Welcome back to the computer forensics path, course four, module three. In this module, we're going to talk about Search Warrants and Subpoenas.
What is the role of the computer in the crime? Is the computer an evidence container? If it is, what information are we looking for and why do we think it is on the computer? We have to consider the nature of the crime that's under investigation. Is this an ongoing crime? Is this something that's going to take multiple warrants? And what type of computer system are we going to be looking at? Is this a standalone PC? Is this going to be a network or is this going to be a server farm? I mean, we need to consider the type of network before we get to the place we're going to search.
Warrants. A warrant is defined as a legal document authorizing search and/or seizure of property. It can also authorize the search for or arrest of a person. In our case we're mainly talking about search and seizure of property. Warrants are issued upon the legal standard of probable cause. And again, this is going to be supported by a written document and sworn to under oath. A search warrant will authorize the search of a place to look for evidence, contraband or stolen property to be used as evidence in a criminal case.
How are we going to get this warrant? Well, we need to prepare our affidavit, which is our written document, and we have to describe the place we're going to search, whether it's a home or business or wherever it may be. And we're going to describe the items that we're going to seize: what type of items are we looking for? And you want to make sure when you do this, you include every possible item that you could be looking for, where this data could be stored. And then we need to provide probable cause to show that we believe that the item is at this location and that the evidence we're looking for is going to be found on these items. Of course you have to get the warrant signed by a judge.
If you're talking about an ongoing investigation, you may want to ask of warrant because we may need to have multiple search warrants depending on the type of investigation we're doing.
Another consideration is how are we going to time this? How are we going to time when we serve the search warrant, when we actually execute the warrant? Well, that may differ from a business to a residence.
If we're talking about a business, we may want to go at the start of the work day. Some of the reasons could be because the business is open. The workforce is on duty. The people we want to talk to are there. We're going to need some type of network administrator to be present to help us with this. The computers are running; they're already up and running. We do have outside resources available if we need to use them. You may need to phone a friend and call somebody who has dealt with networks more than you. Like I said, the IT administrators should be in there during the day. And it will allow us maximum search time. This usually does not apply to law enforcement, but in the private sector most people work set hours, so if you go at the beginning of the work day, you will maximize your search time. We also will have the presence of the suspect. The suspect should be there during the work day. And the reason we might want to do that is because we would want to find out his passwords and be able to interview the suspect.
Now if we're talking about a residence, the timing may be different. If we go at the start of the workday, family members may or may not be home. We will have outside resources available. Consider whether we want the suspect there. There are times you're not going to want the suspect there, but in a lot of cases you will, because you want to try to get passwords and you want to interview the suspect. If there are children in the house, the timing of the school day may be important because you probably do not want them there.
In some cases, if they are the suspect, you do want them there. Sometimes teenagers commit internet crimes. So you really have to consider the type of search warrant you're serving. If you're serving a narcotics search warrant and you're serving it on a residence (and a lot of times digital evidence is involved in narcotics), those search warrants are usually served in the early morning hours because they are considered high-risk warrants. And you generally want to get people while they're sleeping.
How are we going to organize our search? We can't just go in willy-nilly. You have to have a plan. It's very important. When we go in, are we going to have team assignments? Are we going to have room assignments? We're going to label evidence. We're going to make sure we authenticate and organize, in other words, who found the evidence and where they found it. And it can be organized by room, by the person that found it, or even by time. It's going to depend on how you want to organize your search warrant. We do want to control the evidence. I highly recommend you have a designated person to record and intake the evidence, and we are going to want to log all evidence as it is collected.
What is our basis for the seizure? We no longer want to go into a house and take everything, and we definitely don't want to go into a business and take everything. So what is our basis for our seizure? Is it outright contraband, something that's illegal to possess? And we want to make sure it's covered in the warrant. So those are the two reasons you would seize something: obvious contraband, or covered in the warrant.
Reasons why you would want to use restraint on seizing items: storage requirements may come into play. If you're dealing with a business, you're probably going to end up doing what we call a live collection, and we'll talk about that more throughout this path.
