
Forensic Cop Journal Volume 3(2), Jan 2010

http://forensiccop.blogspot.com

Standard Operating Procedure of Seizure on Computer-based Electronic Evidence
by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police – Coordinator of Digital Forensic Analyst Team (DFAT)
Forensic Lab Centre of Indonesian National Police HQ

Introduction

Handling the evidence found in a case of computer crime or computer-related crime is
different from handling other evidence such as blood, tool marks, trace and fibres. The
evidence found at such crimes is grouped as computer-based electronic evidence. Because
evidence of this type is volatile and easily altered, the digital forensic analyst must
understand how to handle it properly. With proper handling, the analyst can be expected to
reveal the contents of the evidence and carry it forward into the investigation. Handled
properly, the findings are reliable and can be accepted by the court; handled improperly,
they will be doubted and may even be rejected by the court.

Because handling such evidence is so essential, the analyst must pay particular attention
when finding it at the crime scene. Handling starts with seizure; the seizure technique
therefore plays a key role in handling the evidence properly. The chain of custody of the
evidence also starts with the seizure at the crime scene. The chain of custody is a
comprehensive description of the journey of the evidence from the crime scene to the court:
who first found it at the crime scene, who handled it in each further investigative action,
and who finally submitted it to the court. It also records who did what to the evidence.
This article does not discuss the chain of custody, however; it explains how to perform a
proper seizure of computer-based electronic evidence.

Computer-based Electronic Evidence

The evidence found in a case of computer crime or computer-related crime that requires
digital forensic analysis is grouped as computer-based electronic evidence. This evidence is
physical evidence: it can be seen and handled. Digital forensic analysts and criminal
investigators should look for evidence of this type at the crime scene and, after finding
it, perform a proper seizure of it.

The findings, in the form of data or information stored in the evidence, are called digital
evidence. This digital evidence must then be located and analysed by the digital forensic
analyst, as it can prove the relationship between the case and the perpetrators.


Below is the physical evidence which might be found at a crime scene and needs to be seized.
1. Personal Computers
2. Notebooks / Netbooks / Laptops
3. Mobile phones / PDAs
4. Printers
5. Optical Media: CDs / DVDs
6. Zip drives / Backup Tapes
7. Flash disks, Hard disks, Floppy disks
8. Modems / Switches / HUBs / Routers
9. Digital Cameras
10. Memory Cards
11. Dongles
12. Wireless Network Cards

The following is the digital evidence which might be found in the contents of the physical
evidence above.
1. Digital Images
2. Videos
3. Voice Recordings
4. Plain Texts
5. Ciphered Texts / Encrypted Files
6. Emails
7. Instant Messages
8. Network Logs
9. Application Logs
10. Call Logs
11. Short Messages


Condition 1: The electronic evidence appears to be switched off

According to ACPO, below are the proper actions on how to handle the electronic evidence
when it appears to be switched off (ACPO, p11, 2008).
1. Secure and take control of the area containing the equipment.
If necessary, cordon the scene with police line tape as a perimeter to protect it from
contamination.
2. Move people away from any computers and power supplies.
Warn and order anyone not to enter the scene unless they are an analyst involved in the
investigation. Nobody is allowed close to the evidence except for analysis purposes. This
is to avoid any accidental or deliberate action that could harm the evidence, and in
particular alter it.
3. Photograph or video the scene and all the components including the leads in situ. If
no camera is available, draw a sketch plan of the system and label the ports and
cables so that system/s may be reconstructed at a later date.
4. Allow any printers to finish printing.
5. Do not, in any circumstances, switch the computer on.
Switching the computer on is prohibited because booting it definitely changes the contents
of the evidence.
6. Make sure that the computer is switched off – some screen savers may give the
appearance that the computer is switched off, but hard drive and monitor activity
lights may indicate that the machine is switched on.
A brief movement of the mouse will usually wake the computer. Never forget to check the
hard drive and monitor activity lights.
7. Be aware that some laptop computers may power on by opening the lid.
8. Remove the main power source battery from laptop computers. However, prior to
doing so, consider if the machine is in standby mode. In such circumstances, battery
removal could result in avoidable data loss.
9. Unplug the power and other devices from sockets on the computer itself (i.e. not the
wall socket). A computer that is apparently switched off may be in sleep mode and
may be accessed remotely, allowing the alteration or deletion of files.
10. Label the ports and cables so that the computer may be reconstructed at a later
date.
Do this carefully in order to avoid mistakes during reconstruction.
11. Ensure that all items have signed and completed exhibit labels attached to them.
Failure to do so may create difficulties with continuity and cause the equipment to
be rejected by the forensic examiners.


12. Search the area for diaries, notebooks or pieces of paper with passwords on which
are often attached or close to the computer. Consider asking the user about the
setup of the system, including any passwords, if circumstances dictate. If these are
given, record them accurately.
13. Make detailed notes of all actions taken in relation to the computer equipment.

Condition 2: The electronic evidence appears to be switched on

The following are the actions recommended by ACPO for handling the evidence properly when
it appears to be switched on (ACPO, p12, 2008).
1. Secure the area containing the equipment.
As before, establish a perimeter with police line tape so that the border of the scene is
visible to everyone.
2. Move people away from computer and power supply.
The presence of people can contaminate the electronic evidence, and a wrong action on
their part can even change its contents.
3. Photograph or video the scene and all the components including the leads in situ. If
no camera is available, draw a sketch plan of the system and label the ports and
cables so that system/s may be reconstructed at a later date.
4. Consider asking the user about the setup of the system, including any passwords, if
circumstances dictate. If these are given, record them accurately.
5. Record what is on the screen by photographing and by making a written note of the
content of the screen.
6. Do not touch the keyboard or click the mouse. If the screen is blank or a screen saver
is present, the case officer should be asked to decide if they wish to restore the
screen. If so, a short movement of the mouse should restore the screen or reveal
that the screen saver is password protected. If the screen restores, photograph or
video it and note its content. If password protection is shown, continue as below,
without any further touching of the mouse. Record the time and activity of the use
of the mouse in these circumstances.
7. Where possible, collect data that would otherwise be lost by removing the power
supply e.g. running processes and information about the state of network ports at
that time. Ensure that for actions performed, changes made to the system are
understood and recorded. See section on Network forensics and volatile data.
8. Consider advice from the owner/user of the computer but make sure this
information is treated with caution.
9. Allow any printers to finish printing.


10. If no specialist advice is available, remove the power supply from the back of the
computer without closing down any programs. When removing the power supply
cable, always remove the end attached to the computer and not that attached to the
socket. This will avoid any data being written to the hard drive if an uninterruptible
power protection device is fitted.
11. Remove all other connection cables leading from the computer to other wall or floor
sockets or devices.
12. Ensure that all items have signed exhibit labels attached to them. Failure to do so
may create difficulties with continuity and cause the equipment to be rejected by
the forensic examiners.
13. Allow the equipment to cool down before removal.
14. Search area for diaries, notebooks or pieces of paper with passwords on which are
often attached or close to the computer.
15. Ensure that detailed notes of all actions are taken in relation to the computer
equipment.
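Step 7 asks the responder to collect running processes and network state before power is removed, and step 15 requires detailed notes of every action taken. The script below is an added example of doing both together; it is not ACPO's or the author's tooling, and its output file names, the list of commands run, and the log format are assumptions.

```shell
#!/bin/sh
# Added example (not ACPO's or the author's tooling): collect the volatile
# data named in step 7 from a live machine while logging every action, as
# step 15 requires. Output file names and the command list are assumptions.

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Append one UTC-timestamped note to the actions log for the examiner's notes.
note() { printf '%s %s\n' "$(now)" "$*" >> "$OUTDIR/actions.log"; }

# SHA-256 of a saved output file so later alteration of the record is detectable.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else echo "hash-tool-unavailable"; fi
}

# Run one collection command, save its output, hash it and log what was done.
# A missing tool is logged and skipped rather than aborting the collection.
run_step() {
    name="$1"; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        note "SKIP $name: command '$1' not available"
        return 0
    fi
    out="$OUTDIR/$name.txt"
    note "RUN  $name: $*"
    "$@" > "$out" 2>&1 || note "WARN $name: exit status $?"
    note "HASH $name: $(hash_file "$out")"
}

# Collect into OUTDIR; point it at removable media, never at the evidence disk.
collect_volatile() {
    OUTDIR="$1"
    mkdir -p "$OUTDIR"
    note "START volatile collection on $(hostname 2>/dev/null || echo unknown-host)"
    run_step datetime  date
    run_step uptime    uptime
    run_step processes ps -eo pid,ppid,user,lstart,cmd
    run_step sockets   ss -tulpan
    run_step routes    ip route
    run_step arp       ip neigh
    run_step users     who
    note "END volatile collection; $(ls "$OUTDIR" | wc -l) files in $OUTDIR"
}

if [ $# -gt 0 ]; then collect_volatile "$1"; fi
```

Every command the script runs on the live system is itself a change to that system, which is why each one is written to actions.log with its time and the hash of what it produced, ready to be copied into the examiner's notes.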

Bibliography

ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available:
http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf.
Last accessed 30 September 2009.
Al-Azhar, M.N. (2009). Digital Forensic: State of the art. Forensic Cop. Available:
http://forensiccop.blogspot.com. Last accessed 1 January 2010.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the
Internet. 2nd edition. London: Elsevier Academic Press.
Carrier, B. (2005). File System Forensic Analysis. London: Addison-Wesley.
Department of Justice, US. (2001). Electronic Crime Scene Investigation: A Guide for First
Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed
30 September 2009.
