Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

April 14, 2008

Chapter 3. Securing and Evaluating the Scene

Introduction

The first responder’s primary consideration should be officer safety and the safety of everyone at the crime scene. All actions and activities carried out at the scene should be in compliance with departmental policy as well as Federal, State, and local laws.

After securing the scene and all persons at the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and traditional evidence is preserved. Digital evidence on computers and other electronic devices can be easily altered, deleted, or destroyed. First responders should document, photograph, and secure digital evidence as soon as possible at the scene.

When securing and evaluating the scene, the first responder should—

  • Follow departmental policy for securing crime scenes.
  • Immediately secure all electronic devices, including personal or portable devices.
  • Ensure that no unauthorized person has access to any electronic devices at the crime scene.
  • Refuse offers of help or technical assistance from any unauthorized persons.
  • Remove all persons from the crime scene or the immediate area from which evidence is to be collected.
  • Ensure that the condition of any electronic device is not altered.
  • STOP! Leave a computer or electronic device off if it is already turned off.

Components such as keyboard, mouse, removable storage media, and other items may hold latent evidence such as fingerprints, DNA, or other physical evidence that should be preserved. First responders should take the appropriate steps to ensure that physical evidence is not compromised during documentation.

If a computer is on or the power state cannot be determined, the first responder should—

  • Look and listen for indications that the computer is powered on. Listen for the sound of fans running, drives spinning, or check to see if light emitting diodes (LEDs) are on.
  • Check the display screen for signs that digital evidence is being destroyed. Words to look out for include "delete," "format," "remove," "copy," "move," "cut," or "wipe."
  • Look for indications that the computer is being accessed from a remote computer or device.
  • Look for signs of active or ongoing communications with other computers or users such as instant messaging windows or chat rooms.
  • Take note of all cameras or Web cameras (Web cams) and determine if they are active.

Developments in technology and the convergence of communications capabilities have linked even the most conventional devices and services to each other, to computers, and to the Internet. This rapidly changing environment makes it essential for the first responder to be aware of the potential digital evidence in telephones, digital video recorders, other household appliances, and motor vehicles.

Date Created: April 9, 2008