenuation varies depending on the frequency.

They work by distributing any external RF or electromagnetic field around the exterior of the bag / device, so that the charge remains on the outside and is cancelled out inside.

This means that effectiveness can vary depending on the receiver sensitivity of the device and its proximity to a cell tower or open Wi-Fi access point, so bags can leak. Test their performance regularly, as seals may fail.
