Tel: +44 (0) 2380 511622 Emergency Tel: +44 (0) 2380 510533
Digifor - Computer Forensics Science

INFORMATION: TAKING POSSESSION OF EQUIPMENT FOR COMPUTER INVESTIGATION

Before taking possession (or 'seizing') computers, mobile phones, CDs, floppy disks or any other such equipment that is to be submitted for forensic examination, it is vital that you consult with a member of the DigiFor forensic department. We will advise you as to how this work must be carried out.

Failing to comply with proper procedures means that valuable evidence may be rendered inadmissible. It also means that time, effort and money may be wasted and an unsatisfactory outcome may result.

The following general guidelines are useful to note:


Ensure that you gain control of the premises and the occupants.
Do not allow anyone to touch the computers or equipment.
Do not under any circumstances power on the computer or equipment.
Make sure that the computer or equipment is switched off. NOTE: A computer may be in stand-by mode and may be accessed remotely, allowing the alteration or deletion of files.
Remove the battery from laptop computers. NOTE: Laptops may power on by simply opening the lid.
Unplug the power and other devices from sockets. NOTE: For all desktop computers, remove the power supply by pulling out the end attached to the computer and not the end attached to the socket.
Photograph the scene and all of the components in situ, ensuring that the picture depicts the layout of the equipment, floppy disks and other storage media. Ensure that the picture is date and time stamped.
Photograph the information that may be displayed on the screen.
Ensure that all items are secured so that a reconstruction will be possible at a later date.
Search the area for diaries, notebooks or pieces of paper for passwords.
Ask the user if there are any passwords and, if these are given, record them accurately.
If a computer is connected to or is part of a network, consult with a member of the DigiFor forensic department.
Do not take advice from the owner/user of the computer.

A typical list of items for seizure:

Main computer unit: this is usually the box to which the monitor and keyboard are attached.
Monitor, keyboard and mouse.
Connectivity leads.
Power supply units and leads.
Hard disks not fitted inside or connected to the computer.
External hard drives and other external devices.
Dongles: i.e. small connectors plugged into the back of the machine.
Modem or signalling equipment.
Wireless network cards.
PCMCIA cards: communication cards used with laptops.
Digital cameras and web cams.
Floppy disks.
Backup tapes.
Jaz/Zip drives.
CDs, DVDs.
Memory sticks and memory cards.
Manuals of computer software.

Transportation:

When equipment is transported, it should be handled with care, securely packed and placed in an upright position to prevent physical shocks. Equipment must be kept away from magnetic sources (heated car seats and windows, loudspeakers and hand-held radios). Loose hard disks or floppy disks should be placed in anti-static bags.

Comment:

The essential concern when acquiring equipment is not to change the evidence on the hard disk, so that an image can be produced that represents its exact state when it was seized. Only a competent person who understands the implications of his or her actions and is able to fully explain them in a court of law should be involved. If you are in any doubt, please contact the DigiFor forensic department.