IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Computer Evidence Processing Step 1 -- Seizure of the Computer

A how-to for law enforcement officers on gathering computer evidence -- and avoiding common booby traps that can destroy evidence with the click of a mouse.

The rapid acceptance of computer technology by all segments of our society has created new and interesting challenges for law enforcement agencies and prosecuting attorneys. Computer evidence has become a fact of life for essentially all law enforcement agencies, and many are just beginning to explore their options with this new technology. Almost overnight, personal computers have changed the way the world does business.

Computers have also changed the world's view of evidence, because computers are used more and more as tools in the commission of "traditional" crimes. Embezzlements, theft, extortion and even murders are now committed with the aid of personal computers. This new technology twist in crime patterns has brought computer evidence to the forefront in law enforcement circles. Computer evidence concerns are not limited to computer crime specialists in the Federal Bureau of Investigation or United States Secret Service. Every law enforcement agency now has the potential of encountering computer evidence, and many are actively seeking training and information on the topic.

This article is intended to provide guidance and an awareness to law enforcement agencies that are just now beginning to explore the issues surrounding computer evidence. The article is not intended as a substitute for training. There is more than one way to skin a cat and this information is certainly not intended to be the only true way. However, the information should help law enforcement agencies get started in the right direction. It should also act as a refresher for those agencies that have experience in processing computer evidence.

Assume That Every Computer Has
Been Rigged To Destroy Evidence

Computer evidence, by its nature, is extremely fragile and is easily modified. This situation is complicated by the fact that potential evidence exists in places of which many law enforcement officers are unaware. To make matters worse, computers can easily be rigged by the crooks to destroy evidence. Some refer to personal computers as a law enforcement nightmare and a crook's dream. Because of its fragile nature, the first and most important step in dealing with computer evidence involves the preservation of the "electronic crime scene." No law enforcement professional would allow evidence to be disturbed or destroyed at a traditional crime scene. The same is true of computer evidence. However, because the nature of the evidence is different, the rules change a bit.

When it comes to computer evidence, paranoia is a good personality trait to have. Don't operate a suspect computer until a complete backup has been made of all storage devices. Normal computer backups won't do -- a full bit stream backup is necessary. In the bizarre world of computer evidence, you always must assume that things will go wrong. Once computer evidence has been destroyed or altered, it is unlikely that it can ever be reconstructed. What can go wrong surely will go wrong. Complete backups eliminate most of the potential problems.

Law enforcement officials normally seize computers during the execution of a search warrant. Depending on the circumstances and scope of the search warrant involved, all computer hardware, software and manuals should be taken for evaluation as potential evidence. Some prosecutors may view this as overly broad. However, the ability to process and examine the evidence may be directly tied to special hardware, software and/or written instructions contained in manuals. Because computer technology changes so quickly, it may be impossible to obtain similar or outdated hardware or instruction manuals from other sources. Printers, tape drives, optical drives, hardware and software manuals should not be left behind. Also, pay particular attention to possible passwords that may have been written down near the computer. Encrypted files can cause you serious grief, and finding a password scrawled on a desk or on a calendar can help make your case.

More and more, corporations and government agencies are involved with computer evidence pertaining to internal investigations and internal audits. The same law enforcement procedures should be followed by corporate computer specialists because it is usually unknown if criminal violations are involved. Following accepted computer evidence processing procedures will ensure the case meets the requirements for both civil and criminal trial purposes. Every case should be treated as though it will go to trial. However, some things are a bit different when it comes to corporations. In a corporate or government setting, the ability to 'seize' a computer and evaluate the data stored on the computer's hard disk drives and floppy diskettes may be ruled by corporate policy and privacy laws. For this reason, it is essential that corporate legal counsel be consulted before taking any steps to seize or process a corporate computer. In the absence of a corporate policy covering computer evidence and privacy issues, corporate computer specialists could be exposing themselves and the corporation to a potential lawsuit.

Shutdown Procedure

Caution should always be used in the shutdown and transport of the subject computer. To preserve the image on the screen, a quick photograph of the screen display may be appropriate. Then a decision has to be made as to whether or not the computer will be unplugged from the wall or shut down systematically based on the requirements of the operating system. Unfortunately, there is no correct answer, and there are risks in taking either course of action. Your decision will depend on the particular facts involved, the operating system involved, and your good judgment. Usually, networked computers should be shut down following normal shutdown procedures as dictated by the operating system involved. Usually, stand-alone computers can be unplugged as long as background processes are not active, e.g. disk defragmentation.

Issues Of Evidence

If at all possible, avoid running any programs on the subject computer. Doing so can create temporary files that may overwrite valuable evidence. Also, be careful using the keyboard to enter standard operating system commands. Even one wrong press of a key can trigger destructive memory resident programs that may have been planted on the computer.

Your initial and primary job is to preserve the computer evidence and to transport the computer to a safe location where a complete bit stream backup of all stored data areas can be made. You also want to ensure that the computer system can be reconfigured to match the configuration in which it was found. For this purpose, it is wise to take pictures of the complete computer system from all angles. Wires should be marked such that they can be easily reconnected. Also, the computer should be clearly marked as evidence and stored out of reach of inquiring co-workers. Chain of custody is as relevant when it comes to computers as any other form of evidence.

Law enforcement agencies have come under scrutiny in recent times regarding evidence issues. For this reason, it is important to do things right. Be sure to properly document the time, date and circumstances surrounding the actual seizure of the computer. This helps rebut the contention later on that the evidence on the computer was planted by the computer specialist. Every effort must be made to show that no one could have made changes to the information contained on a seized computer system. Without such assurances, countless hours of processing effort may prove to be wasted time and the case may be lost at trial.

If seizure of the computer is carried out when the system is attended, any individual attending the computer should be immediately removed from the vicinity. One press of a pre-arranged key combination can potentially destroy all evidence stored on a hard disk. A destructive process can be initiated in a heartbeat and the results can be disastrous. Consider using a subterfuge to remove the operator from the computer to eliminate the possibility of them destroying potential evidence. Raid planning is very important, and this is especially true if the probability of destructive processes exist.

Watch out for "burn boxes" at the raid site which might be rigged to incinerate floppy diskettes and zip disks. Also, avoid storing the computer components near the police car radio. The magnetic field created by the operating radio may be strong enough to destroy evidence. A word to the wise -- don't transport the seized computer in the trunk on top of the radio transmitter.

Michael R. Anderson, who retired from the IRS's Criminal Investigation Division in 1996, is internationally recognized in the fields of forensic computer science and artificial intelligence. Anderson pioneered the development of federal and international training courses that have evolved into the standards used by law enforcement agencies worldwide in the processing of computer evidence.

He also authored software applications used by law enforcement agencies in 16 countries to process evidence and to aid in the prevention of computer theft. He continues to provide software free of charge to law enforcement and the military. He is currently a consultant. P.O. Box 929 Gresham, OR 97030. E-mail: .

September Table of Contents