{<script>$('body').removeClass().addClass('skull')</script>
(set: $takenotes to 0)
(set: $speakwiththeofficer to 0)
(set: $shakethemouse to 0)
(set: $shakethemousewithpower to 0)
(set: $typeonthekeyboard to 0)
(set: $pulltheplug to 0)
(set: $shutdownnormally to 0)
(set: $pressthepowerbutton to 0)
(set: $searchrooma to 0)
(set: $savedocument to 0)
(set: $deletechanges to 0)
(set: $typeonthekeyboardwithpower to 0)
(set: $approachcellphone to 0)
(set: $searchremainderofroom to 0)
(set: $searchcomputer to 0)
(set: $pullbattery to 0)
(set: $cellphonepowerdown to 0)
(set: $tablet to 0)
(set: $USB to 0)
(set: $checknetwork to 0)
(set: $checkwifi to 0)
(set: $checkpassword to 0)
(set: $paperbag to 0)
(set: $plasticbag to 0)
(set: $faradaybag to 0)
(set: $disablewifi to 0)
(set: $disablepassword to 0)
(set: $airplanemode to 0)
(set: $computerwipe to 0)
(set: $turniton to 0)
(set: $guesspassword to 0)
}On June 11, you receive a call from your local police department. A serious crime has been reported, and they need your assistance yet again. A man has been accused of murdering his wife in cold blood. The officer tells you that the suspect and his wife lived with a roommate, with whom the man believed his wife was having an affair. They will have more to tell you at the scene.
A crime of passion. Digital evidence would most certainly be involved.
Before you leave your lab to go to the scene, you prepare your "jump bag" with equipment that you may need, anticipating what you might encounter as best you can.
[[Head to the scene->...]]{<script>$('body').removeClass().addClass('house')</script>
}After gathering the equipment you need, you travel to the scene, arrive, and find a simple house. Nothing too fancy, but not the kind of house where an average person would expect a crime like this to occur.
You observe your surroundings to get your bearings. An officer is nearby shuffling paperwork. He is clearly the one who is responsible for securing the scene. To his left is the entrance of the house. You grab your equipment and step forward to...
[[Enter the house]]
[[Speak with the Officer]]
[[Take notes]]{<script>$('body').removeClass().addClass('hallway')</script>
}You enter through the front door and begin your investigation. Upon entering the house, you decide to head straight to the couple's bedroom, as this may be the area in which you are most likely to find relevant evidence.
(if: $takenotes is 1)[
You make a note of your actions.
]
You enter the house and come to a hallway with two doors: one on the right and one on the left. You aren't sure which room to enter, and there's no one around to ask for assistance.
(if: $speakwiththeofficer is not 0)[
Thinking back, you remember what the officer told you earlier: the room to the left belongs to the suspect, the room to the right belongs to the roommate. Only the suspect is included in the search warrant.
]
You choose to...
[[Enter the right door]]
[[Enter the left door]]
{<script>$('body').removeClass().addClass('officer')</script>
(set: $speakwiththeofficer to 1)
}You approach the officer and ask him a few questions to gain more information about the case. He gives you a copy of the search warrant, which will advise you as to what is or is not allowed to be examined during your search. The validity of the evidence you gather hinges on your ability to follow what is laid out in the search warrant.
Upon reading the warrant, a few things catch your eye:
1. You are looking for digital evidence, belonging to only the suspect or the deceased.
2. You are looking for digital evidence located in common areas or areas belonging to only the suspect or the deceased.
After thoroughly reading the search warrant, you...
[[Speak further to the officer]]
[[Enter the house]]
(if: $takenotes is 0)[ [[Take notes]]]{<script>$('body').removeClass('house').addClass('notes')</script>
(set: $takenotes to 1)
}You note some initial details about the scene to help you remember in case you end up having to testify to your actions in court.
You make sure to write down:
-the time you arrived at the scene
-the equipment you brought with you
-the address where you are located
<span style="color: red;">''Since you realize the importance of note-taking, you make sure to consistently take notes throughout the case. These notes will include where you go, what you do, and the evidence that you choose to collect.''</span>
After making your initial notes, you...
