Electronic Crime Scene Investigations; Evidence Collection. II/II

In Part I of our two-part Electronic Crime Scene Investigations series, we covered recognizing and securing an electronic crime scene.  In this post, we delve into the actual investigation itself.

First and foremost, now that you have identified and isolated all persons with access from the crime scene, please ensure that they provide your investigator with a release similar to the below.  (Please check with your local law enforcement on particular jurisdictional guidelines.)

CONSENT TO SEARCH ELECTRONIC MEDIA AND CLOUD STORAGE
I, __________________, hereby authorize __________________, who has identified himself / herself as an investigator lawfully engaged by _____________________, and any other person(s), including but not limited to a computer forensic examiner, he / she may designate to assist him / her, to remove, take possession of and / or conduct a complete search of the following: computer systems, electronic data storage devices, computer data storage diskettes, DVDs, or any other electronic equipment capable of storing, retrieving, processing and / or accessing data and any and all cloud storage accounts that may contain any company information, files and references.
The aforementioned equipment and storage will be subject to data duplication / imaging and a forensic analysis for any data pertinent to the incident / criminal investigation.
I give this consent to search freely and voluntarily without fear, threat, coercion or promises of any kind and with full knowledge of my constitutional right to refuse to give my consent for the removal and / or search of the aforementioned equipment /data, which I hereby waive. I am also aware that if I wish to exercise this right of refusal at any time during the seizure and or search of the equipment / data, it will be respected.

This consent to search is given by me this ________ day of, __________________
20__________, at ____________ am / pm.

Location items taken from: ____________________________________________
Consenter Signature: ________________________________________________
Witness Signature: _________________________________________________
Witness Signature: _________________________________________________

Evidence Collection
Handling digital evidence correctly is essential to preserving the integrity of the physical device as well as the information or data it contains. Turning off the power to a computer or other electronic device may cause the information or data stored on it to be damaged or lost.
If you are not trained in handling digital evidence —
• Do not attempt to explore the contents of a computer or other electronic device or to recover information from it.
• Do not alter the state of a computer or other electronic device.
• Do not press any keys or click the mouse.
• If the computer or device is off, leave it off.
• Do not move a computer or other electronic device that is powered on.
• Do not accept offers of help or technical assistance from unauthorized persons.
• DO request technical assistance from personnel with advanced equipment and training in digital evidence collection.  See http://www.ecpi-us.org/Technicalresources.html for a list of available resources.

Assess the Situation

Before capturing digital evidence, make sure you have the legal authority to do so. Improper access to information or data stored on electronic devices may violate provisions of various local, state and federal laws.

After securing the scene and identifying the computer’s power status, follow the steps listed below for the situation most like your own. (If the final step in a situation is “Proceed to If the Computer Is ON” or “Proceed to If the Computer Is OFF”, those two sections are posted at the bottom of this article.)

Situation 1: Monitor is on. Program, application, work product, picture, e-mail or Internet site is displayed.

1. Photograph screen and record information displayed.
2. Proceed to “If the Computer Is ON”

Situation 2: Monitor is on. Screen saver or picture is visible.
1. Move mouse slightly without depressing buttons or rotating wheel if present.
2. Note any onscreen activity that causes a change in the display.
3. Photograph screen and record information displayed.
4. Proceed to “If the Computer Is ON”

Situation 3: Monitor is on. Display is blank.
1. Move mouse slightly without depressing buttons or rotating wheel if present.
2. Display changes to login screen, work product, or other visible display.
3. Note change in display.
4. Photograph screen and record information displayed.
5. Proceed to “If the Computer Is ON”

Situation 4a: Monitor is off. Display is blank.
1. If monitor’s power switch is in off position, turn monitor on.
2. Display changes to a login screen, work product or other visible display.
3. Note change in the display.
4. Photograph screen and record information displayed.
5. Proceed to “If the Computer Is ON”

Situation 4b: Monitor is off. Display is blank.
1. If monitor’s power switch is in off position, turn monitor on.
2. Display does not change. Screen remains blank.
3. Note that the display does not change.
4. Photograph blank screen.
5. Proceed to “If the Computer Is OFF”.

