Title: Electronic Crime Scene Investigation: A Guide for First Responders
Series: NIJ Guide
Author: National Institute of Justice
Published: July 2001
Subject: Criminal investigation
98 pages
132 bytes
Figures, charts, forms, and tables are not included in this ASCII plain-text file.
To view this document in its entirety, download the Adobe Acrobat graphic file
available from this Web site or order a print copy from NCJRS at 800-851-
3420 (877-712-9279 For TTY users).
—————————
U.S. Department of Justice
Office of Justice Programs
National Institute of Justice
Electronic Crime Scene Investigation:
A Guide for First Responders
NIJ Guide
—————————
U.S. Department of Justice
Office of Justice Programs
810 Seventh Street N.W.
Washington, DC 20531
John Ashcroft
Attorney General
Office of Justice Programs
World Wide Web Site
https://www.ojp.usdoj.gov
National Institute of Justice
World Wide Web Site
https://www.ojp.usdoj.gov/nij
—————————
Electronic Crime Scene Investigation:
A Guide for First Responders
Written and Approved by the
Technical Working Group for
Electronic Crime Scene Investigation
July 2001
—————————
U.S. Department of Justice
Office of Justice Programs
National Institute of Justice
This document is not intended to create, does not create, and may not be relied
upon to create any rights, substantive or procedural, enforceable at law by any
party in any matter civil or criminal.
Opinions or points of view expressed in this document represent a consensus of
the authors and do not necessarily represent the official position or policies of
the U.S. Department of Justice. The products and manufacturers discussed in
this document are presented for informational purposes only and do not
constitute product approval or endorsement by the U.S. Department of Justice.
NCJ 187736
The National Institute of Justice is a component of the Office of Justice
Programs, which also includes the Bureau of Justice Assistance, the Bureau of
Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and
the Office for Victims of Crime.
—————————
Foreword
The Internet, computer networks, and automated data systems present an
enormous new opportunity for committing criminal activity. Computers and
other electronic devices are being used increasingly to commit, enable, or
support crimes perpetrated against persons, organizations, or property.
Whether the crime involves attacks against computer systems, the information
they contain, or more traditional crimes such as murder, money laundering,
trafficking, or fraud, electronic evidence increasingly is involved. It is no
surprise that law enforcement and criminal justice officials are being
overwhelmed by the volume of investigations and prosecutions that involve
electronic evidence.
To assist State and local law enforcement agencies and prosecutorial offices
with the growing volume of electronic crime, a series of reference guides
regarding practices, procedures, and decisionmaking processes for investigating
electronic crime is being prepared by technical working groups of practitioners
and subject matter experts who are knowledgeable about electronic crime. The
practitioners and experts are from Federal, State, and local law enforcement
agencies; criminal justice agencies; offices of prosecutors and district attorneys
general; and academic, commercial, and professional organizations.
The series of guides will address the investigation process from the crime scene
first responder, to the laboratory, to the courtroom. Specifically, the series of
guides will address:
o Crime scene investigations by first responders.
o Examination of digital evidence.
o Investigative uses of technology.
o Investigating electronic technology crimes.
o Creating a digital evidence forensic unit.
o Courtroom presentation of digital evidence.
Due to the rapidly changing nature of electronic and computer technologies and
of electronic crime, efforts will be periodically undertaken to update the
information contained within each of the guides. The guides, and any
subsequent updates that are made to them, will be made available on the
National Institute of Justice’s World Wide Web site
(https://www.ojp.usdoj.gov/nij).
—————————
Technical Working Group for Electronic Crime Scene Investigation
The Technical Working Group for Electronic Crime Scene Investigation
(TWGECSI) was a multidisciplinary group of practitioners and subject matter
experts from across the United States and other nations. Each of the individual
participants is experienced in the intricacies involved with electronic evidence in
relation to recognition, documentation, collection, and packaging. To initiate the
working group, a planning panel composed of a limited number of participants
was selected to define the scope and breadth of the work. A series of guides
was proposed in which each guide will focus on a different aspect of the
discipline.
The panel chose crime scene investigation as the first topic for incorporation
into a guide.
Planning Panel
Susan Ballou
Program Manager for Forensic Sciences
Office of Law Enforcement Standards
National Institute of Standards and Technology
Gaithersburg, Maryland
Jaime Carazo
Special Agent
United States Secret Service
Electronic Crimes Branch
Washington, D.C.
Bill Crane
Assistant Director
Computer Crime Section
National White Collar Crime Center
Fairmont, West Virginia
Fred Demma
National Law Enforcement and Corrections Technology Center-Northeast
Rome, New York
Grant Gottfried
Special Projects
National Center for Forensic Science
Orlando, Florida
Sam Guttman
Assistant Inspector in Charge
Forensic and Technical Services
U.S. Postal Inspection Service
Dulles, Virginia
Jeffrey Herig
Special Agent
Florida Department of Law Enforcement
Florida Computer Crime Center
Tallahassee, Florida
Tim Hutchison
Sheriff
Knox County Sheriff’s Office
Knoxville, Tennessee
David Icove
Manager, Special Projects
U.S. TVA Police
Knoxville, Tennessee
Bob Jarzen
Sacramento County
Laboratory of Forensic Science
Sacramento, California
Tom Johnson
Dean
School of Public Safety and Professional Studies
University of New Haven
West Haven, Connecticut
Karen Matthews
DOE Computer Forensic Laboratory
Bolling AFB
Washington, D.C.
Mark Pollitt
Unit Chief
FBI-CART
Washington, D.C.
David Poole
Director
DoD Computer Forensics Laboratory
Linthicum, Maryland
Mary Riley
Price Waterhouse Coopers, LLP
Washington, D.C.
Kurt Schmid
Director
National HIDTA Program
Washington, D.C.
Howard A. Schmidt
Corporate Security Officer
Microsoft Corp.
Redmond, Washington
Raemarie Schmidt
Computer Crime Specialist
National White Collar Crime Center Computer Crime Section
Fairmont, West Virginia
Carl Selavka
Massachusetts State Police Crime Laboratory
Sudbury, Massachusetts
Steve Sepulveda
United States Secret Service
Washington, D.C.
Todd Shipley
Detective Sergeant
Reno Police Department
Financial/Computer Crimes Unit
Reno, Nevada
Chris Stippich
Computer Crime Specialist
Computer Crime Section
National White Collar Crime Center
Fairmont, West Virginia
Carrie Morgan Whitcomb
Director
National Center for Forensic Science
Orlando, Florida
Wayne Williams
Sr. Litigation Counsel
Computer Crime and Intellectual Property Section
Criminal Division
U.S. Department of Justice
Washington, D.C.
