General evidence processing guidelines for Computers
 
 
Based on the 2000 edition of the Ohio Bureau of Criminal Identification and Investigation's Physical Evidence Training Manual.
This manual is provided to Ohio law enforcement agencies that utilize BCI's crime scene and lab services, and assists them in proper submission of evidence.
 
1. Have a warrant with proper language addressing the seizure of a computer. (Language that can be used as a guideline is available from the Cyber Crime Unit.)


2. Remove everyone from the area around the computer and data storage.


3. If the computer is not on, DO NOT turn it on. Turning the computer on may activate traps that cause data destruction.


4. If the computer is on, photograph the screen.


5. Disable the power at its source, i.e. wall outlet or UPS.

Depending upon the computer operating system involved, this usually involves pulling the plug or shutting down a networked computer using the relevant operating system commands. However, consideration should be given to possible destructive processes that may be operating in the background. These can be resident in memory or available through a modem or network connection. Depending upon the operating system involved, a time-delayed, password-protected screen saver may kick in at any moment, which can complicate the shutdown of the computer. Generally, time is of the essence and the computer system should be shut down or powered down as quickly as possible.

6. Disable or disconnect the modem.


7. Disconnect the power to the printer at its source.


8. Place a diskette into each drive and cover with evidence tape.


9. Photograph connections of all equipment.

It is assumed that the computer system will be moved to a secure location where a proper chain of custody can be maintained and the processing of evidence can begin. Before dismantling the computer, it is important that pictures are taken of the computer from all angles to document the system hardware components and how they are connected. Computer evidence should ideally be processed in a computer hardware environment that is identical to the original hardware configuration.


10. Label all connections of all equipment so that the original computer configuration can be restored.


11. Photograph all labeled connections and diagram them.


12. Photograph the area after the computer is removed.


13. Search area for passwords or other related information.


14. Seize all books, notes, manuals, software, disks, storage devices and items related to the system. Place all disks and storage devices in non-static-conducting material (paper). Inventory the items.


15. Interview all suspects who may have knowledge of the computer system for passwords, operational information and all related topics.


16. Transport the evidence. Do not place items next to any electromagnetic sources such as police radios.

17. Transport the Computer System to a Secure Location

All too often, seized evidence computers are stored in less than secure locations. It is imperative that the subject computer be treated as evidence and stored out of reach of curious computer users. All too often, individuals operate seized computers without knowing that they are destroying potential computer evidence and the chain of custody. Furthermore, a seized computer left unattended can easily be compromised: evidence can be planted on it and crucial evidence can be intentionally destroyed. Lack of a proper chain of custody can 'make the day' for a savvy defence attorney. Lacking a proper chain of custody, how can you say that relevant evidence was not planted on the computer after the seizure? The answer is that you cannot. Do not leave the computer unattended unless it is locked in a secure location!


18. If BCI is requested to do the forensic examination of the computer system, a copy of the search warrant or consent form is required.

19. Make Bit Stream Backups of Hard Disks and Floppy Disks

The computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks. All evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile and can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are much like an insurance policy and they are essential for any serious computer evidence processing.

20. Mathematically Authenticate Data on All Storage Devices

You want to be able to prove that you did not alter any of the evidence after the computer came into your possession. Such proof will help you rebut allegations that you changed or altered the original evidence. Since 1989, law enforcement and military agencies have used a 32-bit mathematical process for authentication. Mathematically, a 32-bit data validation is accurate to approximately one in 4.3 billion. However, given the speed of today's computers and the vast storage capacity of today's hard disk drives, this level of assurance is no longer sufficient: a 32-bit CRC can easily be compromised. Therefore, it is suggested that the latest programs are used for this purpose.
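The following Python program is an added example, not code from the BCI manual or the Cyber Crime Unit; it works through steps 19 and 20 together. It makes a sector-by-sector bit stream copy of a device, modelled on the behaviour of dd with conv=noerror,sync (an unreadable sector is zero-filled so the image keeps its length and offsets), then authenticates the image with both the legacy 32-bit CRC described above and SHA-256, and shows that a single altered byte fails verification. The FlakyDevice class and the 8-sector sample disk are constructed for the demonstration; nothing here touches a real drive.

```python
# Added example, not part of the BCI manual: bit-stream imaging (step 19)
# and mathematical authentication of the image (step 20). FlakyDevice and
# the sample disk are constructed for the demonstration.
import hashlib
import io
import zlib

BLOCK_SIZE = 512  # one sector per read, the same default unit dd uses


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a raw disk: sectors listed in `bad`
    raise an I/O error when read, like a physically damaged drive."""

    def __init__(self, data, bad):
        super().__init__(data)
        self.bad = set(bad)

    def read(self, size=-1):
        if self.tell() // BLOCK_SIZE in self.bad:
            raise OSError(5, "Input/output error")  # simulated bad sector
        return super().read(size)


def bitstream_copy(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst sector by sector, like `dd conv=noerror,sync`:
    an unreadable sector becomes zeros so the image keeps the original
    length and every later offset still lines up.
    Returns (bytes_written, list of unreadable sector indexes)."""
    bad_blocks, index, written = [], 0, 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(index)          # log it for the evidence notes
            chunk = b"\x00" * block_size
            src.seek((index + 1) * block_size)  # step past the bad sector
        if not chunk:
            break
        dst.write(chunk)
        written += len(chunk)
        index += 1
    return written, bad_blocks


def authenticate(stream, block_size=BLOCK_SIZE):
    """Hash a stream in sector-sized reads. The CRC-32 is computed only to
    show the legacy 32-bit value the text describes (2**32 values, about
    one in 4.3 billion); the SHA-256 digest is the value to record in the
    evidence log and compare against later."""
    crc, sha = 0, hashlib.sha256()
    stream.seek(0)
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        crc = zlib.crc32(chunk, crc)
        sha.update(chunk)
    return {"crc32": f"{crc:08x}", "sha256": sha.hexdigest()}


def verify(stream, manifest):
    """True only if the stream still hashes to the recorded SHA-256."""
    return authenticate(stream)["sha256"] == manifest["sha256"]


def run_demo():
    """Image a constructed 8-sector disk whose sector 3 is unreadable,
    authenticate the image, then show a single flipped byte is caught."""
    sectors = [bytes([i]) * BLOCK_SIZE for i in range(8)]
    device = FlakyDevice(b"".join(sectors), bad=[3])
    # What a correct noerror,sync image of that device must contain:
    expected = b"".join(sectors[:3] + [b"\x00" * BLOCK_SIZE] + sectors[4:])

    image = io.BytesIO()
    written, bad_blocks = bitstream_copy(device, image)
    manifest = authenticate(image)

    # Evidence altered after seizure: one byte changed inside sector 0.
    tampered = bytearray(image.getvalue())
    tampered[100] ^= 0x01

    return {
        "written": written,
        "bad_blocks": bad_blocks,
        "image_matches_expected": image.getvalue() == expected,
        "manifest": manifest,
        "expected_crc32": f"{zlib.crc32(expected):08x}",
        "verify_clean": verify(image, manifest),
        "verify_tampered": verify(io.BytesIO(bytes(tampered)), manifest),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it and the image is 4096 bytes with sector 3 reported unreadable, the clean image verifies, and the image with one changed byte does not. Recording the SHA-256 of the original device and of every working copy, with the list of unreadable sectors, is what lets the examiner later show that nothing was altered after seizure.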

21. Keep in mind that computers are evidence. Evidence must be maintained in its original state. When information is viewed on a computer, file dates may change, and this may cause concern during judicial procedures. Traditional system backups and copies will not capture all information within a computer system; evidence can be lost. Please call the Cyber Crime Unit with any questions or for assistance.

 

Bibliography:

http://www.forensics-intl.com/evidguid.html
