Forensic notes
Electronic devices: types, description, and potential evidence
computer systems - hardware, software, documents, images, emails and attachments, databases, financial information, Internet browsing history, chat logs, event logs, and data stored on external devices
storage devices:
hard drives - SCSI, SATA, IDE, laptop hard drives; connector types: IDE 40 pin, 2.5 inch IDE 44 pin, SATA, SCSI HD 65 pin, SCSI IDC 50 pin
internally: magnetically charged glass, ceramic or metal platters that store data
external hard drives - network storage devices, 3.5 inch and 2.5 inch drives
removable media - Zip disks, floppy disks, CDs and DVDs
thumb drives - small and lightweight, and may be disguised as watches, lighters or toys
memory cards - SmartMedia, Secure Digital (SD), mini and micro cards, Memory Stick, CompactFlash
evidence: email messages, Internet browser history, chat logs, photos, image files, databases, financial records, event logs
handheld devices:
phones, PDAs, pagers, digital cameras, GPS units - may contain software applications, data and information such as emails, browsing history, documents, photos, image files, financial records
NOTE:
- data may be lost if power is not maintained
- data on some mobile phones can be overwritten while the device is active
- the device can be rendered unusable remotely if it is lost or stolen, and the same can happen once law enforcement has taken it
peripheral devices: keyboard, mouse, microphones, USB and FireWire hubs, web cameras, memory card readers, VoIP devices.
- sources of DNA and fingerprints
- these devices, and the functions they perform or facilitate, are all potential evidence
other potential sources of digital evidence:
data storage tape drives, surveillance equipment, digital cameras and video cameras, digital audio recorders, digital video recorders, MP3 players, satellite audio and video recorders and access cards, computer chips, headsets, keyboard/mouse/video (KVM) sharing switches, SIM card readers, thumbprint readers, and reference materials such as books
- the device or item itself, its intended or actual use, and its settings are all potential evidence
Computer Networks:
network hubs, laptop network cards, Internet modems, network switches, power supplies, wireless access points, wireless network servers, directional antennas for wireless cards, wireless USB devices
- the data they contain, such as emails, documents, photos, software and browsing history, is useful
- useful as evidence and for prosecution
- the device functions and settings associated with system connections, including the IP address and local area network addresses associated with the computers and devices, are potential evidence
Chapter 2:
investigation tools and equipment
Tools and materials for collecting digital evidence:
first responders need the following: cameras, cardboard boxes, notepads, gloves, evidence inventory logs, evidence tape, paper evidence bags, evidence tags and labels, crime scene tape, anti-static bags, permanent markers and non-magnetic tools.
- should also have radio frequency shielding materials, such as Faraday isolation bags or aluminium foil, to wrap cell phones, smart phones and other mobile devices
- wrapping the phone in radio frequency shielding material prevents it from receiving a call, text message or other communication signal that may alter the evidence.
Securing and evaluating the scene
first responders' primary considerations: officer safety, the safety of everyone at the crime scene, and ensuring all actions are compliant with the law for collecting on-site evidence.
after securing the site:
- first visually identify all potential evidence
- ensure the integrity of both digital and traditional evidence is preserved
- digital evidence on computers can easily be changed, altered or even deleted
- document, photograph and secure digital evidence as soon as possible
when securing and evaluating the scene the first responder should:
- follow departmental policy for securing crime scenes
- immediately secure all electronic devices, including personal and portable devices, and ensure no unauthorised person has access to any electronic devices at the crime scene
- refuse offers of help or technical assistance from any unauthorised persons
- remove all persons from the crime scene or the immediate area from which evidence is to be collected
- ensure the condition of any electronic device is not altered
- leave a computer or electronic device off if it is already off
remember that components such as keyboards, mice and removable storage media hold physical evidence such as fingerprints and DNA, so this physical evidence should not be compromised during documentation.
if the computer is on, or its power state cannot be determined, the first responder should:
- look and listen for indications that the computer may be powered on
- check the display screen for signs that digital evidence is being destroyed; look out for words such as delete, format, remove, copy, move, etc.
- look for indications that the computer is being accessed from a remote computer or device
- look for signs of communication with other computers or users, such as instant messaging windows or chat rooms
- note all cameras and webcams and determine whether any are active
preliminary interviews:
- the first responder should identify everyone at the crime scene and record the time of entry of persons of interest
- no one should have access to any computer or device
- first responders should obtain as much information as possible from the crime scene, such as:
- names of all users of the computers and devices
- computer and Internet user information
- login names and user account names
- purpose of the computers
- all passwords
- any automated applications in use
- type of Internet access
- any off-site storage
- ISP
- installed software documentation
- all email accounts
- security provisions in use
- webmail account information
- data access restrictions in place
- all instant messaging screen names
- all destructive devices or software in use
- social media accounts
Chapter 4
documenting the scene
- documentation of the crime scene creates a record for the investigation
- it is very important to accurately and properly record:
- the location of the scene
- the scene itself
- the state and power status of the computers, storage media, wireless devices, mobile phones and other devices
- any other devices in close proximity
- avoid moving computers or devices until they are switched off; only then look for serial numbers
initial documentation:
- detailed recording using video
- photography
- notes and sketches to help recreate or convey details of the scene
- activities and processes on the display screen should be fully documented
documentation should include:
- the entire location, including the type, location and position of the computers and their components, peripheral equipment and other devices
- physical connections from the computer to other computers
- any network or wireless access points that may be present and capable of linking to other computers and devices; this may count as additional evidence beyond the crime scene
- even if the first responder cannot collect all the devices (for example, because of the laws in place), he or she should still document them
Chapter 5
Evidence Collection
- first responders must have proper authority to search for and collect evidence - this could be consent or a court order
- these devices must be handled carefully to preserve the integrity of both the physical evidence and the data
- some evidence requires special packaging
- data can be damaged or altered by electromagnetic fields, such as those generated by static electricity, magnets, radio transmitters and other devices
Chapter 6
packaging, transportation and storage of digital evidence
digital evidence: fragile and sensitive to extreme temperatures, humidity, physical shock, static electricity and magnetic fields
packaging procedures: ensure collected evidence is properly labelled, marked, photographed, video recorded or sketched, and inventoried before it is packaged.
- all connections and connected devices should be labelled so the system can be reconfigured easily later
- pack in anti-static bags
- plastic materials should not be used when packaging digital evidence, because plastic can produce or convey static electricity and allow humidity and condensation to develop, which may damage or destroy the evidence
- pack mobile phones in signal-blocking materials such as Faraday isolation bags, radio frequency shielding material or aluminium foil, to prevent messages being sent to or from the phone
- collect all power supplies and adapters for all electronic devices seized
transportation procedures:
- when transporting, keep evidence away from magnetic fields (radio transmitters, speaker magnets and magnet-mount emergency lights)
- do not turn on heated seats in the vehicle
- do not keep evidence in a vehicle for long periods of time, as shock and vibration can damage it
- document the transportation of digital evidence and maintain a chain of custody on all evidence transported
storage procedures:
- when storing digital evidence the first responder should:
- ensure it is fully inventoried in accordance with policy
- ensure it is stored in a climate-controlled environment, or a location not subject to extreme temperatures
- ensure the digital evidence is not exposed to magnetic fields, moisture, dust or vibration
- if more than one computer is seized, label each computer and its components, starting with the letter A.
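The evidence inventory log, the component labelling that starts with the letter A, and the chain of custody called for in the packaging, transportation and storage procedures above, as an added example that is not part of the original notes. Everything in it beyond what the notes require is this example's own assumption: the A, A-1, A-2 labelling convention (A for the first computer, A-1, A-2 for its components), the record fields, the constructed case number and items, and the SHA-256 hash chaining of custody entries, which lets verify() detect any later edit to an entry that has already been logged.

```python
# Evidence inventory and chain-of-custody log (added example, not from the notes).
# The labelling scheme beyond "start with the letter A", the record fields and the
# SHA-256 hash chaining are this example's own assumptions.
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


def system_label(index: int) -> str:
    """Label for the index-th seized computer: 0 -> 'A', 1 -> 'B', ..., 25 -> 'Z', 26 -> 'AA'."""
    n = index + 1
    label = ""
    while n > 0:
        n, rem = divmod(n - 1, 26)
        label = chr(ord("A") + rem) + label
    return label


@dataclass(frozen=True)
class Item:
    label: str          # "A" for a computer, "A-1" for its first component (assumed scheme)
    description: str
    serial: str
    packaging: str      # e.g. "anti-static bag", "Faraday bag", "paper bag"


class EvidenceLog:
    """Inventory of seized items plus a tamper-evident custody log (assumed design)."""

    GENESIS = "0" * 64   # 'previous hash' value used by the first entry

    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.items: dict[str, Item] = {}
        self.systems = 0
        self.entries: list[dict] = []

    def add_system(self, description, serial, packaging, components=()):
        """Register one computer and its components; returns the computer's label."""
        label = system_label(self.systems)
        self.systems += 1
        self.items[label] = Item(label, description, serial, packaging)
        for i, (desc, ser, pack) in enumerate(components, start=1):
            sub = f"{label}-{i}"
            self.items[sub] = Item(sub, desc, ser, pack)
        return label

    @staticmethod
    def _digest(entry: dict) -> str:
        """SHA-256 over every field except the entry's own hash, in a canonical JSON form."""
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, label, action, handler, location, when=None) -> str:
        """Append a custody event (collected, transported, stored, ...) for a known item."""
        if label not in self.items:
            raise KeyError(f"unknown evidence label {label!r}")
        when = when or datetime.now(timezone.utc)
        entry = {
            "case": self.case_id,
            "item": label,
            "action": action,
            "handler": handler,
            "location": location,
            "time": when.isoformat(),
            # each entry commits to the previous one, so the log forms a chain
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, count) if every entry is intact and linked; else (False, bad_index)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev") != prev or self._digest(e) != e.get("hash"):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def demo() -> EvidenceLog:
    """Constructed sample: two computers seized, custody recorded from scene to storage."""
    log = EvidenceLog("CASE-0001-EXAMPLE")          # constructed case number
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    a = log.add_system("desktop tower", "SN-DESK-001", "cardboard box",
                       components=[("keyboard", "n/a", "paper bag"),
                                   ("external HDD 3.5 inch", "SN-HDD-77", "anti-static bag")])
    b = log.add_system("laptop", "SN-LAP-002", "anti-static bag")
    log.record(a, "collected", "Officer Example", "scene, desk 1", t0)
    log.record(f"{a}-2", "collected", "Officer Example", "scene, desk 1", t0)
    log.record(b, "collected", "Officer Example", "scene, sofa", t0)
    log.record(a, "transported", "Officer Example", "vehicle 12", t0.replace(hour=10))
    log.record(a, "stored", "Evidence Clerk", "locker 4, climate controlled", t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = demo()
    print(sorted(log.items))     # ['A', 'A-1', 'A-2', 'B']
    print(log.verify())          # (True, 5)
```

Each custody entry embeds the hash of the entry before it, so changing a handler, location or time on an already-recorded entry invalidates that entry and every later one; verify() reports the first index that no longer checks out. The keyboard is packed in a paper bag rather than plastic, as the packaging procedures require, since it may also carry fingerprints and DNA.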