General Forensics Tips

Recognizing Potential Evidence

MacForensics.com Tips - Recognizing Potential Evidence

The following was taken from the United States Secret Service's Best Practices For Seizing Electronic Evidence. We highly recommend you read the entire article located here, as it contains lots of good information regarding electronic evidence.

Recognizing Potential Evidence

Computers and digital media are increasingly involved in unlawful activities. The computer may be contraband, fruits of the crime, a tool of the offense, or a storage container holding evidence of the offense. Investigation of any criminal activity may produce electronic evidence. Computers and related evidence range from the mainframe computer to the pocket-sized personal data assistant to the floppy diskette, CD or the smallest electronic chip device. Images, audio, text and other data on these media are easily altered or destroyed. It is imperative that law enforcement officers recognize, protect, seize and search such devices in accordance with applicable statutes, policies and best practices and guidelines.

Answers to the following questions will better determine the role of the computer in the crime:

  • Is the computer contraband or fruits of a crime?
    For example, was the computer software or hardware stolen?

  • Is the computer system a tool of the offense?
    For example, was the system actively used by the defendant to commit the offense? Were fake IDs or other counterfeit documents prepared using the computer, scanner, and color printer?

  • Is the computer system only incidental to the offense, i.e., being used to store evidence of the offense?
    For example, is a drug dealer maintaining his trafficking records in his computer?

  • Is the computer system both instrumental to the offense and a storage device for evidence?
    For example, did the computer hacker use her computer to attack other systems and also use it to store stolen credit card information?

Once the computer’s role is understood, the following essential questions should be answered:

  • Is there probable cause to seize hardware?
  • Is there probable cause to seize software?
  • Is there probable cause to seize data?
  • Where will this search be conducted?
    • For example, is it practical to search the computer system on site or must the examination be conducted at a field office or lab?
    • If law enforcement officers remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
    • Considering the incredible storage capacities of computers, how will experts search this data in an efficient, timely manner?

Source: US Secret Service