July 1, 2004 To establish the policies and procedures of the Cyber Crimes Office.


 

Atlanta Police Department

Policy Manual


Standard Operating Procedure

 

Effective Date

October 1, 2011

 

APD.SOP.5050

Cyber Crimes

Applicable To:  All employees

Approval Authority:  Chief George N. Turner

Signature:  Signed by GNT

Date Signed:  10/4/11

 

Table of Contents

1. PURPOSE

2. POLICY

3. RESPONSIBILITIES

4. ACTION

4.1 Recognizing Potential Evidence

4.2 Requests for Assistance

4.3 Operations

4.4 Preparing for the Search and/or Seizure

4.5 Conducting the Search and/or Seizure

4.6 Other Electronic Storage Devices

4.7 Transporting Computer-related Equipment

4.8 Forensic Analysis

4.9 Electronic Evidence Storage

4.10 Training

4.11 Reporting

5. DEFINITIONS

6. CANCELLATIONS

7. REFERENCES

 

1.               PURPOSE

 

To establish the policies and procedures of the Cyber Crimes Squad.

 

2.               POLICY

 

The Cyber Crimes Squad shall assist other units in the investigation of any crime that involves the use of computers, enhance investigations where computers are a factor in the crime, preserve the integrity of seized computer evidence, and provide expert testimony in court.

 

3.               RESPONSIBILITIES

 

3.1              The Cyber Crimes Squad exists to provide investigative and technical support to officers and investigators in the area of high technology crime (i.e. computer crime, computer media evidence, and major technology component theft).

 

3.2              The Special Enforcement Section commander shall be responsible for the procurement of technical forensic laboratory and investigative equipment needed by the Cyber Crimes Squad, and shall be responsible for the selection of unit members.

 

3.3              The Homeland Security Unit commander shall implement this directive.

 

3.4              Cyber Crimes Squad investigators shall serve as liaison with the Federal Cyber Crimes Taskforce and provide support to Department investigations, including but not limited to the following: computer-related criminal investigations; child pornography; preparation of search warrants for electronic media; on-site support for the execution of search warrants; and initial review of electronic media in situations that are beyond the capabilities of the case investigator.

 

3.5              Employees shall follow this directive when coming into contact with computer-related crimes or evidence.

 

4.               ACTION

 

4.1              Recognizing Potential Evidence

 

4.1.1           Computer-related Evidence

 

1.    Computers and digital media are increasingly used in unlawful activities. The computer may be contraband, fruits of the crime, or a storage container holding evidence of the offense.

 

2.    Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized personal digital assistant, external drives, DVDs, CDs, or the smallest electronic chip device. Images, audio, text, and other data on these media are easily altered or destroyed.

 

3.    It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices.

 

4.1.2           Answering the following questions shall assist in determining the role of the computer in the crime:

 

1.    Is the computer contraband or fruits of a crime?

 

       For example:   Was the computer software or hardware stolen?

 

2.    Is the computer system a tool of the offense?

 

       For example:  Was the system actively used by the defendant to commit the offense? Were fictitious IDs or other counterfeit documents prepared using the computer, scanner, and color printer?

 

3.    Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?

 

       For example:  Is a drug dealer maintaining trafficking records in the computer?

 

4.    Is the computer system both instrumental to the offense and a storage device for evidence?

 

       For example:  Did the computer hacker use the computer to attack other systems and/or to store stolen credit card information?

 

4.1.3           Once the computer’s role is understood, the following essential questions should be answered:

 

1.    Is there probable cause to seize hardware?

 

2.    Is there probable cause to seize software?

 

3.    Is there probable cause to seize data?

 

4.    Where shall the search be conducted?

 

a.    Is it practical to search the computer system on site or must the examination be conducted at a field office or lab?

 

b.    If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?

 

c.    Considering the incredible storage capacities of computers, how shall experts search this data in an efficient and timely manner?

 

4.2              Requests for Assistance

 

4.2.1           During normal business hours, requests for assistance shall be routed to the Homeland Security Unit commander or his or her designee.

 

1.    Requests shall be handled according to priority, and Cyber Crimes Squad availability.  A response protocol shall be developed and followed by the Cyber Crimes Squad.

 

2.    The Homeland Security Unit shall provide after hours contact information for the Cyber Crimes Squad investigator to the Communications Section.  The unit commander or his or her designee must authorize compensatory time or overtime for after hours work by the Cyber Crime Squad.

 

4.2.2           Cyber Crimes Squad employees can provide telephone consultation and/or respond to the scene in situations where evidence-related computer equipment is powered on and such equipment involves standard operating systems.

 

4.2.3           The unit commander or his or her designee can authorize other responses, as warranted by circumstances. 
 

4.2.4           Cyber Crimes Squad members shall not usually respond to assist with routine seizures of computer evidence where systems are powered off and not networked.

 

4.3              Operations

 

4.3.1           When Cyber Crimes Squad members respond to scenes to assist with computer related evidence, they shall have final authority on the handling, collection, and preservation of such evidence.

 

4.3.2           When Cyber Crimes Squad investigators are not on the scene:

 

1.    Department employees are cautioned not to turn on computer equipment that is off, and not to disturb any equipment already on, except for powering it down properly.

 

2.    Employees not familiar with procedures for the proper shutdown and powering off of computer equipment should confer with a Cyber Crimes Squad member before doing so.

 

3.    Employees should not attempt to view files, or operate software on any computer equipment that potentially contains criminal evidence.  Doing so may damage evidence, compromise the integrity of an investigation, and limit any digital evidence that can be forensically recovered.

 

4.3.3           Computer Equipment (CALEA 5th edition standard 83.2.5)

 

1.    Before handling or moving any equipment, officers shall contact an investigator.  Photograph or videotape the equipment in its original position, including any information displayed on any monitors or output devices.

 

2.    Do not remove any external memory devices, CD, DVD from any drives. All software, disks, external memory devices and manuals in the area of the equipment being recovered shall also be collected.

 

3.    Leave the non-networked equipment on and unplug the power source only from the back of the equipment. Once the power is disconnected, all wires and connections shall be labeled so that they can be reconnected later exactly as they were found.

 

4.4              Preparing for the Search and/or Seizure

 

4.4.1           Using evidence obtained from a computer in a legal proceeding requires:

 

1.    Probable cause for the issuance of a warrant or an exception to the warrant requirement.

 

2.    Caution: When encountering potential evidence that may be outside the scope of the existing warrant or legal authority, contact the Cyber Crimes Squad or the prosecutor, as an additional warrant may be necessary.

 

3.    Use of appropriate collection techniques, so as not to alter or destroy evidence.

 

4.    Forensic examination of the system completed by trained personnel in a speedy fashion, with expert testimony available at trial.

 

4.5              Conducting the Search and/or Seizure

 

4.5.1           Once the computer’s role is understood and legal requirements are fulfilled, secure the scene:

 

1.    Officer safety is paramount.

 

2.    Preserve the area for potential fingerprints.

 

3.    Immediately restrict access to computer(s).

 

4.    If a computer is determined to be evidence, the officer should immediately ascertain whether a wireless router is present on the scene and, if so, remove any phone, Cat 5, Ethernet or other data-transfer cable from the router, unless the target computer is part of a network whose disconnection would have a detrimental effect on the normal operating processes of a business.

 

5.    Leave USB devices plugged in and conduct a soft shutdown on the computer (shutting the computer down under software control, without removing power from the system).

 

4.5.2           Stand-Alone Computer (non-network):

 

1.    Consult a Cyber Crimes Squad investigator.

 

2.    If investigator is not available:

 

a.    Photograph the screen, then disconnect all power sources; unplug from the wall and the back of the computer.

 

b.    Place evidence tape over each drive slot.

 

c.    Photograph, diagram and label the back of computer components with existing connections.

 

3.    Label all connectors and cable ends to allow reassembly as needed.

 

4.5.3           Networked Computers

 

1.    Consult a Cyber Crimes Squad investigator for further assistance; do not take action without Cyber Crimes Squad guidance.

 

2.    Pulling the plug could:

 

a.    Severely damage the system

 

b.    Disrupt legitimate business

 

c.    Create officer and Department liability

 

3.    All umbilical devices connected to the computer being recovered, such as mouse, printers, monitors, scanners, etc., should be recovered as well.

 

4.6              Other Electronic Storage Devices

 

Electronic devices may contain viable evidence associated with criminal activity. Unless an emergency exists, the device should not be accessed. Should it become necessary to access the device, all actions associated with the manipulation of the device should be noted, in order to document the chain of custody and ensure its admission in court.

 

4.6.1           Wireless Communication Devices – Cell Phones, Pads, and Tablets

 

1.    Potential Evidence Contained in Wireless Communication Devices:

 

a.    Numbers called

 

b.    Names and addresses

 

c.    Caller ID for incoming calls

 

d.    Other information contained in the memory of wireless telephones

 

e.    Phone/pager numbers

 

f.     PIN numbers

 

g.    Voice mail access numbers

 

h.    Voice mail password

 

i.     Debit card numbers

 

j.     Calling card numbers

 

k.    E-mail and Internet access information

 

l.     The on screen image may contain other valuable information

 

2.    On and Off Rule

 

a.    If the device is “ON”, do NOT turn it “OFF”

 

(1)   Turning it “OFF” could activate the lockout feature, do NOT power down prior to transport (take any power supply cords present).

 

(2)   Write down all information on display (photograph if possible).

 

(3)   Notify Cyber Crimes Squad personnel immediately if you suspect critical information is on a phone that you did not turn off.  Cyber Crimes Squad personnel shall advise the requesting officer how to obtain the proper warrant or waivers, and shall attempt to recover the data from the phone prior to its being turned in to property.  The phone should be secured in a “faraday” bag, or placed in an area where it cannot receive radio signals, until the phone is examined.

 

b.    If the device is “OFF”, leave it “OFF”

 

(1)   Turning it on could alter evidence on the device (same as computers).

 

(2)   Upon seizure get it to an expert as soon as possible or contact local service provider.

 

(3)   If an expert is unavailable, USE A DIFFERENT TELEPHONE and contact 1-800-LAWBUST (a 24 hour service provided by the wireless telephone industry).

 

(4)   Make every effort to locate any instruction manuals pertaining to device.

 

4.6.2           Facsimile Machines

 

1.    Potential Evidence contained in Fax machines:

 

a.    Speed dial list

 

b.    Stored faxes (incoming and outgoing)

 

c.    Fax transmission logs (incoming and outgoing)

 

d.    Header line

 

e.    Clock setting

 

2.    Best Practices – Fax Machines:

 

       If a fax machine is found “ON,” leave it “ON.”  Powering down may cause the loss of the last number dialed and/or stored faxes.  Pull the plug directly from the wall.

 

3.    Other Considerations:

 

a.    Record telephone line number fax is plugged into

 

b.    The header line should match the phone line number; note, however, that the header line is set by the user.

 

c.    All manuals should be seized with equipment, if possible

 

4.6.3           Caller ID Devices

 

1.    Potential Evidence contained in Caller ID Devices:

 

a.    May contain telephone numbers from incoming telephone calls

 

b.    May contain subscriber information from incoming telephone calls

 

 

2.    Best Practices – Caller ID Devices:

 

a.    Interruption of the power supply to device may cause loss of data if not protected by internal battery back-up.

 

b.    Document all stored data prior to seizure or loss of data may occur.

 

4.6.4           Smart Cards: A plastic card the size of a standard credit card that holds a microprocessor (chip) which is capable of storing monetary value and other information.  Smart Card technology is used in some wireless telephones and may be found with wireless devices (see Section 4.6.1).

 

1.    Potential Evidence contained in Smart Cards:

 

a.    Secure logon and authentication of users

 

b.    Storage of digital certificates, credentials and passwords

 

c.    Encryption of sensitive data

 

2.    Best Practices – Smart Cards:

 

a.    Contact a Cyber Crimes Squad investigator for further information.

 

b.    Use appropriate collection techniques so as not to alter or destroy evidence.

 

4.6.5           Tracing an Internet Email

 

1.    When an Internet e-mail message is sent, the user typically controls only the recipient line(s) (To: and Bcc:), the Subject: line, and the message itself.

 

2.    E-mail software adds the rest of the header information as it is processed.

       Officers responding and collecting e-mail evidence shall collect the Internet e-mail Header information.  This information is vital to tracing e-mails.  If the responding officer isn’t sure how to collect this information, they should contact Cyber Crimes Squad investigators.

 

3.    Reading an email header:

 

Sample Email Header

-----Message header follows-----

(1) Return-path: <abottom@abcd.gov>

(2) Received: from xyz.gov by abcd.gov id BB68238; Fri, 28 Dec 99 15:50:49 EST

(3) Received: from localhost by abcd.gov id AA12345; Fri, 28 Dec 99 15:50:01 EST

(4) Message-Id: <9876654.AA12345@xyz.gov>

(5) Date: Fri, 28 Dec 99 15:50:01 PST

(6) From: “A. Bottoms” <abottom@abcd.gov>

(7) To: Dave Smit <dsmit@hij.com>

(8) CC: Ganggang@klm.net, Danny K <DK99999@aol.com>

 

a.    Line (1) tells other computers who really sent the message, and where to send error messages (bounces and warnings).

 

b.    Lines (2) and (3) show the route the message took, from sending to delivery.

Each computer that receives this message adds the “received” field with its complete address and time stamp; this helps in tracking delivery problems.

 

c.    Line (4) is the Message-ID, a unique identifier for this specific message. This ID is logged, and can be traced through computers on the message route if there is a need to track the mail.

 

d.    Line (5) shows the date, time, and time zone when the message was sent.

 

e.    Line (6) tells the name and e-mail address of the message originator (the “sender”).

 

f.     Line (7) shows the name and e-mail address of the primary recipient; the address may either be for a mailing list, system-wide alias, or a personal username.

 

g.    Line (8) lists the names and e-mail addresses of the “courtesy copy” recipients of the message. There may be “Bcc:” recipients as well; these “blind carbon copy” recipients get copies of the message, but their names and addresses are not visible in the headers.
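The following Python script is an added illustration of reading the header fields described above; it is not part of the SOP. It parses a constructed header modelled on the sample (fictitious hosts and addresses), rebuilds the relay route from the Received: lines in the order the message actually travelled, and flags inconsistencies an examiner would note. The function names and the specific anomaly checks are assumptions of this example.

```python
"""Reconstruct the delivery route of an e-mail from its header lines."""
import email
import re
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample, modelled on the SOP's sample header (section 4.6.5).
SAMPLE_HEADER = """\
Return-Path: <abottom@abcd.gov>
Received: from xyz.gov by abcd.gov id BB68238; Fri, 28 Dec 99 15:50:49 EST
Received: from localhost by abcd.gov id AA12345; Fri, 28 Dec 99 15:50:01 EST
Message-Id: <9876654.AA12345@xyz.gov>
Date: Fri, 28 Dec 99 15:50:01 PST
From: "A. Bottoms" <abottom@abcd.gov>
To: Dave Smit <dsmit@hij.com>
CC: Ganggang@klm.net, Danny K <DK99999@aol.com>

"""

# Matches the simple "from X by Y id Z; timestamp" form used in the sample.
# Real relays often add comments and "with ESMTP" clauses; extend as needed.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+)(?:\s+id\s+(\S+))?\s*;\s*(.+)$")


def parse_received(value):
    """Split one Received: line into the relay pair, queue id and timestamp."""
    match = RECEIVED_RE.match(" ".join(value.split()))
    if not match:
        return None
    sender, receiver, queue_id, stamp = match.groups()
    return {"from": sender, "by": receiver, "id": queue_id,
            "time": parsedate_to_datetime(stamp)}


def trace_header(raw_header):
    """Return the originator, recipients, Message-ID and the hop-by-hop route."""
    msg = email.message_from_string(raw_header)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Each relay prepends its own Received: line, so the bottom line is the
    # first hop; reversing puts the route in chronological order.
    hops.reverse()
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "message_id": msg.get("Message-Id"),
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipients": [addr for _, addr in getaddresses(to_cc)],
        "date": parsedate_to_datetime(msg["Date"]),
        "route": hops,
    }


def route_anomalies(info):
    """Consistency checks an examiner would note before relying on the header."""
    notes = []
    route = info["route"]
    for earlier, later in zip(route, route[1:]):
        if later["time"] < earlier["time"]:
            notes.append(f"hop via {later['by']} is stamped before the previous hop")
    if route and info["date"] > route[0]["time"]:
        notes.append("Date: header is later than the first Received: stamp")
    domain = lambda addr: addr.rsplit("@", 1)[-1].lower()
    if info["return_path"] and info["sender"] and \
            domain(info["return_path"]) != domain(info["sender"]):
        notes.append("Return-Path domain differs from From: domain")
    return notes


if __name__ == "__main__":
    result = trace_header(SAMPLE_HEADER)
    for hop in result["route"]:
        print(f"{hop['time'].isoformat()}  {hop['from']} -> {hop['by']} (id {hop['id']})")
    print("anomalies:", route_anomalies(result))
```

On the sample, the route reads localhost -> abcd.gov -> abcd.gov, and the PST Date: stamp falls three hours after the EST Received: stamp, which the checks flag.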

 

4.7              Transporting Computer-related Equipment

 

4.7.1           If transporting is required, package components and transport/store components as fragile cargo.  Keep away from magnets, radio transmitters and otherwise hostile environments.

 

4.7.2           Do not transport any electronic equipment in the trunk of a vehicle that has any kind of Police radio; this can cause damage to the evidence.  It is best placed on the back seat.

 

4.7.3           Protect the equipment from the weather and transport it as soon as possible to Property Control.

 

4.7.4           Place all the diskettes and other electronic storage devices in a paper bag or leave them in their own holders.

 

4.8              Forensic Analysis

 

4.8.1           The forensic analysis of digital evidence is guided by the request of the submitting officer and the scope of the search warrant/waiver, where applicable.

 

1.    Analyzing digital media is for the recovery of both incriminating and exculpatory evidence.

 

2.    Examinations shall be conducted in an unbiased approach.

 

3.    Each analysis is different, and the methods used to recover evidence shall vary somewhat from case to case.

 

4.8.2           Forensic examinations of computer related media for digital evidence shall be conducted upon written request, utilizing the Computer Evidence Submission form (APD-353) and accompanied by the required documents (i.e. waivers, warrant affidavits, supplements, etc.).

 

1.    Computer analysis requests must be routed through the Homeland Security Unit commander.
 

2.    Examinations shall be scheduled in the order they are received, unless specific needs are articulated that require certain cases be handled before others.

 

4.8.3           Cyber Crimes Squad members shall coordinate with the Homeland Security Unit commander on conducting casework and forensic examinations.

 

1.    In-Lab forensic examinations of computer media shall be performed as time allows or on overtime, as appropriate.

 

2.    The Cyber Crimes Squad equipment shall be kept secure and in a locked location.

 

3.    For access to any Computer Crime Lab facilities in the Special Enforcement Section, non-APD members must be escorted by the SES commander, Homeland Security Unit commander, or a Cyber Crimes Squad member.

 

4.8.4           When conducting analyses of computers and/or digital media, the Cyber Crimes Squad shall follow generally accepted forensic examination practices as employed by federal, state, and local law enforcement agencies across the United States.

 

4.9              Electronic Evidence Storage

 

4.9.1           Due to the fragile nature of computerized electronics, evidence must be stored properly. 

 

4.9.2           The Property Control Unit shall maintain a storage area for all electronic evidence that is air-conditioned/heated, and has humidity control.

 

1.    Electronic evidence should be stored at 50 to 68 degrees Fahrenheit and 25 to 40% relative humidity.

 

2.    The storage area must also be shielded from magnetic fields.  Electric motors, car and home speakers contain magnets and should be stored far away from all electronic evidence.  City transmitting radio equipment, i.e. antennas, microwave, transmitters, must also be kept away from electronic evidence.  Plastic and metal shelving can carry static and magnetic fields, and should be avoided.

 

3.    This storage area should include areas for plugging in electronic devices that may require power to maintain the evidence.  These power receptacles should be backed up by UPS systems (battery backup) and protected against electrical power spikes and surges.  
 

4.9.3           Images of electronic evidence

 

1.    All images (copies) of electronic evidence shall be handled in the same manner as original electronic evidence.

 

a.    All accesses to the image (copy) of the electronic evidence shall be logged.

 

b.    A copy of the access log shall be maintained for a period of 10 years, or longer if the case has not reached its final conclusion.

 

2.    All images (copies) of original evidence shall be stored for 180 days after the case is turned over to the District Attorney’s office.

 

3.    If the District Attorney requires the images (copies) to be maintained longer than the 180 days, they should be required to provide storage space for the images (copies) and they shall be turned over to the District Attorney’s office for storage.

 

4.9.4           Original electronic evidence should be maintained until the case is adjudicated, following the current property control guidelines.  Since some electronic evidence may in fact be contraband (i.e., child pornography) or personal information covered by HIPAA, NO electronic evidence shall be released to the public, unless ordered by the court, without first being securely wiped (erased) to Department of Defense standards.  Original evidence returned to the original owner shall not automatically be wiped (erased), unless it contained contraband (i.e., child pornography) or unless ordered by the court.

 

4.10            Training

 

4.10.1         The Cyber Crimes Squad shall seek training opportunities to maintain skills and knowledge.

 

4.10.2         The Cyber Crimes Squad shall be knowledgeable of statutes, case law, and guidelines (state and federal) pertaining to computer crime and digital evidence.

 

4.10.3         Department members shall confer with the Cyber Crimes Squad on situations where they are not clear on legal or procedural issues, especially when an investigation may involve electronic communications (e-mail seizure, publishing – online or otherwise, etc.).

 

4.11            Reporting

 

4.11.1         Cyber Crimes Squad members shall follow the general Department protocols for any investigative reports they prepare.

 

4.11.2         Forensic analysis reports generated by Cyber Crimes Squad investigators shall be prepared according to established Unit protocols.

 

4.11.3         The Criminal Investigation Division supervisors shall forward copies of any incident reports or completed investigations involving the use of a computer.

 

4.11.4         The Criminal Investigation Division supervisors shall also forward copies of cases involving any retail, commercial or government entities and any cases involving a loss (greater than $10,000) of computer equipment.

 

1.    If the evidence is retained for investigation by Cyber Crimes Squad investigators, a copy shall be sent to the Cyber Crimes Squad.

 

2.    This process shall aid in tracking instances of computer-involved crime.

 

3.    The Cyber Crimes Squad shall maintain statistics on computer-related crimes, regardless of what unit actually investigates the case.

 

5.               DEFINITIONS

 

5.1              Faraday bag:  A container that blocks radio frequencies.

 

5.2              Image:  Copies of electronic evidence.

 

5.3              Network Computer: A computer system that operates exclusively via a network connection. It boots off the network, but runs its applications locally, using its own CPU and memory.

 

6.               CANCELLATIONS

 

APD.SOP.5050 Cyber Crimes, effective April 1, 2007

 

7.               REFERENCES

 

Electronic Crime Scene Investigation:  A guide for first responders

 

CALEA Standards:  83.2.5