
CSRT Training Notes January 26, 2010

CSRT Training Notes Jan 26th, 2010 District 1 Conference Room


High Tech Crimes Unit, presented by Det. Kristl Pohl

Recognizing and Seizing Electronic Evidence. This is a "Bag & Tag" type class for basic investigators.
Currently there is no communication with the computer forensic investigators of other law enforcement
agencies. Vancouver P.D. has a Computer Forensics Lab; they have a better turnaround time than
most. Currently the WSP High Tech Lab has a one-year turnaround. Seattle P.D. is about a year, and the Federal
Labs are about the same.

Search Warrant: (Request a template for warrant wording from the High Tech Unit)
Read the warrant and check that it includes the following:
- Hardware: equipment used to view, manufacture or reproduce
- Software/Data: floppies, CDs, DVDs, zip disks, external HDDs, removable devices
- Manuals: accounting programs, unusual software, specific programs used in the crime, etc.
- All digital information, software and equipment needed to view the data/images as well

If a person is writing a book, or doing research for a business, etc., the agency could be fined if the author
of the work is denied access to it, so providing a cloned copy of the hard drive is important.

Other items: cell phones, MP3 players, USB drives, password manager devices, memory cards. It depends on the
crime, but usually take any device with storage capacity. Fax machines lose memory if unplugged, so take
pictures of the LCD display. Also gaming devices (Xbox, etc.) and digital cameras (still & video).

Removing the Evidence

- Secure the scene immediately. Do not allow the suspect access to the computer.
- Isolate phone lines and network access. Data can be accessed remotely.
- If the computer is off, do not turn it on.
- If the computer is on, take a picture of the display.

Laptop: Same rules apply. See if the computer is on; move the mouse and take a picture of the display.
Desktop PC: do not take the power cords.
Cell Phones: they have an internal memory and a SIM card.
- May contain numbers called, phone books, last calls, caller ID, names & addresses, phone
number, pictures, videos, SMS (text messages), voice
- If on: take power & data cables, remove the battery, prevent contact with the network
- If it is off, leave it off: take power & data cables, remove the battery, prevent contact with the network
- RUSH case: if the phone is on, put it in a paint can and rush it to the High Tech Unit.

Encryption: BitLocker. Not able to access the data; no real decryption software is available.
Look for the lock & key icon in the system tray. Try to find the key somewhere in the area. Otherwise leave the
computer on and ask for a consult from the High Tech Unit. BitLocker Drive Encryption is unbreakable.
It is included with the Ultimate and Enterprise editions of the Vista and Windows 7 operating systems. They require
the use of a thumb drive key. Most people have their password written down somewhere.

Photograph the area where the computer is used.

Photo & Video: Overall scene
The High Tech Unit uses a specific camera for computer evidence: overall shot, then the screen after wiggling the
mouse. Photograph cord connections and document them with photographs. Also the connections to outlets (power,
phone, cables, etc.).

Label each connection and cable as it is removed (make notes), e.g. 1A power, 1B Ethernet, 1C USB.
For packaging the evidence items use anti-static bags, not plastic bags; otherwise use paper. Items from
the same area can be packaged together, e.g. CDs adjacent to the PC.


Servers (business, not home network) are a different situation: do not unplug. Consult a specialist; they
have an FBI specialist who can come to your scene to assist or consult.

For business computers, the High Tech Unit will clone the original drive and give the business the cloned
drive. The WSP High Tech Unit will take the original drive.

Special Problems Encountered:

Fire: usually only affects the exterior of the system unit. The HDD data is usually recoverable.
Water: dry it out and the data can be recovered. The U.S. Secret Service in Arizona has the capability to recover from
damaged drives.

Do not browse through the computer to look for notes or possible evidence.
The High Tech Unit will not examine it, because browsing will change the access times of files, etc.

Processing Vehicles. Presenter: Ron Wojciechowski, Ronald.wojciechowski@wsp.wa.gov

Paint removal tools for collection: use scalpels with curved blades, and a dual saw to cut out sections &
controls. To remove panels: a long screwdriver with a long shank for prying, and two hacksaw blades
with duct tape wrapped on one end to use as handles, to cut the screws holding the panels in case they don't
come out in the usual way.

Things to consider: abraded clear coat where the base metal shows through looks like a white paint
smear when it is not. Let the accident work for you.

Collect control samples. Collect samples from the same section: if the hood, then take the control paint
from the hood, cutting it out if need be. If the sample is weathered, then take controls from weathered areas
and protected areas (this allows for Paint Data Query (PDQ) use). Different sections of the car are painted
differently, e.g. bumper, fender, roof, hood, mirror housing, etc.

For hit and run cases: fibers, hairs and clothing can be expected to be found on car parts, e.g. bumper,
hood, undercarriage.
Look down on the ground around the car. Pick up anything that resembles a car part. Recover broken
glass.
On the investigative question of "who was driving?": collect the floor mats (roll in butcher paper and then
package into a large sack), and collect the bottom of the dash and the door panels (especially the driver side; in a high
speed collision the friction from the suspect's pant leg abrades the panel's surface and melts it, and the plastic
melts to the pant fibers).

For car seats, pick fibers; tape lifts are good, and vacuuming is OK for a clean car but not for an old car. Carpet
samples (2" x 1" section): front, rear, trunk, rear window sill.
Also take everybody's outer clothing and footwear.
Use tweezers/forceps; use white paper for dark fibers and dark paper for light fibers. Post-it
notepaper will work (folded). Do each tape lift separately, and put it on clear plastic.

Tire Impressions
Photography (FUSS): a tripod is essential
- Fill the frame
- Use a scale
- Side light
- Several shots

Soil: conclusions can range from on at the time of the accident, off at the time of the accident, to inconclusive.
Remove large lumps (as one piece, and put in a box; the lab wants to see if there is layering, and to section it for examination) and
protect them. Take about 1/2 cup from in front of the impression or a rut; use air-dry bags. Additional areas to collect
from are under the wheel wells.


Piece matching: collect everything that might be associated, e.g. paint, plastic parts, glass, etc.

Glass findings: could be the same, not the same, inconclusive, could not determine.

Tire impression
Fabric impression
Fibers
Paint: Paint Data Query (PDQ) layers: clear, base coat, primer 1, primer 2
Lamp filaments: were the headlights "on" or "off" at the time the filament broke? These items will need to
be hand delivered to the Spokane Lab (currently they have the only scientists with the expertise to do the
analysis).

Fabric Impression and Fiber Transfer

Example: vinyl smeared on a T-shirt, looks like snot. The dye on the smear (on the shirt) matched the dye of the door
panel. This means that the person was driving at the time of a high speed collision.

Seat belt cut or torn: look at the ends of the fibers.

Air bags: sometimes the airbag seam leaves an impression on the driver's shirt. Talc and starches on the air bags
will transfer.
Needle slap of the speedometer on the gauge: take close-up photographs and cut out the instrument panel.
