OPERATIONAL ORDERS > SOO 08-06 Digital Evidence > Flashcards
SOO 08-06 Digital Evidence Flashcards
The purpose of this order is to establish the procedures for the collection and processing of computers, computer peripherals, and related audiovisual or digital media/devices that has, or is suspected of having information of interest or evidentiary value. Agency personnel involved in the investigative process will be trained and updated in examination techniques, editing, and ensuring authenticity to ensure the data remains intact and secure. This order supports the Sheriff’s Office
Core Value of “_______ _______” and “________ ________”.
“Community Focused” and “Always Improving.”
______- An imitation or representation of a person or thing, drawn, painted, photographed, etc.
IMAGE
________ - an image that is stored in numerical form.
DIGITAL IMAGE
________- A reproduction of information contained in a primary or original image.
COPY IMAGE
________- An accurate and complete replica of an original image, irrespective of media.
DUPLICATE IMAGE
________ - Refers to the first instance in which an image is recorded onto any image that is a separate, identifiable object or objects.
PRIMARY IMAGE
________ - An output image (See Image Processing).
PROCESSED IMAGE
________ - Any image subjected to processing.
WORKING IMAGE
_______ - Long-term storage of an image.
ARCHIVING
________- The process of recording an image.
CAPTURE
________ - A device used in the recording of an image.
CAPTURE DEVICE
________ - The structure by which data is organized in a file.
FILE FORMAT
________- The extraction of information from an image beyond that which is readily apparent through visual examination.
IMAGE ANALYSIS
________- Any process intended to improve the visual appearance of an image.
IMAGE ENHANCEMENT
________ - The means by which an image is presented for examination or observation.
IMAGE OUTPUT
________ - Any activity which transforms an input image into an output image.
IMAGE PROCESSING
________- The act of moving images from one location to another.
IMAGE TRANSMISSION
__________ - A record of steps used in the processing of an image.
IMAGE PROCESSING LOG
________ - A process by which personnel identify an image as being an accurate representation.
IMAGE VERIFICATION
________ - Any media or device on which an image is temporarily stored for transfer to permanent or archival storage.
INTERMEDIATE STORAGE
________ - The file format of the primary image
NATIVE FILE FORMAT
________ - The act of preserving an image.
STORAGE
_______ - a disk used to save/stored computerized data.
DISK
________ - a unique data/information storage card in some digital cameras utilized to record/save digital images.
MEMORY CARD
___ - compact disk utilized for the storing of digital information.
CD
________– a device (desktop, tower, rack mounted unit, handheld, or laptop type) containing the memory, processor, and storage devices that processes, compiles,
and stores information.
Computer
________ – Input (i.e. mouse, keyboard, web camera, scanner, etc.) or output (i.e. Printer, display screens, and plotters).
Computer Peripherals
________ – devices which can store, display, or manipulate data (i.e. MP3 players, memory stick, external hard drives, digital cameras, cell phone cameras, etc.).
Digital devices
Officers and detectives assigned digital cameras will be responsible for the equipment to be utilized. Only agency devices/digital cameras are authorized to be utilized by personnel for the procedure of documenting _______/______ during an investigation.
information / evidence
Agency members will follow the listed procedures when taking of photos/images:
- The first digital image/photograph taken should document the date, time, case report number, the location, and the victim’s name (when applicable).
To do this, take a picture of the Crime Scene Information Card. If the victim’s address is different from the scene location, make sure both addresses are on the card. - No image captured during an investigation shall be deleted for any reason; including, but not limited to, lack of quality, content or available memory.
- Subject matter should range from the general to specific.
a. Take overall photographs of the entire scene to show its relationship to the surrounding areas.
b. Take mid-range photographs to show the relationship of the evidence in the scene.
c. Take close-up photographs of evidence for comparison. - When photographing persons:
a. Identification photographs - full frontal, facial, and back view (when applicable) for identification.
b. Mid-range photographs to show injuries and other body parts.
c. Close-up photography with and without scale in regards to scars, marks, tattoos and injuries. - Document in the electronic Evidence Report the following information.
a. Number of photographs taken; and
b. What is being depicted in the photographs.
- Submission and documentation of images
a. Copy all images from memory card into folders named by the cases CCR# (06-1234567).
b. Copy all folders for the day’s cases onto a CD, for temporary storage / transfer to photo lab. The images on this CD must be viewed to ensure that the images were transferred. After image transfer is successfully verified, the compact flash card will be re-formatted in the camera.
c. Place the CD in the plastic CD storage case.
d. On the CD label write:
(1) The date the images were taken;
(2) The CCR#’s contained on that CD; and
(3) The photographer that took the photographs
e. On the CD write:
(1) The date the images were taken; and
(2) The photographer that made the disk.
f. Seal the CD in the case with evidence tape and initial the seal.
g. Crime Scene Unit detectives will place the CD in the locked film drawer at the Crime Scene Unit office at the end of that day’s shift.
h. Detectives and officers from other units will submit the CD as evidence into the Property and Evidence Facility.
i. The disks will be picked up by a Photo Lab technician and taken to the Photo Lab.
j. Personnel within the Photo Lab will input the photographs into the Digital Crime Scene software for storage
k. No original images will leave the Photo Lab without approval of the Photo Lab supervisor or Crime Scene Unit Commander.
l. After the downloading procedure is completed, the CD shall be destroyed by shredding.
