Hacker
I've always wondered how the "FBI" works when it gets hold of some modest person. Today we will look at the whole process from the inside, because, as they say, "forewarned is forearmed."
Search tactics
When the required evidence may be on computer media, a search should be carried out in accordance with the rules below to ensure legality and probative value.
Computer storage media include removable and non-removable magnetic disks, compact discs (CDs), DVDs, flash drives, optical discs, magnetic cards, digital cassettes and others. Such media can be found in personal computers, servers, communication equipment, handheld computers (PDAs), communicators, smartphones, mobile phones, digital cameras and camcorders, players and similar equipment; all such equipment with built-in media is seized in its entirety.
Other types of equipment do not contain computer storage media accessible to the user, so there is no need to seize or examine them. These are printers, scanners and fax machines, as well as keyboards, monitors, mice, joysticks and speakers.
It should be remembered that technology develops rapidly, and user-accessible media may tomorrow appear in devices that lack them today.
For example, in 2000 an audio player would not have been considered a carrier of computer information, whereas now almost all audio players (MP3 players) are also portable user storage devices.
In the near future, manufacturers plan to equip all household appliances with built-in computers: refrigerators, air conditioners, coffee makers, washing machines, etc. Such a home appliance computer is likely to include built-in or removable media and a network interface for remote access.
So, we will first outline the basic principles of handling storage media and computer equipment during a search, and then describe in more detail the rules for conducting a search where such equipment is present.
Principles
1. During the seizure of computer equipment, no information on the seized media may be changed. The investigation has the duty to prove that the computer information presented to the expert or the court has not changed, neither during the search nor during subsequent storage.
2. Access to information and its examination "on the spot" are permissible only when it is impossible to seize the medium and send it for examination. Such access must be carried out by a competent specialist who understands and can explain the meaning and all the consequences of the actions he performs.
3. All actions with computer equipment must be recorded so that an independent researcher could repeat them and obtain the same results.
General rules for the seizure of computer equipment during a search
1. Take control of the room where the equipment is installed, as well as the electrical panel. Do not allow anyone other than your specialist to touch the equipment or the power supply devices. As a last resort, if local personnel cannot be kept away from the equipment, record all their actions. On the rare occasions when there is reason to believe that the search is being watched by accomplices outside your control, disconnect the computers' network connections as soon as possible: unplug the LAN cables from the computers and disconnect the modems. In the few minutes while photographs are being taken and the technician prepares for shutdown, an accomplice can, in principle, connect to the computer over the network and destroy essential information on it.
2. Do not turn on the switched off devices.
3. Photograph or video-record the computer equipment. As a last resort, sketch a diagram. Pay attention to the cables: which one is connected where. It is also advisable to photograph or label the cable connections to identify the connection points. All peripherals connected to the computer should be photographed and/or described in the protocol so that it is clear how everything was connected.
4. If the computer is on at the time of the search, take a photo or otherwise capture the image on the monitor.
With a computer that is on but "sleeping", there are two options: either turn it off immediately, without touching it, as described below, or first wake it by moving the mouse slightly, photograph the screen contents, and only then turn it off. The choice is left to the head of the operation. When waking the computer, it may turn out that exit from sleep mode or from the screensaver is password-protected; then, after moving the mouse, you will see a password prompt instead of the screen content. In that case, turn off the computer using the method described below.
5. Find and collect the pieces of paper on which passwords, network addresses and other data may be written; such notes often lie at the workplace, are stuck to the monitor, or hang on the wall.
6. If the printer is printing something, wait until printing is complete. Anything in the printer's output tray is described and seized along with the other computer storage media.
7. After that, the computers must be turned off. This should be done by a competent person. Do not let local personnel or the owner of the seized equipment do it, and do not take their advice. If you do not have a specialist with you, shut down a desktop computer by unplugging the power cord from the computer case (not from the wall outlet). Turn off a laptop by pulling out the power cord and removing its battery, without closing the lid.
Sometimes one may mistake a computer that is on for one that is off. When hibernating ("sleeping"), the screen turns off and some functions of the computer are suspended; the LED indicators may go out or change color. Nevertheless, when the computer is on, even "asleep", the power indicator on the system unit is always lit. When it is off, on the contrary, all indicators on the system unit are extinguished, although the indicator on the monitor may be lit.
8. The equipment is sealed so as to exclude both physical access to the inside of the case and the connection of a power supply. This is recorded in the protocol.
9. The seized equipment is packed according to its fragility and sensitivity to external influences. Hard disk drives (HDD) are especially sensitive to vibration; mechanical damage to them (for example, from transport in a car trunk) makes the data completely inaccessible.
10. Ask all users for passwords. Try to find out from each employee all the passwords (more precisely, login-password pairs) known to him that relate to the seized equipment. Passwords should not be taken down by ear: they must be written down character by character, paying attention to the alphabet and case of each character, and verified with the source. It is permissible not to enter passwords in the interrogation protocol or explanation but simply to write them down on a piece of paper; this does not diminish their probative value.
Features
Relevant computer information and other digital traces of criminal activity can be found on a variety of digital devices and media. During a search, one should try to find all such devices and media, quickly decide whether they may contain information of interest, and seize them if possible.
Detection of such media or devices requires the participation of a specialist.
Below are recommendations for handling some types of computer equipment. They should be used only when there is no specialist in your team. A specialist must know how to handle each specific model in order to keep the information unchanged; when a specialist is present, follow his instructions.
Notebook (laptop)
If the laptop is on when the search starts, first photograph or otherwise record the contents of the screen, as described above.
To turn off the laptop, it is not enough to unplug the power cord; this only switches the laptop to battery power. To de-energize it, you must remove the battery. Do not close (fold) the laptop lid: closing it usually triggers the hibernation function ("falling asleep"), which writes changes to the disk and violates the principles above.
Handheld computer (PDA)
This class includes: PDAs (Personal Digital Assistants), palmtops, pocket PCs, organizers, smartphones, communicators, electronic diaries. A feature of this class of computers is that a significant part of user data is stored in RAM. When the handheld's power is cut, all such information is irretrievably lost.
The normal "off" state of a handheld actually means not shutdown but "sleep" or hibernation mode, in which electricity is consumed only to maintain RAM. It can remain in this state for up to several days, depending on the battery's current state. If the handheld is on (active) when the search starts, first photograph or otherwise record the contents of the screen, as described above. When inactive, the screen turns off automatically and the handheld goes into hibernation after a few minutes. After taking the photo, you can turn it off manually with the "power" button, if there is one. Do not touch the handheld's screen: the screen is touch-sensitive, and every touch is interpreted as a command.
Do not remove the battery from the handheld. Along with it, be sure to seize the cradle (a stand with a power supply and interface device) or other charger. The handheld can be stored on its own, without recharging, only for a short time, usually a few days; the storage time depends on the initial state of the battery, and after it is depleted the contents of RAM are lost. It is better not to take the risk and to hand the device over to the expert as soon as possible after seizure. Before such a transfer, if possible, store it inserted in the cradle so that the battery does not drain. A handheld in a cradle (which, of course, must be connected to the mains) can be stored indefinitely; however, storage in a cradle is incompatible with sealing the device. The search protocol (seizure, personal search) should state approximately the following: "When inspecting and seizing the handheld computer, its buttons were not pressed, the screen was not touched, and the battery and removable drives were not removed. The hibernating (sleeping) handheld computer was packed and sealed so as to exclude any access to its controls (keys, screen) and its connectors without damaging the seals."
Flash drives
Flash memory drives exist as stand-alone devices or as part of other devices such as audio players or digital cameras. Their shape and size are very diverse. Most often such drives have a USB interface, by which they can be identified.
Such drives do not lose data without power, so they can be stored for a long time. When seized, a drive should be sealed to exclude access to its USB connector and controls (if any). In principle, a copy of a flash drive can be made on site; how to do this is described in the "Computer-technical expertise" section. But there is no particular need for such copying, since the flash drive is seized anyway whenever there is reason to believe it may contain information material to the case, and is then sent for examination. It makes sense to copy on site when there is no time to wait for the results of the examination and information is needed quickly to continue the investigation. In such cases a specialist copies the drive on the spot; the drive itself is sealed, seized and set aside to await examination, while the copy is examined to obtain unofficial but urgent information.
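The integrity principle stated above (the investigation must prove the data has not changed, and an independent researcher must be able to repeat the actions) and the on-site copy of a flash drive come down to the same practical check: a hash recorded at acquisition and re-computed later. The following Python example is added here and is not from the book or the post; it images a constructed sample file standing in for a flash drive (a real acquisition would read the block device through a hardware write blocker), records the SHA-256 of source and image in a chain-of-custody entry, and shows verification failing after a single byte of the image is altered.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read the medium in 1 MiB blocks


def hash_file(path: str) -> str:
    """SHA-256 of a file, read block by block so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(source_path: str, image_path: str) -> dict:
    """Copy the source medium byte-for-byte into image_path and record hashes.

    The source hash is computed from exactly the bytes that were read and
    written; the image is then re-read from disk and hashed independently,
    which is the check an examiner repeats later. In a real acquisition
    source_path would be a block device behind a write blocker (assumption).
    """
    src_hash = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
    img_hash = hash_file(image_path)
    return {  # chain-of-custody entry for the protocol / evidence log
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash,
        "verified": src_hash.hexdigest() == img_hash,
    }


def verify_image(record: dict) -> bool:
    """Re-hash the stored image and compare with the value recorded at seizure."""
    return hash_file(record["image"]) == record["sha256_image"]


def demo() -> tuple:
    # Constructed sample "medium": a temp file standing in for a flash drive.
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "flash_drive.bin")
    image = os.path.join(tmp, "flash_drive.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))
    record = image_and_hash(source, image)
    ok_before = verify_image(record)
    # Simulate one byte of the image being altered during storage.
    with open(image, "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0x01]))
    ok_after = verify_image(record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("intact after imaging:", before, "| intact after tampering:", after)
```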
Cell phones
Before treating a seized mobile phone as a carrier of computer information, decide whether material traces need to be obtained from it: fingerprints, drug traces and others. Be aware that some fingerprinting methods may render the phone unusable. In most cases, when seizing a mobile phone, it should be turned off to prevent the loss of existing data due to new calls and new SMS messages. Do not remove the battery.
However, in some cases the head of the operation may decide that it is more important to monitor incoming calls; then the phone is left on and recharged as needed. A switched-off phone is packed in hard packaging and sealed so as to exclude access to its controls. This is noted in the protocol. When turning off the phone, there is no need to worry about the PIN code protecting the data on the SIM card: the PUK (PIN unlock key) can be obtained from the telecom operator at any time and used to gain access to the SIM card. There is a lot of technical literature on field and laboratory examination of information from mobile phones.
Modems
Some modems store user information: network settings or the provider's phone numbers. If there is no specialist who can say whether the modem model present has memory or not, the modem must be disconnected from the power supply, sealed and seized.
That was an excerpt from one of the newest books you can read on the subject. This book, "Forensics - Computer Forensics", is freely available on the Internet. It is better to download it now and read it at least occasionally than to have to study it somewhere while sitting in a prison camp for 5-20 years.