TWGECSI Members
Additional members were then incorporated into TWGECSI to provide a full
technical working group. The individuals listed below, along with those
participants on the planning panel, worked together to produce this guide for
electronic crime scene first responders.
Abigail Abraham
Assistant State’s Attorney
Cook County State’s Attorney’s Office
Chicago, Illinois
Keith Ackerman
Head of CID
Police HQ
Hampshire Constabulary
Winchester, Hants
United Kingdom
Michael Anderson
President
New Technologies, Inc
Gresham, Oregon
Bill Baugh
CEO
Savannah Technology Group
Savannah, Georgia
Randy Bishop
Special Agent in Charge
U.S. Department of Energy
Office of Inspector General
Technology Crime Section
Washington, D.C.
Steve Branigan
Vice President of Product Development
Lucent Technologies
Murray Hill, New Jersey
Paul Brown
CyberEvidence, Inc.
The Woodlands, Texas
Carleton Bryant
Staff Attorney
Knox County Sheriff’s Office
Knoxville, Tennessee
Christopher Bubb
Deputy Attorney General
New Jersey Division of Criminal Justice
Trenton, New Jersey
Don Buchwald
Project Engineer
National Law Enforcement and Corrections Technology Center-West
The Aerospace Corporation
Los Angeles, California
Cheri Carr
Computer Forensic Lab Chief
NASA Office of the Inspector General Network and Advanced Technology
Protections Office
Washington, D.C.
Nick Cartwright
Manager
Canadian Police Research Centre
Ottawa, Ontario
Canada
Ken Citarella
Chief
High Tech Crimes Bureau
Westchester County District Attorney
White Plains, New York
Chuck Coe
Director of Technical Services
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
Washington, D.C.
Fred Cohen
Sandia National Laboratories
Cyber Defender Program
Livermore, California
Fred Cotton
Director of Training Services
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California
Tony Crisp
Lieutenant
Maryville Police Department
Maryville, Tennessee
Mark Dale
New York State Police
Forensic Investigation Center
Albany, New York
Claude Davenport
Senior SA
United States Customs Service
Sterling, Virginia
David Davies
Photographic Examiner
Federal Bureau of Investigation
Washington, D.C.
Michael Donhauser
Maryland State Police
Columbia, Maryland
James Doyle
Sergeant
Detective Bureau
New York City Police Department
New York, New York
Michael Duncan
Sergeant
Royal Canadian Mounted Police
Economic Crime Branch
Technological Crime Section
Ottawa, Ontario
Canada
Jim Dunne
Group Supervisor
Drug Enforcement Agency
St. Louis, Missouri
Chris Duque
Detective
Honolulu Police Department
White Collar Crime Unit
Honolulu, Hawaii
Doug Elrick
Iowa DCI Crime Lab
Des Moines, Iowa
Paul French
Computer Forensics Lab Manager
New Technologies Armor, Inc.
Gresham, Oregon
Gerald Friesen
Electronic Search Coordinator
Industry Canada
Hull, Quebec
Canada
Pat Gilmore, CISSP
Director
Information Security
Atomic Tangerine
San Francisco, California
Gary Gordon
Professor
Economic Crime Programs
Utica College
WetStone Technologies
Utica, New York
Dan Henry
Chief Deputy
Marion County Sheriff’s Department
Ocala, Florida
Jeff Hormann
Special Agent In Charge
Computer Crime Resident Agency
U.S. Army CID
Ft. Belvoir, Virginia
Mary Horvath
Program Manager
FBI-CART
Washington, D.C.
Mel Joiner
Officer
Arizona Department of Public Safety
Phoenix, Arizona
Nigel Jones
Detective Sergeant
Computer Crime Unit
Police Headquarters
Kent County Constabulary
Maidstone, Kent
United Kingdom
Jamie Kerr
SGT/Project Manager
RCMP Headquarters
Training Directorate
Ottawa, Ontario
Canada
Alan Kestner
Assistant Attorney General
Wisconsin Department of Justice
Madison, Wisconsin
Phil Kiracofe
Sergeant
Tallahassee Police Department
Tallahassee, Florida
Roland Lascola
Program Manager
FBI-CART
Washington, D.C.
Barry Leese
Detective Sergeant
Maryland State Police
Computer Crimes Unit
Columbia, Maryland
Glenn Lewis
Computer Specialist
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California
Chris Malinowski
Forensic Computer Investigation
University of New Haven
West Haven, Connecticut
Kevin Manson
Director
Cybercop.org
St. Simons Island, Georgia
Brenda Maples
Lieutenant
Memphis Police Department
Memphis, Tennessee
Tim McAuliffe
New York State Police
Forensic Investigation Center
Albany, New York
Michael McCartney
Investigator
New York State Attorney General’s Office
Criminal Prosecution Bureau Organized Crime Task Force
Buffalo, New York
Alan McDonald
SSA
Washington, D.C.
Mark Menz
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California
Dave Merkel
AOL Investigations
Reston, Virginia
Bill Moylan
Detective
Nassau County PD
Computer Crime Section
Crimes Against Property Squad
Westbury, New York
Steve Nesbitt
Director of Operations
NASA Office of the Inspector General
Network and Advanced Technology Protections Office
Washington, D.C.
Glen Nick
Program Manager
U.S. Customs Service
Cyber Smuggling Center
Fairfax, Virginia
Robert O’Leary
Detective
New Jersey State Police
High Technology Crimes & Investigations Support Unit
West Trenton, New Jersey
Matt Parsons
Special Agent/Division Chief
Naval Criminal Investigative Service
Washington, D.C.
Mike Phelan
Chief
Computer Forensics Unit
DEA Special Testing and Research Lab
Lorton, Virginia
Henry R. Reeve
General Counsel/Deputy D.A.
Denver District Attorney’s Office
Denver, Colorado
Jim Riccardi, Jr.
Electronic Crime Specialist
National Law Enforcement and Corrections Technology Center-Northeast
Rome, New York
David Roberts
Deputy Executive Director
SEARCH
The National Consortium for Justice Information and Statistics
Sacramento, California
Leslie Russell
Forensic Science Service
Lambeth
London, England
United Kingdom
Greg Schmidt
Sr. Investigator
EDS-Investigations/Technical
Plano, Texas
George Sidor
Law Enforcement Security Consultant
Jaws Technologies Inc.
St. Albert, Alberta
Canada
William Spernow
CISSP
Research Director
Information Security Strategies Group
Gartner, Inc.
