7/11/2013 Bryan Franke
Transcription
Presented by Bryan Franke, President/Founder of 2C Solutions, LLC
[email protected]
http://2CSolutions.org

The information shared today is my opinions and beliefs based on my training, experience and research of these topics. Although NNEDV is hosting this seminar, I feel it is important to express right up front that "the buck stops here", with me. So if you have concerns or disagree with what I present, that is on me, not NNEDV.

The first responder's responsibilities in these cases are very important:
• These types of cases can be time sensitive.
• The evidence in these cases is often still accessible by the suspect.
• Some evidence is only stored for very short amounts of time by the service providers, so preservation orders are very important.
• L.E. personnel and the victim are the only ones that should be collecting or preserving evidence. Advocates do NOT want to be directly involved in this process, as they would then become part of the chain of custody in the trial.

About the presenter:
• 25-year veteran of the Longmont Police Department
• Computer Forensic Analyst/Detective
• Cross designation with the Department of Homeland Security
• Assigned to Patrol, K9, SWAT, Detectives, Cyber Crimes
• Founded 2C Solutions, LLC
• Pretty much alphabet soup for various certifications: CFCE, CEECS, CFSI, CUCE
• Trained the state of WY and LA Probation/Parole Units, various agents from Ireland, England, America, US Army/CID, etc.
• Testified as an expert witness in District Court, 20th Judicial District

What we will cover:
• Recognizing when and where the investigation starts
• How to recognize evidence in your case
• How to preserve it
• How to document it
• How to prepare it for the forensic analyst and/or court

The first conversation you have with the victim will really help you form a plan of attack, as long as you ask the right questions.
Those questions will be based on what type of issue is being reported: email communications, SMS (text) communications, MMS (picture/audio) communications, GPS tracker, spyware, photographing/stalking, on-line social network harassment, stalking, etc.

For email communications:
• Capture the communication from the victim's computer. Having it forwarded to you will NOT give you the evidence you need (header data).
• Photograph, print or copy & paste the message(s), showing the expanded "address" fields.
• Access the header data for the communication(s), then photograph, print or copy & paste them.
• Save all data in digital format as well.
• Consider naming each communication by the date & time shown on the communication.
• If you have cases involving multiple senders, consider creating a folder for each sending account, then name as above.

The example message used in the following slides, as it appeared in the recipient's inbox:

2013 Denver Race Recap    Inbox
Rugged Maniac [email protected] via mail82.us2.mcsv.net
May 17 (3 days ago)
to Bryan
Images are not displayed. Display images below - Always display images from [email protected]

Is this email not displaying correctly? View it in your browser.

Rugged Maniac!

Greetings Denver Maniacs!

You've just completed one of the biggest tests of your life, overcoming fear, exhaustion and our wildest water slide yet to become true Rugged Maniacs! What are you going to do now?

"Go to Disney World!"

"Sign up for next year's race at the ridiculously low price of $29!"

Great idea! Registration is now open for the 2014 Denver Rugged Maniac and you can get in on the fun for a limited time price of only $29! Simply register by August 5th with the code CO2014 and you'll be on your way to another weekend of epic obstacles, new friends and glorious achievements, all for an insanely low price! So get your team together and lock down your preferred start time before it sells out (which won't take long at this price).
NOTE: The event will be held on a to-be-determined weekend in May, but we'll send an email once the exact date has been finalized.

The header data is very important in these investigations. Header data is NOT the TO & FROM fields. Header data is the technical data, which is kind of like a "travel log" for the message as it moves from the sender to the receiver. Some providers remove the sender's header data and replace it with their own data (Google, Yahoo!).

Now that you have the data, let's see what it tells us:
• Where did the message originate (where was it sent from)?
• What shows as a return path?
• When did it get sent?
• Where did it end up?
• What is the message ID for this specific message?

The full header of the example message:

Delivered-To: [email protected]
Received: by 10.220.48.138 with SMTP id r10csp147672vcf;
        Fri, 17 May 2013 11:29:32 -0700 (PDT)
X-Received: by 10.224.78.193 with SMTP id m1mr37970227qak.79.1368815371833;
        Fri, 17 May 2013 11:29:31 -0700 (PDT)
Return-Path: <SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773-bryan=2csolutions.org@2csolutions.org>
Received: from bosmailout18.eigbox.net (bosmailout18.eigbox.net.
        [66.96.186.18])
        by mx.google.com with ESMTP id p13si3650815qct.85.2013.05.17.11.29.31
        for <[email protected]>;
        Fri, 17 May 2013 11:29:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773-bryan=2csolutions.org@2csolutions.org designates 66.96.186.18 as permitted sender) client-ip=66.96.186.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773-bryan=2csolutions.org@2csolutions.org designates 66.96.186.18 as permitted sender) smtp.mail=SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773-bryan=2csolutions.org@2csolutions.org;
       dkim=pass [email protected]
Received: from bosmailscan06.eigbox.net ([10.20.15.6])
        by bosmailout18.eigbox.net with esmtp (Exim)
        id 1UdPPH-0006y1-3e
        for [email protected]; Fri, 17 May 2013 14:29:31 -0400
Received: from bosimpinc04.eigbox.net ([10.20.13.4])
        by bosmailscan06.eigbox.net with esmtp (Exim)
        id 1UdPPF-0007Ye-Nh
        for [email protected]; Fri, 17 May 2013 14:29:29 -0400
Received: from mail82.us2.mcsv.net ([173.231.139.82])
        by bosimpinc04.eigbox.net with NO UCE
        id d6VV1l01t1mrabR016VVTu; Fri, 17 May 2013 14:29:29 -0400
X-EN-OrigIP: 173.231.139.82
X-EN-IMPSID: d6VV1l01t1mrabR016VVTu
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail82.us2.mcsv.net;
        h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
        [email protected]; bh=wff3NoWX8kux5WuwSdTrimy2hEw=;
        b=hlnm2VGzAC+U0BkKHQJ4+dPXlrY2V1eQlEgDS6tzAOemMWscx6+d3RW1UV2Expzy2CoSbBBtfsDO
        xZ2fYfHZMiSdQrKEacRpfxTuvU2PNXcTe4cWmKHnZRs9hJ3VGs0qWxL7d0XbrnBYscZISWLZArUE
        WAusc/ZVg7DRGnjsq8A=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail82.us2.mcsv.net;
        b=aj4GEwqzrp6iL4ctDYsLOzRKlasIzXYUeZLHjWXSsWIa0zsx+t/+8Gzt0STFDL2xE1/6+EkZCel2
        KdgjiHKZYmEcrirgoVEqN3L+ybeMTPdQyBCWpDi4uMVVIj4tqw71cNwomJd/R/aMo/j4pWSjl6jM
        wmClpWZVynJSyUTzKOA=;
Received: from (127.0.0.1) by
        mail82.us2.mcsv.net (PowerMTA(TM) v3.5r16) id hiprgi11djo5
        for <[email protected]>; Fri, 17 May 2013 18:29:28 +0000
        (envelope-from <bounce-mc.us2_3382298.1315773-Bryan=2CSolutions.org@mail82.us2.mcsv.net>)
Subject: =?utf-8?Q?2013=20Denver=20Race=20Recap?=
From: =?utf-8?Q?Rugged=20Maniac?= <[email protected]>
Reply-To: =?utf-8?Q?Rugged=20Maniac?= <[email protected]>
To: =?utf-8?Q?Bryan?= <[email protected]>
Date: Fri, 17 May 2013 18:29:28 +0000
Message-ID: <0bfe2548a086a397140e907f3b58706b510.20130517182911@mail82.us2.mcsv.net>
X-Mailer: MailChimp Mailer - **CIDfadbe64819b58706b510**
X-Campaign: mailchimp0bfe2548a086a397140e907f3.fadbe64819
X-campaignid: mailchimp0bfe2548a086a397140e907f3.fadbe64819
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=0bfe2548a086a397140e907f3&id=fadbe64819&e=b58706b510
x-accounttype: pd
List-Unsubscribe: <mailto:unsubscribe-0bfe2548a086a397140e907f3-fadbe64819-b58706b510@mailin1.us2.mcsv.net?subject=unsubscribe>, <http://ruggedmaniac.us2.list-manage.com/unsubscribe?u=0bfe2548a086a397140e907f3&id=8a45d0e550&e=b58706b510&c=fadbe64819>
Sender: "Rugged Maniac" <[email protected]>
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_830103980"
MIME-Version: 1.0

This is a multi-part message in MIME format

What the header gives you for the investigation:
• Originating IP address
• Reply-To info
• Date/Time (GMT)
• Message ID

This is where you would send, fax and email a copy of your preservation letter.

Preservation letters:
• Must come from Law Enforcement.
• Simple, plain wording is all that is needed.
• Summary of the case and what you want saved.
• Notify them if you do NOT want them to notify the suspect of the preservation and the pending search warrant/court order/subpoena.
• Kik requires a separate court order mandating that no notification be made to their customer.
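An added example, not part of the presentation: the Python script below reads a header like the one above and walks the Received chain oldest hop first, skipping the loopback and private (10.x) relay addresses inside the sender's provider, to report the originating public IP, return path, reply-to, send time in GMT and Message-ID, plus the spf/dkim results. The embedded header is an abridged copy of the one above with the mailbox names replaced by placeholders.

```python
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Abridged copy of the header walked through on the slides. Constructed for
# this example: mailbox names are placeholders; the hosts, IP addresses,
# times and Message-ID are the ones shown in the header above.
SAMPLE_HEADER = """\
Delivered-To: victim@example.org
Received: by 10.220.48.138 with SMTP id r10csp147672vcf;
        Fri, 17 May 2013 11:29:32 -0700 (PDT)
Return-Path: <SRS0=GlwPgl=PC=mail82.us2.mcsv.net=bounce-mc.us2_3382298.1315773-victim=example.org@example.org>
Received: from bosmailout18.eigbox.net (bosmailout18.eigbox.net. [66.96.186.18])
        by mx.google.com with ESMTP id p13si3650815qct.85.2013.05.17.11.29.31
        for <victim@example.org>; Fri, 17 May 2013 11:29:31 -0700 (PDT)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
        bounce@example.org designates 66.96.186.18 as permitted sender);
        dkim=pass header.i=@mail82.us2.mcsv.net
Received: from bosmailscan06.eigbox.net ([10.20.15.6])
        by bosmailout18.eigbox.net with esmtp (Exim) id 1UdPPH-0006y1-3e
        for victim@example.org; Fri, 17 May 2013 14:29:31 -0400
Received: from bosimpinc04.eigbox.net ([10.20.13.4])
        by bosmailscan06.eigbox.net with esmtp (Exim) id 1UdPPF-0007Ye-Nh
        for victim@example.org; Fri, 17 May 2013 14:29:29 -0400
Received: from mail82.us2.mcsv.net ([173.231.139.82])
        by bosimpinc04.eigbox.net with NO UCE id d6VV1l01t1mrabR016VVTu;
        Fri, 17 May 2013 14:29:29 -0400
X-EN-OrigIP: 173.231.139.82
Received: from (127.0.0.1) by mail82.us2.mcsv.net (PowerMTA(TM) v3.5r16)
        id hiprgi11djo5 for <victim@example.org>; Fri, 17 May 2013 18:29:28 +0000
Subject: 2013 Denver Race Recap
From: Rugged Maniac <newsletter@example.net>
Reply-To: Rugged Maniac <newsletter@example.net>
Date: Fri, 17 May 2013 18:29:28 +0000
Message-ID: <0bfe2548a086a397140e907f3b58706b510.20130517182911@mail82.us2.mcsv.net>

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <sending host> by <receiving host>"; the "from" part is absent on
# purely internal delivery lines such as "by 10.220.48.138 with SMTP".
HOP_RE = re.compile(r"(?:from\s+(.*?)\s+)?by\s+(\S+)", re.S)


def received_hops(msg):
    """Received headers oldest-first. Every server prepends its own line,
    so the bottom of the header block is the first hop the message took."""
    return list(reversed(msg.get_all("Received", [])))


def hop_trace(msg):
    """(sending host as written, receiving host) for each hop, oldest-first."""
    rows = []
    for hop in received_hops(msg):
        m = HOP_RE.match(hop)
        if m:
            rows.append((m.group(1) or "(internal)", m.group(2)))
    return rows


def originating_ip(msg):
    """First publicly routable sending address in the chain. Loopback and
    RFC 1918 addresses are relays inside the sender's provider, not the host
    that handed the message to the Internet, so they are skipped."""
    for sender, _receiver in hop_trace(msg):
        for text in IPV4_RE.findall(sender):
            ip = ipaddress.ip_address(text)
            if ip.is_global:
                return str(ip)
    return None


def summarize(raw_header):
    """The items the slides pull from a header, plus the full hop trace."""
    msg = email.message_from_string(raw_header)
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)",
                           msg.get("Authentication-Results", "")))
    return {
        "originating_ip": originating_ip(msg),
        "return_path": msg["Return-Path"].strip("<> "),
        "reply_to": msg["Reply-To"],
        "sent_gmt": sent.strftime("%Y-%m-%d %H:%M:%S"),
        "message_id": msg["Message-ID"],
        "delivered_to": msg["Delivered-To"],
        "auth": auth,
        "trace": hop_trace(msg),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_HEADER)
    for key, value in report.items():
        if key != "trace":
            print(f"{key:15} {value}")
    for sender, receiver in report["trace"]:
        print(f"  {sender}  ->  {receiver}")
```

When the sending provider (Google, Yahoo!) has replaced the sender's own hops with its own, the first public address will be that provider's outbound server rather than the suspect's connection, which is why the preservation letter and the first warrant go to that provider.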
Longmont Police Department
225 Kimbark Street, Longmont, CO 80501

TO: 1&1 Internet Inc.
FROM: Detective Bryan Franke
DATE: Friday, May 17, 2013
RE: Preservation of Data/Information

Greetings,

I am investigating a violation of a protection order issued by the Courts of the 20th Judicial District. I have reason to believe evidence related to this investigation is housed/stored on your server, or other system equipment. This violation involves an email account named **************@********.com. The violation occurred between the dates of May 1, 2013 to present. Please do NOT notify the owner or user of this account of this order as it could jeopardize the safety of the victim and compromise this investigation and further evidence.

Please preserve all of the following items as I will begin the process of obtaining legal authority for the release of said information:
1. Session logs, including log-in/log-out dates and times, associated IP addresses for each access
2. Creation date and time for said account
3. IP address used to create said account
4. Credit card information (if applicable) for any upgraded or purchased services
5. Any and all contact information for said account, including name, address, phone numbers, and secondary email addresses.
6. Any and all service requests made and the associated contact information for the individual making said requests
7. Any and all communications, messages, images stored in the associated account's inbox, outbox, drafts, or custom stored file structures associated with said account.

Should you have any questions, or need clarification on this request, please do not hesitate to contact me.
Respectfully Submitted,
Detective Bryan Franke #8804
Longmont Police Department
225 Kimbark Street, Longmont, CO 80501
(303) 651-8518, desk
[email protected]

The majority of the time, collection of the email message and the associated header data is going to be sufficient for evidence in the case. Collection of the victim's device should be reserved for out-of-the-ordinary investigations. If the email has been deleted, collect the computer it was opened with and have the forensics lab try and recover it. If there are concerns about unauthorized access/deleting of items, consider converting to PDF and saving to removable media, printing the communication, or creating an encrypted volume on the HDD.

These are time sensitive investigations and efforts need to be made quickly to preserve the evidence.
• Victims may not think of photographing this stuff.
• Advocates can help remind them to do this, and to keep a log with the information already discussed.
• L.E. Agents: preservation letters, followed up by legal paperwork, will be very important in these investigations.
• Courts and jurors are expecting us to not only show the evidence on the victim's device, but that it came from the suspect's device.

Options for capturing information from other sites:
• "Print Screen" key on the keyboard, then Ctrl + V, or right click then "Paste", into a new document. Limited to what you see.
• Lightscreen is a free screen capture software.
• Fireshot is a free capture software for use on various browsers. It can scroll down a page and capture all of it or a defined area.
• SnagIt is a purchased software for screen captures.
• Camtasia is a purchased software for video recording of computer screens.
• Microsoft Windows Vista and 7 have "Snipping Tool", which is a screen capture software.
You can always copy and paste like we talked about earlier. Using your own computer you can research the site and find what they have to offer for capturing data, like archiving with Facebook. Look up the registered contact for the site on Search.org and send them an email, or call, with questions about what they have and how they want you to request it.

Cell phones:
• Complex and somewhat unique devices.
• These devices can store a lot of information.
• Different OS.

Smartphones are more like small computers than a telephone.
• iPhone: up to 64GB (internal)
• Samsung Galaxy S4: up to 64GB (microSD card)
• Android (1.0, 1.1, Cupcake, Donut, Éclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean)
• iOS (Kodiak, Cheetah, Puma, Jaguar, Panther, Tiger, Leopard, Snow Leopard, Lion, Mountain Lion)
• Blackberry (4.5, 4.6, 5.0, 6.0, 7.0, 7.1)
• Windows Mobile (Windows CE, Pocket PC 2000, Pocket PC 2002, Pocket PC 2003, Pocket PC 2003 SE, Mobile 5, Mobile 6, Mobile 6.1, Mobile 6.5)
• WebOS

Each carrier has their own set of rules and policies that L.E. must meet. Each carrier has their own set of guidelines and level of support they give their customers.

Forensics on cellular telephones can be difficult:
• Each OS functions differently and stores data differently, in different file paths.
• How the data is coded can vary as well: 8-bit vs. 7-bit encoding, Unicode, ASCII.
• Turn-around time for devices from the forensics lab.
• High dependency level of the owner.
• Limited ability to filter data beyond file type during initial extraction.
• Limited scope of consent to search.
• Quantity of data being sought.
If your evidence consists of 12 to 15 SMS/text communications or call logs, you might be better off simply displaying the message on the victim's phone and photographing it with a digital camera. Be sure to display the message information/properties: date, time, sending number, and the victim's phone make, model and phone number. However, if your evidence consists of MMS communications (picture messages), you will want to consider contacting your forensics lab and having them extract the image that was sent so the EXIF data can be viewed (if still present).

In almost all cell phone stalking/harassment cases, regardless of the type of communication, I strongly encourage documenting them via photographs. The victim can photograph these with their own digital camera.
• Keep a log of events, feelings upon receipt, overall impact on the victim's daily life, etc. This goes to some requirements of statutes and civil hearings.
• Make sure the date/time settings are correct in the camera.
• Buy a new SD card to use just for this purpose, especially in on-going or extended investigations.
• Corroborate the information by getting billing records that show the event.

Snapchat:
• An application designed to allow the sharing of a picture, video or communication to someone else and then have it automatically delete after a set amount of time.
• Both parties must have a Snapchat account for it to work.
• Snapchat servers are configured to delete the image that was sent with their service as soon as the recipient opens it.
• Can do screen captures if you are fast; it will notify the sender if it detects you did a screen capture.
• Does leave a footprint that may be recoverable by a forensics analyst.

Isolation importance:
• Phones continually communicate with the network.
• "Hides" the device if there is malware on it that is used for tracking.
• Prevents the suspect from knowing L.E. is involved yet.
• Potentially preserves data stored on the device.
• Prevents "accidental" sends of information, calls, etc.
• A Faraday bag isolates the phone from the network so it cannot receive data/communications.

When seizing a phone:
• Get the charger for it.
• Get the unlock PIN or pattern for access.
• Shut it off, or place it in Airplane Mode if you have no Faraday bag.
• Another option is to wrap it in heavy duty foil at least 10 times, then roll the ends over multiple times.

When seizing a victim's device:
• Get WRITTEN consent to search.
• Contact your forensics analyst immediately after seizing, or better yet, BEFORE seizing the phone, to arrange the extraction of data.

Suspect's device: typically there is a different legal standard applied to the suspect's devices. Most often they will be afforded protection under the 4th Amendment of the U.S. Constitution. When L.E. is seizing a suspect's device there are many things you need to do fairly quickly. Is it turned on or off?
• If the device is turned off, try and locate the charging cable and seize it as well. Different connections for different devices. Do NOT turn it on. There is no need to isolate the phone from the network, as it is turned off and will not be communicating with the network.
• If you have the charger, consider plugging the phone charger in when you log it into your Evidence Unit. As soon as practical, go into the settings and place the phone into Airplane Mode.
• Some phones may power on when plugged into a charger (iPhones are one), so consider placing it in a Faraday bag prior to connecting to power, and document when you did so. If you do not have a Faraday bag, consider logging the charger with the phone and notify your forensics lab of the item needing to be examined.
• A powered off phone uses very little power to maintain memory.
• Look to see if the phone has a PIN assigned under the security settings. If so, you may need to have someone assigned to keep the phone from going to sleep/hibernation:
  • Occasionally changing screens or swiping their finger across the screen.
  • Change the sleep settings (battery life considerations).
  • Removing or changing the PIN (you might need the original code to do this).

The charger is very important because if you isolate a phone by the use of a Faraday bag, or aluminum foil, the phone will increase the amount of energy it draws from the battery to increase the signal broadcasting strength to try and reach a tower. This will quickly drain the battery. Many smartphones have the ability to be wiped or locked remotely by either the owner or the carrier. Pulling the battery can cause dates and times associated with various communications to be lost; so will losing total power in the battery.

SIM/USIM cards:
• SIM/USIM cards can store important evidence and are fairly stable. They come in three sizes: standard, micro SIM and nano SIM.
• Older phones store more on them than newer phones.
• Because the SIM/USIM card is what allows a GSM or world phone to operate on a network, people can have several of them.
• Each one will have its own assigned phone number.
• Can store unique contact information.
• Can store SMS communications.
• Look for these and include them in search warrants.

App based communications:
• iOS devices can use iMessage, which is encrypted SMS communication and needs to be extracted a different way.
• iPod Touch devices can make phone calls and send SMS and MMS communications through the use of apps.
• Get password/log-in information for these when possible.

It is important to remember, and explain to the victims, that the ISPs have up to 30 days to respond to service.

A typical email investigation is a minimum of three search warrants/court orders/subpoenas:
1. One to the email client (Google, Yahoo!, etc.) to get the originating IP address. *Up to 30 days response.
2. One to the ISP that is leasing that block of IP addresses. In cases of cell service carriers, several customers may be assigned the same IP address and this may complicate your investigation. *Up to 30 days response.
3. One for the customer that was assigned the IP address (i.e., your suspect) to seize the computer, storage devices, and portable devices capable of accessing the Internet.

Field Search is a free software available to justice system agencies that allows a nontechnical user to examine a computer, or other storage device, for logical data.
• Creates a really nice report of findings.
• Can quickly capture TONS of data.
• Information on Field Search can be found on my website: http://2CSolutions.org/training-classes.html

Consider asking for the following from both the suspect's and the victim's carrier:
• Call logs showing dates/times for dialed numbers
• Duration of calls
• Dates/times associated with SMS and MMS communications, including the phone numbers they were sent to (include the content of the communication if possible) or the amount/size of data sent
• Amount of communication in network vs. out of network (in cases involving travel)

The collection of computers has evolved over the years. Law Enforcement used to recommend people pull the plug on a running computer. After that, collect all items attached to it and log them into evidence.
Now the data contained in the computer will dictate what steps to take and guide whether to seize the computer or not. As a general rule it is always better to seize the computer. Pulling the plug is no longer the best option. Let's look at some options.

Most information that is viewed through the use of a computer will leave remnants of that activity on the computer. The best option for victims is to minimize the use of the computer and minimize the interaction with the evidence on their computer after a violation, until reported and examined or processed for evidence collection. As previously stated, collection of the computer for evidence is best left to the law enforcement personnel working the case.

Victim's computer:
• Have them tell you where the evidence is located (i.e. file path, account, etc.).
• Have them provide you with the log-in information (name and password).
• The victim can be a huge help in locating, collecting and documenting the evidence, so take advantage of the help.
• If the computer is running and displaying the evidence in the case, consider photographing it before doing a normal shut down of the computer.
• Consider using Field Search to create a report containing the associated data.

This external hard disk drive, by BUSlink, is an encrypted drive. The two white cards on top are proximity cards.

Suspect's computer:
• When you first come into the area, move the suspect away from the computer. Your first endeavor is to protect the evidence from your suspect's ability to destroy it or encrypt it.
• If the computer is off, leave it off. To make sure the computer is not asleep or in hibernation you can move the mouse or press the Shift key on the keyboard. If it is a PC, not a laptop, check to see that the monitor is connected to the computer and turned on. If the monitor was off, turn it on and see what is displayed. If it stays dark, even after the mouse/Shift key function, then the computer is off.
• Photograph the connections made to the computer, and write down a list of what is connected to it and where it was connected. Disconnect the peripherals. You do NOT need to collect the monitor, keyboard and mouse. If external storage devices were connected to it, unplug them and collect them as they may have evidence stored.

This drive requires Dual Key authentication. This means both USB dongles need to be plugged into the drive for the user to access the data. If one dongle is removed the data is no longer accessible. Each dongle contains a unique cipher key.

If the computer is running:
• Immediately move the suspect away from the computer.
• Quickly check the screen/monitor to see if any wiping software has been started. If so, quickly try to see the name of the software running, then immediately pull the plug from the back of the computer, or pull the battery in the case of a laptop.
• If no wiping software is running, assign someone to keep the computer awake by moving the mouse or pressing the Shift key once every minute. There are software programs out there (mouse jiggler) on a USB dongle that trick Windows into thinking the mouse is moving, thereby preventing the computer from going to sleep.
• Start a log. Write down the time you do anything, and what you did.
• Depending on the circumstances you may need to consider disconnecting the network from the Internet. This is if you think someone may try to remote in to the network and alter or destroy data. You can do this by unplugging the CAT5 cable from the modem, router, or wall jack. Remember your wireless network; you may have to shut off the Wi-Fi in the computer (laptops may have a switch on them).
• Hover the mouse over the time, if it is not already displaying the date, and it will show you the system date and time.
• Note this and compare it to either dispatch time or the time on your cell phone. Document not only the date/time information but any differences too.
• Photograph what is open and running on the computer. Photograph the Task Bar (bottom of the screen), which shows the various programs that are open.

Other items of consideration should include:
• Consider running RAM capturing software (DumpIt, FTK Imager, EnCase, etc.).
• Run a triage tool (OS Triage, Field Search).
• Check for encryption software/hardware. If found, consider performing a live imaging of the data so you get what is decrypted now, before it becomes encrypted and unattainable.
• Gather Wi-Fi information and query the router:
  • What is the SSID that is being broadcast? If it is not being broadcast, nobody would know it existed.
  • Is the network access point secured to access? If so, with what?
  • Have the settings been modified?
  • Has MAC filtering been activated?
  • Is the SSID changed from the default?
  • What wireless devices are connected?
• Consider looking to see what was connected via USB.
• Perform a soft/standard shut down. Proceed just like you would with a computer you found powered off.

Include external storage devices, manuals, written ledgers that may contain log-in information and passwords, documents containing log-in and password information, etc. in your search warrant. If you encounter a NAS (Network Attached Storage), a server, or a RAID (Redundant Array of Inexpensive Disks) you should call your lab personnel, as these could be very complex situations and will require additional skill and knowledge we just can't cover here.

When you are looking at collecting a GPS tracker, the first thing to consider is the type of device. Does it simply record the data, to be downloaded later? Does it transmit data via a cellular network?

Logging-only device:
• This type of device will not transmit. It stores the data internally.
• The suspect would need to manually recover this device, connect it to his computer via the USB connection, and download the waypoints. The waypoints are then plotted on a map through the company software or other mapping options.
• In these cases, you will want to get a search warrant for the suspect's computer, seize it and have it searched for the software application associated with this device.
• The install date of the software will point to the approximate time it was purchased; you may find Internet searches (or even the order) for the device.
• You may find various tracking logs saved on the computer. Each one of these will give you a creation date for the log. The logs will contain associated dates and times for the waypoints.

Transmitting device:
This device is designed to transmit data, which is typically done over a cellular network. The presence of an antenna is a good indicator of this ability. When collecting these as evidence you will want to photograph the device in place. Then place the device in a Faraday bag when it is removed. If you do not have a Faraday bag you can wrap it at least 10 times with heavy duty aluminum foil and roll up the ends to seal the device. Examination of the SIM/USIM card will tell you what network it is operating on. This will lead you to a source to gain additional information, similar to email investigations, through the issuance of a preservation letter, search warrant, court order, subpoena, etc. You will need to research the particular device to learn how it works. This can be done by the victim and turned over to the L.E. Agent at the time of reporting.

Example of a logging device (pictured on the slide):
• This is a USB type device.
• 80 hour battery life.
• Vibration sensing sleep/power up.
• Rechargeable battery via USB.
• 360° antenna, so it does not have to face the sky to communicate with satellites.
• Records exact route, stop times, speed, direction, altitude, and other data.
• Magnetic mount.
• $298.00 with free software for mapping.

If the device is one that communicates via the cell network, consider asking the service provider for:
• Purchase information (when, who, how did they pay, address provided for shipping/billing, credit card information, IP address that placed the order, email address a receipt may have been sent to).
• If a log is accessed on their server, get an IP access log, dates and times of access, user account information (account name, associated email address, creation IP address, creation date and time), and any saved trip logs or mapped waypoints.