Tenevoy recommends - Computer Forensics - what happens (from the perspective of K) when they are working on you

[TENEVOY]

You must know - how it happens in their execution. Unless you're a schoolkid, of course.

Search tactics

When the evidence sought may be contained on computer media, the search should be conducted in accordance with the rules outlined below to ensure legality and evidentiary force. Computer media includes removable and non-removable magnetic disks, compact discs (CDs), DVDs, flash drives, optical discs, magnetic cards, digital tapes, and some others. Such media may be contained in personal computers, servers, communication equipment, handheld computers (PDAs), communicators, smartphones, mobile phones, digital cameras and camcorders, players, and other similar devices - all such equipment with built-in media is seized in its entirety.

Other types of equipment do not contain user-accessible computer media, so it is not necessary to seize or examine it. These include printers, scanners, fax machines, as well as keyboards, monitors, mice, joysticks, and speakers. It should be remembered that technology is rapidly evolving, and media accessible to the user may appear tomorrow as part of devices that do not have them today.

For example, in 2000, an audio player was not considered a computer media carrier, but today almost all audio players (MP3 players) are considered user portable drives. In the near future, manufacturers plan to equip all household appliances with built-in computers - refrigerators, air conditioners, coffee makers, washing machines, etc. A computer as part of household appliances will likely include a built-in or removable drive and a network interface for remote access.

So, let's start with the basic principles of handling information carriers and computer equipment during a search, and then describe in more detail the rules for conducting a search when such equipment is present.

Principles:

During the seizure of computer equipment, no information contained on the seized media should be altered. It is the responsibility of the investigation to prove that the computer information presented to the expert or the court has not been altered. Neither during the search nor during subsequent storage.

Access to information and its examination "on the spot" is permissible only in cases where it is impossible to seize the media and send it for examination. Such access should be carried out by a competent specialist who is able to understand and explain the meaning and consequences of their actions.

All actions with computer equipment must be documented so that an independent investigator can repeat them and obtain the same results.

General rules for seizing computer equipment during a search:

Take control of the premises where the equipment is installed, as well as the electrical panel. Do not allow anyone other than your specialist to touch the equipment and power devices. In extreme cases, if it is impossible to remove local personnel from the equipment, record all their actions. In those rare cases when there are grounds to believe that alert accomplices outside your control are aware of the search, disconnect the network connections of the computers as soon as possible. To do this, unplug the local network cables from the computers and disconnect the modems. In the few minutes it takes to photograph and prepare to turn off the equipment, an accomplice could potentially connect to the computer over the network and destroy significant information on it.

Do not turn on devices that are turned off.

Take a photo or video of the computer equipment. In extreme cases, you can draw a diagram. Pay attention to the cables - where each one is connected. It is also desirable to photograph the connection of the cables or label them for identification. All connected peripheral devices should be photographed and/or described in the protocol so that it is clear how everything was connected.

If the computer is turned on at the time of the search, take a photo or otherwise record the image on the monitor.

With a turned-on but "sleeping" computer, you can do two things: either turn it off immediately without touching it, as described below, or first activate it by moving the mouse slightly, photograph the contents of the screen, and then turn it off. The choice of option remains with the operation leader. When "waking up" or activating the computer, it may turn out that exiting the "sleep" mode or the screensaver* is password protected. In this case, the computer should be turned off using the method described below.

Find and collect sheets on which passwords, network addresses, and other data may be written - often such notes are found on the workstation, attached to the monitor, or hanging on the wall.

If the printer is printing something, wait for the printing to finish. Everything that is in the output tray of the printer is described and seized along with other computer media.

After that, the computers must be turned off. This must be done by a competent specialist. Do not allow local personnel or the owner of the seized equipment to do this, and do not accept their advice. If you do not have a specialist with you, turn off the desktop computer by unplugging the power cord from the computer case (not from the wall outlet). Turn off the laptop by unplugging the power cord and removing its battery without closing the lid.