7. Printing and distribution of images will be handled in the following manner:
a. Images will be printed on an as-needed basis for trial and on-going investigations. Emphasis will be placed on electronic transfer/ digital image transmission of duplicate images whenever possible. All duplicate images will be copied in an unaltered native file format as that of the original.
b. Another approved method of distributing duplicate images will be copying the images from the Digital Crime Scene Software to a CD. A case journal entry will be made every time photographs from that case are exported. This journal entry will document for whom the
images were exported.
- Working with images
a. No alterations or obliteration of primary images will be allowed.
b. Only duplicate images of the primary images will be transmitted. Processing to improve the image quality will be limited to those used with traditional negative based processing:
(1) Sharpen focus;
(2) Correct contrast/brightness;
(3) Correct color balance; and/or
(4) Enlarge the image or part of it
c. Manipulation, and the actual altering of properties of the image, will only be performed on a copy of the original. This may involve, but is not limited to:
(1) Sharpness enhancement;
(2) Removal/addition of objects/features; and
(3) Use of images in court displays.
d. Under no circumstances will a corrected or manipulated image be substituted for the original/primary image. All processed images will be saved as a separate file. They may be permanently stored in the Digital Crime Scene software with the original images, but will be specified as a copy and will not be saved in the native camera format.
e. If any manipulations are made on a copy of a photograph, the alterations must be documented.
f. A record detailing the following must be recorded.
(1) What program was utilized to publish the pictures;
(2) The date and time the pictures were published;
(3) What digital processing procedures were used to publish the photographs/images; and
(4) Any enhancements or other alterations to the
photograph/images made during the publishing should be recorded in the report along with an explanation of why an enhancement was conducted.
g. Under no circumstances will a corrected image be substituted for the original. All processed images will be saved in a separate file.
h. Images from sex crime cases will only be viewed by the Crime Scene Detective, Special Assault or Investigations supervisors as applicable assigned to each individual case. Anyone else is prohibited from viewing the images unless express permission is obtained from the unit commander. On the ET card, the victim’s name will be omitted and the CCR# will be used as the case identifier in sex crimes cases.
The first digital image/photograph taken should document the date, time, case report number, the location, and the victim’s name (when applicable). To do this, take a picture of the _______________. If the victim’s address is different from the scene location, make sure both addresses are on the card.
Crime Scene Information Card
Take ________ photographs to show the relationship of the evidence in the scene.
Take ______ photographs of evidence for comparison.
mid-range
close-up
When photographing persons:
a. _______ photographs - full frontal, facial, and back view (when applicable) for identification.
Identification
When photographing persons:
_______ photographs to show injuries and other body parts.
Mid-range
When photographing persons:
_______ photography with and without scale in regards to scars, marks, tattoos and injuries.
Close-up
Copy all images from memory card into folders named by the cases ________.
CCR# (06-1234567).
On the CD label write:
(1) The date the images were taken;
(2) The CCR#’s contained on that CD; and
(3) The photographer that took the photographs
On the CD write:
(1) The date the images were taken; and
(2) The photographer that made the disk.
No original images will leave the Photo Lab without approval of the Photo Lab supervisor or Crime Scene Unit ________.
Commander.
Printing and distribution of images will be handled in the following manner:
a. Images will be printed on an as-needed basis for trial and on-going investigations. Emphasis will be placed on electronic transfer/ digital image transmission of duplicate images whenever possible. All duplicate images will be copied in an unaltered native file format as that of the original.
b. Another approved method of distributing duplicate images will be copying the images from the Digital Crime Scene Software to a CD. A case journal entry will be made every time photographs from that case are exported. This journal entry will document for whom the
images were exported.
Only duplicate images of the primary images will be transmitted. Processing to improve the image quality will be limited to those used with traditional negative based processing:
(1) Sharpen focus;
(2) Correct contrast/brightness;
(3) Correct color balance; and/or
(4) Enlarge the image or part of it
Manipulation, and the actual altering of properties of the image, will only be performed on a copy of the original. This may involve, but is not limited to:
(1) Sharpness enhancement;
(2) Removal/addition of objects/features; and
(3) Use of images in court displays.