{(if: $speakwiththeofficer is 2)[ [[Talk to the officer one final time]]]
(elseif: $speakwiththeofficer is 1)[ [[Speak further to the officer]]]
(else:)[ [[Speak with the Officer]]]
}
[[Enter the house]]{<script>$('body').removeClass().addClass('officer')</script>
(set: $speakwiththeofficer to 2)
}You decide to ask the officer a few more questions. He reiterates that the roommate is not included in the search warrant and that his belongings are off limits as far as this investigation is concerned. This extends to the roommate's room, which he tells you is the one on the right side of the hallway.
The officer states that he needs to get back to work and resumes shuffling his papers and monitoring the scene.
You decide to...
[[Enter the house]]
[[Talk to the officer one final time]]
(if: $takenotes is 0)[ [[Take notes]]]{<script>$('body').removeClass().addClass('rightroom')</script>
}You enter the right door and see a standard looking bedroom. You take a brief inventory of the furniture in the room: a bed, a dresser, and a nightstand.
Thinking back on what you know about the case so far, you decide to...
[[Search this room ->Search Room A]]
[[Go back to the hallway]]{<script>$('body').removeClass().addClass('suspectroom')</script>
}You enter the door on the left and see what appears to be a bedroom that doubles as a home office. What immediately draws your attention is the desk in the corner. There is a desktop computer sitting on top, complete with a monitor and a separate computer tower. There is a cell phone attached to its charger next to the computer. It looks like you found the suspect's room.
After surveying the room, you decide to...
(if: $searchcomputer is 0)[ [[Approach the computer]]]
(if: $approachcellphone is 0)[ [[Approach the cell phone]]]
(if: $searchremainderofroom is 0)[ [[Search the remainder of the room]]]
[[Leave the room]]{<script>$('body').removeClass().addClass('computeroff')</script>
}After approaching the computer, you notice a blinking green light on the tower. However, the monitor's screen is black, and no lights are visible on it.
(if: $takenotes is 1)[
You make a note of the condition of the machine at the time you arrived.
]
You decide to...
(if: $pressthepowerbutton is 0)[ [[Press the power button on the monitor]]]
(if: $shakethemouse is 0)[ [[Shake the mouse]]]
(if: $typeonthekeyboard is 0)[ [[Type on the keyboard]]]
(if: $pulltheplug is 0)[ [[Pull the plug from the tower ->Pull the plug]]]{<script>$('body').removeClass().addClass('phonecharging')</script>
(set: $approachcellphone to 1)}From what you can tell just by looking at it, the cell phone is a smart phone. It is currently plugged in to a charger through a wall outlet. The screen is on and does not appear to be locked. You are not sure if it is like this all the time or if it has been configured by the user to remain unlocked only while charging.
(if: $takenotes is 1)[
You make a note of the condition of the phone at the time you arrived.
]
After briefly examining the condition of the device, you make the decision to...
[[Pull the plug and remove the battery ->Pull the plug and the battery]]
[[Pull the plug and shutdown the phone normally ->Pull the plug and shutdown normally]]
[[Access the settings on the phone ->Access settings of the phone]]
[[Collect it as is]]{<script>$('body').removeClass().addClass('hallway')</script>}You return to the hallway to think back on what you have learned about the case.
(if: $searchrooma is 0)[
In the hallway, there is a door behind you, from which you have just exited, and a door across from you, which you have yet to enter.
You decide to...
[[Enter the right door]]
[[Reenter the room you just left to continue your search ->Enter the left door]]]
(elseif: $searchrooma is 1)[ You have already thoroughly searched the other bedroom, leaving behind no items of interest. The only location left for you to search is the room you have just left.
You turn around and [[reenter the room you just left to continue your search. ->Enter the left door]]]{<script>$('body').removeClass().addClass('officer')</script>
}The officer tells you that he has a job to do at the scene too, and if you are going to keep asking questions and keep him from his work, you might as well just go home. Turns out that another of his duties is to monitor who is allowed in and out of the scene.
Embarrassed, head down, you are forced to leave the scene. Congratulations, you now have to go back to the office and explain why you were kicked out of a crime scene before you even set foot in it.
THE END
[[Go Back and Try Again? ->Speak further to the officer]]{<script>$('body').removeClass().addClass('hallway')</script>}You return to the hallway to think back on what you have learned about the case.
