First Responder Handbook


TAX INVESTIGATIONS DEPARTMENT

FIRST RESPONDER HANDBOOK



Table of Contents
Background
Intended Audience for This Guide
Handling Digital Evidence at the Scene
Chapter 1: Electronic Devices: Types, Description, and Potential Evidence
    1.1 Computer Systems
    1.2 Storage Devices
    1.3 Handheld Devices
    1.4 Other Potential Sources of Digital Evidence
    1.5 Computer Networks
Chapter 2
    2.1 Investigative Tools and Equipment
    2.2 Tools and Materials for Collecting Digital Evidence
Chapter 3: Securing and Evaluating the Scene
    3.1 Preliminary Interviews
Chapter 4: Documenting the Scene
Chapter 5: Evidence Collection
    5.1 Computers, Components, and Devices
        5.1.1 If the Computer Is OFF
        5.1.2 If the Computer Is ON
    5.2 Other Forms of Evidence
    5.3 Other Electronic and Peripheral Devices of Potential Evidential Value
    5.4 Computers in a Business Environment
        Server Computers
Chapter 6: Packaging, Transportation, and Storage of Digital Evidence
    6.1 Packaging Procedures
    6.2 Transportation Procedures
    6.3 Storage Procedures
Chapter 7: Electronic Crime and Digital Evidence Considerations by Crime Category
    7.1 Computer Intrusion
    7.2 Counterfeiting
    7.3 E-mail Threats, Harassment, and Stalking
    7.4 Online or Economic Fraud
    7.5 Telecommunication Fraud

Background
This guide is intended to assist the URA staff and authorized personnel who may be responsible
for preserving an electronic crime scene and for identifying, collecting, and safeguarding digital
evidence. This guide is not and should not be treated as a policy or legal document. It is not
all-inclusive but addresses the most common situations encountered with electronic crime scenes
and digital evidence.

All crime scenes are unique, and the judgment of the first responder, organizational policy, and
prevailing technology should all be considered when implementing the information in this guide.
First responders to electronic crime scenes should adjust their practices as circumstances,
including level of experience, conditions, and available equipment, may influence how incidents
are handled. The circumstances of individual crime scenes and the applicable local laws may
dictate actions or a particular course of actions other than those described in this guide. First
responders should be familiar with all the information in this guide and perform their duties and
responsibilities in relation to the Standard Operating Procedures (SOPs) as circumstances dictate.

When dealing with digital evidence, general forensic and procedural principles should be
applied:

▪ The process of collecting, securing, and transporting digital evidence should not change
the evidence.

▪ Digital evidence should be examined only by those trained specifically for that purpose.

▪ Everything done during the seizure, transportation, and storage of digital evidence
should be fully documented, preserved, and available for review.


NOTE: Officer safety and the safety of others should remain the primary consideration of first responders. Nothing
in this guide is intended to be, or should be construed as being, a higher priority than officer safety or the safety of
others.

First responders must use caution when they seize electronic devices. Improperly accessing data
stored on electronic devices may violate existing laws. Guidance on authorisation to seize
electronic evidence is available in Section 41 of the Tax Procedures Code Act (TPCA), 2014 and
Section 28 of the Computer Misuse Act (CMA), 2011. First responders may need to obtain
additional legal authority before they proceed with an enforcement action and should consult
the Legal department to ensure that they have proper legal authority to seize the digital evidence.

In addition to the legal ramifications of improperly accessing data that is stored on a computer,
first responders must understand that computer data and other digital evidence are fragile. In
situations where a first responder is not sure what course of action to take, the expertise of a
digital forensic investigator should be sought before taking any action that might jeopardize the
digital evidence.

Intended Audience for This Guide

• Uganda Revenue Authority Forensic staff.
• Digital Forensic practitioners.
• Anyone who may encounter a crime scene that might involve digital evidence.
• Everyone who processes a crime scene that includes digital evidence.
• Everyone who supervises personnel who process such crime scenes.
• Everyone who manages an organization that processes such crime scenes.

What Is Digital Evidence?

Digital evidence is information and data of value to an investigation that is stored on, received,
or transmitted by an electronic device. This evidence is acquired when data or electronic devices
are seized and secured for examination.

