NSA Guide To Cyber Forensics

a guest, Apr 23rd, 2019

Counter Cyber Intelligence and Forensic OpSec

CI means Counter Intelligence

--------------------------------

Cyber CI refers to the use of techniques and measures to identify, exploit, or neutralize adversarial operations that use information resources as the primary tradecraft methodology. Cyber CI activities include three primary subdisciplines: computer forensics support to CI investigations, CI network intrusion investigations, and cyber CI operations.

GENERAL

Cyber CI missions are conducted by specially trained and equipped CI personnel who are assigned to designated cyber CI units. Cyber CI techniques and methods can, and should, be employed in all phases of CI investigations and operations. All CI special agents should know, and plan for, the opportunities to leverage cyber CI capabilities in the pursuit of their investigative and operational objectives.

Like traditional CI activities, cyber CI focuses on countering foreign intelligence and security systems (FISS) and international terrorist organizations (ITO) collection activities targeting information or material concerning U.S. personnel, activities, operations, plans, equipment, facilities, publications, technology, or documents, either classified or unclassified, without official consent of designated U.S. release authorities.

CYBER COUNTERINTELLIGENCE SUPPORT TO CORE FUNCTIONS

The U.S. military's reliance on network-centric operations, as well as the availability of inexpensive commercial technology to even the smallest of U.S. adversaries, has created a significant vulnerability to U.S. military operations. FISS and ITO have increased the targeting of U.S. military networks to collect information, exploit vulnerabilities, and attack our networks. This threat has resulted in a requirement for specially trained CI special agents who can detect, identify, counter, exploit, or neutralize FISS and ITO threats that occur in cyberspace.

COMPUTER FORENSICS SUPPORT

Computer forensics support to CI investigations includes the proper seizure, processing, examination, and analysis of digital media evidence to support approved CI investigative objectives. The use of various information systems (including but not limited to computers, networks, mobile computing devices, cellular phones, and PDAs) permeates the Army work environment. These information systems, as well as other forms of digital media, are used to store, process, and distribute Army information. These data repositories can easily be concealed and used for data exfiltration, thus potentially making them excellent sources of evidence related to the crime of espionage.

Processing and examining digital media evidence is a tedious and time-consuming process which requires special training and equipment. Failure to properly process and examine digital media evidence could corrupt the evidence or render it inadmissible. Therefore, computer forensics support to CI investigations will only be conducted by specially trained and qualified CI special agents. Computer forensics will be conducted by these qualified personnel to—
* Discover and recover evidence related to espionage, terrorism, or subversion against the Army.
* Develop CI investigative leads.
* Collect and report intelligence.
* Support exploitation efforts.

Requests for computer forensic support will be made through the appropriate ATCICA. Requests for assistance will include detailed descriptions of the digital media evidence to be seized and examined. The requests for assistance will be germane to the approved CI investigative objectives.

Every CI special agent is responsible for identifying the need for computer forensics support to their investigations. Computer forensics examinations involve a methodical process which, depending on the size and complexity of the digital media evidence, may take a significant amount of time to complete. Computer forensic operations cannot be rushed, and therefore investigative timelines may need to be adjusted to accommodate the time required to complete the support.

Some digital media evidence seizures are simple and clear. However, many mobile devices (such as cell phones and PDAs) that can transmit and receive data or need a constant source of power to prevent data loss require special handling techniques to preserve the evidentiary data.

If a CI special agent is in doubt about the capabilities of, or when to leverage, cyber CI units, the agent should contact his ATCICA for guidance. All CI special agents will operate in accordance with the appropriate regulations to—
* Ensure that any handling of digital media during CI investigations is performed only by qualified cyber CI special agents or information system specialists.
* Notify or request assistance from properly trained cyber CI special agents as soon as practical after the initiation of an investigation.
* Ensure that their actions are not detrimental to the preservation of digital evidence.

COUNTERINTELLIGENCE NETWORK INTRUSION INVESTIGATIONS

CI network intrusion investigations involve collecting, processing, and analyzing evidence related to adversarial penetrations of Army information systems. These specialized CI investigations are generally conducted independently of other traditional CI investigations. However, given the jurisdictional issues which involve the Internet, network intrusion investigations may require coordination with other U.S. and foreign government intelligence and law enforcement entities.

Threats to Army information systems can range from exploitation of vulnerabilities in information systems which allow adversaries to penetrate Army computers and collect critical information, to trusted insiders who either willingly or unwittingly enable adversarial forces to exploit these critical infrastructure resources. Any adversary with the motive, means, opportunity, and intent to do harm poses a potential threat. Threats to Army information resources may include disruption, denial, degradation, exfiltration, destruction, corruption, exploitation, or unauthorized access to computer networks and information systems and data. Cyber CI units are uniquely qualified to investigate and counter these threats.

All CI network intrusion investigations will be coordinated, to the extent necessary, with the USACIDC, specifically the Cyber Criminal Investigations Unit (CCIU). This coordination is necessary to ensure that investigative activities are not duplicated and that neither organization impedes or disrupts the other's investigative or prosecutorial options.

A CI network intrusion investigation may be initiated under, but is not necessarily limited to, the following circumstances:
* Known, suspected, or attempted intrusions into classified or unclassified information systems by unauthorized persons.
* Incidents which involve intrusions into systems containing or processing data on critical military technologies, export-controlled technology, or other weapons-systems-related RDT&E data.
* Intrusions which replicate methods associated with foreign intelligence or adversary collection, or which involve targeting that parallels known foreign intelligence or adversary collection requirements.

The purpose for conducting a CI network intrusion investigation will be to—
* Fully identify the FISS and ITO entity involved.
* Determine the FISS and ITO objectives.
* Determine the FISS and ITO tools, techniques, and procedures used.
* Assist the appropriate authorities with determining the extent of damage to Army and Department of Defense equities.

If the network intrusion appears to originate from a trusted insider who is under Army jurisdiction and appears to be working for an adversary, the ATCICA or ACICA may authorize an FFI for the purposes of legally prosecuting the subject or to develop the situation to enable neutralization or exploitation of the foreign threat. If it is determined the activity is purely criminal in nature and does not constitute a threat to national security, CI will refer the matter to the appropriate criminal law enforcement organization.

CYBER COUNTERINTELLIGENCE OPERATIONS

Cyber CI operations rely on cyber mechanisms to collect against, neutralize, or exploit a FISS and ITO threat. Since the FISS and ITO threats to Army information systems are prevalent and very aggressive, cyber CI operations should be designed to assertively counter these pervasive threats.

Cyber CI units may conduct CI operations in accordance with appropriate regulations to deter, detect, neutralize, and/or support the exploitation of FISS and ITO threats. All proposed cyber CI operations will be documented as a CI special operational concept or CI project and submitted for command and legal endorsement before being forwarded to G-2 for approval.

The 1st Information Operations Command provides cyber CI elements to support TAs and VAs and red team evaluations. INSCOM provides additional personnel allotments to each theater major subordinate command to provide a dedicated CI LNO to each of the theater regional computer emergency response teams.

Cyber CI operations include conducting cyber-based collection activities focused on cyber terrorist and foreign intelligence threats that target U.S. interests. In addition to traditional CI collection, which is conducted through the use of sources and other human or multimedia sources, cyber CI collection is primarily conducted via the global information grid to obtain information that impacts the supported unit. Cyber CI collection can result from ongoing CI investigations and/or operations, or serve to initiate further CI investigations and/or operations. The goal of cyber CI collection is to provide timely, actionable threat intelligence to the supported commander.

Liaison

Cyber CI elements conduct liaison with U.S., multinational, and HN military and civilian agencies, including NGOs, for the purpose of obtaining information of cyber CI interest and coordinating or deconflicting CI activities. Liaison activities are designed to ensure a cooperative operating environment for cyber CI elements and to develop leads for further exploitation. This is equally true for liaison conducted for cyber CI purposes.

CI special agents conduct debriefings of friendly forces, HN personnel, or the local population who may have information of CI interest regarding adversary intelligence collection or targeting efforts focused on U.S. and multinational interests. Traditional CI special agents conducting this type of collection can provide support to the commander's operational plans and integrated information tasks (information engagement, command and control warfare, information protection, operations security, and military deception), as well as identify targets for additional cyber collection operations.

CI special agents work jointly with HUMINT collectors during screening operations to identify civilians in the operational environment, detainees, and other noncombatants who may have information of CI interest, in order to develop leads. During the course of traditional screening operations, if computer software or media is obtained from detainees, cyber CI special agents can be used in a DOMEX role to screen the media for time-sensitive, actionable intelligence information.

Support to Analysis and Production

CI analysis is used to provide timely, accurate, and relevant all-source assessments regarding the actual and potential foreign intelligence and terrorist threat to DOD, with the objective of protecting DOD personnel, plans, information, research and technology, critical infrastructure, and other national security interests.

Cyber CI analysis is a uniquely technical discipline. The cyber environment differs from the traditional operational environment in that it is worldwide and "virtual" in nature, not theater specific. In addition to traditional CI analytical work concerning terrorist and FISS and ITO organizations and operations, it requires detailed technical knowledge of information systems, Army networks, and the global information grid.

Analysis occurs at all levels from tactical to strategic, but cyber CI analysis is operational and strategic in nature. Because of the uniqueness of the operational environment, and the joint nature of the defenders, cyber CI analysis is conducted by many non-CI activities as well as the Cyber Intelligence Center of the 1st Information Operations Command and the ACIC for the Army.

At the tactical level, CI teams focus their efforts on supporting mission requirements. These tactical CI teams have a role in providing CI support to all the information tasks. They may provide support to CNO by performing initial incident responder duties when a dedicated cyber CI unit is not available.

Cyber CI products consist of, but are not limited to, IIRs, target nominations, CI input to TAs and VAs, CI estimates, and appendices to OPLANs and OPORDs. Finalized intelligence derived from cyber CI activities may be incorporated into joint and national intelligence databases, assessments, and analysis products, but must be provided in a timely manner to the supported commanders on the ground. Cyber CI production takes place at all levels.

Support to Technical Services

CI organizations with technically trained cyber CI special agents are chartered with providing unique technical capabilities to augment CI investigations, collection, and operations. These cyber CI technical capabilities are not used as substitutes for traditional CI activities, but support traditional CI techniques employed to counter and neutralize foreign (adversary) intelligence CNO activities.

In addition to supporting technical CI investigative and operational activities, cyber CI special agents perform highly technical analytical and investigative operations to support Army CNO. Cyber CI special agents are specially trained in the areas of computer operations, network theory and administration, and forensics, and are instrumental in maintaining U.S. information dominance. The reliance on networked systems will result in greater emphasis being placed on information assurance.

CYBER THREAT BRIEFINGS

In accordance with AR 381-10 and appropriate regulations, cyber threat briefings are a periodic requirement. Cyber threat briefings should—
* Demonstrate CI's understanding of the regulatory purpose and responsibilities regarding cyber issues.
* Be tailored to the audience.
* Identify the cyber threat and what it is targeting.
* Indicate what is reportable.
* Outline responsibilities.
* Provide examples of the cyber threat.
* Seek to influence the behaviors of those being briefed.

A good cyber threat briefing engages the audience, uses mixed media to "grab" the attention of the audience, has easily remembered themes and goals, encourages feedback, and challenges the audience to think like a CI agent. Finally, emphasize the importance of utilizing security patches. Over 90 percent of intrusions into Army networks are due to a lack of patching.

The trusted insider is the most serious threat to DOD information systems security. The following list of indicators that could be associated with an insider threat should be addressed during threat briefings to CI customers:
* Unauthorized attempts to elevate privileges.
* Unauthorized sniffers.
* Suspicious downloads of sensitive data.
* Unauthorized modems.
* Unexplained storage of encrypted data.
* Anomalous work hours and/or network activity.
* Unexplained modification of network security-related operating system settings.
* Unexplained modification of network security devices such as routers and firewalls.
* Malicious code that attempts to establish communication with systems other than the one on which the code resides.
* Unexplained external physical network or computer connection.
* Unexplained modifications to network hardware.
* Unexplained file transfer protocol (FTP) servers on the inside of the security perimeter.
* Unexplained hardware or software found on internal networks.
* Network interface cards that are set in a "promiscuous" or "sniffer" mode.
* Unexpected open maintenance ports on network components.
* Any unusual activity associated with network-enabled peripheral devices, such as printers and copiers.
* Any unusual or unexplained activity focused on transfer devices authorized for moving data across classification boundaries.
* Unexplained attacks appearing to originate from within the local network.
* Attacks against specific network devices, such as intrusion detection systems, originating internal to the local network.
* Unexplained scans for vulnerabilities originating internal to the local network.
* Serious vulnerabilities remaining uncorrected after multiple notifications to the responsible individual to correct the problem.
* Unusual interest in network topologies (firewalls, security hardware or software, inter-site connectivity, trust relationships).
* Unexplained interest in penetration and/or vulnerability testing of the network.
* Unexplained hidden accounts or unexpected levels of privilege.
* Attempts to introduce software unapproved for the computing environment.
* Individuals with access displaying undue affluence, unexplained travel, unexplained foreign contacts, unwillingness to take vacation, unwillingness to allow someone to assume their duties, exploitable conduct, abnormal behavior, or unexplained and/or extensive technical computer-related knowledge.
* Unauthorized modem connections.
* Encrypted telephonic communication on lines not specifically identified as normally used for encrypted traffic.
* Excessive, unusual, and/or unexplained computer connections over the telephone infrastructure to foreign countries (as identified by traffic analysis or other means).
* Unexplained devices associated with the telephone infrastructure or the connections between the telephone and computing infrastructures.
* Open remote maintenance ports in telephone infrastructure devices.

COMPUTER NETWORK INCIDENT CATEGORIES

Computer network incidents are identified by category depending on what type of incident occurs. If the incident is deemed a crime, law enforcement takes the investigative lead. If it is determined the incident is of a foreign threat nature, CI will conduct the investigation. The nine categories of computer network-related incidents are listed below:
* Category 1—Root level intrusion (incident). Unauthorized privileged access (administrative or root access) to a DOD system.
* Category 2—User level intrusion (incident). Unauthorized non-privileged access (user level permissions) to a DOD system. Automated tools, targeted exploits, or self-propagating malicious logic may also attain these privileges.
* Category 3—Unsuccessful activity attempt (event). Attempt to gain unauthorized access to the system, which is defeated by normal defensive mechanisms. The attempt fails to gain access to the system (for example, an attacker attempts valid or potentially valid username and password combinations), and the activity cannot be characterized as exploratory scanning. Can include reporting of quarantined malicious code.
* Category 4—Denial of service (incident). Activity that impairs, impedes, or halts normal functionality of a system or network.
* Category 5—Noncompliance activity (event). This category is used for activity that, due to DOD actions (either configuration or usage), makes DOD systems potentially vulnerable (for example, missing security patches, connections across security domains, installation of vulnerable applications). In all cases, this category is not used if an actual compromise has occurred. Information that fits this category is the result of non-compliant or improper configuration changes or handling by authorized users.
* Category 6—Reconnaissance (event). An activity (scan or probe) that seeks to identify a computer, an open port, an open service, or any combination for later exploitation. This activity does not directly result in a compromise.
* Category 7—Malicious logic (incident). Installation of malicious software (for example, Trojan, backdoor, virus, or worm).
* Category 8—Investigating (event). Events that are potentially malicious or anomalous activity deemed suspicious and that warrant, or are undergoing, further review. No event will be closed out as a category 8. Category 8 will be re-categorized to the appropriate category 1 through 7 or 9 before closure.
* Category 9—Explained anomaly (event). Events that are initially suspected as being malicious but after investigation are determined not to fit the criteria for any of the other categories (for example, system malfunction or false positive).

At a minimum, category 1, 2, 4, and 7 incidents are reported to DOD law enforcement and/or CI. All incidents involving potential or actual compromise of classified systems or networks are reported through standard CND technical reporting channels.

AR 25-2 and AR 381-12 outline the commander's requirements for reporting such incidents to law enforcement and CI. Title 18, USC, authorizes those who monitor DOD networks for defensive purposes to share the results of that monitoring with law enforcement and CI. Cyber incident reporting should identify the following relevant information when available:
* Intruder and the victim system.
* Originating IP address and path to the victim system used by the intruder.
* Owner of the originating IP address.
* Date and time of the intrusion and the duration the intruder had access to the victim system. (Use Zulu time.)
* Degree of access obtained by the intruder (for example, user or root level access).
* Classification level, function (for example, web server, domain name server), operating system, and IP address of the victim system.
* Any external security systems, such as ASIM, Netranger, or any other monitoring system (this is done to identify additional sources), and whether the monitoring system detected the activity and alerted appropriate personnel.
* The hacking technique used in the incident or intrusion.
* How the technique exploited the victim system (use great detail).
* Whether the technique exploited a known vulnerability in the information system; if so, provide details about the vulnerability.
* Whether the system had a security patch or update available that could have prevented the incident, and why the patch was not utilized.
* Whether the technique is being used to target other systems or networks, and details about the other victims and systems.
* History of the technique and whether it is being used by known hackers or other organizations known to be involved in CNO, including FISS and ITO.
* Results of any inquiry or investigation into the incident.
* Defensive and investigative actions taken in response to the incident.
* Extent of the damage, both actual and potential, caused by the incident.
* Any links between the incident and any previous incidents on DOD systems.
* Whether the victim has been the victim of previous incidents (provide details).
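The nine categories and the reporting rules that follow them are easy to misapply when triage is done by hand (category 5 used after an actual compromise, or a category 8 closed as-is). The following is an added example, not part of the guide or of any Army tool, that encodes those rules as a small classifier and reporting decision, and renders timestamps in Zulu time as the reporting list asks. The Event fields, the precedence order in which categories are tested, and the sample event are assumptions made for this example.

```python
# Added example (not from the guide): classify an event into the nine
# incident categories above, decide who it must be reported to, and render
# timestamps in Zulu time as the reporting list requires. The Event fields
# and the precedence order are assumptions made for this example.
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass
class Event:
    description: str
    privileged_access: bool = False      # admin/root access obtained (Cat 1)
    user_access: bool = False            # non-privileged access obtained (Cat 2)
    access_attempt_failed: bool = False  # defeated by normal defenses (Cat 3)
    denial_of_service: bool = False      # functionality impaired or halted (Cat 4)
    noncompliance: bool = False          # DOD-caused exposure, no compromise (Cat 5)
    scanning: bool = False               # scan/probe only (Cat 6)
    malicious_code: bool = False         # malware installed (Cat 7)
    under_review: bool = False           # still being investigated (Cat 8)
    explained: bool = False              # benign after investigation (Cat 9)
    classified_system: bool = False      # drives CND technical reporting


INCIDENT_CATEGORIES = {1, 2, 4, 7}   # labelled "(incident)"; the rest are events
MIN_LE_CI_REPORTING = {1, 2, 4, 7}   # "at a minimum" reported to DOD LE and/or CI


def categorize(ev: Event) -> int:
    """Return the category number. Order is an assumption: review state and
    explained anomalies first, then compromises (so Cat 5 is never used once an
    actual compromise exists), then unsuccessful attempts, recon, noncompliance."""
    if ev.under_review:
        return 8
    if ev.explained:
        return 9
    if ev.malicious_code:
        return 7
    if ev.privileged_access:
        return 1
    if ev.user_access:
        return 2
    if ev.denial_of_service:
        return 4
    if ev.access_attempt_failed and not ev.scanning:
        return 3
    if ev.scanning:
        return 6
    if ev.noncompliance:
        return 5
    raise ValueError("no category matched; hold as category 8 pending review")


def reporting_decision(ev: Event) -> dict:
    """Who must hear about this event, per the reporting rules above."""
    cat = categorize(ev)
    return {
        "category": cat,
        "incident": cat in INCIDENT_CATEGORIES,
        "report_to_le_ci": cat in MIN_LE_CI_REPORTING,
        "cnd_technical_report": ev.classified_system,
    }


def close_event(ev: Event) -> int:
    """Closure rule from the guide: nothing closes as category 8."""
    cat = categorize(ev)
    if cat == 8:
        raise ValueError("category 8 cannot be closed; re-categorize to 1-7 or 9 first")
    return cat


def zulu(ts: datetime) -> str:
    """Render an offset-aware timestamp in Zulu (UTC) time, e.g. 2019-04-23T13:30:00Z."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry its UTC offset")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed sample: an unclassified web server compromised to root, local time UTC-4.
    ev = Event("web server root compromise", privileged_access=True)
    when = datetime(2019, 4, 23, 9, 30, tzinfo=timezone(timedelta(hours=-4)))
    print(reporting_decision(ev), zulu(when))
```

The precedence order is the substantive design choice: because compromise categories are tested before noncompliance, an unpatched host that was actually compromised comes out as category 1, 2 or 7 rather than 5, which is what the guide's "not used if an actual compromise has occurred" rule demands. Anything that matches nothing is deliberately left as an error rather than silently filed, so it surfaces for review.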
  354.  
  355.  
CYBER INDICATORS OF COUNTERINTELLIGENCE INTEREST

Unexplained anomalies occur on DOD networks on a daily basis. Some of the anomalies that may be of CI interest are listed below:
* Encrypted data or net flows.
* Unusual login times or failures.
* Unauthorized modification of system files and logs.
* Unauthorized modification of firewall rules.
* Unexplained connectivity—physical or network.
* Anomalous hardware and software.
* Network interface card in "promiscuous" or "sniffer" mode.
* Unusual network traffic on internal network.
* Scanning activity, internal or external.
* Uncorrected vulnerabilities after multiple notifications.
* Unusual interest in network or systems configuration (topologies, firewalls, security measures, trust relationships).
* Unusual interest in penetration or vulnerability testing.
* Unexplained hidden accounts or levels of privilege.
* Attempts to introduce unauthorized software.
* Attempts to obtain an exception to security policy.
* Unauthorized attempts to gain access.
* Attempts to exceed authorized access or elevate privileges.
* Vendor-initiated attempts to install or upgrade hardware or software.
* Unexplained activity of programs or processes.
* Unexplained connectivity of programs or processes.
* Unexplained storage of encrypted files.
* Unauthorized modem connections.
* Excessive, unusual, and/or unexplained foreign connectivity (network or modem).
* Open remote maintenance ports on automated telephone switchboards.
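Several items in the insider-threat list under CYBER THREAT BRIEFINGS and in the list of cyber indicators just above (promiscuous-mode interfaces, unusual login times or failures, firewall rule changes, FTP servers inside the perimeter, privilege escalation attempts) are the kind of thing a first responder can pull out of host and device logs. The following is an added example, not part of the guide or of any Army tool, that runs a few of those indicator checks over constructed sample log lines. The log line format, the host and user names, the failure threshold and the off-hours window are all assumptions chosen for this example; flagged lines are leads for a human to explain, not findings in themselves.

```python
# Added example (not from the guide): triage constructed log lines against a
# handful of the indicators listed above. Log format, thresholds and the
# off-hours window are assumptions chosen for this example.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (no real hosts or users); timestamps are UTC.
SAMPLE_LOGS = [
    "2019-04-23T02:14:07Z ws12 sshd[1212]: Accepted password for jdoe from 10.1.2.3 port 5522",
    "2019-04-23T09:01:10Z ws12 sshd[1300]: Accepted password for jdoe from 10.1.2.3 port 5530",
    "2019-04-23T09:05:01Z ws12 kernel: device eth0 entered promiscuous mode",
    "2019-04-23T11:20:00Z fw01 fwadmin: rule 44 modified by bsmith: ALLOW tcp any -> 10.0.5.9:21",
    "2019-04-23T11:21:15Z ws07 vsftpd[900]: listening on 0.0.0.0:21",
    "2019-04-23T13:00:01Z ws12 sshd[1400]: Failed password for root from 10.0.9.9 port 40001",
    "2019-04-23T13:00:03Z ws12 sshd[1401]: Failed password for root from 10.0.9.9 port 40002",
    "2019-04-23T13:00:05Z ws12 sshd[1402]: Failed password for root from 10.0.9.9 port 40003",
    "2019-04-23T13:00:07Z ws12 sshd[1403]: Failed password for root from 10.0.9.9 port 40004",
    "2019-04-23T13:00:09Z ws12 sshd[1404]: Failed password for root from 10.0.9.9 port 40005",
    "2019-04-23T14:30:00Z ws03 sudo: jdoe : user NOT in sudoers ; COMMAND=/bin/bash",
    "this line is not in the expected format and is skipped",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAIL_THRESHOLD = 5                        # assumption: 5 failures from one source is notable
OFF_HOURS_START, OFF_HOURS_END = 22, 6    # assumption: 22:00-06:00 UTC counts as off-hours


def parse(line):
    """Split a line into timestamp, host, process and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"], "proc": m["proc"], "msg": m["msg"],
    }


def is_off_hours(hour):
    return hour >= OFF_HOURS_START or hour < OFF_HOURS_END


def triage(lines):
    """Return (indicator, host, line) findings for the indicators checked here."""
    findings = []
    failures = defaultdict(int)   # (host, source ip) -> failed-login count
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue   # malformed lines are skipped, not silently mis-parsed
        host, msg = ev["host"], ev["msg"]
        if "entered promiscuous mode" in msg:
            findings.append(("NIC in promiscuous/sniffer mode", host, raw))
        if re.search(r"\brule \d+ modified\b", msg):
            findings.append(("Firewall rule modification (check change records)", host, raw))
        if re.search(r"listening on \S+:21$", msg):
            findings.append(("FTP server inside the security perimeter", host, raw))
        if "NOT in sudoers" in msg:
            findings.append(("Unauthorized attempt to elevate privileges", host, raw))
        ok = re.search(r"Accepted \w+ for \S+ from \S+", msg)
        if ok and is_off_hours(ev["ts"].hour):
            findings.append(("Login at anomalous hour", host, raw))
        bad = re.search(r"Failed password for \S+ from (\S+)", msg)
        if bad:
            key = (host, bad.group(1))
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:   # report once, when the threshold is hit
                findings.append(("Repeated login failures from one source", host, raw))
    return findings


def summarize(findings):
    """Count findings per indicator, for a quick triage view."""
    return Counter(ind for ind, _, _ in findings)


if __name__ == "__main__":
    for ind, host, line in triage(SAMPLE_LOGS):
        print(f"[{ind}] {host}: {line}")
    print(summarize(triage(SAMPLE_LOGS)))
```

On the sample data the script raises six leads: the 02:14 login, the promiscuous-mode interface, the firewall rule change, the FTP listener, the fifth failed root login from one source, and the sudo refusal. Whether each is "unauthorized" or "unexplained" in the guide's sense is exactly what the follow-up (change records, the user's duties, the approved software list) has to establish; the script only narrows where to look.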
  385.  
  386.  
  387. RECOGNIZING POTENTIAL EVIDENCE
  388.  
  389. Although CI desires to ultimately exploit a situation to further develop information about adversarial
  390. personnel, cells, leadership, and TTP, the opportunity for an arrest or detainment may eventually evolve
  391. from any situation, and the proper handling of evidence will play a major role in ensuring prosecution and
  392. punishment. Computers and digital media are increasingly involved in cases of espionage and/or terrorism.
  393. In these cases, the computer may be contraband, fruits of the crime, a tool of the offense, or a storage
  394. container holding evidence of the offense.
  395.  
  396. Investigation of any activity that may be of CI interest may produce electronic evidence. Computers
  397. and related evidence range from the mainframe computer to the pocket-sized personal data assistant (PDA)
  398. to the floppy diskette or CD, a video gaming system, television with built-in recording chip, or the smallest
  399. electronic chip device. Images, audio, text, and other data on these media are easily altered or destroyed. It
  400. is imperative that CI special agents recognize, protect, seize, and search such devices in accordance with
  401. applicable policies, guidelines, and procedures. The following questions need to be answered to determine
  402. the role of the computer in relation to the offense:
  403. * Is the computer contraband or fruits of a crime?
  404. * Was the computer software or hardware stolen?
  405. * Is the computer system a tool of the offense?
  406. * Was the system actively used by the accused to commit the offense?
  407. * Were fake IDs or other counterfeit documents prepared using the computer, scanner, or
  408. printer?
  409. * Is the computer system only incidental to the offense; that is, being used to store evidence of
  410. the offense?
  411. * Is a terrorist using the system to maintain contacts or rosters?
  412. * Is the computer system both instrumental to the offense and a storage device for evidence?
  413. * Did the hacker use the computer to attack other systems and also to store stolen DOD
  414. information?
  415.  
  416. Once the computer or electronic device role in the offense is understood, the following essential
  417. questions need to be answered:
  418. * Is there probable cause to seize hardware?
  419. * Is there probable cause to seize software?
  420. * Is there probable cause to seize data?
  421. * Where will the search be conducted:
  422. ƒ Is it practical to search the computer system on site or must the examination be conducted
  423. at a field office or laboratory?
  424. ƒ Is it essential for the investigation to do a surreptitious mirror imaging of the hard drive
  425. rather than a search and seizure?
  426. ƒ Considering the massive storage data on today’s systems, how will computer forensics
  427. experts search the data in an efficient, timely manner?
  428.  
  429.  
  430. SEARCH AND SEIZURE
  431.  
  432. In preparation for search and seizure of electronic systems, it is essential to keep in mind that using
  433. evidence obtained from a seizure in a legal proceeding requires—
  434. * Appropriate collection techniques to avoid altering or destroying evidence.
  435. * Forensic examination of the system completed by trained cyber CI personnel in a timely
  436. manner with expert testimony available at trial.
  437. Note. Preparation for search and seizure must include a review of AR 381-10, to
  438. determine how to proceed to obtain approval.
  439.  
  440. CI special agents must determine if the search warrant or the consent search is more practical for a
  441. particular situation.
  442. * The search warrant allows for the search, seizure, and examination of electronic evidence as
  443. predefined under the warrant. This method is preferred and consistently is met with the least
  444. resistance at the scene and in the courts.
  445. * A consent search and/or seizure allows the individual giving consent an opportunity to
  446. withdraw consent at any time during the search and seizure. Continued consent is typically
  447. difficult to ensure if the examination process is conducted at a later date and another location.
  448. It would be advisable to contact the prosecutor when executing consent searches for
  449. computers for this reason.
  450.  
Search warrants for electronic storage devices typically focus on two primary sources of information:
* Electronic storage device search warrant (search and seizure of hardware, software, documentation, user notes, and storage media).
* Service provider search warrant (service records, billing records, subscriber information). Request information via appropriate search warrant, subpoena, or court order from a variety of providers (wireless or cellular service, satellite service, electronic data storage, financial institution, Internet, pager).

Once the computer’s role is understood and legal requirements are fulfilled, CI special agents must—
* Secure the scene:
  - Agent safety is paramount.
  - Preserve area for potential evidence and/or fingerprints.
  - Immediately restrict access to computers and attached peripherals. (Keep in mind there are many methods to remotely access computers.)
* Secure the computer as evidence:
  - If computer is off, do not turn it on.
  - If computer is on, consult a computer forensics specialist. If a specialist is not available, photograph the screen, then disconnect all power sources and unplug from the back of the computer. Interrupting power from the back will defeat an uninterruptible power supply.
  - Laptops often have battery power supplies. If the laptop does not shut down when the power cord is removed, locate and remove the battery pack. The battery is commonly placed on the bottom, and there is usually a button or switch that allows for the removal of the battery. Once the battery is removed, do not return it to or store it in the laptop. Removing the battery will prevent accidental start-up of the laptop.
  - Place evidence tape over each drive slot.
  - Photograph or diagram and label back of computer components with existing connections.
  - Label all connector and cable ends to allow reassembly as needed.
  - If transporting is required, package components and transport or store components as fragile cargo.
  - Keep away from magnets, radio transmitters, and other potentially damaging elements.
  - Collect instruction manuals, documentation, and notes. (User notes may contain passwords.)
* For networked computers, consult a computer specialist for further assistance. Secure the scene and do not let anyone touch the system except personnel trained to handle network systems. Pulling the plug could result in severe damage to the system or network, disruption of legitimate business, or create liability.

Other electronic devices may contain viable evidence associated with a national security crime of interest to CI. Unless an emergency exists, do not access any device that may be seized. Should it be necessary to access the device, note all actions associated with the manipulation of the device to document the chain of custody and protect the integrity of the evidence.
  493.  
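The chain-of-custody requirement above (record every action taken on a seized device and protect the integrity of the evidence), worked through as an added example that is not part of the field manual: a Python script that hashes seized media, verifies a forensic image against its source bit for bit, and keeps a custody log in which each entry commits to the evidence digest and to the previous entry, so that an edited or removed entry, or an altered image, fails verification. The item identifier, agent names, timestamps and the byte strings standing in for a drive are constructed placeholders, and the hash-chained log is a design choice made here, not a procedure the manual prescribes.

```python
"""Evidence intake and chain-of-custody log for seized media (added example).

Assumptions (not from the field manual): the evidence is represented by
constructed byte strings standing in for a drive and its forensic image, and
the custody record is an in-memory list of entries chained by SHA-256 digests.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # link value for the first entry in a log


def sha256_hex(data: bytes) -> str:
    """Digest of a byte string; used for both media and log entries."""
    return hashlib.sha256(data).hexdigest()


def image_matches_source(source: bytes, image: bytes) -> bool:
    """A bit-for-bit image must hash identically to the original media."""
    return sha256_hex(source) == sha256_hex(image)


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str
    agent: str
    action: str
    item_hash: str        # digest of the evidence item at the time of the action
    prev_entry_hash: str  # digest of the previous log entry (chain link)
    entry_hash: str = ""

    def body(self) -> bytes:
        # Canonical serialization of everything except the entry's own digest.
        fields = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(fields, sort_keys=True).encode()


@dataclass
class CustodyLog:
    item_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, agent: str, action: str, item: bytes,
               when: Optional[str] = None) -> CustodyEntry:
        """Append an action; the entry commits to the item digest and the previous entry."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(
            seq=len(self.entries),
            timestamp=when or datetime.now(timezone.utc).isoformat(),
            agent=agent,
            action=action,
            item_hash=sha256_hex(item),
            prev_entry_hash=prev,
        )
        entry.entry_hash = sha256_hex(entry.body())
        self.entries.append(entry)
        return entry

    def verify(self, current_item: Optional[bytes] = None) -> bool:
        """Recompute the chain; optionally confirm the item still matches the last digest."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_entry_hash != prev:
                return False          # entry removed, reordered or inserted
            if sha256_hex(e.body()) != e.entry_hash:
                return False          # entry content edited after the fact
            prev = e.entry_hash
        if current_item is not None and self.entries:
            return sha256_hex(current_item) == self.entries[-1].item_hash
        return True


def run_demo() -> dict:
    """Constructed walk-through: seizure, hand-off, imaging, then two tampering checks."""
    drive = b"MBR\x00" + bytes(range(256)) * 4      # constructed stand-in for a drive
    image = bytes(drive)                              # constructed bit-for-bit image
    log = CustodyLog("ITEM-001")                      # placeholder evidence id
    log.record("Agent A", "seized at scene; device off, not powered on", drive,
               "2019-04-23T10:00:00+00:00")
    log.record("Agent A", "transferred to examiner", drive, "2019-04-23T12:30:00+00:00")
    log.record("Examiner B", "acquired forensic image; verified against source", image,
               "2019-04-23T14:00:00+00:00")
    before = log.verify(image)
    # One flipped byte in the stored image must be detected against the log.
    tampered = bytearray(image)
    tampered[10] ^= 0xFF
    after = log.verify(bytes(tampered))
    # Editing a past entry must break the chain even though the item is unchanged.
    log.entries[1].action = "transferred to examiner (edited)"
    chain_ok = log.verify()
    return {"image_ok": image_matches_source(drive, image),
            "before": before, "after": after, "chain_ok": chain_ok}


if __name__ == "__main__":
    print(run_demo())
```

In practice the digest of the original media is computed once, before any examination, and every later action (transfer, imaging, examination) is recorded against that digest; the log itself should be stored separately from the evidence so that whoever can alter one cannot silently alter the other.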
Wireless telephones provide users with mobile communications using various protocols and formats (for example, code division multiple access, time division multiple access, global system for mobile) in various frequencies (for example, 900 MHz, 1.2 GHz).
* Potential evidence contained in wireless telephone devices includes—
  - Numbers called.
  - Names and addresses.
  - Caller ID for incoming calls.
* Other information contained in the memory of the wireless telephone device includes—
  - Phone and pager numbers.
  - Names and addresses.
  - PIN numbers.
  - Voice mail access numbers.
  - Voice mail password.
  - Debit card numbers.
  - Calling card numbers.
  - Email and Internet access information.
  - Service provider information.
  - On-screen image, which may contain other valuable information.
  - A wireless telephone, which may also serve as a PDA.
  - Information on financial and retail transactions.
* If the phone is on, do not turn it off:
  - Turning off the phone could activate a lockout feature.
  - Write down all information on display and photograph if possible.
  - Power down before transport if transport is likely to take so long the device will lose complete battery power.
* If the device is off, do not turn it on:
  - Turning it on could alter evidence on the device.
  - Upon seizure, deliver device to an expert as soon as possible.
  - Delays in conducting the examination may result in loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Anticipate a compulsory process (for example, subpoena) for the service provider to supply additional information.
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Cordless telephones provide users with freedom of movement with the wireless handheld transmitter or receiver as long as the user remains within the range of the telephone base station. The base station serves as the connection between the wireless device and the physical wire connection for telephone service.
* Potential evidence contained in cordless telephone devices includes—
  - Numbers called.
  - Numbers stored for speed dial.
  - Caller ID for incoming calls.
* Other information in the memory of cordless telephones includes—
  - Phone and pager numbers.
  - Names and addresses.
  - PIN numbers.
  - Voice mail access number.
  - Voice mail password.
  - Debit card numbers.
  - Calling card numbers.
  - On-screen image, which may contain valuable information.
* If the phone is on, do not turn it off:
  - Turning off the phone could activate a lockout feature.
  - Write down all information on display and photograph if possible.
  - Power down before transport if transport is likely to take so long the device will lose complete battery power.
* If the device is off, do not turn it on:
  - Turning it on could alter evidence on the device.
  - Upon seizure, deliver device to an expert as soon as possible.
  - Delays in conducting the examination may result in loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Anticipate a compulsory process (for example, subpoena) for the service provider to supply additional information.
  - Be aware that some home systems are becoming network connected.
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Answering machines provide users with a means to capture messages from callers unable to reach the device owner or operator. Some answering machines double as a phone. These devices store messages on tape or in digital memory.
* Potential evidence contained in answering machines includes—
  - Incoming and outgoing messages.
  - Home systems are becoming network connected.
  - Numbers called.
  - Numbers stored for speed dial.
  - Caller ID for incoming calls.
  - The same type of information in memory as the cordless phones.
* If the device is on, leave it on:
  - Turning off the device could activate a lockout feature.
  - Some have remote access and must be disconnected from the line as soon as possible (incoming calls can delete evidence).
  - Write down all information on display (photograph if possible).
  - If possible, use a tape recorder to record saved messages.
  - Power down if transport would take so long that the device would lose total battery power.
* If the device is off, leave it off:
  - Turning it on could alter evidence.
  - Upon seizure, deliver device to an expert as soon as possible.
  - Delays in conducting the examination may result in loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Anticipate a compulsory process (for example, subpoena) for the service provider to supply additional information.
  - Be aware some home systems are becoming network connected.
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Caller ID devices collect caller information. Often these devices display incoming calls and record the numbers of recent incoming calls.
* Potential evidence contained on caller ID devices includes—
  - Telephone and subscriber information from incoming telephone calls.
  - Date and time of incoming calls.
* If the device is on, leave it on:
  - Interruption of the power supply to the device may cause loss of data if not protected by internal battery back-up.
  - Document all stored data before seizure or loss of data may occur.
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Electronic paging devices are becoming more sophisticated and some have evolved into two-way messaging systems. The pagers that provide such features receive wireless information and transmit information as well.
* Potential evidence contained in paging devices must be handled carefully.
  - Numeric pagers receive only numeric digits (can be used to communicate numbers and code).
  - Alphanumeric pagers receive numbers and letters and carry full text.
  - Voice pagers transmit voice communications, sometimes in addition to alphanumeric communication.
  - Two-way pagers contain incoming and outgoing messages.
* Once a pager is no longer in proximity to the suspect, turn it off.
Note. Continued access to electronic communications over a pager without proper authorization can be construed as unlawful interception of electronic communications (consult legal).
  - Delays in conducting the examination may result in loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - May also require a service provider search warrant to obtain additional information.
  - Turn it off if necessary.
  - Change batteries if necessary.
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Fax machines provide the user with the ability to transmit documents via phone line from one point to another.
* Fax machines can contain—
  - Speed dial list.
  - Stored faxes (incoming and outgoing).
  - Fax transmission logs (incoming and outgoing).
  - Header line.
  - Clock setting.
* If the fax machine is off, leave it off. If the fax machine is on, leave it on if possible:
  - Powering down may cause loss of the last number dialed and/or stored faxes; consult the manufacturer’s manual before powering down, if possible.
  - Record saved data before powering off if necessary.
  - Take photographs.
* Other considerations regarding fax machines:
  - Record the telephone line number the fax machine is plugged into.
  - Record the network line number the fax machine is plugged into.
  - Header line should be the same as the phone line (user sets the header line).
  - Some fax machines are also copiers, scanners, and printers.
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Smart cards and magnetic stripe cards serve many functions, but possess similar characteristics. Both cards interface with a reader device capable of interpreting information stored on the magnetic stripe or computer chip embedded in the plastic card. The most familiar application of these technologies is the credit card. These technologies lend themselves to many additional applications because they are capable of storing any kind of information. These applications include, but are not limited to, driver’s licenses, hotel room keys, passports, benefit cards, and security door passes. These technologies can also exist on a card together. (Example uses: point of sale transactions, ATM capabilities.)

There are two basic types of smart cards:
* First is a memory card, which is merely a digital storage device capable of holding large stores of information.
* Second is a microprocessor card, which is basically a small computer capable of completing a number of calculations.

The functionality provided in these cards allows for more robust security in protecting embedded information. The card readers for these cards can also be contact or proximity based. Uses include direct exchange of value between card holders, exchange of value over the Internet, storing data or files similar to a computer, wireless telephones, and satellite service devices.

Magnetic stripe cards can be identified by a black or brown strip that runs across a card. To accurately read the information, magnetic stripe readers must include the capability to read the various tracks. This technology can also be used in a paper or disposable format such as metro passes or parking passes.

Circumstances raising suspicion concerning smart and magnetic stripe cards include—
* Numerous cards with different names or the same issuing vendor.
* Signs of tampering (cards are found in the presence of computer or other electronic devices).

Questions that must be answered when encountering smart or magnetic stripe cards include—
* To whom is the card issued (valid card holder)?
* Who issued the card?
* What are the uses of the card?
* Why does the person have numerous cards?
* Is there a device or computer present that can alter the card?

When seizing smart or magnetic stripe cards—
* Photograph the card.
* Label and identify characteristics of the card.
* Detect possible alterations or tampering during initial examination.
* Identify who possessed the card and exactly where it was found (separation from genuine identification and cards may help establish intent).

ID card printers offer users the ability to print graphics and information onto a plastic card. They can be used to produce counterfeit identification. ID card printers—
* Contain stored data.
* Should not be powered down if found on unless necessary.
* Should be checked to see if they are connected to a network, standalone, or portable.
* Should be seized together with instruction manuals, power chargers, power cables, and any peripherals belonging to the device.

Scanners allow for the creation of a computer image of documents, papers, or items placed on the scanner bed. Some scanners are also copiers, printers, and fax machines. Scanners—
* Contain stored data.
* Should not be powered down if found on unless necessary.
* Should be seized together with instruction manuals, power chargers, power cables, and any peripherals belonging to the device.

Printers allow for the hardcopy creation of items generated by computers. There are many printer technologies including laser, ink jet, thermal dye, and dot matrix. Printers—
* Contain stored data.
* Should not be powered down if found on unless necessary.
* Should be checked to see if they are connected to a network, standalone, or portable.

Other considerations regarding printers:
* Record the telephone line number the system is plugged into.
* Record the network line number the system is plugged into.
* Some printers are also copiers, scanners, and fax machines.
* Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Copiers allow for the duplication of items placed on the copying surface. Copy machines contain—
* Speed dial lists.
* Stored copies (incoming and outgoing).
* Data files (complete images or documents from computers in a network environment).
* Copy transmission logs (incoming and outgoing).
* Header line.
* Clock setting.
Other considerations for copiers:
* If found on, do not turn off unless necessary.
* Check to see if it is network connected, standalone, or portable.
* Record the telephone line number the system is plugged into.
* Record the network line number the system is plugged into.
* Some copiers are also printers, scanners, and fax machines.
* Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Compact disk duplicators and labelers allow for the mass creation of compact disks. When used inappropriately, these devices may be used for sedition and/or subversion support operations.
* Compact disk duplicators and labelers contain stored data.
* If found on, do not turn off unless necessary.
* These systems may be connected to the network, may be standalone, or may be portable.
* Some networked systems contain proprietary hard drives that store images.
* Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Digital cameras, video, and audio media can be recorded as analog or digital information. Many different formats of media are available within both analog and digital. Devices may be standalone, networked, personal, home entertainment, or business (for example, text, still images, graphics, date/time, author, system used).

Some devices may have basic personal computing functions or may be a computer device itself. Devices are found as portable and fixed devices, but can be easily moved. Devices may store data directly to internal memory and/or removable media. If the device is found off, do not turn it on. If found on, consult a specialist.

If no specialist is available—
* Identify and secure recorded media and media system.
* If recorded media needs to be reviewed immediately, do not pause tape media unless absolutely necessary. Pausing tape media, both video and audio, causes irreversible wear (damage) to the tape, resulting in poor image and/or audio quality.
* Immediately secure record tabs on the media to prevent accidental overwrite (recording).

Securing the system or device:
* Photograph device (screen or display), then disconnect all power sources; unplug from the back of the device. If unable to do so, recover and consult with a specialist as soon as practical.
* Place evidence tape over areas of access (for example, drive slots and media slots).
* Photograph or diagram and label back of components with existing connections.
* Label all connector and cable ends to allow reassembly as needed.
* If transport is required, package components and transport or store components as fragile cargo.
* Conduct examination as soon as possible to avoid possible loss of information if power supply becomes insufficient through battery or internal power supply.
* Take appropriate care in the handling and storage (for example, cold or dampness).
* Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Electronic gaming devices now provide users with greater functionality and are increasingly comparable with a computer. Electronic gaming devices—
* May contain stored data—text, images, audio, video, other.
* May have Internet access information including emails.
* May contain basic personal computing functions.
* Should not be turned on if found in the off position.
* May be found in the on position; in this case, consult a specialist if possible. If a specialist is not available—
  - Photograph device (screen or display), then disconnect all power sources; unplug from the back of the device. If unable to do so, recover and consult with a specialist as soon as practical.
  - Place evidence tape over areas of access (for example, drive slots and media slots).
  - Photograph or diagram and label back of components with existing connections.
  - Label all connector and cable ends to allow reassembly as needed.
  - If transport is required, package components and transport or store components as fragile cargo.
  - Conduct examination as soon as possible to avoid possible loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.

Home electronic devices provide users with a greater degree of interaction with the device. The devices range from interactive television guides to smart kitchen appliances, such as microwaves that store messages for other family members or refrigerators that keep track of the food in their inventory. Home electronic devices—
* May contain stored data (for example, text, images, audio, video, other).
* May contain Internet access information including emails.
* May have telephone capabilities.
* May perform basic personal computing functions.
* May be standalone or networked either at home or through an off-site location.
* Should not be turned on if found in the off position.
* May be found in the on position; in this case, consult a specialist if possible. If a specialist is not available—
  - Photograph device (screen or display).
  - Play back and record with a tape recorder if the device has a readily discernible audio playback feature.
  - Disconnect all power sources; unplug from the back of the device. If unable to do so, recover and consult with a specialist as soon as practical.
  - Place evidence tape over areas of access (for example, drive slots and media slots).
  - Photograph or diagram and label back of components with existing connections.
  - Label all connector and cable ends to allow reassembly as needed.
  - If transport is required, package components and transport or store components as fragile cargo.
  - Conduct examination as soon as possible to avoid possible loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.
  - Ensure care is given to the ability of these systems to be remotely accessed. These systems are typically operated through a service provider. Data may not be stored on the system.
  - May require a service provider search warrant to obtain additional information.

GPSs provide users with the ability to locate their position on the Earth’s surface by measuring signals transmitted by satellites. These devices assist with navigation and can integrate maps to help users travel from one point to another. GPSs—
* May store data including text, images, and maps.
* May have Internet access information.
* May contain a two-way radio capability.
* May have telephone capabilities.
* May contain routes and marked locations.
* Can keep track of time lines.
* Should not be turned on if found in the off position.
* Can be found as an integrated part of other portable devices (for example, palm devices, mininotebooks, notebook PCs, and digital cameras).
* May be found in the on position; in this case, consult a specialist if possible. If a specialist is not available—
  - Photograph device (screen or display), then disconnect all power sources; unplug from the back of the device. If unable to do so, recover and consult with a specialist as soon as practical.
  - Place evidence tape over areas of access (for example, drive slots and media slots).
  - Photograph or diagram and label back of components with existing connections.
  - Label all connector and cable ends to allow reassembly as needed.
  - If transport is required, package components and transport or store components as fragile cargo.
  - Conduct examination as soon as possible to avoid possible loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.
  - Ensure care is given to the ability of these systems to be remotely accessed. These systems are typically operated through a service provider. Data may not be stored on the system.

PDAs and handheld computers provide users with much of the functionality of full-size personal computers, but are small in size. Palm devices—
* May store data including text, images, and maps.
* May have Internet access information including emails.
* May contain directories.
* May have basic personal computing functions.
* May be standalone or networked within a home or an off-site location.
* Can keep track of time lines.
* Should not be turned on if found in the off position.
* May be found in the on position; in this case, consult a specialist if possible. If a specialist is not available—
  - Photograph device (screen or display), then disconnect all power sources; unplug from the back of the device. If unable to do so, recover and consult with a specialist as soon as practical.
  - Place evidence tape over areas of access (for example, drive slots and media slots).
  - Photograph or diagram and label back of components with existing connections.
  - Label all connector and cable ends to allow reassembly as needed.
  - If transport is required, package components and transport or store components as fragile cargo.
  - Conduct examination as soon as possible to avoid possible loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.
  - Ensure care is given to the ability of these systems to be remotely accessed. These systems are typically operated through a service provider. Data may not be stored on the system.
  - Keep away from magnets and radio transmitters.
  - May require a service provider search warrant to obtain additional information.

Security systems are installed as protective measures and are often positioned in strategic locations, and they can provide valuable information for an investigation. Security systems—
* May store data including text, images, and maps.
* May include time stamp information.
* May be standalone or networked via the Internet or a private network.
* Should not be tampered with except by a trained specialist.
* Must be secured. If a specialist is not available, immediately secure recorded data (for example, videotape media) and collect as much of the following information as possible:
  - Make and model.
  - Personal computer-based system or video-based system.
  - Number of cameras.
  - Type of cameras.
  - Locations of system.
  - Location of cameras.
  - Recording media.
  - Media stored and archived.
  - Photographs or video of system.

Vehicle computer devices provide users with many computer features within their vehicle. They may contain stored data such as text, images, maps, audio, Internet access information, telephone capabilities, routes, marked locations, time lines, and emails. The device can be portable or fixed.
* If the device is found off, do not turn it on. If it is found on, consult a specialist. If a specialist is not available—
  - Photograph the device (screen or display), then disconnect all power sources (unplug from the back of the device). Most systems are built into the vehicle’s interior, integrated into the dash or console areas, making it impractical to remove. Actual data may even be stored elsewhere in the vehicle.
  - Place evidence tape over areas of access (for example, drive slots and media slots).
  - Photograph or diagram and label back of components with existing connections.
  - Label all connector and cable ends to allow reassembly as needed.
  - Conduct examination as soon as possible to avoid possible loss of information if power supply becomes insufficient through battery or internal power supply.
  - Take appropriate care in the handling and storage (for example, cold or dampness).
  - Seize the instruction manual, power charger, power cables, and any peripherals belonging to the device.
  - Ensure care is given to the ability of these systems to be remotely accessed. These systems are typically operated through a service provider. Data may not be stored on the system. These systems may be integrated with many systems including communications, navigation, security, safety, entertainment, personal computing, Internet, digital audio and imaging into networked environments supported at the home, workplace, public services, and portable devices. They may also require a service provider search warrant to obtain additional information.

Storage media is used to store data from an electronic device. Some devices have fixed storage space located within the device. This form of storage requires a means of interfacing to another source to transfer the data when necessary. Many devices of today have capabilities for both fixed (internal) storage or memory and the ability to also store data solely or simultaneously to removable storage media. Removable media is used to transfer and store data.

Some of these media types come in many variations, and there are numerous other types currently in use that are not as prevalent, and even more are being introduced into the market on a regular basis.

Although there are some standards, the following list is some of the more common and well-established media types found in the consumer and commercial marketplace:

* Floppy disk.
* Mini-disk.
* Flash memory card.
* External hard drive.
* Digital linear tape.
* High-density floppy disk.
* Compact disk (CD).
* LS-120 (super disk).
* Click.
* Smart media.
* Micro-drive.
* Digital audio tape.
* Digital video disk.
* Zip.
* Memory stick.
* Removable hard drive.
* Magneto optical drive.