Policy Text
ORANGE COUNTY SHERIFF'S OFFICE
GENERAL ORDER
Effective Date: April 6, 2023
Amends - GO 13.1.0 (January 12, 2015)
Number: 13.1.0
Distribution: All Sworn Personnel
Review Month: April
Reviewing Authority: CID / Investigative Services
Subject: Digital Evidence
This order consists of the following:
1. Purpose
2. Policy
3. Definitions
4. Procedures
1. Purpose
The purpose of this policy is to facilitate evidence data recovery and the identification,
investigation, and prosecution of persons who use electronic devices in the furtherance of
criminal activity.
2. Policy
It is the policy of the agency that during investigations only personnel who are trained in
digital evidence seizure and forensics will forensically process computers, cellular phones,
tablets, recording devices and other various types of media for the evidence contained
therein.
3. Definitions
A. Electronic Device - a device that is used for audio, video, text communication or any
other type of computer or computer-like instrument. The following are examples of
commonly encountered devices: cellular phone, tablet, smartphone, camera, video
recorder, gaming console, electronic watch, smart television, modem, and Wi-Fi
router.
A. Computer System - computer monitor, CPU, I/O device, communication device,
data storage device or peripherals configured to work together as a unit or cabled
together externally.
B. Digital Forensic Detective - a sworn member of the agency who has successfully
completed the Certified Forensic Computer Examiner process of the International
Association of Computer Investigative Specialists.
C. Digital Forensic Investigator – a non-sworn member of the agency who has
successfully completed the Certified Forensic Computer Examiner process of the
International Association of Computer Investigative Specialists.
D. Network - any two or more computer systems connected together that can
communicate with each other and share resources.
E. Operating System – a program that controls and manages the hardware and other
software on a digital device. Examples of this are Microsoft Windows, Apple’s
macOS, Google Chrome OS, and various Unix and Linux distribution lists.
Smartphones generally utilize either Apple’s iOS or Google’s Android systems.
F. Recording Device - CD ROM, CDR, DVD, USB drive, tape drive, zip drive, jazz
drive, magneto-optical drive, hard drive or any other mechanical, electrical, optical
or combination device used to store data.
G. Recording Media - Any tape, disk or other type of digital media used to store data.
4. Procedures
A. This policy will apply only in those cases where data residing on computer systems,
cellular phones, tablets, recording devices, and other media are being sought as
evidence in an investigation. Computers seized by agency personnel as evidence,
e.g., related to burglary and retail theft, will be treated in accordance with GO
10.1.1, and will not normally require the services of the digital forensics personnel.
B. Personnel who have been trained in the use of the CelleBrite Universal Forensic
Extraction Device may elect to use it for the extraction of data from mobile devices,
such as cell phones. Consideration should be made based upon the nature of the
offense and the data sought before choosing this option.
C. Recovering video from video surveillance systems is not a forensic function and
personnel are encouraged to recover this data on scene. Personnel needing
assistance with video surveillance systems can contact the Electronic Surveillance
Support Team for advice. In the event ESST is unavailable, personnel may contact
a Digital Forensics Investigator for assistance. Personnel are encouraged to have a
USB drive available to ease the collection of data.
D. No agency member except those under the direction of a computer forensic
investigator shall power off, disconnect, power on, or access a computer system,
cellular device, tablet, recording device or recording media that is to be seized.
E. When it is determined that a computer is to be seized and processed, agency
personnel shall contact their immediate supervisor. The supervisor requesting a
computer seizure shall determine the type of case involved and immediately notify
the supervisor of one of the following units.
1. Professional Standards – If an agency employee is involved in the incident.
2. Digital Forensic Unit – Any other incident involving a computer/electronic
device that does not meet the aforementioned guidelines.
3. The supervisor of the unit providing assistance with a computer seizure shall
assign a digital forensic investigator or detective to assist the requesting unit.
a. The agency digital forensic detective/investigator shall assist in the
seizure of the target system and media.
b. Whenever possible, the agency digital forensic detective/investigator
shall process seized systems, devices, and media for evidence.
c. The computer forensic investigator shall inform the case detective
when the nature of the equipment or media seized exceeds the
available resources to process it.
F. Intelligence about the computer system or network to be seized can be critical to the
success of any computer seizure. Whenever possible, the case detective should
attempt to obtain information on the type of system to be seized, the operating
system, and if the suspect is using any encryption or passwords. This information
will be provided to the member doing the seizure as soon as possible. When a