Digital Forensic Evidence Preservation

Computer Forensics: First Response for Forensic Evidence Preservation

Securing the Scene

Investigator Safety is the first priority; Preserve the area for traditional physical evidence (fingerprints, etc.); Quarantine the computer and sources of digital evidence, and restrict ALL access to any computer(s) and digital media..

If the computer is OFF, DO NOT TURN IT ON.

Never attempt to turn on a computer without proper training and tools or destruction of evidence will occur.

If the computer is ON “seek the assistance of a trained computer specialist.” If the computer system is networked or used for business purposes a computer specialist should be consulted before disconnecting. Improper procedures may result in damage to the system, disruptions of legitimate businesses, and create liability on the part of the investigator or officer.

Photograph and document the scene

When photographing, make sure that all sides of the computer are photographed, especially any connections.

DO NOT turn off using the power switch

If the computer is a Windows or Macintosh. (non-Unix, Linux, or Server), disconnect the power cord from the BACK of the computer. DO NOT turn off using the power switch; this will change critical data. Suspects may have wired the power switch to destroy data.

Place evidence tape over all drives slots and the case housing

Label each cable at both ends. Making sure that full reassembly is possible.

Package and Handeling

Package equipment in protective cases. Use anti-static bags and protect from any magnetic fields. DO NOT transport near radios or electronic equipment.

Always look for other forms of cyberevidence:

  • Electronic Organizers
  • Cellular phones
  • Pagers
  • Facsimile Machines
  • Caller ID Devices
  • Smart Cards
    • Storage medium:
    • Floppies
    • Tapes; Compact Discs
    • Hard Disks
    • Removable media

Reference from