Searching & Seizing Computer-Related Evidence

Published on Nov 19, 2015

PRESENTATION OUTLINE

Traditional Problems Associated with Finding Digital Evidence

- Digital evidence is especially volatile & voluminous, and is susceptible to climate or environmental factors as well as human error.
- It may be affected by power outages, electromagnetic fields, or extreme temperatures.
- Unlike traditional evidence, in which analysis of small samples is utilized to preserve the totality of the evidence, assessment of digital evidence requires evaluation of the whole, making one investigative mistake very costly.
- Loss of critical data creates potential liability for criminal investigators.
- The volume of digital evidence further complicates its recovery, making it virtually impossible to conduct a full on-scene analysis.

Problems Continued

- Digital evidence can be camouflaged or concealed by individuals desiring to hide information.
- New levels of software production, encryption, and steganography are used to hide files.
- Self-destructive or remote programs are used to erase data with pre-programmed commands.
- Technology is outpacing law enforcement training and knowledge.
- Resources and computer-related equipment are hard to replace due to lack of funds and approval from administrators.

The need to create and continually update the search and seizure policies for computer-related crime scene response is a necessity for law enforcement in this age of growing and changing technology.

Why Is Digital Evidence So Important?

Case Study - Three Examples
- The BTK serial murderer Dennis Rader terrorized Wichita, Kansas for 30 years until evidence on a computer disk led police to the former church council president & cub scout leader.
- Scott Peterson's computer contained a map of the island where his wife's body was found and revealed that he had shopped online for a boat, studied the water currents, and purchased a gift for his mistress.
- David Leslie Fuller's computers showed that he had stalked 3 other teenage girls before he abducted, raped, and murdered 13-year-old Kacie Woody, whom he met in an online chat room.

Pre-Search Activities in Computer-Related Crime

- The creation of a technologically sound computer forensic laboratory
- A temperature-controlled evidence storage facility with security
- A listed & recorded statement of the personnel needed for the search & seizure
- Pre-Search intelligence information & reports
- On-Scene equipment & evidence retrieval packaging

*** A safety backup plan in case the initial search & seizure activities are foiled by the suspect or exigent circumstances

Warrant Preparation & Application

Warrants: Should be prepared and reviewed by legal specialists & computer division commanders. This ensures that all language, protections, equipment, media, and incidentals that may be brought up in a court of law are stated. It also breeds familiarity among the investigators & ensures judicial approval.
Probable Cause: Must state that a crime has been committed, that there is evidence of the crime, & that the evidence resides at a particular location.
Seizing Equipment: The proper seizing of all hardware & software items at the scene of the crime. Is the computer-related equipment essential to the daily tasks of business operations?

On-Site vs Off-Site Searches

- Determined by the lead investigator or supervisor on the case
- On-site allows for immediate interviewing of the suspect due to developing evidence at the crime scene
- Off-site may be impossible due to mass amounts of storage or computer devices
- Off-site searches are more relaxed and time consuming, and no evidence is overlooked
- Legal issues vary on the possibility of a secondary warrant and off-site storage of the secondary evidence

No-Knock Warrants vs Secondary/Multiple Warrants

No-Knock Warrants
- If exigent circumstances dictate, a request should be included in the initial search warrant application
- Violent vs Non-violent offenses in criminal history
- The potential of evidence destruction or hiding of the evidence

Secondary/Multiple Warrants
- Investigators working one computer-related case unintentionally uncover evidence of a secondary crime NOT included in the initial search warrant language (US vs. Carey)
- Multiple warrants are needed in computer-related cases involving networked computers
- Needed if computers or data are stored in a remote or secondary location
- Needed if computers contain locked or encrypted files ("Expectation of Privacy" case law)

Plan Preparation & Personnel Gathering

SMEAC
Five Major Areas of Computer Crime Response
1. Situation: Clearly describe the "who" & "what" factors in the investigation (number of suspects, computers, equipment, geographical location(s), background of suspect(s), and any other dangerous situations which may arise).
2. Mission: What is the case scenario, and what do the case investigators want to happen during the search and seizure?
3. Execution: How will the mission be accomplished?
4. Avenues: How will investigators enter the scene? How will they exit the scene? Remember the initial safety plan & escape route(s).
5. Communications: How will investigators communicate at the scene and what devices will they use? (Remember that radio units may create electromagnetic fields which may damage data.) How will we keep communications ongoing with the department & commanders? Who is the primary point of contact? Who will transport and make "small talk" with the suspect?

On-Scene Personnel

In computer-related investigations, there are seven general categories of players.

* Case Supervisor - He/she should be the most experienced, with minimum qualifications of: a history of investigative experience; previous control, command, and respect from subordinates in other cases; and the ability to communicate in a professional and articulate manner.