Agency members shall adhere to the following safe camera handling protocol:
- Do not drop. The camera may malfunction if subjected to strong shocks or vibration. Should the camera malfunction in any case, a replacement camera in working order will be utilized.
- Keep dry. This product is not waterproof, and may malfunction if immersed in water or exposed to high levels of humidity. Rusting of the internal mechanism can cause irreparable damage.
- Avoid sudden changes in temperature. Sudden changes in temperature, such as occur when entering or leaving a heated building on a cold day, can cause condensation inside the device. To prevent condensation, place the device in a carrying case or a plastic bag before exposing it to sudden changes in temperature.
- Keep away from strong magnetic fields. Do not use or store this device near equipment that generates strong electromagnetic radiation or magnetic fields. Strong static charges or the magnetic fields produced by equipment
such as radio transmitters could interfere with the monitor; damage data stored on the memory card, or affect the product’s internal circuitry. - Do not leave the lens pointed at the sun or another light source for an extended period. Intense light may cause the image sensor to deteriorate or produce a white blur effect in photographs.
- Do not touch the shutter curtain. The shutter curtain is extremely thin and easily damaged. Under no circumstances should you exert pressure on the
curtain, poke it with cleaning tools, or subject it to powerful air currents from a blower. These actions could scratch, deform, or tear the curtain. - Handle all moving parts with care. Do not apply force to the battery chamber, card-slot, or connector covers. These parts are especially susceptible to damage.
- Do not apply pressure to the monitor; this could cause damage or malfunction. Dust or lint on the monitor can be removed with compressed air.
- Do not unplug the product or remove the battery while the product is on, or while images are being recorded or deleted. Forcibly cutting power to the product in these circumstances could result in loss of data or in damage to
product memory or internal circuitry. To prevent an accidental interruption of power, avoid carrying the product from one location to another while the AC adapter is connected. - Never leave the camera body open with no lens or lens cover in place.
The camera should be cleaned following the listed protocol:
- When cleaning the camera body, use a blower to remove dust and lint, then wipe gently with a soft, dry cloth. After using the camera at the beach or seaside, wipe off any sand or salt using a cloth lightly dampened with pure water and then dry the camera thoroughly. In rare instances, static electricity produced by a brush or cloth may cause the LCD displays to light up or
darken. This does not indicate a malfunction, and the display will shortly return to normal. - When cleaning the lens and mirror, remember that these elements are easily damaged. Dust and lint should be gently removed with a blower. When using an aerosol blower, keep the can vertical (tilting the can could result in liquid being sprayed on the mirror). If a fingerprint or other stain gets on the lens, apply a small amount of lens cleaner to a soft cloth and wipe the lens carefully.
Agency digital cameras will be stored in the following manner:
- To prevent mold or mildew, store the camera in a dry, well-ventilated area. If the camera will not be used for long periods, remove the battery to prevent leakage and store the camera in a plastic bag containing a desiccant. Do not, however, store the camera case in a plastic bag, as this may cause the material to deteriorate. Note that desiccant gradually loses its capacity to absorb moisture and should be replaced at regular intervals.
- Do not store the camera with naphtha or camphor mothballs, close to equipment that produces strong magnetic fields, or in areas subject to extremes of temperature, for example near a space heater or in a closed vehicle on a hot day.
- Do not store the camera where it will be exposed to temperatures above 50° / 122 °F (for example, near a space heater or in a closed vehicle on a hot day) or below –10 °C (14 °F). If assigned to the day or early evening shift,
attempt to park your vehicle in a shaded location, or take the camera inside if you are going to be detained for a period of time. This includes the days you are on leave. Do not store the camera in areas that are subjected to
humidity of over 60% upon leaving the facility.
Officers encountering computers or digital devices must meet the same standards of _________ and __________ prior to securing any computer or digital
device for further investigation.
reasonable suspicion and probable cause
If an officer or detective comes into contact with any computer or digital device which is of interest (an allegation has been made), or the computer or digital device may have evidence [child pornography or evidence of a crime], he should seek consent to search the computer or digital device utilizing ______________ Form (Consent to Search Computer(s), Computer Peripherals & Related Audiovisual or Digital Media/Devices) from the owner or authorized agent of
the device.
Consent to Search
Computer Form P-0527
If the owner or agent of the computer or digital device gives written consent to search via Consent to Search Computer Form P-0527 and allows the computer or
digital device to be taken to the Property and Evidence Facility for further processing or investigation, the officer or detective should:
- In the case of a business or government-owned computer, the officer should allow an agent of the business or government entity (but not the subject or
suspect) to shut down the computer so as not to disturb any specific settings or functionality in the business or government entity’s network:
a. In this situation, the officer should first try to verify the computer is not critical to the operation of the business or government entity prior to having the computer shut down.
b. The officer should document and note in his report how the computer was shut down.