Digital evidence—

▪ Is latent, like fingerprints or DNA evidence.
▪ Crosses jurisdictional borders quickly and easily.
▪ Is easily altered, damaged, or destroyed.
▪ Can be time sensitive.

NOTE: First responders should remember that digital evidence may also contain physical evidence such as DNA,
fingerprints, or serology. Physical evidence should be preserved for appropriate examination.

Handling Digital Evidence at the Scene

Precautions should be taken in the collection, preservation, and transportation of digital
evidence. First responders may follow the steps listed below to guide their handling of digital
evidence at an electronic crime scene:

▪ Recognize, identify, seize, and secure all digital evidence at the scene.
▪ Document the entire scene and the specific location of the evidence found.
▪ Collect, label, and preserve the digital evidence.
▪ Package and transport digital evidence in a secure manner.

Before collecting evidence at a crime scene, first responders should ensure that:

▪ Legal authority exists to seize evidence.
▪ The scene has been secured and documented.
▪ Appropriate personal protective equipment is used.

First responders without the proper training and skills should not attempt to explore the
contents of or to recover information from a computer or other electronic device other than to
record what is visible on the display screen. Do not press any keys or click the mouse.



Chapter 1: Electronic Devices: Types, Description, and Potential Evidence

Internally attached computer hard drives, external drives, and other electronic devices at a crime
scene may contain information that can be useful as evidence in a criminal investigation or
prosecution. The devices themselves and the information they contain may be used as digital
evidence. In this chapter, such devices will be identified, along with general information about
their evidential value.

Some devices require internal or external power to maintain stored information. For these
devices, the power must be maintained to preserve the information stored. For additional
information about maintaining power to these devices, please refer to chapter 3 of this handbook,
the device manufacturer’s website, or other reliable sources of information.

1.1 Computer Systems


Description: A computer system consists of hardware and software that process data and is
likely to include:

▪ A case that contains circuit boards, microprocessors, hard drive, memory, and interface
connections.

▪ A monitor or video display device.

▪ A keyboard.

▪ A mouse.

▪ Peripheral or externally connected drives, and components.

Computer systems can take many forms, such as laptops, desktops, tower computers,
rack-mounted systems, minicomputers, and mainframe computers. Additional components and
peripheral devices include modems, routers, printers, scanners, and docking stations. Many of
these are discussed further in this chapter.

[Table: Type of computer and illustration: Desktop Computer, Laptop Computer, Server Computers]

Potential evidence: A computer system and its components can be valuable evidence in an
investigation. The hardware, software, documents, photos, image files, e-mail and attachments,
databases, financial information, Internet browsing history, chat logs, friend lists, event logs, data
stored on external devices, and identifying information associated with the computer system and
components are all potential evidence.

1.2 Storage Devices


Description: Storage devices vary in size and the way they store and retain data. First responders
must understand that, regardless of their size or type, these devices may contain information that
is valuable to an investigation or prosecution. The following storage devices may be digital
evidence:

▪ Hard drives. Hard drives are data storage devices that consist of an external circuit board;
external data and power connections; and internal magnetically charged glass, ceramic,
or metal platters that store data. First responders may also find hard drives at the scene
that are not connected to or installed on a computer. These loose hard drives may still
contain valuable evidence.

[Figure: Types of Hard Drives]

▪ External hard drives. Hard drives can also be installed in an external drive case. External
hard drives increase the computer’s data storage capacity and provide the user with
portable data. Generally, external hard drives require a power supply and a universal
serial bus (USB), FireWire, Ethernet, or wireless connection to a computer system.

[Figure: Types of External Hard Drives]

▪ Thumb drives. Thumb drives are small, lightweight, removable data storage devices with
USB connections. These devices, also referred to as flash drives, are easy to conceal and
transport. They can be found as part of, or disguised as, a wristwatch, a pocket-size multi
tool such as a Swiss Army knife, a keychain fob, or any number of common and unique
devices.

[Figure: Types of thumb drives]

▪ Memory cards. Memory cards are small data storage devices commonly used with digital
cameras, computers, mobile phones, digital music players, personal digital assistants
(PDAs), video game consoles, and handheld and other electronic devices.

