Unformatted text preview: U.S. Department of Justice Office of Justice Programs National Institute of Justice
A Guide for First Responders
U.S. Department of Justice Office of Justice Programs 810 Seventh Street N.W. Washington, DC 20531
John Ashcroft Attorney General
Office of Justice Programs World Wide Web Site http://www.ojp.usdoj.gov
National Institute of Justice World Wide Web Site http://www.ojp.usdoj.gov/nij
Cover photographs copyright 2001 PhotoDisc, Inc.
Electronic Crime Scene
Electronic Crime Scene Investigation: A Guide for First Responders
Written and Approved by the Technical Working Group for Electronic Crime Scene Investigation
U.S. Department of Justice Office of Justice Programs National Institute of Justice
This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal.
Opinions or points of view expressed in this document represent a consensus of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice. The products and manufacturers discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice.
NCJ 187736 The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.
The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are being used increasingly to commit, enable, or support crimes perpetrated against persons, organizations, or property. Whether the crime involves attacks against computer systems, the information they contain, or more traditional crimes such as murder, money laundering, trafficking, or fraud, electronic evidence increasingly is involved. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and prosecutions that involve electronic evidence. To assist State and local law enforcement agencies and prosecutorial offices with the growing volume of electronic crime, a series of reference guides regarding practices, procedures, and decisionmaking processes for investigating electronic crime is being prepared by technical working groups of practitioners and subject matter experts who are knowledgeable about electronic crime. The practitioners and experts are from Federal, State, and local law enforcement agencies; criminal justice agencies; offices of prosecutors and district attorneys general; and academic, commercial, and professional organizations. The series of guides will address the investigation process from the crime scene first responder, to the laboratory, to the courtroom. Specifically, the series of guides will address:
x x x x x x
Crime scene investigations by first responders. Examination of digital evidence. Investigative uses of technology. Investigating electronic technology crimes. Creating a digital evidence forensic unit. Courtroom presentation of digital evidence.
Due to the rapidly changing nature of electronic and computer technologies and of electronic crime, efforts will be periodically undertaken to update the information contained within each of the guides. The guides, and any subsequent updates that are made to them, will be made available on the National Institute of Justice's World Wide Web site (http://www.ojp.usdoj.gov/nij).
Technical Working Group for Electronic Crime Scene Investigation
The Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) was a multidisciplinary group of practitioners and subject matter experts from across the United States and other nations. Each of the individual participants is experienced in the intricacies involved with electronic evidence in relation to recognition, documentation, collection, and packaging. To initiate the working group, a planning panel composed of a limited number of participants was selected to define the scope and breadth of the work. A series of guides was proposed in which each guide will focus on a different aspect of the discipline. The panel chose crime scene investigation as the first topic for incorporation into a guide.
Susan Ballou Program Manager for Forensic Sciences Office of Law Enforcement Standards National Institute of Standards and Technology Gaithersburg, Maryland Jaime Carazo Special Agent United States Secret Service Electronic Crimes Branch Washington, D.C. Bill Crane Assistant Director Computer Crime Section National White Collar Crime Center Fairmont, West Virginia Fred Demma National Law Enforcement and Corrections Technology CenterNortheast Rome, New York Grant Gottfried Special Projects National Center for Forensic Science Orlando, Florida Sam Guttman Assistant Inspector in Charge Forensic and Technical Services U.S. Postal Inspection Service Dulles, Virginia Jeffrey Herig Special Agent Florida Department of Law Enforcement Florida Computer Crime Center Tallahassee, Florida Tim Hutchison Sheriff Knox County Sheriff's Office Knoxville, Tennessee David Icove Manager, Special Projects U.S. TVA Police Knoxville, Tennessee
Bob Jarzen Sacramento County Laboratory of Forensic Science Sacramento, California Tom Johnson Dean School of Public Safety and Professional Studies University of New Haven West Haven, Connecticut Karen Matthews DOE Computer Forensic Laboratory Bolling AFB Washington, D.C. Mark Pollitt Unit Chief FBICART Washington, D.C. David Poole Director DoD Computer Forensics Laboratory Linthicum, Maryland Mary Riley Price Waterhouse Coopers, LLP Washington, D.C. Kurt Schmid Director National HIDTA Program Washington, D.C. Howard A. Schmidt Corporate Security Officer Microsoft Corp. Redmond, Washington
Raemarie Schmidt Computer Crime Spet National White Collar Crime Center Computer Crime Section Fairmont, West Virginia Carl Selavka Massachusetts State Police Crime Laboratory Sudbury, Massachusetts Steve Sepulveda United States Secret Service Washington, D.C. Todd Shipley Detective Sergeant Reno Police Department Financial/Computer Crimes Unit Reno, Nevada Chris Stippich Computer Crime Spet Computer Crime Section National White Collar Crime Center Fairmont, West Virginia Carrie Morgan Whitcomb Director National Center for Forensic Science Orlando, Florida Wayne Williams Sr. Litigation Counsel Computer Crime and Intellectual Property Section Criminal Division U.S. Department of Justice Washington, D.C.
Additional members were then incorporated into TWGECSI to provide a full technical working group. The individuals listed below, along with those participants on the planning panel, worked together to produce this guide for electronic crime scene first responders.
Abigail Abraham Assistant State's Attorney Cook County State's Attorney's Office Chicago, Illinois Keith Ackerman Head of CID Police HQ Hampshire Constabulary Winchester, Hants United Kingdom Michael Anderson President New Technologies, Inc Gresham, Oregon Bill Baugh CEO Savannah Technology Group Savannah, Georgia
Randy Bishop Special Agent in Charge U.S. Department of Energy Office of Inspector General Technology Crime Section Washington, D.C. Steve Branigan Vice President of Product Development Lucent Technologies Murray Hill, New Jersey Paul Brown CyberEvidence, Inc. The Woodlands, Texas Carleton Bryant Staff Attorney Knox County Sheriff's Office Knoxville, Tennessee Christopher Bubb Deputy Attorney General New Jersey Division of Criminal Justice Trenton, New Jersey Don Buchwald Project Engineer National Law Enforcement and Corrections Technology CenterWest The Aerospace Corporation Los Angeles, California Cheri Carr Computer Forensic Lab Chief NASA Office of the Inspector General Network and Advanced Technology Protections Office Washington, D.C. Nick Cartwright Manager Canadian Police Research Centre Ottawa, Ontario Canada Ken Citarella Chief High Tech Crimes Bureau Westchester County District Attorney White Plains, New York Chuck Coe Director of Technical Services NASA Office of the Inspector General Network and Advanced Technology Protections Office Washington, D.C. Fred Cohen Sandia National Laboratories Cyber Defender Program Livermore, California
Fred Cotton Director of Training Services SEARCH The National Consortium for Justice Information and Statistics Sacramento, California Tony Crisp Lieutenant Maryville Police Department Maryville, Tennessee Mark Dale New York State Police Forensic Investigation Center Albany, New York Claude Davenport Senior SA United States Customs Service Sterling, Virginia David Davies Photographic Examiner Federal Bureau of Investigation Washington, D.C. Michael Donhauser Maryland State Police Columbia, Maryland James Doyle Sergeant Detective Bureau New York City Police Department New York, New York Michael Duncan Sergeant Royal Canadian Mounted Police Economic Crime Branch Technological Crime Section Ottawa, Ontario Canada Jim Dunne Group Supervisor Drug Enforcement Agency St. Louis, Missouri Chris Duque Detective Honolulu Police Department White Collar Crime Unit Honolulu, Hawaii Doug Elrick Iowa DCI Crime Lab Des Moines, Iowa Paul French Computer Forensics Lab Manager New Technologies Armor, Inc. Gresham, Oregon
Gerald Friesen Electronic Search Coordinator Industry Canada Hull, Quebec Canada Pat Gilmore, CISSP Director Information Security Atomic Tangerine San Francisco, California Gary Gordon Professor Economic Crime Programs Utica College WetStone Technologies Utica, New York Dan Henry Chief Deputy Marion County Sheriff's Department Ocala, Florida Jeff Hormann Special Agent In Charge Computer Crime Resident Agency U.S. Army CID Ft. Belvoir, Virginia Mary Horvath Program Manager FBICART Washington, D.C. Mel Joiner Officer Arizona Department of Public Safety Phoenix, Arizona Nigel Jones Detective Sergeant Computer Crime Unit Police Headquarters Kent County Constabulary Maidstone, Kent United Kingdom Jamie Kerr SGT/Project Manager RCMP Headquarters Training Directorate Ottawa, Ontario Canada Alan Kestner Assistant Attorney General Wisconsin Department of Justice Madison, Wisconsin Phil Kiracofe Sergeant Tallahassee Police Department Tallahassee, Florida
Roland Lascola Program Manager FBI-CART Washington, D.C. Barry Leese Detective Sergeant Maryland State Police Computer Crimes Unit Columbia, Maryland Glenn Lewis Computer Spet SEARCH The National Consortium for Justice Information and Statistics Sacramento, California Chris Malinowski Forensic Computer Investigation University of New Haven West Haven, Connecticut Kevin Manson Director Cybercop.org St. Simons Island, Georgia Brenda Maples Lieutenant Memphis Police Department Memphis, Tennessee Tim McAuliffe New York State Police Forensic Investigation Center Albany, New York Michael McCartney Investigator New York State Attorney General's Office Criminal Prosecution Bureau Organized Crime Task Force Buffalo, New York Alan McDonald SSA Washington, D.C. Mark Menz SEARCH The National Consortium for Justice Information and Statistics Sacramento, California Dave Merkel AOL Investigations Reston, Virginia Bill Moylan Detective Nassau County PD Computer Crime Section Crimes Against Property Squad Westbury, New York
Steve Nesbitt Director of Operations NASA Office of the Inspector General Network and Advanced Technology Protections Office Washington, D.C. Glen Nick Program Manager U.S. Customs Service Cyber Smuggling Center Fairfax, Virginia Robert O'Leary Detective New Jersey State Police High Technology Crimes & Investigations Support Unit West Trenton, New Jersey Matt Parsons Special Agent/Division Chief Naval Criminal Investigative Service Washington, D.C. Mike Phelan Chief Computer Forensics Unit DEA Special Testing and Research Lab Lorton, Virginia Henry R. Reeve General Counsel/Deputy D.A. Denver District Attorney's Office Denver, Colorado Jim Riccardi, Jr. Electronic Crime Spet National Law Enforcement and Corrections Technology CenterNortheast Rome, New York David Roberts Deputy Executive Director SEARCH The National Consortium for Justice Information and Statistics Sacramento, California Leslie Russell Forensic Science Service Lambeth London, England United Kingdom Greg Schmidt Sr. Investigator EDS-Investigations/Technical Plano, Texas
George Sidor Law Enforcement Security Consultant Jaws Technologies Inc. St. Albert, Alberta Canada William Spernow CISSP Research Director Information Security Strategies Group Gartner, Inc. Suwanee, Georgia Ronald Stevens Senior Investigator New York State Police Forensic Investigation Center Albany, New York Gail Thackeray Special CounselTechnology Crimes Arizona Attorney General's Office Phoenix, Arizona Dwight Van de Vate Chief Deputy Knox County Sheriff's Office Knoxville, Tennessee Jay Verhorevoort Lieutenant Davenport Police Department Davenport, Iowa Richard Vorder Bruegge Photographic Examiner Federal Bureau of Investigation Washington, D.C. Robert B. Wallace U.S. Department of Energy Germantown, Maryland Craig Wilson Detective Sergeant Computer Crime Unit Police Headquarters Kent County Constabulary Maidstone, Kent United Kingdom Brian Zwit Chief Counsel (former) Environment, Science, and Technology National Association of Attorneys General Washington, D.C.