(if: $speakwiththeofficer is not 0)[(if: $searchrooma is 0)[
The search warrant did not include the roommate's belongings. Good thing you left the room prior to collecting any items as evidence, or you could have jeopardized the whole case.
]]
In the hallway, there is a door behind you, from which you have just exited, and a door across from you, which you have yet to enter.
You decide to...
[[Enter the left door]]
[[Turn around and reenter the right door ->Search Room A]]{<script>$('body').removeClass().addClass('rightroom')</script>
}{(if: $searchrooma is 1)[ There is nothing else in the room to collect, so you [[go back to the hallway ->Go back to the hallway]]]
}(else:)[ While looking around, you notice a desk in the corner that seems to house a laptop computer and a number of software and hardware manuals. It appears as though there is little else in this room of interest.
You decide to...
[[Examine the laptop further]]
[[Go back to the hallway]]]{<script>$('body').removeClass().addClass('rightroom')</script>
(set: $searchremainderofroom to 1)}You remember your training, during which you learned that an individual does not always leave all of their equipment and technology in plain sight. You decide then that it is appropriate to search the remainder of the room, in case a smaller device is hidden from view.
Several minutes pass...
After some time, you locate a tablet in a lower dresser drawer and a USB drive at the bottom of a trash can.
You decide to first examine the...
[[Tablet]]
[[USB Drive]]{<script>$('body').removeClass().addClass('ipadoff')</script>
(set: $tablet to 1)}The tablet appears to be a standard iPad. It is currently off. You do not know whether this is because the battery is dead or because it was safely powered off.
You decide to...
[[Try to power it on ->Turn it on]]
[[Leave it off and collect it as is]]{<script>$('body').removeClass().addClass('USB')</script>
(set: $USB to 1)}The flash drive has a small storage capacity, only 2 GB from what you can tell. The fact that it seemed to be hidden makes you think that there could be some relevant data on it.
You know you will want to examine it in the lab, but maybe first you should check its contents. The only computer you have access to is the suspect's computer.
You decide to...
[[Plug it into the suspect's computer to view its contents ->Plug into the computer to check what is on it]]
[[Collect without examining]]{<script>$('body').removeClass().addClass('screensaver')</script>}(set: $pressthepowerbutton to 1)The monitor powers on and displays what appears to be the screensaver of the computer. It is clear that the computer is on, meaning data that was last accessed by the user could be visible, if only the screensaver was not active.
(if: $takenotes is 1)[You make a note of what you have done to the computer.
]
Knowing what you know about computers and screensavers, you decide to...
(if: $shakethemousewithpower is 0)[ [[Move the mouse around ->Jiggle the mouse now]]]
(if: $typeonthekeyboardwithpower is 0)[ [[Hit a few keys ->Type on the keyboard2]]]
(if: $pulltheplug is 0)[ [[Pull the plug from the tower ->Pull the plug]]]{<script>$('body').removeClass().addClass('shakemouse')</script>
(set: $shakethemouse to 1)} You gently bump the mouse to see if the motion will register on the computer, bypassing the screensaver without worrying about whether or not any button clicks or key presses would alter data in any potentially running programs.
Nothing happens.
Your next step is to...
(if: $pressthepowerbutton is 0)[ [[Press the power button on the monitor]]]
(if: $typeonthekeyboard is 0)[ [[Hit a few keys on the keyboard ->Type on the keyboard]]]
(if: $pulltheplug is 0)[ [[Pull the plug]]]{<script>$('body').removeClass().addClass('keyboard')</script>
(set: $typeonthekeyboard to 1)}
You try to type a few words on the keyboard to see if anything occurs on the screen.
Nothing happens.
Your next option is to...
(if: $shakethemouse is 0)[
[[Shake the mouse]]](if: $pressthepowerbutton is 0)[
[[Press the power button on the monitor]]](if: $pulltheplug is 0)[
[[Pull the plug]]]{<script>$('body').removeClass().addClass('pullplug')</script>
(set: $searchcomputer to 1)(set: $pulltheplug to 1)
}You pull the plug from the back of the computer and seize the entire tower.
(if: $takenotes is 1)[ You make a note of what you have done to the computer, and at what time. You make sure to include in your notes a chain of custody and an Item number for the new piece of evidence.
]
After dismantling the computer tower and packing it in a cardboard box for easy transport, you check your surroundings again. The cell phone is sitting on the desk next to you, but there are still many more places in the room where evidence could exist.