Note: In police departments that do not have the expertise or experience in computer investigations, assigning a civilian expert and an experienced criminal investigator to work as co-case supervisors is recommended in order to ensure the surety of the case.

On-Scene Personnel

* Arrest Team
- Do NOT be fooled by investigators who state that the suspect(s) in computer crime investigations is neither violent nor physically strong.
- Executions of search warrants should be prepared for the worst-case scenario.
- Arrest team members should be armed and experienced in arrest situations.
- The arrest team's mission is to secure the suspect subsequent to the custodial transportation back to headquarters.

On-Scene Personnel

* Scene Security Team
- Usually comprised of patrol officers
- Responsible for security at the scene
- Should be aware of and prevent evidence contamination at the crime scene
- There should be a visible barrier for media coverage
- One member of this team should be selected as the team leader or supervisor

On-Scene Personnel

* Interview and Interrogation Team
- Members vary based on case characteristics
- Must be experienced in information gathering
- Responsible for interviewing witnesses and interrogating suspects
- Must possess exceptional communication skills
- Especially important in computer crime investigations because of the need for child pornography confessions, password retrieval, and voluntary search warrant authorization by the suspect in custody

On-Scene Personnel

* Sketch and Photo Team
- Individuals assigned to this team should be carefully screened for investigative experience
- These individuals must be meticulous because their drawings may be subpoenaed in court
- Used for crime scene reaction and re-construction purposes
- Responsibilities include diagramming and photographing the entire scene, including criminal evidence, and photographing the on-scene investigators' activities
- May need to change written work to digital

On-Scene Personnel

* Physical Search Team
- Members depend on the size of the case and the multiplicity of machines.
- In large cases, one officer per room is the standard
- May need to limit officers due to scene contamination (Murder)
- Responsibilities of members are to identify and mark all potential evidence
- These individuals are NOT responsible for the collection of evidence
- Should be well versed in ALL types of computer evidence and possible locations

On-Scene Personnel

* Seizure Team
- Must be experienced computer investigators
- Responsible for the "bagging and tagging" of evidence
- Must handle the evidence as stated in the guidelines
- Other responsibilities may include imaging a drive, dismantling a computer, and labeling and recording all relevant evidence
- Must have advanced computer forensic training
- May be civilian if there are no qualified law enforcement personnel

***Remember that Seizure is the last step

Preparing a Computer Forensics Toolkit

1. Evidence tape
2. Packaging tape
3. Evidence storage containers and labels
4. Miscellaneous writing and labeling materials
5. Sanitary materials
6. Flashlight
7. Extra batteries
8. List of contacts
9. Mobile carts or evidence transport
10. Wireless communications
11. Photographic equipment
12. Non-magnetic screwdrivers and hex wrenches
13. Small diagonal cutters
14. Hammer or nail puller
15. Any additional equipment you may need due to the characteristics of the case and past experience in the field

Computer-Specific Equipment & Materials

1. Multiple Boot Disks (Helix)
2. Backup Hardware & Miscellaneous Computer Peripherals
3. Anti-Virus Software
4. Imaging Software
5. Application Software
6. Computer Forensic Software
7. Extra Media
8. Extra Cables, Serial Port Connectors, & Gender Changers
9. Extension Cords and/or Power Strips
10. Surge Protectors and/or UPS device
11. Open Purchase Order to Local Computer Supply Store

On Scene Activities

Knock, Notice, and Document
A. Execution of a Search Warrant
B. Must announce presence, interests, and intentions
C. Look for imminent danger circumstances
D. Process should be video recorded

Securing the Crime Scene
A. Scene Security
B. Chain of custody
C. Scene contamination
D. Suspect's location
E. Computer-related issues (Networks, Hacker Systems, Self-Destruction Commands)

Scene Processing

Computer Crime Investigation
- Determining the need for additional assistance (Why?)
- Scene Processing
- Minimum Things to Document
- Computer Specific Things to Photograph
- Non-Computer Specific Things to Photograph
- General Checklist for Evidence Preservation

Locating Computer Crime Evidence

- Desktops
- Monitors
- Keyboards
- Telephone
- Wallets and/or purses
- Clothing
- Trash cans, recycle bins, paper shredders, and other garbage disposal areas
- Printers
- Inside of a computer

Cocaine Found Inside of Desktop Computer

Knife Found Inside a Cell Phone

Hand Gun Parts Found Inside of Laptop Computers

Seizure & Documentation of Evidence

- Image drive report
- Evidence log report
- Bag & tag report
- Scene departure and transportation of evidence to computer forensics lab
- Interview the suspect(s)