Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

April 14, 2008

Chapter 5. Evidence Collection

If the Computer is OFF

For desktop, tower, and minicomputers follow these steps:

  1. Document, photograph, and sketch all wires, cables, and other devices connected to the computer.
  2. Uniquely label the power supply cord and all cables, wires, or USB drives attached to the computer as well as the corresponding connection each cord, cable, wire, or USB drive occupies on the computer.
  3. Photograph the uniquely labeled cords, cables, wires, and USB drives and the corresponding labeled connections.
  4. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip, or battery backup device.
  5. Disconnect and secure all cables, wires, and USB drives from the computer and document the device or equipment connected at the opposite end.
  6. Place tape over the floppy disk slot, if present.
  7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
  8. Place tape over the power switch.
  9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
  10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
  11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.

For laptop computers follow these steps:

  1. Document, photograph, and sketch all wires, cables, and devices connected to the laptop computer.
  2. Uniquely label all wires, cables, and devices connected to the laptop computer as well as the connection they occupied.
  3. Photograph the uniquely labeled cords, cables, wires, and devices connected to the laptop computer and the corresponding labeled connections they occupied.
  4. Remove and secure the power supply and all batteries from the laptop computer.
  5. Disconnect and secure all cables, wires, and USB drives from the computer and document the equipment or device connected at the opposite end.
  6. Place tape over the floppy disk slot, if present.
  7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
  8. Place tape over the power switch.
  9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
  10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
  11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.
Date Created: April 9, 2008