(if: $approachcellphone is 0)[ [[Approach the cell phone]]]
(if: $searchremainderofroom is 0)[ [[Search the remainder of the room]]]
[[End your investigation]]<script>$('body').removeClass().addClass('suicidenote')</script>
(set: $shakethemousewithpower to 1)
You gently bump the mouse to see if the computer registers the motion and bypasses the screensaver without worrying about whether or not any button clicks or key presses would alter data in any potentially running programs.
It works.
The screensaver disappears. There is a document on the screen. From looking it over, the contents appear to be consistent with a typed suicide note.
(if: $typeonthekeyboard is 1)[
...Except for how it ends. Because you typed on the keyboard, there is now a short string of random numbers and letters at the bottom of the document. You have altered some of the evidence on this computer.
]
(if: $takenotes is 1)[ You make a note of what you have done to the computer and what you observed as a result.
]
Based on this information, you decide to...
[[Save the document, then power down the computer ->Save the document to the computer as is]]
[[Pull the plug from the tower ->Do not save the document because you changed it]]
(if: $typeonthekeyboard is 1)[ [[Save the document to the computer after deleting what you added]] ]<script>$('body').removeClass().addClass('suicidenote2')</script>
(set: $typeonthekeyboardwithpower to 1)
You hit a few keys on the keyboard and the screensaver disappears. There is a document on the screen. From looking it over, the contents appear to be consistent with a typed suicide note.
...Except for how it ends. Because you typed on the keyboard, there is now a short string of random numbers and letters at the bottom of the document. You have altered some of the evidence on this computer.
(if: $takenotes is 1)[
You make a note of what you have done to the computer and what happened to the document as a result. You may have altered some evidence, but the transparency will help you in court.
]
Based on your actions and what you are able to ascertain from the contents of the document, you decide to...
[[Save the document to the computer as is]]
[[Save the document to the computer after deleting what you added]]
[[Do not save the document because you changed it]]<script>$('body').removeClass().addClass('save')</script>
(set: $savedocument to 1)
You hit the "Save" icon on the toolbar of the word processing program, preserving the open document in the active user's "Documents" folder.
(if: $takenotes is 1)[
You make a note of where and when you have saved the file.
]
No other data appears to be present and in an active state on the machine. At this point, you are ready to collect the computer as evidence. You conclude that the best way to do this is to...
[[Shut down normally]]
[[Pull the plug]]{<script>$('body').removeClass().addClass('save')</script>
(set: $deletechanges to 1)
}Embarrassment over what you accidentally did sets in, so you quickly delete the text that you changed in the document before hitting the "Save" icon on the toolbar of the word processing program, preserving the open document in the active user's "Documents" folder. You already altered the text, so what would be the harm in altering it some more?
(if: $takenotes is 1)[
You make a note of what you have done to the computer and what happened to the document as a result. You may have altered some evidence, but hopefully your transparency will help you should you have to testify.
]
No other data appears to be present and in an active state on the machine. At this point, you are ready to collect the computer as evidence. You conclude that the best way to do this is to...
[[Shut down normally]]
[[Pull the plug]]{<script>$('body').removeClass().addClass('savechanges')</script>
}You make the choice to not save the document.
No other data appears to be present and in an active state on the machine. At this point, you are ready to collect the computer as evidence. You conclude that the best way to do this is to...
[[Pull the plug]]
[[Shut down normally]]{<script>$('body').removeClass().addClass('shutdown')</script>
(set: $searchcomputer to 1)(set: $shutdownnormally to 1)
}You navigate to the Start Menu and proceed to shut down the computer normally.
(if: $takenotes is 1)[
You make a note of what you have done to the computer, and at what time. You make sure to start a chain of custody for and assign an Item number to the new piece of evidence.
]
After dismantling the computer tower and packing it in a cardboard box for easy transport, you check your surroundings again. (if: $approachcellphone is 0)[The cell phone is sitting on the desk next to you.](if: $searchremainderofroom is 0)[ Also, there still may be evidence located in other places within the room.]
You decide your next step will be to...
