7/11/2013 Bryan Franke

Transcription

7/11/2013 Bryan Franke
7/11/2013

Bryan Franke



Presented by
Bryan Franke
President/Founder of
2C Solutions, LLC




[email protected]
http://2CSolutions.org

http://2CSolutions.org


The information shared today are my opinion’s
and beliefs based on my training, experience
and research of these topics.
Although NNEDV is hosting this seminar, I
feel it is important to express right up front that
“the buck stops here”, with me. So if you have
concerns or disagree with what I present, that
is on me…Not NNEDV.
http://2CSolutions.org




The first responder’s responsibilities in these cases
are very important. These types of cases can be
time sensitive.
The evidence in these cases is often still accessible
by the suspect.
Some evidence is only stored for very short
amounts of time by the service providers, so
preservation orders are very important.
L.E. Personnel and the victim’s are the only ones
that should be collecting or preserving evidence.
Advocates do NOT want to be directly involved in
this process as they would then become part of the
chain of custody in the trial.
http://2CSolutions.org
25 year veteran of the Longmont Police Department
Computer Forensic Analyst/Detective
Cross designation with Department of Homeland
Security
Assigned to Patrol, K9, SWAT, Detectives, Cyber Crimes.
Founded 2C Solutions, LLC
Pretty much alphabet soup for various certifications,
CFCE, CEECS, CFSI, CUCE
Trained the state of WY and LA Probation/Parole Units,
various agents from Ireland, England, America, US
Army/CID, etc.
Testified as an expert witness in District Court, 20th
Judicial District.
http://2CSolutions.org





Recognizing when and where the investigation
starts
How to recognize evidence in your case
How to preserve it
How to document it
How to prepare it for the forensic analyst
and/or court
http://2CSolutions.org
The first conversation you have with the victim
will really help you form a plan of attack, as long
as you ask the right questions.
Those questions will be based on what type of
issue is being reported; email communications,
SMS (text) communications, MMS
(picture/audio) communications, GPS tracker,
spyware, photographing/stalking, on-line social
network harassment, stalking, etc.
http://2CSolutions.org
1
7/11/2013

Capture the communication from the victim’s
computer.




Having it forwarded to you will NOT give you the
evidence you need (header data).
Photograph, print or copy & paste the message(s),
showing the expanded “address” fields.
Access the header data for the communication(s) then
photograph, print or copy & paste them.
Save all data in digital format as well.
 Consider naming each communication by the date & time
shown on communication.
 If you have cases involving multiple senders consider
creating a folder for each sending account, then name as
above.
http://2CSolutions.org
http://2CSolutions.org
http://2CSolutions.org
http://2CSolutions.org
2013 Denver Race Recap
Inbox
x
Rugged Maniac [email protected] via mail82.us2.mcsv.net

May 17 (3 days ago)
to Bryan
Images are not displayed. Display images below - Always display images from [email protected]
Is this email not displaying correctly? View it in your browser.

Rugged Maniac!
Greetings Denver Maniacs!
You've just completed one of the biggest tests of your life, overcoming fear, exhaustion and our wildest water
slide yet to become true Rugged Maniacs! What are you going to do now? “Go to Disney World!” “Sign up
for next year’s race at the ridiculously low price of $29!” Great idea! Registration is now open for the 2014
Denver Rugged Maniac and you can get in on the fun for a limited time price of only $29! Simply register by
August 5th with the code CO2014 and you'll be on your way to another weekend of epic obstacles, new
friends and glorious achievements, all for an insanely low price! So get your team together and lock down
your preferred start time before it sells out (which won't take long at this price). NOTE: The event will be held
on a to-be-determined weekend in May, but we’ll send an email once the exact date has been finalized.
http://2CSolutions.org

The header data is very important in these
investigations. Header data is NOT the TO &
FROM fields.
Header Data is the technical data which is kind
of like a “travel log” for the message as it
moves from the sender to the receiver.
Some providers remove the sender’s header
data and replace it with their own data.
(Google, Yahoo!)
http://2CSolutions.org
2
7/11/2013
http://2CSolutions.org