[Figure: Types of memory cards]

Potential evidence: Storage devices such as hard drives, external hard drives, removable media,
thumb drives, and memory cards may contain information such as e-mail messages, Internet
browsing history, Internet chat logs and buddy lists, photographs, image files, databases,
financial records, and event logs that can be valuable evidence in an investigation or prosecution.

1.3 Handheld Devices


Description: Handheld devices are portable data storage devices that provide communications,
digital photography, navigation systems, entertainment, data storage, and personal information
management.

[Figure: Types of handheld devices]

Potential evidence: Handheld devices such as mobile phones, smart phones, PDAs, digital
multimedia (audio and video) devices, pagers, digital cameras, and global positioning system
(GPS) receivers may contain software applications, data, and information such as documents,
e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image
files, databases, and financial records that are valuable evidence in an investigation or
prosecution.

It is important to note that:

i. Data or digital evidence may be lost if power is not maintained.

ii. Data or digital evidence on some devices such as mobile or smart phones can
be overwritten or deleted while the device remains activated.

iii. Software is available for mobile and smart phones that can be activated
remotely to render the device unusable and make the data it contains
inaccessible if the phone is lost or stolen. This software can produce similar
results if activated on a device seized. First responders should take
precautions to prevent the loss of data on devices they seize as evidence.

1.4 Other Potential Sources of Digital Evidence

Description: First responders should be aware of and consider as potential evidence other
elements of the crime scene that are related to digital information, such as electronic devices,
equipment, software, hardware, or other technology that can function independently, in
conjunction with, or attached to computer systems. These items may be used to enhance the user’s
access of and expand the functionality of the computer system, the device itself, or other
equipment.

[Figures: Video Recorders, Gaming Consoles, MP3 Players, Digital Cameras, Digital Video Recorders,
Voice Recorders, Smart Speakers, Smart Wearables, Smart Televisions]

Potential evidence: The device or item itself, its intended or actual use, its functions or
capabilities, and any settings or other information it may contain are potential evidence.

1.5 Computer Networks


Description: A computer network consists of two or more computers linked by data cables or by
wireless connections that share or are capable of sharing resources and data. A computer network
often includes printers, other peripheral devices, and data routing devices such as hubs, switches,
and routers.

[Figures: Network Switch, Network Router]

Potential evidence: The networked computers and connected devices themselves may be
evidence that is useful to an investigation or prosecution. The data they contain may also be
valuable evidence and may include software, documents, photos, image files, e-mail messages
and attachments, databases, financial information, Internet browsing history, log files, event and
chat logs, buddy lists, and data stored on external devices. The device functions, capabilities, and
any identifying information associated with the computer system; components and connections,
including Internet protocol (IP) and local area network (LAN) addresses associated with the
computers and devices; broadcast settings; and media access card (MAC) or network interface
card (NIC) addresses may all be useful as evidence.

Chapter 2
2.1 Investigative Tools and Equipment
In most cases, items or devices containing digital evidence can be collected using standard seizure
tools and materials. First responders must use caution when collecting, packaging, or storing
digital devices to avoid altering, damaging, or destroying the digital evidence. Avoid using any
tools or materials that may produce or emit static electricity or a magnetic field as these may
damage or destroy the evidence.

Should the complexity of an electronic crime scene exceed the expertise of a first responder, the
first responder should request assistance from personnel with advanced equipment and training
in digital evidence collection.

2.2 Tools and Materials for Collecting Digital Evidence


In addition to tools for processing crime scenes in general, first responders should have the
following items in their digital evidence collection toolkit:
▪ Cameras (photo and video)
▪ Cardboard boxes
▪ Notepads
▪ Gloves
▪ Evidence inventory logs
▪ Evidence tape
▪ Paper evidence bags
▪ Evidence stickers, labels, or tags
▪ Crime scene tape
▪ Antistatic bags
▪ Permanent markers
▪ Nonmagnetic tools

[Figure: Collection Tools]

Chapter 3: Securing and Evaluating the Scene


The first responder’s primary consideration should be officer safety and the safety of everyone
at the crime scene. All actions and activities carried out at the scene should be in compliance
with departmental policy as well as the prevailing national and international laws.

