Computer Search and Seizure Policy

Questions and Answers

According to the policy, what primary distinction must be made when dealing with computer-related evidence?

• Between data stored on local drives versus data stored on network servers.
• Between the procedures for seizing computer-related evidence and the procedures for the actual search of computer evidence. (correct)
• Between hardware and software components of a computer system.
• Between different types of digital media, such as hard drives and USB drives.

In a scenario where a computer system is part of a networked business environment, who is authorized to conduct a computer evidence seizure?

• Any officer trained in general evidence collection.
• Any officer acting under the direct supervision of a supervisor.
• Only a computer crimes specialist trained in computer network evidence seizures. (correct)
• Any patrol officer who discovers the computer during a routine investigation.

What is the primary action patrol officers should take when they come across a computer potentially involved in a crime during their investigation?

• Attempt to access the computer's files to determine if it contains evidence.
• Disconnect the computer from its power source to prevent data loss.
• Cordon off and protect the computer and its components as a crime scene. (correct)
• Immediately seize the computer and transport it to the station.

According to the policy, what action should an officer take first if they believe a computer is running a program that may be destroying evidence?

Immediately unplug the power supply cord from the back of the computer. (B)

What specific instruction is given regarding shutting off a laptop computer that is powered on when encountered during a search?

Turn it off by ejecting the battery. (B)

What is the recommended course of action for officers who discover a computer during a non-CSM-related investigation?

Notify their supervisor, who will then notify computer crimes investigative personnel. (D)

Under what condition does the policy permit a consent search of a computer?

When a signed consent to search form is obtained from an individual with authority to give consent. (D)

According to the policy, what is the procedure if consent to search a computer is withdrawn during a search?

The search must cease, and a warrant must be obtained before continuing. (A)

What should CSM personnel do if they encounter computer evidence during an investigation?

Document the computer screen, computer, and its surroundings with photography or video. (B)

What is the primary concern when seizing and transporting computer equipment with a warrant?

Maintaining the chain of custody while protecting the equipment from damage. (B)

What specific documentation procedure is recommended before disconnecting any cables from a computer during the execution of a search warrant?

Take a video or photograph of the site and all wiring connections. (C)

What should be done with all external disk drives when seizing a computer with a warrant?

They should be sealed with evidence tape. (D)

Under what circumstances is it permissible to seize a computer without a warrant?

Only under extreme exigent circumstances, such as preventing damage to data or protecting human life. (D)

When seizing a computer under exigent circumstances, what is the initial and primary responsibility of the officer?

To preserve computer evidence and transport the computer to a safe location. (B)

What factor should influence the decision to unplug a computer from its power source when seizing it under exigent circumstances?

Whether the computer is in a home or a business/network environment. (C)

What specific action is recommended before unplugging or moving a computer and its components under exigent circumstances?

Photographing all connective cables and their relationship to the computer. (A)

Why is the chain of custody as relevant for computers as it is for any other form of evidence?

To show that the data present on the computer has not been altered or tampered with. (B)

Where should computers or their components NOT be transported, according to the policy?

In the trunks of patrol cars that contain radio transmitter equipment. (B)

What environmental factors should be considered when transporting and storing computer evidence?

Extreme moisture, heat, cold, and magnetic fields. (A)

According to the policy, where should a computer be placed for storage in the evidence/property room?

In an area where it will not be contaminated or damaged. (B)

What should officers do before searching or seizing computer evidence?

Ensure they have received specialized training in computer forensics examination. (A)

If a laptop computer is encountered that is powered on, what action should be taken to turn it off according to the policy?

Eject the battery. (D)

When seizing computers and transporting them, what must officers protect the equipment from that could cause the potential loss of data?

Improper handling. (D)

Under normal conditions when a computer is seized by warrant, what will the investigating officer develop?

A detailed plan for documenting and preserving electronic evidence. (C)

According to the policy, what action should officers performing a computer seizure prioritize above all else?