(if: $approachcellphone is 0)[ [[Approach the cell phone]]]
(if: $searchremainderofroom is 0)[ [[Search the remainder of the room]]]
[[End your investigation]]{<script>$('body').removeClass().addClass('skull')</script>}Gathering all of the evidence that you have collected, you make your way back to your van.
(if: $takenotes is 1)[
You make sure to write down:
-the time you leave the scene
-the condition of the equipment you brought with you
-the evidence that you gathered while at the scene
]
You gently place all of the evidence securely in the back, making sure to strap it down tightly so that nothing becomes damaged during transport.
At this point, it is up to you to conduct a thorough analysis of all evidence that you have collected, exhausting all your available capabilities, as that is your duty not only to the victim, but to the suspect as well.
Let's take a look at some of the tools and techniques that you might use to conduct your analysis...
[[After many weeks of work, and months of waiting after, the time has come for you to testify... ->End Results]]{<script>$('body').removeClass().addClass('batteryout')</script>
(set: $pullbattery to 1)}You pull the phone and its charger out of the outlet, disconnect the phone from its charger, and proceed to remove the battery from the back of the phone. Hopefully there will be no password on the device, because otherwise you will not be able to get back into the phone to alter settings necessary to extract data.
(if: $takenotes is 1)[
You make a note of what occurred and at what time. You make sure to include in your notes a chain of custody and an Item number for the new piece of evidence.
]
Next, you prepare the necessary materials to package the dismantled phone as [[evidence. ->Collection]]{<script>$('body').removeClass().addClass('poweroff')</script>
(set: $cellphonepowerdown to 1)}You unplug the phone and proceed to initiate a normal shutdown. Hopefully there is no password on the device, because otherwise you will not be able to get back into the phone to alter settings necessary to extract data.
(if: $takenotes is 1)[
You make a note of what occurred and at what time. You make sure to include in your notes a chain of custody and an Item number for the new piece of evidence.
]
Next, you prepare the necessary materials to package the powered-down phone as [[evidence. ->Collection]]{<script>$('body').removeClass().addClass('settings')</script>}Since the phone is currently unlocked, you decide to access the settings menu. You know that some settings may affect your ability to extract data from the phone, so you wonder if you should take the opportunity now while the device remains unlocked to adjust the needed settings. But should you really be altering evidence?
After much thought, you first decide to...
(if: $checkwifi is 0)[ [[Check Wi-Fi]]]
(if: $checkpassword is 0)[ [[Check Password]]]
(if: $checknetwork is 0)[ [[Check phone network connectivity]]]
[[Collect without changing anything]]{<script>$('body').removeClass().addClass('phonecharging')</script>
(set: $collectasis to 1)}You pull the phone and the plug from the wall and proceed to package the phone as evidence.
You hope that the battery doesn't die during transport before you can get back to the lab to perform a data dump, but if you move fast enough, it might be okay.
Next, you prepare the necessary materials to package the phone as [[evidence. ->Collection]]{(if: $pullbattery is 1)[ <script>$('body').removeClass().addClass('batteryout')</script>]
(if: $cellphonepowerdown is 1)[ <script>$('body').removeClass().addClass('poweroff')</script>]
(if: $collectasis is 1)[
<script>$('body').removeClass().addClass('phonecharging')</script>]
}You examine your options for materials with which to package the cell phone. You have with you paper, plastic, and a Faraday bag.
The paper bag is easiest to write on for identification purposes.
The plastic bag is most convenient, as you can easily see what it contains.
The Faraday bag can provide shielding that can prevent a signal from accessing the device while it is on.
After thinking about it, you choose to collect the phone in the...
[[Paper bag]]
[[Plastic Bag]]
[[Faraday bag]]{<script>$('body').removeClass().addClass('paper')</script>
(set: $paperbag to 1)}You decide to package the cell phone in a paper bag. You tape up the openings and make sure to write a description of the contents on the outside.
(if: $takenotes is 1)[ You make a note of a chain of custody and an Item number for the new piece of evidence.
]
At this point, you decide to...
(if: $searchcomputer is 0)[ [[Approach the computer]]]
(if: $searchremainderofroom is 0)[ [[Search the remainder of the room]]]
[[End your investigation]]{<script>$('body').removeClass().addClass('faraday')</script>
(set: $faradaybag to 1)}You package the cell phone in a Faraday bag. This will prevent a network signal from reaching the phone, which could cause data to be changed or even allow the phone to be remotely wiped.