In May 1998, the National Cybercrime Training Partnership (NCTP), the Office of Law Enforcement Standards (OLES), and the National Institute of Justice (NIJ) collaborated on possible resources that could be implemented to counter electronic crime. Continuing meetings generated a desire to formulate one set of protocols that would address the process of electronic evidence from the crime scene through court presentations. NIJ selected the technical working group process as the way to achieve this goal but with the intent to create a publication flexible enough to allow implementation with any State and local law enforcement policy. Using its "template for technical working groups," NIJ established the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) to identify, define, and establish basic criteria to assist agencies with electronic investigations and prosecutions. In January 1999, planning panel members met at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, to review the fast-paced arena of electronic crime and prepare the scope, intent, and objectives of the project. During this meeting, the scope was determined to be too vast for incorporation into one guide. Thus evolved a plan for several guides, each targeting separate issues. Crime scene investigation was selected as the topic for the first guide. The initial meeting of the full TWGECSI took place March 1999 at NIST. After outlining tasks in a general meeting, the group separated into subgroups to draft the context of the chapters as identified by the planning panel. These chapters were Electronic Devices: Types and Potential Evidence; Investigative Tools and Equipment; Securing and Evaluating the Scene; Documenting the Scene; Evidence Collection; Packaging, Transportation, and Storage; and Forensic Examination by Crime Category. The volume of work involved in preparing the text of these chapters required additional TWGECSI meetings. The planning panel did not convene again until May 2000. Due to the amount of time that had transpired between meetings, the planning panel reviewed the draft content and compared it with changes that had occurred in the electronic crime environment.
These revisions to the draft were then sent to the full TWGECSI in anticipation of the next meeting. The full TWGECSI met again at NIST in August 2000, and through 2 days of intense discussion, edited most of the draft to represent the current status of electronic crime investigation. With a few more sections requiring attention, the planning panel met in Seattle, Washington, during September 2000 to continue the editing process. These final changes, the glossary, and appendixes were then critiqued and voted on by the whole TWGECSI during the final meeting in November 2000 at NIST. The final draft was then sent for content and editorial review to more than 80 organizations having expertise and knowledge in the electronic crime environment. The returned comments were evaluated and incorporated into the document when possible. The first chapter, Electronic Devices: Types and Potential Evidence, incorporates photographic representations of highlighted terms as a visual associative guide. At the end of the document are appendixes containing a glossary, legal resources, technical resources, training resources, and references, followed by a list of the organizations to which a draft copy of the document was sent.
The National Institute of Justice (NIJ) wishes to thank the members of the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) for their tireless dedication. There was a constant turnover of individuals involved, mainly as a result of job commitments and career changes. This dynamic environment resulted in a total of 94 individuals supplying their knowledge and expertise to the creation of the guide. All participants were keenly aware of the constant changes occurring in the field of electronics and strove to update information during each respective meeting. This demonstrated the strong desire of the working group to produce a guide that could be flexible and serve as a backbone for future efforts to upgrade the guide. In addition, NIJ offers a sincere thank you to each agency and organization represented by the working group members. The work loss to each agency during the absence of key personnel is evidence of management's commitment and understanding of the importance of standardization in forensic science. NIJ also wishes to thank Kathleen Higgins, Director, and Susan Ballou, Program Manager, of the Office of Law Enforcement Standards, for providing management and guidance in bringing the project to completion. NIJ would like to express appreciation for the input and support that Dr. David G. Boyd, Director of NIJ's Office of Science and Technology (OS&T), and Trent DePersia, Dr. Ray Downs, Dr. Richard Rau, Saralyn Borrowman, Amon Young, and James McNeil, all of OS&T, gave the meetings and the document. A special thanks is extended to Aspen Systems Corporation, specifically to Michele Coppola, the assigned editor, for her patience and skill in dealing with instantaneous transcription. In addition, NIJ wishes to thank the law enforcement agencies, academic institutions, and commercial organizations worldwide that supplied contact information, reference materials, and editorial suggestions. Particular thanks goes to Michael R. Anderson, President of New Technologies, Inc., for contacting agencies knowledgeable in electronic evidence for inclusion in the appendix on technical resources.
Foreword........................................................................................iii Technical Working Group for Electronic Crime Scene Investigation ........................................................................v Acknowledgments ......................................................................xiii Overview ........................................................................................1 The Law Enforcement Response to Electronic Evidence..........1 The Latent Nature of Electronic Evidence ................................2 The Forensic Process..................................................................2 Introduction ....................................................................................5 Who Is the Intended Audience for This Guide? ........................5 What is Electronic Evidence? ....................................................6 How Is Electronic Evidence Handled at the Crime Scene? ......6 Is Your Agency Prepared to Handle Electronic Evidence? ........7 Chapter 1. Electronic Devices: Types and Potential Evidence ......9 Computer Systems....................................................................10 Components..............................................................................12 Access Control Devices............................................................12 Answering Machines................................................................13 Digital Cameras........................................................................13 Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)..............................................................14 Hard Drives ..............................................................................15 Memory Cards..........................................................................15 Modems ....................................................................................16 Network Components ..............................................................16 Pagers ......................................................................................18 Printers......................................................................................18 Removable Storage Devices and Media ..................................19 Scanners....................................................................................19 Telephones................................................................................20 Miscellaneous Electronic Items ..............................................20
Chapter 2. Investigative Tools and Equipment. ............................23 Tool Kit ....................................................................................23 Chapter 3. Securing and Evaluating the Scene ............................25 Chapter 4. Documenting the Scene ..............................................27 Chapter 5. Evidence Collection ....................................................29 Nonelectronic Evidence ..........................................................29 Stand-Alone and Laptop Computer Evidence ........................30 Computers in a Complex Environment....................................32 Other Electronic Devices and Peripheral Evidence ................33 Chapter 6. Packaging, Transportation, and Storage ....................35 Chapter 7. Forensic Examination by Crime Category ................37 Auction Fraud (Online) ............................................................37 Child Exploitation/Abuse ........................................................37 Computer Intrusion ..................................................................38 Death Investigation ..................................................................38 Domestic Violence....................................................................38 Economic Fraud (Including Online Fraud, Counterfeiting) ....38 E-Mail Threats/Harassment/Stalking ......................................39 Extortion ..................................................................................39 Gambling ..................................................................................39 Identity Theft ............................................................................39 Narcotics ..................................................................................40 Prostitution ..............................................................................40 Software Piracy ........................................................................41 Telecommunications Fraud ......................................................41 Appendix A. Glossary ..................................................................47 Appendix B. Legal Resources List ..............................................53 Appendix C. Technical Resources List ........................................55 Appendix D. Training Resources List ..........................................73 Appendix E. References ..............................................................77 Appendix F. List of Organizations ..............................................81
Computers and other electronic devices are present in every aspect of modern life. At one time, a single computer filled an entire room; today, a computer can fit in the palm of your hand. The same technological advances that have helped law enforcement are being exploited by criminals. Computers can be used to commit crime, can contain evidence of crime, and can even be targets of crime. Understanding the role and nature of electronic evidence that might be found, how to process a crime scene containing potential electronic evidence, and how an agency might respond to such situations are crucial issues. This guide represents the collected experience of the law enforcement community, academia, and the private sector in the recognition, collection, and preservation of electronic evidence in a variety of crime scenes.
The Law Enforcement Response to Electronic Evidence
The law enforcement response to electronic evidence requires that officers, investigators, forensic examiners, and managers all play a role. This document serves as a guide for the first responder. A first responder may be responsible for the recognition, collection, preservation, transportation, and/or storage of electronic evidence. In today's world, this can include almost everyone in the law enforcement profession. Officers may encounter electronic devices during their day-to-day duties. Investigators may direct the collection of electronic evidence, or may perform the collection themselves. Forensic examiners may provide assistance at crime scenes and will perform examinations on the evidence. Managers have the responsibility of ensuring that personnel under their direction are adequately trained and equipped to properly handle electronic evidence. Each responder must understand the fragile nature of electronic evidence and the principles and procedures associated with its collection and preservation. Actions that have the potential to alter, damage, or destroy original evidence may be closely scrutinized by the courts.
Procedures should be in effect that promote electronic crime scene investigation. Managers should determine who will provide particular levels of services and how these services will be funded. Personnel should be provided with initial and ongoing technical training. Oftentimes, certain cases will demand a higher level of expertise, training, or equipment, and managers should have a plan in place regarding how to respond to these cases. The demand for responses to electronic evidence is expected to increase for the foreseeable future. Such services require that dedicated resources be allocated for these purposes.
The Latent Nature of Electronic Evidence
Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. As such, electronic evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence are latent. In its natural state, we cannot "see" what is contained in the physical object that holds our evidence. Equipment and software are required to make the evidence visible. Testimony may be required to explain the examination process and any process limitations. Electronic evidence is, by its very nature, fragile. It can be altered, damaged, or destroyed by improper handling or improper examination. For this reason, special precautions should be taken to document, collect, preserve, and examine this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. This guide suggests methods that will help preserve the integrity of such evidence.
The Forensic Process
The nature of electronic evidence is such that it poses special challenges for its admissibility in court. To meet these challenges, follow proper forensic procedures. These procedures include, but are not limited to, four phases: collection, examination, analysis, and reporting. Although this guide concentrates on the collection phase, the nature of the other three phases and what happens in each are also important to understand.
The collection phase involves the search for, recognition of, collection of, and documentation of electronic evidence. The collection phase can involve real-time and stored information that may be lost unless precautions are taken at the scene. The examination process helps to make the evidence visible and explain its origin and significance. This process should accomplish several things. First, it should document the content and state of the evidence in its totality. Such documentation allows all parties to discover what is contained in the evidence. Included in this process is the search for information that may be hidden or obscured. Once all the information is visible, the process of data reduction can begin, thereby separating the "wheat" from the "chaff." Given the tremendous amount of information that can be stored on computer storage media, this part of the examination is critical. Analysis differs from examination in that it looks at the product of the examination for its significance and probative value to the case. Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team. In some agencies, the same person or group will perform both these roles. A written report that outlines the examination process and the pertinent data recovered completes an examination. Examination notes must be preserved for discovery or testimony purposes. An examiner may need to testify about not only the conduct of the examination but also the validity of the procedure and his or her qualifications to conduct the examination.
