GAINESVILLE POLICE DEPARTMENT
GENERAL ORDER
TITLE: Digital Evidence Procedures
ACCREDITATION: CALEA 1.2.4; 83.2.1.a.b.c.d; 83.2.5
PRIOR REVISIONS: 5/6/10, 3/8/12
PROPONENT UNIT: Criminal Investigations Bureau
ATTACHMENT: Cell Phone Collection Procedures Guide
NUMBER: 83.3
ISSUE DATE: 03/23/01
REVISION DATE: 12/18/2019
TOTAL PAGES: 11
I. PURPOSE: The purpose of this policy is to establish guidelines for the collection of devices
containing digital evidence in order to reduce the likelihood of loss of data integrity.
II. POLICY: When seizing items (computers, cell phones, mobile devices, thumb drives, etc.)
which may store digital data of evidentiary value, every effort will be made to preserve the
data on the device and protect its integrity as evidence. Regarding computers, when possible,
a Digital Forensic Examiner should seize or instruct in the seizure of the device to be analyzed
in an off-site examination.
III. DEFINITIONS:
A. Digital Forensic Examiner: A person who is specially trained and certified in the recovery
of digital evidence from electronic media to include:
1. computers,
2. computer networks,
3. cellular phones and
4. other mobile and electronic devices.
B. Computer Forensics:
1. The analysis of data processing equipment with the use of specialized techniques for
recovery, authentication, and analysis of electronic data when a case involves issues
relating to rebuilding of computer usage, examination of residual data, authentication
of data by technical analysis or explanation of technical features of data and computer
procedure.
2. Digital Forensic Examiners determine if the equipment has been used for illegal,
unauthorized, or unusual activities. It can also include monitoring a network for the
same purpose. (e.g., typically a home computer, laptop, server, or office workstation).
i. Preview: An expedient on-site method of viewing a computer’s storage media,
which does not create a forensically sound image of the target drive and depending
on the utilized method, may alter date/time stamps. All previews must be
documented in a case report and include the time and method used.
ii. Examination: An off-site systematic analysis of the target media, including the
creation of a forensic image of the target media verified by an MD5 or SHA1 hash.
The examination extracts relevant files and partially overwritten files through the
use of specialized software and hardware.
C. Forensic Image: A 100% accurate, bit-by-bit copy representation of data on a hard disk
or other digital media item. The image can be in the form of an evidence file, which
contains all the information on the examined disk or other storage mediums with additional
data used to verify the image integrity.
D. Digital media: Any physical device on which data is stored electronically.
E. Acquisition: The process of obtaining a copy of digital media evidence in a forensically
sound manner.
F. Digital Evidence: Information or data that is contained within any form of magnetic or
digital media device in the form of binary code. Digital evidence is found in, but not limited
to, hard drives, floppy disks, zip disks, Jaz disks, flash memory cards, magnetic tape,
cellular phones, personal data assistants, routers, flash drives and any memory developed
for the storage of electronic data or information.
G. Internet Crimes Against Children Task Force (ICAC): The ICAC Unit under the Criminal
Investigations Division investigates the technology-facilitated exploitation of children, to
include, but not limited to, the electronic transfer, possession, and production of child
sexual abuse videos and images, NCMEC CyberTips, and online enticement of minors
and performs forensic examinations of items of digital evidence as needed.
IV. PROCEDURE:
A. Duties and Responsibilities
1. Digital Forensic Examiner:
i. The Digital Forensic Examiners operate under the direct supervision of their squad
supervisor. The Digital Forensic Examiner will conduct computer forensic
examinations on criminal cases and provide courtroom testimony.
ii. The Digital Forensic Examiner must hold advanced forensic training certifications
as determined by the CID Commander.
iii. Digital Forensic Examiners may participate in joint investigations and task forces,
including undercover computer and/or online investigations, with other local, state,
or federal law enforcement agencies.
a. Digital Forensic Examiners will forward any request for a computer forensic
examination or other assistance from another unit or law enforcement agency
to their squad supervisor for approval.
b. In an emergency or after hours, established Criminal Investigations Bureau
call-out procedures will be followed.
c. Felony cases that require immediate information due to safety concerns (e.g.,
Missing Person Foul Play), seriousness of the crime, or an identified suspect
who has not been located will receive priority.
iv. The Digital Forensic Examiner will determine if any electronic/computer evidence
can be recovered by:
a. Conducting a thorough interview with the lead detective or case agent to
determine the location of the electronic storage device to be examined and
what type of information they are trying to find.
b. Reviewing all reports in the case file which led to the seizure and ensuring
proper guidelines were followed.
c. Following the Gainesville Police Department (GPD) written directives regarding
electronic evidence handling.
d. Examining the electronic evidence for possible involvement in other cases.
v. Upon the conclusion of a full forensic examination, the Digital Forensic Examiner
will complete a Forensic Examination Report, and notify the lead detective.
B. Requesting a Digital Forensic Examination
1. All requests for digital examinations must be submitted via the Magnet Atlas website.
i. A user name and password are required and may be obtained from the DFE. When
computers are submitted for analysis, the case agent or detective must provide
specific information on what is being searched for (file type, keyword list, etc.) to
the Digital Forensic Examiner.
ii. All digital media seized or obtained for examination must be accompanied by a
written consent form or a search warrant (to include affidavit). Written
documentation must be provided before any digital examination search is
conducted. It is important to note that consent to access a mobile device is not
valid if the device’s passcode is not provided. [CALEA 1.2.4].
2. All digital media devices which will be maintained as evidence must first be submitted
to GPD Property & Evidence Facility or the GACDTF/SID Evidence and assigned a
property number. The item(s) will then be checked out for examination. Items that do
not have a property number will not be accepted. This does not apply in situations
where exigent circumstances are present.
3. The Digital Forensic Examiner will retrieve evidence (devices) from the GPD Property
& Evidence Facility or the GACDTF/SID Evidence and return it to them when the item
is no longer needed for examination. Checked out items of evidence not being actively
worked on but still needed by the examiner shall be secured in a temporary evidence
locker and the key retained by the examiner.
4. The Digital Forensic Examiner will provide examination reports to the assigned
Detective/Officer. Detectives/Officers will be responsible for submitting these reports
into GPD Property and Evidence or the GACDTF/SID Evidence.
C. Evidence Collection and Examination
1. If an officer/detective comes into contact with any digital media device which meets
probable cause standards or the device may contain evidence, they should first seek
consent to search by completing the applicable consent to search form, and have the
form signed by the owner or authorized agent of the device.
2. The consent form should be r