Suwanee, Georgia
Ronald Stevens
Senior Investigator
New York State Police
Forensic Investigation Center
Albany, New York
Gail Thackeray
Special Counsel-Technology Crimes
Arizona Attorney General’s Office
Phoenix, Arizona
Dwight Van de Vate
Chief Deputy
Knox County Sheriff’s Office
Knoxville, Tennessee
Jay Verhorevoort
Lieutenant
Davenport Police Department
Davenport, Iowa
Richard Vorder Bruegge
Photographic Examiner
Federal Bureau of Investigation
Washington, D.C.
Robert B. Wallace
U.S. Department of Energy
Germantown, Maryland
Craig Wilson
Detective Sergeant
Computer Crime Unit
Police Headquarters
Kent County Constabulary
Maidstone, Kent
United Kingdom
Brian Zwit
Chief Counsel (former)
Environment, Science, and Technology
National Association of Attorneys General
Washington, D.C.
Chronology
In May 1998, the National Cybercrime Training Partnership (NCTP), the
Office of Law Enforcement Standards (OLES), and the National Institute of
Justice (NIJ) collaborated on possible resources that could be implemented to
counter electronic crime. Continuing meetings generated a desire to formulate
one set of protocols that would address the process of electronic evidence from
the crime scene through court presentations. NIJ selected the technical working
group process as the way to achieve this goal but with the intent to create a
publication flexible enough to allow implementation with any State and local law
enforcement policy. Using its «template for technical working groups,» NIJ
established the Technical Working Group for Electronic Crime Scene
Investigation (TWGECSI) to identify, define, and establish basic criteria to
assist agencies with electronic investigations and prosecutions.
In January 1999, planning panel members met at the National Institute of
Standards and Technology (NIST) in Gaithersburg, Maryland, to review the
fast-paced arena of electronic crime and prepare the scope, intent, and
objectives of the project. During this meeting, the scope was determined to be
too vast for incorporation into one guide. Thus evolved a plan for several
guides, each targeting separate issues. Crime scene investigation was selected
as the topic for the first guide.
The initial meeting of the full TWGECSI took place March 1999 at NIST.
After outlining tasks in a general meeting, the group separated into subgroups to
draft the context of the chapters as identified by the planning panel. These
chapters were Electronic Devices: Types and Potential Evidence; Investigative
Tools and Equipment; Securing and Evaluating the Scene; Documenting the
Scene; Evidence Collection; Packaging, Transportation, and Storage; and
Forensic Examination by Crime Category. The volume of work involved in
preparing the text of these chapters required additional TWGECSI meetings.
The planning panel did not convene again until May 2000. Due to the amount of
time that had transpired between meetings, the planning panel reviewed the
draft content and compared it with changes that had occurred in the electronic
crime environment. These revisions to the draft were then sent to the full
TWGECSI in anticipation of the next meeting. The full TWGECSI met again at
NIST in August 2000, and through 2 days of intense discussion, edited most of
the draft to represent the current status of electronic crime investigation. With a
few more sections requiring attention, the planning panel met in Seattle,
Washington, during September 2000 to continue the editing process. These
final changes, the glossary, and appendixes were then critiqued and voted on by
the whole TWGECSI during the final meeting in November 2000 at NIST.
The final draft was then sent for content and editorial review to more than 80
organizations having expertise and knowledge in the electronic crime
environment. The returned comments were evaluated and incorporated into the
document when possible. The first chapter, Electronic Devices: Types and
Potential Evidence, incorporates photographic representations of highlighted
terms as a visual associative guide. At the end of the document are appendixes
containing a glossary, legal resources, technical resources, training resources,
and references, followed by a list of the organizations to which a draft copy of
the document was sent.
—————————
Acknowledgments
The National Institute of Justice (NIJ) wishes to thank the members of the
Technical Working Group for Electronic Crime Scene Investigation
(TWGECSI) for their tireless dedication. There was a constant turnover of
individuals involved, mainly as a result of job commitments and career changes.
This dynamic environment resulted in a total of 94 individuals supplying their
knowledge and expertise to the creation of the guide. All participants were
keenly aware of the constant changes occurring in the field of electronics and
strove to update information during each respective meeting. This demonstrated
the strong desire of the working group to produce a guide that could be flexible
and serve as a backbone for future efforts to upgrade the guide. In addition,
NIJ offers a sincere thank you to each agency and organization represented by
the working group members. The work loss to each agency during the absence
of key personnel is evidence of management’s commitment and understanding
of the importance of standardization in forensic science.
NIJ also wishes to thank Kathleen Higgins, Director, and Susan Ballou,
Program Manager, of the Office of Law Enforcement Standards, for providing
management and guidance in bringing the project to completion.
NIJ would like to express appreciation for the input and support that Dr. David
G. Boyd, Director of NIJ’s Office of Science and Technology (OS&T), and
Trent DePersia, Dr. Ray Downs, Dr. Richard Rau, Saralyn Borrowman, Amon
Young, and James McNeil, all of OS&T, gave the meetings and the document.
A special thanks is extended to Aspen Systems Corporation, specifically to
Michele Coppola, the assigned editor, for her patience and skill in dealing with
instantaneous transcription.
In addition, NIJ wishes to thank the law enforcement agencies, academic
institutions, and commercial organizations worldwide that supplied contact
information, reference materials, and editorial suggestions. Particular thanks
goes to Michael R. Anderson, President of New Technologies, Inc., for
contacting agencies knowledgeable in electronic evidence for inclusion in the
appendix on technical resources.
—————————
Contents
Foreword
Technical Working Group for Electronic Crime Scene Investigation
Acknowledgments
Overview
–The Law Enforcement Response to Electronic Evidence
–The Latent Nature of Electronic Evidence
–The Forensic Process
Introduction
–Who Is the Intended Audience for This Guide?
–What is Electronic Evidence?
–How Is Electronic Evidence Handled at the Crime Scene?
–Is Your Agency Prepared to Handle Electronic Evidence?
