Packaging, Transportation, and Storage of Digital Evidence
Digital evidence—and the computers and electronic devices on which it is stored—is fragile and sensitive to extreme temperatures, humidity, physical shock, static electricity, and magnetic fields.
The first responder should take precautions when documenting, photographing, packaging, transporting, and storing digital evidence to avoid altering, damaging, or destroying the data.
All actions related to the identification, collection, packaging, transportation, and storage of digital evidence should be thoroughly documented.
When packing digital evidence for transportation, the first responder should:
- Ensure that all digital evidence collected is properly documented, labeled, marked, photographed, video recorded or sketched, and inventoried before it is packaged. All connections and connected devices should be labeled for easy reconfiguration of the system later.
- Remember that digital evidence may also contain latent, trace, or biological evidence and take the appropriate steps to preserve it. Digital evidence imaging should be done before latent, trace, or biological evidence processes are conducted on the evidence.
- Pack all digital evidence in antistatic packaging. Only paper bags and envelopes, cardboard boxes, and antistatic containers should be used for packaging digital evidence. Plastic materials should not be used when collecting digital evidence because plastic can produce or convey static electricity and allow humidity and condensation to develop, which may damage or destroy the evidence.
- Ensure that all digital evidence is packaged in a manner that will prevent it from being bent, scratched, or otherwise deformed.
- Label all containers used to package and store digital evidence clearly and properly.
- Leave cellular, mobile, or smart phone(s) in the power state (on or off) in which they were found.
- Package mobile or smart phone(s) in signal-blocking material such as Faraday isolation bags, radio frequency-shielding material, or aluminum foil to prevent data messages from being sent or received by the devices. (First responders should be aware that if inappropriately packaged, or removed from shielded packaging, the device may be able to send and receive data messages if in range of a communication signal.)
- Collect all power supplies and adapters for all electronic devices seized.
When transporting digital evidence, the first responder should:
- Keep digital evidence away from magnetic fields such as those produced by radio transmitters, speaker magnets, and magnetic mount emergency lights. Other potential hazards that the first responder should be aware of include seat heaters and any device or material that can produce static electricity.
- Avoid keeping digital evidence in a vehicle for prolonged periods of time. Heat, cold, and humidity can damage or destroy digital evidence.
- Ensure that computers and electronic devices are packaged and secured during transportation to prevent damage from shock and vibration.
- Document the transportation of the digital evidence and maintain the chain of custody on all evidence transported.
When storing digital evidence, the first responder should:
- Ensure that the digital evidence is inventoried in accordance with the agency’s policies.
- Ensure that the digital evidence is stored in a secure, climate-controlled environment or a location that is not subject to extreme temperature or humidity.
- Ensure that the digital evidence is not exposed to magnetic fields, moisture, dust, vibration, or any other elements that may damage or destroy it.
NOTE: Potentially valuable digital evidence, including dates, times, and system configuration settings, may be lost due to prolonged storage if the batteries or power source that preserve this information fail. Where applicable, inform the evidence custodian and the forensic examiner that electronic devices are battery powered and require prompt attention to preserve the data stored in them.
If more than one computer is seized as evidence, all computers, cables, and devices connected to them should be properly labeled to facilitate reassembly if necessary. In this example, the computer is designated as computer A. All connections and cables are marked with an "A" and a unique number.
Subsequently seized computers can be labeled in alphabetical order. The corresponding connections and cables can be labeled with the letter designation for the computer and a unique number to ensure proper reassembly.
From: National Institute of Justice Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition