Seizing the Evidence with Computer Forensics
The Legal Aspects of Computer Forensic Evidence
Computer forensic experts today have to conform with many rules and regulations if the evidence
they uncover is to be acceptable to the courts. The initial step to obtain computer forensic evidence
is securing a search warrant to seize the suspect system. This warrant must include wording allowing
the investigators to seize not only the computer, but also any peripherals thought to be connected
with the crime. A suspected counterfeiter, for instance, may have used his computer, a scanner, and
a printer to produce his counterfeit documents, in which case all three items would need to be seized
to provide evidence.
If it is thought that evidence is contained in emails, this should also
be specifically mentioned in the search warrant. Email is a sensitive
area as it can be considered personal, so solid justification is needed
before a suspect's email is allowed to be searched.
A warrant also needs to be clear about the searching of network and
file servers, whether backup media is included, and if hardware,
software, and peripherals can be removed to another location to conduct the search.
In all circumstances, data not connected to the crime must not be touched. Doctors, lawyers, and
clergy store documents on their PCs and much of this information is confidential. While the
computer forensic expert needs to uncover evidence, care must be exercised to protect the personal
information of any innocent third parties.
Seizing Equipment for Computer Forensics
Investigators can only seize equipment connected with the case; knowing the role of the computer
will indicate what should be taken. For instance, if it is thought that the computer was used to store
evidence, then all storage media should also be seized for the computer forensic inspection.
If the computer was running programs to collect and analyze information, any relevant books found
at the scene should be seized to help computer forensic experts understand the programs.
If the suspect is present, he must be prevented from touching the computer. A computer that is
running at the time of seizure should not be allowed to shut down; pulling the plug out of the wall
will prevent any programs from wiping incriminating information during the shutdown sequence.
The computer forensic expert can test the shutdown sequence later, to see if it includes any
Dismantling Equipment for Computer Forensics
When a computer and its peripherals are removed from a crime scene, a great deal of care has to be
taken while dismantling the equipment to prevent any malicious programs from being activated
should the computer power system be booby-trapped.
The entire setup should be photographed or a video taken before starting disassembly, notes taken
at every step, and every cord labeled stating where it was attached. There are several ways to set up
a computer and peripherals, and when it arrives in the computer forensics lab the suspect system will
need to be set up exactly as it was at the crime scene.