Fire Scene Evidence Collection Guide

Electronic Devices

Computer

Detailed Procedure:

Computers contain electronic data that may provide a wealth of information of evidentiary value. Data can often be retrieved even from damaged or seemingly destroyed disks. Computer networks, especially in businesses, can be complex and may require on-site examination by experts. When possible, consult a computer forensics expert before beginning collection procedures.

IMPORTANT: Do not let anyone, especially the user, access the computer system. If someone is at the computer at the time of seizure, do not permit the user to touch the computer, keyboard, or mouse. Have the person immediately step away from the machine.

To collect a desktop or laptop computer:

  1. Be aware that the computer may also contain trace evidence, such as fingerprints. Therefore, handle the item as little as possible and only while wearing new, unused evidence collection gloves. Consult the laboratory to determine if fingerprint processing should be done in the field before collection or in the laboratory after collection.

  2. Photograph and document the computer in place, including any attached peripherals. Photograph all sides, showing all connections.

  3. If the computer is "off," do not turn it on. Proceed with collection.

  4. If the computer is on, photograph the screen. If the computer is on, but the monitor is off, turn on the monitor and then photograph the screen. If the screensaver is on, move the mouse or press the TAB key on the keyboard to deactivate the screensaver, then photograph the screen. You may click through already open application windows for photographing. Take detailed notes of every action you perform and note the time each action was performed. DO NOT PERFORM ANY OTHER PROCEDURES USING THE MOUSE OR KEYBOARD. Computer analysis is to be done by trained and qualified experts in a controlled setting.

  5. If the computer is on, do not turn it off using the power button, as this action could activate password protection or cause data loss. Instead, disconnect the power source by unplugging it at the connection to the wall and at the connection to the computer. Repeat this procedure for any connected and powered-on peripherals. Collect all power cords in addition to the device(s). If the computer is a laptop, pull the plug and remove the battery. If the battery is not accessible, press and hold the power button for 10 seconds or until the device powers off.

  6. Open each CD/DVD tray, either prior to shutting down or, once power has been removed, using a paperclip, and verify its contents. Any discs found should be inventoried as separate items.

  7. Place evidence tape over the power connector and battery compartment and mark the tape with your initials.

  8. Prior to moving the computer, disconnect any peripherals, labeling the cabling as directed by department or laboratory policy. Consult the laboratory to determine what peripherals should also be collected.

  9. Collect all storage media, such as disks or cards, and place them in an anti-static bag.

  10. Select a box of suitable size and secure the computer inside the box, ensuring that it will not move around or contact other surfaces. Avoid packaging materials that may create static, such as plastic bags. If possible, the item should be placed in an anti-static bag or foam.

  11. Label the box with identifying information, including case number, date, exhibit number, a brief description, and your name.

  12. Seal the box with evidence tape. Initial and date the tape.

  13. Store the item in a secure location, keeping it away from sources of heat, magnets, static electricity, and electromagnetic energy, such as a two-way mobile radio. Such forces can damage or erase data stored in the device.

Laboratory testing of computers:

Laboratory examination will include processing for trace evidence (such as fingerprints) and electronic data analysis. The laboratory will typically search for hidden and protected files, restore deleted files, copy data from the hard drive(s), prepare forensic image copies of suspect media, and analyze data and files stored on the device.

In some cases, such as with complex computer systems or networked systems, a computer forensics specialist may have to conduct the examination on-scene. Consult your laboratory for guidance.

Sources:

Crime Scene and Evidence Collection Handbook. Bureau of Alcohol, Tobacco, Firearms and Explosives, 2005.

United States of America. Best Practices for Seizing Electronic Evidence v.3: A Pocket Guide for First Responders. U.S. Secret Service, 2007.

Copyright © 2019 International Association of Arson Investigators, Inc.

All rights reserved. No part of this site may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the IAAI.
2111 Baldwin Avenue, Suite 203, Crofton, MD 21114
Phone 410-451-FIRE(3473) - 800-468-4224 - FAX 410-451-9049 - SKYPE IAAI-Admin