Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

April 14, 2008

Chapter 4. Documenting the Scene

This chapter provides recommendations on documenting or creating a record of an electronic crime scene. The information provided in this guide is not intended to supersede or supplant applicable laws or agency policies.

Documentation of a crime scene creates a record for the investigation. It is important to accurately record the location of the scene; the scene itself; the state, power status, and condition of computers, storage media, wireless network devices, mobile phones, smart phones, PDAs, and other data storage devices; Internet and network access; and other electronic devices. The first responder should be aware that some digital evidence may not be in close proximity to the computer or other devices.

Officials may need to move a computer or another electronic device to find its serial numbers or other identifiers. Moving a computer or another electronic device while it is on may damage it or the digital evidence it contains. Computers and other electronic devices should not be moved until they are powered off. Additional documentation of the system and devices may be performed during the collection phase discussed in chapter 5.

The initial documentation of the scene should include a detailed record using video, photography, notes, and sketches to help recreate or convey the details of the scene later. All activity and processes on display screens should be fully documented.

Documentation of the scene should include the entire location, including the type, location, and position of computers, their components and peripheral equipment, and other electronic devices. The scene may expand to multiple locations; first responders should document all physical connections to and from the computers and other devices.

Record any network and wireless access points that may be present and capable of linking computers and other devices to each other and the Internet. The existence of network and wireless access points may indicate that additional evidence exists beyond the initial scene.

Some circumstances may not permit first responders to collect all electronic devices or components at a scene or location. Applicable laws, agency policies, or other factors may prohibit collecting some computer systems and other electronic devices and the information they contain; however, these devices should be included in the first responder’s documentation of the scene.

Date Created: April 9, 2008