Now that you have the data lets see what it
tells us.
Where did the message originate (where was it
sent from)?
What shows as a return path?
When did it get sent?
Where did it end up?
What is the message ID for this specific
message?
http://2CSolutions.org
Delivered-To: [email protected]
Received: by 10.220.48.138 with SMTP id r10csp147672vcf;
Fri, 17 May 2013 11:29:32 -0700 (PDT)
X-Received: by 10.224.78.193 with SMTP id m1mr37970227qak.79.1368815371833;
Fri, 17 May 2013 11:29:31 -0700 (PDT)
Return-Path: <SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773-bryan=2csolutions.org@2csolutions.org>
Received: from bosmailout18.eigbox.net (bosmailout18.eigbox.net. [66.96.186.18])
by mx.google.com with ESMTP id p13si3650815qct.85.2013.05.17.11.29.31
for <[email protected]>;
Fri, 17 May 2013 11:29:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773bryan=2csolutions.org@2csolutions.org designates 66.96.186.18 as permitted sender) client-ip=66.96.186.18;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773-bryan=2csolutions.org@2csolutions.org
designates 66.96.186.18 as permitted sender) smtp.mail=SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773bryan=2csolutions.org@2csolutions.org;
dkim=pass [email protected]
Received: from bosmailscan06.eigbox.net ([10.20.15.6])
by bosmailout18.eigbox.net with esmtp (Exim)
id 1UdPPH-0006y1-3e
for [email protected]; Fri, 17 May 2013 14:29:31 -0400
Received: from bosimpinc04.eigbox.net ([10.20.13.4])
by bosmailscan06.eigbox.net with esmtp (Exim)
id 1UdPPF-0007Ye-Nh
for [email protected]; Fri, 17 May 2013 14:29:29 -0400
Received: from mail82.us2.mcsv.net ([173.231.139.82])
by bosimpinc04.eigbox.net with NO UCE
id d6VV1l01t1mrabR016VVTu; Fri, 17 May 2013 14:29:29 -0400
X-EN-OrigIP: 173.231.139.82
X-EN-IMPSID: d6VV1l01t1mrabR016VVTu
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail82.us2.mcsv.net;
h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
[email protected];
http://2CSolutions.org
bh=wff3NoWX8kux5WuwSdTrimy2hEw=;
b=hlnm2VGzAC+U0BkKHQJ4+dPXlrY2V1eQlEgDS6tzAOemMWscx6+d3RW1UV2Expzy2CoSbBBtfsDO
xZ2fYfHZMiSdQrKEacRpfxTuvU2PNXcTe4cWmKHnZRs9hJ3VGs0qWxL7d0XbrnBYscZISWLZArUE
WAusc/ZVg7DRGnjsq8A=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail82.us2.mcsv.net;
b=aj4GEwqzrp6iL4ctDYsLOzRKlasIzXYUeZLHjWXSsWIa0zsx+t/+8Gzt0STFDL2xE1/6+EkZCel2
KdgjiHKZYmEcrirgoVEqN3L+ybeMTPdQyBCWpDi4uMVVIj4tqw71cNwomJd/R/aMo/j4pWSjl6jM
wmClpWZVynJSyUTzKOA=;
Received: from (127.0.0.1) by mail82.us2.mcsv.net (PowerMTA(TM) v3.5r16) id hiprgi11djo5 for <[email protected]>; Fri, 17 May 2013 18:29:28
+0000 (envelope-from <bounce-mc.us2_3382298.1315773-Bryan=2CSolutions.org@mail82.us2.mcsv.net>)
Subject: =?utf-8?Q?2013=20Denver=20Race=20Recap?=
From: =?utf-8?Q?Rugged=20Maniac?= <[email protected]>
Reply-To: =?utf-8?Q?Rugged=20Maniac?= <[email protected]>
To: =?utf-8?Q?Bryan?= <[email protected]>
Date: Fri, 17 May 2013 18:29:28 +0000
Message-ID: <0bfe2548a086a397140e907f3b58706b510.20130517182911@mail82.us2.mcsv.net>
X-Mailer: MailChimp Mailer - **CIDfadbe64819b58706b510**
X-Campaign: mailchimp0bfe2548a086a397140e907f3.fadbe64819
X-campaignid: mailchimp0bfe2548a086a397140e907f3.fadbe64819
X-Report-Abuse: Please report abuse for this campaign here:
http://www.mailchimp.com/abuse/abuse.phtml?u=0bfe2548a086a397140e907f3&id=fadbe64819&e=b58706b510
x-accounttype: pd
List-Unsubscribe: <mailto:unsubscribe-0bfe2548a086a397140e907f3-fadbe64819-b58706b510@mailin1.us2.mcsv.net?subject=unsubscribe>,
<http://ruggedmaniac.us2.list-manage.com/unsubscribe?u=0bfe2548a086a397140e907f3&id=8a45d0e550&e=b58706b510&c=fadbe64819>
Sender: "Rugged Maniac" <[email protected]>
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_830103980"
MIME-Version: 1.0
This is a multi-part message in MIME format
http://2CSolutions.org
Originating IP address
Reply To Info
Date/Time (GMT)
Message ID
http://2CSolutions.org
http://2CSolutions.org
3
7/11/2013
http://2CSolutions.org
http://2CSolutions.org




