Electronic Crime Scene Investigation: A Guide For First .


APR. 08
U.S. Department of Justice
Office of Justice Programs
National Institute of Justice
Special REPORT
Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition
www.ojp.usdoj.gov/nij

U.S. Department of Justice
Office of Justice Programs
810 Seventh Street N.W.
Washington, DC 20531

Michael B. Mukasey
Attorney General

Jeffrey L. Sedgwick
Acting Assistant Attorney General

David W. Hagy
Director, National Institute of Justice

This and other publications and products of the National Institute of Justice can be found at:

National Institute of Justice
www.ojp.usdoj.gov/nij

Office of Justice Programs
Innovation Partnerships Safer Neighborhoods
www.ojp.usdoj.gov

APR. 08
Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Cover photographs copyright 2001 PhotoDisc, Inc.

NCJ 219941

David W. Hagy
Director, National Institute of Justice

This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable as law by any party in any matter civil or criminal.

Photos used in this document are taken from public Web sites; they are in no way an endorsement of the product illustrated.

The opinions or points of view expressed in this document represent a consensus of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice. The products and manufacturers discussed in this document are presented for informational purposes and do not constitute product approval or endorsement by the U.S. Department of Justice.

The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance; the Bureau of Justice Statistics; the Community Capacity Development Office; the Office for Victims of Crime; the Office of Juvenile Justice and Delinquency Prevention; and the Office of Sex Offender Sentencing, Monitoring, Apprehending, Registering, and Tracking (SMART).

Contents

Introduction
  Using This Guide
  Intended Audience for This Guide
  What Is Digital Evidence?
  Handling Digital Evidence at the Scene
  Is Your Agency Prepared to Handle Digital Evidence?
Chapter 1. Electronic Devices: Types, Description, and Potential Evidence
  Computer Systems
  Storage Devices
  Handheld Devices
  Peripheral Devices
  Other Potential Sources of Digital Evidence
  Computer Networks
Chapter 2. Investigative Tools and Equipment
  Tools and Materials for Collecting Digital Evidence
Chapter 3. Securing and Evaluating the Scene
  Preliminary Interviews
Chapter 4. Documenting the Scene
Chapter 5. Evidence Collection
  Computers, Components, and Devices
  Other Forms of Evidence
  Other Electronic and Peripheral Devices of Potential Evidential Value
  Computers in a Business Environment
Chapter 6. Packaging, Transportation, and Storage of Digital Evidence
  Packaging Procedures
  Transportation Procedures
  Storage Procedures
Chapter 7. Electronic Crime and Digital Evidence Considerations by Crime Category
  Child Abuse or Exploitation
  Computer Intrusion
  Counterfeiting
  Death Investigation
  Domestic Violence, Threats, and Extortion
  E-mail Threats, Harassment, and Stalking
  Gambling
  Identity Theft
  Narcotics
  Online or Economic Fraud
  Prostitution
  Software Piracy
  Telecommunication Fraud
  Terrorism (Homeland Security)
Glossary

Introduction

This guide is intended to assist State and local law enforcement and other first responders who may be responsible for preserving an electronic crime scene and for recognizing, collecting, and safeguarding digital evidence. It is not all inclusive but addresses situations encountered with electronic crime scenes and digital evidence. All crime scenes are unique and the judgment of the first responder, agency protocols, and prevailing technology should all be considered when implementing the information in this guide. First responders to electronic crime scenes should adjust their practices as circumstances—including level of experience, conditions, and available equipment—warrant. The circumstances of individual crime scenes and Federal, State, and local laws may dictate actions or a particular order of actions other than those described in this guide. First responders should be familiar with all the information in this guide and perform their duties and responsibilities as circumstances dictate.

When dealing with digital evidence, general forensic and procedural principles should be applied:

- The process of collecting, securing, and transporting digital evidence should not change the evidence.
- Digital evidence should be examined only by those trained specifically for that purpose.
- Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review.

First responders must use caution when they seize electronic devices. Improperly accessing data stored on electronic devices may violate Federal laws, including the Electronic Communications Privacy Act of 1986 and the Privacy Protection Act of 1980. First responders may need to obtain additional legal authority before they proceed. They should consult the prosecuting attorney for the appropriate jurisdiction to ensure that they have proper legal authority to seize the digital evidence at the scene.

In addition to the legal ramifications of improperly accessing data that is stored on a computer, first responders must understand that computer data and other digital evidence are fragile. Only properly trained personnel should attempt to examine and analyze digital evidence.

NOTE: Officer safety and the safety of others should remain the primary consideration of first responders. Nothing in this guide is intended to be, or should be construed as being, a higher priority than officer safety or the safety of others.

