
Seizing Digital Evidence

If you have to seize a computer, it is essential that the seizure is performed properly. If you can, ensure that you have expert assistance; if that is not available, the following guidelines should help.

This is a summary of the ACPO guidelines. Read the full document if you can; it is available here.

Step 1 - What do I do with the computer?

  • Don’t let the suspect or anyone else touch the computer;
  • Photograph (if you can) or draw a sketch map of the computer and how it is connected;
  • Record what is on screen if the computer is switched on and the screen display is on;
  • If the screen appears blank – move the mouse to see if there is a screen saver and if so continue as below – if the screen restores record what is on the screen as above;
  • If the computer is switched on pull the power by removing the power lead from the equipment – not at the wall end;
  • If the computer is switched off when you arrive – then leave it switched off;
  • Remove batteries from portable PCs;
  • With PDAs ensure that the cradle and chargers are taken and that the PDA is kept charged until it is examined by a forensic data recovery expert – this may require charging i.e. connecting it to the mains;
  • Record the computer configuration for peripherals and cables (label the components and cable or similar);
  • Record whether the computer is connected to a telephone/modem or network.

Step 2 -  What to take?

In a word – EVERYTHING!

  • Computer;
  • Power Supply – this is ESSENTIAL if the computer is a notebook or laptop;
  • External hard disks;
  • Dongles;
  • Modems;
  • Digital cameras;
  • Floppy disks;
  • CDs and DVDs – all of them;
  • Backup tapes;
  • Jaz disks;
  • Memory cards;
  • Thumb drives;
  • Zip disks;
  • Any other external device that is or could be connected to the computer;
  • Paperwork & Post-It notes (passwords are often written down nearby).


Step 3 - Other things to consider

  • Mobile phones;
  • Pagers;
  • Answering machines;
  • Fax machines;
  • Dictating machines;
  • PDAs and other personal organisers.
     

Step 4 - What to ask the suspect

  • Keys – Some computer cases have physical key locks;
  • Passwords for the computer;
  • Email addresses in use and passwords for them.
     

Don’t be tempted to investigate it yourself – get expert help. If you try to investigate it yourself you will more than likely prejudice any evidence found.
 

Whilst this is a summary – it is recommended that the full ACPO Guidelines are consulted as well as obtaining expert assistance at the seizure.

 
 

© 2004 Forensic Computing Ltd. All rights reserved.