Signature: Signed by GNT Date Signed: 6/15/2015. To establish the policies and procedures of the Cyber Crimes Squad.

Transcription

1 Atlanta Police Department Policy Manual Standard Operating Procedure Effective Date: June 15, 2015 Applicable To: All employees Approval Authority: Chief George N. Turner Signature: Signed by GNT Date Signed: 6/15/2015 Table of Content 1. PURPOSE 1 2. POLICY 1 3. RESPONSIBILITIES 1 4. ACTION Recognizing Potential Evidence Requests for Assistance Operations Preparing for the Search and/or Seizure Conducting the Search and/or Seizure Other Electronic Storage Devices Transporting Computer-related Equipment Forensic Analysis Electronic Evidence Storage Training Reporting DEFINITIONS CANCELLATIONS REFERENCES PURPOSE 2. POLICY To establish the policies and procedures of the Squad. The Squad shall assist other units in the investigation of any crime that involves the use of computers, enhance investigations where computers are a factor in the crime, preserve the integrity of seized computer evidence, and provide expert testimony in court. 3. RESPONSIBILITIES 3.1 The Squad exists to provide investigative and technical support to officers and investigators in the area of high technology crime (i.e. computer crime, computer media evidence, and major technology component theft). 3.2 The Special Enforcement Section commander shall be responsible for the procurement and maintenance of a technical forensic laboratory and any investigative equipment needed by the Squad, and shall be responsible for the selection of unit members. 3.3 The Homeland Security Unit commander shall implement and oversee this directive. 3.4 Squad investigators shall be a liaison with the Federal Taskforce and provide support to Department investigations to include, but not limited to, the following: computer-related criminal investigations; child pornography; preparation of search warrants for electronic media; on-site support for the execution of search warrants; and initial review of electronic media in situations that are beyond the capabilities of the case investigator.

2 3.5 Employees shall follow this directive when assisting in the investigation of computer-related crimes or evidence. 4. ACTION 4.1 Recognizing Potential Evidence Computer-related Evidence 1. Computers and digital media are increasingly used in unlawful activities. The computer may be contraband, fruits of the crime, or a storage container holding evidence of the offense. 2. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence may range from large mainframe computers to pocket-sized personal data assistants, External Drives, DVDs, CDs, or the smallest electronic chip device. Images, audio, text, and other data on these forms of media are easily altered or destroyed. 3. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices Answering the following questions shall assist in determining the role of the computer in the crime: 1. Is the computer contraband or fruits of a crime? For example: Was the computer software or hardware stolen? 2. Is the computer system a tool of the offense? For example: Was the system actively used by the defendant to commit the offense? Were factitious IDs or other counterfeit documents prepared using the computer, scanner, and color printer? 3. Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense? For example: Is a drug dealer maintaining trafficking records in the computer? 4. Is the computer system both instrumental to the offense and a storage device for evidence? For example: Did the computer hacker use the computer to attack other systems and/or to store stolen credit card information? Once the computer s role is understood, the following essential questions should be answered: 1. Is there probable cause to seize hardware? 2. Is there probable cause to seize software? 3. Is there probable cause to seize data? 4. Where shall the search be conducted? Page 2 of 11

3 a. Is it practical to search the computer system on site or must the examination be conducted at a field office or lab? b. If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial? c. Considering the incredible storage capacities of computers, how shall experts search this data in an efficient and timely manner? 4.2 Requests for Assistance During normal business hours, requests for assistance shall be routed to the Homeland Security Unit commander or his or her designee. 1. Requests shall be handled according to priority, and Squad availability. A response protocol shall be developed and followed by the Squad. 2. The Homeland Security Unit shall provide after hours contact information for the Cyber Crimes Squad investigator to the Communications Section. The unit commander or his or her designee must authorize compensatory time or overtime for after hours work by the Cyber Crime Squad Squad employees can provide telephone consultation and/or respond to the scene in situations where evidence-related computer equipment is powered on and such equipment involves standard operating systems The unit commander or his or her designee can authorize other responses, as warranted by circumstances Squad members shall not usually respond to assist with routine seizures of computer evidence where systems are powered off and not networked. 4.3 Operations When Squad members respond to scenes to assist with computer related evidence, they shall have final authority on the handling, collection, and preservation of such evidence When Squad investigators are not on the scene: 1. Department employees are cautioned not to turn on computer equipment that is off, and not to disturb any equipment already on, except for powering it down properly. 2. Employees not familiar with procedures for the proper shutdown and powering off of computer equipment should confer with a Squad member before doing so. 3. Employees should not attempt to view files, or operate software on any computer equipment that potentially contains criminal evidence. Doing so may damage evidence, compromise the integrity of an investigation, and limit any digital evidence that can be forensically recovered. Page 3 of 11