This is where you would send, fax and email a copy of your
preservation letter.
http://2CSolutions.org
Must come from Law Enforcement
Simple, plain wording is all that is needed.
Summary of case and what you want saved.
Notify them if you do NOT want them to
notify the suspect of the preservation, and
pending search warrant/court
order/subpoena. Kik requires a separate court
order mandating no notification be made to
their customer.
http://2CSolutions.org
Longmont Police Department
225 Kimbark Street, Longmont, CO 80501
TO:
FROM:
DATE:
RE:
1&1 Internet Inc.
Detective Bryan Franke
Friday, May 17, 2013
Preservation of Data/Information
Greetings,
I am investigating a violation of a protection order issued by the Courts of the 20th Judicial District. I have
reason to believe evidence related to this investigation is housed/stored on your server, or other system
equipment. This violation involves an email account named **************@********.com. The
violation occurred between the dates of May 1, 2013 to present. Please do NOT notify the owner or user of
this account of this order as it could jeopardize the safety of the victim and compromise this investigation
and further evidence.
Please preserve all of the following items as I will begin the process of obtaining legal authority for the
release of said information:
1.
2.
3.
4.
5.
Session logs, including log-in/log out dates and times, associated IP addresses for each access
Creation date and time for said account
IP address used to create said account
Credit card information (if applicable) for any upgraded or purchased services
Any and all contact information for said account, including name, address, phone numbers, and
secondary email addresses.
6. Any and all service requests made and the associated contact information for the individual making
said requests
7. Any and all communications, messages, images stored in the associated account’s inbox, outbox,
drafts, or custom stored file structures associated with said account.
Should you have any questions, or need clarification on this request, please do not hesitate to contact me.
Respectfully Submitted,
Detective Bryan Franke #8804
Longmont Police Department
225 Kimbark Street, Longmont, CO 80501
(303) 651-8518 – desk
[email protected]
http://2CSolutions.org




The majority of the time collection of the email
message and the associated header data is going to
be sufficient for evidence in the case.
Collection of the victim’s device should be
reserved for out of the ordinary investigations.
If the email has been deleted collect the computer
it was opened with and have the forensics lab try
and recover it.
If concerns about unauthorized access/deleting
items, consider converting to PDF and saving to
removable media, or printing the communication,
or creating an encrypted volume on the HDD.
http://2CSolutions.org
4
7/11/2013

These are time sensitive investigations and
efforts need to be made quickly to preserve the
evidence.



Victims may not think of photographing this stuff
Advocates can help remind them to do this, and to
keep a log with the information already discussed.
L.E. Agents – Preservation Letters, followed up
by legal paperwork will be very important in
these investigations.

