The Best Practices For Seizing Electronic Evidence

Outline

Purpose

To develop a basic understanding of key technical and legal factors regarding searching and seizing electronic storage devices and media.

Introduction

Scope of the Problem
As computers and related storage and communication devices proliferate in our society, so does the use of those devices in conducting criminal activities. Technology is employed by criminals as a means of communication, a tool for theft and extortion, and a repository to hide incriminating evidence or contraband materials. Law enforcement officers must possess up-to-date knowledge and equipment to effectively investigate today's criminal activity. The law enforcement community is challenged by the task of identifying, investigating and prosecuting individuals and organizations that use these and other emerging technologies to support their illicit operations.

Recognizing Potential Evidence

Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized personal data assistant to the floppy diskette, CD or the smallest electronic chip device. Images, audio, text and other data on these media are easily altered or destroyed. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices and guidelines.

Answers to the following questions will better determine the role of the computer in the crime:

  • Is the computer contraband of fruits of a crime?
    For example, was the computer software or hardware stolen?

  • Is the computer system a tool of the offense?
    For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?

  • Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
    For example, is a drug dealer maintaining his trafficking records in his computer?

  • Is the computer system both instrumental to the offense and a storage device for evidence?
    For example did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?

Once the computer's role is understood, the following essential questions should be answered:

  • Is there probable cause to seize hardware?
  • Is there probable cause to seize software?
  • Is there probable cause to seize data?
  • Where will this search be conducted?
    • For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
    • If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized date, to its owner/user before trial?
    • Considering the incredible storage capacities of computers, how will experts search this data in an efficient, timely manner?



Preparing for the Search and/or Seizure

Using evidence obtained from a computer in a legal proceeding requires:

  • Probable cause for issuance of a warrant or an exception to the warrant requirement.
    Caution: If you encounter potential evidence that may be outside the scope of your existing warrant or legal authority, contact your agency's legal advisor or prosecutor as an additional warrant may be necessary.
  • Use of appropriate collection techniques so as not to alter or destroy evidence.
  • Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial.



Conducting the Search and/or Seizure

Once the computer's role is understood and legal requirements are fulfilled:

  1. Secure the Scene
    • Officer safety is paramount.
    • Preserve area for potential fingerprints.
    • Immediately restrict access to computer(s).
      Isolate from phone lines (because data on the computer can be access remotely).

  2. Secure the Computer as Evidence
    • If computer is "OFF", do not turn "ON".
    • If computer is "ON"
      • Stand-alone computer (non-networked)
        • Consult computer specialist
        • If specialist is not available
          • Photograph screen, then disconnect all power sources; unplug from the wall AND the back of the computer.
          • Place evidence tape over each drive slot.
          • Photograph/diagram and label back of computer components with existing connections.
          • Label all connectors/cable end to allow reassembly as needed.
          • If transport is required, package components and transport/store components as fragile cargo.
          • Keep away from magnets, radio transmitters and otherwise hostile environments.
      • Networked or business computers
        • Consult a Computer Specialist for further assistance
        • Pulling the plug could:
          • Severely damage the system
          • Disrupt legitimate business
          • Create officer and department liability



Other Electronic Storage Devices

Electronic devices may contain viable evidence associated with criminal activity. Unless an emergency exists, the device should not be accessed. Should it be necessary to access the device, all actions associated with the manipulation of the device should be noted in order to document the chain of custody and insure its admission in court.

  1. Wireless Telephones
    • Potential Evidence Contained in Wireless Devices
      • Numbers called
      • Numbers stored for speed dial
      • Caller ID for incoming calls
      • Other information contained in the memory of wireless telephones
        • Phone/pager numbers
        • Names and addresses
        • PIN numbers
        • Voice mail access number
        • Voice mail password
        • Debit card numbers
        • Calling card numbers
        • E-mail/Internet access information
        • The on screen image may contain other valuable information
    • On/Off Rule
      • If the device is "ON", do NOT turn it "OFF".
        • Turning it "OFF" could activate lockout feature.
        • Write down all information on display (photograph if possible).
        • Power down prior to transport (take any power supply cords present).
      • If the device is "OFF", leave it "OFF".
        • Turning it on could alter evidence on device (same as computers).
        • Upon seizure get it to an expert as soon as possible or contact local service provider.
        • If an expert is unavailable, USE A DIFFERENT TELEPHONE and contact 1-800-LAWBUST (a 24:7 service provided by the cellular telephone industry).
        • Make every effort to locate any instruction manuals pertaining to the device.

  2. Electronic Paging Devices
    • Potential Evidence Contained in Paging Devices
      • Numeric pagers (receives only numeric digits; can be used to communicate numbers and code)
      • Alpha numeric pagers (receives numbers and letters and can carry full text)
      • Voice Pagers (can transmit voice communications (sometimes in addition to alpha numeric)
      • 2-way pagers (containing incoming and outgoing messages)
      • Best Practices
        • Once pager is no longer in proximity to suspect - turn it off. Continued access to electron communication over pager without proper authorization can be construed as unlawful interception of electronic communication.
      • Search of stored contents of pager.
        • Incident to arrest
        • With probable cause + exception
        • With consent

  3. Facsimile Machines
    • Fax machines can contain:
      • Speed dial lists
      • Stored faxes (incoming and outgoing)
      • Fax transmission logs (incoming and outgoing)
      • Header line
      • Clock setting
    • Best practices
      • If fax machine is found "ON", powering down may cause loss of last number dialed and/or stored faxes.
    • Other Considerations
      • Search issues
        • Record telephone line number fax is plugged into
        • Header line should be the same as the phone line; user sets header line.
        • All manuals should be seized with equipment, if possible.