After securing the scene and all persons at the scene, the first responder should visually identify
all potential evidence and ensure that the integrity of both the digital and traditional evidence is
preserved. Digital evidence on computers and other electronic devices can be easily altered,
deleted, or destroyed. First responders should document, photograph, and secure digital
evidence as soon as possible at the scene.

When securing and evaluating the scene, the first responder should:

▪ Follow departmental policy for securing crime scenes.

▪ Immediately secure all electronic devices, including personal or portable devices.

▪ Ensure that no unauthorized person has access to any electronic devices at the
crime scene.

▪ Refuse offers of help or technical assistance from any unauthorized persons.

▪ Remove all persons from the crime scene or the immediate area from which
evidence is to be collected.

▪ Ensure that the condition of any electronic device is not altered.

Leave a computer or electronic device off if it is already turned off (do not attempt to turn
it on).

Components such as keyboard, mouse, removable storage media, and other items may hold latent
evidence such as fingerprints, DNA, or other physical evidence that should be preserved
depending on the case being investigated. First responders should take the appropriate steps to
ensure that physical evidence is not compromised during documentation.



If a computer is on or the power state cannot be determined, the first responder should:

▪ Look and listen for indications that the computer is powered on. Listen for the
sound of fans running, drives spinning, or check to see if light emitting diodes
(LEDs) are on.

▪ Check the display screen for signs that digital evidence is being destroyed. Words
to look out for include “delete,” “format,” “remove,” “copy,” “move,” “cut,” or
“wipe.”

▪ Look for indications that the computer is being accessed from a remote computer
or device.

▪ Look for signs of active or ongoing communications with other computers or
users such as instant messaging windows or chat rooms.

▪ Take note of all cameras or Web cameras (Web cams) and determine if they are
active.

Developments in technology and the convergence of communications capabilities
have linked even the most conventional devices and services to each other, to
computers, and to the internet. This rapidly changing environment makes it essential
for the first responder to be aware of the potential digital evidence in mobile phones,
digital video recorders, other household appliances, and motor vehicles.

3.1 Preliminary Interviews


First responders should separate and identify all adult persons of interest at the crime scene
and record their location at the time of entry onto the scene.

No one should be allowed access to any computer or electronic device.

Within the parameters of the lab policies and applicable laws, first responders
should obtain as much information from these individuals as possible, including:

▪ Names of all users of the computers and devices
▪ All computer and internet user information
▪ All login names and user account names
▪ Purpose and uses of computers and devices
▪ All passwords
▪ Any automated applications in use
▪ Type of internet access
▪ Any offsite storage
▪ Internet service provider
▪ Installed software documentation
▪ All e-mail accounts
▪ Security provisions in use
▪ Web mail account information
▪ Data access restrictions in place
▪ All instant message screen names
▪ All destructive devices or software in use
▪ Instagram, Facebook, or other online social networking website account information
▪ Any other relevant information



Chapter 4: Documenting the Scene


This chapter provides recommendations on documenting or creating a record
of an electronic crime scene. The information provided in this guide is not
intended to supersede or supplant applicable laws or laboratory policies.

▪ Documentation of a crime scene creates a record for the investigation. It is important to
accurately record the location of the scene; the scene itself; the state, including power
status, and condition of computers, storage media, wireless network devices, mobile
phones, smart phones, PDAs, and other data storage devices; Internet and network
access; and other electronic devices. The first responder should be aware that not all
digital evidence may be in close proximity to the computer or other devices.

▪ A computer or another electronic device may need to be moved to find the serial
numbers or other identifiers. Caution should be taken, as moving the device while it is on
may damage it or the digital evidence it contains. Additional documentation of the system
and devices may be performed during the collection phase discussed in chapter 5.

▪ The initial documentation of the scene should include a detailed record using video or
photography, and notes and sketches to help recreate or convey the details of the scene
later. All activity and processes on display screens should be fully documented.

▪ Documentation of the scene should include the entire location, including the type,
location, and position of computers, their components and peripheral equipment, and
other electronic devices. The scene may expand to multiple locations; first responders
should document all physical connections to and from the computers and other devices.

▪ Record any network and wireless access points that may be present and capable of
linking computers and other devices to each other and the internet. The existence of
network and wireless access points may indicate that additional evidence exists beyond
the initial scene.

