Week 4 Flashcards
Three Types of Search + Seizure/Legal Authority
CRIMINAL CASES
- search warrant w/ probable cause (warrant can have different parameters like phone vs. building)
- 4th Amendment - protects against Search and Seizure
- consent is given by owner and can be revoked and search must stop
CIVIL CASES
- court order is the legal authority/demand
- can also come w/ a protective order (to protect the person being searched; if the investigator leaks something, they can be held in contempt)
- consent can still be revoked
CORPORATE INVESTIGATIONS
- written permission by “keeper of record” who is the legal authority
- consult w/ corporate counsel
Riley v. California (2014)
held that a phone cannot be searched without a warrant
Legal Authority 4th Amendment Exceptions
(3)
Exigency
emergency
Probationer/Parolee
A probation officer can ask to search a parolee at any time.
Border Searches
protects national security
5th Amendment
A person cannot be a witness against themselves.
Is giving password self-incrimination?
Yes; a password cannot be compelled.
Scope of Case
CSAM = images and video
IP theft = computer data
peripheral drives = hard drives, thumb drives
gaming systems
Alexa devices - can listen in - can show proof of life.
Documentation
WHO WHAT WHEN WHERE WHY
document the original scene meticulously
take photos of everything
Crime Scene Considerations
- safety, PPE
- know state of digital evidence (encryption)
- avoid cross contamination
- what needs to be seized?
- isolate/ID main suspects
- document existing conditions
- use special packaging
- maintain chain of custody
- triage
Triage
quick look @ evidence to determine what must be seized
initial survey of the scene
not forensically sound
triage makes minor changes to the data, but that's okay if you can justify it
can't triage all devices
need access to a Windows system to triage
Triage can show…
- web history
- IP address history
- connected devices log
- user account info
- existence of known CSAM pics
Should triage data be used in court?
No! It hasn't been analyzed; it's just a rough overview that tells you where to look for data.
Digital Device Physical Seizure
Computers
Hard Drives
SSD Drives
Peripheral Drives
Computers
have volatile memory, a.k.a. random access memory (RAM) - RAM is the waiting room between the hard drive and what is seen on screen.
Passwords for encryption can be in RAM.
Hard Drives
need a Faraday bag
label w/ date, time, and the person who seized/packed the item
SSD Drives and Stand-alone computers
they require different approaches
Peripheral Devices
USBs
SD Cards
portable hard drives
All devices are self-contained and still require the same precautions as stand-alone hard drives, like Faraday bags.
Is on-scene manipulation okay?
If it can be justified and isn't too severe.
It is never worth losing valuable evidence over a legal misstep.
If you do something wrong or change something, don't lie! Document it.
PROPER SEIZURE
Don't manipulate the device further.
Put it in airplane mode; turn off Wi-Fi and Bluetooth.
Prevents remote wipe and preserves data.
faraday bags
DON’T
just scroll through the phone
place the phone in a chip bag
forget to ask for the passcode
Ensure evidence is not altered.
OS Triage
- made by Eric Zimmerman
- provides on-scene investigators w/ real-time info about systems
- can be used on mounted media
- can show times, dates, shutdowns, whose account it is, which accounts need a password, file access, USB insertions
- can see which forensic tools are plugged in
mounted media
making a storage device's files and directories available to the user and the OS - can then examine the contents of the logical image?