Hi, I need to analyze any one of these policies as indicated in the Template. You can choose whichever you prefer. It needs to be rated, with the reason for the rating. Thank you.
Policy Review Assignment (Please Type Your Responses)
You have been provided with numerous examples of actual policies from various law enforcement agencies. The policies are all on the topics of Cybercrime Investigations, Digital Evidence, and/or Computer Forensics.
This assignment is based on the characteristics of a High-Quality SOP as discussed in the Module 2 Lecture. You are to use this discussion to evaluate a policy for this assignment in two parts: (1) Rate the policy on each of the established criteria and (2) Explain in detail your reason for the rating that you chose.
Name of Agency and Title of Policy: ____________________________________________
___________________________________________________________________________
Format: (circle one) BAD 0 – 1 – 2 – 3 – 4 – 5 – 6 – 7 – 8 – 9 – 10 EXCELLENT
Reason for Rating: ____________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Structure: (circle one) BAD 0 – 1 – 2 – 3 – 4 – 5 – 6 – 7 – 8 – 9 – 10 EXCELLENT
Reason for Rating: ____________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Concise: (circle one) BAD 0 – 1 – 2 – 3 – 4 – 5 – 6 – 7 – 8 – 9 – 10 EXCELLENT
Reason for Rating: ____________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Well-written: (circle one) BAD 0 – 1 – 2 – 3 – 4 – 5 – 6 – 7 – 8 – 9 – 10 EXCELLENT
Reason for Rating: ____________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Procedural Precision: (circle one) BAD 0 – 1 – 2 – 3 – 4 – 5 – 6 – 7 – 8 – 9 – 10 EXCELLENT
Reason for Rating: ____________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Clarity: (circle one) BAD 0 – 1 – 2 – 3 – 4 – 5 – 6 – 7 – 8 – 9 – 10 EXCELLENT
Reason for Rating: ____________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Boulder Police Department General Order 207
Digital Evidence Capture and Storage
Effective: August 18, 2015
Replaces: General Order 207, October 8, 2010
207-1 Definitions
207-2 Digital Evidence Capture
207-3 Digital Evidence Transfer and Archiving
207-4 Digital Evidence Processing, Duplication, and Sharing
207-5 Digital Evidence Obtained From Outside-Department Sources
POLICY
The department recognizes that digital evidence is an important component of criminal investigation and prosecution. Digital evidence may be captured by department members using various devices. It may consist of photographic images, audio recordings, video recordings and more. The guidelines in this general order primarily focus on digital evidence generated by department members, although 207-5 addresses digital evidence generated by the public. This General Order is not directed toward In-Car Cameras and Body-Worn Cameras.
PROCEDURES
207-1 Definitions
Archival Storage: Longer-term secure storage of digital evidence using a designated medium. This may be achieved by submission of the digital evidence to Property and Evidence, Records and Information Services (RIS), or a direct file transfer by the officer depending on specific procedures in place at the time.
Capture Device: Any device capable of capturing digital evidence and which is commonly used and accepted for that purpose under contemporary law enforcement standards. This includes, but is not limited to, cameras, phones, audio recorders, video recorders, and tablets.
Digital Evidence: Any digitally recorded file with evidentiary value or value as a record of a crime or incident. This includes, but is not limited to, images, video files, audio files and data files.
Disposable Storage Device: Any low-cost device capable of recording digital evidence and designed for a limited life span. They are typically easily and readily destructible. This includes, but is not limited to, CDs, DVDs and Blu-Ray discs.
Photographic Images: Still images captured in digital format with a capture device.
Removable Storage Device: A digital evidence storage medium designed to be connected to a capture device for the purposes of recording digital evidence. This includes, but is not limited to, SD cards, micro-SD cards, CF cards, USB-thumb drives, and external drives.
Transfer: The act of moving or copying a digital evidence file from one storage medium to another.
207-2 Digital Evidence Capture
Department members take photographic images when the visual documentation will assist the investigation or enhance the record of a crime or incident. The images should be of high quality and accurately represent the scene as it appeared at the time it was photographed. Photographic images may be captured using various capture devices. Some capture devices are preferred depending on the situation.
A department member may capture scene video, audio and/or video and other digital evidence when he or she believes that the additional documentation will assist the investigation or enhance the record of a crime or incident. Scene video is not to be taken in lieu of still images. Photographic image documentation of relatively serious scenes is typically completed with a higher-quality, stand-alone digital camera.
A. Capture Device Use
1. Removable storage devices and capture devices are provided by the department. Personally owned capture devices are not generally used to capture digital evidence. On rare occasions that personally owned capture devices are used, the following steps still apply.
2. The capture device is loaded with a blank, formatted removable storage device, or the digital evidence may be stored to the capture device’s internal memory if more appropriate.
3. Removable storage devices should only contain evidence from one crime/incident. The devices are kept in the department member’s direct control until the digital evidence is submitted or transferred for archival storage.
4. In the report, the member documents the brand and model of the capture device used. The member also notes any transfer processes prior to the digital evidence being submitted for archival storage.
5. Captured digital evidence is not deleted at any time prior to submission or transfer for archival storage.
207-3 Digital Evidence Transfer and Archiving
A. Digital evidence is submitted to Property and Evidence, RIS, or downloaded to archival storage by the member directly, depending on current processes. When a capture device or storage device is logged into Property and Evidence or submitted to RIS, the digital evidence may be transferred to archival storage by Property and Evidence Technicians or RIS employees, maintained on the submitted storage device or a combination thereof.
B. After digital evidence is successfully transferred to archival storage, removable storage devices and capture devices may be cleaned, formatted and returned to service. Disposable storage devices may be destroyed.
C. If digital evidence is captured on a member’s personally owned device, the digital evidence is cleaned from the device immediately after successful transfer to archival storage. Digital evidence is not to be copied to, or retained on, personally owned storage devices without permission from the Chief of Police or designee.
207-4 Digital Evidence Duplication, Processing, and Sharing
A. If a department member or other authorized law enforcement agency requests copies of digital evidence, the request is completed in writing or via email. The request serves as a record to assist in tracking the distribution of digital evidence. Digital evidence files sent via email will be considered on a case by case basis.
B. Techniques, such as cropping, contrast adjustments, dodging and/or burning, unsharpen/mask and color balance are acceptable enhancements and are synonymous with darkroom techniques used with film. Specific digital techniques, including resizing (with or without interpolation), may be utilized to improve the image quality and accommodate the processed image’s printed size when images are processed.
C. It is acceptable to scan negatives and other analog images, thus creating a digital file which can be stored to archival storage and processed. The negatives are retained as the original images.
D. Any member who enhances digital evidence for any reason must document the enhancements in a report and submit or transfer a copy of the enhanced evidence to for archival storage according to current processes.
E. If an independent lab is used to process or enhance a digital file, then specific documentation of the changes is not required. The business or lab name must be recorded as having processed the files.
F. Digital evidence is not shared among department members, or outside of the department, except as is necessary for legitimate law enforcement purposes, official records releases or official press releases. Digital evidence is not posted on personal social media sites or internet sites.
207-5 Digital Evidence Obtained From Outside-Department Sources
If a citizen captures digital evidence and provides the police department access to that evidence, the digital evidence is submitted to Property and Evidence, RIS, or downloaded to archival storage by a department member directly, depending on current department processes. When the evidence is received by Property and Evidence or RIS it may be transferred or copied to archival storage. Removable storage devices or disposable storage devices used to transfer the digital evidence to Property and Evidence or RIS may be maintained by those units or disposed of depending on current processes. Storage devices owned by members of the public should not be cleaned or reformatted after files are transferred to archival storage. These devices should first be offered back to the owner while the digital evidence remains intact.
1 Computer Forensic Investigation 19.3.12
GENERAL ORDERS
LA CROSSE POLICE DEPARTMENT
DATE STAMPED: 09.27.2012
CHAPTER: XIX
ORDER NUMBER: 19.3.12
TITLE: Computer Forensic Investigation
REVIEW DATE:
WORD CODE: COMP FORENSIC
TOTAL PAGES: 4
I. Purpose and Policy.
The purpose of this policy is to provide guidelines for performing investigative analysis of all computers.
The La Crosse Police Department will utilize computer forensics to enhance the investigative analysis of all computers and related media allowing for a more detailed investigative base through computer forensics and to preserve the integrity of seized computer evidence.
II. Procedure
A. Investigative analysis of computers and peripheral equipment includes, but is not limited to:
1. The use of computers to facilitate a crime such as embezzlement, forgery, fraud, extortion, or grand larceny.
2. The use of computers to commit a crime such as illegal duplication, or video and sound recording duplication.
3. Crimes committed utilizing the internet, on-line service or e-mail such as harassment, schemes to defraud, credit card theft, identity theft, crimes against children, stalking, or distribution of child pornography.
