August 31, 1997 By Michael R. Anderson
Caution should always be used in the shutdown and transport of the subject computer. To preserve what is on the screen, a quick photograph of the screen display may be appropriate. A decision then has to be made as to whether the computer will be unplugged from the wall or shut down systematically according to the requirements of the operating system. Unfortunately, there is no single correct answer, and there are risks in either course of action: pulling the plug can leave files and file system structures in an inconsistent state, while a normal shutdown can itself alter or delete data. Your decision will depend on the particular facts involved, the operating system involved, and your good judgment. Usually, networked computers should be shut down following the normal shutdown procedure dictated by the operating system involved. Usually, stand-alone computers can be unplugged as long as no background process, e.g. disk defragmentation, is active.
Issues Of Evidence
If at all possible, avoid running any programs on the subject computer. Doing so can create temporary files that may overwrite valuable evidence. Also, be careful using the keyboard to enter standard operating system commands. Even one wrong keypress can trigger destructive memory-resident programs that may have been planted on the computer.
Your initial and primary job is to preserve the computer evidence and to transport the computer to a safe location where a complete bit-stream backup of all stored data areas can be made. You also want to ensure that the computer system can be reconfigured to match the configuration in which it was found. For this purpose, it is wise to take pictures of the complete computer system from all angles. Wires should be labeled so that they can be easily reconnected. Also, the computer should be clearly marked as evidence and stored out of reach of inquiring co-workers. Chain of custody is as relevant to computers as to any other form of evidence.
Law enforcement agencies have come under scrutiny in recent times regarding evidence issues. For this reason, it is important to do things right. Be sure to properly document the time, date and circumstances surrounding the actual seizure of the computer. This helps rebut the contention later on that the evidence on the computer was planted by the computer specialist. Every effort must be made to show that no one could have made changes to the information contained on a seized computer system. Without such assurances, countless hours of processing effort may prove to be wasted time and the case may be lost at trial.
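As an added illustration of the bit-stream backup and of the records that let you show later that nobody altered the seized data: the script below is example code written for this page, not the author's own procedure. The use of SHA-256 hashes, the custody-log fields, and the function names are this example's assumptions; the "medium" it images is a constructed byte string written to a temporary file, standing in for a raw device.

```python
"""Bit-stream copy of a seized medium plus integrity records for the custody log.

Added example, not from the article. Hashing with SHA-256 and the log layout are
this example's own choices. The sample medium below is constructed data.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512  # sector-sized reads: realistic for a raw device, small enough for the sample


def sha256_file(path, block_size=BLOCK_SIZE):
    """Hash a file in fixed-size blocks so a medium of any size can be handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def bitstream_copy(src, dst, block_size=BLOCK_SIZE):
    """Copy every byte of src to dst, block by block, opening src read-only.

    Returns the number of bytes written so the caller can check it against the
    size of the medium (a short image is a defective image)."""
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(block_size), b""):
            fout.write(block)
            written += len(block)
    return written


def custody_record(src, dst, examiner, item_id):
    """Image src to dst and return one custody-log entry: who, when (UTC), the
    evidence item identifier, byte count, and the hash of original and image."""
    size = bitstream_copy(src, dst)
    src_hash = sha256_file(src)
    dst_hash = sha256_file(dst)
    return {
        "item_id": item_id,
        "examiner": examiner,
        "imaged_at_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "source_sha256": src_hash,
        "image_sha256": dst_hash,
        "verified": src_hash == dst_hash,
    }


def reverify(record, image_path):
    """Later check: does the image still match the hash recorded at imaging time?"""
    return sha256_file(image_path) == record["image_sha256"]


def demo(tmpdir=None):
    """Run the whole procedure on a constructed sample medium and return the results."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    medium = os.path.join(tmpdir, "hda")      # stands in for the raw device (constructed)
    image = os.path.join(tmpdir, "hda.img")
    # Constructed content: a boot-sector-like block, a block of file data, a block of
    # unallocated space, and a 100-byte tail so the copy loop's final short read is exercised.
    sample = (b"\xeb\x3c\x90MSDOS5.0".ljust(512, b"\x00")
              + b"CONFIDENTIAL MEMO: ".ljust(512, b"x")
              + b"\xff" * 512
              + b"\x00" * 100)
    with open(medium, "wb") as f:
        f.write(sample)
    record = custody_record(medium, image, examiner="Examiner A", item_id="ITEM-001")
    ok_before = reverify(record, image)
    # Simulate someone altering the image after seizure: flip one byte in unallocated space.
    with open(image, "r+b") as f:
        f.seek(1030)
        f.write(b"Y")
    ok_after = reverify(record, image)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(rec)
    print("image intact at imaging time:", before)
    print("image intact after tampering:", after)
```

On a real seizure the source would be the device node itself, read through a hardware write blocker or a read-only mount (a precaution this example assumes rather than one the article describes), and the record returned by `custody_record` would be written to the custody log and signed by the examiner at the time of imaging, not reconstructed later.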
If seizure of the computer is carried out when the system is attended, any individual attending the computer should be immediately removed from the vicinity. One press of a pre-arranged key combination can potentially destroy all evidence stored on a hard disk. A destructive process can be initiated in a heartbeat and the results can be disastrous. Consider using a