This guide is intended for use by law enforcement and other responders who have the responsibility for protecting an electronic crime scene and for the recognition, collection, and preservation of electronic evidence. It is not all-inclusive. Rather, it deals with the most common situations encountered with electronic evidence. Technology is advancing at such a rapid rate that the suggestions in this guide must be examined through the prism of current technology and the practices adjusted as appropriate. It is recognized that all crime scenes are unique and the judgment of the first responder/investigator should be given deference in the implementation of this guide. Furthermore, those responsible officers or support personnel with special training should also adjust their practices as the circumstances (including their level of experience, conditions, and available equipment) warrant. This publication is not intended to address forensic analysis. Circumstances of individual cases and Federal, State, and local laws/rules may require actions other than those described in this guide. When dealing with electronic evidence, general forensic and procedural principles should be applied:
x x x
Actions taken to secure and collect electronic evidence should not change that evidence. Persons conducting examination of electronic evidence should be trained for the purpose. Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review.
Who Is the Intended Audience for This Guide?
x x x x
Anyone encountering a crime scene that might contain electronic evidence. Anyone processing a crime scene that involves electronic evidence. Anyone supervising someone who processes such a crime scene. Anyone managing an organization that processes such a crime scene.
Without having the necessary skills and training, no responder should attempt to explore the contents or recover data from a computer (e.g., do not touch the keyboard or click the mouse) or other electronic device other than to record what is visible on its display.
What Is Electronic Evidence?
Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. Such evidence is acquired when data or physical items are collected and stored for examination purposes. Electronic evidence:
x x x x
Is often latent in the same sense as fingerprints or DNA evidence. Can transcend borders with ease and speed. Is fragile and can be easily altered, damaged, or destroyed. Is sometimes time-sensitive.
How Is Electronic Evidence Handled at the Crime Scene?
Precautions must be taken in the collection, preservation, and examination of electronic evidence. Handling electronic evidence at the crime scene normally consists of the following steps:
x x x x
Recognition and identification of the evidence. Documentation of the crime scene. Collection and preservation of the evidence. Packaging and transportation of the evidence.
The information in this document assumes that:
The necessary legal authority to search for and seize the suspected evidence has been obtained.
The crime scene has been secured and documented (photographically and/or by sketch or notes). Crime scene protective equipment (gloves, etc.) is being used as necessary.
Note: First responders should use caution when seizing electronic devices. The improper access of data stored in electronic devices may violate provisions of certain Federal laws, including the Electronic Communications Privacy Act. Additional legal process may be necessary. Please consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel.
Is Your Agency Prepared to Handle Electronic Evidence?
This document recommends that every agency identify local computer experts before they are needed. These experts should be "on call" for situations that are beyond the technical expertise of the first responder or department. (Similar services are in place for toxic waste emergencies.) It is also recommended that investigative plans be developed in compliance with departmental policy and Federal, State, and local laws. In particular, under the Privacy Protection Act, with certain exceptions, it is unlawful for an agent to search for or seize certain materials possessed by a person reasonably believed to have a purpose of disseminating information to the public. For example, seizure of First Amendment materials such as drafts of newsletters or Web pages may implicate the Privacy Protection Act. This document may help in:
x x x x x
Assessing resources. Developing procedures. Assigning roles and tasks. Considering officer safety. Identifying and documenting equipment and supplies to bring to the scene.
Electronic Devices: Types and Potential Evidence
Electronic evidence can be found in many of the new types of electronic devices available to today's consumers. This chapter displays a wide variety of the types of electronic devices commonly encountered in crime scenes, provides a general description of each type of device, and describes its common uses. In addition, it presents the potential evidence that may be found in each type of equipment. Many electronic devices contain memory that requires continuous power to maintain the information, such as a battery or AC power. Data can be easily lost by unplugging the power source or allowing the battery to discharge. (Note: After determining the mode of collection, collect and store the power supply adaptor or cable, if present, with the recovered device.)
Printer CPU Location Telephone Diskettes
Description: A computer system typically consists of a main base unit, sometimes called a central processing unit (CPU), data storage devices, a monitor, keyboard, and mouse. It may be a standalone or it may be connected to a network. There are many types of computer systems such as laptops, desktops, tower systems, modular rack-mounted systems, minicomputers, and mainframe computers. Additional components include modems, printers, scanners, docking stations, and external data storage devices. For example, a desktop is a computer system consisting of a case, motherboard, CPU, and data storage, with an external keyboard and mouse. Primary Uses: For all types of computing functions and information storage, including word processing, calculations, communications, and graphics.
Potential Evidence: Evidence is most commonly found in files that are stored on hard drives and storage devices and media. Examples are:
User-created files may contain important evidence of criminal activity such as address books and database files that may prove criminal association, still or moving pictures that may be evidence of pedophile activity, and communications between criminals such as by e-mail or letters. Also, drug deal lists may often be found in spreadsheets.
x x x x x
Address books. Audio/video files. Calendars. Database files. Documents or text files.
x x x x
E-mail files. Image/graphics files. Internet bookmarks/favorites. Spreadsheet files.
Users have the opportunity to hide evidence in a variety of forms. For example, they may encrypt or password-protect data that are important to them. They may also hide files on a hard disk or within other files or deliberately hide incriminating evidence files under an innocuous name.
x x x
Compressed files. Encrypted files. Hidden files.
x x x
Misnamed files. Password-protected files. Steganography.
Evidence can also be found in files and other data areas created as a routine function of the computer's operating system. In many cases, the user is not aware that data are being written to these areas. Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and examined. Note: There are components of files that may have evidentiary value including the date and time of creation, modification, deletion, access, user name or identification, and file attributes. Even turning the system on can modify some of this information.
x x x
Backup files. Configuration files. Cookies. Hidden files. History files.
x x x x x
Log files. Printer spool files. Swap files. System files. Temporary files.
Other Data Areas
x x x x x x x
Bad clusters. Computer date, time, and password. Deleted files. Free space. Hidden partitions. Lost clusters. Metadata.
x x x x x x
Other partitions. Reserved areas. Slack space. Software registration information. System areas. Unallocated space.
Components Central Processing Units (CPUs)
Description: Often called the "chip," it is a microprocessor located inside the computer. The microprocessor is located in the main computer box on a printed circuit board with other electronic components. Primary Uses: Performs all arithmetic and logical functions in the computer. Controls the operation of the computer. Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.
Description: Removable circuit board(s) inside the computer. Information stored here is usually not retained when the computer is powered down. Primary Uses: Stores user's programs and data while computer is in operation. Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.
Access Control Devices
Smart Cards, Dongles, Biometric Scanners
Description: A smart card is a small handheld device that contains a microprocessor that is capable of storing a monetary value, encryption key or authentication information (password), digital certificate, or other information. A dongle is a small device that plugs into a computer port that contains types of information similar to information on a smart card. A biometric scanner is a device connected to a computer system that recognizes physical characteristics of an individual (e.g., fingerprint, voice, retina).
Primary Uses: Provides access control to computers or programs or functions as an encryption key. Potential Evidence: Identification/authentication information of the card and the user, level of access, configurations, permissions, and the device itself.
Description: An electronic device that is part of a telephone or connected between a telephone and the landline connection. Some models use a magnetic tape or tapes, while others use an electronic (digital) recording system. Primary Uses: Records voice messages from callers when the called party is unavailable or chooses not to answer a telephone call. Usually plays a message from the called party before recording the message. Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention. Potential Evidence: Answering machines can store voice messages and, in some cases, time and date information about when the message was left. They may also contain other voice recordings.
x x x
Caller identification information. Deleted messages. Last number called.
x x x
Memo. Phone numbers and names. Tapes.
Description: Camera, digital recording device for images and video, with related storage media and conversion hardware capable of transferring images and video to computer media.
Snappy Device (video capture device)
Primary Uses: Digital cameras capture images and/or video in a digital format that is easily transferred to computer storage media for viewing and/or editing.
Images. Removable cartridges. Sound.
Time and date stamp. Video.
Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)
Description: A personal digital assistant (PDA) is a small device that can include computing, telephone/fax, paging, networking, and other features. It is typically used as a personal organizer. A handheld computer approaches the full functionality of a desktop computer system. Some do not contain disk drives, but may contain PC card slots that can hold a modem, hard drive, or other device. They usually include the ability to synchronize their data with other computer systems, most commonly by a connection in a cradle (see photo). If a cradle is present, attempt to locate the associated handheld device. Primary Uses: Handheld computing, storage, and communication devices capable of storage of information. Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention. Potential Evidence:
x x x x
Palm in Cradle
Address book. Appointment calendars/ information. Documents. E-mail. Handwriting.
x x x x
Password. Phone book. Text messages. Voice messages.
Description: A sealed box containing rigid platters (disks) coated with a substance capable of storing data magnetically. Can be encountered in the case of a PC as well as externally in a standalone case. Primary Uses: Storage of information such as computer programs, text, pictures, video, multimedia files, etc. Potential Evidence: See potential evidence under computer systems.
External Hard Drive Pack
Removable Hard Drive Tray
2.5-inch IDE 5.25-inch IDE 2.5-inch IDE Hard Drive Hard Drive w/ Hard Drive (laptop) cover (Quantum removed Bigfoot)
3.5-inch IDE Hard Drive w/ cover removed
Flash Card in PCMCIA Adaptor
Description: Removable electronic storage devices, which do not lose the information when power is removed from the card. It may even be possible to recover erased images from memory cards. Memory cards can store hundreds of images in a credit cardsize module. Used in a variety of devices, including computers, digital cameras, and PDAs. Examples are memory sticks, smart cards, flash memory, and flash cards. Primary Uses: Provides additional, removable methods of storing and transporting information.
Smart Media Card
Floppy Disk Adaptor/ Memory Stick
Potential Evidence: See potential evidence under computer systems.
Smart Media Floppy
Compact Flash Card
Description: Modems, internal and external (analog, DSL, ISDN, cable), wireless modems, PC cards. Primary Uses: A modem is used to facilitate electronic communication by allowing the computer to access other computers and/or networks via a telephone line, wireless, or other communications medium. Potential Evidence: The device itself.
Network Components Local Area Network (LAN) Card or Network Interface Card (NIC)
Internal Network Interface Card
Note: These components are indicative of a computer network. See discussion on network system evidence in chapter 5 before handling the computer system or any connected devices. Description: Network cards, associated cables. Network cards also can be wireless.
Wireless PCMCIA Card
Wireless Network Interface Card
Primary Uses: A LAN/NIC card is used to connect computers. Cards allow for the exchange of information and resource sharing. Potential Evidence: The device itself, MAC (media access control) access address.
PCMCIA Network Interface Card
Routers, Hubs, and Switches
10Mbps or 10/100Mbps Autosensing Ethernet Hub
Description: These electronic devices are used in networked computer systems. Routers, switches, and hubs provide a means of connecting different computers or networks. They can frequently be recognized by the presence of multiple cable connections.
Standard RJ-45 Ethernet Cable
Cable or xDSL Modem
Primary Uses: Equipment used to distribute and facilitate the distribution of data through networks. Potential Evidence: The devices themselves. Also, for routers, configuration files.