Situation 5: Monitor is on. Display is blank.
1. Move mouse slightly without depressing any buttons or rotating the wheel if present.
2. If display does not change, confirm that power is supplied to the monitor.
3. If display remains blank, check computer case for active lights and listen for fans spinning or other indications computer is on.
4. If computer case gives no indication that it is powered on, proceed to “If the Computer Is OFF”.

================================

If the Computer Is OFF
For desktop, tower and minicomputers follow these steps:
1. Document, photograph, and sketch all wires, cables, and devices connected to the computer.
2. Uniquely label and photograph the power supply cord and all cables, wires or USB drives attached to the computer and the connection each of these occupies on the computer.
3. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip or battery backup device.
4. Disconnect and secure all cables, wires and USB drives from the computer and document the device or equipment connected at the opposite end.
5. Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
6. Place tape over the power switch.
7. Record the make, model, serial numbers and any user-applied markings or identifiers.
8. Record or log computer and all cords, cables, wires, devices and components according to agency procedures.
9. Carefully package all evidence collected to prevent damage or alteration during transportation and storage.

For laptop computers follow these steps:
1. Document, photograph and sketch all wires, cables and devices connected to the laptop.
2. Uniquely label and photograph all wires, cables and devices connected to the laptop and the connection each occupies.
3. Remove and secure the power supply and all batteries from the laptop computer.
4. Disconnect and secure all cables, wires, and USB drives from the laptop and document the equipment or device connected at the opposite end.
5. Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
6. Place tape over the power switch.
7. Record the make, model, serial numbers and any user-applied markings or identifiers.
8. Record or log the laptop computer and all cords, cables, wires, devices and components according to agency procedures.
9. Carefully package all evidence collected to prevent damage or alteration during transportation and storage.

If the Computer Is ON
Removing the power supply is generally the safest option. If evidence of a crime is visible on the computer display, however, request assistance from personnel with experience in volatile data capture and preservation.

Immediate disconnection of power is recommended when —
• Information or activity on screen indicates that information or data is being deleted or overwritten.
• A destructive process appears to be in progress on the computer’s data storage device(s).
• The system is powered on in a typical Microsoft Windows® environment. Pulling the power supply cord from the back of the computer will preserve information about the last user account logged in, login time, most recently used documents, most recently used commands, and other valuable information.

Immediate disconnection of power is NOT recommended when —
• Information or data of apparent evidentiary value is in plain view onscreen. Seek assistance from personnel with advanced training in digital evidence collection.
• Indications exist that any of the following are active or in use: Chat room(s), text documents, remote data storage, Instant Messaging (IM), child pornography, contraband, financial documents, data encryption and obvious illegal activities.
• The device is a mobile or smart phone. Leave mobile and smart phones in the power state in which they were found.

Improper shutdown of mainframe computers, servers or a group of networked computers may result in the loss of data, loss of evidence and potential civil liability. Secure the scene and request assistance from personnel with advanced training in digital evidence collection of large or complex computer systems.

(We suggest you print Parts I and II of this series into a manual format.)

BNI Operatives: Street smart; info savvy.

As always, stay safe.

Electronic Crime Scene Investigations; Assessing & Documenting the Situation. I/II

When a computer crime is suspected in the workplace, action must be taken immediately. We’ll take you through a step by step computer crime scene investigation; the same protocol that we security and information specialists conduct.

When securing and evaluating the scene:
• Do not alter the state of an electronic device. If a computer or an electronic device is off, leave it off.
• Remove all unauthorized persons from the area where evidence is to be collected.
• Identify, seize and secure all electronic devices, including personal ones used at work. (Have the employee sign a release or note the type of device and serial number – including the hard drive serial number, if s/he refuses).
• Recognize potential digital evidence in telephones, digital video recorders, other office appliances and motor vehicles.

