Computer Evidence Collection - Sections 1-10
SECTION 1: LEGAL AUTHORIZATION
↓
⚖️ VERIFY LEGAL AUTHORIZATION (THREE TYPES)
Type 1: Consent (written - mandatory)
Type 2: Warrant (judicial authority)
Type 3: Independent Expert Appointment
⛔ NO coercive activity without authorization
↓
SECTION 2: SCENE RESPONSE
↓
⚖️ CONTRADICTORY PROCESS - LEGAL REQUIREMENT
ALL on-site operations MUST follow contradictory process:
• Owner/legal representative MUST be present
• Witness(es) MUST be present throughout
• All operations in presence of all parties
• Ensures transparency and strengthens evidence
↓
📸 PHOTOGRAPH EVERYTHING
Before touching anything
Collect biological traces
Secure scene | Document all parties present
↓
⚖️ ALBANIAN LAW - ARTICLE 37
SELF-INCRIMINATING STATEMENTS
BEFORE ANY QUESTIONING:
IF person makes statement raising suspicion of guilt:
⚠️ IMMEDIATELY INTERRUPT questioning
⚠️ Issue MANDATORY warnings:
• "Investigation may be carried out against you"
• "You have the right to appoint a lawyer"
• "You have the right to lawyer presence during questioning"
❌ Statements BEFORE warning = INADMISSIBLE
⚠️ IF lawyer requested: SUSPEND all questioning
Applies to ALL questions (technical questions included)
↓
SECTION 3: COMPUTER STATE ASSESSMENT
↓
Computer State: OFF, ON, or SLEEP?
OFF
↓
✓ DO NOT turn on
✓ Label cables
✓ Disconnect
✓ Seal device
✓ Transport to lab
ON
↓
SECTION 4: RUNNING SYSTEM DECISION
↓
Check encryption:
BitLocker / VeraCrypt / FileVault / dm-crypt
↓
⚠️ CRITICAL DECISION POINT
Training and Equipment Check
Personnel trained + equipped?
↓
YES - Trained & Equipped
↓
SECTION 5: LIVE ACQUISITION
↓
Contradictory process:
Owner/witnesses present
Live acquisition:
• RAM capture
• Network connections
• Running processes
• FTK Imager ONLY
• E01 format mandatory
• Double hash (SHA-256 + SHA-1/MD5) and RFC3161 timestamp
• All parties sign copy report
NO - Not Trained/Equipped
↓
⛔ CALL SPECIALIST IMMEDIATELY
• Keep system running
• Do NOT attempt live acquisition
• Do NOT shut down if encryption
• Wait for trained expert
• Maintain contradictory process
↓
SECTION 5B: IDENTIFICATION & SEIZURE
↓
• Label all cables and photograph
• Disconnect peripherals
• Exhibit labeling (make, model, serial)
• Package in cardboard (NOT plastic)
↓
SECTION 6: SEALING
↓
📦 SEALING (Contradictory process MANDATORY)
Show evidence to all parties:
• Owner/representative MUST be present
• Witness(es) MUST be present
• Show devices for recognition
• Document serial numbers
Seal in presence of ALL:
• Apply evidence seal while all observe
• ALL PARTIES MUST SIGN:
- Owner/representative
- Witness(es)
- Police officer
- Forensic expert
• Create sealed bag report with signatures
↓
SECTION 7: TRANSPORT & STORAGE
↓
• Protected from magnetic sources, moisture
• Secure transport with chain of custody
• Faraday bags for wireless devices
↓
🔬 ARRIVE AT LABORATORY
↓
SECTION 9: LABORATORY IMAGING
↓
🔍 LABORATORY IMAGING
• Expert with court order under oath can open sealed bag
• Photograph seal opening
• Connect to write-blocker
• Calculate pre-image hash (double: SHA-256 + SHA-1/MD5) and RFC3161 timestamp
• Create E01 image (MANDATORY for evidence)
• E01 is READ-ONLY with embedded hash
• Verify E01 integrity immediately
⚠️ If SSD/Flash: Document TRIM occurred
(Technical modification, does NOT affect evidence validity)
↓
E01 hash verification passed?
YES - Verified
↓
✓ E01 integrity confirmed
✓ Hash embedded in E01 is valid
✓ Create working E01 copy
✓ Never analyze original E01
✓ Begin forensic analysis
NO - Failed
↓
⛔ E01 FILE CORRUPTED
(NOT original evidence problem)
What this means:
• E01 file corruption (storage/transfer)
• NOT a problem with original evidence
Actions:
1. Check E01 storage media
2. Restore E01 from backup if available
3. If no backup: Report to prosecutor
4. Evidence may be inadmissible
⛔ DO NOT attempt to re-image
(E01 hash failure = file corruption, NOT source problem)
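Added example (not part of the original procedure): a Python implementation of the double-hash steps in Sections 5 and 9 and of the E01 verification decision above, computing SHA-256 + SHA-1/MD5 in one streaming pass and reporting which algorithms disagree with the values recorded at acquisition. Exhibit names and file content are constructed; the RFC3161 timestamp step is not shown.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; disk images are far larger than RAM
ALGOS = ("sha256", "sha1", "md5")  # SHA-256 primary, SHA-1/MD5 secondary, as on the page

def hash_stream(stream):
    """One pass over the data, updating all three digests at once."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}

def double_hash(path):
    with open(path, "rb") as f:
        return hash_stream(f)

def double_hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def verify_image(path, recorded):
    """Re-hash the image file and compare with the hashes recorded at acquisition.
    Returns (ok, mismatched_algorithms). A mismatch means the FILE changed after the
    hashes were recorded (storage/transfer corruption), i.e. the 'NO - Failed' branch;
    it says nothing about the source device, so restore from backup or report, never re-image."""
    current = double_hash(path)
    mismatched = sorted(name for name in recorded if current[name] != recorded[name])
    return (not mismatched, mismatched)

def demo():
    """Constructed walk-through: record hashes, verify an intact copy, then a copy
    with one flipped bit. The RFC 3161 timestamp step is not shown."""
    with tempfile.TemporaryDirectory() as tmp:
        data = bytes(range(256)) * 4096  # 1 MiB of constructed content, not a real E01
        original = os.path.join(tmp, "EXHIBIT-01.E01")  # constructed exhibit name
        with open(original, "wb") as f:
            f.write(data)
        recorded = double_hash(original)  # the values entered on the signed copy report
        intact_ok, _ = verify_image(original, recorded)
        damaged = os.path.join(tmp, "EXHIBIT-01-transferred.E01")
        with open(damaged, "wb") as f:
            f.write(data[:500] + bytes([data[500] ^ 0x01]) + data[501:])
        damaged_ok, bad = verify_image(damaged, recorded)
        return intact_ok, damaged_ok, bad
```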
↓
SECTION 10: FORENSIC ANALYSIS & REPORTING
↓
• Verify E01 hash before analysis
• Perform forensic analysis (see detailed SOP)
• Maintain expert neutrality
• Report ALL findings (incriminating + exculpatory)
• Generate technical report
• Peer review
• Reseal evidence
↓
✓ ANALYSIS COMPLETE
Submit findings to court
⚖️ Critical Legal Requirements (Sections 1-10)
- Section 1 - Legal Authorization: Consent (written), warrant, or expert appointment REQUIRED
- Section 2 - Contradictory Process: Owner/witnesses MUST be present during on-site operations (search, live acquisition, sealing)
- Section 2 - Article 37 (Albanian Law): IF person makes self-incriminating statement, IMMEDIATELY interrupt, warn of rights (lawyer), suspend if requested. Statements BEFORE warning = INADMISSIBLE
- Section 4 - Training Check: Live acquisition ONLY by trained personnel with proper tools (FTK Imager or equivalent)
- Section 5 - On-Site Copying: FTK Imager mandatory, E01 format mandatory, contradictory process mandatory
- Section 6 - Sealing: ALL parties MUST sign (owner, witnesses, police, expert) in contradictory process
- Section 9 - E01 Format: Mandatory for evidence (READ-ONLY, embedded hash, cannot be modified)
- Section 9 - Double Hash: SHA-256 (primary) + SHA-1/MD5 (secondary), both documented, plus RFC3161 timestamp
- Section 9 - SSD/Flash: TRIM modifications MUST be documented (technical, unavoidable, does NOT affect validity)
- Section 9 - Hash Verification: E01 hash failure = FILE corruption (storage/transfer), NOT source problem
- Section 9 - Hash Failure Response: Restore from backup OR report to court - DO NOT re-image
- Section 10 - Expert Neutrality: Report ALL findings (incriminating + exculpatory)
⚠️ Evidence May Be Inadmissible If:
- ❌ Section 1: No legal authorization (consent/warrant/expert appointment)
- ❌ Section 2: Contradictory process violated (owner/witnesses not present during on-site operations)
- ❌ Section 2 - Article 37: Self-incriminating statements used without proper warning, OR questioning continued after lawyer requested
- ❌ Section 4: Live acquisition attempted by untrained personnel without proper tools
- ❌ Section 5: On-site copying NOT using forensic tools (used Windows copy, xcopy, etc.)
- ❌ Section 5: On-site copying NOT in E01 format
- ❌ Section 5: On-site copy report NOT signed by all parties
- ❌ Section 6: Sealing NOT done with all parties present and signing
- ❌ Section 7: Chain of custody broken
- ❌ Section 9: Evidence NOT imaged in E01 format
- ❌ Section 9: SSD/Flash TRIM modifications not disclosed in report
- ❌ Section 9: E01 hash failure and evidence "re-imaged" without contradictory process
- ❌ Section 10: Expert not independent/neutral
- ❌ Section 10: Expert only reported incriminating evidence (not exculpatory)