▪ Some circumstances may not permit first responders to collect all electronic devices or
components at a scene or location. Applicable laws, IG policies, or other factors may
prohibit collecting some computer systems and other electronic devices and the
information they contain; however, these devices should be included in the first
responder’s documentation of the scene.

Chapter 5: Evidence Collection


The first responder must have proper authority—such as plain view observation, consent, or a
court order—to search for and collect evidence at an electronic crime scene. Section 28 of the
CMA, 2011 clearly spells out persons authorized to seize electronic evidence. The first responder
must therefore be able to identify the authority under which he or she may seize evidence and
should follow agency guidelines, consult a superior, or contact a prosecutor if a question of
appropriate authority arises.

Digital evidence must be handled carefully to preserve the integrity of the physical device as well
as the data it contains. Some digital evidence requires special collection, packaging, and
transportation techniques. Data can be damaged or altered by electromagnetic fields such as those
generated by static electricity, magnets, radio transmitters, and other devices. Communication
devices such as mobile phones, smart phones, PDAs, and pagers should be secured and
prevented from receiving or transmitting data once they are identified and collected as evidence.

NOTE: If data encryption is in use on a computer, data storage device, or other electronic device
and it is improperly powered off during digital evidence collection, the data it contains may
become inaccessible.

5.1 Computers, Components, and Devices


To prevent the alteration of digital evidence during collection, first responders should first—

▪ Document any activity on the computer, components, or devices.

▪ Confirm the power state of the computer. Check for flashing lights, running fans, and
other sounds that indicate the computer or electronic device is powered on. If the power
state cannot be determined from these indicators, observe the monitor to determine if it is
on, off, or in sleep mode.

Assess the Situation: It’s your judgement call


After identifying the computer’s power status, follow the steps listed below for the situation
most like your own:

Situation 1: The monitor is on. It displays a program, application, work product, picture,
e-mail, or Internet site on the screen.

1. Photograph the screen and record the information displayed.

2. Proceed to section 5.1.2 “If the Computer Is ON”.



Situation 2: The monitor is on and a screen saver or picture is visible.

1. Move the mouse slightly without pressing any buttons or rotating the wheel. Note any
onscreen activity that causes the display to change to a login screen, work product, or other
visible display.
2. Photograph the screen and record the information displayed.
3. Proceed to section 5.1.2 “If the Computer Is ON”.

Situation 3: The monitor is on; however, the display is blank as if the monitor is off.

1. Move the mouse slightly without pressing any buttons or rotating the wheel. The display will
change from a blank screen to a login screen, work product, or other visible display. Note the
change in the display.

2. Photograph the screen and record the information displayed.

3. Proceed to section 5.1.2 “If the Computer Is ON”.

Situation 4a: The monitor is powered off. The display is blank.

1. If the monitor’s power switch is in the off position, turn the monitor on. The display changes
from a blank screen to a login screen, work product, or other visible display. Note the change
in the display.

2. Photograph the screen and the information displayed.

3. Proceed to section 5.1.2 “If the Computer Is ON”.

Situation 4b: The monitor is powered off. The display is blank.

1. If the monitor’s power switch is in the off position, turn the monitor on. The display does not
change; it remains blank. Note that no change in the display occurs.

2. Photograph the blank screen.

3. Proceed to section 5.1.1 “If the Computer Is OFF”.

Situation 5: The monitor is on. The display is blank.

1. Move the mouse slightly without pressing any buttons or rotating the wheel; wait for a
response.

2. If the display does not change and the screen remains blank, confirm that power is being
supplied to the monitor. If the display remains blank, check the computer case for active
lights, listen for fans spinning or other indications that the computer is on.

3. If the screen remains blank and the computer case gives no indication that the system is
powered on, proceed to section 5.1.1 “If the Computer Is OFF”.

5.1.1 If the Computer Is OFF


For desktop, tower, and minicomputers follow these steps:

1. Document, photograph, and sketch all wires, cables, and other devices connected to the
computer.

2. Uniquely label the power supply cord and all cables, wires, or USB drives attached to the
computer as well as the corresponding connection each cord, cable, wire, or USB drive
occupies on the computer.

