Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

April 14, 2008

Chapter 5. Evidence Collection

Section 1 — Computers, Components and Devices

To prevent the alteration of digital evidence during collection, first responders should first—

  • Document any activity on the computer, components, or devices.
  • Confirm the power state of the computer. Check for flashing lights, running fans, and other sounds that indicate the computer or electronic device is powered on. If the power state cannot be determined from these indicators, observe the monitor to determine if it is on, off, or in sleep mode.

Assess the Situation

After identifying the computer’s power status, follow the steps listed below for the situation most like your own (see, also, the Collecting Digital Evidence Flowchart):

  • Situation 1: The monitor is on. It displays a program, application, work product, picture, e-mail, or Internet site on the screen.
    1. Photograph the screen and record the information displayed.
    2. Proceed to “If the Computer Is ON.”
  • Situation 2: The monitor is on and a screen saver or picture is visible.
    1. Move the mouse slightly without depressing any buttons or rotating the wheel. Note any onscreen activity that causes the display to change to a login screen, work product, or other visible display.
    2. Photograph the screen and record the information displayed.
    3. Proceed to “If the Computer Is ON.”
  • Situation 3: The monitor is on; however, the display is blank as if the monitor is off.
    1. Move the mouse slightly without depressing any buttons or rotating the wheel. The display will change from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
    2. Photograph the screen and record the information displayed.
    3. Proceed to “If the Computer Is ON.”
  • Situation 4a: The monitor is powered off. The display is blank.
    1. If the monitor’s power switch is in the off position, turn the monitor on. The display changes from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
    2. Photograph the screen and the information displayed.
    3. Proceed to “If the Computer Is ON.”
  • Situation 4b: The monitor is powered off. The display is blank.
    1. If the monitor’s power switch is in the off position, turn the monitor on. The display does not change; it remains blank. Note that no change in the display occurs.
    2. Photograph the blank screen.
    3. Proceed to “If the Computer Is OFF.”
  • Situation 5: The monitor is on. The display is blank.
    1. Move the mouse slightly without depressing any buttons or rotating the wheel; wait for a response.
    2. If the display does not change and the screen remains blank, confirm that power is being supplied to the monitor. If the display remains blank, check the computer case for active lights and listen for spinning fans or other indications that the computer is on.
    3. If the screen remains blank and the computer case gives no indication that the system is powered on, proceed to “If the Computer Is OFF.”
Date Created: April 9, 2008