Courts and Jurors are expecting us to not only show
the evidence on the victim’s device, but that it came
from the suspect’s device.
http://2CSolutions.org







http://2CSolutions.org
Options for capturing information from other sites.
“Print Screen” key on keyboard, (ctrl + v) or right
click then “Paste” to a new document. Limited to
what you see.
Lightscreen is a free screen capture software
Fireshot is a free capture software for use on
various browsers. Can scroll down a page and
capture all of it or defined area.
SnagIt is a purchased software for screen captures.
Camtasia is a purchase software for video
recording of computer screens.
Microsoft Windows Vista and 7 have “Snipping
Tool” that is a screen capture software.
http://2CSolutions.org
http://2CSolutions.org
http://2CSolutions.org
http://2CSolutions.org
5
7/11/2013



You can always copy and paste like we talked
about earlier.
Using your own computer you can research the
site and find what they have to offer for
capturing data like archiving with Facebook.
Look up the registered contact for the site on
Search.org and send them an email, or call,
with questions of what they have and how do
they want you to request it.
http://2CSolutions.org

Complex and somewhat unique devices.

These devices can store a lot of information

Different OS








http://2CSolutions.org
Smartphones are more like small computers than a telephone.
iPhone up to 64GB (internal)
Samsung Galaxy S4 up to 64GB (microSD card)
Android (1.0,1.1, Cupcake, Donut, Éclair, Froyo, Gingerbread,
Honeycomb, Ice Cream Sandwich, Jelly Bean)
iOS (Kodiak, Cheetah, Puma, Jaguar, Panther, Tiger, Leopard,
Snow Leopard, Lion, Mountain Lion)
Blackberry (4.5, 4.6, 5.0, 6.0, 7.0, 7.1)
Windows Mobile (Windows CE, Pocket PC 2000, Pocket PC
2002, Pocket PC 2003, Pocket PC 2003 SE, Mobile 5, Mobile 6,
Mobile 6.1, Mobile 6.5)
WebOS
http://2CSolutions.org


Each carrier has their own set of rules and
policies that L.E. must meet.
Each carrier has their own set of guidelines and
level of support they give their customers.
http://2CSolutions.org






http://2CSolutions.org
Forensics on cellular telephones can be difficult.
Each OS functions differently, stores data
differently in different file paths. How the data is
coded can vary as well. 8-bit –v- 7 bit encoding,
unicode, ASCII.
Turn around time for devices from the forensics
lab.
High dependency level of owner.
Limited ability to filter data beyond file type
during initial extraction.
Limited scope of consent to search.
Quantity of data being sought.
http://2CSolutions.org
6
7/11/2013

If your evidence consists of 12 – 15 SMS/Text
communications or call logs, you might be better
off simply displaying the message on the victim’s
phone and photographing it with a digital camera.



Be sure to display the message information/properties:
date, time, sending number, victim’s phone make, model
and phone number.
However, if your evidence consists of MMS
communications (picture messages) you will want
to consider contacting your forensics lab and
having them extract the image that was sent so
EXIF data can be viewed (if still present).



In almost all cell phone stalking/harassment cases,
regardless of the type of communication, I strongly
encourage documenting them via photographs. The
victim can photograph these with their own digital
camera. Keep a log of events, feelings upon receipt,
overall impact on victim’s daily life, etc. This goes to
some requirements of statutes and civil hearings.
Make sure date/time settings are correct in the camera.
Buy a new SD card to use just for this purpose,
especially in on-going or extended investigations.
Corroborate the information by getting billing records
that show the event.
http://2CSolutions.org

An application designed to allow the sharing of a
picture, video or communication to someone else
and then have it automatically delete after a set
amount of time. Both parties must have a
snapchat account for it to work.



http://2CSolutions.org




Can do screen captures if you are fast – it will notify the
sender if it detects you did a screen capture.
Does leave a footprint that may be recoverable by a
forensics analyst.
then roll the ends over multiple times.

