NCJ Number
216074
Date Published
2006
Length
12 pages
Annotation
This report describes a methodology for the law enforcement collection of volatile data or evidence from a running computer.
Abstract
The collection of data from a running computer can be of substantial use in the investigation of various criminal activities. The legal limits on this type of investigation have yet to be settled. What law enforcement can control, however, is the proper implementation of a process for collecting this evidence consistent with existing legal authority and generally accepted practice. Volatile data is evidence that should be collected at a crime scene. With training in proper collection techniques and an understanding of its value, this evidence can be successfully collected. This document offers a technical and legal introduction for the law enforcement community to the collection of evidence from a running computer. A running computer is defined as a computer that is already "powered on" when encountered at a crime scene. The traditional or historical method for the search and seizure of computers at a crime scene is simply to unplug the computer and book it into evidence. This may cause evidence to be lost or destroyed. The ability to obtain crucial evidence from a running computer containing potentially volatile data is essential. Additional training in volatile evidence collection methods becomes imperative for an investigator developing the skills necessary to collect evidence that has traditionally been overlooked. Methodological steps are offered for investigators to follow at a crime scene that allow volatile evidence to be collected in a manner consistent with the principles of evidence preservation and collection and with the law. Lastly, an overview is presented of the legal considerations of live analysis and the collection of evidence from a running computer. Law enforcement officers using live system analysis in a case need to be prepared to establish the skills and knowledge of the investigator, as well as the validity of the tools used.