(if: $takenotes is 1)[ You make a note of a chain of custody and an Item number for the new piece of evidence.
]
With that completed, you decide to now...
(if: $searchcomputer is 0)[ [[Approach the computer]]]
(if: $searchremainderofroom is 0)[ [[Search the remainder of the room]]]
[[End your investigation]]{<script>$('body').removeClass().addClass('plastic')</script>
(set: $plasticbag to 1)}
You choose to package the cell phone in the plastic bag. You zip it up and finish with that quite quickly.
(if: $takenotes is 1)[ You make a note of a chain of custody and an Item number for the new piece of evidence.]
At this point, you decide to...
(if: $searchcomputer is 0)[ [[Approach the computer]]]
(if: $searchremainderofroom is 0)[ [[Search the remainder of the room]]]
[[End your investigation]]{<script>$('body').removeClass().addClass('settings')</script>
(set: $checkwifi to 1)}You decide to check the Wi-Fi capabilities of the phone.
The phone is not currently connected to a Wi-Fi network, but the setting to allow automatic connection to any Wi-Fi network is enabled.
Knowing this, you decide to...
[[Disable Wi-Fi]]
[[Go back to the settings menu without changing anything ->Access settings of the phone]]
[[Collect the phone as it currently is ->Collect without changing anything]]
{<script>$('body').removeClass().addClass('settings')</script>
(set: $checkpassword to 1)}You decide to check whether or not a password is enabled on the phone.
You notice that the lock screen is disabled while the device is plugged in and charging, but that it is enabled on battery power and that a password is set.
You decide to...
[[Turn the password off and disable sleep mode ->Disable password/Prevent sleep]]
[[Go back to the main settings menu and leave the password settings alone ->Access settings of the phone]]
[[Prepare to collect the device without altering anything ->Collect without changing anything]]{<script>$('body').removeClass().addClass('settings')</script>
(set: $checknetwork to 1)}The phone displays four bars in the corner, signaling that it is connected to the cellular network. Data can be sent or received from this phone at any time due to this status.
With this in mind, you decide to...
[[Enable Airplane mode ->Airplane mode]]
[[Go back to the settings menu of the phone ->Access settings of the phone]]
[[Power off the phone ->Collect without changing anything]]{<script>$('body').removeClass().addClass('settings')</script>}After briefly examining the condition of the device, you make the decision not to change this setting after all. You want to try to maintain the integrity of the evidence by altering the device as little as possible.
At this point, you are prepared to collect the device and choose to...
[[Pull the plug and remove the battery ->Pull the plug and the battery]]
[[Pull the plug and shutdown the phone normally ->Pull the plug and shutdown normally]]{<script>$('body').removeClass().addClass('settings')</script>
(set: $disablewifi to 1)}You disable the Wi-Fi on the phone. This will prevent the phone from connecting to a network during transport or later when the device is prepared for data extraction. You know this is important to prevent both data from changing and possible remote access to the phone.
(if: $takenotes is 1)[ You make a note of the setting you changed on the device and at what time.
]
Your next step is to...
[[Go back to the settings menu ->Access settings of the phone]]
[[Finish altering settings and collect the device ->Collect without changing anything]]{<script>$('body').removeClass().addClass('settings')</script>
(set: $disablepassword to 1)}You decide to disable the password and the lock screen. This will allow you to access the phone more easily in the future in order to alter necessary settings when you prepare to conduct a data extraction of the phone, which is important in order to have success in your analysis.
(if: $takenotes is 1)[ You make a note of the setting you changed on the device and at what time.
]
At this point, you decide to...
[[Go back to the main settings menu ->Access settings of the phone]]
[[Prepare to collect the cell phone without altering any additional settings ->Collect without changing anything]]{<script>$('body').removeClass().addClass('settings')</script>
(set: $airplanemode to 1)}You decide to place the phone into airplane mode. Airplane mode will isolate the device from the cellular network and prevent data from being transferred either to or from the phone. Remote wipes or other unintentional changes to data on the phone will not be a concern as long as the phone remains in this state of isolation.
With this taken care of, you decide to next...
