Before You Pull the Plug

Article Posted: April 01, 2010

Collecting a computer into evidence requires careful consideration.

Common Scenario
After obtaining a search warrant from a magistrate, detectives went to the subject’s place of business and served him with the warrant. The warrant alleged the subject was using stolen and/or forged customer information and credit card data to commit online fraud and identity theft. Listed in the search warrant was the property to be seized, namely any computers and software that could be used to capture or create credit card numbers. Upon entering the premises, detectives discovered a desktop computer in the subject’s private office. The computer monitor was displaying what appeared to be credit card numbers. Believing they had probable cause and pursuant to their warrant, detectives placed the suspect under arrest. They then photographed the computer monitor, unplugged the power cord from the back of the computer, and seized it for later forensic analysis.

What Can Be Seized?
There are circumstances under which a magistrate will not sign a warrant authorizing removal of a computer or computer system from a subject’s premises or place of business. In those circumstances the system must be imaged or forensically examined on-site or via remote access, which is often a challenging task for investigators. Forensic examination of a live system requires specific training, hands-on practical experience, and a set of verified forensic tools. The number of computers, the makeup of the system, and the amount of data to be imaged or analyzed can make it difficult to determine where potential digital evidence resides. Not every agency or investigator has the knowledge, skills, or ability to conduct forensic analysis on a live system.
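The minimum an on-site imaging step should produce is a bit-for-bit copy whose hash matches the source, recorded with a timestamp. The script below is an added example, not part of the article or any vendor tool; it assumes a Linux forensic workstation with a POSIX shell, dd, sha256sum and date, that the source is attached through a hardware write blocker, and that the source size is a multiple of the block size (true of block devices at 512 bytes). In the field SRC would be a device such as /dev/sdb; the function takes an ordinary file just as well, which is how it can be exercised offline on a constructed input.

```shell
#!/bin/sh
# Added example (not from the article): image a source device with dd and
# verify the copy by hash, appending a custody record to a log file.
# Assumes dd, sha256sum and date are available (typical Linux workstation).

# image_and_verify SRC DST LOG
#   Copies SRC to DST block by block, hashes both, logs the result.
#   Returns 0 when the source and image hashes match, 1 otherwise.
image_and_verify() {
    src=$1; dst=$2; log=$3

    # bs=512 matches the sector size of most media. conv=noerror,sync keeps
    # reading past unreadable sectors and pads them with zeros so that
    # offsets in the image stay aligned with the source. Because sync pads
    # a short final block, the source size should be a multiple of bs.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Record both hashes so the log alone shows what was compared.
    printf '%s src=%s sha256=%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s img=%s sha256=%s\n' "$stamp" "$dst" "$dst_hash" >> "$log"

    if [ "$src_hash" = "$dst_hash" ]; then
        printf '%s VERIFIED\n' "$stamp" >> "$log"
        return 0
    fi
    printf '%s MISMATCH\n' "$stamp" >> "$log"
    return 1
}

# Usage: sh image.sh /dev/sdb /evidence/case001-sdb.dd /evidence/custody.log
if [ "$#" -eq 3 ]; then
    image_and_verify "$1" "$2" "$3"
fi
```

The hash of the source is taken after the copy, so a source that changes between the two reads (a live system, or media without a write blocker) shows up as a mismatch rather than as a silently divergent image; that is the check a later examiner will want to see in the log.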

Fortunately, in the vast majority of computer-related investigations, magistrates do allow seizure. Normally no forensic examination or imaging is performed on-site or via remote access; the computer is seized, packed appropriately, and submitted for forensic analysis at a later date. Investigators are taught that, as first responders, they must take certain steps to preserve the integrity of potential digital evidence. Their primary goals are to document the scene, locate the evidence to be seized per the warrant, and identify any other potential evidence relevant to the investigation. Investigators who have received basic electronic crime scene training know that if the computer is off, they do not turn it on. Likewise, if the computer is on, they do not use it; they photograph or otherwise document what is displayed on the monitor and then unplug the power cord. For a desktop or laptop computer, this means removing the cord from the back of the computer itself rather than from the wall, so that a surge protector or uninterruptible power supply cannot keep the machine running. For a laptop, removing the battery (or batteries) is the customary additional step. This procedure preserves the hard drive as it was at the moment of seizure, but it discards everything held only in memory: running processes, open network connections, unsaved documents, and the keys to any encrypted volumes that were mounted at the time. That loss is what makes the decision to pull the plug worth considering before it is made.

Related Topics: Digital Forensics, Evidence Collection, Crime Scene Products, Evidence Collection and Packaging, Digital Forensic Insider April/May 2010