Post on 20-Jul-2020

Digital & Social Media Evidence for Investigators

Sgt. Jason Lundquist – Waco Police Department Crimes Against Children Unit

jasonl@wacotx.gov

I AM NOT AN ATTORNEY

• Please consult your legal advisor or general counsel.

Goals

• The student will be able to identify how digital evidence can be important to any investigation and reasons to collect it.

• The student will understand basic collection methods for digital evidence.

• The student will learn resources available to aid in evidence collection from ISPs and social media.

Hypothetical Case

• Adult victim reports that last week at a conference here she believes she was sexually assaulted.

• Victim reports after a night of drinking she woke up in her hotel room and believes someone had sex with her.

• Victim’s last memory was drinking at a bar with a man she met there.

Hypothetical Case

• Only ID on the suspect is a phone number. Victim gives consent for analysis of her phone.

• Do you have a case?

Why collect & search digital evidence?

-Learn about suspect/victim/involved parties
-Uncover additional offenses, establish culpability
-Develop timelines, determine the truth

CORROBORATION

Why collect & search digital evidence?

Do most sexual assaults have physical evidence?

How can evidence be seized?

• Consent (can it be revoked?/explicit scope?)
• Exigency
• Probable Cause

-Seizure alone is not enough!!! However it was seized you MUST develop probable cause to search. You should also ask questions to narrow your search.

-*ASK*
-How do you communicate? What did you see? When? Where? How? Etc.

Can I just photograph it?

NO

COLLECT IT!

Best Practices for Collection

Get the Passcode/word
-Have the owner write it down.
-Have the owner disable it (Biometric).
-Watch them open it (SW).

Cell Phones

Computers (Powered On)

• Checking for BitLocker and powering down

Computers (Powered On)

• Volatile storage = triage
– RAM can contain malware (exculpatory)
• Non-volatile storage = Hard power down.
• Any device: Plugging things in BAD
• Un-plugging: OK!

What is needed to search

What You Can Expect

• Cell Phones:

What You can Expect

• Computers:
• Pictures
• Internet History
• Videos
• User Data
• E-Mails
• Application Analysis

Where is my info?!?!?

• On the Device
• In the Cloud (with an ISP)
• Encrypted

What is an ISP?

What do they have?

• Different ISPs have different content retention periods.

• Some keep content on their servers, some content is only kept on the user’s devices.

• WHAT COULD THEY HAVE????

Must identify ISP and unique user (UID)

“The victim’s mother told me that she had communicated with the suspect over the internet.”

“The suspect communicated with the victim through text messages with an app such as facebook.”

iOS

Android

Snapchat

Instagram

Kik

4th Amendment/ ECPA

• “The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures….

• Electronic Communications Privacy Act (1986)
– Assortment of federal statutes related to electronic communications
– 18 USC § 2702-2711
– §2703: A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

4th Amendment/ ECPA

• Remember that privacy issues regarding digital evidence are new and evolving.

• Bad case work generates bad case law.
• 18 USC 2702 Prevents voluntary disclosure by an ISP.
• Compelling password? 5th Amend. Violation?
– Not with biometric data

ECPA

• 4th Amendment challenges are complex
• ECPA is broad and outdated
• We are not talking about wiretapping or surveillance.
• ECPA allows for warrantless seizure of stored communications after time.
• It is always best to obtain a warrant when possible.

Texas Statutes

• Code of Criminal Procedure Ch. 18.21
-Allows for search warrant to be issued for stored communications out of state.
-SW shall be executed not later than the 11th day after date of issuance.
-Execution equals return.

3 steps to obtaining evidence

• Identify the account(s)
• Preserve the information 18 USC § 2703(f)
– 90 days + 90 days
• Seizure/Gag (NDO)

3 types of data

• Basic Subscriber Info: Subpoena
• Transactional Data: Court Order
• Content: Search Warrant

Search Warrant

• Affidavit must allege a specific offense.
• Must describe place to be searched.
– Specific address for custodian of record.
• Must describe things to be seized.
– DUMP for date range. BSI, Photos, Videos, Messages, IP Logs, Devices, Usernames.
-Avoid “Any and All” language when possible.
-Reference specifics

Non-Disclosure Order

• 18 USC § 2705/Texas CCP 18.21 § 8 “Preclusion of Notification”
• Reason to believe that notification of the existence of the (process):
– Endangering the life or physical safety of AN individual.
– Flight from prosecution.
– Destruction of or tampering with evidence.
– Intimidation of potential witness.
– Otherwise seriously jeopardizing an investigation or unduly delaying trial.

Where do I go?

Search.org ISP list

LE Guides/Portals

It’s 2018

Common Pitfalls

• Don’t get frustrated!
-They may not respond. They won’t tell you why they kick it. They want it their way.
• Use their preferred method of communication
-No fax/mail/certified service LOL!
• $PECIFY HOW YOU WANT YOUR RETURN!!!
-Consider cost. “Archive contents onto flash, magnetic, or optical storage media and deliver via common parcel post or archive into a common file format and deliver by email.”
• Check, double check and check again.
• ASK QUESTIONS, BE REASONABLE, DEVELOP CONTACTS!

International

• Certain ISPs are outside of the US.
• Kik, Non-US Twitter accounts.

• Content data will require an MLAT through the US Department of State.

Business Record!!!

Quick Review

• 3 types of data:
– BSI
– Transactional
– Content

• Steps to obtaining data:
– Identify
– Preserve
– Seizure

Examples….

• The Runaway
– March 2016, 16 yo repeat runaway from Temple is found at the Motel 6 in Waco with 2 adults and one other juvenile.
– Mother of the 16yo called patrol to report she saw her daughter at the motel on a Facebook Live video.

Examples….

• Statutory
– Mom brings her 15yo to the hospital after her daughter told her she met a 20yo man at the playground, went to his house, and they had sex.
– Victim tells officers she communicated with the suspect on Facebook Messenger.
– Victim had a SANE exam, SW executed on the suspect’s residence (crime scene).
– SW executed on 2 Facebook accounts.
-Pleaded Guilty

Examples….

• Injury
– 2yo presents at the hospital with a dislocated shoulder.
– Child was injured at daycare.
– Daycare owner (well respected in the community) said the child was fighting with another toddler.
– Daycare had a Vivint CCTV Security system.

Examples….

• Injury
• Footage is stored in the “cloud” aka ISP.
• SW executed on Vivint
• Daycare owner and employee seen abusing numerous children. Both arrested.

Digital Officer Safety

• Types of accounts:
– “search”/“burner”/UC/Professional (age brackets)
– Personal
– Personal accounts should NEVER be accessed from the same device!
-Do you have real people as friends?
-IP Logs
-LOCK DOWN YOUR PERSONAL ACCOUNTS!

Digital Officer Safety

How do we find people?

Cool Resources/Practicum

• Types of Facebook searches:
• Graph
• URL
• Google (cached data)
• Forgot account

Hypothetical Case

• Do you have a case?
• Suspect and victim ID’d on Facebook.
• Victim stopped all activity at midnight.
• Victim took Uber to hotel. $312 charge.
• Suspect says he last saw victim when he put her in the Uber. Refuses search of his phone.
• FB SW reveals messages with IP addresses.

Cool Resources/Practicum

Questions?