CONDUCTING THE SEARCH AND/OR SEIZURE is an important part of computer forensics. If the search is not done properly, you will not be able to enter the evidence into the case. The following is an outline:
Secure the Scene.
Assign a safety officer to manage the scene. Preserve the area for potential fingerprints.
Leave computers in the state found. Document how they were found with photographs and written documentation. Immediately restrict access to the computer(s).
Isolate from phone lines (because data on the computer can be accessed remotely).
Identify which machines are standalone and which are network-based. If a computer is network-based, some of the data might reside on another machine. Below is a rule we follow when collecting evidence:
o On/Off Rule for Forensics data recovery and evidence gathering.
o If the device is “ON”, do NOT turn it “OFF”.
o Turning it “OFF” could activate a lockout feature.
o Write down all information on display (photograph if possible).
o Power down prior to transport (take any power supply cords present).
o If the device is “OFF”, leave it “OFF”.
o Turning it on could alter evidence on device (same as computers).
o Upon seizure get it to an expert as soon as possible or contact local service provider.
o Make every effort to locate any instruction manuals pertaining to the device.
One of the key elements in every data forensics procedure is time. Users may inadvertently overwrite evidence simply by continuing to complete their daily tasks. Collecting and preserving data or evidence that may have been deleted or become inaccessible through normal computing methods is an important consideration. Determining beforehand what information needs to be gathered is critical to a case's success or failure.