 

Sometimes you can mistake a powered-on computer for a powered-off one. During hibernation, the screen goes dark, and some computer functions pause. LED lights may dim or change color. However, a powered-on computer, even in a "sleeping" state, always has a power indicator lit on the system unit. Conversely, all indicators on the system unit are off when the computer is powered off, although the monitor indicator may be lit. More details on shutting down can be found in the "How to Shut Down?" section of the "Short-lived Data" chapter.

Equipment is sealed to prevent both physical access to the case and power connection. This fact is reflected in the protocol.

Confiscated equipment is packed according to its fragility and sensitivity to external influences. Hard disk drives (HDDs) are particularly sensitive to vibration; mechanical damage (e.g., during transportation in the trunk) leads to complete data loss.

Interview all users for passwords. Try to learn all known passwords from each employee (more precisely, login-password pairs) related to the confiscated equipment. Passwords should not be perceived orally. They should be written down character by character, paying attention to the alphabet and case of each character, and verified with the source. Passwords can be written down on a piece of paper without being included in the interrogation protocol or explanation. Their probative value does not decrease from this.

Computer information related to the case and other digital traces of criminal activity may be contained in a variety of digital devices and media. During a search, try to identify all such devices and media, quickly determine if they may contain relevant information, and seize them if they may. The involvement of a specialist is required to detect such media or devices.

In case a specialist is not available, the following illustrations depict the most common devices capable of containing computer information. Below are recommendations for handling some types of computer equipment. They should be followed only in the absence of a technical specialist in your group. The specialist must know how to handle each specific model of equipment to preserve the information unchanged. In the presence of a specialist, follow his instructions.

Notebook (laptop, portable computer)

If the notebook is turned on at the start of the search, the first step is to photograph or otherwise document the contents of the screen, as mentioned above. To turn off the notebook, it is not enough to unplug the power cord; in this case, the notebook will switch to battery power. To disconnect power, the battery must be removed. At the same time, the notebook lid should not be closed or folded. When folded, the hibernation function is usually activated, which means changes are made to the information on the disk, violating the above principles. Handheld computer (PDA) This class includes: PDA, PDA (Personal Digital Assistant), palmtop, pocket PC, organizers, smartphones, communicators, electronic diaries [51, 84, 93]. The feature of this class of computers is that a significant part of user data is stored in them in RAM, energy-dependent memory. When power is turned off, all such information is irretrievably lost. The "off" state of the handheld actually means non-shutdown, but rather "sleep" or hibernation mode. In this case, electricity is only consumed to maintain RAM. In this state, it can be stored for several days, depending on the current state of the battery. If the handheld is turned on (active) at the start of the search, the first step is to photograph or otherwise document the contents of the screen, as mentioned above. When the screen is inactive, it automatically goes dark, and the handheld goes into hibernation mode after a few minutes. After taking the photo, you can manually turn it off with the "power" button, if available. Do not touch the handheld screen, as it is sensitive; each touch to the screen is perceived as a command. The battery cannot be removed from the handheld. Together with it, the cradle (stand with power and connection device) or another charging device must be removed. The handheld can be stored on its own, without charging, for a short time, usually a few days. The storage duration depends on the initial condition of the battery. After it is depleted, the contents of the RAM will be lost. It is better not to risk it and transfer the computer to an expert as soon as possible after removal. And before such a transfer, if possible, keep it inserted in the cradle so that the battery does not run out. A handheld can be stored in the cradle (which, of course, must be connected to the power grid) indefinitely. However, storing it in the cradle is incompatible with sealing the computer. The search (confiscation, personal search) protocol should include approximately the following: "During the inspection and confiscation of the handheld computer, its buttons were not pressed, the screen was not touched, the battery or removable media were not removed. The handheld computer in hibernation (sleep) mode was packed and sealed to prevent access to its control elements (buttons, screen)

 

Flash Drives

Flash memory drives are produced as standalone devices as well as part of other devices such as MP3 players or digital cameras. The shape and size of devices with flash drives are also quite diverse. Most often, these drives are equipped with a USB interface, which is how they can be recognized.