2. Ensure the owner or agent of the computer understands that the computer will be removed from the premise to be searched;
- As applicable, unplug the power cord from the back of the computer (not from the power strip or the wall) to shut the computer down if it is not already turned off; or turn off the digital device. The officer should not attempt to
manipulate or change any settings except for shutting down the computer as described. - Unplug the accessory cables and take only the computer box. In the case where the computer was used in a crime and probable cause exists, other peripherals (i.e., printer, web camera, etc.) should be taken as evidence; and
- If possible, the officer should attempt to obtain a written statement and gather any relevant account passwords and user names from the complainant.
If the owner or agent of the computer or digital device gives written consent to search via Consent to Search Computer Form P-0527 on site or be interviewed but
does not allow the computer or digital device to be taken to the Property and Evidence Facility for further processing, the officer or detective should:
a. Notify the officer’s supervisor and have the officer’s supervisor notify a detective of the pertinent unit to determine a course of action (respond to the scene or notification and consultation only).
b. Follow evidence protection procedures as outlined in Operational Order 08.01, Evidence Protection to ensure the security of the computer or digital device and not allow the computer or digital device to be disturbed.
c. In the case of a business or government computer, officers should coordinate their efforts with a detective from the appropriate unit to prevent the business or government agency from being critically impaired in the case the computer is vital to the operation of the business or government agency.
d. If a detective from the appropriate unit responds, and further investigation reveals probable cause to detain the computer for further investigation, seize the computer and place it into the Property and Evidence Facility as
evidence.
e. After consulting and coordinating with a detective of the appropriate unit, and the detective does not respond to the scene, seize the computer or digital device if probable cause exists.
If the owner or agent of the computer or digital device (of a personally-owned computer) refuses to give consent to a search of the computer or digital device, and no probable cause exists, the officer should complete an _________ and route it to the appropriate unit. If reasonable suspicion has been established and exigent circumstances exist to prevent the destruction of evidence, a detective of the appropriate unit should be notified, and the computer or digital device should
be seized.
Information Report
Officers should not attempt to interview subjects or suspects for crimes related to computer evidence, unless the criminal investigation relating to the computer or
digital device or media is an MCI “_” ________.
“A” patrol responsibility.
Officers should take all printouts, digital media (compact discs, DVDs, or floppy discs) and any pertinent computer hardware or digital devices offered by the complainant, subject/suspect, or agent and place them in the Property and Evidence Facility after completing an Information Report. Care should be taken to ensure any seized item does not come close to any strong _________. Any photographs, printouts, and digital media should not be handled, but should be preserved for latent print examination [if they were possibly handled by a subject/suspect] by placing them in an ______.
magnetic fields
envelope
After a computer, digital media, or digital device has been taken from the owner or agent, the officer should complete an Information Report (unless a General
Offense/Incident Report has been completed for a related incident), document the situation that made the computer or digital device of possible evidentiary interest and document and how the computer was secured and shut down, if applicable, and route the report to the appropriate unit. If an Information Report is completed, the officer should not attempt to follow-up the case, unless the officer coordinates his efforts with the detective from the appropriate unit and has approval from an _____ _____ or above.
Assistant Chief
Examples of situations (not all inclusive) which require routing to specific units may include:
- Fraudulent prescriptions: routed to the Narcotics/Prescription Fraud Unit;
- Forged notes, bills, or other monetary documents: routed to the Economic Crimes Unit;
- An actual known and identified victim of a sex crime: routed to the Special Assault Unit;
- Threats or plots to murder: routed to the Intelligence Unit;
- Internet Crimes against Children – unidentified victim (photographs) of a victim of sexual assault; sexual solicitation of children via computer; sending harmful material to a child; transmission or possession of child pornography; and manufacture of child pornography: routed to the Vice Unit;
- Hate crimes: routed to the Intelligence Unit; and
- And other information may be routed to other detective units based on allegations or probable cause revealed by investigation.
Officers should take the computer or digital device and any other information given by the complainant and place it into the Property and Evidence Facility so further investigation can be completed. The computer or digital device should be wholly enclosed and sealed in a large bag or box, and a ____ should be placed for the
appropriate detective unit.
HOLD
For misdemeanor crimes or for crimes that fall within patrol follow-up responsibilities, officers should coordinate with the most appropriate unit for further guidance to complete his investigation. If forensic examination will be required for prosecution of the case, the computer, digital device, or digital media should be taken to ____ for processing.
FDLE
All investigations related to computers or digital media/devices should be conducted within the legally proven procedures of the training of digital forensics software, FDLE, and FBI guidelines for ______ and ______ Computers and Obtaining Electronic Evidence in Criminal Investigations
(http://www.usdoj.gov/criminal/cybercrime/searching.html).
Searching and Seizing