If the computer is on or the power state cannot be determined:
• Look and listen for indications that the computer is on — e.g., fans running, drives spinning and lit light-emitting diodes (LEDs).
• If you cannot determine the power state of the computer, observe the monitor to determine if it is on, off or in sleep mode.
• Check display screen for signs of data destruction.  Look out for words such as “delete,” “format,” “remove,” “copy,” “move,” “cut” or “wipe.”
• Look for indications that the computer is being accessed remotely and/or signs of ongoing communications with other computers or users — e.g., Instant Messaging (IM) windows or chat rooms.
• Take note of all cameras and determine whether they are active.

Preliminary Interviews
• Separate and identify all persons of interest and record the location they occupied when you entered the scene. Obtain the following information from interviewee(s):
• Purpose of computers and devices.
• All users of the computers and devices.
• Type of Internet access and Internet service provider.
• Computer and Internet user information — e.g., login names, user account names and passwords, and Instant Message screen names.
• E-mail and Web mail (Web-based e-mail) accounts and Web pages.
• Account information for online social networking Web sites — e.g., Facebook, LinkedIn.
• All security provisions, data access restrictions, destructive devices or software in use.
• Any automated applications in use.
• Any other relevant information.

Documenting the Scene
Your documentation should include:
• The type, location, position, condition and power status of the device.
• A record of all activity and processes visible on the display screen(s).
• A record of all physical connections to and from the computers and other devices.
• A record of any network and wireless components capable of linking devices to each other and the Internet.
• The type, condition and power status of the device’s Internet and network access.
• Video, photos, notes and sketches to assist in recreating/conveying the details of the scene.
(Some computer systems and electronic devices — and the information they contain — may be protected under applicable laws, agency policies or other factors that may prohibit collection of these devices or components.  That’s when you call in a pro.  However, do include the location, condition and power state of these devices in your documentation.)

Movement of a running computer or electronic device may cause changes or damage to the computer or device or the digital evidence it contains. Computers and electronic devices should not be moved until it is determined by a professional that it is safe to do so.

In Part II/II we will get into the meat of Evidence Collection.  The instructions we will impart will not be generalizations but rather, actual, working directions.

Our Operatives: A step ahead.

As always, stay safe.

Report/Don’t Report A Vehicular Accident? Know Your State’s Rules.


by Louis C. Amen (Ret., Highway Accident Investigation Squad Detective, NYPD)

Car accidents can and will happen to even the best of drivers.  You may be driving in accordance with the rules of the road but another driver may not, thereby triggering a chain of events that ends in a vehicular collision.

Civilians are responsible for reporting accidents* either to a police officer at the accident scene or to their state’s Department of Motor Vehicles (DMV) central office.  Is there a central source of reporting information by state online?

Yes. We recommend a private site: DMV.org, to determine contact and forms information and then access any state’s DMV via links to the agency’s services such as obtaining one’s driver’s abstract, re-registering a vehicle, obtaining accident reporting forms, etc. (For example: If you wish to report a vehicular accident directly to the DMV in Alabama, select Alabama as the state of inquiry, and DMV.org will redirect you to the crash report request form).

*Depending on your state’s rules and regulations. See below.

Is it mandatory to report a vehicular accident?

1. Personal injury/property damage not involved: Possibly. The requirement to report a vehicular accident is based on the individual state’s directives regarding collision reporting and the necessity is generally based on the vehicle damage estimate. E.g., in NYS, it is not necessary (although allowed) to report an accident in which the projected cost of damage is less than $1,001.00.

2. Personal injury/property damage (excluding vehicle) involved: Yes.  A report of the crash incident is required in all states when personal injury has occurred to any parties involved, including pedestrians, bicyclists and others not participating in the original vehicular collision.

