Law Enforcement Intelligence Report

Preserving Digital Evidence For Court

Presentation by: Sgt. Andrew Obuchowski
Sgt. Andrew Obuchowski sets forth the steps needed to preserve digital evidence, whether it comes from instant messaging, email, or the contents of a computer. Preservation letters, subpoenas, and search warrants are covered extensively, as is crime scene processing.
Table of Contents
Internet Basics
  1. Getting Online
    1. Work, home, schools, library, handhelds, wireless
  2. Internet Service Providers
    1. Dial-up, DSL/cable modem, wireless, T1 and T3 lines
  3. IP Addresses
    1. Static, dynamic
Instant Messaging Investigations
  1. File Transfer Protocol
    1. Transfers files between computers in three ways: web browser, DOS command line, or GUI client (CuteFTP, Dreamweaver, FrontPage)
    2. Can be used to copy files illegally
  2. Peer-To-Peer File Sharing
    1. Share files and music between computers
  3. Chat
    1. IM public and private
  4. IM Recording and Investigating
    1. How to's
Email Investigations
  1. Email
    1. Most widely used
    2. Sender's approximate geographic location can often be determined from the originating IP address
    3. Almost all investigations will involve email
    4. Easy ways to hide identity; spoofing/masquerading
  2. Email addresses
  3. Post Office Protocol (POP)
    1. Protocol for receiving email
    2. Mail is delivered to the recipient's mail server and stored in the user's mailbox until the client retrieves it
  4. Simple Mail Transfer Protocol (SMTP)
    1. Protocol for sending email
    2. Mail is submitted to the sender's mail server, which relays it to the recipients' mail servers
  5. Tracing Email
    1. Need the original email file; a forwarded or copied message loses the original headers
    2. Some information is difficult to forge: the Received: lines stamped by each receiving mail server, unlike the From: field the sender controls
    3. Need to view the full (expanded) email headers, not the summary the mail client shows
  6. Email Body Reading
  7. Anonymous Re-Mailers & Proxy Servers
    1. Re-mailers change certain fields
    2. Re-mailers strip header information
    3. Sometimes bounce email to other re-mailers
  8. Recording Email Evidence
    1. 12 steps for recording evidence
    2. Web based instructions
  9. Email Investigation Summary
    1. Locate originating IP address
    2. Lookup information for IP address
    3. Send preservation letter
    4. Government process for information
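The tracing steps above (get the original message, read the full headers, locate the originating IP, decide who gets the preservation letter) can be worked through on a raw message. The following is an added example, not material from the presentation: it walks the Received: chain from the bottom (oldest hop) up, takes the connecting address each server recorded rather than the name the client announced, skips RFC 1918 internal hops, and reports whether the apparent origin was stamped by a server you can trust. The message, hostnames, and addresses are constructed for the example (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses, which is why the internal-address check lists the private ranges explicitly instead of using `ipaddress.is_global`). A second constructed message shows a sender prepending a forged Received: line, which moves the apparent origin but not the last verifiable peer.

```python
"""Walk the Received: chain of a raw email to find the originating IP.

Added example; the message and hosts below are constructed, not a real capture.
IPv4 only; IPv6 literals in brackets would need a second pattern.
"""
import email
import ipaddress
import re

# Constructed sample: three relay hops, newest Received: line first.
SAMPLE_MESSAGE = b"""Received: from mx.example-victim.net (mx.example-victim.net [198.51.100.7])
    by mail.example-victim.net with ESMTP id q7L3Xk9
    for <victim@example-victim.net>; Tue, 12 Mar 2024 10:02:11 -0500
Received: from relay.isp.example (relay.isp.example [203.0.113.25])
    by mx.example-victim.net with ESMTP id a1B2c3; Tue, 12 Mar 2024 10:02:09 -0500
Received: from [192.168.1.20] (unknown [192.0.2.44])
    by relay.isp.example with ESMTPA id Z9y8X7; Tue, 12 Mar 2024 10:02:05 -0500
From: "Accounts" <billing@bank-example.com>
To: victim@example-victim.net
Subject: Account notice
Message-ID: <20240312150205.abc123@relay.isp.example>

Please verify your account.
"""

# Same message, but the sender added a bogus Received: line before sending,
# so it sits at the bottom of the chain and looks like the true origin.
FORGED_MESSAGE = SAMPLE_MESSAGE.replace(
    b"\nFrom: ",
    b"\nReceived: from webmail.bank-example.com ([198.51.100.200])\n"
    b"    by smtp.bank-example.com with ESMTP id fake01; Tue, 12 Mar 2024 09:59:00 -0500\n"
    b"From: ",
    1,
)

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY_RE = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.I | re.S)

# RFC 1918, loopback and link-local: a hop recorded from one of these is an
# internal relay (or the client's own LAN address), never the origin we can act on.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Return the Received: hops in delivery order (oldest/origin first).

    Each hop records the 'from' clause, the 'by' server that stamped the line,
    and the connecting IP. When a line reads 'from [a.b.c.d] (name [w.x.y.z])',
    the first literal is what the client announced in HELO and the parenthesised
    one is the address the receiving server actually saw, so the last bracketed
    address in the clause is the one to keep.
    """
    msg = email.message_from_bytes(raw)  # compat32: folded headers come back as one string
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = FROM_BY_RE.search(text)
        if not m:
            continue
        ips = IPV4_RE.findall(m.group("frm"))
        hops.append({"from": m.group("frm"), "by": m.group("by"), "ip": ips[-1] if ips else None})
    hops.reverse()  # headers are prepended by each relay, so bottom = first hop
    return hops


def find_origin(raw, trusted_domain):
    """Locate the apparent originating IP and say whether it is verifiable.

    Only Received: lines stamped 'by' a server in trusted_domain (your own
    server, or a provider whose logs you hold) are reliable; older lines were
    supplied by upstream servers or the sender and can be forged. The address
    that connected to the first trusted server is the one whose operator
    should get the preservation letter when the lower hops cannot be trusted.
    """
    hops = received_hops(raw)
    origin = next((h for h in hops if h["ip"] and not is_internal(h["ip"])), None)
    first_trusted = next(
        (h for h in hops if h["by"].lower().endswith(trusted_domain.lower())), None)
    return {
        "originating_ip": origin["ip"] if origin else None,
        "recorded_by": origin["by"] if origin else None,
        "verifiable": bool(origin and first_trusted and origin is first_trusted),
        "last_verified_peer": first_trusted["ip"] if first_trusted else None,
    }


if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_MESSAGE), ("forged", FORGED_MESSAGE)):
        print(label, find_origin(raw, "example-victim.net"))
```

Run against the genuine sample with your own domain as the trust boundary, the apparent origin is 192.0.2.44, recorded by the ISP relay and therefore not verifiable from your logs, while the last verified peer is 203.0.113.25, the relay that handed the message to your server. Against the forged sample the apparent origin shifts to the sender's fake 198.51.100.200 line, but the last verified peer is unchanged, which is why the preservation letter and 2703(d) request go to that relay's operator to confirm the lower hop rather than to whoever the bottom line names.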
Preservation, Subpoena, Search Warrants
  1. Freeze Orders/Preservation Letters
  2. Types of Orders to Obtain
    1. Administrative subpoena
    2. Grand jury subpoena
    3. Search warrant
  3. Subpoena v. Search Warrant
    1. What type of information do you want?
    2. Do you have probable cause?
  4. Requirements for Government Access
  5. Search Warrant Exceptions
    1. Consent
    2. Third party & implied
    3. Exigent circumstances
    4. Plain view
    5. Search incident to a lawful arrest
  6. Basic Information
    1. Obtain through subpoena
  7. Transactional Records
    1. Obtain through an articulable-facts order, 18 U.S.C. § 2703(d)
    2. Credit card information
    3. Activity logs
  8. Content
Scene Processing
  1. Understanding personal computers & peripherals
  2. Intelligence gathering
  3. Raid precautions
  4. Basic scene toolkit
  5. Scene "Do Nots"
  6. Computer shutdown
  7. Scene processing
  8. Storage control