Snapchat servers are configured to delete the
image that was sent with their service as soon as
the recipient opens it
Isolation Importance




Phones continually communicate with the network.
“Hides” device if there is malware on it that is used
for tracking. Prevents suspect from knowing L.E. is
involved yet.
Potentially preserves data stored on device.
Prevents “accidental” sends of information, calls, etc.
http://2CSolutions.org
Get the charger for it
Get the unlock PIN or pattern for access
Shut off, or place in Airplane Mode if no Faraday
bag
 Option is to wrap in heavy duty foil at least 10 times

http://2CSolutions.org

When seizing a victim’s device:
Get WRITTEN consent to search.
Contact your forensics analyst immediately after
seizing, or better yet – BEFORE seizing the phone –
to arrange the extraction of data.
http://2CSolutions.org



Typically there is a different legal standard
applied to the suspect’s devices. Most often
they will be afforded protection under the 4th
Amendment of the U.S. Constitution.
When L.E. seizing a suspect’s device there are
many things you need to do fairly quickly.
Is it turned on or off?
http://2CSolutions.org
7
7/11/2013
If the device is turned off, try and locate the charging cable
and seize it as well.





Different connections for different devices.

Do NOT turn it on.
There is no need to isolate the phone from the network as it
is turned off and will not be communicating with the
network.
If you have the charger, consider plugging the phone
charger in when you log it into your Evidence Unit.
As soon as practical go into the settings and place
the phone into Airplane Mode.


Some phones may power on when plugged into a charger (iPhones
are one), so consider placing it in a Faraday bag prior to connecting
to power and document when you did so.
 If you do not have a Faraday bag consider logging the charger
with the phone and notify your forensics lab of the item needing to
be examined. A powered off phone uses very little power to
maintain memory.

Look to see if the phone has a PIN assigned under
the security settings. If so, you may need to have
someone assigned to keep the phone from going to
sleep/hibernation.



http://2CSolutions.org

The charger is very important because if you
isolate a phone by the use of a Faraday bag, or
aluminum foil, the phone will increase the
amount of energy it draws from the battery to
increase the signal broadcasting strength to try
and reach a tower. This will quickly drain the
battery.

Many SmartPhones have the ability to be wiped or
locked remotely by either the owner or the carrier.
Pulling the battery can cause dates and times
associated with various communications to be lost,
so will loosing total power in the battery.

App based communications




http://2CSolutions.org
SIM/USIM cards can store important evidence
and are fairly stable. They come in three sizes;
standard, micro SIM and Nano SIM.
Older phones more than newer phones.
iOS devices can use iMessage, which is encrypted SMS
communication and need to be extracted a different way.
iPOD Touch devices can make phone calls, send SMS and
MMS communications through the use of apps.
Get password/log-in information for these when
possible.
http://2CSolutions.org

Because the SIM/USIM card is what allows a
GSM or world phone to operate on a network
people can have several of them.




http://2CSolutions.org
Occasionally changing screens or swiping their finger
across the screen.
Change sleep settings – battery life considerations
Removing of changing PIN – you might need original
code to do this.
http://2CSolutions.org


Isolates the phone from the network so it can not receive
data/communications.
Each one will have it’s own assigned phone number
Can store unique contact information
Can store SMS communications
Look for these and include them in search warrants
http://2CSolutions.org
8
7/11/2013

These are time sensitive investigations and
efforts need to be made quickly to preserve the
evidence.





Victims may not think of photographing this stuff
Advocates can help remind them to do this, and to
keep a log with the information already discussed.


L.E. Agents – Preservation Letters, followed up
by legal paperwork will be very important in
these investigations.


Courts and Jurors are expecting us to not only show
the evidence on the victim’s device, but that it came
from the suspect’s device.
http://2CSolutions.org

It is important to remember, and explain to the
victims, the ISP’s have up to 30 days to respond to
service.