Using This Guide

When the STOP sign is encountered in this guide, the first responder is advised to STOP, review the corresponding information, and proceed accordingly.

When the YIELD sign is encountered in this guide, the first responder is advised to review the corresponding information and proceed accordingly.

Intended Audience for This Guide

- Anyone who may encounter a crime scene that might involve digital evidence.
- Everyone who processes a crime scene that includes digital evidence.
- Everyone who supervises personnel who process such crime scenes.
- Everyone who manages an organization that processes such crime scenes.

What Is Digital Evidence?

Digital evidence is information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination.

Digital evidence—

- Is latent, like fingerprints or DNA evidence.
- Crosses jurisdictional borders quickly and easily.
- Is easily altered, damaged, or destroyed.
- Can be time sensitive.

NOTE: First responders should remember that digital evidence may also contain physical evidence such as DNA, fingerprints, or serology. Physical evidence should be preserved for appropriate examination.

Handling Digital Evidence at the Scene

Precautions should be taken in the collection, preservation, and transportation of digital evidence. First responders may follow the steps listed below to guide their handling of digital evidence at an electronic crime scene:

- Recognize, identify, seize, and secure all digital evidence at the scene.
- Document the entire scene and the specific location of the evidence found.
- Collect, label, and preserve the digital evidence.
- Package and transport digital evidence in a secure manner.

Before collecting evidence at a crime scene, first responders should ensure that—

- Legal authority exists to seize evidence.
- The scene has been secured and documented.
- Appropriate personal protective equipment is used.

First responders without the proper training and skills should not attempt to explore the contents of or to recover information from a computer or other electronic device other than to record what is visible on the display screen. Do not press any keys or click the mouse.

Is Your Agency Prepared to Handle Digital Evidence?

Every agency should identify personnel—before they are needed—who have advanced skills, training, experience, and qualifications in handling electronic devices and digital evidence. These experts should be available for situations that exceed the technical expertise of the first responder or agency. This preparation and use is similar to the provisions in place for biohazard and critical incident responses. It is recommended that protocols for how to handle electronic crime scenes and digital evidence be developed in compliance with agency policies and prevailing Federal, State, and local laws and regulations. In particular, under the Privacy Protection Act of 1980, with certain exceptions, law enforcement is prohibited from seizing material from a person who has a legal right to disseminate it to the public. For example, seizure of first amendment material such as drafts of newsletters or Web pages may violate the Privacy Protection Act of 1980.

This guide was developed to assist law enforcement and other first responders when they encounter electronic crime scenes. These guidelines will help first responders—

- Ensure that officer safety and the safety of others remain the highest priority.
- Recognize the investigative value of digital evidence.
- Assess available resources.
- Identify the equipment and supplies that should be taken to electronic crime scenes.
- Assess the crime scene and the digital evidence present.
- Designate the assignments, roles, and responsibilities of personnel involved in the investigation.

Chapter 1. Electronic Devices: Types, Description, and Potential Evidence

Internally attached computer hard drives, external drives, and other electronic devices at a crime scene may contain information that can be useful as evidence in a criminal investigation or prosecution. The devices themselves and the information they contain may be used as digital evidence. In this chapter, such devices will be identified, along with general information about their evidential value.

Some devices require internal or external power to maintain stored information. For these devices, the power must be maintained to preserve the information stored. For additional information about maintaining power to these devices, please refer to chapter 3 of this guide, the device manufacturer’s Web site, or other reliable sources of information.

Computer Systems

Description: A computer system consists of hardware and software that process data and is likely to include:

- A case that contains circuit boards, microprocessors, hard drive, memory, and interface connections.
- A monitor or video display device.
- A keyboard.
- A mouse.
- Peripheral or externally connected drives, devices, and components.

SPECIAL REPORT / APR. 08

Computer systems can take many forms, such as laptops, desktops, tower computers, rack-mounted systems, minicomputers, and mainframe computers. Additional components and peripheral devices include modems, routers, printers, scanners, and docking stations. Many of these are discussed further in this chapter.

[Figure: Types of Computer Systems. Labels: PC, monitor, keyboard, and mouse; Apple G3 computer, monitor, keyboard, and mouse; Apple iMac, keyboard, and mouse; laptop computer]

Potential evidence: A computer system and its components can be valuable evidence in an investigation. The hardware, software, documents, photos, image files, e-mail and attachments, databases, financial information, Internet browsing history, chat logs, buddy lists, event logs, data stored on external devices, and identifying information associated with the computer system and components are all potential evidence.