Chapter 1. Electronic Devices: Types and Potential Evidence
–Computer Systems
–Components
–Access Control Devices
–Answering Machines
–Digital Cameras
–Handheld Devices (Personal Digital Assistants [PDAs], Electronic
Organizers)
–Hard Drives
–Memory Cards
–Modems
–Network Components
–Pagers
–Printers
–Removable Storage Devices and Media
–Scanners
–Telephones
–Miscellaneous Electronic Items
Chapter 2. Investigative Tools and Equipment
–Tool Kit
Chapter 3. Securing and Evaluating the Scene
Chapter 4. Documenting the Scene
Chapter 5. Evidence Collection
–Nonelectronic Evidence
–Stand-Alone and Laptop Computer Evidence
–Computers in a Complex Environment
–Other Electronic Devices and Peripheral Evidence
Chapter 6. Packaging, Transportation, and Storage
Chapter 7. Forensic Examination by Crime Category
–Auction Fraud (Online)
–Child Exploitation/Abuse
–Computer Intrusion
–Death Investigation
–Domestic Violence
–Economic Fraud (Including Online Fraud, Counterfeiting)
–E-Mail Threats/Harassment/Stalking
–Extortion
–Gambling
–Identity Theft
–Narcotics
–Prostitution
–Software Piracy
–Telecommunications Fraud
Appendix A. Glossary
Appendix B. Legal Resources List
Appendix C. Technical Resources List
Appendix D. Training Resources List
Appendix E. References
Appendix F. List of Organizations
—————————
Overview
Computers and other electronic devices are present in every aspect of modern
life. At one time, a single computer filled an entire room; today, a computer can
fit in the palm of your hand. The same technological advances that have helped
law enforcement are being exploited by criminals.
Computers can be used to commit crime, can contain evidence of crime, and
can even be targets of crime. Understanding the role and nature of electronic
evidence that might be found, how to process a crime scene containing potential
electronic evidence, and how an agency might respond to such situations are
crucial issues. This guide represents the collected experience of the law
enforcement community, academia, and the private sector in the recognition,
collection, and preservation of electronic evidence in a variety of crime scenes.
The Law Enforcement Response to Electronic Evidence
The law enforcement response to electronic evidence requires that officers,
investigators, forensic examiners, and managers all play a role. This document
serves as a guide for the first responder. A first responder may be responsible
for the recognition, collection, preservation, transportation, and/or storage of
electronic evidence. In today’s world, this can include almost everyone in the
law enforcement profession. Officers may encounter electronic devices during
their day-to-day duties. Investigators may direct the collection of electronic
evidence, or may perform the collection themselves. Forensic examiners may
provide assistance at crime scenes and will perform examinations on the
evidence. Managers have the responsibility of ensuring that personnel under
their direction are adequately trained and equipped to properly handle
electronic evidence.
Each responder must understand the fragile nature of electronic evidence and
the principles and procedures associated with its collection and preservation.
Actions that have the potential to alter, damage, or destroy original evidence
may be closely scrutinized by the courts.
Procedures should be in effect that promote electronic crime scene
investigation. Managers should determine who will provide particular levels of
services and how these services will be funded. Personnel should be provided
with initial and ongoing technical training. Oftentimes, certain cases will demand
a higher level of expertise, training, or equipment, and managers should have a
plan in place regarding how to respond to these cases. The demand for
responses to electronic evidence is expected to increase for the foreseeable
future. Such services require that dedicated resources be allocated for these
purposes.
The Latent Nature of Electronic Evidence
Electronic evidence is information and data of investigative value that is stored
on or transmitted by an electronic device. As such, electronic evidence is latent
evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid)
evidence are latent. In its natural state, we cannot «see» what is contained in the
physical object that holds our evidence. Equipment and software are required
to make the evidence visible. Testimony may be required to explain the
examination process and any process limitations.
Electronic evidence is, by its very nature, fragile. It can be altered, damaged, or
destroyed by improper handling or improper examination. For this reason,
special precautions should be taken to document, collect, preserve, and
examine this type of evidence. Failure to do so may render it unusable or lead
to an inaccurate conclusion. This guide suggests methods that will help preserve
the integrity of such evidence.
The Forensic Process
The nature of electronic evidence is such that it poses special challenges for its
admissibility in court. To meet these challenges, follow proper forensic
procedures. These procedures include, but are not limited to, four phases:
collection, examination, analysis, and reporting. Although this guide
concentrates on the collection phase, the nature of the other three phases and
what happens in each are also important to understand.
The collection phase involves the search for, recognition of, collection of, and
documentation of electronic evidence. The collection phase can involve
real-time and stored information that may be lost unless precautions are taken
at the scene.
The examination process helps to make the evidence visible and explain its
origin and significance. This process should accomplish several things. First, it
should document the content and state of the evidence in its totality. Such
documentation allows all parties to discover what is contained in the evidence.
Included in this process is the search for information that may be hidden or
obscured. Once all the information is visible, the process of data reduction can
begin, thereby separating the «wheat» from the «chaff.» Given the tremendous
amount of information that can be stored on computer storage media, this part
of the examination is critical.
Analysis differs from examination in that it looks at the product of the
examination for its significance and probative value to the case. Examination is a
technical review that is the province of the forensic practitioner, while analysis is
performed by the investigative team. In some agencies, the same person or
group will perform both these roles.
A written report that outlines the examination process and the pertinent data
recovered completes an examination. Examination notes must be preserved for
discovery or testimony purposes. An examiner may need to testify about not
only the conduct of the examination but also the validity of the procedure and
his or her qualifications to conduct the examination.
—————————
Introduction
This guide is intended for use by law enforcement and other responders who
have the responsibility for protecting an electronic crime scene and for the
recognition, collection, and preservation of electronic evidence. It is not
all-inclusive. Rather, it deals with the most common situations encountered with
electronic evidence. Technology is advancing at such a rapid rate that the
suggestions in this guide must be examined through the prism of current
technology and the practices adjusted as appropriate. It is recognized that all
crime scenes are unique and the judgment of the first responder/investigator
should be given deference in the implementation of this guide. Furthermore,
those responsible officers or support personnel with special training should also
adjust their practices as the circumstances (including their level of experience,
conditions, and available equipment) warrant. This publication is not intended to
address forensic analysis. Circumstances of individual cases and Federal, State,
and local laws/rules may require actions other than those described in this
guide.
When dealing with electronic evidence, general forensic and procedural
principles should be applied:
o Actions taken to secure and collect electronic evidence should not change
that evidence.
o Persons conducting examination of electronic evidence should be trained for
the purpose.
o Activity relating to the seizure, examination, storage, or –transfer of
electronic evidence should be fully documented, –preserved, and available for
review.
Who Is the Intended Audience for This Guide?
o Anyone encountering a crime scene that might contain electronic evidence.
o Anyone processing a crime scene that involves electronic evidence.
o Anyone supervising someone who processes such a crime scene.
o Anyone managing an organization that processes such a crime scene.
Without having the necessary skills and training, no responder should attempt to
explore the contents or recover data from a computer (e.g., do not touch the
keyboard or click the mouse) or other electronic device other than to record
what is visible on its display.
What Is Electronic Evidence?
