test 2

Cards (23)

  • Ways ISDE should present digital evidence
    • Verbally to an investigator/officer throughout a case
    • By a statement or report on conclusion of the case
    • In court if witness evidence is required
  • Devices seized as part of a search will typically be submitted to the force's Digital Forensic Unit in accordance with force policy
  • Due to the volume and complexity of data stored on digital devices, it is not possible or desirable to extract all data held on a device for review by investigators
  • Forensic strategy
    Enables the examination to be focused on the relevant data
  • Before attending a scene to capture digital evidence
    1. Ensure they have the necessary equipment
    2. Consider potential sources of evidence and know what is likely to be relevant, where possible
  • When removing the power supply cable
    1. Always remove the end connected to the computer
    2. This will avoid any data being written to the hard drive if an uninterruptible power supply is fitted
  • If the equipment was switched on
    1. Do not close down any programs or shut down the computer
    2. This will cause changes to the stored data and may trigger wiping software to run
  • Ask the user about the setup of the system, including any passwords, if circumstances dictate
    If these are given, record them accurately
  • Track any cables that can be seen
    As they may lead you to other devices in other rooms
  • Records to be kept when attending a scene
    • Sketch map/photographs of scene and digital equipment
    • Location and contact details
    • Details of all persons present where digital equipment is located
    • Details of digital items - make, model, serial number
    • Details of connected peripherals
    • Actions taken at scene showing exact time
    • Technical Notes/photographs showing state of system when found
  • If the screen is switched on
    1. Record what is on the screen by photographing it and by making a written note of the content of the screen
    2. Do not touch the keyboard or click the mouse
    3. If a short movement of the mouse restores the screen or reveals that the screen saver is password protected, photograph or video it and note its content
    4. If password protection is shown, continue without any further touching of the mouse
    5. Record the time and activity of the use of the mouse in these circumstances
  • When attending a scene, to comply with Principle 3, records must be kept of all actions taken in relation to digital evidence
  • Equipment needed when attending a scene
    • Labels and tape to mark and identify component parts of the system, including leads and sockets
    • Tools such as screwdrivers (flathead and crosshead), small pliers, and wire cutters for removal of cable ties
    • Anti-static bags and evidence bags fit for the purpose of securing and sealing heavy items such as computers and smaller items such as mobile
    • Cable ties for securing cables
    • Flat pack assembly boxes
    • Colored marker pens to code and identify removed items
    • Camera and/or video to photograph the scene
  • When securing and taking control of the area containing the equipment
    1. Move people away from any computers and power supplies and do not allow any interaction with digital devices by the suspect
    2. Photograph or video the scene and all the components
    3. Allow any printers to finish printing
  • If the computer is switched off
    1. Do not, in any circumstance, switch the computer on
    2. Make sure that the computer is switched off by moving the mouse; some screen savers may give the appearance that the computer is switched off, but hard drive and monitor activity lights may indicate that the machine is switched on
  • Plan
    Where to search for digital evidence, what content should be captured for later use as evidence, a list of equipment that might be of value during planned searches, records to be kept, and the do's and don'ts of seizing digital evidence
  • ACPO Guide for Good Practice of Digital Evidence
    • Plan
    • Capture
    • Analyze
    • Present
  • The person in charge of the case has overall responsibility for ensuring that a computer has been correctly examined in accordance with the law and these principles
  • Principle 1 (The Primary Rule)
    • No action taken by the law enforcement agencies or their agents should change the data held on a computer or other media which may subsequently be relied upon in Court
  • Principle 2
    • In exceptional circumstances it may be necessary to access the original data held on a target computer, but it is imperative that the person doing so is competent and can account for their actions
  • Principle 3
    • An audit trail must exist to show all the processes undertaken when examining computer data. An independent third party should be able to examine these processes and achieve the same result
  • ACPO, or the Association of Chief Police Officers, was a not-for-profit private limited company that was established in 1948 and led in the development of policing practices in England, Wales and Northern Ireland
  • The last ACPO president, from April 2009 until its dissolution, was Sir Hugh Stephen Roden Orde, who was previously the chief constable of the Police Service of Northern Ireland