3. Photograph the uniquely labeled cords, cables, wires, and USB drives and the corresponding
labeled connections.

4. Remove and secure the power supply cord from the back of the computer and from the wall
outlet, power strip, or battery backup device.

5. Disconnect and secure all cables, wires, and USB drives from the computer and document the
device or equipment connected at the opposite end.

6. Place tape over the floppy disk slot, if present.

7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive
trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it
from opening.

8. Place tape over the power switch.

9. Record the make, model, serial numbers, and any user-applied markings or identifiers.

10. Record or log the computer and all its cords, cables, wires, devices, and components according
to the SOPs.

11. Package all evidence collected following the lab SOPs to prevent damage or alteration during
transportation and storage.

For laptop computers follow these steps:

1. Document, photograph, and sketch all wires, cables, and devices connected to the laptop
computer.

2. Uniquely label all wires, cables, and devices connected to the laptop computer as well as the
connection they occupied.

3. Photograph the uniquely labeled cords, cables, wires, and devices connected to the laptop
computer and the corresponding labeled connections they occupied.

4. Remove and secure the power supply and all batteries from the laptop computer.

5. Disconnect and secure all cables, wires, and USB drives from the computer and document
the equipment or device connected at the opposite end.

6. Place tape over the floppy disk slot, if present.

7. Make sure that the CD or DVD drive trays are retracted into place, if present; note whether
these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed
to prevent it from opening.

8. Place tape over the power switch.

9. Record the make, model, serial numbers, and any user-applied markings or identifiers.

10. Record or log the computer and all its cords, cables, wires, devices, and components
according to SOPs.

11. Package all evidence collected following the SOPs to prevent damage or alteration during
transportation and storage.

5.1.2 If the Computer Is ON


For practical purposes, removing the power supply when you seize a computer is
generally the safest option. If evidence of a crime is visible on the computer display,
however, you may need to request assistance from personnel who have experience
in volatile data capture and preservation.

In the following situations, immediate disconnection of power is recommended:

▪ Information or activity onscreen indicates that data is being deleted or
overwritten.

▪ There is indication that a destructive process is being performed on the
computer’s data storage devices.

In the following situations, immediate disconnection of power is NOT
recommended:

▪ Data of apparent evidentiary value is in plain view onscreen. The first
responder should seek out personnel who have experience and training in
capturing and preserving volatile data before proceeding.

▪ Indications exist that any of the following are active or in use:

o Social media chat sessions
o Open text documents
o Remote data storage
o Cloud services
o Instant message windows
o Child pornography
o Contraband
o Financial documents
o Data encryption
o Obvious illegal activities

For mainframe computers, servers, or a group of networked computers, the first
responder should secure the scene and request assistance from personnel who have
training in collecting digital evidence from large or complex computer systems.

5.2 Other Forms of Evidence

Be alert to the crime scene environment. Look out for pieces of paper with possible passwords,
handwritten notes, blank pads of paper with impressions from prior writings, hardware and
software manuals, calendars, literature, and text or graphic material printed from the computer
that may reveal information relevant to the investigation. These forms of evidence also should be
documented and preserved in compliance with departmental policies.

5.3 Other Electronic and Peripheral Devices of Potential Evidential Value

Electronic devices such as those listed below may contain information of evidentiary value to an
investigation. Except in emergency situations, such devices should not be operated and the
information they might contain should not be accessed directly. If a situation warrants accessing
these devices and the information they contain immediately, all actions taken should be
thoroughly documented. Data may be lost if a device is not properly handled or its data properly
accessed.

The following are examples of electronic devices, components, and peripherals that first
responders may need to collect as digital evidence:

▪ Audio recorders

▪ GPS accessories

▪ Copy machines

▪ Mobile phones

▪ Hard drive duplicators

▪ Smart printers

▪ Multifunction machines (printer, scanner, copier, and fax)

▪ Wireless access points

▪ Videocassette recorders (VCRs)

▪ Personal Computer Memory Card International Association (PCMCIA) cards

▪ Smart handheld devices



Special handling may be required to preserve the integrity and evidentiary value
of these electronic devices. First responders should secure the devices and request
assistance from personnel who have advanced training in collecting digital
evidence.
NOTE: When collecting electronic devices, components, and peripherals such as those
listed above, remember to collect the power supplies, cables, and adapters for those devices
as well.

5.4 Computers in a Business Environment


Business environments frequently have complicated configurations of multiple computers
networked to each other, to a common server, to network devices, or a combination of these.
Securing a scene and collecting digital evidence in these environments may pose challenges to
the first responder. Improperly shutting down a system may result in lost data, lost evidence, and
potential civil liability.

The first responder may find a similar environment in residential locations, particularly when a
business is operated from the home.

In some instances, the first responder may encounter unfamiliar operating systems or unique
hardware and software configurations that require specific shutdown procedures. Such
circumstances are beyond the scope of this guide.

Server Computers

Illustration of complex server systems that hold all network information

Chapter 6: Packaging, Transportation, and Storage of Digital Evidence

Digital evidence, and the computers or electronic devices on which it
is stored, is fragile and sensitive to extreme temperatures, humidity,
physical shock, static electricity, and magnetic fields.

The first responder should take precautions when documenting,
photographing, packaging, transporting, and storing digital evidence
to avoid altering, damaging, or destroying the data.

6.1 Packaging Procedures

All actions related to the identification, collection, packaging, transportation, and storage
of digital evidence should be thoroughly documented. When packing digital evidence
for transportation, the first responder should:

▪ Ensure that all digital evidence collected is properly documented, labeled, marked,
photographed, video recorded or sketched, and inventoried before it is packaged.
All connections and connected devices should be labeled for easy reconfiguration
of the system later.
▪ Use only paper bags and envelopes, cardboard boxes, and antistatic containers
for packaging digital evidence. Plastic materials should not be used when
collecting digital evidence because plastic can produce or convey static electricity
and allow humidity and condensation to develop, which may damage or destroy
the evidence.
▪ Ensure that all digital evidence is packaged in a manner that will prevent it from
being bent, scratched, or otherwise deformed.
▪ Label all containers used to package and store digital evidence clearly and
properly.
▪ Leave cellular, mobile, or smart phone(s) in the power state (on or off) in which
they were found.
▪ Collect all power supplies and adapters for all electronic devices seized.

Package mobile or smart phone(s) in signal-blocking material such as
Faraday isolation bags, radio frequency-shielding material, or
aluminum foil to prevent data messages from being sent or received by
the devices. (First responders should be aware that if inappropriately
packaged, or removed from shielded packaging, the device may be able
to send and receive data messages if in range of a communication signal.)

6.2 Transportation Procedures

When transporting digital evidence, the first responder should:

▪ Avoid keeping digital evidence in a vehicle for prolonged periods of time. Heat,
cold, and humidity can damage or destroy digital evidence.

▪ Ensure that computers and electronic devices are packaged and secured during
transportation to prevent damage from shock and vibration.

▪ Document the transportation of the digital evidence and maintain the chain of
custody on all evidence transported.

Keep digital evidence away from magnetic fields such as those produced by
radio transmitters, speaker magnets, and magnetic mount emergency lights.
Other potential hazards that the first responder should be aware of include
seat heaters and any device or material that can produce static electricity.

6.3 Storage Procedures

When storing digital evidence, the first responder should:

▪ Ensure that the digital evidence is inventoried in accordance with the laboratory
policies.

▪ Ensure that the digital evidence is stored in a secure, climate-controlled
environment or a location that is not subject to extreme temperature or humidity.

▪ Ensure that the digital evidence is not exposed to magnetic fields, moisture, dust,
vibration, or any other elements that may damage or destroy it.

If more than one computer is seized as evidence, all computers, cables, and devices
connected to them should be properly labeled to facilitate reassembly if necessary. In this
example, the computer is designated as computer A. All connections and cables are
marked with an “A” and a unique number.

Subsequently seized computers can be labeled in alphabetical order. The corresponding
connections and cables can be labeled with the letter designation for the computer and a
unique number to ensure proper reassembly.

NOTE: Potentially valuable digital evidence including dates, times, and system configuration settings
may be lost due to prolonged storage if the batteries or power source that preserve this information fail.
Where applicable, inform the evidence custodian and the forensic examiner that electronic devices are
battery powered and require prompt attention to preserve the data stored in them.