4. Any crime such as computer intrusion, computer tampering, theft of intellectual property, online sexual solicitation or dissemination of pornography to minor for the purpose of luring minors.
5. Crimes involving the use of wireless communication devices such as cell phones and other devices capable of wireless communication.
B. The Computer Forensics Lab will perform investigative analysis of all computers in any case where evidence or information pertinent to an investigation may be stored on a computer or other electronic media.
C. The Computer Forensics Lab will provide technical assistance and guidance for members of the La Crosse Police Department in the proper safeguarding and collection of evidence stored in electronic form.
D. The computer Forensics Lab will assist outside agencies in Investigating Computer Crime with the approval from the Captain or Lieutenant of the Investigative Services Bureau. The outside agency will be responsible for providing materials required for the exam such as hard drives, disks for archiving, signed consent forms, and/or search warrant copies.
III. Physical Security and Inventory Control in Computer Forensics Lab
A. The Computer Forensics Lab will be housed in a locked room separated from the rest of the Investigative Services Bureau. This room shall be designated “Computer Forensics.” This room is inside a secured Police Department building that has restricted access.
B. The Computer Forensics Lab will process digital evidence. To secure against unauthorized access, the room shall be secured at all times and only the Forensic Examiners shall have unescorted access to the lab. Any other personnel entering the Computer Forensics Lab must be accompanied by the Computer Forensics Unit personnel.
C. All computer forensic equipment that are assigned to the Computer Forensics Unit shall be stored inside the digital evidence processing facility at all times when not being used for off-site analysis.
IV. Electronic Security in the Computer Forensics Lab
A. Any computer system that is used to store evidence (defined as recovered files and/or “images” obtained from digital evidence sources that are relevant to any criminal case) shall not have an active Internet connection or connection to the City of La Crosse’s Intranet while the system contains evidence files.
1. While the system contains evidence files, any modem connection will be physically disconnected by physically removing the telephone line and/or network cable from the systems CPU.
2. The systems connections may be reconnected only after the evidence files have been copied to archival media (CD-R/DVD-R) and properly deleted and all free space on the storage system wiped using a properly configured hard drive wiping utility program or have been stored in such a way that the files can be verified after the system/software updates have been completed (Encase EO files, etc.). This is due to the understanding that large amounts of data being located on machines require server size storage on systems that require routine software updates but can still protect the integrity of the files contained in them due to the operating software being updated and the actual evidence files not being altered.
3. Evidence file archive copies shall be kept physically separated from any computer system while not in use. Archive copies may not be kept inside any CD tray on any system. They may not be copied to any other computer system unless needed to restore an evidence image or case file.
4. When a case investigation has been completed, the archive copies of evidence files shall be placed in the property division.
V. Digital Evidence Integrity
A. It is the responsibility of the case Investigator to ensure that digital evidence submitted was properly seized. The Computer Forensics Unit will not process digital evidence seized outside the scope of the policy and procedures developed and utilized for criminal investigation.
1. When requested, the Computer Forensics Unit will assist any case agent with the proper drafting and execution of search warrants or consensual searches for digital evidence to ensure that the evidence is properly seized.
2. The Physical seizure of evidence from any crime scene can be conducted by any peace officer following the current guidelines for seizing electronic evidence. The Computer Forensics Unit will conduct training in the proper seizure procedures as requested as necessary. All standard procedures regarding evidence handling apply.
3. Any digital evidence and/or computers seized shall be transported to the Computer Forensics Lab as soon as practical.
4. La Crosse Police Department officers assigned to the Computer Forensics Unit shall follow all proper procedures regarding the processing of digital evidence as taught by the National White Collar Crime Center courses, IACIS and/or vendor specific software training, including but not limited to:
a. Proper MD5 or other accepted hashing of digital evidence to ensure image integrity as compared to its original form. The MD5 hash value shall be included in any final written report on the examination.
b. Storing all images of the suspect media on a partition or system that, prior to acquiring any images has been properly wiped using a media wiping utility.
c. Writing a final report that identifies the case number, identifies the media imaged, includes the MD5 hash values, and includes references to the files that were found to contain information of evidentiary value.
d. When requested, the digital evidence-processing officer will provide copies of any files of evidentiary value to the case Investigator on removable media for off-site analysis. The case Investigator is responsible for the proper handling of any copies so provided.
e. The Computer Forensics Unit will not normally conduct an “investigation” of the digital media submitted for processing, unless a request has been approved by the Investigative Services Bureau Captain or Lieutenant. All data recovered shall be submitted to the case Investigator for analysis.
f. The computer forensics examiner shall make all efforts to accomplish the following during the examination of the seized system and media:
1. Ensure the original media and data are maintained in their original, unaltered state.
2. Ensure no unauthorized writes are made to the media by viruses, the operating system, write-back applications, or by other inadvertent means.
