Week 4

Question 1

Three Types of Search + Seizure/Legal Authority

Answer 1

CRIMINAL CASES
- search warrant w/ probable cause (warrant can have different parameters like phone vs. building)
- 4th Amendment - protects against Search and Seizure
- consent is given by owner and can be revoked and search must stop

CIVIL CASES
- court order is the legal authority/demand
- can also come w protective order (to protect person being searched. if investigator leaked something then they can be held in contempt.
consent can still be revoked.

CORPORATE INVESTIGATIONS
- written permission by “keeper of record” who is the legal authority
- consult w/ corporate counsel

Question 2

Riley v. California (2014)

Answer 2

said that phone cannot be searched without a warrant

Question 3

Legal Authority 4th Amendment Exceptions

Answer 3

(3)

Question 4

Exigency

Answer 4

emergency

Question 5

Probationer/Parolee

Answer 5

Probation officer can ask to search parolee any time.

Question 6

Border Searches

Answer 6

protects national security

Question 7

5th Amendment

Answer 7

Person cannot be witness against themself.

Question 8

Is giving password self-incrimination?

Answer 8

Yes. cannot compel password.

Question 9

Scope of Case

Answer 9

CSAM = images and video
IP theft = computer data
peripheral drives = hard drives, thumb drives
gaming systems
Alexas - can listen in - show proof of life.

Question 10

Documentation

Answer 10

WHO WHAT WHEN WHERE WHY

document original scene meticulously

take photos of everything

Question 11

Crime Scene Considerations

Answer 11

• safety, PPE
• know state of digital evidence (encryption)
• avoid cross contamination
• what needs to be seized?
• isolate/ID main suspects
• document existing conditions
• use special packaging
• maintain chain of custody
• triage

Question 11

Triage

Answer 11

quick look @ evidence to determine what must be seized

inital survey of scene

not forensically sound

have to minorly change date to triage but it’s okay if you can justify it

can’t triage for all devices

need access to Windows system to triage

Question 12

Triage can show…

Answer 12

• web history
• IP address history
• connected devices log
• user account info
• existence of known CSAM pics

Question 12

Should triage data be used in court?

Answer 12

No! hasn’t been analyzed. just rough overview and tells you where to look for data.

Question 13

Digital Device Physical Seizure

Answer 13

Computers
Hard Drives
SSD Drives
Peripheral Drives

Question 14

Computers

Answer 14

has volatile memory or random access memory (RAM) - RAM is the waiting room between the computer hard drive and what is seen on screen.
Passwords to encryption can be in RAM.

Question 15

Hard Drives

Answer 15

need a Faraday bag

label w date, time, person who seized/packed item

Question 16

SSD Drives and Stand-alone computers

Answer 16

they have different approaches

Question 17

Peripheral Devices

Answer 17

USBs
SD Cards
portable hard drives

Question 18

All devices are self-contained and still require the same precautions as stand-alone hard drives, like Faraday bags.

Answer 18

-

Question 19

Is on-scene manipulation okay?

Answer 19

If it can be justified and isn’t too severe.

it is never worth losing valuable evidence over a legal misstep.

if you do smth wrong/change smth, don’t lie! document

Question 20

PROPER SEIZURE

Answer 20

Don’t manipulate device more.

Put in airplane mode, off wifi, off bluetooth.

Prevent remote wipe and preserves data.

faraday bags

Question 21

DON’T

Answer 21

just scroll through phone
place phone in chip bad
forget to ask for passcode

Question 22

Ensure evidence not altered

Question 23

OS Triage

Answer 23

• made by Eric Zimmerman
• provides on-scene investigators w/ real time info about systems
• can be used on mounted media
• can show times, dates, shut downs, whose account it is, which accts need password, files access, USB insertions
• can see forensic tools plugged in

Question 24

mounted media

Answer 24

making storage device’s files and directories to user and OS - can then examine contents of logical image?