Fire Scene Evidence Collection Guide
External Data Storage Devices
External data storage devices are commonplace and contain electronic data that may be of evidentiary value. Do not attempt to recover or analyze this data in the field. The device should be collected for examination by trained and qualified personnel. Do not attach the device to a computer and read it in an effort to access information. Instead, use the following collection procedure, or the procedure recommended by your laboratory or agency.
Be aware that data storage devices can have many forms, including traditional disk drives, small USB keys, and even devices made to look like something else, such as a pen that actually contains a USB drive.
To collect external data storage devices:
Do not allow the user or anyone else to operate the device.
Be aware that the item may also contain trace evidence, such as fingerprints. Therefore, handle the item as little as possible and only while wearing new, unused evidence collection gloves. Consult the laboratory to determine if fingerprint processing should be done in the field before collection or in the laboratory after collection.
Photograph and document the item in place, including any attached devices. Photograph all sides, showing all connections.
If the item is "off," do not turn it on. Proceed with collection.
If the item is on, do not turn the item off using the power button, as this action could enable the password or cause data loss. Instead, disconnect the power source by unplugging it at the connection to the wall and at the connection to the device. Collect all power cords in addition to the device(s).
Collect any portable storage media, such as disks or cards, and place them in an anti-static bag.
Select a box of suitable size and secure the device inside the box, ensuring that it will not roll around or contact other surfaces. Avoid packaging materials that may create static, such as plastic bags. If possible, the item should be placed in an anti-static bag or foam.
Label the box with identifying information, including case number, date, exhibit number, a brief description, and your name.
Seal the box with evidence tape. Initial and date the tape.
Store the item in a secure location, keeping it away from sources of heat, static electricity, and electromagnetic energy, such as a two-way mobile radio. Such forces can damage or erase data stored in the device.
Laboratory testing of external data storage devices:
Laboratory examination will include processing for trace evidence (such as fingerprints) and electronic data analysis. The laboratory will typically search for hidden and protected files, restore deleted files, copy data from the hard drive(s), prepare mirror-image copies of suspect media, and analyze data and files stored on the device.
In some cases, such as with complex computer systems or networked systems, a computer forensics specialist may have to conduct the examination on-scene. Consult your laboratory for guidance.