Seize and Record Electronic Evidence Sources

Unit Title

CO2 Seize and record electronic evidence sources

Summary

This unit covers seizing and recording electronic evidence sources to assist an investigation. The subjects of the investigations covered by this unit may be individuals and/or organisations.

The unit may relate to a criminal or civil investigation, or to due diligence and internal discipline.

A separate unit about capturing and preserving electronic evidence covers the capturing of electronic evidence at the scene.

There is one element:

CO2.1 Seize and record electronic evidence sources

Target Group

This unit is aimed at trained members of staff who work in the specialist area of e-crime investigation.

This unit was developed by Skills for Justice.

Skills for Justice Page 1 National Occupational Standards for Countering E-Crime Approved December 2005

Element

CO2.1 Seize and record electronic evidence sources

Performance Criteria

To meet the standard, you must be able to:

1 Check that the necessary authorisations are in place
2 Keep a record of the state of the device and potentially relevant information in the immediate vicinity
3 Take appropriate action to safeguard the device and relevant information for the application of physical forensic examinations
4 Preview the contents of the device in a forensically sound manner
5 Choose and apply the appropriate power off method for the device
6 Photograph and label the components of the device making specific reference to ancillary leads and connections to the device
7 Appropriately package, seal and label the device in accordance with current procedures
8 Keep accurate records of the seizure using appropriate documentation

Range

1 Authorisations
  a Seizure
  b Capture
  c Contract or due diligence
  d Consent
  e Limitations

2 State of the device
  a On or off
  b Open encryption
  c Network/Remote connections
  d Running programs/open files

3 Relevant information
  a Passwords
  b Phone numbers
  c URLs
  d User account details
  e Open encrypted volumes
  f Information stored remotely

4 Devices
  a Removable media
  b Disguised storage media
  c Convergent devices
  d Consumer devices
  e GPS/satellite navigation system
  f Network storage
  g Remote storage
  h Wireless and remote devices

5 Package
  a Faraday bag
  b Box
  c Opaque
  d Anti-static

Knowledge and Understanding

To meet the standard, you need to know and understand:

Legal and organisational requirements

1 relevant legislation, policies, procedures, codes of practice and guidelines for seizing and recording electronic evidence sources
2 relevant legislation and organisational requirements in relation to race, diversity and human rights
3 relevant legislation and organisational requirements in relation to health and safety
4 situations and circumstances for which authority is required and how to obtain the authority
5 how to carry out risk assessments and why these are required
6 the limits of your responsibility and level of competence

Electronic evidence

7 the types of devices that contain electronic evidence and external connections to such devices
8 how to obtain information concerning electronic evidence sources that you are unfamiliar with
9 methods of encryption
10 how to identify and deal with systems running encryption
11 the types of non-standard operating systems that you may come across and how to deal with these
12 the volatility of data and how to preserve it
13 how to preserve the information on battery powered devices
14 the types of actions necessary to preserve third party and volatile data sources (e.g. ISP data sources, PDAs)

Seizing and recording electronic evidence sources

15 the reasons for seizing electronic evidence sources
16 how to keep a record of the state of the device and the reasons why this is important
17 the importance of considering potentially relevant information in the immediate vicinity
18 the actions necessary to safeguard the device for forensic examinations
19 how to conduct a preview of the contents of electronic devices
20 the need to consider physical forensic examinations and the implications for your work
21 how to photograph, package, seal and label the device
22 how to keep accurate records of the seizure
23 the principles of forensics