CableFREE NCF600 CableFREE NBG600 PC Card in NetBlaster a Notebook
CableFREE ISA/PCI Card in a Desktop
Standard RJ-45 Ethernet Cable
Cable or xDSL Modem
Description: A server is a computer that provides some service for other computers connected to it via a network. Any computer, including a laptop, can be configured as a server.
Primary Uses: Provides shared resources such as e-mail, file storage, Web page services, and print services for a network. Potential Evidence: See potential evidence under computer systems.
Network Cables and Connectors
Description: Network cables can be different colors, thicknesses, and shapes and have different connectors, depending on the components they are connected to.
RJ-11 Phone Cable
Primary Uses: Connects components of a computer network. Potential Evidence: The devices themselves.
RJ45 LAN Cable & RJ11 Phone Cable
Centronics Printer Cable
Ultrawide SCSI Cable
Parallel Port Printer Cable
Serial Cable & Mouse
Network Cable Dongle & PC Network Card
PS2 Cable With PS2 AT Adapter
USB Cable With A&B Connectors
Description: A handheld, portable electronic device that can contain volatile evidence (telephone numbers, voice mail, e-mail). Cell phones and personal digital assistants also can be used as paging devices. Primary Uses: For sending and receiving electronic messages, numeric (phone numbers, etc.) and alphanumeric (text, often including e-mail).
Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention. Potential Evidence:
x x x
Address information. E-mail. Phone numbers.
Text messages. Voice messages.
Description: One of a variety of printing systems, including thermal, laser, inkjet, and impact, connected to the computer via a cable (serial, parallel, universal serial bus (USB), firewire) or accessed via an infrared port. Some printers contain a memory buffer, allowing them to receive and store multiple page documents while they are printing. Some models may also contain a hard drive. Primary Uses: Print text, images, etc., from the computer to paper. Potential Evidence: Printers may maintain usage logs, time and date information, and, if attached to a network, they may store network identity information. In addition, unique characteristics may allow for identification of a printer.
x x x x
Documents. Hard drive. Ink cartridges. Network identity/ information.
x x x
Superimposed images on the roller. Time and date stamp. User usage log.
Removable Storage Devices and Media
Description: Media used to store electrical, magnetic, or digital information (e.g., floppy disks, CDs, DVDs, cartridges, tape). Primary Uses: Portable devices that can store computer programs, text, pictures, video, multimedia files, etc.
External CDROM Drive
New types of storage devices and media come on the market frequently; these are a few examples of how they appear. Potential Evidence: See potential evidence under computer systems.
External Zip Drive Jaz Cartridge Zip Cartridge DAT Tape Reader LS-120 Floppy Disk
8mm and 4mm Tapes
3.5-inch Floppy Diskette
DLT Tape Cartridge
DVD RAM Cartridge
External Media Disk Drive
Description: An optical device connected to a computer, which passes a document past a scanning device (or vice versa) and sends it to the computer as a file. Primary Uses: Converts documents, pictures, etc., to electronic files, which can then be viewed, manipulated, or transmitted on a computer.
Potential Evidence: The device itself may be evidence. Having the capability to scan may help prove illegal activity (e.g., child pornography, check fraud, counterfeiting, identity theft). In addition, imperfections such as marks on the glass may allow for unique identification of a scanner used to process documents.
Description: A handset either by itself (as with cell phones), or a remote base station (cordless), or connected directly to the landline system. Draws power from an internal battery, electrical plug-in, or directly from the telephone system. Primary Uses: Two-way communication from one instrument to another, using land lines, radio transmission, cellular systems, or a combination. Phones are capable of storing information. Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention. Potential Evidence: Many telephones can store names, phone numbers, and caller identification information. Additionally, some cellular telephones can store appointment information, receive electronic mail and pages, and may act as a voice recorder.
x x x x x
Appointment calendars/information. x Password. Caller identification information. Electronic serial number. E-mail. Memo.
x x x x
Phone book. Text messages. Voice mail. Web browsers.
Miscellaneous Electronic Items
Caller ID Box
Cellular Phone Cloning Equipment
There are many additional types of electronic equipment that are too numerous to be listed that might be found at a crime scene. However, there are many nontraditional devices that can be an excellent source of Cellular investigative information and/or evidence. Examples Phone Cloning are credit card skimmers, cell phone cloning equipEquipment ment, caller ID boxes, audio recorders, and Web TV. Fax machines, copiers, and multifunction machines may have internal storage devices and may contain information of evidentiary value. REMINDER: The search of this type of evidence may require a search warrant. See note in the Introduction, page 7.
Some copiers maintain user access records and history of copies made. Copiers with the scan once/print many feature allow documents to be scanned once into memory, and then printed later. Potential Evidence:
Documents. Time and date stamp.
User usage log.
Credit Card Skimmers
Credit card skimmers are used to read information contained on the magnetic stripe on plastic cards. Potential Evidence: Cardholder information contained on the tracks of the magnetic stripe includes:
Credit Card Skimmer Credit Card Skimmer
Card expiration date. Credit card numbers.
User's address. User's name.
Credit Card Skimmer-- Laptop
There are several types of digital watches available that can function as pagers that store digital messages. They may store additional information such as address books, appointment calendars, e-mail, and notes. Some also have the capability of synchronizing information with computers. Potential Evidence:
x x x
Address book. Appointment calendars. E-mail.
Notes. Phone numbers.
Facsimile (fax) machines can store preprogrammed phone numbers and a history of transmitted and received documents. In addition, some contain memory allowing multiple-page faxes to be scanned in and sent at a later time as well as allowing incoming faxes to be held in memory and printed later. Some may store hundreds of pages of incoming and/or outgoing faxes.
Documents. Film cartridge.
Phone numbers. Send/receive log.
Global Positioning Systems (GPS)
Global Positioning Systems can provide information on previous travel via destination information, way points, and routes. Some automatically store the previous destinations and include travel logs. Potential Evidence:
x x x
Home. Previous destinations. Travel logs.
Way point coordinates. Way point name.
Investigative Tools and Equipment
Principle: Special tools and equipment may be required to collect electronic evidence. Experience has shown that advances in technology may dictate changes in the tools and equipment required. Policy: There should be access to the tools and equipment necessary to document, disconnect, remove, package, and transport electronic evidence. Procedure: Preparations should be made to acquire the equipment required to collect electronic evidence. The needed tools and equipment are dictated by each aspect of the process: documentation, collection, packaging, and transportation.
Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, markers). The following are additional items that may be useful at an electronic crime scene.
x x x
Cable tags. Indelible felt tip markers. Stick-on labels.
Disassembly and Removal Tools
A variety of nonmagnetic sizes and types of:
x x x x x
Flat-blade and Philips-type screwdrivers. Hex-nut drivers. Needle-nose pliers. Secure-bit drivers. Small tweezers.
x x x x
Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh). Standard pliers. Star-type nut drivers. Wire cutters.
Package and Transport Supplies
x x x x x x x x
Antistatic bags. Antistatic bubble wrap. Cable ties. Evidence bags. Evidence tape. Packing materials (avoid materials that can produce static electricity such as styrofoam or styrofoam peanuts). Packing tape. Sturdy boxes of various sizes.
Items that also should be included within a department's tool kit are:
x x x x x x x x x
Gloves. Hand truck. Large rubber bands. List of contact telephone numbers for assistance. Magnifying glass. Printer paper. Seizure disk. Small flashlight. Unused floppy diskettes (31/2 and 51/4 inch).
Securing and Evaluating the Scene
Principle: The first responder should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence, both traditional and electronic. Policy: All activities should be in compliance with departmental policy and Federal, State, and local laws. (Additional resources are referenced in appendix B.) Procedure: After securing the scene and all persons on the scene, the first responder should visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. The first responder should evaluate the scene and formulate a search plan. Secure and evaluate the scene:
Follow jurisdictional policy for securing the crime scene. This would include ensuring that all persons are removed from the immediate area from which evidence is to be collected. At this point in the investigation do not alter the condition of any electronic devices: If it is off, leave it off. If it is on, leave it on. Protect perishable data physically and electronically. Perishable data may be found on pagers, caller ID boxes, electronic organizers, cell phones, and other similar devices. The first responder should always keep in mind that any device containing perishable data should be immediately secured, documented, and/or photographed. Identify telephone lines attached to devices such as modems and caller ID boxes. Document, disconnect, and label each telephone line from the wall rather than the device, when possible. There may also be other communications lines present for LAN/ethernet connections. Consult appropriate personnel/agency in these cases.
Keyboards, the computer mouse, diskettes, CDs, or other components may have latent fingerprints or other physical evidence that should be preserved. Chemicals used in processing latent prints can damage equipment and data. Therefore, latent prints should be collected after electronic evidence recovery is complete. Conduct preliminary interviews:
Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry. Consistent with departmental policy and applicable law, obtain from these individuals information such as:
Owners and/or users of electronic devices found at the scene, as well as passwords (see below), user names, and Internet service provider. Passwords. Any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.) Purpose of the system. Any unique security schemes or destructive devices. Any offsite data storage. Any documentation explaining the hardware or software installed on the system.
y y y y
Documenting the Scene
Principle: Documentation of the scene creates a permanent historical record of the scene. Documentation is an ongoing process throughout the investigation. It is important to accurately record the location and condition of computers, storage media, other electronic devices, and conventional evidence. Policy: Documentation of the scene should be created and maintained in compliance with departmental policy and Federal, State, and local laws. Procedure: The scene should be documented in detail. Initial documentation of the physical scene:
Observe and document the physical scene, such as the position of the mouse and the location of components relative to each other (e.g., a mouse on the left side of the computer may indicate a left-handed user). Document the condition and location of the computer system, including power status of the computer (on, off, or in sleep mode). Most computers have status lights that indicate the computer is on. Likewise, if fan noise is heard, the system is probably on. Furthermore, if the computer system is warm, that may also indicate that it is on or was recently turned off. Identify and document related electronic components that will not be collected. Photograph the entire scene to create a visual record as noted by the first responder. The complete room should be recorded with 360 degrees of coverage, when possible. Photograph the front of the computer as well as the monitor screen and other components. Also take written notes on what appears on the monitor screen. Active programs may require videotaping or more extensive documentation of monitor screen activity.
Note: Movement of a computer system while the system is running may cause changes to system data. Therefore, the system should not be moved until it has been safely powered down as described in chapter 5.
Additional documentation of the system will be performed during the collection phase.
REMINDER: The search for and collection of evidence at an electronic crime scene may require a search warrant. See note in the Introduction, page 7. Principle: Computer evidence, like all other evidence, must be handled carefully and in a manner that preserves its evidentiary value. This relates not just to the physical integrity of an item or device, but also to the electronic data it contains. Certain types of computer evidence, therefore, require special collection, packaging, and transportation. Consideration should be given to protect data that may be susceptible to damage or alteration from electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices. Policy: Electronic evidence should be collected according to departmental guidelines. In the absence of departmental guidelines outlining procedures for electronic evidence collection, the following procedures are suggested. Note: Prior to collection of evidence, it is assumed that locating and documenting has been done as described in chapters 3 and 4. Recognize that other types of evidence such as trace, biological, or latent prints may exist. Follow your agency's protocol regarding evidence collection. Destructive techniques (e.g., use of fingerprint processing chemicals) should be postponed until after electronic evidence recovery is done.