Such drives do not lose data when there is no power supply, so they can be stored for a long time. When removed, they should be sealed to prevent access to the USB port and control buttons (if any). It is possible to make a copy of a flash drive on the spot. How to do this is described in the section "Computer-technical examination." However, there is usually no need for such copying, as the flash drive is removed anyway when there are grounds to believe that it may contain significant information for the case. Then it is sent for examination. Making a copy on the spot is logical in cases when there is no time to wait for the results of the examination and you need to quickly get information to continue the investigation. In such cases, a specialist makes a copy of the drive on the spot, the drive itself is sealed, removed, and set aside for examination, while its copy is examined to obtain unofficial but urgent information.

Mobile Phones

Before considering the seized mobile phone as a carrier of computer information, it is necessary to decide whether it is necessary to obtain physical evidence from it - fingerprints, traces of drugs, and so on. It should be remembered that some methods of removing fingerprints can render the phone unusable. In most cases, when seized, the mobile phone should be turned off to prevent the loss of existing data due to incoming calls and SMS messages. The battery should not be removed. However, in some cases, the operation leader may decide that monitoring incoming calls is more important. In this case, the phone should be left on and charged as needed. A turned-off phone is packed in rigid packaging and sealed to prevent access to its control organs. This is noted in the protocol. When turning off the phone, there is no need to worry about the PIN code to access the data on the SIM card of the phone. The communication operator can provide the PUK (PIN unlock key) at any time, and with its help, access to the SIM card can be obtained. There is quite a lot of technical literature on field and laboratory research of information from mobile phones.

Modems

Some modems store user information - network settings or provider phone numbers. If there is no specialist who can indicate which specific model of modem is present here - with memory or without - then the modem should be disconnected from the power supply, sealed, and removed.

Tenevoy recommends - be more serious and study forensic science. Remember - on the other side of life's realities, there are professionally trained people. Yield to them in at least something - and they will devour you.

[komrade1]

Yeah, it's all true! You're awesome for looking out for us! I've been following you for a while now! Let me add a bit from myself - hardly anyone follows the instructions. Two weeks ago, I tagged along on a search with a cop friend. There, this guy they were after immediately refused to cooperate. The surrounding SWAT guys hit him once in the kidneys, morally crushed him, but the dude didn't give in and did the right thing! The most important thing is to say that you don't know anything or just keep quiet. We didn't extract any info from him, just bundled everything up, taped it with a seal, and took it to the department for examination. From my experience in such situations, I've concluded that if they ever come busting into your house, start smashing the HDD and SSD right away. Even if they find something against you, just say you found it in the hallway and brought it home. The burden of proof is on them, not you. And that's the key! Many cases got dismissed (I'm not saying this as a cop, but as someone who hangs out with them a lot). They all follow a stick system, and it's easier for them to crack a simpler case than to deal with something complex. So always use at least TOR, and make sure to keep compromising info on TrueCrypt. That's just a small part you need to take care of; the rest is situational and unique to each case. And a couple more tips - before diving into shady stuff, first, save all important info on a disk or flash drive, then format the HDD with a special program (search for it online) that erases everything thoroughly (they can recover info that was just moved to the trash and deleted, especially text files). Always use your phone and laptop separately from personal matters; it won't be difficult for them to link SIM cards, phone IMEI, and computer MAC addresses, and that will be evidence for the court. If you're going down this path, invest 100-200$ in a laptop and phone that you won't regret if you get caught or end up behind bars for a couple of years. You can always sell them if it doesn't work out, even at a loss of a few hundred, but if it does, the reward won't make you wait long!

[TENEVOY]

You're the man! Great additions there. Totally agree - you can tell you're the real deal!

Whoever you are, your advice is spot on. I've had my fair share of heart-to-heart chats with these characters myself. They're the same people, just on the other side of the law, but their mindset is 90% identical - "how to survive, earn, feed yourself/family, and just live decently."

That's how it is.