[[Access settings of the phone]]
[[Collect without changing anything]]{<script>$('body').removeClass().addClass('drivewipe')</script>(set: $computerwipe to 1)}You decide to plug the USB drive into the suspect's computer to view its contents. The suspect must have been the one using the flash drive, so why not plug it into his computer to view the files as he would have viewed them?
(if: $pulltheplug is 1)[
You hook up the suspect's computer once more to have an environment in which to view the contents of the flash drive.
]
(elseif: $shutdownnormally is 1)[
You hook up the suspect's computer once more to have an environment in which to view the contents of the flash drive.
]
After plugging in the USB flash drive, you notice a program begin to boot up. The program begins to run on the computer and appears to be wiping data from the machine. You quickly pull the plug to try to stop the program and save some amount of data, but the damage has been done. You won't know just how much until you examine the computer within your lab, however.
(if: $takenotes is 1)[
You make a note of what occurred to the computer, and at what time. You make sure to include in your notes a chain of custody and an Item number for the flash drive.
]
Discouraged by what just occurred, you consider your remaining options and choose to...
(if: $approachcellphone is 0)[ [[Examine the cell phone ->Approach the cell phone]]]
(if: $searchcomputer is 0)[ [[Examine the computer ->Approach the computer]]]
(if: $tablet is 0)[ [[Examine the tablet ->Tablet]]]
[[End your investigation]]
{<script>$('body').removeClass().addClass('usbevidence')</script>}You package and collect the USB flash drive to take with you to the lab for further examination. There is nothing else you can safely do with the device while at the scene, so you realize saving any analysis until later will be the best option.(if: $takenotes is 1)[ You make a note of a chain of custody and an Item number for the new piece of evidence.]
There is still more to do at the scene, so you decide your next step will be to...
(if: $approachcellphone is 0)[ [[Examine the cell phone ->Approach the cell phone]]]
(if: $searchcomputer is 0)[ [[Examine the computer ->Approach the computer]]]
(if: $tablet is 0)[ [[Examine the tablet ->Tablet]]]
[[End your investigation]]{<script>$('body').removeClass().addClass('password')</script>
(set: $turniton to 1)}You hold the power button down to try to turn the tablet on.
It powers on, and it appears to be locked with a standard 4-digit PIN.
You don't know what the passcode is, and you don't know for sure how the user configured the lock settings of this particular tablet.
Knowing this, you decide to...
[[Try to guess a password]]
[[Turn the tablet off and collect it ->Leave it off and collect it as is]]{<script>$('body').removeClass().addClass('ipadoff')</script>
(set: $tablet to 1)}(if: $turniton is 0)[Since the tablet is already off, you do not want to power it on and risk data being unintentionally altered or wiped.
](if: $turniton is 1)[You leave the tablet on and package it up to take with you to the lab. Hopefully you will be able to extract some data from it.
](if: $takenotes is 1)[ You make a chain of custody and create an Item number for the new piece of evidence.
]
With the tablet taken care of for now, you decide to...
(if: $approachcellphone is 0)[ [[Examine the cell phone ->Approach the cell phone]]]
(if: $searchcomputer is 0)[ [[Examine the computer ->Approach the computer]]]
(if: $USB is 0)[ [[Examine the USB flash drive ->USB Drive]]]
[[End your investigation]]{<script>$('body').removeClass().addClass('court')</script>}After many months, and with many cases since, the prosecution has subpoenaed you as an expert witness. The time has come for you to testify to your findings and what you collected during your investigation. The decisions you made will affect the quality and validity of your subsequent testimony...
{<script>$('body').removeClass().addClass('ipaddisabled')</script>
(set: $guesspassword to 1)}You type in a random password just to see what will happen.
Unfortunately, the password was wrong.
Also, it looks as though this wasn't the first time an incorrect password has been entered into the tablet, because the iPad has now permanently locked you out of it. Even if you are able to find out the password in the future, it won't do you any good. You will not be able to extract any data from this device.
(if: $takenotes is 1)[ You make a note of what occurred, and at what time. You make sure to include in your notes a chain of custody and an Item number for the new piece of evidence.
]
Despite this unfortunate turn of events, you still decide to [[collect the tablet as evidence->Leave it off and collect it as is]]{<script>$('body').removeClass().addClass('laptop')</script>} You examine the exterior of the laptop. There are no lights signifying that the laptop is powered on. You lift the screen of the laptop and place your finger on the touchpad. No response; you safely conclude that the laptop is not on. You can easily collect the laptop as is, if you so choose, and examine it further when you get back to the lab.
