- If the computer is powered off, DO NOT turn it on.
- If the computer is powered on, DO NOT allow anyone other than the law enforcement to go near it. Some suspects may install destructive devices or programs that can be initiated by a simple button or keystroke. Don’t allow your suspect to destroy your evidence.
- Because TOR users are generally quite tech savvy, there is a potential threat that during the powering down process evidence destruction or encryption could occur. Let the experts decide on how to proceed. Most forensic experts prefer to examine the computer in a controlled laboratory environment.
Before doing anything to the computer, video tape, photograph, or sketch a diagram of the room’s layout including the location of the computer and all of the devices connected to it. Make sure you document what is currently being displayed on the screen if the device is on.
After the proper identification of all computers and attached devices, investigators must document all of the devices by model, serial number, as well as any other identifiable information. Look for the computer software and device manuals; examiners may find these items useful and they may contain passwords.
REMEMBER: THIS IS A GUIDE; ALWAYS FOLLOW YOUR AGENCY/CORPORATION RULES/REGULATIONS REGARDING DIGITAL EVIDENCE COLLECTION.
Equipment related to digital evidence items can include the following:
- External storage devices (CD drives, zip drives, external hard drives, etc.)
- Removable media
- Computer manuals
- Smaller computers like phones, notebooks, iPads, iPods, and digital cameras
- All related cables, power supplies, chargers
Below is a list of additional best practices to remember when collecting evidence.
- Utilize the right people for the right job. If you have a computer or digital specialist with you, assign that person to recover any digital evidence. They have been trained to recover and store evidence without losing data or changing data files.
- Always use latex gloves for handling devices for possible DNA. Place evidence tape over each port and drive on the device.
- Photograph the back of the computer and any devices connected to it. Make sure you sketch a diagram as well as label all the attached cables.
- Transport and store the digital evidence in any area free from moisture, magnets, radio transmitters, and other digitally destructive environments.