 One to email client (Google, Yahoo!, etc) to get the
originating IP address. *up to 30 days response.
of cell service carriers, several customers may be assigned the
same IP address and this may complicate your investigation.
*up to 30 days response.
 One for customer that was assigned the IP address (i.e. –
your suspect) to seize the computer, storage devices, and
portable devices capable of accessing the Internet.




http://2CSolutions.org
Field Search is a free software available to
justice system agencies that allows a nontechnical user to examine a computer, or other
storage device, for logical data.
Creates a really nice report of findings
Can quickly capture TONS of data.
Information can be found on Field Search on
my website
http://2CSolutions.org/training-classes.html
http://2CSolutions.org




http://2CSolutions.org
Call logs showing dates/times for dialed numbers
Duration of calls
Dates/times associated with SMS and MMS
communications, including phone numbers they
were sent to (include content of communication if
possible) or amount/size of data sent.
Amount of communication in network –vs- out of
network (in cases involving travel)
http://2CSolutions.org
Typical email investigation is a minimum of three search
warrants/court orders/subpoenas.
 One to ISP that is leasing that block of IP addresses. In cases
Consider asking for the following from both
the suspect’s and the victim’s carrier.
The collection of computers has evolved over
the years. Law Enforcement use to recommend
people pull the plug on a running computer.
After that, collect all items attached to it and
log them into evidence.
Now data contained in the computer will
dictate what steps to take and guide whether to
seize the computer or not. As a general rule it
is always better to seize the computer.
Pulling the plug is no longer the best option…
Let’s look at some options…
http://2CSolutions.org
9
7/11/2013


Most information that is viewed through the
use of a computer will leave remnants of that
activity on the computer.
The best option to victims is to minimize the
use of the computer and minimize the
interaction with the evidence on their computer
after a violation, until reported and examined
or processed for evidence collection.



As previously stated, collection of the computer for
evidence is best left to the law enforcement personnel
working the case.
Victims computer:
 Have them tell you where the evidence is located (i.e. file path,
account, etc. )
 Have them provide you with the log in information (name and
password)
 The victim can be a huge help in locating, collecting and
documentation of the evidence, so take advantage of the help.
 If the computer is running and displaying the evidence in the
case consider photographing it before doing a normal shut
down of the computer.
Consider using Field Search to create a report
containing the associated data.
http://2CSolutions.org

http://2CSolutions.org
This external hard disk
drive, by BUSlink, is an
encrypted drive. The two
white cards on top are
proximity cards.
Suspect’s Computer:

When you first come into the area, move the suspect away from
the computer.
 Your first endeavor is to protect the evidence from your suspect’s ability
to destroy it or encrypt it.
If the computer is off, leave it off.
 To make sure the computer is not asleep or in hibernation you can
move the mouse or depress the Shift key on the keyboard.
 If it is a PC, not a laptop, check to see the monitor is connected to
the computer and it is turned on.

 If the monitor was off, turn it on and see what is displayed. If it stays
dark, even after the mouse/shift key function, then the computer is off.
Photograph the connections made to the computer, write down a
list of what is connected to it and where it was connected.
 Disconnect the peripherals. You do NOT need to collect the
monitor, keyboard and mouse.
 If external storage devices were connected to it, unplug them and
collect them as they may have evidence stored.

http://2CSolutions.org
This drive requires Dual Key
authentication. This means both USB
dongles need to be plugged into the drive
for the user to access the data. If one
dongle is removed the data is no longer
accessible. Each dongle contains a unique
Cipher Key.
http://2CSolutions.org

If the computer is running:


Immediately move the suspect away from the computer.
Quickly check the screen/monitor to see if any wiping
software has been started.
 If so, quickly try to see the name of the software running,
then immediately pull the plug from the back of the
computer, or pull the battery in the case of a laptop.

If no wiping software running, assign someone to keep
the computer awake by moving the mouse or pressing
the Shift key once every minute.
 There are software programs out there, mouse jiggler, that
are on a USB dongle that tricks Windows into thinking the
mouse is moving and thereby preventing the computer from
going to sleep.
http://2CSolutions.org
http://2CSolutions.org
10
7/11/2013

Start a log.