Electronic evidence is information and data of investigative value that is stored
on or transmitted by an electronic device. Such evidence is acquired when data
or physical items are collected and stored for examination purposes.
Electronic evidence:
o Is often latent in the same sense as fingerprints or DNA evidence.
o Can transcend borders with ease and speed.
o Is fragile and can be easily altered, damaged, or destroyed.
o Is sometimes time-sensitive.
How Is Electronic Evidence Handled at the Crime Scene?
Precautions must be taken in the collection, preservation, and examination of
electronic evidence.
Handling electronic evidence at the crime scene normally consists of the
following steps:
o Recognition and identification of the evidence.
o Documentation of the crime scene.
o Collection and preservation of the evidence.
o Packaging and transportation of the evidence.
The information in this document assumes that:
o The necessary legal authority to search for and seize the suspected evidence
has been obtained.
o The crime scene has been secured and documented (photographically and/or
by sketch or notes).
o Crime scene protective equipment (gloves, etc.) is being used as necessary.
Note: First responders should use caution when seizing electronic devices. The
improper access of data stored in electronic devices may violate provisions of
certain Federal laws, including the Electronic Communications Privacy Act.
Additional legal process may be necessary. Please consult your local
prosecutor before accessing stored data on a device. Because of the fragile
nature of electronic evidence, examination should be done by appropriate
personnel.
Is Your Agency Prepared to Handle Electronic Evidence?
This document recommends that every agency identify local computer experts
before they are needed. These experts should be «on call» for situations that are
beyond the technical expertise of the first responder or department. (Similar
services are in place for toxic waste emergencies.) It is also recommended that
investigative plans be developed in compliance with departmental policy and
Federal, State, and local laws. In particular, under the Privacy Protection Act,
with certain exceptions, it is unlawful for an agent to search for or seize certain
materials possessed by a person reasonably believed to have a purpose of
disseminating information to the public. For example, seizure of First
Amendment materials such as drafts of newsletters or Web pages may
implicate the Privacy Protection Act.
This document may help in:
o Assessing resources.
o Developing procedures.
o Assigning roles and tasks.
o Considering officer safety.
o Identifying and documenting equipment and supplies to bring to the scene.
—————————
Chapter 1. Electronic Devices: Types and Potential Evidence
Electronic evidence can be found in many of the new types of electronic
devices available to today’s consumers. This chapter displays a wide variety of
the types of electronic devices commonly encountered in crime scenes,
provides a general description of each type of device, and describes its
common uses. In addition, it presents the potential evidence that may be found
in each type of equipment.
Many electronic devices contain memory that requires continuous power to
maintain the information, such as a battery or AC power. Data can be easily
lost by unplugging the power source or allowing the battery to discharge. (Note:
After determining the mode of collection, collect and store the power supply
adaptor or cable, if present, with the recovered device.)
Computer Systems
Description: A computer system typically consists of a main base unit,
sometimes called a central processing unit (CPU), data storage devices, a
monitor, keyboard, and mouse. It may be a standalone or it may be connected
to a network. There are many types of computer systems such as laptops,
desktops, tower systems, modular rack-mounted systems, minicomputers, and
mainframe computers. Additional components include modems, printers,
scanners, docking stations, and external data storage devices. For example, a
desktop is a computer system consisting of a case, motherboard, CPU, and
data storage, with an external keyboard and mouse.
Primary Uses: For all types of computing functions and information storage,
including word processing, calculations, communications, and graphics.
Potential Evidence: Evidence is most commonly found in files that are stored on
hard drives and storage devices and media. Examples are:
User-Created Files
User-created files may contain important evidence of criminal activity such as
address books and database files that may prove criminal association, still or
moving pictures that may be evidence of pedophile activity, and
communications between criminals such as by e-mail or letters. Also, drug deal
lists may often be found in spreadsheets.
o Address books.
o Audio/video files.
o Calendars.
o Database files.
o Documents or text files.
o E-mail files.
o Image/graphics files.
o Internet bookmarks/favorites.
o Spreadsheet files.
User-Protected Files
Users have the opportunity to hide evidence in a variety of forms. For example,
they may encrypt or password-protect data that are important to them. They
may also hide files on a hard disk or within other files or deliberately hide
incriminating evidence files under an innocuous name.
o Compressed files.
o Encrypted files.
o Hidden files.
o Misnamed files.
o Password-protected files.
o Steganography.
Evidence can also be found in files and other data areas created as a routine
function of the computer’s operating system. In many cases, the user is not
aware that data are being written to these areas. Passwords, Internet activity,
and temporary backup files are examples of data that can often be recovered
and examined.
Note: There are components of files that may have evidentiary value including
the date and time of creation, modification, deletion, access, user name or
identification, and file attributes. Even turning the system on can modify some of
this information.
Computer-Created Files
o Backup files.
o Configuration files.
o Cookies.
o Hidden files.
o History files.
o Log files.
o Printer spool files.
o Swap files.
o System files.
o Temporary files.
Other Data Areas
o Bad clusters.
o Computer date, time, and password.
o Deleted files.
o Free space.
o Hidden partitions.
o Lost clusters.
o Metadata.
o Other partitions.
o Reserved areas.
o Slack space.
o Software registration information.
o System areas.
o Unallocated space.
Components
Central Processing Units (CPUs)
Description: Often called the «chip,» it is a microprocessor located inside the
computer. The microprocessor is located in the main computer box on a
printed circuit board with other electronic components.
Primary Uses: Performs all arithmetic and logical functions in the computer.
Controls the operation of the computer.
Potential Evidence: The device itself may be evidence of component theft,
counterfeiting, or remarking.
Memory
Description: Removable circuit board(s) inside the computer. Information
stored here is usually not retained when the computer is powered down.
Primary Uses: Stores user’s programs and data while computer is in operation.
Potential Evidence: The device itself may be evidence of component theft,
counterfeiting, or remarking.
Access Control Devices
Smart Cards, Dongles, Biometric Scanners
Description: A smart card is a small handheld device that contains a
microprocessor that is capable of storing a monetary value, encryption key or
authentication information (password), digital certificate, or other information. A
dongle is a small device that plugs into a computer port that contains types of
information similar to information on a smart card. A biometric scanner is a
device connected to a computer system that recognizes physical characteristics
of an individual (e.g., fingerprint, voice, retina).
Primary Uses: Provides access control to computers or programs or functions
as an encryption key.
Potential Evidence: Identification/authentication information of the card and the
user, level of access, configurations, permissions, and the device itself.