We'll talk about that more, because you're not going to be able to seize a business's computers due to the effect it's going to have on the business. You're going to go into some places and you're not going to be able to shut down their servers, because you'd be in a lot of trouble if the server wouldn't come back online. You may be liable in that case, because there is another way: to do a live collection. And obviously you do not seize items not covered in the warrant unless they are obvious contraband evidence.
The preservation of evidence is of the utmost importance. We need to preserve the evidence. That's the most important thing. Evidence is defined as information or things introduced in court to prove or disprove an allegation. Exculpatory evidence, and this is something we want to be aware of, is evidence that tends to exonerate the accused in a criminal case. You cannot overlook or not include exculpatory evidence in your reports. That would be an ethics problem.
Electronic evidence: that is sort of a misnomer, because evidence is evidence. Whether it's electronic or physical evidence, it is still considered evidence and the same rules apply at trial. You must remember that the evidence first and foremost must be admissible or it's of no use to you, and it must be persuasive. We do have some special issues with electronic evidence because it can be easily altered, created or erased. Deleted information is an issue we have with electronic evidence, and we're going to talk about recovering deleted information throughout this path.
Authentication. We have to prove that the thing is what it's supposed to be, and that's due to the testimony of witnesses and distinctive characteristics. We have to be able to authenticate that evidence. You have to be able to say who found it, where they found it, when they found it, and show what it actually is.
Email accounts. To get the content of an email account, you will need a search and seizure warrant.
You can request that the owner of the account be delayed notification for up to 90 days. And if you need longer than that, you can apply for an extension for an additional 90 days. This is all done through the courts. And the reason you would ask for a delay of notification is destruction of evidence: if the account user finds out that you've asked for the contents of their email account, they may delete it. They could intimidate other witnesses in the case, and it could be an ongoing investigation where you're going to need multiple warrants.
Record types are generally divided into three categories. We have the basic subscriber information; that's generally the billing address, name and credit card information or billing information of the person who is paying for the account. We have something called call detail records. These show the calls to and from; they may show internet log-on, internet log-off, where the account was originated, the originating IP address. Those are call detail records. And content of the account: the actual emails, the actual content of that particular account.
Basic subscriber information can be obtained through subpoenas or warrants. And it will usually give you the name, address, phone number, billing records, what type of services they have and how long they've had this particular service.
Call detail records: they're not content and they're not basic subscriber information. They're going to give you a call history and cell tower locations. Like I said, they will also give you some IP addresses. Usually, if you're dealing with something that was connected to wireless, you will get the account creation IP, and you get upload IP addresses, download IP addresses and periodic log-on addresses. And this is obtained through a search and seizure warrant. So it's kind of a level up from the basic subscriber information.
Wiretaps. When we're talking about wiretaps, we're going back to the Electronic Communications Privacy Act of 1986, and this applies to wiretaps, the real-time interception of communication. It protects the parties of the communication. You would need to have some type of legal process, a court order, for wiretapping. If you wiretap and you don't have this court order, or if you intercept real-time electronic communications without a court order, you're committing a felony. So just make sure you have your legal process and make sure it covers this real-time interception.
Our four steps to success. We want to assemble a team. We want to have a case agent. We want to have some type of legal counsel involved in this. You want to talk to your prosecutors. You want to talk to the person that is going to be doing the technical expertise on scene, the person that's going to be maybe previewing the computers, actually seizing the electronic evidence properly. You want to have a technical expert, and you want to have this team assembled well in advance of when you intend to execute a search warrant.
You want to learn as much as possible about the computer systems that you're going to be searching before you devise your plan or draft your warrant, okay?
You want to plan for the search. You want to know as much as you can about the physical location and about the computers. And you want to make a plan based on that information.
Then you will need to draft your warrant or legal documentation, your warrant or your subpoena. You're going to describe the location of the search and you're going to describe the property to be seized. You're going to do all this accurately.
This concludes course four of our computer forensics path. In our next course, course five, we're going to cover the investigative process.