Write down the time you do anything, and what you did.
Depending on the circumstances you may need to consider
disconnecting the network from the Internet. This is if you think
someone may try to remote in to the network and alter or destroy
data. You can do this by unplugging the CAT5 cable from the
modem, router, or wall jack.
Remember your wireless network, you may have to shut off the Wi-Fi in
the computer (laptops may have a switch on them).
Hover the mouse over the time, if it is not already displaying the
date, and it will show you the system date and time. Note this
and compare it to either dispatch time or the time on your cell
phone. Document not only the date/time information but any
differences too.
Photograph what is open and running on the computer.
Photograph the Task Bar (bottom of the screen) that shows various
programs that are open.
http://2CSolutions.org

Consider running RAM capturing software.


Run a triage tool






What is the SSID that is being broadcast?
 If not being broadcast, nobody would know it existed
If found, consider performing a live imaging of the data so you
get what is decrypted now, before it becomes encrypted and
unattainable.
Consider looking to see what was connected via USB.
Perform a soft/standard shut down.
Proceed just like you would with a computer you
found powered off.
http://2CSolutions.org

Other items of consideration should include:
 Gather Wi-Fi information

OS Triage
Field Search
Check for encryption software/hardware.


DumpIt, FTK Imager, EnCase, etc.
http://2CSolutions.org
to access.

Is the network access point secured

Query the router.
 If so, with what?




Has the settings been modified?
Has MAC filtering been activated?
Is the SSID changed from the default?
What wireless devices are connected?
http://2CSolutions.org
Include external storage devices, manuals,
written ledgers that may contain log in
information and passwords, documents
containing log in and password information,
etc. in your search warrant.
If you encounter a NAS (Network Attached
Storage), a Server, or a RAID (Redundant
Array of Inexpensive Disks) you should call
your lab personnel as these could be very
complex situations and will require additional
skill and knowledge we just can’t cover here.
http://2CSolutions.org
http://2CSolutions.org
11
7/11/2013

When you are looking at collecting a GPS
tracker the first thing to consider is the type of
device.


Does it simply record the data, to be downloaded
later.
Does it transmit data via a cellular network.
• This type of device will not transmit. It stores the data
internally.
• The suspect would need to manually recover this
device, connect it to his computer via the USB
connection, and download the waypoints. The
waypoints are then plotted on a map through the
company software or other mapping options.
• In these cases, you will want to get a search warrant for
the suspect’s computer, seize it and have it searched for
the software application associated with this device.
• The install date of the software will point to the
approximate time it was purchased, you may find
Internet searches (or even the order) for the device.
• You may find various tracking logs saved on the
computer. Each one of these will give you a creation
date for the log. The logs will contain associated dates
and times for the waypoints.
http://2CSolutions.org




This device is designed to transmit data, which is
typically done over a cellular network. The presence
of an antenna is a good indicator of this ability.
When collecting these as evidence you will want to
photograph the device in place. Then place the device
in a Faraday bag when it is removed. If you do not
have a Faraday bag you can wrap it at least 10 times
with heavy duty aluminum foil and roll up the ends to
seal the device.
Examination of the SIM/USIM card will tell you what
network it is operating on. This will lead you to a
source to gain additional information, similar to email
investigations, through the issuance of a preservation
letter, search warrant, court order, subpoena, etc.
You will need to research the particular device to learn
how it works. This can be done by the victim and
turned over to L.E. Agent at time of reporting.
http://2CSolutions.org

http://2CSolutions.org








This is a USB type device.
80 hour battery life
Vibration sensing sleep/power up.
Rechargeable battery via USB
360’ antenna so it does not have to face
the sky to communicate with satellites.
Records exact route, stop times, speed,
direction, altitude, and other data.
Magnetic mount
$298.00 with free software for mapping.
http://2CSolutions.org
If the device is one that communicates via cell
network consider asking the service provider
for:


Purchase information (when, who, how did they
pay, address provided for shipping/billing, credit
card information, IP address that placed the order,
email address a receipt may have been sent to)
If a log is accessed on their server get an IP access
log, dates and times of access, user account
information (account name, associated email
address, creation IP address, creation date and time),
any saved trip logs or mapped way points.
http://2CSolutions.org
12