Seizing Computers

Taking custody of computers at a scene or incident.

Introduction

Sometimes, it becomes necessary to take control of a device which has been used by a suspect - or which is, itself, suspected of involvement in some unwanted activity or incident. It may be necessary to act quickly, so this guide gives a simple procedure which can be followed by first responders who need to take immediate action.

Note: This is general guidance, and designed to meet the minimum requirements of various standards and good practice guides. It may not always be completely appropriate and, if time permits, it is wise to consult an expert to produce a plan for seizure which will maximise the quantity of potential digital evidence which can be recovered whilst minimising disruption to other parties. This is particularly important if servers are to be handled as their seizure may cause disruption to business.

At all scenes, move everyone away from the equipment to be considered for seizure, especially any suspect(s) - remove the risk that they could tamper with the device before it is under control. This applies to first responders as well: do not touch the keyboard, mouse or screen except where the procedure below requires it. Even the smallest hint that someone or something has changed the data in some unknown way could be enough to render it useless as evidence. (See our case studies for an example of this happening.)

Desktop and Server computers

General procedure

  1. If the device is off - leave it switched off. Don't be tempted to "have a quick look" - simply booting the operating system writes to the disk (logs, timestamps, swap and temporary files) and can overwrite or alter data, which may render evidence unusable.
  2. If the device is switched on, identify the point at which power enters the device itself (e.g. the socket on the rear of the case), rather than the wall socket or an extension lead. This is where power will be removed in step 6.
  3. Record the state and condition of the device, including details of anything visible on screens or display, any connected cables and any obviously associated devices (e.g. printers, removable storage devices etc.). Give as much detail as possible - full descriptions are preferable to guesses about which applications are running. Photographs of screens and displays can capture this quickly and accurately. Sketches may be easier to produce than written notes.
  4. If a screensaver is running, leave it alone. Touching the mouse or keyboard to clear it changes the state of the machine, may present a locked session you cannot get past, and may trigger unwanted activity on the device. Record that a screensaver was running and move on.
  5. If the device is obviously in the middle of completing a task (e.g. printing a document, writing to CD/DVD/Blu-ray etc.), allow it to finish, and note what the task appeared to be.
  6. Kill power to the system by pulling the power lead from the socket on the device itself (the point identified in step 2), not from the wall. An Uninterruptible Power Supply (UPS) between the wall and the device would otherwise keep it running and can signal the loss of mains to the operating system, triggering a scripted shutdown or other unwanted activity. Be aware of the trade-off: removing power discards everything held in memory (running processes, network connections, open documents and any decryption keys), and a disk protected by full-disk encryption will not be readable on examination without the password or recovery key. If there are signs of encryption, or the machine is a live server, and an expert can be reached, ask before pulling the plug; they may want volatile data captured from the running system first.
  7. Laptops/notebooks/netbooks contain an internal UPS in the form of a battery, so pulling the power cord alone will not shut them down. Prior to removing the power cord, either remove the battery (where it is removable; many current laptops have a sealed battery) or close the lid to cause the device to sleep or hibernate. A sleeping machine is still powered and holds its memory contents only until the battery is exhausted, after which it turns off. Make a note of the actions taken and of what the machine did (e.g. lid closed at a given time, state of the power or sleep indicator) and ensure that this information is available to the examiner. If the machine is in a sleep or hibernate state, ensure that it is sent for examination quickly and that it is clearly labelled as a machine which is running on battery power.
  8. Label cables and the sockets to which they are attached (e.g. by using matching numbered sticky labels or pieces of masking tape on each socket and cable), so that the examiner can reconstruct exactly what was connected where. Note these connections in contemporaneous notes. Photographs and sketches can be a big help here too.
  9. Note any identifying marks (serial numbers, licence stickers etc.).
  10. Package the device and associated cables in tamper-evident packaging, completing continuity labels or records, and entering details (including bag or seal numbers) into the evidence log. Ensure that any associated external power supplies are packaged with the device if at all possible. Ensure that identifying marks are visible through the packaging wherever possible.
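Steps 3, 7, 8 and 10 all rest on a record that cannot be quietly rewritten afterwards. As an added illustration, not code from the n-gate guide, here is a minimal seizure log in Python that appends each contemporaneous note with the SHA-256 hash of the note before it, and records scene photographs by their hash rather than by filename alone, so an after-the-fact edit or re-ordering shows up on verification. The exhibit references (NG/01, NG/02), responder name, timestamps, seal and serial numbers and photograph bytes are all constructed placeholders.

```python
"""Tamper-evident seizure log. Added example, not from the n-gate guide; the
exhibit references, names, seal and serial numbers and photo bytes below are
constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    when: str         # ISO-8601 UTC timestamp of the contemporaneous note
    who: str          # responder making the note
    action: str       # what was done, referencing the procedure step
    details: dict     # cable labels, serial numbers, photo hashes, seal numbers
    prev_hash: str    # digest of the preceding entry (GENESIS for the first)
    digest: str = ""  # digest of this entry, filled in on append


def entry_hash(e: Entry) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the digest does not
    # depend on dict insertion order or whitespace.
    body = {k: v for k, v in asdict(e).items() if k != "digest"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class SeizureLog:
    """Append-only record; each entry chains to the previous one via its digest."""

    def __init__(self, exhibit_ref: str):
        self.exhibit_ref = exhibit_ref
        self.entries: list[Entry] = []

    def record(self, who: str, action: str, details: dict | None = None,
               when: str | None = None) -> str:
        prev = self.entries[-1].digest if self.entries else GENESIS
        e = Entry(when or datetime.now(timezone.utc).isoformat(), who, action,
                  details or {}, prev)
        e.digest = entry_hash(e)
        self.entries.append(e)
        return e.digest

    def verify(self) -> bool:
        """True only if every entry re-hashes to its digest and links to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or entry_hash(e) != e.digest:
                return False
            prev = e.digest
        return True


# Constructed stand-ins for scene photographs (in practice the image bytes straight
# off the camera card) and for the numbered cable labels applied at step 8.
SAMPLE_PHOTOS = {
    "IMG_0001_screen.jpg": b"constructed placeholder for the screen photograph",
    "IMG_0002_rear_panel.jpg": b"constructed placeholder for the rear-panel photograph",
}
SAMPLE_CABLE_LABELS = {
    "1": "mains lead -> PSU socket, rear",
    "2": "Ethernet -> onboard NIC",
    "3": "USB -> external HDD (exhibit NG/02)",
}


def build_sample_log() -> SeizureLog:
    """Walk the desktop procedure once with constructed data (hypothetical exhibit NG/01)."""
    log = SeizureLog("NG/01")
    t = "2024-05-01T09:{:02d}:00+00:00".format  # constructed timestamps
    log.record("PC 1234 Smith", "step 3: recorded screen and connections",
               {"screen": "desktop visible; text editor and browser windows open",
                "photos": {n: sha256_hex(b) for n, b in SAMPLE_PHOTOS.items()}}, when=t(12))
    log.record("PC 1234 Smith", "step 6: power lead pulled from rear of device", when=t(15))
    log.record("PC 1234 Smith", "steps 8-9: cables labelled, serial recorded",
               {"labels": SAMPLE_CABLE_LABELS, "serial": "SN-CONSTRUCTED-0001"}, when=t(20))
    log.record("PC 1234 Smith", "step 10: sealed in tamper-evident bag",
               {"bag_seal": "T0001234"}, when=t(25))
    return log


def tamper_check() -> tuple[bool, bool]:
    """verify() before and after a retrospective edit to an existing entry."""
    log = build_sample_log()
    before = log.verify()
    log.entries[1].details["note"] = "had a quick look first"  # the edit step 1 warns against
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(json.dumps([asdict(e) for e in build_sample_log().entries], indent=2))
    print("tamper detected:", tamper_check() == (True, False))
```

Run the file directly to print the chain; tamper_check() shows that rewriting an existing note, even to add a sentence, breaks verification from that entry onward. This does not replace signed, witnessed paper continuity labels; it complements them by making the electronic record self-checking, and the photo hashes let the examiner confirm the images they receive are the ones taken at the scene.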

If you need further help or advice on this, or any other topic in forensic science, please contact n-gate ltd. now.