Digital & Social Media Evidence for Investigators · Android. Snapchat. Instagram. Kik. ... •...


Digital & Social Media Evidence for Investigators


Sgt. Jason Lundquist – Waco Police Department Crimes Against Children Unit



I AM NOT AN ATTORNEY

• Please consult your legal advisor or general counsel.


Goals

• The student will be able to identify how digital evidence can be important to any investigation and reasons to collect it.

• The student will understand basic collection methods for digital evidence.

• The student will learn resources available to aid in evidence collection from ISPs and social media.


Hypothetical Case

• Adult victim reports that last week at a conference here she believes she was sexually assaulted.

• Victim reports after a night of drinking she woke up in her hotel room and believes someone had sex with her.

• Victim’s last memory was drinking at a bar with a man she met there.


Hypothetical Case

• Only ID on the suspect is a phone number. Victim gives consent for analysis of her phone.

• Do you have a case?


Why collect & search digital evidence?

- Learn about suspect/victim/involved parties
- Uncover additional offenses, establish culpability
- Develop timelines, determine the truth

CORROBORATION


Why collect & search digital evidence?

Do most sexual assaults have physical evidence?


How can evidence be seized?

• Consent (can it be revoked?/explicit scope?)
• Exigency
• Probable Cause

-Seizure alone is not enough!!! However it was seized you MUST develop probable cause to search. You should also ask questions to narrow your search.

-*ASK*- How do you communicate? What did you see? When? Where? How? Etc.


Can I just photograph it?

NO. COLLECT IT!


Best Practices for Collection


Get the Passcode/word
- Have the owner write it down.
- Have the owner disable it (Biometric).
- Watch them open it (SW).


Cell Phones


Computers (Powered On)

• Checking for BitLocker and powering down


Computers (Powered On)

• Volatile storage = triage
– RAM can contain malware (exculpatory)
• Non-volatile storage = hard power down.
• Any device: Plugging things in BAD
• Un-plugging: OK!


What is needed to search


What You Can Expect

• Cell Phones:


What You can Expect

• Computers:
• Pictures
• Internet History
• Videos
• User Data
• E-Mails
• Application Analysis


Where is my info?!?!?

• On the Device
• In the Cloud (with an ISP)
• Encrypted


What is an ISP?


What do they have?

• Different ISPs have different content retention periods.

• Some keep content on their servers, some content is only kept on the user’s devices.

• WHAT COULD THEY HAVE????


Must identify ISP and unique user (UID)

“The victim’s mother told me that she had communicated with the suspect over the internet.”

“The suspect communicated with the victim through text messages with an app such as Facebook.”


iOS


Android


Snapchat


Instagram


Kik


4th Amendment/ ECPA

• “The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures…”

• Electronic Communications Privacy Act (1986)
– Assortment of federal statutes related to electronic communications
– 18 USC § 2702-2711
– §2703: A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.


4th Amendment/ ECPA

• Remember that privacy issues regarding digital evidence are new and evolving.

• Bad case work generates bad case law.

• 18 USC 2702 prevents voluntary disclosure by an ISP.

• Compelling password? 5th Amend. Violation?
– Not with biometric data


ECPA

• 4th Amendment challenges are complex
• ECPA is broad and outdated
• We are not talking about wiretapping or surveillance.
• ECPA allows for warrantless seizure of stored communications after time.
• It is always best to obtain a warrant when possible.


Texas Statutes

• Code of Criminal Procedure Ch. 18.21
- Allows for search warrant to be issued for stored communications out of state.
- SW shall be executed not later than the 11th day after date of issuance.
- Execution equals return.


3 steps to obtaining evidence

• Identify the account(s)
• Preserve the information 18 USC § 2703(f)
– 90 days + 90 days
• Seizure/Gag (NDO)


3 types of data

• Basic Subscriber Info: Subpoena
• Transactional Data: Court Order
• Content: Search Warrant


Search Warrant

• Affidavit must allege a specific offense.
• Must describe place to be searched.
– Specific address for custodian of record.
• Must describe things to be seized.
– DUMP for date range. BSI, Photos, Videos, Messages, IP Logs, Devices, Usernames,
- Avoid “Any and All” language when possible.
- Reference specifics


Non-Disclosure Order

• 18 USC § 2705/Texas CCP 18.21 § 8 “Preclusion of Notification”

• Reason to believe that notification of the existence of the (process):
– Endangering the life or physical safety of AN individual.
– Flight from prosecution.
– Destruction of or tampering with evidence.
– Intimidation of potential witness.
– Otherwise seriously jeopardizing an investigation or unduly delaying trial.


Where do I go?


Search.org ISP list


LE Guides/Portals


It’s 2018


Common Pitfalls

• Don’t get frustrated!
- They may not respond. They won’t tell you why they kick it. They want it their way.

• Use their preferred method of communication
- No fax/mail/certified service LOL!

• $PECIFY HOW YOU WANT YOUR RETURN!!!
- Consider cost. “Archive contents onto flash, magnetic, or optical storage media and deliver via common parcel post or archive into a common file format and deliver by email.”

• Check, double check and check again.
• ASK QUESTIONS, BE REASONABLE, DEVELOP CONTACTS!


International

• Certain ISPs are outside of the US.
• Kik, Non-US Twitter accounts.

• Content data will require an MLAT through the US Department of State.


Business Record!!!


Quick Review

• 3 types of data:
– BSI
– Transactional
– Content

• Steps to obtaining data:
– Identify
– Preserve
– Seizure


Examples….


Examples….

• The Runaway
– March 2016, 16 yo repeat runaway from Temple is found at the Motel 6 in Waco with 2 adults and one other juvenile.
– Mother of the 16yo called patrol to report she saw her daughter at the motel on a Facebook Live video.


Examples….

• Statutory
– Mom brings her 15yo to the hospital after her daughter told her she met a 20yo man at the playground, went to his house, and they had sex.
– Victim tells officers she communicated with the suspect on Facebook Messenger.
– Victim had a SANE exam, SW executed on the suspect’s residence (crime scene).
– SW executed on 2 Facebook accounts.


-Pleaded Guilty


Examples….

• Injury
– 2yo presents at the hospital with a dislocated shoulder.
– Child was injured at daycare.
– Daycare owner (well respected in the community) said the child was fighting with another toddler.
– Daycare had a Vivint CCTV Security system.


Examples….

• Injury
– Footage is stored in the “cloud” aka ISP.
– SW executed on Vivint
– Daycare owner and employee seen abusing numerous children. Both arrested.


Digital Officer Safety

• Types of accounts:
– “search”/“burner”/UC/Professional (age brackets)
– Personal
– Personal accounts should NEVER be accessed from the same device!
- Do you have real people as friends?
- IP Logs
- LOCK DOWN YOUR PERSONAL ACCOUNTS!


Digital Officer Safety


How do we find people?


Cool Resources/Practicum

• Types of Facebook searches:
• Graph-
• URL
• Google (cached data)
• Forgot account


Cool Resources/Practicum


Cool Resources/Practicum


Cool Resources/Practicum


Cool Resources/Practicum


Hypothetical Case

• Do you have a case?
• Suspect and victim ID’d on Facebook.
• Victim stopped all activity at midnight.
• Victim took Uber to hotel. $312 charge.
• Suspect says he last saw victim when he put her in the Uber. Refuses search of his phone.
• FB SW reveals messages with IP addresses.


Cool Resources/Practicum


Questions?