Preserving Digital Evidence For Court

Presentation by: Sgt. Andrew Obuchowski

Sgt. Andrew Obuchowski, of the Millville, MA Police Department, is a Professor of Criminal Justice at Anna Maria College in Paxton, MA, and a Computer, Cell Phone and Video Forensic Analyst. He is a member of the Massachusetts Financial Crimes Task Force and the Regional Electronic & Computer Crime Task Force - Raynham, MA. In this DVD, Sgt. Obuchowski will explain how to preserve digital evidence.

Table of Contents

You will learn:

I. Internet Basics

1. Getting Online
   a) Work, home, schools, library, handhelds, wireless
2. Internet Service Providers
   a) Dial-up, DSL/cable modem, wireless, T1 and T3 lines
3. IP Addresses
   a) Static, dynamic

II. Instant Messaging Investigations

1. File Transfer Protocol
   a) Transferring of files among computers in 3 ways: Web, DOS, GUI (CuteFTP, Dreamweaver, FrontPage)
   b) Can be used to copy files illegally
2. Peer-To-Peer File Sharing
   a) Share files and music between computers
3. Chat
   a) IM public and private
4. IM Recording and Investigating
   a) How-to's

III. Email Investigations

1. Email
   a) Most widely used
   b) Geographical location can be found
   c) Almost all investigations will involve email
   d) Easy ways to hide identity; spoofing/masquerading
2. Email addresses
3. Post Office Protocol (POP)
   a) Protocol for receiving email
   b) Mail sent to mail server and stored in user folder
4. Simple Mail Transfer Protocol (SMTP)
   a) Protocol for sending email
   b) Mail is sent to mail server then to recipients
5. Tracing Email
   a) Need original email file
   b) Some information is difficult to forge
   c) Need to view full email headers
6. Email Body Reading
7. Anonymous Re-Mailers & Proxy Servers
   a) Re-mailers change certain fields
   b) Re-mailers strip header information
   c) Sometimes bounce email to other re-mailers
8. Recording Email Evidence
   a) 12 steps for recording evidence
   b) Web-based instructions
9. Email Investigation Summary
   a) Locate originating IP address
   b) Look up information for IP address
   c) Send preservation letter
   d) Government process for information

IV. Preservation, Subpoena, Search Warrants

1. Freeze Orders/Preservation Letters
2. Types of Orders to Obtain
   a) Administrative subpoena
   b) Grand jury subpoena
   c) Search warrant
3. Subpoena v. Search Warrant
   a) What type of information do you want?
   b) Do you have probable cause?
4. Requirements for Government Access
5. Search Warrant Exceptions
   a) Consent
   b) Third party & implied
   c) Exigent circumstances
   d) Plain view
   e) Search incident to a lawful arrest
6. Basic Information
   a) Obtain through subpoena
7. Transactional Records
   a) Obtain through Articulable Facts Order - 18 USC 2703(d)
   b) Credit card information
   c) Activity logs
8. Content

V. Scene Processing

1. Understanding personal computers & peripherals
2. Intelligence gathering
3. Raid precautions
4. Basic scene toolkit
5. Scene "Do Nots"
6. Computer shutdown
7. Scene processing
8. Storage control

 