(if: $speakwiththeofficer is not 0)[
You remember what you learned about the case from the officer you spoke to at the beginning. The search warrant did not include the roommate's belongings.
]
You decide to...
[[Collect the laptop]]
[[Go back to the hallway]]{<script>$('body').removeClass().addClass('collectlaptop')</script>
(set: $searchrooma to 1)}You package up the laptop to take with you for further examination at the lab, since it would be too difficult to examine it while you are still there at the scene.
(if: $takenotes is 1)[
Since you have been taking notes, you start a chain of custody and assign an Item number for the new piece of evidence.
]
There is nothing else in the room to collect, so you [[go back to the hallway. ->Go back to the hallway]]{<script>$('body').removeClass().addClass('court')</script>}(if: $takenotes is not 0)[You were able to refer back to your notes whenever you were questioned about what occurred. Despite it being quite a long time since you conducted the investigation, your memory remains fresh because of your detailed notes. You also created a chain of custody for each item upon collection, so the defense is not able to find fault with the integrity of the evidence.
]
(if: $takenotes is 0)[Since you did not take any notes, you are forced to answer many of the questions you are asked with "I don't recall" or "I'm not sure". Also, since no chain of custody was established for any items, the defense questions you heavily on the integrity of the evidence to try to instill doubt in the fact that you maintained control of the evidence throughout your entire examination.
]
The defense begins by questioning you about whether or not you were provided a search warrant in this case. You answer that you were. The defense asks if you were aware that the search warrant only covered the suspect's room and that the roommate was not included. You respond by saying "Yes".
(if:$searchrooma is not 0)[The defense follows up your response by asking why you seized evidence from the roommate's room if you fully understood the search warrant. You do not have a response for this. (if:$speakwiththeofficer is not 0)[An officer at the scene even reiterated this point to you.](if:$speakwiththeofficer is 0)[The defense asks if there was anyone at the scene you could have asked to get more clarification if you were confused. You remember the officer at the scene, and say there was, but you do not have a good answer as to why you did not speak to him.] Because you ignored the terms of the search warrant and violated the roommate's privacy, it is entirely possible that the case will be thrown out.]
(if:$searchrooma is 0)[You continue to explain that you chose to not examine the roommate's belongings because you wanted to follow the search warrant. (if:$speakwiththeofficer is not 0)[You even sought out additional information from an officer at the scene to ensure you were operating within the scope of the warrant.] Your actions ensured the validity of the evidence that you did end up collecting.]
[[The defense next asks you about the computer ->Computer Decision Points]]{<script>$('body').removeClass().addClass('court')</script>}When questioned about the computer, the defense begins by questioning you about how you seized the evidence. The defense asks if the computer was on at the time of its seizure. You state "Yes".
(if: $typeonthekeyboard is not 0)[You mention typing on the keyboard to wake the computer from sleep mode. The defense asks if this could have changed any data on the computer. You respond honestly by saying "Yes."
(if:$deletechanges is 0)[The defense questions you about what specifically was changed. Because you saved the document in question with the changes you made, you can easily point out what was altered. Your honesty and transparency reassure the court that no evidence tampering is being concealed.]
(if:$deletechanges is not 0)[The defense questions you about what specifically was changed. You do not have an answer for him because you deleted the changes prior to saving the document. This lack of transparency calls into question the validity of the rest of your examination and what else could have been changed and potentially hidden.]]
(if:$pulltheplug is not 0)[You state that to seize the computer, you pulled the plug from the back of the computer tower. When asked why, you explain that data can be changed during the normal shutdown process, so to prevent this, you pulled the plug from the back of the tower. This is a good way to preserve additional data.]
(if:$pulltheplug is 0)[You are asked about how you powered down the computer prior to seizing it. When you mention that you ran the normal shutdown procedures, you are asked if data can be changed during this process. You respond by saying yes, certain timestamps for files can be altered during the standard shutdown process. This is not the most forensically valid way to gather evidence from a running computer for this very reason.]
[[The defense moves on to the cell phone ->Cell phone decision points]]{<script>$('body').removeClass().addClass('court')</script>}The defense begins by asking you