GUIDELINES FOR DIGITAL FORENSICS FIRST RESPONDERS

Best practices for search and seizure of electronic and digital evidence

March 2021

Disclaimer

These “Guidelines for Digital Forensics First Responders” (the “Guidelines”) have been prepared as technical guidelines to provide information and advice on digital forensic approaches that may be adopted when seizing and analysing different kinds of devices. These Guidelines are solely for the use of law enforcement professionals having the necessary legal basis or authorisation to perform the actions described herein.

The legal, procedural and customary frameworks in respect of search, seizure, chain of custody, analysis, reporting, submission in criminal/prosecution/judicial process, evidentiary evaluation, admissibility and probative value, etc., differ widely by jurisdiction. These Guidelines do not provide any recommendations, advice or instructions in respect of requirements under such legal and procedural frameworks in any jurisdiction and any references seemingly suggesting as such should be read as being subject to domestic laws and procedures in this regard.

Readers are advised to ensure, when taking any actions based on these Guidelines, to verify and be satisfied that such actions are in compliance with appropriate legal and procedural requirements or standards in their jurisdictions.

These Guidelines are not mandatory in nature and have no enforceability. INTERPOL shall not be liable for any actions taken by any parties based on these Guidelines which are contrary to or inconsistent with or not in compliance with any relevant legal, regulatory, administrative, procedural, evidentiary, customary, or other requirements, exhibit extraction processes, chain of custody records to be maintained, etc.

These Guidelines also include mentions of open source, proprietary and publicly available tools and services (collectively, the “Tools” and each, a “Tool”) that offer various functionalities. They may be viewed, downloaded and/or used at the discretion of the user. In relation to these, please note the following:

• INTERPOL has not developed or verified the Tools, does not endorse them, has no association with their providers, and does not license or provide any support for the use of such Tools. INTERPOL provides no warranties (express or implied) in relation to the Tools or any of them, their utility for any purpose or effectiveness.

• Links to other websites from these Guidelines do not constitute an endorsement by INTERPOL, and are only provided as a convenience. It is the responsibility of the user to evaluate the content and usefulness of information obtained from other websites/using these Tools.

• INTERPOL does not control, monitor or guarantee the contents of the links or the Tools provided herein, or their data collection practices; it does not endorse any views expressed or products or services offered therein.


• It may be necessary to create user accounts, pay subscription or one-time fees or upgradation fees in order to use some of these Tools. Registration or creation of user accounts, payment of fees or charges may require authorisation from your organisation and be subject to legal requirements in your jurisdiction (including for the creation of fake or assumed identities for this purpose). Please ensure that you have the requisite authorisations to use the Tools. INTERPOL does not encourage or in any manner, authorise doing so, and will not be liable in respect of any actions you take to create accounts or registrations, pay any fees or subscriptions, or if you assume any identities or create fake credentials, in order to use any Tool.

• Each of these Tools may be subject to licenses, privacy policies and to the terms contained therein. Please review carefully any such terms, conditions or privacy policies that apply to the use of any Tool you wish to use.

• Information entered into any of the Tools may be saved on the servers of the company that provides the Tool, and the legality of this within your jurisdiction must be tested and verified by you. It is also the responsibility of the user to test the data collection practices and privacy policies of the Tools as against their national legal requirements.

• Any use of the Tools (or any of them) is at your own risk, and INTERPOL shall not be liable or responsible under any circumstances for any damage or loss incurred, caused or alleged to be caused due to your use of or reliance upon any of these Tools. Any claims or actions in relation to any damage or loss incurred by a user should be directed to the providers of the Tool(s) and not INTERPOL.

• No data that is input in the use of any of these Tools will be transmitted to or be available to INTERPOL in any way. Should you choose to use any of the Tools for forensic, analytical or investigative purposes, you acknowledge that INTERPOL shall not receive any information in this regard, and at no point will be in the chain of custody of any evidence analyzed or generated using any such Tool.


Acknowledgements

The Guidelines are based on the Electronic Evidence Guide of the Council of Europe, on the Digital Evidence Collection Certificate Manual of the National Center of Excellence in Cybersecurity in Spain (), and other best practice guides of law enforcement agencies concerning the seizure and treatment of electronic evidence. The INTERPOL Innovation Centre Digital Forensics Laboratory ( ) also received feedback from digital forensic experts from different parts of the world, to meet a consensus for some of the debated or troublesome aspects encountered by digital forensic first responders. We wish to mention and thank the following colleagues below, whose valuable input has helped to improve the agencies worldwide

• National Institute of Criminalistics, Brazilian Federal Police
• Cybercrime Unit, General Commissary of Criminal Police (CGPJ) of Spanish National Police ()
• The Scientific Working Group on Digital Evidence (SWGDE)

INTERPOL would also like to express its sincere gratitude to the Norwegian Ministry of Foreign Affairs for their support and contribution in the creation of the Guidelines.

The Guidelines will be referenced during an online training activity (Nov-Dec ), conducted in the framework of INTERPOL Project a three-year capacity building initiative funded by the Norwegian Ministry of Foreign Affairs. The project focuses on enhancing digital forensics capacities of beneficiaries in the South and Southeast Asia region. Through such endeavours, key stakeholders of the project including digital forensic first responders and their law enforcement institutions will have the opportunity to strengthen their knowledge on the best practices articulated herein. Moreover, the guidelines will also serve the purpose as an invaluable reference tool across all INTERPOL member countries ensuring that advice on the handling, collecting and preservation of digital evidence to support investigations, are available to those law enforcement officers involved in such procedures.


Foreword

In pursuit of providing guidance and support to law enforcement agencies across the globe, the INTERPOL Innovation Centre developed the INTERPOL Guidelines for Digital Forensics First Responders: Best Practices for Search and Seizure of Electronic and Digital Evidence. I am pleased to present these guidelines which aim to establish best practices for handling and using digital evidence during search and seizure preparatory and execution stages. Key technical considerations are also identified on the effective preservation of data to ensure that it can support law enforcement in criminal investigations and it can be admissible in court. This guide is intended to assist law enforcement officers from different crime areas who may attend to a crime scene, being responsible for collecting, securing, and transporting electronic and digital evidence. It will also be helpful for supervisors of aforementioned officers in guiding and supporting them. Moreover, it can be useful for prosecutors to get a better understanding of collection and handling of evidence.

As our society becomes increasingly integrated with digital technology encompassing every facet of our daily lives and law enforcement work, it may be difficult to remember an occasion where you had limited interaction with a digital device. For today’s law enforcement community, there is a continuous trend towards investigations relying on some form of digital evidence. While we would consider that digital evidence indeed shares similar aspects when compared to traditional forms of evidence, there are also unique considerations to be taken into account.

The intangible nature of data obtained in electronic form, its volatility, and the ease at which it can be altered, all pose challenges to the integrity of digital evidence. Thus, it is vital that first responders and law enforcement practitioners are able to properly identify and handle digital evidence ensuring that the latter stages of the digital forensic process can be performed on the basis of sound judgement.

I am grateful for the contribution of the team, particularly its Digital Forensics Laboratory for sharing their knowledge and subject matter expertise. I also extend my thanks to our colleagues from the INTERPOL Capacity Building and Training Directorate CBT who have supported this initiative and will utilize the guidelines in the context of projects focused on enhancing digital forensic capabilities. Finally, I would like to thank the Norwegian Ministry of Foreign Affairs for its generous support. The Guidelines are a reflection of INTERPOL’s sustained efforts in fostering international police cooperation and our commitment to assist our member countries in response to the complex global security challenges in the digital domain.

Director Anita Hazenberg
INTERPOL Innovation Centre Directorate


Contents

List of figures
INTRODUCTION
SEARCH AND SEIZURE PREPARATION PHASE
  Planning
  Equipment preparation
SEARCH AND SEIZURE EXECUTION PHASE
  Secure the scene
  Assessment
  Document the scene
  Collection and the handling of digital evidence
    Live analysis of powered computers and laptops
    Inability to access information on powered devices
  Seizure Phase
  Packaging and Transport
TECHNICAL CONSIDERATIONS
  The forensic copy
  Alternatives to the forensic copy
  function
SPECIFIC PROCEDURES
  Smartphones / Tablets
    Considerations when securing mobile phone evidence
    Mobile Phone Evidence Preservation Process for First Responders
  iOS Preservation Process and Flowchart
  Android Preservation Process and Flowchart
  SIM Card
  Removable Media Card
  Cloud Data
  Considerations upon Seizure Traditional Forensics Access Network Isolation Points to Prove
  Servers
  Personal Computers
  Laptops
  Storage media: memory cards, flash drives, external hard drives, optical discs, etc.
  Other devices: Digital cameras, GPS navigation systems, Dash Cameras, etc.
  IoT devices
    Smartwatches
    Smart TV
    Home kit/smart speakers
    IP and concealed cameras
  Gaming consoles
  Drones
  CCTV
  Virtual assets devices
Automotive Vehicles
Shipborne Equipment
REFERENCES


Acronyms, abbreviations, and initialisms

CBT: INTERPOL Capacity Building and Training
CCTV: Closed Circuit Television
CGPJ: General Council of the Judiciary – Is the constitutional body that governs all the Judiciary of Spain
CNP: The National Police Corps (Cuerpo Nacional de Policía), national civilian police force of Spain
CNIC: Cellular Network Isolation Card
SIM: Subscriber Identity Module
CSV: Comma-separated values file format
DFL: Digital Forensics Laboratory
DNA: Deoxyribonucleic acid
DRM: Digital Rights Management
DSC: Digital Selective Calling
ECDIS: Electronic Chart Display and Information System
ECU: Electronic Control Units
EPIRB: Emergency Positioning Indicator Radio Beacon
GB: Gigabytes
GMDSS: Global Maritime Distress and Safety System
GPS: Global Positioning System
GSR: Gunshot residue
Hard drive: Hard disk drive
IC: INTERPOL Innovation Centre
ICCID: Integrated circuit card
IMEI: International Mobile Equipment Identity
INCIBE: Instituto Nacional de Ciberseguridad, The Spanish National Cybersecurity Institute
IP: Internet Protocol
LRIT: Long Range Tracking and Identification System
NVMe: Non-Volatile Memory Express
OS: Operating System
P2P, P2MP, PP: point-to-point, point-to-multipoint
PIN: Personal Identification Number
PUK: Personal unlocking keys – sometimes known as a network unlocking code (NUC) or personal unlocking code (PUC)
RAM: Random Access Memory
RAID: Redundant Array of Inexpensive Disks
RF: Radio Frequency
RPAS: Remotely Piloted Aircraft System
RUIM: Removable User Identity Module
SMS: Short Message Service
SSD: Solid-State Drive
sUAS: Small Unmanned Aerial System
TB: Terabyte
TPM: Trusted Platform Module chips
UAV: Unmanned Aerial Vehicle
UAS: Unmanned Aerial System
UPS: Uninterruptible Power Supply System


SEARCH AND SEIZURE OF DIGITAL EVIDENCE

1. INTRODUCTION

2. SEARCH AND SEIZURE PREPARATION PHASE

2.1. Planning


• A preparatory meeting sho

• The intervention on the scene of these specialized units should be prioritized and coordinat

• Nature of crime under investigation

or obtain the necessary samples (pictures, videos, chat sessions, etc.) “” in an adequate and

• Suspect’s technical knowledge.

• Location of data storage

● Obtaining forensic images (“” or not)
● Analysis of the devices “”


● Use of applications to obtain access passwords
● Authorization to change the password of email accounts or social networks, etc.

Given the number of different case scenarios, we should consider the most appropriate actions to the specific case. In most cases, however, it is advisable to use expressions that support without any doubt the different actions to be performed. For example, “it is eeste tt te seie i sis eeti eies e tii iti i iit t i e e site.” The extent of precision and specificity that is required will depend on the jurisdiction and its legal and procedural frameworks.

2.2. The final destination of the evidence


The destination of the seized items must be defined before starting any activity of search and seizure. Forensic copies, as well as devices that require specific treatment, should be sent to the corresponding department/team for processing and analysis.

For each case, adequate packaging, transport and documentation must be provided to maintain the chain of custody that begins during the seizure.

2.3. Equipment preparation

It is advisable to have a checklist with the material to be carried to the destination so that one can verify that everything needed is available and in good condition. A template is provided below (to be customized according to the procedural and legal requirements in the relevant jurisdiction).

It is crucial to have enough devices where forensic images, clones or data from remote sources will be stored. These devices should preferably be brand new or, at least, securely wiped overwriting all of the data with a known sequence of characters, usually in hexadecimal, to avoid any possible data contamination.

The following is a list that the officer must take into account consisting of the minimum forensic tools needed for a successful search and seizure activity:

Forensic equipment

Laptop with the necessary standard forensic tools installed ⃝

Hardware write blockers ⃝

Forensic tools dongle licenses ⃝ Dongle Dongle Dongle

Enough memory storage media (external s) for images and remote data destination ⃝ Hard Disk Hard Disk card

with extra forensic software or bootable devices ⃝

Tools to disassemble

Screwdrivers (flat, star, hexagonal and other specific for certain models such as Hewlett Packard, Apple) ⃝

ie t si te ee i se


Pliers (standard and pointed) ⃝

Clamps (for cutting cables) ⃝

Small tweezers ⃝

Exhibit documentation

Photo or video camera (to take pictures of the scene and the screen content) ⃝

Permanent markers (to encode and identify the investigated material) ⃝

Labels (to mark and identify parts of the equipment, power supplies) ⃝

Evidence tags ⃝

Resources needed for packaging and transport / Consumables

Evidence bags and seal ⃝

Evidence carton boxes for media storage devices such as devices, s, or s ⃝

Antistatic ziploc evidence bags ⃝

Faraday bags to inhibit signals to mobile phones and other devices that may receive data from mobile/Wi-Fi network ⃝

Other items

Small torch with stand ⃝


Gloves ⃝

Large rubber bands ⃝

Magnifying glasses ⃝

Network cables (crossed and braided) ⃝

as ⃝

3. SEARCH AND SEIZURE EXECUTION PHASE

Participant’s safety at the search and seizure is a priority issue. For this purpose, there are specially trained units. No one should enter the perimeter without having secured the area. People who are in the scene will remain controlled at all times during the operations to avoid any alteration or data compromise.

The technical procedural steps described below are suggested, subject to applicable legal and procedural requirements in the country.

3.1. Secure the scene

In the case of electronic evidence collection, the aim is to avoid the loss, alteration or destruction of any possible evidence. For this, the following measures will be taken:

• Remove and forbid unauthorized personnel from accessing the scene. They must be kept away from computers, mobile phones or any other sensitive items, including power supplies. In addition, suspects should not be able to communicate with anyone who is not onsite to prevent remote data destruction.
• Quickly locate the most obvious elements, computers and mobile phones, especially those that are connected to the Internet and those that need special assurance measures to prevent data loss.
• Check the existence of wireless networks that allow access and modification of data from outside.
• Refuse any help offered from unauthorized personnel in the investigation.

3.2. Assessment

After first securing the scene, first responders should make a general assessment of the scenario. This includes having a global idea in quantitative terms of the material that is possible to process, the type of processing that is going to be carried out and the costs in equipment and time that will be required. This is the best time to produce a photographic report of the scene since in this first phase it will have suffered minor contaminations.


Although the traditional method of conducting a search was to maintain a clear order starting with a thorough search of a room to continue with the next one, in the processing of electronic evidence it becomes difficult to follow that working method. This is due to the fact that obtaining or copying the evidence is a slow process that can last for many hours. Therefore, it is crucial to start processing this evidence as soon as possible while continuing conventional search and seizure.

It is worth pointing out that digital devices containing potential evidence may be easily hidden, integrated or contained within cupboards or drawers, memory cards, mobile phones, etc. so a careful sweep for electronic devices of a crime scene may be required depending on your points to prove.

3.3. Document the scene

All processes to collect and gather the evidence should be duly documented according to applicable procedural and legal requirements. To do this, you must keep an exhaustive record of the location and original condition of the devices.

The following are examples for proper documentation of the scene:

[Figure: laptop computer (evidence number), internal hard drive (evidence number), thumb drive (evidence number), (evidence number)]

At that moment, the possibility of seizing only devices that contain information can be assessed, documenting the effects that have been reviewed but will not be processed. In the previous example, the devices that contain data to be analyzed are internal hard disks, thumb drives and s, while the laptop without the above elements lacks useful information. It should therefore be avoided to transport and store devices that we already know do not provide any data. This option must be assessed by a specialist, since the intervened effects may have some kind of technical relationship with the device they come from and without which it would not be possible to analyze them. This procedure will be discussed more in-depth in the specific procedures.

For each device, the following data must be documented:

● Type: Computer, hard drive, flash drive, , etc.
● Brand and model
● Storage capacity, indicating if it is , or
● Serial number
● State: Damaged, on, off, etc.
● Location: Stay and specific place
● Security: Access password, PIN
● Comments: Used only by children, not connected to the Internet, etc.

Finally, any annotation related to the use of passwords, settings, email accounts, etc., as well as the cardholders with their , original PIN and PUK number and any other relevant information that may be searched will be searched and documented. They will be used in the subsequent analysis of the devices.


3.4. Collection and the handling of digital evidence

As a general rule the following principles will be applied, but refer to the following sections for specific devices:

a) If the equipment is on, do not turn it off.

● Verify installation of anti-forensic systems (local or remote erasing programs, external access). Stop these processes even by pulling the power cable or removing the battery if necessary.
● Isolate the device from the networks to which it is connected unless you are authorized to access cloud services.
● Disable screensavers and screen locking in order to prevent the equipment from being hibernated or suspended.
● Check if the device has any kind of encryption system running (BitLocker, FileVault, VeraCrypt, PGP Disk, etc.).
● Check if it is connected to power.

b) If the equipment is turned off, do not turn it on until it is processed with guarantees, as further explained later.

If the local legislation allows it, the suspect’s password/pin must be asked and checked if it is correct. Even if the device is not fully encrypted, it is important to have the suspect’s passwords. The suspect might have encrypted a file or used the same pattern in another system.

The following actions can be performed on the devices:

● Seizure. The device is simply documented, described and sealed, leaving the decision for further analysis to the court or any other rightful authority. No further actions are taken on it until it is again unsealed.
● Generate a forensic copy. For each evidence, apply the specific procedures described in this manual.

The process performed will have to be documented:

● The procedure used: cloned, image or any other system used.
● Tool: Hardware duplicator, write blocker, software, etc.
● Destination: disk, file with the data obtained from a telephone, etc.
● Destination location
● Algorithm used and the signature obtained.
● Observations: Any incident arising during the copy process.

3.4.1. Live analysis of powered computers and laptops

It is necessary to carry out an exhaustive record of all the actions performed, as well as the date and time at which they were fulfilled.

The variety of possible scenarios in a capture procedure requires specific considerations for each of them. However, it is advisable to follow a predetermined methodology when it comes to capturing volatile data based on its volatility order.


If using a forensic tool at a scene, this must only be carried out by trained personnel and ensure that the reason for examining the evidence at the scene is documented and controlled.

There are some tools specially developed for law enforcement that can help in the live analysis. One of them is FiRST, which is a first responder tool part of the FREETOOL project, developed by the Berlin State Police (Germany). The purpose of FiRST is to inform the first responder if the machine can be powered down. FiRST checks for signs that traditional post-mortem forensics may not be successful or complete. These signs include the presence of encryption or disk-wiping software, cloud/network storage locations, virtualization, etc. If these signs are detected, the first responder is warned of the dangers inherent in pulling the plug and advised to contact an expert. For more information consider visiting the official page of the project at https://freetool.ucd.ie.

If a specific tool like FiRST is not available, you could consider the list shown below based on the list created by Kuhlee and Völzow (Computer Forensik Hacks, O’Reilly, ISBN 9788899), aimed at facilitating the choice of the most appropriate tool to capture specific fragments of volatile data.

| Volatile fragment | Windows tools | Linux tools |
|---|---|---|
| RAM content | DumpIt, Winen, dd, FTK Imager | dd, fmem |
| Routing table, ARP cache, kernel statistics | route PRINT, arp -a, netstat | netstat -r -n, route, arp -a |
| DNS cache | ipconfig /displaydns | rndc dumpdb (if installed) |
| List of running processes | PsList, ListDLLs, CurrProcess, tasklist | ps -ef, lsof |
| Active network connections | | netstat -a, ifconfig |
| Programs and services using the network | sc queryex, netstat -a | netstat -tunp |
| Open files | Handle, PsFile, Openfiles, net file | lsof, fuser |
| Network shares | Net share, DumpSec | showmount -e, showmount -a, smbclient |
| Open ports | OpenPorts, ports, netstat -an | netstat -an, lsof |
| Connected users | PsLoggedOn, whoami, ntlast, netusers /l | w, who -, last |
| Encrypted archives | Manage-bde (BitLocker), efsinfo | mount -, ls /media |
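One way to apply the points above (work through the listed tools in a fixed order, record every action with its date and time, keep captured data off the examined machine's own media), as an added Python example that is not a tool from the Guidelines. The default plan reuses Linux commands from the table; the function names, the JSON log layout and the same-device check are assumptions of this example.

```python
import datetime
import hashlib
import json
import os
import subprocess
import sys
import tempfile

# Linux commands named in the table above, kept in the table's row order.
LINUX_PLAN = [
    ("routing_table", ["netstat", "-r", "-n"]),
    ("arp_cache", ["arp", "-a"]),
    ("running_processes", ["ps", "-ef"]),
    ("network_connections", ["netstat", "-a"]),
    ("open_files", ["lsof"]),
    ("open_ports", ["netstat", "-an"]),
    ("connected_users", ["last"]),
]


def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


def collect(dest_dir, plan=LINUX_PLAN, examined_root=None, timeout=120):
    """Run each command once, store its output in dest_dir and log the action."""
    if not os.path.isdir(dest_dir):
        raise FileNotFoundError(dest_dir)
    # Assumption of this example: a destination on the same device as the
    # examined system's root is treated as the suspect's media and refused.
    if examined_root is not None and \
            os.stat(dest_dir).st_dev == os.stat(examined_root).st_dev:
        raise ValueError("destination is on the same device as the examined system")
    records = []
    for seq, (label, command) in enumerate(plan, start=1):
        record = {"seq": seq, "label": label, "command": command,
                  "started_utc": utc_now(), "exit_code": None,
                  "output_file": None, "sha256": None, "note": ""}
        try:
            done = subprocess.run(command, stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT, timeout=timeout)
        except FileNotFoundError:
            record["note"] = "tool not available"
        except subprocess.TimeoutExpired:
            record["note"] = "timed out"
        except OSError as exc:
            record["note"] = "could not run: %s" % exc.strerror
        else:
            name = "%02d_%s.txt" % (seq, label)
            with open(os.path.join(dest_dir, name), "wb") as out:
                out.write(done.stdout)
            # Hash the captured bytes so the output can be verified later.
            record.update(exit_code=done.returncode, output_file=name,
                          sha256=hashlib.sha256(done.stdout).hexdigest())
        record["finished_utc"] = utc_now()
        records.append(record)
    with open(os.path.join(dest_dir, "actions.json"), "w") as log:
        json.dump(records, log, indent=2)
    return records


def demo_collection():
    """Constructed run: one command that works, one tool that does not exist."""
    plan = [("works", [sys.executable, "-c", "print('constructed output')"]),
            ("absent", ["constructed-tool-that-does-not-exist"])]
    with tempfile.TemporaryDirectory() as dest:
        records = collect(dest, plan=plan)
        with open(os.path.join(dest, records[0]["output_file"]), "rb") as fh:
            stored = hashlib.sha256(fh.read()).hexdigest()
        logged = os.path.exists(os.path.join(dest, "actions.json"))
        try:
            collect(dest, plan=plan, examined_root=dest)
            refused = False
        except ValueError:
            refused = True
    return records, stored, logged, refused


if __name__ == "__main__":
    for entry in demo_collection()[0]:
        print(entry["seq"], entry["label"], entry["exit_code"], entry["note"])
```

On a real scene the call would be `collect("/path/to/external/media", examined_root="/")`, with the destination path being whatever the responder's own storage is mounted as.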


● The suspect’s media device should never be used to store the captured information and data.

3.4.2. Inability to access information on powered devices


a) “Coldboot RAM” technique. It is a technique consisting of freezing the RAM with the equipment on using liquid nitrogen. Once this is done the computer is turned off and restarted with its own operating system from a or pen drive with tools that manage to dump the RAM. When this memory is frozen in the shutdown process it keeps the data it had.

This technique is based on research carried out by the University of Princeton and might not be useful in an operational environment.

b) Transport the intervened device without turning it off. Another method may be to use portable power systems that keep the equipment on until the arrival at the forensic laboratory where it will be subsequently treated.

3.5. Seizure Phase

The record of the search and seizure process usually involves the beginning of the chain of custody of the evidence involved. So it will be necessary to specify the next destination and the persons responsible for the custody of transfers. This process will be informed by the legal requirements in the applicable jurisdiction.

3.5.1 Packaging and Transport

All evidence from a search and seizure must meet the following conditions:

● Ensure that all the collected material has been properly registered and labelled before proceeding to its packaging.
● When possible the original packaging will be used to package and transport the seized devices.
● They have to be uniquely identified through labelling.
● The label must show whether or not they have been subjected to the cloning/copying process.

Suitable material must be used for its sealing to avoid possible manipulation of the devices. The seal must prevent access to internal elements (hard drives or internal memories) both physically and through the connection ports of the equipment.

Depending on their destination they will be packaged separately without mixing them with other documentation or other devices. This will facilitate the diligence of the unsealing and acquisition of forensic copies or their direct submission to the laboratory. Each package containing electronic evidence will have on its exterior the identification that shows the nature and origin of the content.

The means used for transport and temporary storage must ensure the integrity of the devices, sufficiently protecting them from shocks and from sources of electromagnetic radiation, heat or humidity that may damage them.

Halderman A., Schoen S. D., Heninger N., et alia, “Lest We Remember: Cold Boot Attacks on Encryption Keys”, appeared in Proc. 17th USENIX Security Symposium (Sec ’08), San Jose, CA, July 2008. Available at: halderman.pdf (usenix.org)

4. TECHNICAL CONSIDERATIONS

4.1. The forensic copy

One of the main premises in the forensic analysis process warns that, excluding exceptional cases, an examination of the evidence should not be performed using the original device. Therefore it will be required to copy or clone the data contained in the original device, to avoid compromising its integrity. The forensic experts will then use the imaged/copied data to perform the analysis.

This copy must be an exact bit-by-bit replica of the original device, regardless of its content. This process can be done in two formats:

a) Device to device (clone). This can be performed by obtaining an exact bit-by-bit replica of an original device in another previously wiped device with equal or greater capacity.

b) Device to file (image). This can be performed by generating one or more files that contain, linked together, an identical copy of the original device. The most widespread is dd (raw) or E01 formats.

It is possible to perform these processes through hardware duplicators or through specific software installed on forensic computers. Forensic duplicators protect the original device from any writing or alteration during the process, and when specific software is used to make forensic copies it is advisable to use hardware or software write blockers.

Advantages of creating image files:

● Allows the copy to be spread in multiple files configurable in size, facilitating its storage and subsequent analysis.
● Provides file compression without data loss, in order to save storage space on the destination device.
● Allows encryption if needed, in order to provide more security.
● May include case information, data on image creation and verification of the integrity of the evidence including the results of the HASH.
● Prevents contamination of the copy.
● These formats can be read directly and more efficiently on the analysis programs.

4.2. Alternatives to the forensic copy

There are other scenarios in which it will not always be possible to obtain an exact physical copy, bit by bit, of the entire source device, such as the acquisition of files or information from servers, NAS, virtual disks or encrypted volumes.

In these cases, there are other techniques to acquire digital evidence.

a) Logical copy of volume. This method is applied, for example, when it is needed to acquire the content of an encrypted volume that is being used on a powered computer. To preserve that information, a logical copy of the volume will be produced. By making a physical copy of the disk, a partition would be obtained that would be unreadable since the data is encrypted. However, the logical copy allows the user to acquire the content in the same way the user accesses it.

b) Logical copy of file. It is performed by generating, using suitable software, a replica of the original data after selecting what may be of interest to the investigation. For example, in a business environment, we can make a logical copy of the suspect user’s folder. The drawback is that the file slack space in our copy will be lost, and the of the original file system may not always be maintained.

Making forensic logical copies does not prevent the properties of the evidence from being maintained. Whenever it is carried out, use the appropriate tool and method, protect against writing, preserve metadata as much as possible and use a cryptographic algorithm that allows verifying the integrity of the acquired data.

4.3. HASH function

The HASH function or summary function is used to verify the integrity of a data set. In other words, it is about obtaining its “fingerprint”.

In the case of electronic evidence, this procedure is applied when making copies of the original devices, so that, once the HASH value of the origin and destination has been calculated, they must be identical. This process is known as verification.

This procedure is also used to detect known files within the evidence. There are reliable file databases (from the installation of operating systems or other applications), such as those of the NSRL (National Software Reference Library) that allow them to be discarded, and other databases with the signatures of known files, for example, of child sexual abuse material, which allow investigators to identify, track, and even share them amongst law enforcement without the need to distribute the original files.

It is important to remark that some technologies like SSD are becoming a new challenge when considering evidence verification methods. Due to how the SSDs work they can sometimes purge data all by themselves even if they are not connected to any interface with only the power on. Alternatives to traditional evidence hashing must be considered, such as hashing of logical partition or file hashing.
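The verification, known-file filtering and file-level hashing described in this section, as an added example that is not part of the original guidelines. SHA-256, the function names, the sample files and the two hash sets are assumptions of the example; a real known-file set would come from a database such as the NSRL.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image is never loaded whole


def hash_stream(path, algorithm="sha256"):
    """Hex digest of a file or raw image, read sequentially and read-only."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_copy(source, destination, algorithm="sha256"):
    """Verification: the digests of origin and destination must be identical."""
    src = hash_stream(source, algorithm)
    dst = hash_stream(destination, algorithm)
    return {"algorithm": algorithm, "source": src, "destination": dst, "match": src == dst}


def file_manifest(root, algorithm="sha256"):
    """File-level hashing: map each regular file under root to its digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip links and special files, hash content only
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_stream(full, algorithm)
    return manifest


def compare_manifests(before, after):
    """Files whose digest changed, disappeared or appeared between two runs."""
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "missing": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }


def triage(manifest, known_good, known_flagged):
    """Sort files into known-good (discard), flagged hits and unknown (review)."""
    result = {"discard": [], "flagged": [], "review": []}
    for path, digest in sorted(manifest.items()):
        if digest in known_flagged:
            result["flagged"].append(path)
        elif digest in known_good:
            result["discard"].append(path)
        else:
            result["review"].append(path)
    return result


# Constructed sample content standing in for a seized volume (not real evidence).
SAMPLE_FILES = {
    "system/os.bin": b"constructed operating system file",
    "user/notes.txt": b"constructed user document",
    "user/media.bin": b"constructed file listed in a flagged hash set",
}


def demo():
    """Run verification, manifest comparison and triage on the sample data."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        for rel, content in SAMPLE_FILES.items():
            target = work / "origin" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        # Whole-image verification: an exact copy matches, one changed byte does not.
        image, copy = work / "image.dd", work / "copy.dd"
        image.write_bytes(b"".join(SAMPLE_FILES.values()) * 1000)
        shutil.copyfile(image, copy)
        intact = verify_copy(image, copy)
        with open(copy, "r+b") as handle:  # simulate corruption of the working copy
            handle.seek(10)
            handle.write(b"\x00")
        altered = verify_copy(image, copy)
        # File-level hashing: find exactly which file differs in a second acquisition.
        before = file_manifest(work / "origin")
        shutil.copytree(work / "origin", work / "second")
        with open(work / "second" / "user" / "notes.txt", "ab") as handle:
            handle.write(b"!")
        diff = compare_manifests(before, file_manifest(work / "second"))
        # Known-file filtering with constructed hash sets (stand-ins for real databases).
        good = {hashlib.sha256(SAMPLE_FILES["system/os.bin"]).hexdigest()}
        flagged = {hashlib.sha256(SAMPLE_FILES["user/media.bin"]).hexdigest()}
        return {"intact": intact, "altered": altered, "diff": diff,
                "triage": triage(before, good, flagged)}
```

Calling `demo()` returns the four results; the per-file manifest is what still localises a change when two whole-device digests of an SSD no longer agree.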

5. SPECIFIC PROCEDURES

In the previous sections a general procedure has been explained in order to preserve the integrity of digital evidence. However, during the search and seizure the digital forensic expert will find many devices that require specific procedures due to their nature. It will be due to complexity in terms of connection processes for some of them, encryption systems present, large amount of data to be extracted or lack of standard extraction tools.

In the following sections you will find the general guidelines for some of the devices that can frequently be found in search and seizure environments.

Figure. Devices: smartphones and tablets

5.1. Smartphones - Tablets

Mobile phones have become a primary source of digital forensics as they are always on and are very personal to each user. A smartphone such as an Android or Apple device can contain from to of data.

Also, a mobile handset may contain a SIM and a removable media card if supported. All of these elements are essential to an investigation as they contain data that may enable to either identify the owner or understand their activity using the mobile phone.

With the advent of the smartphone and the introduction of application stores such as Google Play and iTunes store, the user can install applications that may allow the handset to utilize new services such as online gaming, instant messaging and file sharing. With each mobile handset the examiner should access the application for investigational value and its relevance to the case and the points to prove, subject to applicable procedural and legal requirements in their jurisdiction.


5.1.1. Considerations when securing mobile phone evidence

Mobile devices present a unique forensic challenge due to rapid changes in technology. There are numerous makes and models of mobile devices in use today. Many of these devices use closed source operating systems and proprietary interfaces, sometimes making it difficult to extract digital evidence. Version specific expertise may be necessary to attain access and may alter workflows listed below. Examples encountered are as follows:

● Incoming and Outgoing Signals – Attempts should be made to block incoming and outgoing signals of a mobile device. Common methods include radio frequency blocking containers (e.g., Faraday bag or room). Signal blocking containers may not always be successful. They may drain the battery, and failure may result in data alteration.
● Cables – Data cables can be unique to a particular device and forensic tool.
● Destruction of Data – There are methods to destroy data locally and remotely on a mobile device. This is why the device must be isolated from all networks (e.g., carrier, Wi-Fi, Bluetooth) as soon as possible. Examiners should be cognizant that a mobile operating system may have automated processes which will destroy data on power-on or after a specific duration of time, and choose an extraction method or sequence that addresses these concerns where applicable.
● Drivers – Conflicts may occur due to existing operating system drivers, proprietary drivers, driver version inconsistencies and vendor-specific drivers. Ability to find proper drivers may be difficult. Drivers may be included with a forensic tool or downloaded from a website. Drivers may compete for control for the same resource if more than one forensic product is installed on the analysis machine.
● Dynamic Nature of the Data – Data on active (powered-on) mobile devices is constantly changing. There are no write-blocking methods for mobile devices.
● Encryption – Data may be stored in an encrypted state, preventing access or analysis.
● Equipment – Equipment used during examinations may not be the most recent version due to a variety of reasons, such as purchasing/budgeting delays or verification requirements of hardware, firmware or software.
● Field Analysis – Triaging mobile devices is not considered a full examination. However, if triage is performed, the device should be protected and isolated from all networks.
● Inconsistent Industry Standards – Manufacturers and carriers may use proprietary methods to store data (e.g., closed operating systems, proprietary data connections).
● Loss of Power – Many mobile devices may lose data or initiate additional security measures once powered off.
● Passwords – Authentication mechanisms can restrict access to a device and its data. Traditional password cracking methods can lead to permanent inaccessibility or destruction of data.
● Removable Media Cards – Processing media cards while still inside the device poses risks (e.g., not obtaining all data including the deleted data, altering date/time stamps).
● Identity Module (e.g., SIM, CSIM, RUIM Card) – Lack of or removal of an identity module may prevent the examiner from accessing data stored on the internal memory of a handset. Inserting an identity module from another device may cause loss of data.
● Training – The individual collecting, examining and analyzing a mobile device should be trained to preserve and maintain data integrity.
● Unallocated Data / Deleted Data –

5.1.2. Mobile Phone Evidence Preservation Process for First Responders

5.1.3 iOS Preservation Process and Flowchart

Figure. An Apple iPhone

17). It is the readers’


Figure. Flowchart for Apple iOS device evidence acquisition procedure

The flow chart above is not all-inclusive for all versions of iOS. Version specific expertise may be necessary in order to attain access and may alter the foregoing workflow. If the device is powered on, it may contain volatile data, including encryption keys, and should not be turned off. A power source should be connected as soon as possible to prevent the device from powering down. Be sure to seize the charging cable to keep power to the device. It may be possible to adjust the Display Auto-Lock feature to extend the length of time before Auto-Lock is enabled.

If the device is unlocked, the examiner should take steps to prevent its locking, such as disabling the lock code or repeatedly interacting with the touchscreen. Place the device in “Airplane Mode” (by swiping up from the bottom and selecting airplane mode) and verify that Wi-Fi and Bluetooth are off. If the device cannot be placed in “Airplane Mode”, put it in a Faraday bag to prevent network interaction from potentially altering data on the device. Mobile devices blocked from connecting to a network will boost power output while trying to obtain a signal. This will drain a device’s battery at an accelerated rate. If it is necessary to keep the device powered, connect it to an external power source such as a portable battery pack. Both the mobile device and the charging source should be placed inside the Faraday bag. If the charging source is not placed in the Faraday bag, the cable may act as an antenna and the device may be able to connect to the network. If the device is off, leave it off. Collect identifying data about the device, such as model number, carrier and unique identifiers that are visible.

5.1.4 Android Preservation Process and Flowchart

Android is a Linux-based mobile operating system developed by Google and has the largest install base of any mobile operating system. Android is available in many different versions and, unlike iOS, is offered on devices manufactured by numerous companies. The following flow chart details steps that should be taken to preserve digital evidence on an Android device.

The Android device may utilize hardware and software encryption, so if the device has either a password/passcode/fingerprint/Face ID, then the user of the handset must supply the information required to gain access to the handset, otherwise the forensic lab may not be able to access the handset/data.

Figure. Android smartphones


Figure. Flowchart for Android device evidence acquisition procedure

The flow chart above is not all-inclusive for all versions of Android. Version specific expertise may be necessary in order to attain access and may alter the foregoing workflow.


If the device is powered on, it may contain volatile data, including encryption keys, and should not be turned off. A power source should be connected as soon as possible to avoid the device powering down. Be sure to seize the charging cable to keep power to the device. If the device is unlocked, the examiner should take steps to prevent its locking, such as disabling the lock code or repeatedly interacting with the touchscreen. It may be possible to adjust the Display Screen Timeout feature to extend the length of time before Auto-Lock is enabled. Place the device in “Airplane Mode” (by swiping down from the top and selecting airplane mode) and verify that Wi-Fi and Bluetooth are off. In order to give the best chance of accessing the evidence at a later date, enable debugging, if possible. If the device cannot be placed in “Airplane Mode”, follow the same procedure as for Apple devices. If the device is off, leave it off. Collect identifying data about the device, such as model number, carrier and unique identifiers that are visible.

Figure 7. SIM cards

5.1.5 SIM Card

A SIM/USIM card can contain contact lists, phone calls and SMS messages. A SIM card may be protected by a PIN code. If the code is attempted times without success, access to the SIM card is locked. To unlock it, you will need the PUK code, which is located on the original SIM cardholder or it can be requested from the mobile service provider. In any case, the ICCID (Integrated circuit card ID) will be obtained, which is its serial number.

Figure 8. SD Cards

5.1.6 Removable Media Card

If a handset allows the use of a removable memory card, then this card is used for expansion of the phone storage capacity. Removable storage is commonplace amongst Android handsets as this allows the user to store multimedia such as photographs, movies and music files as well as application data or backups of applications or mobile phone content. Removable memory cards can potentially be used across multiple handsets over time, depending on user behaviour.


Figure 9. Components of cloud storage

5.1.7 Cloud Data

Both Apple and Android phones require the user to have either a Google Account (Android) or an iCloud account (Apple). These cloud services enable the user to back up data to the cloud, as well as share their photos, videos and music files. They also make it possible to back up handset user data in case the device is lost or it has to be transferred to a new handset.

5.1.8 Considerations upon Seizure

Traditional Forensics

Traditional forensic processes, such as or DNA testing, may need to be conducted in order to establish a link between a mobile device and its owner or user. If the device is not handled properly during preservation and collection, physical evidence can be contaminated and rendered useless. As such, handle all potentially evidentiary items with gloves and submit to an appropriate lab as the situation dictates. Traditional forensic processes (e.g., DNA, latent prints) on a mobile device should be completed before digital forensic processes.

Access

User-created passwords also complicate the recovery of mobile device data. Collect and document this information if possible, and subject to applicable procedural and legal requirements in your jurisdiction.

Network Isolation

Disconnect mobile devices from their networks to ensure data is not remotely modified or destroyed. Mobile devices typically have a reset capability that clears all user content, resetting device memory to the original factory condition. Because this may be performed in person or remotely, immediate precautions (e.g., separate the device from its user, network isolation) are necessary to ensure evidence is not modified or destroyed.


Generally, examiners isolated a mobile device from network connectivity by placing the device in “airplane mode”. The “airplane mode” feature in newer versions of mobile operating systems may not disable Bluetooth, Wi-Fi, and other wireless protocols or may only disconnect them temporarily. Examiners should manually confirm that network connectivity has been disabled or consider alternate means of isolation, including placing the device in an RF shielded enclosure, removing the SIM card from the device or utilizing a Cellular Network Isolation Card (CNIC) for GSM phones.

The responder should also restrict any interaction with the device unless in a controlled environment. This is to safeguard the data on the device and also ensure that the device does not automatically connect to cloud services or networks, as this may change the data on the device or enable wiping of the device remotely.

Powering off the device to isolate it from the network poses the risk of engaging authentication mechanisms (e.g., passwords, PINs) or enabling enhanced security features, potentially rendering data inaccessible.

Points to Prove

The responder should also consider points to prove for the investigation when submitting the device to the digital forensics lab, as smartphones contain lots of data and not all data will be pertinent to the case.

Some forensics software allows the data from the exhibit's SIM card to be cloned onto a blank SIM card (Clone), with the original data copied onto the cloned SIM card and the network data omitted. The phone associates call logs, settings and other data with the SIM card. If a mobile phone is started with another card or without a card, this information cannot be accessed and may be lost.

How to proceed

a) The device is on

● Photograph the screen in the state it is in.
● Check the battery and if the date and time the device shows correspond to the actual date and time upon seizure.
● IMEI check: dial and photograph.
● Make a logical image of the device with the forensic device, including reading the SIM.
● Make a physical image of the device if it is supported.
● Turn off the device.
● Remove battery, SIM/USIM card and memory expansion card and photograph the assembly with the identification tag.
● Make a forensic image of the memory card, as described in its specific procedure, if it has not been performed by the forensic team.
● Do not turn on the equipment again.
● All elements are sealed together and marked as processed.

b) The device is off

● Check if support is available for acquiring a forensic image.
● The battery is removed and the items to be checked are located: SIM card and external memory.

● The SIM card is read, checking if it is protected by a PIN. If available, it is entered only once, because if it is tried times without success, it is locked. To unlock it, you will need the PUK code, which is located on the original SIM cardholder or that can be requested from the mobile service provider. In any case, the ICCID (Integrated Circuit Card Identifier) will be obtained, which is its serial number.
● A blank SIM card is recorded with the original card data and inserted into the terminal. The phone associates call logs, settings and other data with the SIM card. If a mobile phone is started with another card or without a card, this information cannot be accessed. The card generated as a copy of the original guarantees, in addition to keeping this data, that the device will not connect to the network.
● A forensic copy is made of the memory card, if any, following the procedure proposed for this type of storage media.
● The device is recomposed, turned on and a logical image is extracted following the system instructions.
● If it is supported, a physical image is also made.
● All elements are sealed together and marked as processed.

Try to locate and create a record of original containers and cardholders with visible PIN and PUK.

5.2. Servers

Server-type computer equipment provides services to other client computers. We can find them mainly in business environments performing functions of a file server, mail, web services, databases, user management, etc.

Physically, they can look like a normal workstation or they can be mounted on rack systems.

Before proceeding with a server, some aspects have to be considered:

● What does the court order/relevant legal authorization permit?
● Servers can be a fundamental part of the normal development of a company's activity, which does not have to be necessarily involved in the commission of the criminal act. Is it justified to leave an organization, possibly extraneous to the crime, without service? Is the equipment seizure really needed?
● Do we have the collaboration of the administrators or systems management personnel? Can they be trusted? Are they involved in the criminal activity?
● Is it clear what kind of information has to be acquired?
● Are we familiar with server environments and their operating systems? Can we disconnect the server from the data network and even turn it off to isolate it from the outside?

The preferred process to seize information from servers is to make a selective logical copy of the suspect folders. But you also have to consider getting the event logs, the active directory settings, mailboxes and the backups.

5.3. Personal Computers

The first step will be to determine if the computer is turned on. Many computers can be in a power saving mode, with the monitor simply turned off, in a state of sleep or hibernation (Windows), giving the feeling that they are disconnected or powered off. We will have to check if the monitor has power and connection to the equipment and if the unit has power or has a LED that indicates activity.


To remove the computer from this state, we will avoid pressing the power or reset button or the Enter key. It is best to move the mouse first or use the scroll or Shift key. Take note of the exact time of this action for further record.

If the equipment is turned on and shows activity, it is advisable to take the following measures:

● Take a picture of the screen as it appears and include date, time and time zone.
● Check the activity the user is performing at that moment, like active icons, process bars and application operation indicators. If it is observed that any destructive process is being executed, such as secure deletion, deletion of logs or records, etc., it must be interrupted immediately, even, if necessary, by pulling the power cable.
● Check the existence of network, wireless or cable connections.
● Disable screensaver or power setting modes. The purpose is to avoid the device entering a saving state or shutting down, losing the original state of the system.
● Check the mounted volumes and their characteristics, basically looking for the use of encryption or connection to shared folders on another computer in the network.
● Check the possible existing activities and connections to remote repositories such as Dropbox, Google Drive, OneDrive, etc., and the current activity of browsers, like email pages, social networks, etc.

At this time, the possibility of maintaining or disconnecting the network connection must be assessed, isolating the equipment.

If the device is switched on

Evaluation on-site. As a continuation of the preservation process, and in cases where a specific data set is being sought or the existence of certain information must be established immediately due to legal or procedural requirements, a direct examination of the equipment can be carried out in the presence of the interested party and the witnesses. Forensic logical copies of the data of interest can be performed. This procedure is common in cases of child sexual abuse in certain jurisdictions; however, from a technical point of view and good practice, certain nuances should be considered.

The less invasive procedure will be used. Just as we try to preserve a device as much as possible so that other types of traces can be obtained (fingerprints, etc.), in the same way it is convenient not to compromise the original data for the subsequent analysis performed by experts, if needed.

If you have to use applications, they must be reliable and, if possible, be specifically designed for this function and validated by the competent laboratory for the environment that is presented to us.

Procedure of “Live data forensics” or live analysis. The purpose is to obtain the maximum information from the equipment before it is turned off, with minimal necessary alteration of the original, including those volatile elements of the equipment that are of interest to the investigation, to be analysed later, such as RAM.

It is necessary in devices that contain encrypted volumes or disks which are mounted at the time of the intervention, as in the case of systems with BitLocker, FileVault, VeraCrypt, TrueCrypt, BestCrypt or similar solutions. With this procedure we will obtain the decrypted data without having to resort to the password, without prejudice to obtaining it through the analysis of other elements.

A similar case is hardware encryption using Trusted Platform Module chips (TPM) or through keys stored in external devices: devices in which this procedure is performed to extract the decrypted data, or it would be necessary to have the entire original system mounted to get that information.
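The check on mounted volumes, and the rule that encrypted volumes found mounted call for live acquisition before power-off, can be applied to command output captured during triage. The following is an added example, not part of the Guidelines: it assumes a Linux host and works on constructed samples of `/proc/mounts` and of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT`; the finding labels and recommendation strings are hypothetical.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample of /proc/mounts, as saved during live triage.
SAMPLE_PROC_MOUNTS = r"""
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
/dev/mapper/luks-home /home ext4 rw,relatime 0 0
//fileserver/case\040files /mnt/case\040files cifs rw,vers=3.0 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

# Constructed sample of: lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
SAMPLE_LSBLK = r"""
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="luks-home" PKNAME="sda3" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/home"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
"""

# File system types whose data lives on another machine, not on the seized disk.
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs"}


@dataclass(frozen=True)
class Finding:
    kind: str        # hypothetical labels: encrypted-unlocked, encrypted-locked, network-share
    source: str
    mountpoint: str


def unescape_mount_field(field):
    """/proc/mounts writes space, tab, newline and backslash as octal escapes (\\040 ...)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` KEY="value" lines into {device name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            row = dict(token.split("=", 1) for token in shlex.split(line))
            devices[row["NAME"]] = row
    return devices


def triage_volumes(proc_mounts, lsblk_pairs):
    """List mounted decrypted volumes, network shares and still-locked containers."""
    devices = parse_lsblk_pairs(lsblk_pairs)
    findings = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        source, mountpoint, fstype = (unescape_mount_field(p) for p in parts[:3])
        device = devices.get(source.rsplit("/", 1)[-1], {})
        if device.get("TYPE") == "crypt":
            # An open dm-crypt mapping: readable now, lost once power is removed.
            findings.append(Finding("encrypted-unlocked", source, mountpoint))
        elif fstype in NETWORK_FS:
            findings.append(Finding("network-share", source, mountpoint))
    # A LUKS container with no child mapping is present but has not been opened.
    parents_in_use = {d.get("PKNAME") for d in devices.values() if d.get("PKNAME")}
    for name, device in devices.items():
        if device.get("FSTYPE") == "crypto_LUKS" and name not in parents_in_use:
            findings.append(Finding("encrypted-locked", "/dev/" + name, ""))
    return findings


def recommend(findings):
    """Map findings to the next step described in the text (labels are hypothetical)."""
    kinds = {f.kind for f in findings}
    if "encrypted-unlocked" in kinds:
        return "live-acquire-before-power-off"
    if "network-share" in kinds:
        return "assess-network-connection-and-document-shares"
    return "follow-power-off-procedure"


if __name__ == "__main__":
    results = triage_volumes(SAMPLE_PROC_MOUNTS, SAMPLE_LSBLK)
    for finding in results:
        print(finding)
    print(recommend(results))
```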


In case of not being able to procure an expert’s support, it is better to turn off the equipment in the manner mentioned in the following point to avoid destroying the original electronic content or contaminating it, risking its probative value.

Power off procedure. Once the live process part is completed, we will proceed to power off the computer. The best way to do this will depend on the type of device and its operating system. Conventionally shutting down the equipment may cause us to lose information; however, on other occasions it will be necessary to perform that conventional shutdown to avoid losing that information.

Operating systems whose processing involves performing a sudden power off procedure execute a series of steps to shut down properly. These process sequences imply the loss of crucial information for the analysis phase.

Non-conventional shutdowns that involve the removal of the power supply cable must be done by removing the cable from the device and not from the wall socket, since an Uninterruptible Power Supply system can be located between the wall connection and the device connection.

If the device is switched off

Forensic copies or direct seizure of the equipment will be obtained.

It makes no sense to compromise the integrity of original evidence of a computer that is shut down by turning it on. In case of urgency or in need of immediate location of information, the device is analysed in read-only mode through a blocker so that it remains unchanged.

Once the scene and situation of the computer have been documented and it is verified that it is turned off, we will remove any power supply connected to the equipment to avoid unexpected electric shock. Therefore, the power supply cable will be removed from the device, never from the wall.

Do not forget to take note of the connected elements using the sketch or device file. The box will be disassembled to locate the hard drives. They will be labelled according to the agreed system and processed using the appropriate means.

The possibility of finding disks configured in RAID must be considered. In case of doubt, the equipment must be seized together with the hardware to facilitate its subsequent reconstruction, without removing the disks from the device.

You should check if there is any disc inside the reader. For this, it is not necessary to turn on the equipment; it is sufficient to operate with a clip in the mechanical unlocking hole.

General rules explained before will also be considered:

● After documenting the status and situation in which the equipment is found, the entire device is sealed. In this way we ensure that it contains all the elements that can store information.
● Disassembling the equipment is not always straightforward. Do not do it on-site if you are not familiar and do not have the proper tools.
● The availability of the original hardware in the laboratory can be very useful. For example, if the computer has some kind of special element such as a disk controller, TPM encryption chip or any other particular element that may be necessary for the reconstruction of the information. It can also make it possible to perform a live boot of the equipment in the laboratory, for example, to study the presence and behaviour of some type of malware infection.


● In case of simple or standardised equipment, it will not be necessary to seize the complete equipment and it will be enough to seize the data storage media, since there will not be compatibility issues.
● As a general rule, those media that do not provide research value are not seized. In principle, peripherals, monitors, mice, keyboards and their cables are not necessary, unless they do not correspond to the usual ones for connection types, to be proprietary models of a brand for example, or because they are already obsolete and difficult to find today. So, they can be useful in the analysis phases.
● Most user-level printers do not contain useful information. However, they can have limited memory that can be analysed in the laboratory in exceptional cases.

5.4. Laptops

The same process as for desktop will be applied, with some specificities.

When seizing a laptop, consider using its own bag, including charger, cables and accessories. Once closed, it will be sealed using a system that secures the entire assembly. To turn off the laptop, first remove the battery, if possible, and then remove the power cable.

Current laptops, especially notebook types, have batteries and hard drives integrated into the computer, so it is not always easy or possible to remove them. We can find laptops with eMMC type disks integrated into the mainboard, in which it will not be possible to obtain a forensic copy by using methods explained in the previous section. Many of these computers require the use of special tools, and to avoid damaging them, responders should be familiar with the disassembly procedures.

One of the solutions is to boot the computer from a bootable media with its own forensic operating system. Once the operating system is booted using volatile memory, various utilities can be used to carry out evaluation work, triage or acquisition of evidence.

There are numerous products, both commercial and from free/open source software:

● CAINE: https://www.caine-live.net
● DEFT Linux: http://www.deftlinux.net
● ASR Data SMART Linux: http://www.asrdata.com/forensic-software/smart-linux
● Kali Linux: https://www.kali.org/downloads

When one of these systems is used, the practitioner has to keep in mind that the original evidence should not be altered. Therefore, use products that you are familiar with and that have been verified to protect the integrity of the original devices. The tools and systems mentioned above are not endorsed or promoted; for further information in this respect, please review the disclaimer of these Guidelines.

5.5. Storage media (memory cards, flash drives, external hard drives, optical discs, etc.)

There is a huge variety of storage media based on flash memories. They are becoming smaller in physical size but nevertheless with a greater data storage capacity. We can find memories of these types camouflaged or integrated into objects of the most varied shapes, so the specialist who identifies these elements has to be familiar with the different presentations.


With the emergence of other data storage media, optical discs are currently falling into disuse. However, they are still an element to consider. We may find the discs grouped in batches or tubs of discs.

The applications are endless. We can see external memories in virtually all electronic devices, from video game consoles, phones, cameras to video cameras, etc. But they are also capable of housing fully functional, complete operating systems that facilitate the anonymity of the activity carried out with them.

On the other hand, it is also common to find storage systems on external hard drives, which through USB, WiFi or Ethernet connections are capable of storing large amounts of data.

How to proceed

a) Forensic image

Although many devices have a tab for write blocking, you should not trust that it works and does it correctly. Therefore, we will use our forensic equipment with the appropriate blocker, either hardware or software.

As for external hard drives, it is possible to extract the internal disk it contains, to perform the copying process directly on that element. This procedure requires the corresponding documentation process, both of the internal disk and of the enclosure that contains it, as previously seen.

Once the evidence is connected to the write blocker and the latter to the forensic station, a forensic image can be made.

There are precautions to take with these devices. Sometimes it is necessary to locate evidence of the use of external devices on a computer. The use of the above mentioned blockers might not be able to record a device’s serial number that is registered in the operating systems, which may be vital to help us link a device with a memory. This number is collected from the memory controller chip and is therefore not recorded in the forensic image we acquire.

Evaluation / Triage

In order to access the contents of a memory device to assess its relevance to the case, it is essential to use blockers as noted above, either by software, provided and validated by reference laboratories, or by blockers by firmware. In case of optical discs, you can proceed with your exam using a reader that does not allow writing.

Through this prior examination, you determine whether or not they may be interesting to the investigation. Keep in mind that we can find a large number of these types of elements during the search warrant and it is not effective to copy all the material without previously evaluating it, unless there is any requirement to the contrary in the laws or procedures of your jurisdiction.

In case of seizure of optical discs, the same container in which they are kept can be used, ensuring that it is closed and placed in a sealed bag after being identified by the evidence number. If they appear individually, they are placed in a plastic case that physically protects them, where the identification of the evidence is incorporated, sealing them in an evidence collection bag. It is not advised to use adhesives directly on the discs. It can cause reading errors when decompensated or physically damage them when removing the adhesives. Permanent markers can be used to identify them. It is not advisable to group them with rubber bands or flanges, since they damage the ends of the discs and can leave them unusable.


Figure: Digital cameras

5.6. Other devices (Digital cameras, GPS navigation systems, Dash Cameras, etc.)

Data sources in these devices include:

a) External storage memory: to work with as with any other external storage device.

b) Internal memory: a large part of the devices also have an integrated memory, usually of limited capacity, but which allows data to be stored and must be checked.

The proposed procedure is as follows:

● Once the device is located, a picture in situ is taken.
● The camera is documented with its general data by assigning an evidence number. The serial number is important.
● It is checked if it has an external storage media; if so, it is extracted and documented.
● Forensic image of the card is acquired.
● The camera should be turned on without a card and the internal memory should be checked.

If there is content, it can be extracted:

● Through the connection cable of the device to the PC, making an image. Not all devices have that possibility.
● Inserting a new card and copying the data to the latter so that we get a logical copy.
● If the other options are not possible, you can take photographs of the content, trying to show the interesting data related to the investigation.
● It is checked in the camera settings: date, time and time zone.

All elements are sealed together and marked as processed.

If the device is not going to be processed and simply seized, proceed as follows:

● Document the equipment: photography, general data and situation of the finding. If possible, locate discs with software and connection cables.
● Pack everything, if possible using the original boxes, in an identified seal bag and with the number of evidence.

5.7. IoT devices

In addition to the traditional devices described above, in recent years several devices have been defined as IoT, or the Internet of Things. These devices can be very different from each other in terms of functionality, such as smartwatches, smart TVs, video surveillance devices and so on. Below we will see some examples of the most popular devices that could be found in use by our suspect.

Figure: Smartwatches

5.7.1. Smartwatches

A smartwatch contains several functionalities allowing you to do many things you normally do with your phone. In fact, it is a peripheral; an extension of the screen of your smartphone that you have in your pocket. The smartwatch could be on the suspect and they are usually discreet (they do not emit sounds but vibrate gently) and they can be connected to an iPhone or Android, so you must be careful when looking for them. There are many different smartwatches on the market; the most common ones are Apple Watch, Xiaomi, Sony Smartwatch, Honor and Samsung Gear.

Depending on the case, they may contain useful information for investigators, but please keep in mind that these devices usually have very limited storage capacity, mostly related to contacts in the phone book, information on sports habits, etc.

Usually they are equipped with a Bluetooth connection, but some of them can be equipped with a USB port, so the investigator can usually acquire the content through the usual equipment, almost the same as on any Android smartphone/tablet.

If you intend to seize a smartwatch, it would be preferable to follow the same indications already provided in the smartphone section.

Figure: Smart TV

5.7.2. Smart TV

It is becoming popular to find Smart TVs with the capability to connect to the internet, run apps or play games. Some are based on Android, while some others are based on proprietary operating systems. The exact functionality provided depends on the make, model, peripherals attached or apps installed.

From the perspective of a digital first responder, extracting the information from these devices is a challenge, as every extraction would be different depending on the factors listed before, as well as the current version of the operating system.

Most of the Smart TVs present vulnerabilities that can be exploited. Possible extraction opportunities imply a modification of firmware, browser attacks, network attacks, use of malicious apps or chip-off.

However, most of these extraction processes are not straightforward and require sophisticated equipment, especially for chip-off, or complex network structures that are incompatible with first responders’ activity. Improper processes can “brick the device” and make further attempts to extract information impossible.

As a general rule, the process will include the following steps:

● Review connections to find connected devices or network connections.
● Check with the manufacturer if the model has a wireless capability; if the device is not connected in any way, it might be dismissed.
● Verify if the system is powered off or on standby.
● Use the user interface to explore the device configuration; create a visual record of the investigator’s actions, preferably with video records.
● Try to minimise the interaction by reading the manual before testing.
● Secure packing, including remote and power cable.

Possible evidence to be found during the search and seizure:

● Connected devices or screen mirroring synchronisation.
● Browsing history.
● Users of the installed applications (Facebook, Skype, Twitter, Netflix, Amazon…). However, passwords will not be easy to recover at this stage and might require further processes at the Digital Forensic Lab.

Figure: Devices such as Amazon’s Echo, Apple’s HomePod are examples of Smart Speakers

5.7.3. Home kits/Smart speakers

Home kits allow users to communicate with and control connected accessories in their home simply using an app. With the Home Kit framework, you can provide a way to configure accessories and create actions to control them.

HomePod is an audio device produced by Apple that adapts to its location and delivers high-fidelity audio wherever it is playing. Together with Apple Music and Siri, it creates a way to interact with music at home.

Possible evidence to be found during the search and seizure:

● They usually contain a very limited amount of data. It is advisable to seize them only if you have reasons to believe they contain useful data for your case. Just disconnect them from the power grid and seize them the way you found them. Document everything, take pictures of the device, label and pack it.

Figure: Internet Protocol Cameras send image data over an IP network

5.7.4. IP and concealed cameras

IP cameras or concealed cameras are typically used for small scale monitoring and these devices might not have local storage capabilities. Most of the IP cameras available only need a WiFi connection to work. The user can watch the camera live stream from any device connected to the Internet. It also might be possible, if the user subscribed for a cloud-stored package, to watch recorded footage (usually in a loop of the previous days).

Despite that, first responders must assure that such devices do not have a memory card (usually a micro SD) for local storage.

First responders must also be aware that cameras can be concealed almost everywhere, from teddy bears to buttons in a jacket.

Possible evidence to be found during the search and seizure:

● For cloud-stored data, it is important to obtain the online access credentials (usually username and password or code). Those credentials might be stored in the camera itself or in computers/smartphones found with the suspect.
● For local-stored data, usually, only the memory card needs to be seized. However, due to the possibility of encryption, proprietary file systems or non-documented settings, it is advisable to seize the whole equipment.
● For live-only data (the camera only streams live footage, not cloud or local storage), it is advisable to seize it only if you have reasons to believe that it contains useful data for your case.
● For video forensic analysis, comparing previous footage with the camera found, the device must always be seized.


When the seizure is necessary, just disconnect it, document everything, take pictures of the device, label and pack it.

Figure: Nintendo, Sony’s PS Series, and Microsoft’s XBOX are examples of gaming consoles with smart functions

5.8. Gaming consoles

The complexity of video game consoles is increasing in every new model. Most of them contain an internal hard drive that can be extracted and imaged following forensic procedures explained before. However, the heavy usage of encryption and use of special file types makes it extremely difficult to discern any information in a later analysis. On top of that, a good amount of the information generated would be stored in the gaming social platforms and never stored in the hard drive.

Finally, it is important to consider that users from other locations might easily alter the information contained within these devices and remove potential evidence.

Possible evidence to be found during the search and seizure

● Define periods on which the video console was used for gaming.
● Browsing history.
● Illicit files stored on video console media.
● Application passwords.
● User accounts.


Figure: Drones, also known as UAVs (Unmanned Aerial Vehicles)

5.9. Drones

Drones, also referred to as unmanned aerial vehicle (UAV), unmanned aerial system (UAS), small unmanned aerial system (sUAS) or remotely piloted aircraft system (RPAS), can be used for a variety of operations, ranging from aerial photography and videos to transporting goods from one place to another. Therefore, the aim of carrying out digital forensics on drones and associated equipment is to identify flight paths, user data, and associated pictures and videos contained within the devices that will assist in understanding the drone and its usage.

A drone usually consists of the following two types of components:

❖ Physical Components: The physical components which make up the body and flight mechanisms can be broken down into the following categories:

  ● Drone Body: The core fuselage of the UAV used to house all other components.
  ● Flight Controller: Used to control flight. This device will stabilize the drone and generally accept navigation input from a radio control device. In more sophisticated systems the flight controller can both be controlled remotely in real-time and be pre-programmed for autonomous flight.
  ● Motors: Motors/Propellers/Wings and Speed Controllers: These component parts combined provide the lift and propulsion for the UAV. Different designs exist, for example, specializing in increased speed or flight duration.
  ● Protective Casing: This protection securely encases the motors and propellers (the most vulnerable component of any drone) to prevent collision and loss of control and subsequent damage to the system.
  ● GPS Receiver: Not essential in all drones, but common in the leading solutions. This component is used to effectively manage UAV position, return to home functionality, and autonomous flight routes.
  ● Radio Receiver: Used to receive control input signals received/gathered from the ground-based transmitter.
  ● Transmitter: Transmits manual input from the operator on the ground to the drone.
  ● LED Lights: Some drones come equipped with lights (usually green and red) which can be used to aid the pilot of the orientation of the drone, and help other airspace users to identify the drone.

❖ Software: All drones include an application or software that is used to control the system when it is operational. There is now a huge selection of open-source flight control and ground control applications available online that can be freely downloaded and easily modified to perform any number of tasks. The majority of drones come with companion mobile applications to either pilot the drone or view the camera feed and location of the drone overlaid on a map.

Drones/controllers are usually presented with two distinct media storage types that require separate handling techniques, as in the following summary:

● Memory Cards: These can be examined as a computer hard disk. Both logical and physical extraction can be conducted on these cards, as long as the forensic tools support this feature. The examiner has to access the card, extract the data, and then put it back into the device before switching it on. Some devices store data in the memory card, and if it detects that the card is not available, it could cause data loss from the drone/controller. If time and resources allow, a bit-to-bit clone of the memory card should be created and that clone inserted into the handset.
● Internal Memory: This requires drone/mobile compatible manufacturer/forensic tools. Some devices are supported by forensic tools for physical extraction. The forensic tools will boot the device in a particular way and conduct physical extraction without making any changes or alterations to the user data on the device.

As a general rule, the technical process will include the following steps:

● If on, take pictures of the controller’s display, then turn off the drone and its components.
● Isolate the drone from satellites and other devices to ensure that Wi-Fi/Network signals are not picked up.
● Identify the make and model of the drone.
● Search the drone for any external storage media, i.e. SD Cards.
● Photograph and label the status of the drone and its components.
● Securely pack all of the components.

Possible evidence to be found during the search and seizure

● Update history
● Diagnostic logs
● Registered email accounts
● Paired devices
● Multimedia files
● Flight/telematics logs
● Drone media thumbnail caches
● Map artefacts such as geo-coordinates, waypoints, and home locations
● Drone specific software such as manufacturers’ drone management software
● Emails that show new registration of drones or update notifications from the manufacturer
● files that contain telematics, diagnostics or coordinates.

For more detailed information in this area, please refer to the “INTERPOL Framework for Responding to a Drone Incident – For First Responders and Digital Forensics Practitioners.”

Figure 7: CCTV Cameras being used for surveillance purposes

5.10. CCTV

Closed-circuit television (CCTV), also known as video surveillance, is the use of video cameras to transmit a signal to a specific place, on a limited set of monitors. It differs from broadcast television in that the signal is not openly transmitted, though it may employ point-to-point (P2P), point-to-multipoint (P2MP), or mesh wired or wireless links. Though almost all video cameras fit this definition, the term is most often applied to those used for surveillance in areas that may need monitoring such as banks, stores, and other areas where security is needed.

A CCTV security system consists of different components. These include:

● Camera: used for video surveillance and acts as the input device to the system.
● CCTV Monitor: This device receives signals and reproduces pictures or videos captured by the CCTV camera.
● Main Power Supply: the primary electrical supply unit.
● Backup Power Supply: optional backup power supply, comes in handy in case of a power outage.
● Cables: these are used to connect several CCTV cameras to one video recorder, video switcher or CCTV monitor; also modern CCTV systems may utilize Wi-Fi networks to transmit the pictures to a central point.
● Video Recorder: transforms and records signals sent by a CCTV camera in the form of a video that is generally stored on a hard drive and may be deleted automatically depending on the device settings.
● Video Switcher: switches the video mode between different CCTV cameras.

As a general rule, the technical process will include the following steps:

● Check time and date set on the video recorder and report if they differ from the current ones
● Take pictures of the screens
● Shut the recorder down to avoid data to be overwritten
● Disconnect cables
● Identify make and model
● Photograph and label all the components
● Securely pack everything.

Usually, CCTV system components are proprietary, therefore it is advised to seize every part of the CCTV system, in order to avoid issues during the analysis phase.

Remote monitoring may also be applied to CCTV systems and may also have alert systems in place to warn the user if the systems sense movement. This should be considered when approaching a crime scene as the suspect may be alerted/notified if police approach a scene that is being monitored by CCTV camera systems such as RING etc. Therefore, when examining the CCTV system you should also consider the registered users who have remote access to the CCTV system.

Figure 8: Virtual asset devices, used for storing information about cryptocurrencies and other virtual currencies

5.11. Virtual assets devices

First responders need to be aware of the different ways to access, store and transfer virtual assets. To allow the proper seizure of a cryptocurrency, and if permitted by the laws of the jurisdiction and the terms of the relevant judicial or other authorization, law enforcement needs to transfer the funds from the suspect’s wallet to an official and secured wallet controlled by the seizing agency.

Furthermore, first responders need to bear in mind that an accomplice might have a copy of the information needed to transfer the funds to a wallet not controlled by the law enforcement agency. Thus, the sooner the cryptocurrencies are securely transferred, the better.

Cryptocurrency wallets come in different shapes and forms: files in a computer/phone, hardware devices, QR codes or even a sequence of words written in a piece of paper or memorized by the suspect. During a police search, first responders might face:

● Desktop Wallets: Bitcoin Core, Armory, Electrum, Wasabi, Bither, etc.
● Mobile Wallets: Mycelium, Edge, BRD, Trust, etc.
● Online Wallets: BitGo, BTC.com, Coin.Space, Blockchain.com, etc.
● Hardware Wallets: BitBox, Coldcard, KeepKey, Ledger, Trezor, etc.
● Paper Wallets: addresses generated by bitaddress.org, segwitaddress.org, etc.

● Brain Wallets: seed (list of words) which store all the information needed to restore the wallet.

Regardless of the wallet type, the crucial information that first responders need to access is the unencrypted Private Key, which will allow the transactions to be properly signed and the funds transferred.

In most cases, however, the Private Key is protected or it might not be stored locally. Thus, first responders should also seek for:

● Passwords used to encrypt the private key
● PINs to access hardware wallets or phones
● Credentials (username and password) for online wallets
● QR codes that can store the full private key
● Seeds: the sequence of words (typically […] or more) used to recreate the private key.

For the most popular cryptocurrency, Bitcoin, private keys are 256-bit numbers that can be represented in many different ways. Wallet Import Format is the most common type and the keys start with 5, K or L. An encrypted private key starts with 6P.

For example, the same Private Key can be represented as:

● Base58 Wallet Import Format (51 characters base58, starts with a 5): 5JoBSup7GzCohqzfCdU3FQmuQM8KLCu3TTKiTAtbzmWywJfzTni
● Base58 Wallet Import Format Compressed (52 characters base58, starts with a K or L): L1Yq7N6vhZV79HFVcKxLvbwCJ3qHumWhqmBbxWemTyVLJHfaUjTc
● Private Key BIP38 Encrypted Format (58 characters base58, starts with 6P; password was […]): 6PYLTEjqt2huN6zgG8Gc2Sdifh33tcDLoJMXXqdK52YrQWXa3fD8az9Za7

First responders must also be able to identify a Public Key, or simply Address, which is the possible destination of a transfer or payment. For example, Bitcoin addresses can start with 1, 3 or bc1:

● P2PKH format: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
● P2SH format: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
● Bech32 format: bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq

Some examples of what first responders might find during a search warrant:

Figure 9: Paper wallets

Other examples of cryptocurrencies include Ethereum, Bitcoin Cash, Litecoin, Monero and Zcash.
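The Bitcoin private key and address formats listed above carry built-in checksums, so a string copied from a paper note or a file can be labelled and checked for transcription errors before it is documented. The following Python example is added here and is not part of the guidelines; the function names (`classify`, `triage`) are illustrative, and the demo strings are the samples quoted in the text above.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
# (version prefix, payload length without checksum, label, is_secret)
B58_KINDS = [
    (b"\x80", 33, "WIF private key (uncompressed)", True),
    (b"\x80", 34, "WIF private key (compressed)", True),
    (b"\x01\x42", 39, "BIP38 encrypted private key", True),
    (b"\x01\x43", 39, "BIP38 encrypted private key", True),
    (b"\x00", 21, "P2PKH address", False),
    (b"\x05", 21, "P2SH address", False),
]
CANDIDATE = re.compile(
    r"\b(?:bc1[0-9a-z]{11,71}|BC1[0-9A-Z]{11,71}|[1-9A-HJ-NP-Za-km-z]{26,58})\b")

def _dsha(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode a payload (used here to build constructed test strings)."""
    raw = payload + _dsha(payload)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(s: str):
    """Return (payload, checksum_ok), or None if s is not Base58Check-shaped."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            return None  # 0, O, I and l never occur in Base58
        n = n * 58 + idx
    zeros = len(s) - len(s.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return None
    return raw[:-4], _dsha(raw[:-4])[:4] == raw[-4:]

def bech32_ok(s: str) -> bool:
    """Verify a Bech32 or Bech32m checksum; mixed-case strings are invalid."""
    if s != s.lower() and s != s.upper():
        return False
    s = s.lower()
    pos = s.rfind("1")
    hrp, data = s[:pos], s[pos + 1:]
    if pos < 1 or len(data) < 6 or any(c not in B32 for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [B32.index(c) for c in data]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk in (1, 0x2BC830A3)

def classify(token: str) -> dict:
    """Label one string; 'valid' is True only when its checksum verifies."""
    token = token.strip()
    if token.lower().startswith("bc1"):
        return {"kind": "Bech32 address", "secret": False, "valid": bech32_ok(token)}
    decoded = b58check_decode(token)
    if decoded:
        payload, ok = decoded
        for prefix, length, label, secret in B58_KINDS:
            if payload.startswith(prefix) and len(payload) == length:
                if length == 34 and payload[-1] != 1:
                    continue  # a compressed WIF key must end with the 0x01 flag
                return {"kind": label, "secret": secret, "valid": ok}
    return {"kind": "unknown", "secret": False, "valid": False}

def triage(text: str) -> list:
    """Return (string, kind, is_secret) for every checksum-valid item in free text."""
    hits = []
    for tok in CANDIDATE.findall(text):
        info = classify(tok)
        if info["valid"]:
            hits.append((tok, info["kind"], info["secret"]))
    return hits

if __name__ == "__main__":
    # Sample strings quoted in the text above.
    samples = [
        "5JoBSup7GzCohqzfCdU3FQmuQM8KLCu3TTKiTAtbzmWywJfzTni",
        "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
        "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
        "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
    ]
    for s in samples:
        print(s, classify(s))
```

A string that matches a format but reports `valid: False` most likely contains a transcription error and should be re-read from the original item.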


Figure: Hardware wallets, used to store information about crypto assets

Figure: Example of a desktop wallet

Desktop wallets


Figure: Electrum, a desktop wallet


Figure: Example of a mobile wallet used for storing cryptocurrency information


Figure: Brain wallets seed


An important consideration that must be taken into account, depending on your legal system, is what to do with the transferred virtual asset: exchange into fiat money as soon as possible or keep it in the official wallet until there is a final sentence.

Finally, do not forget to document all the steps taken, including the transaction fees, the value of the bitcoin in local currency and exchanges eventually used. Also, it can be useful to add screenshots of the transaction using, for example, www.walletexplorer.com.

For further details, please refer to your local legislation. Guidelines like the INTERPOL Guidelines on Darknet and Cryptocurrencies for Counter-Terrorism Practitioners may also be useful to refer for further background on virtual assets.

5.12 Automotive Vehicles

Modern vehicles have two systems that could contain data that may be pertinent to an investigation. These are:

Telematics Network – This includes various Electronic Control Units (ECUs) that monitor the vehicle’s state and apply user input to move the vehicle, such as acceleration, braking and steering. These ECUs contain vehicle event data that may assist an investigation in locating historical routes the car has taken or in the way it is driven.

Infotainment Systems – These systems provide multimedia entertainment, such as music, radio broadcasts and streamed or locally stored videos, to the vehicle occupants, as well as allow a connected experience to the internet or a connected phone. If a user connects a phone to the system, then data from the phone such as address book, instant messages and calls will be stored within the infotainment system. This information may be recovered when the device connected to the system and to verify any event data recorded from the connected device.

Infotainment and telematics systems present unique challenges to law enforcement due to differences in hardware designs and manufacturers, limited information on the underlying software and proprietary operating systems, encrypted media associated with Digital Rights Management, and rapid changes in technology. Acquisition options may be limited by hardware and software available to facilitate data extraction. Visual examination of an active screen/system may be required if other techniques are unsuccessful. Examiners should be aware that the vehicle’s digital systems are like any other digital device/system and therefore must be handled appropriately to prevent data destruction. A modern-day vehicle will contain multiple computers and/or networks, and consequently the examiner should take reasonable measures to isolate the car from wireless networks (Wi-Fi, cellular, Bluetooth, etc.).

ECUs always draw power from a vehicle’s battery, even while the ignition switch is in the off position. Many ECUs, like the infotainment and telematics systems, utilize critical components such as an unlock event or doors opening/closing as cues to enter low-power mode or start the power-up procedure. Minimizing the number and duration of power cycles helps preserve volatile data stored on ECUs. Processing a vehicle for physical evidence may cause additional power cycles, resulting in the loss of relevant volatile data from the ECUs. To mitigate this risk, document the on-screen data and properly shut down the vehicle to allow the ECUs to correctly power down before processing physical evidence (latent prints, etc.).


   

Evidence Handling

Vehicle System Information; Installed Application Data; Connected Devices; Navigation Data; Device Information; Vehicle Events


5.13 Shipborne Equipment

information in this area, please refer to “INTERPOL Guidelines for First Responders: Digital Forensics Evidence Handling on Shipborne Equipment”

rplane rather than to a vessel’s wheelhouse.

vessel’s onboard equipment including brands, series, models and serial numbers. This is crucial and


23). It is the readers’ responsibility to ensure they have the most current version of the document.


| Equipment | Location | Type of data |
|---|---|---|
| AIS Transponders | Bridge | |
| Echo Sounder | Bridge | |
| Electronic Chart Display and Information System (ECDIS) | Bridge, Captain quarters, Nav Room | |
| Emergency Positioning Indicator Radio Beacon (EPIRB) | Bridge, Bridge Wings, Flying bridge | |
| … System | Bridge | |
| … | Bridge | |
| Long Range Tracking and Identification System (LRIT) | Bridge | |
| Vessel Monitoring System (VMS) | Bridge, Fly Bridge | |
| … | Bridge | |
| Digital Selective Calling (DSC) | Bridge, captain cabin, navigation room | |
| Satphone | Bridge, captain cabin, navigation room | |

Figure: Examples of shipborne equipment with data and their location


REFERENCES

Best Practices for Mobile Device Evidence Collection, Preservation, Handling and Acquisition

SWGDE Best Practices for Mobile Device Evidence Collection, Preservation, Handling, and Acquisition, Version … September 7, … This document includes a cover page with the SWGDE Disclaimer.

Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE requests notification by email before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial, administrative, legislative or adjudicatory hearing or other proceeding (including discovery proceedings) in the United States or any Foreign country. Such notification shall include: 1) the formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; 3) subsequent to the use of this document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Notifications should be sent to secretary@swgde.org.

It is the reader’s responsibility to ensure they have the most current version of this document. It is recommended that previous versions be archived.

Redistribution Policy: SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

1. Redistribution of documents or parts of documents must retain the SWGDE cover page containing the disclaimer.

2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.

3. Any reference or quote from a SWGDE document must include the version number (or create date) of the document and mention if the document is in a draft status.


Best Practices for Vehicle Infotainment and Telematics Systems

SWGDE Best Practices for Vehicle Infotainment and Telematics Systems, Version … June …, … This document includes a cover page with the SWGDE Disclaimer.

Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE requests notification by email before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial, administrative, legislative or adjudicatory hearing or other proceeding (including discovery proceedings) in the United States or any Foreign country. Such notification shall include: 1) the formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; 3) subsequent to the use of this document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Notifications should be sent to secretary@swgde.org.

It is the reader’s responsibility to ensure they have the most current version of this document. It is recommended that previous versions be archived.

Redistribution Policy

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

1. Redistribution of documents or parts of documents must retain the SWGDE cover page containing the disclaimer.

2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.

3. Any reference or quote from a SWGDE document must include the version number (or create date) of the document and mention if the document is in a draft status.


ABOUT INTERPOL

INTERPOL is the world’s largest international police organization. Our role is to assist law enforcement agencies in our 194 member countries to combat all forms of transnational crime. We work to help police across the world meet the growing challenges of crime in the 21st century by providing a high-tech infrastructure of technical and operational support. Our services include targeted training, expert investigative support, specialized databases and secure police communications channels.

OUR VISION:

“CONNECTING POLICE FOR A SAFER WORLD”

Our vision is that of a world where each and every law enforcement professional will be able through INTERPOL to securely communicate, share and access vital police information whenever and wherever needed, ensuring the safety of the world’s citizens. We constantly provide and promote innovative and cutting-edge solutions to global challenges in policing and security.

WWW.INTERPOL.INT INTERPOL_HQ @INTERPOL_HQ INTERPOLHQ INTERPOLHQ