Recovery of nonelectronic evidence can be crucial in the investigation of electronic crime. Proper care should be taken to ensure that such evidence is recovered and preserved. Items relevant to subsequent examination of electronic evidence may exist in other forms (e.g., written passwords and other handwritten notes, blank pads of paper with indented writing, hardware and software manuals, calendars, literature, text or graphical computer printouts, and photographs) and should be secured and preserved for future
analysis. These items frequently are in close proximity to the computer or related hardware items. All evidence should be identified, secured, and preserved in compliance with departmental policies.
Stand-Alone and Laptop Computer Evidence
CAUTION: Multiple computers may indicate a computer network. Likewise, computers located at businesses are often networked. In these situations, specialized knowledge about the system is required to effectively recover evidence and reduce your potential for civil liability. When a computer network is encountered, contact the forensic computer expert in your department or outside consultant identified by your department for assistance. Computer systems in a complex environment are addressed later in this chapter. A "stand-alone" personal computer is a computer not connected to a network or other computer. Stand-alones may be desktop machines or laptops. Laptops incorporate a computer, monitor, keyboard, and mouse into a single portable unit. Laptops differ from other computers in that they can be powered by electricity or a battery source. Therefore, they require the removal of the battery in addition to stand-alone power-down procedures. If the computer is on, document existing conditions and call your expert or consultant. If an expert or consultant is not available, continue with the following procedure: Procedure: After securing the scene per chapter 3, read all steps below before taking any action (or evidentiary data may be altered). a. Record in notes all actions you take and any changes that you observe in the monitor, computer, printer, or other peripherals that result from your actions. b. Observe the monitor and determine if it is on, off, or in sleep mode. Then decide which of the following situations applies and follow the steps for that situation.
Situation 1: Monitor is on and work product and/or desktop is visible. 1. Photograph screen and record information displayed. 2. Proceed to step c. Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver (picture) is visible. 1. Move the mouse slightly (without pushing buttons). The screen should change and show work product or request a password. 2. If mouse movement does not cause a change in the screen, DO NOT perform any other keystrokes or mouse operations. 3. Photograph the screen and record the information displayed. 4. Proceed to step c. Situation 3: Monitor is off. 1. Make a note of "off" status. 2. Turn the monitor on, then determine if the monitor status is as described in either situation 1 or 2 above and follow those steps. c. Regardless of the power state of the computer (on, off, or sleep mode), remove the power source cable from the computer-- NOT from the wall outlet. If dealing with a laptop, in addition to removing the power cord, remove the battery pack. The battery is removed to prevent any power to the system. Some laptops have a second battery in the multipurpose bay instead of a floppy drive or CD drive. Check for this possibility and remove that battery as well. d. Check for outside connectivity (e.g., telephone modem, cable, ISDN, DSL). If a telephone connection is present, attempt to identify the telephone number. e. To avoid damage to potential evidence, remove any floppy disks that are present, package the disk separately, and label the package. If available, insert either a seizure disk or a blank floppy disk. Do NOT remove CDs or touch the CD drive. f. Place tape over all the drive slots and over the power connector. g. Record make, model, and serial numbers. h. Photograph and diagram the connections of the computer and the corresponding cables.
i. Label all connectors and cable ends (including connections to peripheral devices) to allow for exact reassembly at a later time. Label unused connection ports as "unused." Identify laptop computer docking stations in an effort to identify other storage media. j. Record or log evidence according to departmental procedures. k. If transport is required, package the components as fragile cargo (see chapter 6).
Computers in a Complex Environment
Business environments frequently have multiple computers connected to each other, to a central server, or both. Securing and processing a crime scene where the computer systems are networked poses special problems, as improper shutdown may destroy data. This can result in loss of evidence and potential severe civil liability. When investigating criminal activity in a known business environment, the presence of a computer network should be planned for in advance, if possible, and appropriate expert assistance obtained. It should be noted that computer networks can also be found in a home environment and the same concerns exist. The possibility of various operating systems and complex hardware configurations requiring different shutdown procedures make the processing of a network crime scene beyond the scope of this guide. However, it is important that computer networks be recognized and identified, so that expert assistance can be obtained if one is encountered. Appendix C provides a list of technical resources that can be contacted for assistance. Indications that a computer network may be present include:
The presence of multiple computer systems. The presence of cables and connectors, such as those depicted in the pictures at left, running between computers or central devices such as hubs. Information provided by informants or individuals at the scene. The presence of network components as depicted in chapter 1.
Other Electronic Devices and Peripheral Evidence
The electronic devices such as the ones in the list below may contain potential evidence associated with criminal activity. Unless an emergency exists, the device should not be operated. Should it be necessary to access information from the device, all actions associated with the manipulation of the device should be documented to preserve the authenticity of the information. Many of the items listed below may contain data that could be lost if not handled properly. For more detailed information on these devices, see chapter 1. Examples of other electronic devices (including computer peripherals):
x x x x x x
Audio recorders. Answering machines. Cables. Caller ID devices. Cellular telephones. Chips. (When components such as chips are found in quantity, it may be indicative of chip theft.) Copy machines. Databank/Organizer digital. Digital cameras (still and video). Dongle or other hardware protection devices (keys) for software. Drive duplicators. External drives. Fax machines.
x x x x x x x x x x x x x
Flash memory cards. Floppies, diskettes, CDROMs. GPS devices. Pagers. Palm Pilots/electronic organizers. PCMCIA cards. Printers (if active, allow to complete printing). Removable media. Scanners (film, flatbed, watches, etc.). Smart cards/secure ID tokens. Telephones (including speed dialers, etc.). VCRs. Wireless access point.
x x x x
x x x
Note: When seizing removable media, ensure that you take the associated device that created the media (e.g., tape drive, cartridge drives such as Zip, Jaz, ORB, Clik!TM, Syquest, LS-120).
Packaging, Transportation, and Storage
Principle: Actions taken should not add, modify, or destroy data stored on a computer or other media. Computers are fragile electronic instruments that are sensitive to temperature, humidity, physical shock, static electricity, and magnetic sources. Therefore, special precautions should be taken when packaging, transporting, and storing electronic evidence. To maintain chain of custody of electronic evidence, document its packaging, transportation, and storage. Policy: Ensure that proper procedures are followed for packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. Packaging procedure: a. Ensure that all collected electronic evidence is properly documented, labeled, and inventoried before packaging. b. Pay special attention to latent or trace evidence and take actions to preserve it. c. Pack magnetic media in antistatic packaging (paper or antistatic plastic bags). Avoid using materials that can produce static electricity, such as standard plastic bags. d. Avoid folding, bending, or scratching computer media such as diskettes, CDROMs, and tapes. e. Ensure that all containers used to hold evidence are properly labeled. Note: If multiple computer systems are collected, label each system so that it can be reassembled as found (e.g., System Amouse, keyboard, monitor, main base unit; System Bmouse, keyboard, monitor, main base unit).
Transportation procedure: a. Keep electronic evidence away from magnetic sources. Radio transmitters, speaker magnets, and heated seats are examples of items that can damage electronic evidence. b. Avoid storing electronic evidence in vehicles for prolonged periods of time. Conditions of excessive heat, cold, or humidity can damage electronic evidence. c. Ensure that computers and other components that are not packaged in containers are secured in the vehicle to avoid shock and excessive vibrations. For example, computers may be placed on the vehicle floor and monitors placed on the seat with the screen down and secured by a seat belt. d. Maintain the chain of custody on all evidence transported. Storage procedure: a. Ensure that evidence is inventoried in accordance with departmental policies. b. Store evidence in a secure area away from temperature and humidity extremes. Protect it from magnetic sources, moisture, dust, and other harmful particles or contaminants. Note: Be aware that potential evidence such as dates, times, and systems configurations may be lost as a result of prolonged storage. Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.
Forensic Examination by Crime Category
The following outline should help officers/investigators identify the common findings of a forensic examination as they relate to specific crime categories. This outline will also help define the scope of the examination to be performed. (This information is also presented as a matrix at the end of this chapter.)
Auction Fraud (Online)
Account data regarding online auction sites. Accounting/bookkeeping software and associated data files. Address books. Calendar. Chat logs. Customer information/credit card data. Databases. Digital camera software.
x x x x x x x x
E-mail/notes/letters. Financial/asset records. Image files. Internet activity logs. Internet browser history/cache files. Online financial institution access software. Records/documents of "testimonials." Telephone records.
x x x x x x
x x x x x x
Chat logs. Date and time stamps. Digital camera software. E-mail/notes/letters. Games. Graphic editing and viewing software.
x x x x
Images. Internet activity logs. Movie files. User-created directory and file names that classify images.
x x x x x x
Address books. Configuration files. E-mail/notes/letters. Executable programs. Internet activity logs. Internet protocol (IP) address and user name.
x x x
Internet relay chat (IRC) logs. Source code. Text files (user names and passwords).
x x x x x
Address books. Diaries. E-mail/notes/letters. Financial/asset records. Images.
x x x x
Internet activity logs. Legal documents and wills. Medical records. Telephone records.
x x x
Address books. Diaries. E-mail/notes/letters.
x x x
Financial/asset records. Medical records. Telephone records.
Economic Fraud (Including Online Fraud, Counterfeiting)
x x x x x x
Address books. Calendar. Check, currency, and money order images. Credit card skimmers. Customer information/credit card data. Databases. E-mail/notes/letters.
x x x x x x
False financial transaction forms. False identification. Financial/asset records. Images of signatures. Internet activity logs. Online financial institution access software.
x x x x x
Address books. Diaries. E-mail/notes/letters. Financial/asset records. Images.
x x x x
Internet activity logs. Legal documents. Telephone records. Victim background research.
x x x
Date and time stamps. E-mail/notes/letters. History log.
x x x
Internet activity logs. Temporary Internet files. User names.
x x x x x x
Address books. Calendar. Customer database and player records. Customer information/credit card data. Electronic money. E-mail/notes/letters.
x x x x x
Financial/asset records. Image players. Internet activity logs. Online financial institution access software. Sports betting statistics.
Hardware and software tools.
y y y y y
y y y y y
Birth certificates. Check cashing cards. Digital photo images for photo identification. Driver's license. Electronic signatures.
Backdrops. Credit card generators. Credit card reader/writer. Digital cameras. Scanners.
y y y y x
Fictitious vehicle registrations. Proof of auto insurance documents. Scanned signatures. Social security cards.
y y y y y y y y y y y y y
Business checks. Cashiers checks. Counterfeit money. Credit card numbers. Fictitious court documents. Fictitious gift certificates. Fictitious loan documents. Fictitious sales receipts. Money orders. Personal checks. Stock transfer documents. Travelers checks. Vehicle transfer documentation.