What information should I obtain at an accident scene wherein police were not notified?

From the driver involved:

  • Driver’s full name and current and policy address
  • Registrant information – name and current and policy address
  • Insurance information, including insurance company name and code, policy number and policy period
  • Telephone number(s) of all involved
  • Email information of all involved
  • Emergency or “other notification” contact information for all involved
  • Name and contact information for all vehicle occupants, others involved in the collision and witnesses.
  • Photos (to include full vehicle and areas of damage shots, of the parties involved and relevant ground markings and street signs and traffic devices that may be present at the location, to include but not limited to traffic lights, traffic signs, crossing guards…)

What are the relevant traffic accident forms I may need? (Using NYS as an example.) 

If an involved party is required or desires to submit vehicular accident reports as, for example, required by your auto insurance carrier, the following documents may be necessary:

  • Traffic accident report form
  • Witness statements
  • Liability release
  • Waiver of financial responsibility

– If you are in an accident in NY involving only property damage, New York State Vehicle and Traffic Law requires you to stop and exchange information with the involved drivers.

– If a parked vehicle or other property is damaged, or a domestic animal is injured, you must locate the owner or contact the police.

Important facts regarding vehicular collisions in New York State (yes, this includes, New York City):

  • If property damage of any person is $1,001 or more, all the involved drivers are required by the NYS Vehicle and Traffic Law to file a Report (MV 104).
  • If the report is required per the above criterion, then said report must be submitted to the NYS DMV within 10 days post-incident.
  • DMV can suspend your driver’s license if you fail to report an accident.
  • If a person is injured or killed, you are required by the NYS Vehicle and Traffic Law to immediately report the collision to the police, and you may not leave the scene unless directed by police.
  • It is a crime to leave the scene of an accident that causes personal injury or death.
  • The DMV does make or assist in liability determination of a vehicular accident.

How do I obtain a copy of an accident report form?

  • You can obtain the form online – again, we suggest you use the DMV.org site.
  • Go in person to the local police agency and/or precinct where the accident occurred and request a blank form and instructions.

I realize that people are understandably upset and distracted when a collision occurs.  By remaining as calm as possible and employing basic common sense, you should be able to arrive at a decision based on the facts before you in determining whether to report an accident on scene or privately afterwards.  When in doubt, or when substantial property damage and/or injuries are involved, call 911.


Federal and State FOIA Request Tips & Info.


Before submitting a FOIA request, we suggest the following tips to expedite the information return: (We are citing US DOJ regulations.)

1. Research the agency’s website for the information you are seeking. (FOIA requires that federal agencies release certain information automatically, without the need for you to make a request, so before you put in the effort to obtain that which is readily and immediately available, check the agency’s site.)

2. Create and submit a pre-printed FOIA request form on your firm’s letterhead.  (There is no specific form that must be used to make a request. The request simply must be in writing, reasonably describe the information you seek, and comply with specific agency requirements. Most federal agencies now accept FOIA requests electronically, including by web form, e-mail or fax.)

3. Follow up in five to six weeks post request submission if you have not received the information sought.  (The time it takes to respond to each request varies depending on the complexity of the request itself and the backlog of requests already pending at the agency. In some circumstances, the agency will be able to respond to the request within the standard time limit established by the FOIA – approximately one month. In other instances more time may be needed before the request can be completed. When an agency requires an extension of time, it will notify you in writing and provide you with an opportunity to modify or limit the scope of your request. Alternatively, you may agree to a different timetable for the processing of your request.)

Obtaining FOIA records (contact information):

For Federal Agency Records: From the Department of Agriculture to the Tennessee Valley Authority to the USPTO:   here.

For State Agency Records: Research the agency’s contact information independently, as there is no central state-by-state agency FOIA office registry (given the varying agencies by state), and then avail yourself of the following useful tools:

Happy hunting!