ELECTRONIC CRIME SCENE INVESTIGATION, SECOND EDITION

Storage Devices

Description: Storage devices vary in size and the manner in which they store and retain data. First responders must understand that, regardless of their size or type, these devices may contain information that is valuable to an investigation or prosecution. The following storage devices may be digital evidence:

- Hard drives. Hard drives are data storage devices that consist of an external circuit board; external data and power connections; and internal magnetically charged glass, ceramic, or metal platters that store data. First responders may also find hard drives at the scene that are not connected to or installed on a computer. These loose hard drives may still contain valuable evidence.

[Figure: Types of Hard Drives. Labels: SCSI drives; IDE 40-pin; SATA drive; 2.5” IDE 44-pin; Serial ATA (SATA); IDE drive; laptop hard drives; IDE power and data connections; SCSI HD 68-pin; SCSI IDC 50-pin]

- External hard drives. Hard drives can also be installed in an external drive case. External hard drives increase the computer’s data storage capacity and provide the user with portable data. Generally, external hard drives require a power supply and a universal serial bus (USB), FireWire, Ethernet, or wireless connection to a computer system.

[Figure: External Hard Drive Cases. Labels: 3.5” hard drive; 2.5” hard drive; network storage device]

- Removable media. Removable media are cartridges and disk-based data storage devices. They are typically used to store, archive, transfer, and transport data and other information. These devices help users share data, information, applications, and utilities among different computers and other devices.

[Figure: Removable Media. Labels: floppy disks; Compact Disc; Zip disks; Digital Versatile Disc]

- Thumb drives. Thumb drives are small, lightweight, removable data storage devices with USB connections. These devices, also referred to as flash drives, are easy to conceal and transport. They can be found as part of, or disguised as, a wristwatch, a pocket-size multitool such as a Swiss Army knife, a keychain fob, or any number of common and unique devices.

[Figures: Common Thumb Drives; Other Types of Thumb Drives]

- Memory cards. Memory cards are small data storage devices commonly used with digital cameras, computers, mobile phones, digital music players, personal digital assistants (PDAs), video game consoles, and handheld and other electronic devices.

[Figure: Memory Cards. Labels: smart media (SM) card; secure digital (SD) card; mini secure digital card; micro secure digital card; memory stick; compact flash card]

Potential evidence: Storage devices such as hard drives, external hard drives, removable media, thumb drives, and memory cards may contain information such as e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, financial records, and event logs that can be valuable evidence in an investigation or prosecution.

Handheld Devices

Description: Handheld devices are portable data storage devices that provide communications, digital photography, navigation systems, entertainment, data storage, and personal information management.

[Figure: Handheld Devices]

Potential evidence: Handheld devices such as mobile phones, smart phones, PDAs, digital multimedia (audio and video) devices, pagers, digital cameras, and global positioning system (GPS) receivers may contain software applications, data, and information such as documents, e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, and financial records that are valuable evidence in an investigation or prosecution.

It is important to note that—

- Data or digital evidence may be lost if power is not maintained.
- Data or digital evidence on some devices such as mobile or smart phones can be overwritten or deleted while the device remains activated.
- Software is available for mobile and smart phones that can be activated remotely to render the device unusable and make the data it contains inaccessible if the phone is lost or stolen. This software can produce similar results if activated on a device seized by law enforcement. First responders should take precautions to prevent the loss of data on devices they seize as evidence.

Peripheral Devices

Description: Peripheral devices are equipment that can be connected to a computer or computer system to enhance user access and expand the computer’s functions.

[Figure: Peripheral Devices. Labels: keyboard and mouse; Web cameras; microphones; USB and FireWire hubs; memory card readers; VoIP devices]

Potential evidence: The devices themselves and the functions they perform or facilitate are all potential evidence. Information stored on the device regarding its use also is evidence, such as incoming and outgoing phone and fax numbers; recently scanned, faxed, or printed documents; and information about the purpose for or use of the device. In addition, these devices can be sources of fingerprints, DNA, and other identifiers.

Other Potential Sources of Digital Evidence

Description: First responders should be aware of and consider as potential evidence other elements of the crime scene that are related to digital information, such as electronic devices, equipment, software, hardware, or other technology that can function independently, in conjunction with, or attached to computer systems. These items may be used to enhance the user’s access of and expand the functionality of the computer system, the device itself, or other equipment.

[Figure labels: data storage tape drives; digital cameras; digital audio recorders; surveillance equipment; video cameras; digital video recorders]

[Figure labels: satellite audio, video receiver, and access cards; MP3 players; video game consoles; computer chat headset; keyboard, mouse, and video (KM) sharing switch; Global Positioning System (GPS) receiver; Sim card reader; thumb print reader; reference material]

Potential evidence: The device or item itself, its intended or actual use, its functions or capabilities, and any settings or other information it may contain is potential evidence.

Computer Networks

Description: A computer network consists of two or more computers linked by data cables or by wireless connections that share or are capable of sharing resources and data. A computer network often includes printers, other perip
