Highfill - 392 - Policies and Procedures - Investigative Procedures Flashcards Preview

Flashcards in Highfill - 392 - Policies and Procedures - Investigative Procedures Deck (26)
1

If an officer/detective comes into contact with any digital media device which meets ___________ standards or the device may contain evidence, they should first seek ____________ by completing a ___________, and have the form signed by the owner or the authorized agent of the device.

probable cause
consent to search
Consent to Search Computer(s), Computer Peripherals, & Related Audiovisual or Digital Media/Devices Form (P-0527)

2

Form P-0527 should be _______________ and stored in the ___________.

Note that consent to search ______ valid if the PIN or password to the device is not provided.

retained as evidence
Property and Evidence Facility
is not

3

Regardless of computer knowledge or technical aptitude, an officer/detective __________ search through any digital device or request a complainant, victim, or suspect to search any device acting as an agent of the Jacksonville Sheriff’s Office (JSO). Any search done in this manner could render the evidence ________ in court.

should not
inadmissible

4

Any ___________ who searches through a digital device (scrolling through cell phone image gallery, searching computer internet history, etc.) will __________ in an Incident or Supplement Report.

officer/detective
document the actions taken

5

If Consent to Search Form (P-0527) cannot be obtained, and there exists exigency and/or facts are known to indicate a crime has been committed using the digital device, __________. A _________ can be obtained later to conduct an examination of the device.

seize the device
search warrant

6

An officer/detective attempting to obtain a search warrant should consult with a ________________ to ensure that a properly structured and worded search warrant is drafted.

Digital Forensic Examiner

7

An officer/detective should ________ inform the owner/agent of a digital device to remove or delete any item(s) from a digital device.

NOT

8

If data, image, or digital evidence is ___________ on a computer or mobile device screen, the officer/detective should, if possible, _____________ of what is in plain view, without manipulating the digital device, and consult a digital forensic examiner.

in plain view
take a photograph

9

An officer/detective not assigned to the Computer Forensic Investigations Unit ________ guess or otherwise make __________ to enter the unknown password of a locked device.

will not
blind attempts

10

Blindly attempting to enter a device may ________ or ________ the device, without warning, and cause permanent destruction of evidence that could otherwise have been obtained during a forensic analysis.

permanently disable
wipe

11

If the digital device is OFF, ____________.

leave it OFF

12

If the digital device is ON, document _________, _______, and _______, without inputting data into the device.

open screens,
time,
and dates

13

If the digital device is ON, _______ or _________ into the device.
Exception: There may be times when this cannot be avoided. If this happens, document ________ used and document ______ this step was necessary.

do NOT type
input anything
every step
why

14

An officer/detective should NOT ______ or _______ any type of software or hardware (e.g., flash/thumb drives, external hard drives, etc.).

remove
install

15

When collecting a desktop computer: if it is ON, _________ and simply unplug the power cord from the back of the computer.

*** However, if the computer is on and there is an articulable belief that hard drive(s) are encrypted, ____________ the computer.

Instead, consult with the on-call digital forensic examiner. Encryption may be an issue if the subject of the investigation displays computer knowledge that exceeds that of an average user.

leave it ON
do NOT unplug or power off

16

When collecting a laptop computer: if it is ON, __________ and ____________ first, then the power cord. Upon removal, do NOT reinsert the battery to prevent accidental start-up. The same policy concerning encryption applies.

leave it ON
remove the battery

17

Cellular phones and mobile devices (eReaders, tablets, GPS, etc.) should be collected in the same manner as laptops. Remove the _________ from the device and do ____ reinsert it. This will prevent remote wipe and GPS tracking by the device owner.

battery
NOT

18

Cellular phones and mobile devices: considering that powering off the device may require __________ when powered back on, it is imperative to obtain the password before turning the device off.

a password

19

Cell phones and mobile devices: If removing the battery is ________, turn off the device and wrap it in at least ____ layers of aluminum foil. Note, however, that doing so while the device is powered on will quickly drain the battery and could cause damage due to overheating.

not possible
four

20

To prevent evidence tampering and destruction of digital evidence, _________ search through it. Scrolling through __________, __________, and _________ can modify metadata that is vital to the investigation, and the change cannot be undone.

do not
messages, images and other files

21

If a seized/obtained device may need a password to gain entry, the _______ receiving the device shall ask the possessor/owner of the device for the ____________.

officer/detective
password

22

An officer/detective should document the name of the individual who provided the information about a seized device even if the password is ________.

unknown or refused

23

If a device's password is a ________, document the pattern and have it confirmed by the possessor/owner of the device.

swipe pattern

24

Investigations involving computers or any other related device where individuals have user profiles (user accounts) require the investigating officer/detective to obtain all of the user _______ and ________ used on the device.

profile names
passwords

25

When computers are submitted for analysis, the case agent or detective must submit a searchable _________ to the digital forensic examiner conducting the analysis.

keyword list

26

Forensic examinations can have extensive processing times that are subject to change without notice, and owners/agents of electronic devices should NOT be given __________ on the completion of the examination.

specific time frames