Electronic Crime Scene Investigation: A Guide for First Responders

Chapter 5. Evidence Collection

If the Computer is On

 

For practical purposes, removing the power supply when you seize a computer is generally the safest option. If evidence of a crime is visible on the computer display, however, you may need to request assistance from personnel who have experience in volatile data capture and preservation.

In the following situations, immediate disconnection of power is recommended:

  • Information or activity onscreen indicates that data is being deleted or overwritten.
  • There is indication that a destructive process is being performed on the computer’s data storage devices.
  • The system is powered on in a typical Microsoft® Windows® environment. Pulling the power from the back of the computer will preserve information about the last user to login and at what time the login occurred, most recently used documents, most recently used commands, and other valuable information.
 

In the following situations, immediate disconnection of power is NOT recommended:

  • Data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding.
  • Indications exist that any of the following are active or in use:
    • Chat rooms.
    • Open text documents.
    • Remote data storage.
    • Instant message windows.
    • Child pornography.
    • Contraband.
    • Financial documents.
    • Data encryption.
    • Obvious illegal activities.
 

For mainframe computers, servers, or a group of networked computers, the first responder should secure the scene and request assistance from personnel who have training in collecting digital evidence from large or complex computer systems.​

Date Created: April 9, 2008