



Inventory: 128 GB hardware-encrypted USB drive (AES-256, label “E-23”); compact 9×19 mm semi-automatic pistol, serial X123456, one magazine with seven rounds; folding lockpick set (8 tools); paper bundle: 12 handwritten pages with timeline entries dated 03/12–04/02, six 4×6 photographic prints, ledger with 18 transaction lines; emergency cash USD 320 (mixed denominations); compact first-aid kit (bandages, antiseptic wipes, one hemostatic dressing); multi-tool (110 mm); single-use smoke canister model SC-12. External dimensions approximately 38×28×6 cm; total weight ~1.7 kg.
Immediate handling: Wear nitrile gloves and photograph contents in place with a scale; record firearm serial numbers and capture high-resolution images of the USB label and any visible markings; bag each item separately with evidence tags and unique IDs. Do not connect the encrypted drive to any networked device; image the drive on an air-gapped workstation, compute and record hash values, then forward images to a certified digital forensics lab. Deliver the firearm to a ballistics examiner for safe handling and test-firing; preserve paper materials in acid-free sleeves.
Next steps: Log chain-of-custody entries immediately and store items in secured evidence storage with controlled temperature; consult counsel before opening sealed notes or acting on handwritten intelligence; ensure only certified personnel handle ammunition or the weapon. Cross-reference ledger entries and photo timestamps with incident records; extract metadata from the imaged drive (creation/modification timestamps) and include all observations in a formal incident report for investigative and legal review.
Inventory and forensic protocol for Robin’s carrying case
Preserve every object individually: photograph each piece at 600 DPI with a color chart and metric scale, assign a unique evidence ID (ISO 8601 timestamped), record handler name and exact time, place into numbered polypropylene evidence bags and seal with tamper-evident tape.
Documented contents observed on inspection: sealed envelope with red wax impression bearing a single-letter cipher; passport (country redacted, data page present; issuance 12-APR-2015, expiry 11-APR-2025); small leather wallet containing three receipts dated 2019-08-14 (merchant codes 03-95482, 07-12011), one train ticket stub with printed coordinates 40.7128°N, 74.0060°W; SD card (SanDisk Ultra, 64 GB, model SDSDXXY); Polaroid print showing waterfront skyline with handwritten timestamp 2012-05-04 21:13 on verso; key stamped “412”; hotel magnetic keycard with hotel code HLT-274; folded letter on 80 g/m² paper with blue gel ink and four-line cursive note; penknife (closed, no blade extended).
Digital media protocol: image all storage devices bit-for-bit using a hardware write-blocker (e.g., Tableau series or Atola Insight), generate MD5 and SHA-256 hashes for original and images, preserve raw and E01 formats; extract metadata with ExifTool, inspect file system structures with Autopsy or X-Ways, attempt carving with PhotoRec, and log recovered timestamps with timezone offsets. Capture volatile data only if device is powered and live analysis is justified; otherwise maintain power-off state.
Document and paper analysis: record paper weight, watermark presence and fiber composition; compare ink samples via thin-layer chromatography and Raman spectroscopy; inspect under UV (365 nm) and IR to reveal erasures or latent additions; characterize adhesive residues with FTIR; perform handwriting comparison using ACE-V methodology against known exemplars, noting slant angles, pen pressure traces and letterforms quantitatively.
Trace evidence and biological sampling: swab high-touch surfaces for touch DNA using nylon-flocked swabs and extract with validated kits (QIAamp Investigator or equivalent), quantify by qPCR and, if yield permits, proceed to STR profiling in an accredited lab; collect residue swabs for LC-MS/MS screening for controlled substances or explosive markers; lift latent prints using cyanoacrylate fuming followed by fluorescent powder when appropriate.
Physical inspection techniques for concealed compartments: X-ray radiography for dense packing, micro-CT when fine internal structure needs resolution, and controlled disassembly with documentation at each step; check seams and lining using backlighting and fiber-optic inspection. Record serial numbers on all hardware and submit any engraved identifiers to databases.
Storage and handling requirements: maintain paper and photographic materials at 18 ±2 °C and 40 ±5% relative humidity in dark storage; use buffered acid-free folders and polyester sleeves for photographs; keep electronics separated in anti-static containers at 15–20 °C; avoid magnetic fields and prolonged handling; restrict access to authorized personnel and update chain-of-custody log with every transfer.
Recommended next steps: prioritize digital imaging and sealing of sealed envelope for forensic chemistry; forward prioritized items to ISO/IEC 17025-accredited laboratories for digital, document and chemical analyses; retain high-resolution copies and hashed images in secure evidence repository and cross-reference transaction IDs, coordinates and timestamps against bank records, travel manifests and public datasets for corroboration.
Documents present and dates confirming the timeline
Answer: primary paperwork consists of a signed will dated 2018-03-14, a notarized instruction letter dated 2018-03-16, bank withdrawal slip and ATM log showing 2018-03-15 09:42:17 (UTC), printed calendar PDF with file-creation metadata 2018-03-12T08:15:03Z, two boarding passes for flight XY123 dated 2018-03-17 (boarding time 15:20 local), and a passport page bearing an entry stamp 2018-03-17 16:03 (local immigration stamp).
Corroboration details: the will carries witness signatures and a county clerk stamp with docket number and filing date 2018-03-14; the notarized letter includes the notary seal number and electronic register entry 2018-03-16; the bank slip lists transaction ID 9A7-312-20180315 and the ATM log shows matching terminal ID and timestamp; the calendar PDF preserves XMP metadata (CreateDate: 2018-03-12T08:15:03Z, ModifyDate: 2018-03-12T08:15:03Z); airline PNR retrieval returns reserved time 2018-03-17 12:04 and boarding pass barcode decode confirms flight and seat; immigration entry record in national database matches passport number and stamp time 2018-03-17 16:03.
Verification steps: obtain certified copies from the county clerk for the will and notarized letter; request a bank-certified printout and ATM log export for transaction ID 9A7-312-20180315; pull airline PNR and E-Ticket receipts from carrier archives for XY123; submit a request to immigration for entry/exit log tied to passport number; extract PDF metadata with exiftool (example: exiftool -CreateDate -ModifyDate file.pdf) and preserve original checksums (sha256) for each file.
Field-handling recommendations: seal originals in numbered evidence bags and log each transfer with date/time and signer; protect paper from weather during transport with a waterproof cover and an umbrella; collect ancillary timestamps such as hotel invoices and CCTV stills that match 2018-03-15–2018-03-17. Additional property-maintenance logs (mowing, service visits) may include date-stamped receipts useful as external corroboration; coordinate with grounds teams and request service records – many providers use equipment logs and invoices (example: entries tied to use of a cordless push lawn mower) that show service dates and technician signatures.
Immediate action: secure certified copies for dates 2018-03-12 through 2018-03-17, export all electronic metadata with preserved checksums, retrieve airline and immigration records, and compile a side-by-side chart of timestamps (file metadata, bank logs, airline PNR, immigration stamp, CCTV) to produce a single, date-ordered timeline for analysis.
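One way to build that date-ordered chart, as an added example rather than part of the original protocol: it normalizes the timestamps quoted above to UTC and, where a time is only "local" or has no zone, keeps the full range of instants it could denote, so overlapping ranges are reported as not yet orderable. The zone tags `departure-local` and `arrival-local` and the offsets passed to `build_timeline` are assumptions; the page names no time zone.

```python
from datetime import datetime, timedelta, timezone

# Timestamps quoted above. Zone labels other than "UTC" are hypothetical tags for
# the times the page calls "local"; the PNR time has no stated zone at all.
EVENTS = [
    ("calendar PDF CreateDate", "2018-03-12T08:15:03Z", "UTC"),
    ("ATM log", "2018-03-15 09:42:17", "UTC"),
    ("airline PNR reserved time", "2018-03-17 12:04", None),
    ("boarding time XY123", "2018-03-17 15:20", "departure-local"),
    ("immigration entry stamp", "2018-03-17 16:03", "arrival-local"),
]
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M")


def parse_naive(text):
    """Parse one of the timestamp layouts used above into a naive datetime."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def utc_window(text, zone, offsets):
    """Return (earliest, latest) UTC instants the printed time could denote."""
    stamp = parse_naive(text).replace(tzinfo=timezone.utc)
    if zone == "UTC":
        return stamp, stamp
    if zone in offsets:  # examiner-confirmed offset, in hours east of UTC
        exact = stamp - timedelta(hours=offsets[zone])
        return exact, exact
    # Unknown zone: civil offsets span UTC-12 to UTC+14, so keep the whole range.
    return stamp - timedelta(hours=14), stamp + timedelta(hours=12)


def build_timeline(events, offsets=None):
    """Sort events by earliest possible UTC time and list, per event, the other
    events whose possible range overlaps it (relative order not yet provable)."""
    offsets = offsets or {}
    rows = []
    for source, text, zone in events:
        earliest, latest = utc_window(text, zone, offsets)
        rows.append({"source": source, "printed": text, "zone": zone,
                     "earliest": earliest, "latest": latest})
    rows.sort(key=lambda r: (r["earliest"], r["latest"]))
    for row in rows:
        row["ambiguous_with"] = [
            o["source"] for o in rows
            if o is not row
            and o["earliest"] <= row["latest"] and row["earliest"] <= o["latest"]
        ]
    return rows


if __name__ == "__main__":
    for r in build_timeline(EVENTS):
        span = r["earliest"].isoformat()
        if r["latest"] != r["earliest"]:
            span += " .. " + r["latest"].isoformat()
        print(f'{span:55} {r["source"]:28} unordered vs: {r["ambiguous_with"]}')
```

Until the zone of each "local" stamp is confirmed from the carrier and immigration records, the three 2018-03-17 entries cannot be ordered against each other.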
Which electronic devices and removable media require immediate imaging?
Image immediately: any powered-on computer (capture volatile memory before shutdown), mobile device with an active unlocked session, external storage currently connected or recently used, removable cards and USB thumb drives, network-attached storage with attached drives, live virtual machines and hypervisor hosts, CCTV DVR/NVR units with removable disks, and hardware tokens or smart cards in use.
Priority list
- Laptops and desktops (powered on) – capture RAM first, then perform a bit-for-bit disk image while documenting running processes and network connections.
- Servers and workstations hosting critical services – preserve memory, active VM instances, open files, and mounted network shares.
- Smartphones and tablets (unlocked or on-screen) – obtain full filesystem and logical backups; export application data, call/SMS logs, and session tokens.
- External hard drives and SSDs – use hardware write blockers for physical acquisition; image entire device including recovery and hidden partitions.
- USB flash drives and removable cards (SD/microSD/CF) – image immediately to prevent file tampering or wear-induced data loss.
- NAS units and RAID arrays – capture member disks or controller metadata; document RAID configuration and take snapshots where supported.
- Live virtual machines and hypervisors – snapshot memory and disk files (VMDK/VHDX) and export hypervisor logs.
- CCTV DVR/NVR and removable surveillance drives – clone internal drives and export video files with timestamps and device identifiers.
- Encrypted volumes or devices with full-disk encryption (unlocked) – capture RAM and image filesystem while keys are resident.
- Hardware authentication devices, smart cards, and IoT endpoints with removable storage – preserve tokens, configuration files, and storage media.
Acquisition checklist
- Document device identifiers: make, model, serial numbers, MAC addresses, battery/power state, and visible ports; photograph screens showing active sessions or error messages.
- For powered-on systems: capture volatile memory with winpmem, LiME or vendor tools before powering down; record running processes, network connections, mounted volumes and logged-in users.
- Use hardware write blockers or forensic duplicators for physical media; create bit-for-bit images (dd, dc3dd, Guymager, FTK Imager) and capture all partitions including unallocated space and HPA/DCO where applicable.
- Compute and record hash values (SHA-256 plus MD5 or SHA-1 for legacy workflows) for each original device and each image; store hashes separately from images.
- When imaging encrypted devices that are unlocked, prioritize memory capture and live filesystem image; if device is powered off and encrypted, preserve device state and recover keys via credential sources rather than forcing decryption on scene.
- For mobile devices: attempt logical backup (ADB for Android, iTunes/backup for iOS) and a physical dump if tools and legal authority permit; preserve SIM cards and removable storage separately.
- Handle SSDs with TRIM awareness; if data recovery is required, avoid operations that trigger garbage collection and document firmware versions.
- For networked storage: isolate network paths if feasible, export configuration files, and acquire individual drives rather than relying only on NAS GUI-level backups.
- Label media and maintain chain-of-custody records at each transfer; seal images and originals with tamper-evident evidence labels.
- Verify each image immediately after acquisition by re-hashing and comparing to recorded values; log tool versions, command-line parameters, timestamps, and operator identity.
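The hash-recording and re-hash verification items of this checklist, sketched as an added example (not code from the original page): it computes SHA-256 and MD5 in one read pass, appends them with operator, tool and UTC time to a manifest stored apart from the image, and later reports every field that no longer matches. The evidence ID, operator name, tool string and file names are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit fully in RAM


def hash_image(path):
    """Return SHA-256, MD5 and byte count of a file from a single read pass."""
    sha256, md5, size = hashlib.sha256(), hashlib.md5(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
            size += len(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(), "bytes": size}


def record_acquisition(image_path, evidence_id, operator, tool, manifest_path):
    """Hash the image and append one JSON line to a manifest kept apart from it."""
    entry = {
        "evidence_id": evidence_id,
        "image": os.path.basename(image_path),
        "operator": operator,
        "tool": tool,
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        **hash_image(image_path),
    }
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_image(image_path, evidence_id, manifest_path):
    """Re-hash and compare with the first recorded entry; return (ok, problems)."""
    recorded = None
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            row = json.loads(line)
            if row["evidence_id"] == evidence_id:
                recorded = row  # the acquisition-time entry is the reference
                break
    if recorded is None:
        return False, ["no manifest entry for " + evidence_id]
    current = hash_image(image_path)
    problems = [f"{k}: recorded {recorded[k]} != current {current[k]}"
                for k in ("bytes", "sha256", "md5") if recorded[k] != current[k]]
    return not problems, problems


def demo():
    """Constructed stand-in for a disk image: record, verify, alter a byte, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample-image.dd")
        manifest = os.path.join(tmp, "hashes.jsonl")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample sector")
        record_acquisition(image, "EV-0001", "examiner-a", "dd (version as logged)", manifest)
        clean = verify_image(image, "EV-0001", manifest)
        with open(image, "r+b") as fh:  # simulate silent corruption of the copy
            fh.seek(100)
            fh.write(b"\x01")
        return clean, verify_image(image, "EV-0001", manifest)
```

The size stays identical after the single-byte change, so only the two digests flag it; a size-only check would pass.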
Which receipts and payment cards reveal recent purchases or locations?
Secure all paper receipts and payment cards from the bag immediately: segregate fuel, transit, parking, ATM, point-of-sale and courier receipts; place cards in RFID-blocking evidence sleeves and photograph each item before packaging.
Priority receipt types: fuel/gas station slips (pump number, pump transaction ID), transit and toll receipts (entry/exit station IDs, timestamps), parking and garage tickets (bay, ticket ID), taxi/ride‑hail printouts (pickup/dropoff GPS, driver ID, trip ID), merchant POS receipts (register, cashier, terminal ID), ATM withdrawal slips (ATM ID, location), delivery/courier proof-of-delivery (tracking number, recipient address), online order printouts and gift-card receipts (order ID, email or phone on file).
Key fields to extract and record from each receipt: merchant name, street address, phone number, merchant ID/MID, terminal ID/serial, merchant category code (MCC), transaction date and local time (plus timezone), transaction amount, authorization/approval code, transaction reference number, barcode/QR contents, cashier/register identifier, loyalty or account numbers printed on the slip.
Card handling and metadata capture: photograph front and back at high resolution showing last four digits, expiry, issuer name and signature panel; log card type (credit/debit/prepaid), BIN (first six if visible), presence of chip/contactless, and any cardholder name. Place contactless-capable media into a Faraday or RFID bag to prevent further remote transactions. Do not attempt test swipes or chip reads on scene.
Evidence to request from financial and merchant channels via legal process: acquirer/issuer transaction records including full timestamp (UTC and local), terminal geolocation or merchant address, terminal IP or merchant gateway ID, full authorization trace (auth code, retrieval reference), card token or PAN truncation, MCC, acquirer reference number, and settlement batch details. For mobile-wallet transactions ask for token metadata (device account identifier, token PAN reference, provisioning date) and push-notification timestamps.
Transit and transport card specifics: extract journey logs (station entry/exit IDs, device reader IDs, timestamps, fare deducted, balance before/after), ride-hail trip records (GPS route, pickup/drop coordinates, estimated distance, fare, driver and vehicle identifiers), and car-share unlock/return timestamps with vehicle plate and GPS breadcrumbs where available.
Preservation steps for paper and digital receipts: scan paper receipts at 600 dpi in color and save lossless (TIFF/PNG); photograph receipts on a neutral background with a scale and evidence tag visible; store originals flat in light‑sealed envelopes to reduce thermal fading; export mobile and email receipts with full headers and timestamps; capture any embedded QR/barcode images as separate high-resolution files.
Chain-of-custody and documentation: tag each receipt/card with unique evidence ID, record exact seizure time, handler, and source location in the log, and attach a short description of what fields were photographed or redacted. Prioritize retrieval of merchant CCTV and POS logs that correlate with the receipt timestamps and terminal IDs.
Personal items linking subject to contacts and locations
Key physical identifiers
- Driver’s licenses and national ID cards: record full name, date of birth, current address, ID number, issuing state/country and visible holograms; copy front and back, photograph at high resolution and transcribe numbers and address exactly.
- Passports: capture passport number, nationality, entry/exit stamps and any visa annotations that indicate recent travel.
- Employee or campus badges: note employer/department, badge ID, expiration and any access codes or printed building names.
- Business cards and appointment cards: extract phone numbers, emails, office addresses and scheduled dates; match names and numbers against contact lists and corporate directories.
- Physical photographs: inspect backs for handwritten notes, dates, locations, studio stamps or printed event names; scan faces for reverse-image search and compare clothing, landmarks or signage visible in images.
- Keys and key fobs: photograph both sides, log stamped codes, branded key heads, remote fob logos and attached tags; capture any serial or part numbers that link to vehicle models, locker systems or building access.
- Membership, loyalty and transit passes: record membership numbers and issuing organization to identify frequented venues or residences.
- Vehicle registration or insurance cards: transcribe VIN, plate number, registered owner and address for cross-reference with property and parking records.
Handling, documentation and follow-up actions
Secure each item in a separate evidence bag, label with unique ID and location found, and photograph in situ before movement. Use gloves and non-magnetic trays for metal objects; for keys include close-up images of cuts and tag engravings, then consult a locksmith or keycode database to identify compatible lock types. For printed photos perform high-resolution scanning and run reverse-image searches plus facial-recognition comparisons against open-source social profiles and public databases. Extract textual data from IDs and cards using OCR, then verify addresses against property tax, utility and corporate records. For any phone numbers or emails, perform open-source lookups and cross-reference with call logs or messages if devices are later forensically imaged. Note handwriting on notes or photo backs and submit samples for comparison with other seized documents. When transporting bulky or numerous items, place them in a secure carrier such as a leather tote and maintain chain-of-custody documentation. Preserve original items; avoid altering surfaces or removing attached tags; if opening sealed containers is required, document the seal and obtain authorization first.
Items posing data security or privacy risk and containment steps
Immediately isolate any physical medium containing authentication secrets or personally identifiable information; secure in tamper-evident packaging and log custody before further handling.
High-risk item categories and quick actions
Handwritten credentials, printed export files, and seed phrases: photograph in place, place each page in a separate evidence sleeve, log identifier, and restrict access to a single investigator for transcription or redaction.
Paper copies showing national identifiers (SSNs, passport numbers), full account numbers, or medical records: seal, inventory, and arrange secure shredding or forensic scanning under controlled conditions once retention rules are applied.
Authentication tokens on physical media (USB private keys, paper backups of MFA codes, hardware token serials): remove from general access, record serials, retain for chain-of-custody, and coordinate immediate credential revocation with access owners.
Mail, delivery labels, appointment slips containing addresses and contact details: tag as potential location intelligence, digitize with redaction, and provide copies to response team for geolocation analysis while preserving originals.
Containment checklist
| Item type | Risk indicators | Immediate containment action |
|---|---|---|
| Handwritten passwords / post-it notes | Plain-text credentials, site names, partial usernames | Photograph, sleeve individual pages, notify IT to rotate those credentials, record who accessed the material |
| Printed key material (private keys, PEM files) | PEM/header/footer markers, long base64 blocks, filename labels | Isolate in static-proof evidence bag, log serials, coordinate key revocation with security team |
| Paper wallets / seed phrases | 12–24 word lists, crypto brand names, QR codes | Do not scan with phone; photograph under supervision, secure physical storage, notify incident lead to freeze associated accounts |
| Access badges / smartcards / SIMs | Corporate badge IDs, EMV chips, SIM ICCID printed | Detach and bag individually, note identifiers, arrange suspension of badge/SIM and reissue |
| Printed spreadsheets, contact lists | Columns with DOB, phone, email, employer | Digitize with field redaction, inform data-protection officer of scope, notify affected individuals per policy |
| Receipts or invoices with billing info | Card BIN, last four digits, merchant locations, timestamps | Retain copies for timeline correlation, alert finance for potential fraud monitoring, redact and store originals |
| Physical backups (burned discs, unlabeled drives) | Labels missing, handwritten tags, adhesive notes | Quarantine in anti-static bag, label with unique ID, defer imaging to forensic team and prevent power-up |
| QR codes, printed tokens, recovery emails | One-time codes, deep links, redirecting URLs | Capture high-resolution image, maintain offline copy, revoke exposed tokens and update related credentials |