[komrade1]

Yeah, 99% of them stayed the same, still drinking and smoking, just mostly scamming suckers. After the army and getting an economics education, most of them turned to shady dealings. They've often tried to rope me in, especially when it came to car scams or insurance fraud, even before Sberbank tightened up security. But I always told them it would come back around, karma and all that. I didn't want to deceive women with kids, the elderly, or the less fortunate, knowing that the banks would kick them to the curb after their claim ended up in their department

[TENEVOY]

Yeah, some jerk quickly shut it down. I'll re-upload it now, but honestly, they might start deleting it because it's either those Tenevoy haters or unhappy Kashniks (hypothetically, though it's nonsense). Just as I got settled, someone deleted my Rghost link.

[Antoha]

As an old friend used to say: "A sincere confession may lessen the punishment, but it extends the time behind bars"

[ReshaR]

I store all the information and work from my laptop with a custom modem. A couple of months ago, I attached an explosive device with a 10-second timer to my laptop, bought it from the Chinese. I live on the 10th floor, so if anything happens, I press the activation button and throw the laptop out the window. I've already conducted an experiment, and the blast force is enough to melt the laptop into smithereens. Dear forum members, be careful and watch yourselves, and the article will pass you by.

[Anigilator]

You can install the system on a very small flash drive (for convenience) and lock it for writing. All information should be loaded into the RAM and modified there (yes, unfortunately, without saving, or with cloud access, without trace of access).

As a result, if you shut down the computer with the flash drive, everything will be clean. Crystal clear.

P.S. I think it's clear that the information on the flash drive in its written form should not be compromising.

[TENEVOY]

 

I trust programs like Veracrypt and Truecrypt - and there are also some serious crypto monsters out there, nonetheless - you always need resources for a "rainy day." Not everyone needs them, of course. But when you're making money, substantial money, and not always through legal means - whether you like it or not, you strive for maximum security.

[Anigilator]

And here's an interesting thought. If everything is fine offline. There are no traces on the computer or any other related devices.

But online they found something (VPN leaked, encryption exposed, etc.). Would this be enough for an article?

[Цімбор]

For the article, you need to connect the evidence found online - with you and your random number generator. Otherwise, if you have everything "sewn up" and you're sure your trump card is unbeatable, they might even come knocking with a warrant. They'll check your devices, apologize, and leave, leaving dirty marks on your Persian carpet, thinking, "Now the boss will chew me out for calling in the task force for nothing. I won't be getting any stars on my epaulets for cracking the cybercrime of the 21st century

[Goodbad]

Guys, what do you think about devices of this type, where a hard drive is mounted on sleds under the device? When you press a button, all data is destroyed using a magnetic field. (not an advertisement) What are your thoughts on this?

[Kos81011]

[DonPablo]

Great job, guys!!! And here I am, stuck like a dummy, and now I'm sitting here!!! My advice: always work alone, and if you really need a partner, choose them very carefully!!!!! And DON'T TRUST ANYONE!!!!!

[Svirid1978]

Can anyone kindly advise, if there's a password on a laptop and at the time when some shady guys showed up, the computer was turned off, how can they officially extract information? After all, accessing the system implies making changes to the information, which means breaking the password. What to do in such a case?

[DonPablo]

Most likely, they'll just ignore your arguments and then easily manipulate all the search documents "within the bounds of the law" with a snap of their fingers! So, make sure they don't get the laptop intact (microwave, fire, and so on). Just if they find the necessary information in your car, it will be difficult to prove that you're not "the deer

[Sun]

In that case, you buy a small 32-gigabyte SD card (whatever you like), create partitions there with TrueCrypt, and work with it. Got it? Swallowed or broken 

[Pantryman]

Yes, this is important to know both for forensic experts and for ordinary people. Very often, people who have nothing to do with crimes get drawn into responsibility..

[HelloKitty]

Nah, that's nonsense. People who have nothing to do with crimes in the IT sphere will never be implicated, not in a million years. You can read up on it for general knowledge, sure, it won't hurt. But if you're not involved in anything like that, there's no need to take what's written seriously either.

[Guest]

I had my house searched by the FBI for computer cases, and none of the above was followed, the technical expert was some cretin who clearly doesn't know anything about computers, not to mention computers