Example: Computer A

Label computer, all cables, and corresponding connections.

Chapter 7: Electronic Crime and Digital Evidence Considerations by Crime Category

The lists of electronic crime and digital evidence considerations presented in this chapter are not
exhaustive but are intended to help a first responder identify sources of potentially valuable
digital evidence by crime category. Depending on the complexity of the scene and the situation,
the first responder may need to request more advanced technical assistance.

In some circumstances, trace, latent, or biological evidence such as fingerprints or DNA that may
be important to the investigation may be present on computers and their components or on other
electronic devices. First responders should follow standard operating procedures for collecting
such evidence. Any destructive processes associated with recovering or analyzing trace, latent,
biological, or other evidence should be postponed until after the digital evidence has been
recovered for examination and analysis.

To assist in the forensic examination, the first responder should document the following
information when possible:

▪ A summary of the case.

▪ Passwords to digital evidence seized.

▪ Investigation point-of-contact information.

▪ Preliminary reports and documents.

▪ Keyword lists.

▪ Suspected criminal activity.

▪ Suspect information including nicknames.

7.1 Computer Intrusion


Potential digital evidence in computer intrusion investigations includes:

▪ Computers

▪ Network devices, routers, switches

▪ Handheld mobile devices

▪ Antennas

▪ Removable media

▪ External data storage devices

▪ Web camera(s)

▪ Wireless network equipment

▪ Lists of contacts and address books

▪ Lists of internet protocol addresses

▪ Lists or records of computer intrusion software

▪ Records of internet chat sessions

▪ Printed e-mail, notes, and letters

▪ Printed computer program code

▪ Executable programs

▪ Lists of computers accessed

▪ Notes or records of internet activity

▪ Usernames and passwords

7.2 Counterfeiting

Potential digital evidence in counterfeiting investigations includes:

▪ Computers

▪ Handheld mobile devices

▪ PDAs or address books

▪ Information regarding internet activity

▪ Information regarding cheques, currency, and money orders

▪ Removable media and external data storage devices

▪ Credit card magnetic strip reader

▪ Online banking software

▪ Calendar(s)

▪ Reproductions of signatures

▪ Customer information or credit card data

▪ False identification

▪ Printed e-mail, notes, and letters

▪ False financial transaction forms

▪ Information regarding financial records

▪ Printouts of databases

7.3 E-mail Threats, Harassment, and Stalking


Potential digital evidence in e-mail threats, harassment, and stalking investigations includes:

▪ Computers

▪ Handheld mobile devices

▪ PDAs and address books

▪ Telephone records

▪ Diaries or records of surveillance

▪ Evidence of victim background research

▪ E-mail, notes, and letters

▪ Financial or asset records

▪ Printed photos or images

▪ Legal documents

▪ Information regarding internet activity

▪ Printed maps

7.4 Online or Economic Fraud

Potential digital evidence in online or economic fraud investigations includes:


▪ Computers

▪ Removable media

▪ Mobile communication devices

▪ External data storage devices

▪ Online auction sites and account data

▪ Databases

▪ PDAs, address books, and contact lists

▪ Printed e-mail, notes, and letters

▪ Calendars or journals

▪ Financial asset records

▪ Accounting or recordkeeping software

▪ Printed photos and image files

▪ Records or notes of chat sessions



▪ Information regarding internet activity

▪ Customer credit information

▪ Online banking information

▪ List(s) of credit card numbers

▪ Telephone numbers and call logs

▪ Credit card magnetic strip reader

▪ Credit card statements or bills

▪ Printers, copiers, and scanners

7.5 Telecommunication Fraud

Potential digital evidence in telecommunication fraud investigations includes:


▪ Computers

▪ Handheld mobile devices

▪ Removable media

▪ External data storage devices

▪ Phone programming software and cables

▪ Multiple mobile phones

▪ Subscriber identity module (SIM) card reader

▪ Hacker boxes and cables

▪ Lists of customer database records

▪ Stolen telephones

▪ Printed e-mail, notes, and letters

▪ Financial asset records

▪ Information regarding internet activity

▪ Telephone programming manuals

▪ Erasable programmable read-only memory (EPROM) burner