3. Recover and access deleted files, hidden data, password-protected files and encrypted files.
4. Examine unallocated and slack space for relevant data.
5. Provide a report of findings to the case Investigator.
6. Maintain the integrity of the evidence files by following proper electronic evidence recovery and storage procedures.
5. It shall be the policy of the Computer Forensics Unit that it will not make hard copies of any pornography, unless specifically requested to do so by the Prosecuting Attorney’s Office. All such evidentiary files shall be turned over to the case agent on electronic media, such as CD-R. The case agent shall then be responsible for ensuring that proper disposition of said evidence. All such media and reports will be marked as OBSCENE MATERIAL to avoid exposing anyone to the images who is not aware of the contents of the investigation.
6. The Computer Forensics Unit’s resources and personnel may be requested to assist with administrative investigations and shall assist the Chief of Police and the City of La Crosse’s Information Technology Department as necessary. It should be noted that any computer owned by the city of La Crosse may be seized without a search warrant and examined freely, as users have no reasonable expectation of privacy. Participation in any such investigation will be kept confidential by the forensic examiner and handled with the same amount of professionalism expected in any non-administrative case.
VI. Personnel Availability
A. The Computer Forensics Unit is available for 24 hour call out to respond to felony crime scenes and seize and/or process digital evidence when requested by a field or other Investigative Supervisor.
1. A Field Services Supervisor will contact the Investigative Bureau Captain or Lieutenant, who will determine the necessity of sending out a Computer Forensics Examiner trained in computer forensics.
2. If adequate direction can be given over the phone, the field personnel may be directed to seize the equipment and turn it in as evidence to the property division.
3. The Computer Forensics Unit will pick up the evidence for processing when applicable.
VII. Training
A. Training is defined as successfully completing the National White Collar Crime Center’s Basic Data Recovery and Analysis school and/or the Guidance Software Basic Encase Examiner School. Training can also include other nationally accredited computer forensics training programs, such as IACIS or the various computer crime courses available through the Federal Government.
B. The Computer Forensics Unit will develop and deliver training for the department in emerging areas of high technology crime.
VIII. Inspections
A. Random and unannounced inspections are conducted at the discretion of the Chief of Police, Assistant Chief of Police, or the Investigative Captain. Inspections are to ensure the integrity of property, procedures, cleanliness, and inventory of the Computer Forensics Lab and equipment.
Ronald J. Tischer
Chief of Police
GENERAL ORDER NUMBER: 4072 R-1
DURHAM POLICE DEPARTMENT
DURHAM, NC
SEIZURE OF COMPUTER EQUIPMENT
Effective Date: 07/25/2003
Revision Dates: R-1 12/05/2003
INTRODUCTION
The purpose of this general order is to develop a basic understanding of key technical and legal factors regarding searching and seizing electronic storage devices and media.
SCOPE OF THE PROBLEM
As computers and related storage and communication devices proliferate in our society, so does the use of those devices in conducting criminal activities. Technology is employed by criminals as a means of communication, a tool for theft and extortion, and a repository to hide incriminating evidence or contraband materials. Law enforcement officers must possess up-to-date knowledge and equipment to effectively investigate today’s criminal activity. The law enforcement community is challenged by the task of identifying, investigating and prosecuting individuals and organizations that use these and other emerging technologies to support their illicit operations.
RECOGNIZING POTENTIAL EVIDENCE
Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence may include:
• Mainframe computer (room-sized computer)
• Minicomputer (AS/400, etc.)
• Microcomputer (desktop PC, laptop, notebook, Mac, etc.)
• Microcomputer peripheral devices (scanners, external disk drives, etc.)
• Personal data assistant (“PDAs” – Palm Pilot, etc.)
• Cellular telephones and pagers (with or without PDA-type features)
• Digital cameras, portable audio players, digital recorders
• Floppy diskettes, hard drives, CD-ROMs, DVDs, ZIP disks, etc. (magnetic or optical media)
• Static RAM devices (USB “Jumpdrives,” memory sticks, compact flash drives, etc. – these may be contained in other devices, such as digital cameras or PDAs, or may be stand-alone.)