Answering Machines
Description: An electronic device that is part of a telephone or connected
between a telephone and the landline connection. Some models use a magnetic
tape or tapes, while others use an electronic (digital) recording system.
Primary Uses: Records voice messages from callers when the called party is
unavailable or chooses not to answer a telephone call. Usually plays a message
from the called party before recording the message.
Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.
Potential Evidence: Answering machines can store voice messages and, in some
cases, time and date information about when the message was left. They may
also contain other voice recordings.
o Caller identification information.
o Deleted messages.
o Last number called.
o Memo.
o Phone numbers and names.
o Tapes.
Digital Cameras
Description: Camera, digital recording device for images and video, with related
storage media and conversion hardware capable of transferring images and
video to computer media.
Primary Uses: Digital cameras capture images and/or video in a digital format
that is easily transferred to computer storage media for viewing and/or editing.
Potential Evidence:
o Images.
o Removable cartridges.
o Sound.
o Time and date stamp.
o Video.
Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)
Description: A personal digital assistant (PDA) is a small device that can include
computing, telephone/fax, paging, networking, and other features. It is typically
used as a personal organizer. A handheld computer approaches the full
functionality of a desktop computer system. Some do not contain disk drives,
but may contain PC card slots that can hold a modem, hard drive, or other
device. They usually include the ability to synchronize their data with other
computer systems, most commonly by a connection in a cradle (see photo). If a
cradle is present, attempt to locate the associated handheld device.
Primary Uses: Handheld computing, storage, and communication devices
capable of storage of information.
Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.
Potential Evidence:
o Address book.
o Appointment calendars/information.
o Documents.
o E-mail.
o Handwriting.
o Password.
o Phone book.
o Text messages.
o Voice messages.
Hard Drives
Description: A sealed box containing rigid platters (disks) coated with a
substance capable of storing data magnetically. Can be encountered in the case
of a PC as well as externally in a standalone case.
Primary Uses: Storage of information such as computer programs, text,
pictures, video, multimedia files, etc.
Potential Evidence: See potential evidence under computer systems.
Memory Cards
Description: Removable electronic storage devices, which do not lose the
information when power is removed from the card. It may even be possible to
recover erased images from memory cards. Memory cards can store hundreds
of images in a credit card-size module. Used in a variety of devices, including
computers, digital cameras, and PDAs. Examples are memory sticks, smart
cards, flash memory, and flash cards.
Primary Uses: Provides additional, removable methods of storing and
transporting information.
Potential Evidence: See potential evidence under computer systems.
Modems
Description: Modems, internal and external (analog, DSL, ISDN, cable),
wireless modems, PC cards.
Primary Uses: A modem is used to facilitate electronic communication by
allowing the computer to access other computers and/or networks via a
telephone line, wireless, or other communications medium.
Network Components
Local Area Network (LAN) Card or Network Interface Card (NIC)
Note: These components are indicative of a computer network. See discussion
on network system evidence in chapter 5 before handling the computer system
or any connected devices.
Description: Network cards, associated cables. Network cards also can be
wireless.
Primary Uses: A LAN/NIC card is used to connect computers. Cards allow
for the exchange of information and resource sharing.
Potential Evidence: The device itself, MAC (media access control) access
address.
Routers, Hubs, and Switches
Description: These electronic devices are used in networked computer systems.
Routers, switches, and hubs provide a means of connecting different computers
or networks. They can frequently be recognized by the presence of multiple
cable connections.
Primary Uses: Equipment used to distribute and facilitate the distribution of data
through networks.
Potential Evidence: The devices themselves. Also, for routers, configuration
files.
Servers
Description: A server is a computer that provides some service for other
computers connected to it via a network. Any computer, including a laptop, can
be configured as a server.
Primary Uses: Provides shared resources such as e-mail, file storage, Web
page services, and print services for a network.
Potential Evidence: See potential evidence under computer systems.
Network Cables and Connectors
Description: Network cables can be different colors, thicknesses, and shapes
and have different connectors, depending on the components they are
connected to.
Primary Uses: Connects components of a computer network.
Potential Evidence: The devices themselves.
Pagers
Description: A handheld, portable electronic device that can contain volatile
evidence (telephone numbers, voice mail, e-mail). Cell phones and personal
digital assistants also can be used as paging devices.
Primary Uses: For sending and receiving electronic messages, numeric (phone
numbers, etc.) and alphanumeric (text, often including e-mail).
Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.
Potential Evidence:
o Address information.
o E-mail.
o Phone numbers.
o Text messages.
o Voice messages.
Printers
Description: One of a variety of printing systems, including thermal, laser, inkjet,
and impact, connected to the computer via a cable (serial, parallel, universal
serial bus (USB), firewire) or accessed via an infrared port. Some printers
contain a memory buffer, allowing them to receive and store multiple page
documents while they are printing. Some models may also contain a hard drive.
Primary Uses: Print text, images, etc., from the computer to paper.
Potential Evidence: Printers may maintain usage logs, time and date information,
and, if attached to a network, they may store network identity information. In
addition, unique characteristics may allow for identification of a printer.
o Documents.
o Hard drive.
o Ink cartridges.
o Network identity/information.
o Superimposed images on the roller.
o Time and date stamp.
o User usage log.
Removable Storage Devices and Media
Description: Media used to store electrical, magnetic, or digital information
(e.g., floppy disks, CDs, DVDs, cartridges, tape).
Primary Uses: Portable devices that can store computer programs, text,
pictures, video, multimedia files, etc.
New types of storage devices and media come on the market frequently; these
are a few examples of how they appear.
Potential Evidence: See potential evidence under computer systems.
Scanners
Description: An optical device connected to a computer, which passes a
document past a scanning device (or vice versa) and sends it to the computer
as a file.
Primary Uses: Converts documents, pictures, etc., to electronic files, which can
then be viewed, manipulated, or transmitted on a computer.
Potential Evidence: The device itself may be evidence. Having the capability to
scan may help prove illegal activity (e.g., child pornography, check fraud,
counterfeiting, identity theft). In addition, imperfections such as marks on the
glass may allow for unique identification of a scanner used to process
documents.
Telephones
Description: A handset either by itself (as with cell phones), or a remote base
station (cordless), or connected directly to the landline system. Draws power
from an internal battery, electrical plug-in, or directly from the telephone
system.
Primary Uses: Two-way communication from one instrument to another, using
land lines, radio transmission, cellular systems, or a combination. Phones are
capable of storing information.
Note: Since batteries have a limited life, data could be lost if they fail.
Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic
examiner) should be informed that a device powered by batteries is in need of
immediate attention.
