Seizing Digital Evidence
If you have to seize a computer, it is essential that the seizure is performed properly. If you can ensure that you have expert assistance, but if that is not available the following guidelines should help.
Step 1 - What do I do with the computer?
- Don’t let the suspect or anyone else touch the computer;
- Photograph (if you can) or draw a sketch map of the computer and how it is connected;
- Record what is on screen if the computer is switched on and the screen displays is on;
- If the screen appears blank – move the mouse to see if there is a screen saver and if so continue as below – if the screen restores record what is on the screen as above;
- If the computer is switched on pull the power by removing the power lead from the equipment – not at the wall end;
- If the computer is switched off when you arrive – then leave it switched off;
- Remove batteries from portable PCs;
- With PDAs ensure that the cradle and chargers are taken and that the PDA is kept charged until it is examined by a forensic data recovery expert – this may require charging i.e. connecting it to the mains;
- Record the computer configuration for peripherals and cables (label the components and cable or similar);
- Record whether the computer is connected to a telephone/modem or network.
Step 2 - What to take?
In a word – EVERYTHING!
- Computer;
- Power Supply – this is ESSENTIAL if the computer is a notebook or laptop;
- External hard disks;
- Dongles;
- Modems;
- Digital cameras;
- Floppy disks;
- CDS and DVDs – all of them;
- Backup tapes;
- Jazz Disks;
- Memory cards;
- Thumb drives;
- Zip disks;
- Any other external device that is or could be connected to the computer;
- Paperwork & Post-It notes (passwords are often written down nearby.
Step 3 - Other things to consider
- Mobile phones;
- Pagers;
- Answering machines;
- Fax machines;
- Dictating machines;
- PDAs and other personal organisers.
Step 4 - What to ask the suspect
- Keys – Some computer cases have physical key locks;
- Passwords for the computer;
- Email addresses in use and passwords for them.
Don’t be tempted to investigate it yourself – get expert help. If you try to investigate it yourself you will more than likely prejudice any evidence found.
Whilst this is a summary – it is recommended that the full ACPO Guidelines are consulted as well as obtaining expert assistance at the seizure. |