4 4.3.3 Computer Equipment (CALEA 5 th edition standard ) 1. Before handling or moving any equipment, officers shall contact an investigator. Photograph or videotape the equipment in its original position, including any information displayed on any monitors or output devices. 2. Do not remove any external memory devices, CDs, DVDs from any drives. All software, disks, external memory devices and manuals in the area of the equipment being recovered shall also be collected. 3. Leave the non-networked equipment on and unplug the power source only from the back of the equipment. Once the power is disconnected, all wires and connections shall be labeled so that they can be reconnected later exactly as they were found. 4.4 Preparing for the Search and/or Seizure Using evidence obtained from a computer in a legal proceeding requires: 1. Probable cause for the issuance of a warrant or an exception to the warrant requirement. 2. Caution: When encountering potential evidence that may be outside the scope of the existing warrant or legal authority, contact the Squad or the prosecutor, as an additional warrant may be necessary. 3. Use of appropriate collection techniques, so as not to alter or destroy evidence. 4. Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial. 4.5 Conducting the Search and/or Seizure Once the computer s role is understood and legal requirements are fulfilled, secure the scene: 1. Officer safety is paramount. 2. Preserve the area for potential fingerprints. 3. Immediately restrict access to computer(s). 4. If a computer is determined to be evidence, the officer should immediately ascertain if a wireless router is present on the scene and, if so, any phone, cat 5, Ethernet or other data transfer cable should be removed from the router unless the target computer is part of a network that when disconnected would have detrimental effect on normal operating processes of a business. 5. Leave USB devices plugged in and conduct a soft shutdown on the computer, which is shutting down the computer under software control, without removing power from the system. Page 4 of 11

5 4.5.2 Stand-Alone Computer (non-network): 1. Consult a Squad investigator. 2. If investigator is not available: a. Photograph the screen, then disconnect all power sources; unplug from the wall and the back of the computer. b. Place evidence tape over each drive slot. c. Photograph, diagram and label the back of computer components with existing connections. 3. Label all connectors and cable ends to allow reassembly as needed Networked Computers 1. Consult a Squad investigator for further assistance; do not take action without Squad guidance. 2. Pulling the plug could: a. Severely damage the system b. Disrupt legitimate business c. Create officer and Department liability 3. All umbilical devices connected to the computer being recovered, such as mouse, printers, monitors, scanners, etc., should be recovered as well. 4.6 Other Electronic Storage Devices Electronic devices may contain viable evidence associated with criminal activity. Unless an emergency exists, the device should not be accessed. Should it become necessary to access the device, all actions associated with the manipulation of the device should be noted, in order to document the chain of custody and ensure its admission in court Wireless Communication Devices Cell Phones, Pads, and Tablets 1. Potential Evidence Contained in Wireless Communication Devices: a. Numbers called b. Names and addresses c. Caller ID for incoming calls d. Other information contained in the memory of wireless telephones e. Phone/pager numbers Page 5 of 11

6 f. PIN numbers g. Voice mail access numbers h. Voice mail password i. Debit card numbers j. Calling card numbers k. and Internet access information l. The on-screen image may contain other valuable information 2. On and Off Rule Facsimile Machines a. If the device is ON, do NOT turn it OFF (1) Turning it OFF could activate the lockout feature, do NOT power down prior to transport (take any power supply cords present). (2) Write down all information on display (photograph if possible). (3) Notify Squad personnel immediately, if you suspect critical information is on a phone that you did not turn off. Squad personnel shall advise the requesting officer how to obtain the proper warrant or waivers, and shall attempt to recover the data from the phone prior to being turned into property. The phone should be secured in a faraday bag, or placed in an area where it cannot receive radio signals until the phone is examined. b. If the device is OFF, leave it OFF (1) Turning it on could alter evidence on the device (same as computers). (2) Upon seizure get it to an expert as soon as possible or contact local service provider. (3) Make every effort to locate any instruction manuals pertaining to device. 1. Potential Evidence contained in Fax machines: a. Speed dial list b. Stored faxes (incoming and outgoing) c. Fax transmission logs (incoming and outgoing) d. Header line Page 6 of 11

