NCJ Number
188591
Journal
White Paper Volume: 15 Issue: 2 Dated: March/April 2001 Pages: 31-33,44
Date Published
2001
Length
4 pages
Annotation
This article describes procedures for processing the scene of a computer-related crime.
Abstract
The entire computer work station, office, or residence should be secured and protected to maintain the integrity of the crime scene. Consider wearing surgical gloves prior to touching anything within the office or work station. Under no circumstances should anyone be allowed to remove items or to touch the computer, including shutting it down or exiting from active programs or files; however, if self-destructing software is in use, this rule changes. Backup media storage devices should be identified and secured. This is particularly important when dealing with large corporations or government offices that often overwrite the drives within their e-mail servers on a daily basis due to the high volume of e-mail traffic. Once the crime scene has been secured, it should not be left unattended or unlocked until the fraud examiners have documented the area and collected the evidence. If possible, conduct initial interviews with personnel at the scene prior to searching for evidence; they may help find pertinent material before it is altered. Prior to collecting any evidence, fraud examiners should photograph the scene to depict its original condition. The area should be searched in a circular motion, with the CPU being at the center of the circle. Shutting down and seizing an operational CPU may present the greatest challenge. This article explains steps in obtaining evidence from the computer.