Internet activity related to ID theft.
y y y y y y
E-mails and newsgroup postings. Erased documents. Online orders. Online trading information. System files and file slack. World Wide Web activity at forgery sites.
x x x x x
Address books. Calendar. Databases. Drug recipes. E-mail/notes/letters.
x x x x
False identification. Financial/asset records. Internet activity logs. Prescription form images.
x x x x x
Address books. Biographies. Calendar. Customer database/records. E-mail/notes/letters.
x x x x x
False identification. Financial/asset records. Internet activity logs. Medical records. World Wide Web page advertising.
x x x x x
Chat logs. E-mail/notes/letters. Image files of software certificates. Internet activity logs. Serial numbers.
Software cracking information and utilities. User-created directory and file names that classify copyrighted software.
At a physical scene, look for duplication and packaging material.
x x x
Cloning software. Customer database/records. Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records. E-mail/notes/letters.
x x x x
Financial/asset records. "How to phreak" manuals. Internet activity. Telephone records.
The following information, when available, should be documented to assist in the forensic examination:
x x x x
Case summary. Internet protocol address(es). Keyword lists. Nicknames.
x x x x
Passwords. Points of contact. Supporting documents. Type of crime.
Crimes Against Persons
Fraud/Other Financial Crime
Databases E-Mail/notes/letters Financial/asset records Medical records Telephone records
Account data Accounting/bookkeeping software Address books Backdrops Biographies Birth certificates Calendar Chat logs Check, currency, and money order images Check cashing cards Cloning software Configuration files Counterfeit money Credit card generators Credit card numbers Credit card reader/writer Credit card skimmers Customer database/ records Customer information/ credit card data Date and time stamps Diaries Digital cameras/software/ images Driver's license Drug recipes Electronic money Electronic signatures
Ch ild E Pr xplo os tit itatio ut io n/A De bu ath n se Do Inve me sti g E- stic atio M ail Viol n Ha ra Thr enc s e e Au sme ats cti nt/ / on Sta Fr lkin Co au mp d g ut er Ec In on om tru sio ic Ex n F to rti raud on Ga mb Ide ling nt ity Th N e ar co f t So tics ftw a Te re P lec Fr om irac au m y d un ic a tio ns
Crimes Against Persons
Fraud/Other Financial Crime
Specific Information (Cont):
Erased Internet documents ESN/MIN pair records Executable programs False financial transaction forms False identification Fictitious court documents Fictitious gift certificates Fictitious loan documents Fictitious sales receipts Fictitious vehicle registrations Games Graphic editing and viewing software History log "How to phreak" manuals Images Images of signatures Image files of software certificates Image players Internet activity logs Internet browser history/cache files IP address and user name IRC chat logs Legal documents and wills Movie files Online financial institution access software Online orders and trading information Prescription form images Records/documents of "testimonials" (Continued)
Ch ild E Pr xplo os i tit tatio n/A De utio bu ath n se Do Inve sti me ga tio E- stic M n a il V io Ha len ra T h s re ce Au sme ats cti nt/ / S o Co n F talk mp rau ing d ut er Ec Int on ru om sio ic n Ex Fr to au rti d Ga on mb Ide ling nt ity Th N ar co eft So tics ftw ar Te e P i lec F r o ra c y a u mm d un ic a tio ns
Crimes Against Persons
Fraud/Other Financial Crime
Specific Information (Cont):
Scanners/scanned signatures Serial numbers Social security cards Software cracking information and utilities Source code Sports betting statistics Stock transfer documents System files and file slack Temporary Internet files User names User-created directory and file names that classify copyrighted software User-created directory and file names that classify images Vehicle insurance and transfer documentation Victim background research Web activity at forgery sites Web page advertising
Ch ild E Pr xplo os i tit tatio u De tion n/Ab us ath e Do Inv es me tig ati E- stic on M a il V io Ha len ra T h ss re ce Au men ats/ cti t/S Co on F talk mp rau ing d u Ec ter I on nt ru om sio ic n Ex Fr to au rti d on Ga mb Ide ling nt ity Th N ar co eft tic So s ftw ar e Te P l Fr ecom irac au m y d un ic a tio ns
The views and opinions of authors expressed herein do not necessarily reflect those of the United States Government. Reference herein to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The information and statements contained in this document shall not be used for the purposes of advertising or to imply the endorsement or recommendation of the United States Government. With respect to information contained in this publication, neither the United States Government nor any of its employees make any warranty, express or implied, including but not limited to the warranties of merchantability and fitness for a particular purpose. Further, neither the United States Government nor any of its employees assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed; nor do they represent that its use would not infringe on privately owned rights.
Access token: In Windows NT, an internal security card that is generated when users log on. It contains the security IDs (SIDs) for the user and all the groups to which the user belongs. A copy of the access token is assigned to every process launched by the user. BIOS: Basic Input Output System. The set of routines stored in read-only memory that enable a computer to start the operating system and to communicate with the various devices in the system such as disk drives, keyboard, monitor, printer, and communication ports. Buffer: An area of memory, often referred to as a "cache," used to speed up access to devices. It is used for temporary storage of data read from or waiting to be sent to a device such as a hard disk, CD-ROM, printer, or tape drive. Clik!TM: A portable disk drive, also known as a PocketZip disk. The external drive connects to the computer via the USB port or a PC card, the latter containing a removable cartridge slot within the card itself. CD-R: Compact disk-recordable. A disk to which data can be written but not erased. CD-RW: Compact disk-rewritable. A disk to which data can be written and erased. Compressed file: A file that has been reduced in size through a compression algorithm to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed. Cookies: Small text files stored on a computer while the user is browsing the Internet. These little pieces of data store information such as e-mail identification, passwords, and history of pages the user has visited.
CPU: Central processing unit. The computational and control unit of a computer. Located inside a computer, it is the "brain" that performs all arithmetic, logic, and control functions in a computer. Deleted files: If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate the evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data. Digital evidence: Information stored or transmitted in binary form that may be relied upon in court. Docking station: A device to which a laptop or notebook computer can be attached for use as a desktop computer, usually having a connector for externally connected devices such as hard drives, scanners, keyboards, monitors, and printers. Documentation: Written notes, audio/videotapes, printed forms, sketches, and/or photographs that form a detailed record of the scene, evidence recovered, and actions taken during the search of the scene. Dongle: Also called a hardware key, a dongle is a copy protection device supplied with software that plugs into a computer port, often the parallel port on a PC. The software sends a code to that port and the key responds by reading out its serial number, which verifies its presence to the program. The key hinders software duplication because each copy of the program is tied to a unique number, which is difficult to obtain, and the key has to be programmed with that number. DSL: Digital subscriber line. Protocols designed to allow highspeed data communication over the existing telephone lines between end-users and telephone companies. Duplicate digital evidence: A duplicate is an accurate digital reproduction of all data objects contained on the original physical item. DVD: Digital versatile disk. Similar in appearance to a compact disk, but can store larger amounts of data.
Electromagnetic fields: The field of force associated with electric charge in motion having both electric and magnetic components and containing a definite amount of electromagnetic energy. Examples of devices that produce electromagnetic fields include speakers and radio transmitters frequently found in the trunk of the patrol car. Electronic device: A device that operates on principles governing the behavior of electrons. See chapter 1 for examples, which include computer systems, scanners, printers, etc. Electronic evidence: Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. Encryption: Any procedure used in cryptography to convert plain text into ciphertext in order to prevent anyone but the intended recipient from reading that data. First responder: The initial responding law enforcement officer and/or other public safety official arriving at the scene. Hidden data: Many computer systems include an option to protect information from the casual user by hiding it. A cursory examination may not display hidden files, directories, or partitions to the untrained viewer. A forensic examination will document the presence of this type of information. ISDN: Integrated services digital network. A high-speed digital telephone line for high-speed network communications. ISP: Internet service provider. An organization that provides access to the Internet. Small Internet service providers provide service via modem and ISDN, while the larger ones also offer private line hookups (e.g., T1, fractional T1). Jaz: A high-capacity removable hard disk system. Latent: Present, although not visible, but capable of becoming visible. LS-120: Laser Servo-120 is a floppy disk technology that holds 120MB. LS-120 drives use a dual-gap head, which reads and
writes 120MB disks as well as standard 3.5-inch 1.44MB and 720KB floppies. Magnetic media: A disk, tape, cartridge, diskette, or cassette that is used to store data magnetically. Misnamed files and files with altered extensions: One simple way to disguise a file's contents is to change the file's name to something innocuous. For example, if an investigator was looking for spreadsheets by searching for a particular file extension, such as ".XLS," a file whose extension had been changed by the user to ".DOC" would not appear as a result of the search. Forensic examiners use special techniques to determine if this has occurred, which the casual user would not normally be aware of. Modem: A device used by computers to communicate over telephone lines. It is recognized by connection to a phone line. Network: A group of computers connected to one another to share information and resources. Networked system: A computer connected to a network. ORB: A high-capacity removable hard disk system. ORB drives use magnetoresistive (MR) read/write head technology. Original electronic evidence: Physical items and those data objects that are associated with those items at the time of seizure. Password-protected files: Many software programs include the ability to protect a file using a password. One type of password protection is sometimes called "access denial." If this feature is used, the data will be present on the disk in the normal manner, but the software program will not open or display the file without the user entering the password. In many cases, forensic examiners are able to bypass this feature. Peripheral devices: An auxiliary device such as a printer, modem, or data storage system that works in conjunction with a computer. Phreaking: Telephone hacking.
Port: An interface by which a computer communicates with another device or system. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices. Port replicator: A device containing common PC ports such as serial, parallel, and network ports that plugs into a notebook computer. A port replicator is similar to a docking station but docking stations normally provide capability for additional expansion boards. Printer spool files: Print jobs that are not printed directly are stored in spool files on disk. Removable media: Items (e.g., floppy disks, CDs, DVDs, cartridges, tape) that store data and can be easily removed. Screen saver: A utility program that prevents a monitor from being etched by an unchanging image. It also can provide access control. Seizure disk: A specially prepared floppy disk designed to protect the computer system from accidental alteration of data. Server: A computer that provides some service for other computers connected to it via a network. Sleep mode: Power conservation status that suspends the hard drive and monitor resulting in a blank screen to conserve energy, sometimes referred to as suspend mode. Stand-alone computer: A computer not connected to a network or other computer. Steganography: The art and science of communicating in a way that hides the existence of the communication. It is used to hide a file inside another. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.
System administrator: The individual who has legitimate supervisory rights over a computer system. The administrator maintains the highest access to the system. Also can be known as sysop, sysadmin, and system operator. Temporary and swap files: Many computers use operating systems and applications that store data temporarily on the hard drive. These files, which are generally hidden and inaccessible, may contain information that the investigator finds useful. USB: Universal Serial Bus. A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices. Volatile memory: Memory that loses its content when power is turned off or lost. Zip: A 3.5-inch removable disk drive. The drive is bundled with software that can catalog disks and lock the files for security.