  4. Caller ID Devices
    • May contain telephone and subscriber information from incoming telephone calls.
      • Interruption of the power supply to the device may cause loss of data if not protected by internal battery backup.
      • Document all stored data prior to seizure or loss of data may occur.

  5. Smart Cards
    A plastic card the size of a standard credit card that holds a microprocessor (chip) which is capable of storing monetary value and other information.

    • Awareness
      • Physical characteristics of the card
      • Photograph of the smart card
        • Label and identify characteristics.
        • Features similar to credit card/driver's license.
        • Detect possible alteration or tampering during same examination.
    • Uses of Smart Cards
      • Point of sale transactions
      • Direct exchange of value between cardholders
      • Exchange of value over the Internet
      • ATM capabilities
      • Capable of storing other data and files similar to a computer
    • Circumstances Raising Suspicion Concerning Smart Cards
      • Same as credit cards
      • Numerous cards (different names or same issuing vendor)
      • Signs of tampering (cards can be found in the presence of computer or other electronic devices)
    • Questions to Ask When Encountering Smart Cards
      • Who is card issued to (the valid cardholder)?
      • Who issued the card?
      • What are the uses of the cards?
      • Why does the person have numerous cards?
      • Can this computer or device alter the card?
    • Other Considerations
      • Smart Card technology is used in some cellular phones and may be found in or with cellular devices (see Wireless section)



Tracing an Internet E-mail

  • When an internet e-mail message is sent, the user typically controls only the recipient line(s) (To and Bcc) and the Subject line.
  • Mail software adds the rest of the header information as it is processed.
Reading an E-mail Header:

    ----- Message header follows -----
(1) Return-path: <ambottom@o167832.cc.nps.navy.mil>
(2) Received: from o167832.cc.army.mil by nps.navy.mil (4.1/SMI-4.1) id AAO868O; Thur, 7 Nov 96 17:51:49 PST
(3) Received: from localhost byo167832.navy.mil (4.1/SMI-4.1) id AA16514; Thur 7 Nov 96 17:50:53 PST
(4) Message-ID: <9611080150.AA16514@o167832.cc.army.mil>
(5) Date: Thur, 7 Nov 1996 17:50:53 -0800 (PST)
(6) From: "M. Bottoms" <ambottomo167832.cc.nps.navy.mil>
(7) To: Tom Whitt <tom_whitt@tomwhitt.com>
(8) Cc: Real 3D <real3dQmmc.com>, Denis Adams <zzxxms@ldsa.com>, Joe Arion <oerion@aol.com>
  • Line (1) tells other computers who really sent the message and where to send error messages (bounces and warning).
  • Line (2) and (3) show the route the message took from sending to delivery. Each computer that receives this message adds a Received field with its complete address and time stamp; this helps in tracking delivery problems.
  • Line (4) is the Message-ID, a unique identifier for this specific message. This ID is logged, and can be traced through computers on the message route if there is a need to track the mail.
  • Line (5) shows the date, time, and time zone when the message was sent.
  • Line (6) tells the name and e-mail address of the message originator (the "sender").
  • Line (7) shows the name and e-mail address of the primary recipient; the address may be for a:
    • mailing list,
    • system-wide alias,
    • a personal username.
  • Line (8) lists the names and e-mail addresses of the "courtesy copy" recipients of the message. There may be "Bcc:" recipients as well; these "blind carbon copy" recipients get copies of the message, but their names and addresses are not visible in the headers.


About this Publication

The Best Practices for Seizing Electronic Evidence was developed as a project of the International Association of Chiefs facilitated Advisory Committee for Police Investigative Operations. The Committee convened a working group of a variety of law enforcement representatives, facilitated by the United States Secret Service, to identify common issues encountered in today's crime scenes. This manual was developed by representatives from the following agencies:

  • Alexandria, Virginia Police Department
  • Boston, Massachusetts Police Department
  • Baltimore County Police Department
  • Clarkstown, New York Police Department
  • Department of Justice - Computer Crimes & Intellectual Property Section
  • Florida Department of Law Enforcement
  • Florida Statewide Prosecutors Office
  • High Intensity Drug Trafficking Area (HIDTA) Program
  • Los Angeles County District Attorneys Office
  • Los Angeles Police Department
  • Lubbock, Texas Police Department
  • Maryland Heights, Missouri Police Department
  • National Association of Attorneys General
  • National Institute of Justice
  • National Sheriffs Association
  • New Jersey Division of Criminal Justice
  • New York City Police Department
  • New York County District Attorneys Office
  • New York State Organized Crime Task Force
  • Provo, Utah Police Department
  • Richardson, Texas Police Department
  • Rockland County New York District Attorneys Office
  • St. Louis County Police Department
  • United States Secret Service
  • Utah County Attorneys Office