7 e. Clock setting 2. Best Practices Fax Machines: If a fax machine is found ON, leave it "ON. Powering down may cause the loss of last number dialed and/or stored faxes. Pull the plug directly from the wall. 3. Other Considerations: Caller ID Devices a. Record telephone line number fax is plugged into b. Header line should be the same as the phone line user sets header line c. All manuals should be seized with equipment, if possible 1. Potential Evidence contained in Caller ID Devices: a. May contain telephone numbers from incoming telephone calls b. May contain subscriber information from incoming telephone calls 2. Best Practices Caller ID Devices: a. Interruption of the power supply to device may cause loss of data if not protected by internal battery back-up. b. Document all stored data prior to seizure or loss of data may occur Smart Cards: A plastic card the size of a standard credit card that holds a microprocessor (chip) which is capable of storing monetary value and other information. Smart Card technology is used in some wireless telephones and may be found with wireless devices (see Section 4.6.1) 1. Potential Evidence contained in Smart Cards: a. Secure logon and authentication of users b. Storage of digital certificates, credentials and passwords c. Encryption of sensitive data 2. Best Practices Smart Cards: a. Contact a Squad investigator for further information. b. Use appropriate collection techniques so as not to alter or destroy evidence. Page 7 of 11

8 4.6.5 Tracing an Internet 1. When an internet message is sent, the user typically controls only the recipient line(s) (To: and Bcc :), the Subject: line, and the message itself. 2. software adds the rest of the header information as it is processed. Officers responding and collecting evidence shall collect the Internet Header information. This information is vital to tracing s. If the responding officer isn t sure how to collect this information, they should contact Squad investigators. 3. Reading an header: Sample Header -----Message header follows----- (1) Return-path: <abottom@abcd.gov (2) Received: from xyz.gov by abcd.gov id BB68238; Fri, 28 Dec 99 15:50:49 EST (3) Received: from local host by abcd.gov id AA12345; Fri, 28 Dec 99 15:50:01 EST (4) Message-Id: AA12345@xyz.gov (5) Date: Fri, 28 Dec 99 15:50:01 PST (6) From: A. Bottoms <abottomabct.gov> (7) To: Dave Smit dsmit@hij.com (8) CC: Ganggang@klm.net, Danny K DK99999@aol.com a. Line (1) tells other computers who really sent the message, and where to send error messages (bounces and warnings). b. Lines (2) and (3) show the route the message took, from sending to delivery. Each computer that receives this message adds the received field with its complete address and time stamp; this helps in tracking delivery problems. c. Line (4) is the Message-ID, a unique identifier for this specific message. This ID is logged, and can be traced through computers on the message route if there is a need to track the mail. d. Line (5) shows the date, time, and time zone when the message was sent. e. Line (6) tells the name and address of the message originator (the sender ). f. Line (7) shows the name and address of the primary recipient; the address may either be for a mailing list, system-wide alias, or a personal username. g. Line (8) lists the names and addresses of the courtesy copy recipients of the message. There may be Bcc. Recipients as well; these blind carbon copy recipients get copies of the message, but their names and addresses are not visible in the headers. Page 8 of 11