Legal Resources List
Publications Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Washington, D.C.: U.S. Department of Justice, Computer Crime and Intellectual Property Section, March 2001. (Online under http://www.cybercrime.gov/searchmanual.htm.) Prosecuting Cases That Involve Computers: A Resource for State and Local Prosecutors (CD-ROM), National White Collar Crime Center, 2001. (See http://www.nctp.org and http://www.training.nw3c.org for information). Web Sites Computer Crime and Intellectual Property Section of the U.S. Department of Justice, 2025141026, http://www.cybercrime.gov. National Cybercrime Training Partnership, 8776287674, http://www.nctp.org. Infobin, http://www.infobin.org/cfid/isplist.htm.
Technical Resources List
Computer Analysis Response Team FBI Laboratory 935 Pennsylvania Avenue N.W. Washington, DC 20535 Phone: 2023249307 http://www.fbi.gov/programs/lab/ org/cart.htm High Tech Crime Consortium International Headquarters 1506 North Stevens Street Tacoma, WA 984063826 Phone: 2537522427 Fax: 2537522430 E-mail: firstname.lastname@example.org
National Aeronautics and Space Administration Cheri Carr Computer Forensic Lab Chief NASA Office of the Inspector General Network and Advanced Technology Protections Office 300 E Street S.W. Washington, DC 20546 Phone: 2023584298 National Aeronautics and Space Administration Charles Coe Director of Technical Services NASA Office of the Inspector General Network and Advanced Technology Protections Office 300 E Street S.W. Washington, DC 20546 Phone: 2023582573 National Aeronautics and Space Administration Steve Nesbitt Director of Operations NASA Office of the Inspector General Network and Advanced Technology Protections Office 300 E Street S.W. Washington, DC 20546 Phone: 2023582576
Information Systems Security Association (ISSA) 7044 South 13th Street Oak Creek, WI 53154 Phone: 8003704772 http://www.issa.org Internal Revenue Service Criminal Investigation Division Rich Mendrop Computer Investigative Spet Program Manager 2433 South Kirkwood Court Denver, CO 80222 Phone: 3037560646
National Center for Forensic Science University of Central Florida P.O. Box 162367 Orlando, FL 32816 Phone: 4078236469 Fax: 4078233162 http://www.ncfs.ucf.edu National Criminal Justice Computer Laboratory and Training Center SEARCH Group, Inc. 7311 Greenhaven Drive, Suite 145 Sacramento, CA 95831 Phone: 9163922550 http://www.search.org National Law Enforcement and Corrections Technology Center (NLECTC)Northeast 26 Electronic Parkway Rome, NY 13441 Phone: 8883380584 Fax: 3153304315 http://www.nlectc.org National Law Enforcement and Corrections Technology Center (NLECTC)West c/o The Aerospace Corporation 2350 East El Segundo Boulevard El Segundo, CA 90245 Phone: 8885481618 Fax: 3103362227 http://www.nlectc.org National Railroad Passenger Corporation (NRPC) (AMTRAK) Office of Inspector General Office of Investigations William D. Purdy Senior Special Agent 10 G Street N.E., Suite 3E400 Washington, DC 20002 Phone: 2029064318 E-mail: email@example.com
National White Collar Crime Center 7401 Beaufont Springs Drive Richmond, VA 23225 Phone: 8002214424 http://www.nw3c.org Scientific Working Group on Digital Evidence http://www.for-swg.org/swgdein.htm Social Security Administration Office of Inspector General Electronic Crime Team 4S1 Operations Building 6401 Security Boulevard Baltimore, MD 21235 Phone: 4109657421 Fax: 4109655705 U.S. Customs Service's Cyber Smuggling Center 11320 Random Hills, Suite 400 Fairfax, VA 22030 Phone: 7032938005 Fax: 7032939127 U.S. Department of Defense DoD Computer Forensics Laboratory 911 Elkridge Landing Road, Suite 300 Linthicum, MD 21090 Phone: 4109810100/8779813235 U.S. Department of Defense Office of Inspector General Defense Criminal Investigative Service David E. Trosch Special Agent Program Manager, Computer Forensics Program 400 Army Navy Drive Arlington, VA 22202 Phone: 7036048733 E-mail: firstname.lastname@example.org
U.S. Department of Energy Office of the Inspector General Technology Crimes Section 1000 Independence Avenue, 5A235 Washington, DC 20585 Phone: 2025869939 Fax: 2025860754 E-mail: email@example.com U.S. Department of Justice Criminal Division Computer Crime and Intellectual Property Section (CCIPS) Duty Attorney 1301 New York Avenue N.W. Washington, DC 20530 Phone: 2025141026 http://www.cybercrime.gov U.S. Department of Justice Drug Enforcement Administration Michael J. Phelan Group Supervisor Computer Forensics Special Testing and Research Lab 10555 Furnace Road Lorton, VA 22079 Phone: 7034956787 Fax: 7034956794 E-mail: firstname.lastname@example.org U.S. Department of Transportation Office of Inspector General Jacquie Wente Special Agent 111 North Canal, Suite 677 Chicago, IL 60606 Phone: 3123530106 E-mail: email@example.com
U.S. Department of the Treasury Bureau of Alcohol, Tobacco and Firearms Technical Support Division Visual Information Branch Jack L. Hunter, Jr. Audio and Video Forensic Enhancement Spet 650 Massachusetts Avenue N.W. Room 3220 Washington, DC 202260013 Phone: 2029278037 Fax: 2029278682 E-mail: firstname.lastname@example.org U. S. Postal Inspection Service Digital Evidence 22433 Randolph Drive Dulles, VA 201041000 Phone: 7034067927 U.S. Secret Service Electronic Crimes Branch 950 H Street N.W. Washington, DC 20223 Phone: 2024065850 Fax: 2024069233 Veterans Affairs Office of the Inspector General Robert Friel Program Director, Computer Crimes and Forensics 801 I Street N.W., Suite 1064 Washington, DC 20001 Phone: 2025655701 E-mail: email@example.com
By State Alabama
Alabama Attorney General's Office Donna White, S/A 11 South Union Street Montgomery, AL 36130 Phone: 3342427345 E-mail: firstname.lastname@example.org Alabama Bureau of Investigation Internet Crimes Against Children Unit Glenn Taylor Agent 716 Arcadia Circle Huntsville, AL 35801 Phone: 2565394028 E-mail: email@example.com Homewood Police Department Wade Morgan 1833 29th Avenue South Homewood, AL 35209 Phone: 2058778637 E-mail: firstname.lastname@example.org Hoover Police Department Det. Michael Alexiou FBI Innocent Images Task Force, Birmingham 100 Municipal Drive Hoover, AL 35216 Phone: 2054447798 Pager: 2058190507 Mobile: 2055677516 E-mail: email@example.com
Alaska State Troopers Sgt. Curt Harris White Collar Crime Section 5700 East Tudor Road Anchorage, AK 99507 Phone: 9072695627 E-mail: firstname.lastname@example.org Anchorage Police Department Det. Glen Klinkhart/Sgt. Ross Plummer 4501 South Bragaw Street Anchorage, AK 995071599 Phone: 9077868767/9077868778 E-mail: email@example.com firstname.lastname@example.org University of Alaska at Fairbanks Police Department Marc Poeschel Coordinator P.O. Box 755560 Fairbanks, AK 99775 Phone: 9074747721 E-mail: email@example.com
Arizona Attorney General's Office Technology Crimes 1275 West Washington Street Phoenix, AZ 85007 Phone: 6025423881 Fax: 6025425997
University of Arkansas at Little Rock Police Department William (Bill) Reardon/Bobby Floyd 2801 South University Avenue Little Rock, AR 72204 Phone: 5015698793/5015698794 E-mail: firstname.lastname@example.org email@example.com
Modesto Police Department 600 10th Street Modesto, CA 95353 Phone: 2095729500, ext. 29119 North Bay High Technology Evidence Analysis Team (HEAT) Sgt. Dave Bettin 1125 Third Street Napa, CA 94559 Phone: 7072534500 Regional Computer Forensic Laboratory at San Diego 9797 Aero Drive San Diego, CA 921231800 Phone: 8584997799 Fax: 8584997798 E-mail: firstname.lastname@example.org http://www.rcfl.org Sacramento Valley Hi-Tech Crimes Task Force Hi-Tech Crimes Division Sacramento County Sheriff's Department Lt. Mike Tsuchida P.O. Box 988 Sacramento, CA 958120998 Phone: 9168743030 E-mail: email@example.com San Diego High Technology Crimes Economic Fraud Division David Decker District Attorney's Office, County of San Diego Suite 1020 San Diego, CA 92101 Phone: 6195313660 E-mail: firstname.lastname@example.org
Bureau of Medi-Cal Fraud and Elder Abuse Luis Salazar Senior Legal Analyst/Computer Forensic Team Coordinator 110 West A Street, Suite 1100 San Diego, CA 92101 Phone: 6196452432 Fax: 6196452455 E-mail: SALAZAL@hdcdojnet.state.ca.us California Franchise Tax Board Investigations Bureau Ashraf L. Massoud Special Agent 100 North Barranca Street, Suite 600 West Covina, CA 917911600 Phone: 6268594678 E-mail: email@example.com Kern County Sheriff's Department Tom Fugitt 1350 Norris Road Bakersfield, CA 93308 Phone: 6613917728 E-mail: firstname.lastname@example.org Los Angeles Police Department Computer Crime Unit Det. Terry D. Willis 150 North Los Angeles Street Los Angeles, CA 90012 Phone: 2134853795
Silicon Valley High Tech Crime Task Force Rapid Enforcement Allied Computer Team (REACT) c/o Federal Bureau of Investigation Nick Muyo 950 South Bascom Avenue, Suite 3011 San Jose, CA 95128 Phone: 4084947161 Pager: 4089943264 E-mail: email@example.com Southern California High Technology Crime Task Force Sgt. Woody Gish Commercial Crimes Bureau Los Angeles County Sheriff's Department 11515 South Colima Road, Room M104 Whittier, CA 90604 Phone: 5629467942 U.S. Customs Service Frank Day Senior Special Agent Computer Investigative Spet 3403 10th Street, Suite 600 Riverside, CA 92501 Phone: 9062766664, ext. 231 E-mail: FDay@usa.net
Connecticut Department of Public Safety Division of Scientific Services Forensic Science Laboratory Computer Crimes and Electronic Evidence Unit 278 Colony Street Meriden, CT 06451 Phone: 2036396492 Fax: 2036303760 E-mail: firstname.lastname@example.org Connecticut Department of Revenue Services Special Investigations Section 25 Sigourney Street Hartford, CT 06106 Phone: 8602975877 Fax: 8602975625 E-mail: Cal.Mellor@po.state.ct.us Yale University Police Department Sgt. Dan Rainville 98100 Sachem Street New Haven, CT 06511 Phone: 2034327958 E-mail: email@example.com
