Many investigators are not computer savvy. However, they’re often charged with seizing computer equipment when serving search warrants. Therefore, they do the best they can while trying to maintain the integrity of the evidence contained in those devices. Sure, there are better methods available, but this is basically what’s been taught over the years:
1. Do not interact with a live computer system.
2. If the screen is dark, or an active screensaver is displayed, move the mouse (record the time the mouse was moved) and record any information on the screen. The best method of recording the information is to photograph it; a photograph leaves no room for human error.
3. Never, ever touch the keyboard.
4. Search the surrounding area for notes that may contain passwords, or other pertinent information.
5. Search for external hard drives and hard drive enclosures.
6. Search for thumb drives.
7. Collect all devices that attach to the computer (USB, etc.).
8. Collect all computer parts and equipment that may be lying around the home or business.
9. Collect all written material in and around the computer area (other areas of the home or business may also contain material).
10. Pull the plug on the computers. This can be tricky, since many problems can occur when a device is improperly shut down, but sometimes pulling the plug is the best solution to the problem at hand. Seize the device and transport it to the lab for proper examination by the experts.
Mary – The normal shutdown process, or simply turning off the computer, can cause files to be overwritten on the hard drive. Unplugging the machine will usually (hopefully) prevent that from happening.
Terry – Good luck on everything. Believe it or not, we’re getting ready for another move.
Why can’t you turn it off before you pull the plug?
As always, great stuff. I haven’t been around as much lately–moving and getting ready for a book release have eaten up so much of my time, but I do pop in regularly. Looking forward to the WPA in September.