9 4.7 Transporting Computer-related Equipment If transporting is required, package components and transport/store components as fragile cargo. Keep away from magnets, radio transmitters and otherwise hostile environments Do not transport any electronic equipment in the trunk of a vehicle that has any kind of Police radio; this can cause damage to the evidence. It is best placed on the back seat Protect the equipment from the weather and transport it as soon as possible to Logistical Support Unit Place all the diskettes and other electronic storage devices in a paper bag or leave them in their own holders. 4.8 Forensic Analysis The forensic analysis of digital evidence is guided by the request of the submitting officer and the scope of the search warrant/waiver, where applicable. 1. Analyzing digital media is for the recovery of both incriminating and exculpatory evidence. 2. Examinations shall be conducted in an unbiased approach. 3. Each analysis is different, and the methods used to recover evidence shall vary somewhat from case to case Forensic examinations of computer related media for digital evidence shall be conducted upon written request, utilizing the Computer Evidence Submission form (APD-353) and accompanied by the required documents (i.e. waivers, warrant affidavits, supplements, etc.). 1. Computer analysis requests must be routed through the Homeland Security Unit commander. 2. Examinations shall be scheduled in the order they are received, unless specific needs are articulated that require certain cases be handled before others Squad members shall coordinate with the Homeland Security Unit commander on conducting casework and forensic examinations. 1. In-Lab forensic examinations of computer media shall be performed as time allows or on overtime, as appropriate. 2. The Squad equipment shall be kept secure and in a locked location. 3. For access to any Computer Crime Lab facilities in the Special Enforcement Section, non- APD members must be escorted by the SES commander, Homeland Security Unit commander, or a Squad member When conducting analyses of computers and/or digital media, the Squad shall follow generally accepted forensic examination practices as employed by federal, state, and local law enforcement agencies across the United States. Page 9 of 11

10 4.9 Electronic Evidence Storage Due to the fragile nature of computerized electronics, evidence must be stored properly The Logistical Support Unit shall maintain a storage area for all electronic evidence that is airconditioned/heated, and has humidity control. 1. Electronic evidence should be stored at degrees Fahrenheit and 25 40% relative humidity 2. The storage area must also be shielded from magnetic fields. Electric motors, car and home speakers contain magnets and should be stored far away from all electronic evidence. City transmitting radio equipment, i.e. antennas, microwave, transmitters, must also be kept away from electronic evidence. Plastic and metal shelving can carry static and magnetic fields, and should be avoided. 3. This storage area should include areas for plugging in electronic devices that may require power to maintain the evidence. These power receptacles should be backed up by UPS systems (battery backup) and protected against electrical power spikes and surges Images of electronic evidence 1. All images (copies) of electronic evidence shall be handled in the same manner as original electronic evidence. a. All accesses to the image (copy) of the electronic evidence shall be logged. b. A copy of the access log shall be maintained for a period of 10 years, or longer if the case has not reached its final conclusion. 2. All images (copies) of original evidence shall be stored for 180 days after the case is turned over to the District Attorney s office. 3. If the District Attorney requires the images (copies) to be maintained longer than the 180 days, they should be required to provide storage space for the images (copies) and they shall be turned over to the District Attorney s office for storage Original electronic evidence should be maintained until the case is adjudicated following the current logistical support guidelines. Since some electronic evidence may be, in fact, contraband (i.e. Child Pornography), or personnel information covered by the HIPPA, NO electronic evidence shall be released to the public, unless ordered by the court, without it being securely wiped (erased) to Department of Defense Standards. Original evidence returned to the original owner shall not automatically be wiped (erased), unless it contained contraband (i.e., Child Pornography,) or unless ordered by the court Training The Squad shall seek training opportunities to maintain skills and knowledge The Squad shall be knowledgeable of statutes, case law, and guidelines (state and federal) pertaining to computer crime and digital evidence. Page 10 of 11

11 Department members shall confer with the Squad on situations where they are not clear on legal or procedural issues, especially when an investigation may involve electronic communications ( seizure, publishing online or otherwise, etc.) Reporting Squad members shall follow the general Department protocols for any investigative reports they prepare Forensic analysis reports generated by Squad investigators shall be prepared according to established Unit protocols The Criminal Investigation Division supervisors shall forward copies of any incident reports or completed investigations involving the use of a computer The Criminal Investigation Division supervisors shall also forward copies of cases involving any retail, commercial or government entities and any cases involving a loss (greater than $10,000) of computer equipment. 1. If the evidence is retained for investigation by Squad investigators, a copy shall be sent to the Squad. 2. This process shall aid in tracking instances of computer-involved crime. 3. The Squad shall maintain statistics on computer-related crimes, regardless of what unit actually investigates the case. 5. DEFINITIONS 5.1 Faraday bag: A container that blocks radio frequencies. 5.2 Image: Copies of electronic evidence. 5.3 Network Computer: A computer system that operates exclusively via a network connection. It boots off the network, but runs its applications locally, using its own CPU and memory. 6. CANCELLATIONS, effective October 1, REFERENCES Electronic Crime Scene Investigation: A guide for first responders CALEA Standards: Page 11 of 11