When the Device Is The Evidence
As you read this article, you are no doubt surrounded by various technological devices, be they your iPhone, netbook, Kindle, or MDT. You rely on these devices every day to communicate with others, sometimes as far away as the other side of the world, sometimes as close as your partner in the next patrol car.

Sure, you're familiar with how to work these devices and are completely comfortable texting and emailing, but what happens when you're dispatched to a call where the electronic device is the crime scene?

The first step is to determine what you have. Officers should be able to identify all potential sources of electronic evidence, from something as obvious as a computer to something as innocuous as the Micro SD card within a cellphone.

Officers should be familiar with portable USB drives (aka "thumb drives") and understand that these devices are easily hidden and can be disguised as something else, such as a pen or even a Zippo-style lighter.

Once potential sources of evidence have been identified, it is imperative that they are handled properly to ensure that the digital evidence the devices contain is not altered or destroyed.
For example, an officer handling a cellphone that may contain evidence may alter that evidence if they begin navigating through menus, text messages, or images before a proper forensic analysis has been conducted. If a cellphone is a simple phone used for calls and text messages, simply turn it off before labeling it and securing it as evidence.

If it is a smart phone such as a Blackberry or iPhone, the device should be left on if it's on, and off if it's off.

If it is on, it should be secured in a signal-blocking container ("Faraday Cage") and brought to the digital forensics lab as soon as possible. If there is no "Faraday Cage" or bag available, an empty paint can or multiple layers of aluminum foil may serve as a substitute.

It is always a good practice to seize any corresponding power cables for cellphones.

If the evidence is stored on a computer, and the computer is off, leave it off. Document all connections with photographs before labeling and securing it.

If the computer is on, the officer should try to determine the operating system that the machine is using, and photograph the screen in detail to show what programs are operating and to document the system date and time.

In most cases, from this point the computer should be brought down by disconnecting the power cable from the rear of the machine.

If it is a laptop, unplug it and then remove the battery.

The key point to remember is not to make any changes to the evidence by running programs or opening files.

Remember that this is just a guideline, and there is no one perfect method. And of course, always follow your department procedures for securing digital evidence.

Jim Schwab is a police officer in Belmont, Massachusetts and has been investigating high-tech crime since 2002. He currently holds EnCase and AccessData certifications and is assigned to the NEMLEC Regional Computer Crime Unit.