Potential Evidence: Many telephones can store names, phone numbers, and
caller identification information. Additionally, some cellular telephones can store
appointment information, receive electronic mail and pages, and may act as a
voice recorder.
o Appointment calendars/information.
o Caller identification information.
o Electronic serial number.
o E-mail.
o Memo.
o Password.
o Phone book.
o Text messages.
o Voice mail.
o Web browsers.
Miscellaneous Electronic Items
There are many additional types of electronic equipment that are too numerous
to be listed that might be found at a crime scene. However, there are many
nontraditional devices that can be an excellent source of investigative
information and/or evidence. Examples are credit card skimmers, cell phone
cloning equipment, caller ID boxes, audio recorders, and Web TV. Fax
machines, copiers, and multifunction machines may have internal storage
devices and may contain information of evidentiary value.
REMINDER: The search of this type of evidence may require a search
warrant. See note in the Introduction, page 7.
Copiers
Some copiers maintain user access records and history of copies made.
Copiers with the scan once/print many feature allow documents to be scanned
once into memory, and then printed later.
Potential Evidence:
o Documents.
o Time and date stamp.
o User usage log.
Credit Card Skimmers
Credit card skimmers are used to read information contained on the magnetic
stripe on plastic cards.
Potential Evidence: Cardholder information contained on the tracks of the
magnetic stripe includes:
o Card expiration date.
o Credit card numbers.
o User’s address.
o User’s name.
Digital Watches
There are several types of digital watches available that can function as pagers
that store digital messages. They may store additional information such as
address books, appointment calendars, e-mail, and notes. Some also have the
capability of synchronizing information with computers.
Potential Evidence:
o Address book.
o Appointment calendars.
o E-mail.
o Notes.
o Phone numbers.
Facsimile Machines
Facsimile (fax) machines can store preprogrammed phone numbers and a
history of transmitted and received documents. In addition, some contain
memory allowing multiple-page faxes to be scanned in and sent at a later time
as well as allowing incoming faxes to be held in memory and printed later.
Some may store hundreds of pages of incoming and/or outgoing faxes.
Potential Evidence:
o Documents.
o Film cartridge.
o Phone numbers.
o Send/receive log.
Global Positioning Systems (GPS)
Global Positioning Systems can provide information on previous travel via
destination information, way points, and routes. Some automatically store the
previous destinations and include travel logs.
Potential Evidence:
o Home.
o Previous destinations.
o Travel logs.
o Way point coordinates.
o Way point name.
—————————
Chapter 2. Investigative Tools and Equipment
Principle: Special tools and equipment may be required to collect electronic
evidence. Experience has shown that advances in technology may dictate
changes in the tools and equipment required.
Policy: There should be access to the tools and equipment necessary to
document, disconnect, remove, package, and transport electronic evidence.
Procedure: Preparations should be made to acquire the equipment required to
collect electronic evidence. The needed tools and equipment are dictated by
each aspect of the process: documentation, collection, packaging, and
transportation.
Tool Kit
Departments should have general crime scene processing tools (e.g., cameras,
notepads, sketchpads, evidence forms, crime scene tape, markers). The
following are additional items that may be useful at an electronic crime scene.
Documentation Tools
o Cable tags.
o Indelible felt tip markers.
o Stick-on labels.
Disassembly and Removal Tools
A variety of nonmagnetic sizes and types of:
o Flat-blade and Philips-type screwdrivers.
o Hex-nut drivers.
o Needle-nose pliers.
o Secure-bit drivers.
o Small tweezers.
o Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).
o Standard pliers.
o Star-type nut drivers.
o Wire cutters.
Package and Transport Supplies
o Antistatic bags.
o Antistatic bubble wrap.
o Cable ties.
o Evidence bags.
o Evidence tape.
o Packing materials (avoid materials that can produce static electricity such as
styrofoam or styrofoam peanuts).
o Packing tape.
o Sturdy boxes of various sizes.
Other Items
Items that also should be included within a department’s tool kit are:
o Gloves.
o Hand truck.
o Large rubber bands.
o List of contact telephone numbers for assistance.
o Magnifying glass.
o Printer paper.
o Seizure disk.
o Small flashlight.
o Unused floppy diskettes (3 « and 5 1/4 inch).
—————————
Chapter 3. Securing and Evaluating the Scene
Principle: The first responder should take steps to ensure the safety of all
persons at the scene and to protect the integrity of all evidence, both traditional
and electronic.
Policy: All activities should be in compliance with departmental policy and
Federal, State, and local laws. (Additional resources are referenced in
appendix B.)
Procedure: After securing the scene and all persons on the scene, the first
responder should visually identify potential evidence, both conventional
(physical) and electronic, and determine if perishable evidence exists. The first
responder should evaluate the scene and formulate a search plan.
Secure and evaluate the scene:
o Follow jurisdictional policy for securing the crime scene. This would include
ensuring that all persons are removed from the immediate area from which
evidence is to be collected. At this point in the investigation do not alter the
condition of any electronic devices: If it is off, leave it off. If it is on, leave it on.
o Protect perishable data physically and electronically. Perishable data may be
found on pagers, caller ID boxes, electronic organizers, cell phones, and other
similar devices. The first responder should always keep in mind that any device
containing perishable data should be immediately secured, documented, and/or
photographed.
o Identify telephone lines attached to devices such as modems and caller ID
boxes. Document, disconnect, and label each telephone line from the wall
rather than the device, when possible. There may also be other communications
lines present for LAN/ethernet connections. Consult appropriate
personnel/agency in these cases.
Keyboards, the computer mouse, diskettes, CDs, or other components may
have latent fingerprints or other physical evidence that should be preserved.
Chemicals used in processing latent prints can damage equipment and data.
Therefore, latent prints should be collected after electronic evidence recovery is
complete.
Conduct preliminary interviews:
o Separate and identify all persons (witnesses, subjects, or others) at the scene
and record their location at time of entry.
o Consistent with departmental policy and applicable law, obtain from these
individuals information such as:
–Owners and/or users of electronic devices found at the scene, as well as
passwords (see below), user names, and Internet service provider.
–Passwords. Any passwords required to access the system, software, or data.
(An individual may have multiple passwords, e.g., BIOS, system login, network
or ISP, application files, encryption pass phrase, e-mail, access token,
scheduler, or contact list.)
–Purpose of the system.
–Any unique security schemes or destructive devices.
–Any offsite data storage.
–Any documentation explaining the hardware or software installed on the
system.
—————————
Chapter 4. Documenting the Scene
Principle: Documentation of the scene creates a permanent historical record of
the scene. Documentation is an ongoing process throughout the investigation. It
is important to accurately record the location and condition of computers,
storage media, other electronic devices, and conventional evidence.
