NCJ Number
205197
Journal
Law Enforcement Technology Volume: 31 Issue: 4 Dated: April 2004 Pages: 28,30,34
Date Published
April 2004
Length
6 pages
Annotation
Drawing upon the "Electronic Crime Scene Investigation: A Guide for First Responders," published by the National Institute of Justice (July 2001), this article presents guidelines for the collection of electronic evidence by first responders.
Abstract
Computer forensics investigation consists of four phases: collection, examination, analysis, and reporting. This article focuses on the collection phase, which involves the search for and the recognition, collection, and documentation of electronic evidence. This phase is usually conducted by the first responder. First responders should first ensure that they have the legal authority to search and seize the evidence. One task in handling electronic evidence at the crime scene typically consists of securing and evaluating the scene. In performing this task, the basic rules of evidence collection still apply. After securing the scene, a first responder should visually identify potential evidence, both conventional and electronic, and then determine whether perishable evidence exists; evaluate the scene and formulate a search plan; attempt to determine the identity of the owners and/or users of the electronic devices found at the scene; and determine any passwords and user names and identify the Internet service provider. This article outlines 12 steps for preserving computer evidence. Another major task of the first responder is to document the scene, which involves creating an accurate record of the location and condition of computers, storage media, and any other electronic devices. Evidence collection will begin after the scene has been secured and documented. Consideration should be given to protecting data that may be susceptible to damage or alteration from sources such as static electricity, magnets, radio transmitters, and other devices. The article also provides guidelines for packaging, transportation, and storage of electronic evidence. Since computer networks require special handling, it is important that they be recognized and identified. Indications of a network include the existence of multiple computers, cables and connectors between computers and central devices, and information provided by informants or individuals at the scene.