I don't recall if anyone mentioned the DOJ's "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" page:

  http://www.usdoj.gov/criminal/cybercrime/searching.html

Lots of USA-relevant info there if you want a good read - very well referenced with regard to legal issues and case law. No technical how-to information, however...

Here's the index of the article you'll find if you follow the link to the secondary "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" web page:

  http://www.usdoj.gov/criminal/cybercrime/searchmanual.htm

INTRODUCTION

I. SEARCHING AND SEIZING COMPUTERS WITHOUT A WARRANT
   A. Introduction
   B. The Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers
      1. General Principles
      2. Reasonable Expectation of Privacy in Computers as Storage Devices
      3. Reasonable Expectation of Privacy and Third-Party Possession
      4. Private Searches
   C. Exceptions to the Warrant Requirement in Cases Involving Computers
      1. Consent
         a) Scope of Consent
         b) Third-Party Consent
         c) Implied Consent
      2. Exigent Circumstances
      3. Plain View
      4. Search Incident to a Lawful Arrest
      5. Inventory Searches
      6. Border Searches
      7. International Issues
   D. Special Case: Workplace Searches
      1. Private-Sector Workplace Searches
         a) Reasonable Expectation of Privacy in Private-Sector Workplaces
         b) Consent in Private-Sector Workplaces
         c) Employer Searches in Private-Sector Workplaces
      2. Public-Sector Workplace Searches
         a) Reasonable Expectation of Privacy in Public Workplaces
         b) "Reasonable" Workplace Searches Under O'Connor v. Ortega
         c) Consent in Public-Sector Workplaces

II. SEARCHING AND SEIZING COMPUTERS WITH A WARRANT
   A. Introduction
   B. Planning the Search
      1. Basic Strategies for Executing Computer Searches
         a) When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
         b) When Hardware Is Merely a Storage Device for Evidence of Crime
      2. The Privacy Protection Act
         a) A Brief History of the Privacy Protection Act
         b) The Terms of the Privacy Protection Act
         c) Application of the PPA to Computer Searches and Seizures
      3. Civil Liability Under the Electronic Communications Privacy Act
      4. Considering the Need for Multiple Warrants in Network Searches
      5. No-Knock Warrants
      6. Sneak-and-Peek Warrants
      7. Privileged Documents
         a) The Attorney General's Regulations Relating to Searches of Disinterested Lawyers, Physicians, and Clergymen
         b) Strategies for Reviewing Privileged Computer Files
   C. Drafting the Warrant and Affidavit
      Step 1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
      Step 2: Establish Probable Cause in the Affidavit
      Step 3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy (Such as the Need to Conduct an Off-site Search) as Well as the Practical and Legal Considerations That Will Govern the Execution of the Search
   D. Post-Seizure Issues
      1. Searching Computers Already in Law Enforcement Custody
      2. The Permissible Time Period for Examining Seized Computers
      3. Rule 41(e) Motions for Return of Property

III. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
   A. Introduction
   B. Providers of Electronic Communication Service vs. Remote Computing Service
      "Electronic communication service"
      "Electronic storage"
      "Remote computing service"
   C. Classifying Types of Information Held by Service Providers
      1. Basic Subscriber Information Listed in 18 U.S.C. § 2703(c)(1)(C)
      2. Records or Other Information Pertaining to a Customer or Subscriber
      3. Contents
   D. Compelled Disclosure Under ECPA
      1. Subpoena
      2. Subpoena with Prior Notice to the Subscriber or Customer
      3. Section 2703(d) Order
      4. Section 2703(d) Order with Prior Notice to the Subscriber or Customer
      5. Search Warrant
   E. Voluntary Disclosure
      1. Contents
      2. Records Other than Contents
   F. Quick Reference Guide
   G. Working with Network Providers: Preservation of Evidence, Preventing Disclosure to Subjects, and Cable Act Issues
      1. Preservation of Evidence under 18 U.S.C. § 2703(f)
      2. Orders Not to Disclose the Existence of a Warrant, Subpoena, or Court Order
      3. Possible Conflicts with the Cable Act, 47 U.S.C. § 551
   H. Remedies
      1. Suppression
      2. Civil Actions

IV. ELECTRONIC SURVEILLANCE IN COMMUNICATIONS NETWORKS
   A. Introduction
   B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-27
   C. The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22
      1. Introduction: The General Prohibition
      2. Key Phrases
         "Wire communication"
         "Electronic communication"
         "Intercept"
      3. Exceptions to Title III
         a) Interception Authorized by a Title III Order, 18 U.S.C. § 2518
         b) Consent of a Party to the Communication, 18 U.S.C. § 2511(2)(c)-(d)
         c) The Provider Exception, 18 U.S.C. § 2511(2)(a)(i)
         d) The Extension Telephone Exception, 18 U.S.C. § 2510(5)(a)
         e) The 'Inadvertently Obtained Criminal Evidence' Exception, 18 U.S.C. § 2511(3)(b)(iv)
         f) The 'Accessible to the Public' Exception, 18 U.S.C. § 2511(2)(g)(i)
   D. Remedies for Violations of Title III and the Pen/Trap Statute
      1. Suppression Remedies
         a) Statutory Suppression Remedies
         b) Constitutional Suppression Remedies
      2. Defenses to Civil and Criminal Actions
         a) Good-Faith Defense
         b) Qualified Immunity

V. EVIDENCE
   A. Introduction
   B. Authentication
      1. Authenticity and the Alteration of Computer Records
      2. Establishing the Reliability of Computer Programs
      3. Identifying the Author of Computer-Stored Records
   C. Hearsay
      1. Inapplicability of the Hearsay Rules to Computer-Generated Records
      2. Applicability of the Hearsay Rules to Computer-Stored Records
   D. Other Issues
      1. The Best Evidence Rule
      2. Computer Printouts as "Summaries"

VI. APPENDICES
   Appendix A: Sample Network Banner Language
   Appendix B: Sample 18 U.S.C. § 2703(d) Application and Order
   Appendix C: Sample Language for Preservation Request Letters under 18 U.S.C. § 2703(f)
   Appendix D: Sample Pen Register / Trap and Trace Application and Order
   Appendix E: Sample Subpoena Language
   Appendix F: Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers
   Appendix G: Sample Letter for Provider Monitoring

*************************************
Eric R. Rowe - A.C.F.Sc.
Computer Systems Coordinator
School of Nursing - UBC
(604) 822-7439
*************************************

--- "Mike S. Medintz" <medintzat_private> wrote:
> What would you recommend for some reading and training in the field?
>
> I'm no computer specialist: Most of my training thus far has actually been in a completely different field. However, I do run Linux and have some idea of how to make it do what I want. What I need, though, is something that goes deeper than _Running Linux_ or _Computer Crime_ by Icove, Seger, and VonStorch.
>
> What I'd especially like are some "best practices" guides. For anything and everything, really. If you have them, though, for DOS attacks and for seizing computers and accessories, those would be especially valuable. Even a guide to what questions I should be asking and what I should be seizing.
>
> Any suggestions? Any organizations that I should consider joining? Any classes I should take (bearing in mind that they'll have to come out of my own pocket)?
>
> My main priority, as an officer, is to be able to take the report and collect the evidence in a way that'll actually do some good. The academy didn't get into this stuff in much detail :)
>
> Mike S. Medintz <medintzat_private>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 17:36:38 PDT