• Fax machines; pagers; telephones with memories etc.
February 2016 743
Note that this list of devices and media is by no means exhaustive. Every day, new products are coming out that have capabilities to capture and store data that can become evidence.
Images, audio, text and other data on these devices and media are easily altered or destroyed. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices and guidelines.
Answers to the following questions will better determine the role of the computer in the crime:
• Is the computer contraband or fruits of a crime? For example, was the computer software or hardware stolen?
• Is the computer system a tool of the offense? For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?
• Is the computer system incidental to the offense, i.e., being used to store evidence of the offense? For example, is a drug dealer maintaining his trafficking records in his computer?
• Is the computer system both instrumental to the offense and a storage device for evidence? For example, did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?
Once the computer’s role is understood, the following essential questions should be answered:
• Is there probable cause to seize hardware?
• Is there probable cause to seize software?
• Is there probable cause to seize data?
• Where will this search be conducted?
• If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
PREPARING FOR THE SEARCH AND/OR SEIZURE
Using evidence obtained from a computer in a legal proceeding requires:
• Probable cause for issuance of a warrant or an exception to the warrant requirement. Caution: If you encounter potential evidence that may be outside the scope of your existing warrant or legal authority, contact the Police Attorneys’ Office, as an additional warrant may be necessary.
• Use of appropriate collection techniques so as not to alter or destroy evidence.
• Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial.
CONDUCTING THE SEARCH AND/OR SEIZURE
Once the computer’s role is understood, and all legal requirements are fulfilled:
• Secure The Scene:
o Officer safety is paramount.
o Preserve area for potential fingerprints.
o Immediately restrict access to computer(s). Do not let any suspects or other unauthorized people touch any of the equipment for any reason. Do not follow any advice from the suspect on how to deal with the equipment.
o Isolate from telephone lines, and wired or wireless network connections. (Because data on the computer can be accessed remotely.)
• If the computer is “OFF,” DO NOT TURN IT “ON.” Be aware that some laptop computers will power on when the lid is opened.
• Consult the EIS Computer Forensic Specialist or a Computer Specialist from the SBI.
If at all possible, officers seizing computer equipment should have the EIS Computer Forensic Specialist or a Computer Specialist from the SBI on site. If a Specialist is not available, and it is imperative to seize the computer equipment immediately, the following procedures shall be followed:
• Make sure that an officer is detailed to take detailed notes about each step taken during the seizure of the equipment. Videotaping the seizure is another good way to document this.
• If the computer is on, these additional steps must be completed:
o Do not touch the mouse or keyboard.
o Photograph the screen.
o Disconnect all power sources by unplugging them directly from the back of the computer. (This is to prevent an uninterruptible power supply from activating and possibly causing loss of evidence. Also, this will preserve any temporary files, which may be the only evidence that can be obtained from a crafty offender’s computer.)
o Allow the equipment to cool down before removing it.
• Photograph and/or diagram and label back of computer components with existing connections.
• Record serial numbers on all pieces of equipment that have them.
• Search the area for any documents, including sticky notes, etc, that may contain passwords, web addresses, or IP addresses. (Note: An IP (internet protocol) address will likely look like 192.168.1.1 or something similar.)
• Consider asking the owner or user for any passwords for the computer equipment, or for websites, etc.
• Place evidence tape over:
o The slot of every disk drive, CD-ROM drive, DVD drive, ZIP drive, or other media opening; and
o The power connector on the computer.
• Laptop computers should have their battery removed, if possible.
• Label all connectors/cable ends to allow reassembly as needed. This would mean that if a plug goes in a socket, they should both be labeled with a numbered piece of tape, so that the computer can be hooked up exactly as it was when it was seized. (i.e. label the first cord and socket 1, the next cord and socket 2, etc.)
• Package components and transport /store components as if they are fragile cargo.
• Keep all computer equipment away from magnets, radio transmitters, and otherwise hostile environments. The best place to transport a computer in a police car is to place it on the back seat floorboard.
• The following items will need to be seized in most instances of seizing a microcomputer:
o CPU box (Main box)
o Monitor
o Keyboard
o Mouse
o All wires, cords, and cables
o All external devices, such as modems, drives, etc.
o “Dongles,” which are small devices normally plugged in to a printer (LPT or parallel) port.