Computer Forensic Investigation    Computer Forensics Training Information

1. Securing the Scene -- Investigator Safety is the first priority; Preserve the area for traditional physical evidence (fingerprints, etc.); Quarantine the computer and sources of digital evidence, and restrict ALL access to any computer(s) and digital media.
   
2. If the computer is OFF, DO NOT TURN IT ON.
   Never attempt to turn on a computer without proper training and tools or destruction of evidence will occur.
   
3. If the computer is ON “seek the assistance of a trained computer specialist.” If the computer system is networked or used for business purposes a computer specialist should be consulted before disconnecting. Improper procedures may result in damage to the system, disruptions of legitimate businesses, and create liability on the part of the investigator or officer.
   
4. Photograph and document the scene. When photographing, make sure that all sides of the computer are photographed, especially any connections.
   
5. If the computer is a Windows or Macintosh. (non-Unix, Linux, or Server), disconnect the power cord from the BACK of the computer. DO NOT turn off using the power switch; this will change critical data. Suspects may have wired the power switch to destroy data.
   
6. Place evidence tape over all drives slots and the case housing.
   
7. Label each cable at both ends. Making sure that full reassembly is possible.
   
8. Package equipment in protective cases. Use anti-static bags and protect from any magnetic fields. DO NOT transport near radios or electronic equipment.

Always look for other forms of cyberevidence: Electronic Organizers; Cellular phones, Pagers; Facsimile Machines; Caller ID Devices; Smart Cards; Storage medium: Floppies; Tapes; Compact Discs; Hard Disks; and Removable media.