Denver District Attorney's Office Henry R. Reeve General Counsel/Deputy D.A. 303 West Colfax Avenue, Suite 1300 Denver, CO 80204 Phone: 7209139000 Department of Public Safety Colorado Bureau of Investigation Computer Crime Investigation 690 Kipling Street, Suite 3000 Denver, Colorado 80215 Phone: 3032394292 Fax: 3032395788 E-mail: Collin.Reese@cdps.state.co.us
Delaware State Police High Technology Crimes Unit 1575 McKee Road, Suite 204 Dover, DE 19904 Det. Steve Whalen Phone: 3027392761 E-mail: firstname.lastname@example.org Det. Daniel Willey Phone: 3027398020 E-mail: email@example.com Sgt. Robert Moses Phone: 3027392467 E-Mail: firstname.lastname@example.org Capt. David Citro Phone: 3027341399 E-mail: email@example.com
New Castle County Police Department Criminal Investigations Unit Det. Christopher M. Shanahan/ Det. Edward E. Whatley 3601 North DuPont Highway New Castle, DE 19720 Phone: 3023958110 E-mail: firstname.lastname@example.org email@example.com University of Delaware Police Department Capt. Stephen M. Bunting 101 MOB 700 Pilottown Road Lewes, DE 19958 Phone: 3026454334 E-mail: firstname.lastname@example.org
Institute of Police Technology and Management Computer Forensics Laboratory University of North Florida 12000 Alumni Drive Jacksonville, FL 322242678 Phone: 9046204786 Fax: 9046202453 http://www.iptm.org Office of Statewide Prosecution High Technology Crimes Thomas A. Sadaka Special Counsel 135 West Central Boulevard, Suite 1000 Orlando, FL 32801 Phone: 4072450893 Fax: 4072450356 Pinellas County Sheriff's Office Det. Matthew Miller 10750 Ulmerton Road Largo, FL 33778 E-mail: email@example.com
District of Columbia
Metropolitan Police Department Special Investigations Division Computer Crimes and Forensics Unit Investigator Tim Milloff 300 Indiana Avenue N.W., Room 3019 Washington, DC 20001 Phone: 2027274252/2027271010 E-mail: firstname.lastname@example.org
Georgia Bureau of Investigation Financial Investigations Unit Steve Edwards Special Agent in Charge 5255 Snapfinger Drive, Suite 150 Decatur, GA 30035 Phone: 7709872323 Fax: 7709879775 E-mail: steve.edwards@GBI.state.ga.us
Florida Atlantic University Police Department Det. Wilfredo Hernandez 777 Glades Road, #49 Boca Raton, FL 33431 Phone: 5612972371 Fax: 5612973565 Gainsville Police Department Criminal Investigations/Computer Unit Det. Jim Ehrat 721 N.W. Sixth Street Gainsville, FL 32601 Phone: 3523342488 E-mail: email@example.com
Honolulu Police Department White Collar Crime Unit Det. Chris Duque 801 South Beretania Street Honolulu, HI 96819 Phone: 8085293112
Ada County Sheriff's Office Det. Lon Anderson, CFCE 7200 Barrister Drive Boise, ID 83704 Phone: 2083776691
Indiana State Police Det. David L. Lloyd Computer Crime Unit 5811 Ellison Road Fort Wayne, IN 46750 Phone: 2194328661 E-mail: firstname.lastname@example.org Indianapolis Police Department Det. William J. Howard 901 North Post Road, Room 115 Indianapolis, IN 46219 Phone: 3173273461 E-mail: email@example.com
Illinois State Police Computer Crimes Investigation Unit Division of Operations Operational Services Command Statewide Special Investigations Bureau 500 Illes Park Place, Suite 104 Springfield, IL 62718 Phone: 2175249572 Fax: 2177856793 Illinois State Police Computer Crimes Investigation Unit Master Sgt. James Murray 9511 West Harrison Street Des Plaines, IL 600161562 Phone: 8472944549 E-mail: firstname.lastname@example.org Tazewell County State's Attorney CID Det. Dave Frank 342 Court Street, Suite 6 Pekin, IL 615543298 Phone: 3094772205, ext. 400 Fax: 3094772729 E-mail: email@example.com
Iowa Division of Criminal Investigation Doug Elrick Criminalist 502 East Ninth Street Des Moines, IA 50319 Phone: 5152813666 Fax: 5152817638 E-mail: firstname.lastname@example.org
Kansas Bureau of Investigation High Technology Crime Investigation Unit (HTCIU) David J. Schroeder Senior Special Agent 1620 S.W. Tyler Street Topeka, KS 666121837 Phone: 7852968222 Fax: 7852960525 E-mail: email@example.com Olathe Police Department Sgt. Edward McGillivray 501 East 56 Highway Olathe, KS 66061 Phone: 9137824500 E-mail: firstname.lastname@example.org
Evansville Police Department Det. J. Walker/Det. Craig Jordan Fraud Investigations 15 N.W. Martin Luther King, Jr., Boulevard Evansville IN, 47708 Phone: 8124367995/8124367994 E-mail: Jwalker@evansvillepolice.com email@example.com
Wichita Police Department Forensic Computer Crimes Unit Det. Shaun Price/Det. Randy Stone 455 North Main, Sixth Floor Lab Wichita, KS 67202 Phone: 3162684102/3162684128 E-mail: firstname.lastname@example.org email@example.com firstname.lastname@example.org
Maine Computer Crimes Task Force 171 Park Street Lewiston, ME 04240 Det. James C. Rioux Phone: 2077846422, ext. 250 Investigator Mike Webber Phone: 2077846422, ext. 255 Det. Thomas Bureau Phone: 2077846422, ext. 256
Boone County Sheriff Det. Daren Harris P.O. Box 198 Burlington, KY 41005 Phone: 8593342175 E-mail: email@example.com
Anne Arundel County Police Department Computer Crimes Unit Sgt. Terry M. Crowe 41 Community Place Crownsville, MD 21032 Phone: 4102223419 Fax: 4109877433 E-mail: firstname.lastname@example.org Department of Maryland State Police Computer Crimes Unit D/SGT Barry E. Leese Unit Commander 7155C Columbia Gateway Drive Columbia, MD 21046 Phone: 4102901620 Fax: 4102901831 Montgomery County Police Computer Crime Unit Det. Brian Ford 2350 Research Boulevard Rockville, MD 20850 Phone: 3018402599 E-mail: CCU@co.mo.md.us
Gonzales Police Department Officer Victoria Smith 120 South Irma Boulevard Gonzales, LA 70737 Phone: 2256477511 Fax: 2256479544 E-mail: email@example.com Louisiana Department of Justice Criminal Division High Technology Crime Unit P.O. Box 94095 Baton Rouge, LA 70804 James L. Piker, Assistant Attorney General Section Chief, High Technology Crime Unit Investigator Clayton Rives Phone: 2253427552 Fax: 2253427893 E-mail: PikerJ@ag.state.la.us RivesCS@ag.state.la.us Scott Turner, Computer Forensic Examiner Phone: 2253424060 Fax: 2253423482 E-mail: TurnerS@ag.state.la.us
Massachusetts Office of the Attorney General High Tech and Computer Crime Division John Grossman, Chief Assistant Attorney General One Ashburton Place Boston, MA 02108 Phone: 6177272200
St. Louis Metropolitan Police Department High Tech Crimes Unit Det. Sgt. Robert Muffler 1200 Clark St. Louis, MO 63103 Phone: 3144445441 E-mail: firstname.lastname@example.org
Michigan Department of Attorney General High Tech Crime Unit 18050 Deering Livonia, MI 48152 Phone: 7345254151 Fax: 7345254372 Oakland County Sheriff's Department Computer Crimes Unit Det./Sgt. Joe Duke, CFCE 1201 North Telegraph Road Pontiac, MI 48341 Phone: 2488584942 Fax: 2488589565 Pager: 2485804047
Montana Division of Criminal Investigation Computer Crime Unit Jimmy Weg Agent in Charge 303 North Roberts, Room 367 Helena, MT 59620 Phone: 4064446681 E-mail: email@example.com
Lincoln Police Department Investigator Ed Sexton 575 South 10th Street Lincoln, NE 68508 Phone: 4024417587 E-mail: firstname.lastname@example.org Nebraska State Patrol Internet Crimes Against Children Unit Sgt. Scott Christensen Coordinator 4411 South 108th Street Omaha, NE 68137 Phone: 4025952410 Fax: 4026971409 E-mail: email@example.com
Ramsey County Sheriff's Department 14 West Kellogg Boulevard St. Paul, MN 55102 Phone: 6512662797 E-mail: firstname.lastname@example.org
Biloxi Police Department Investigator Donnie G. Dobbs 170 Porter Avenue Biloxi, MS 39530 Phone: 2284329382 E-mail: email@example.com
City of Reno, Nevada, Police Department Computer Crimes Unit 455 East Second Street (street address) Reno, NV 89502 P.O. Box 1900 (mailing address) Reno, NV 89505 Phone: 7753342107 Fax: 7757854026 Nevada Attorney General's Office John Lusak Senior Computer Forensic Tech 100 North Carson Street Carson City, NV 89701 Phone: 7753282889 E-mail: firstname.lastname@example.org
Ocean County Prosecutor's Office Special Investigations Unit/Computer Crimes Investigator Mike Nevil P.O. Box 2191 Toms River, NJ 08753 Phone: 7329292027, ext. 4014 Fax: 7322403338 E-mail: email@example.com
New Mexico Gaming Control Board Information Systems Division Donovan Lieurance 6400 Uptown Boulevard N.E., Suite 100E Albuquerque, NM 87110 Phone: 5058419719 E-mail: firstname.lastname@example.org Twelfth Judicial District Attorney's Office Investigator Jack Henderson 1000 New York Avenue, Room 301 Alamogordo, NM 88310 Phone: 5054371313, ext. 110 E-mail: email@example.com
New Hampshire State Police Forensic Laboratory Computer Crimes Unit 10 Hazen Drive Concord, NH 03305 Phone: 6032710300
New Jersey Division of Criminal Justice Computer Analysis and Technology Unit (CATU) James Parolski Team Leader 25 Market Street P.O. Box 085 Trenton, NJ 086250085 Phone: 6099845256/6099846500 Pager: 8888191292 E-mail: firstname.lastname@example.org
Erie County Sheriff's Office Computer Crime Unit 10 Delaware Avenue Buffalo, NY 14202 Phone: 7166626150 http://www.erie.gov/sheriff/CCU Nassau County Police Department Computer Crime Section Det. Bill Moylan 970 Brush Hollow Road Westbury, NY 11590 Phone: 5165735275
New York Electronic Crimes Task Force United States Secret Service ATSAIC Robert Weaver 7 World Trade Center, 10th Floor New York, NY 11048 Phone: 2126374500 New York Police Department Computer Investigation and Technology Unit 1 Police Plaza, Room 1110D New York, NY 10038 Phone: 2123744247 Fax: 2123744249 E-mail: email@example.com New York State Attorney General's Office Internet Bureau 120 Broadway New York, NY 10271 Phone: 2124166344 http://www.oag.state.ny.us New York State Department of Taxation and Finance Office of Deputy Inspector General W.A. Harriman Campus Building 9, Room 481 Albany, NY 12227 Phone: 5184858698 http://www.tax.state.ny.us New York State Police Computer Crime Unit Ronald R. Stevens Senior Investigator Forensic Investigation Center Building 30, State Campus 1220 Washington Avenue Albany, NY 12226 Phone: 5184575712 Fax: 5184022773 E-mail: nys...