Policy: Documentation of the scene should be created and maintained in
compliance with departmental policy and Federal, State, and local laws.
Procedure: The scene should be documented in detail.
Initial documentation of the physical scene:
o Observe and document the physical scene, such as the position of the mouse
and the location of components relative to each other (e.g., a mouse on the left
side of the computer may indicate a left-handed user).
o Document the condition and location of the computer system, including
power status of the computer (on, off, or in sleep mode). Most computers have
status lights that indicate the computer is on. Likewise, if fan noise is heard, the
system is probably on. Furthermore, if the computer system is warm, that may
also indicate that it is on or was recently turned off.
o Identify and document related electronic components that will not be
collected.
o Photograph the entire scene to create a visual record as noted by the first
responder. The complete room should be recorded with 360 degrees of
coverage, when possible.
o Photograph the front of the computer as well as the monitor screen and other
components. Also take written notes on what appears on the monitor screen.
Active programs may require videotaping or more extensive documentation of
monitor screen activity.
Note: Movement of a computer system while the system is running may cause
changes to system data. Therefore, the system should not be moved until it has
been safely powered down as described in chapter 5.
o Additional documentation of the system will be performed during the
collection phase.
—————————
Chapter 5. Evidence Collection
REMINDER: The search for and collection of evidence at an electronic crime
scene may require a search warrant. See note in the Introduction, page 7.
Principle: Computer evidence, like all other evidence, must be handled carefully
and in a manner that preserves its evidentiary value. This relates not just to the
physical integrity of an item or device, but also to the electronic data it contains.
Certain types of computer evidence, therefore, require special collection,
packaging, and transportation. Consideration should be given to protect data
that may be susceptible to damage or alteration from electromagnetic fields
such as those generated by static electricity, magnets, radio transmitters, and
other devices.
Policy: Electronic evidence should be collected according to departmental
guidelines. In the absence of departmental guidelines outlining procedures for
electronic evidence collection, the following procedures are suggested.
Note: Prior to collection of evidence, it is assumed that locating and
documenting has been done as described in chapters 3 and 4. Recognize that
other types of evidence such as trace, biological, or latent prints may exist.
Follow your agency’s protocol regarding evidence collection. Destructive
techniques (e.g., use of fingerprint processing chemicals) should be postponed
until after electronic evidence recovery is done.
Nonelectronic Evidence
Recovery of nonelectronic evidence can be crucial in the investigation of
electronic crime. Proper care should be taken to ensure that such evidence is
recovered and preserved. Items relevant to subsequent examination of
electronic evidence may exist in other forms (e.g., written passwords and other
handwritten notes, blank pads of paper with indented writing, hardware and
software manuals, calendars, literature, text or graphical computer printouts,
and photographs) and should be secured and preserved for future analysis.
These items frequently are in close proximity to the computer or related
hardware items. All evidence should be identified, secured, and preserved in
compliance with departmental policies.
Stand-Alone and Laptop Computer Evidence
CAUTION: Multiple computers may indicate a computer network. Likewise,
computers located at businesses are often networked. In these situations,
specialized knowledge about the system is required to effectively recover
evidence and reduce your potential for civil liability. When a computer network
is encountered, contact the forensic computer expert in your department or
outside consultant identified by your department for assistance. Computer
systems in a complex environment are addressed later in this chapter.
A «stand-alone» personal computer is a computer not connected to a network
or other computer. Stand-alones may be desktop machines or laptops.
Laptops incorporate a computer, monitor, keyboard, and mouse into a single
portable unit. Laptops differ from other computers in that they can be powered
by electricity or a battery source. Therefore, they require the removal of the
battery in addition to stand-alone power-down procedures.
If the computer is on, document existing conditions and call your expert or
consultant. If an expert or consultant is not available, continue with the following
procedure:
Procedure:
After securing the scene per chapter 3, read all steps below before taking any
action (or evidentiary data may be altered).
a. Record in notes all actions you take and any changes that you observe in the
monitor, computer, printer, or other peripherals that result from your actions.
b. Observe the monitor and determine if it is on, off, or in sleep mode. Then
decide which of the following situations applies and follow the steps for that
situation.
Situation 1: Monitor is on and work product and/or desktop is visible.
1. Photograph screen and record information displayed.
2. Proceed to step c.
Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver
(picture) is visible.
1. Move the mouse slightly (without pushing buttons). The screen should
change and show work product or request a password.
2. If mouse movement does not cause a change in the screen, DO NOT
perform any other keystrokes or mouse operations.
3. Photograph the screen and record the information displayed.
4. Proceed to step c.
Situation 3: Monitor is off.
1. Make a note of «off» status.
2. Turn the monitor on, then determine if the monitor status is as described in
either situation 1 or 2 above and follow those steps.
c. Regardless of the power state of the computer (on, off, or sleep mode),
remove the power source cable from the computer-NOT from the wall outlet.
If dealing with a laptop, in addition to removing the power cord, remove the
battery pack. The battery is removed to prevent any power to the system.
Some laptops have a second battery in the multipurpose bay instead of a floppy
drive or CD drive. Check for this possibility and remove that battery as well.
d. Check for outside connectivity (e.g., telephone modem, cable, ISDN, DSL).
If a telephone connection is present, attempt to identify the telephone number.
e. To avoid damage to potential evidence, remove any floppy disks that are
present, package the disk separately, and label the package. If available, insert
either a seizure disk or a blank floppy disk. Do NOT remove CDs or touch the
CD drive.
f. Place tape over all the drive slots and over the power connector.
g. Record make, model, and serial numbers.
h. Photograph and diagram the connections of the computer and the
corresponding cables.
i. Label all connectors and cable ends (including connections to peripheral
devices) to allow for exact reassembly at a later time. Label unused connection
ports as «unused.» Identify laptop computer docking stations in an effort to
identify other storage media.
j. Record or log evidence according to departmental procedures.
k. If transport is required, package the components as fragile cargo (see
chapter 6).
Computers in a Complex Environment
Business environments frequently have multiple computers connected to each
other, to a central server, or both. Securing and processing a crime scene
where the computer systems are networked poses special problems, as
improper shutdown may destroy data. This can result in loss of evidence and
potential severe civil liability. When investigating criminal activity in a known
business environment, the presence of a computer network should be planned
for in advance, if possible, and appropriate expert assistance obtained. It
should be noted that computer networks can also be found in a home
environment and the same concerns exist.
The possibility of various operating systems and complex hardware
configurations requiring