The purpose of this white paper is to teach you how to seize a computer from a crime scene. The techniques that you learn can also be used in non-criminal cases. For example, perhaps your job is to seize a computer from an employee who engaged in activities that go against the policies of your company. In either situation, it is imperative that you proceed with care to avoid tainting any evidence residing on the computer.
You have probably watched crime scene investigation programs on TV and know about the risk of tainting evidence. When detectives enter a crime scene, they don't touch anything unless they are wearing gloves. With computers, things get a bit trickier. You need to protect the data on the computer, not just the physical hardware.
Data on computers is volatile. It changes easily. Simply clicking the mouse in the wrong place could close a window, erasing evidence of what the user was doing. Shutting down a system could activate a script written by the suspect that deletes all the suspect's incriminating files. This white paper will teach you the proper procedures to follow to avoid any problems.
Data on computers is also latent. It's not obvious or visible. In fact, sometimes computer users think they have deleted the data and that it's gone from the computer's hard drive. It may not be gone. Even deleted files can often be recovered.
You may know about latent evidence from all those TV crime dramas. Blood, for example, can often be latent. Fluorescence spectroscopy can be used to make the blood visible. Computer forensics is just as amazing. It can reveal seemingly invisible data. However, for this to be possible, the investigator who seizes the computer from a crime scene must be very careful not to destroy data.
When seizing hardware, you will tag it with an evidence tag that documents the date and time, your name, the case number, where you found the item, other facts relevant to the case, and other information depending on the policies and procedures of your investigation team. After you tag the evidence, you will then bag the evidence and give it to an evidence custodian. Some experts call this process "bagging and tagging."
NOTE: An evidence custodian is an individual who is in charge of documenting, transporting, and storing all evidence. The evidence custodian ensures that evidence is safely transported to an evidence locker, a locked repository for items related to pending cases. Most police departments have employees who are designated as evidence custodians. If this is a civil case, you should still appoint one person to be the evidence custodian.
In civil cases, the organization's policies and procedures must be carefully followed. Corporations often have incident response plans that you should follow. Even with civil cases, keep in mind that federal and state laws related to search and seizure may come into play. The case may become a legal matter, especially if it's related to fraud, security breaches, or privacy infringements. In both criminal and civil cases, evidence must be:
Evaluate the scene for any danger to yourself and co-workers. If necessary, be sure to get medical treatment for any injured people. You may also be working with police investigators who will arrest suspects and escort them off the premises. Once these important necessities are dealt with, clear the scene of superfluous people and then walk around the crime scene to get an idea of its scope. Mark the perimeter of the scene with crime-scene tape and post a guard if that is appropriate.
Your next step should be to recognize computer evidence. Computer technology shows up in all sorts of places these days. Evaluate the scene for possible places that digital evidence can reside, including:
Next, using a digital camera, document the scene by taking photos of:
NOTE: If you're dealing with servers or other high-end computers that are necessary for a business to keep running, you might not be allowed to pull the power cable, but for the purpose of this discussion, assume you're working with lower-end equipment and that you have the legal justification and paperwork (search warrant) to disable and seize the computer.
If a computer is turned off, leave it off. Never boot (or reboot) a computer that you are seizing. If the computer is on, depending on the facts of the case, you may want to carefully gather some volatile evidence in RAM, but as soon as possible, pull the power cable. Be sure to jot down in your journal (or digital voice recorder) whether the computer was on.
Don't use the computer. Stories abound of computer evidence being thrown out in court because the investigators at the crime scene got bored and played games on the computers. Save your games till later when you're home on your own computer!
Pull the power cable from the computer and then pull the cable from the wall socket. Adhere a sticky, colored label to the end of the cable. Use the same color for a label that you attach to the interface from which you pulled the cable. This color-coding will make reassembly back at your forensics lab easier. Sure, figuring out the right place to insert the power cable might sound easy, but you will follow this same process for networking and phone cables, which aren't so obvious. (If you're color blind, consider writing matching numbers on the labels.)
Next, using masking tape, tape over the power receptacle on the back of the computer. The idea here is to make it harder for someone to put the cable back and restart the computer and possibly taint the evidence. The other goal is to cover yourself. As a computer forensics investigator, you should do whatever it takes to avoid a computer being tampered with. Should any questions come up, you want to be able to state unequivocally that you followed standard operating procedures and the rules regarding chain of custody.
Bag the power cable in an evidence bag along with an evidence tag. The evidence tag should document the date and time, the case number, your name, the location where the cable was found, and other information depending on the policies and procedures of your investigation team.
If the computer is a laptop and it remains on after you pull the power cable, then it has a working battery. Find the power button and turn off the power. Then open the computer and remove the battery. Bag the laptop battery with an evidence tag. The computer should no longer be on after you do this, which is a good thing. Laptop computers can often communicate wirelessly. The computer might have been engaged in hacking into other computers, or the suspect might have still been communicating with the laptop, perhaps deleting incriminating files.
Remove any floppy disks, tapes, CDs, or DVDs that are still in the computer. Set the floppy disks to read-only. This avoids any perception that data was changed. To set a floppy disk to read-only, find the notch at the top-right corner and make sure that it is open. A mnemonic for remembering that open means read-only is that both "open" and "only" start with the letter O. Tag the floppy disk with an evidence tag and put it in an evidence bag.
Insert a dummy, plastic floppy disk in the computer's floppy-disk slot to protect the slot and make it hard for someone to use. A dummy, plastic floppy disk can't store data; it's literally just plastic. But it comes in handy for maintaining that all-important chain of custody and proving that data wasn't copied onto the hard drive from the floppy drive after the computer was seized. The dummy disk also protects the floppy disk drive while the computer is being transported to the evidence locker back at headquarters.
NOTE: Issues related to floppy disks are becoming somewhat irrelevant, as so many computers don't ship with a floppy disk drive anymore. But don't assume that you won't need to know about floppy drives during your computer forensics career. All sorts of old equipment shows up at crime scenes.
Disconnect any monitors (computer screens). Generally, tower (desktop) computers include at least one monitor that is connected to the back of the computer via a video cable and a power cable. The monitor gets power from the computer. Disconnect, label, and bag and tag the cables (unless they are permanently attached to the monitor, which is often the case). Label the interface on the computer where you disconnected the cable with a label of a matching color. Tag the monitor and set it aside. It will probably be too big to bag. Be sure to disconnect and tag all monitors. It's becoming common for people to use multiple monitors with their computers, so be sure to check for more than one monitor.
Next remove any phone or networking cables. Label, tie, and bag each cable. Include an evidence tag with the cable in its bag. On the computer, label the interface from which the cable was removed with a label of the same color that you used on the cable. This color-coding will ensure correct reassembly later. When analyzing the evidence, you may want to put the computer and its peripherals back exactly the way you found them. Color-coding your labels will help with this.
If the networking cables lead to networking equipment that's within the perimeter of the crime scene, check your search warrant or corporate policies regarding seizing this equipment. Generally, it would be permissible to seize a local hub, switch, or low-end home router. Don't seize a high-end router that runs the entire company, however, unless you know what you're doing and your search warrant allows this.
If your search warrant allows this, then also collect, bag, and tag extra devices that are near the computer, including cell phones, PDAs, answering machines, digital cameras, GPS units, etc. Place wireless devices in Faraday bags. A Faraday bag disables wireless communications. You want to make sure that the suspect doesn't call his or her phone and wipe it out, or worse yet, use the phone to set off a bomb. (Bomb-sniffing dogs have hopefully checked the scene, but just in case, don't let suspects communicate with their wireless phones, laptops, or PDAs.)
NOTE: A Faraday bag is a container made of woven copper, nickel, and silver that keeps a phone or other wireless device from sending or receiving data. The bag is named after Michael Faraday (1791-1867), an English physicist who was an expert on electromagnetism.
Collect and bag and tag any printouts and computer documentation, if the search warrant or incident response plan permits this. Printouts are often a treasure trove of information about what a suspect was up to.
Printouts and documentation also sometimes include a suspect's password. You probably know people who write their passwords down on papers near their computers. Criminals often do this too. Knowing the password may come in handy when accessing the suspect's files during your analysis of the computer evidence, especially if the files are encrypted and you need the suspect's password to decrypt them.
Be sure the search warrant covers collecting paperwork. The last thing you want is for your analysis of a suspect's files to be thrown out in court because you illegally seized the paperwork that documented the password.
Pack up all the computer evidence that you have gathered, being careful with sticky labels and smaller bags that are easy to drop. When transporting the evidence back to the evidence locker at your headquarters, be sure to keep it away from any magnetic sources such as radio transmitters in police cars.
Always maintain a chain of custody. Keep the computer evidence in your possession at all times. Don't stop at the local arcade on the way back to headquarters from the crime scene, and don't use the computers or cell phones that you seized. Save your game playing for later on your own home computer.
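The evidence tag and the chain of custody described above are, in the end, a record that has to be checkable later: every hand-off must be released by whoever actually held the item, and the timestamps must run forward. The following is an added example, not code from this white paper, showing one way to keep that record and audit it. The field names (case_number, item_id, released_by, received_by, and so on) and the sample case data are my own assumptions, constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class EvidenceTag:
    """The facts written on a bag-and-tag label (field names are assumed, not prescribed by the paper)."""
    case_number: str
    item_id: str
    description: str
    collected_by: str
    collected_at: datetime
    location: str
    notes: str = ""


@dataclass
class Transfer:
    """One hand-off in the chain of custody."""
    released_by: str
    received_by: str
    at: datetime
    purpose: str


@dataclass
class CustodyRecord:
    tag: EvidenceTag
    transfers: list = field(default_factory=list)

    def hand_off(self, released_by, received_by, at, purpose):
        self.transfers.append(Transfer(released_by, received_by, at, purpose))

    def current_custodian(self):
        # Before any transfer, the person who collected the item holds it.
        return self.transfers[-1].received_by if self.transfers else self.tag.collected_by


def audit_chain(record):
    """Return a list of problems; an empty list means the chain is unbroken."""
    problems = []
    holder = record.tag.collected_by
    last_time = record.tag.collected_at
    for i, t in enumerate(record.transfers, 1):
        # Whoever releases the item must be the person the record says holds it.
        if t.released_by != holder:
            problems.append(f"transfer {i}: released by {t.released_by!r} but custodian was {holder!r}")
        # Entries must be in chronological order.
        if t.at < last_time:
            problems.append(f"transfer {i}: timestamp {t.at.isoformat()} precedes previous entry")
        # Every hand-off needs a documented reason.
        if not t.purpose.strip():
            problems.append(f"transfer {i}: no purpose recorded")
        holder = t.received_by
        last_time = t.at
    return problems


def _sample_tag():
    # Constructed sample data, not from any real case.
    return EvidenceTag(
        case_number="CASE-0000-EXAMPLE",
        item_id="ITEM-01",
        description="Desktop tower power cable, red label",
        collected_by="Investigator A",
        collected_at=datetime(2024, 3, 5, 14, 12),
        location="Suspect's desk, Room 204",
        notes="Computer was on when found; power pulled at 14:10",
    )


def build_sample_record():
    """A complete, unbroken chain: collector -> evidence custodian -> examiner."""
    rec = CustodyRecord(_sample_tag())
    rec.hand_off("Investigator A", "Evidence Custodian B", datetime(2024, 3, 5, 15, 40),
                 "transport to evidence locker")
    rec.hand_off("Evidence Custodian B", "Examiner C", datetime(2024, 3, 6, 9, 5),
                 "forensic imaging")
    return rec


def build_broken_record():
    """A chain with a gap: the examiner's entry skips the custodian and is back-dated."""
    rec = CustodyRecord(_sample_tag())
    rec.hand_off("Investigator A", "Evidence Custodian B", datetime(2024, 3, 5, 15, 40),
                 "transport to evidence locker")
    rec.hand_off("Investigator A", "Examiner C", datetime(2024, 3, 5, 10, 0),
                 "forensic imaging")
    return rec


if __name__ == "__main__":
    for label, rec in (("good", build_sample_record()), ("broken", build_broken_record())):
        print(label, rec.current_custodian(), audit_chain(rec) or "chain intact")
```

The audit is deliberately strict: a transfer released by someone other than the recorded holder, or dated before the previous entry, is exactly the kind of gap opposing counsel will look for, so the record flags it rather than silently accepting the hand-off.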
This white paper introduced legal concepts such as "chain of custody" and then provided advice on evaluating, securing, and documenting a crime scene. The paper then focused on the details of pulling the power plug and other cables from a computer, labeling the cables, and packing the evidence with bags and tags.
As computers become even more important in everyone's work, including criminals' work, information technology and law enforcement representatives will often find the need to respond to a situation where computers must be seized. Learning how to properly seize a computer is a good first step in preparing yourself for the new world where computers and crime are intrinsically linked.
Copyright © Priscilla Oppenheimer.
Hosted by Open Door Networks.