Officer safety. (D)

What is the recommendation in the policy regarding obtaining a warrant prior to searching and seizing computer evidence?

Officers and investigators should obtain a search warrant prior to the search and seizure of any computer evidence. (A)

How does the policy suggest dealing with computer evidence in a networked business environment?

Consult computer crimes specialist trained in such seizures. (B)

If it becomes necessary to seize or move a computer under exigent circumstances, what documentation is required by the policy?

A detailed report documenting the event. (B)

According to the policy, extreme...

moisture, heat, cold, and magnetic fields can destroy a computer system and its data (B)

According to policy PD99-2305, what is the purpose of the policy?

To establish procedures for the seizure of computer equipment and electronic information. (D)

According to this policy, what is one of the major considerations when transporting and storing computer evidence?

Magnetic fields (D)

If a computer forensics examiner has refused to analyze a system because the chain of command wasn't followed, what steps need be taken?

Make sure you have all fingerprints, other source identifying information, etc. (D)

What is a key difference between seizing a regular PC and a laptop in order to preserve the electronics?

A computer can be unplugged, but a laptop needs it's battery ejected. (A)

Why are "plain view" and "exigent circumstances" exceptions useful for searches and seziures of computers?

They apply equally to searches and seziures (D)

What key traditional evidence should be gathered, in addition to the computer, when seizing a computer?

Fingerprints from the keyboard and notes (A)

Why is important to seal the computer at the scene?

To protect the chain of custody (A)

What is the best practice action to take before disconnecting any cables?

Video all the connections (C)

When transporting smaller computers it it tempting to carry the system to the vehicle. What is a better practice?

Place in a box with proper packaging (D)

Flashcards

Purpose of Policy

To establish procedures for seizing computer equipment and electronic information.

Computer Search Exceptions

Exceptions like 'plain view' apply to computer searches, but computer evidence needs distinct handling.

Who can seize evidence?

Only trained officers can seize computer evidence; specialists handle networked systems.

Computer crime scene

Cordon off the computer as a crime scene, separate from any existing crime scene.

Officer Safety First

Officer safety is most important. Remove individuals from the computer area to prevent data destruction.

Avoid damaging data

Avoid premature searches that risk damaging data. Viewing files can render evidence useless.

How to shut down a computer

Unplug the computer from the back or eject the battery. Call for help if unsure how to turn off.

Notify Supervisor

Notify a supervisor, who will then notify the computer crimes unit.

Who can examine computer evidence?

Only certified Computer Forensics personnel can examine seized computer evidence.

Search warrant recommended

A search warrant is recommended before searching and seizing computer evidence.

Documenting the scene

Document the computer screen, computer, and its surroundings. Only trained personnel can seize or move evidence.

Protecting equipment

Protect equipment from damage to prevent data loss. Pack carefully for transport to court.

Wiring documentation

Photograph the wiring and connections. Back up with diagrams or drawings.

Sealing External Drives

Seal external drives; use agency floppy disk to prevent accidental boot-up.

Seizure without warrant

Seize without a warrant only in extreme circumstances, such as preventing data destruction or protecting human life.

Photograph and Report

Photograph the display screen and write a detailed report documenting the event.

Before Unplugging

Photograph cables before unplugging. Mark each cable and its location to reconfigure.

Chain of Custody

Chain of custody is as relevant for computers as for other evidence; record all personnel involved.

Transporting Don'ts

Do not transport computers in patrol car trunks with radio transmitters—magnetic fields can destroy data.

Environmental Protection

Protect from moisture, heat, cold, and magnetic fields to preserve data.

Study Notes

Computer Search & Seizure Policy

• The policy establishes procedures for seizing computer equipment and electronic information.
• The established exceptions to the search warrant requirement can apply to searching and seizing computers, data, and equipment.
• Due to the unique nature of computer related evidence, a distinction exists between procedures for seizing computer related evidence and the actual search of computer evidence.
• Because of the technical nature of computer searches and legal liabilities, only trained officers can seize computer evidence.
• Computer systems in a networked business environment must be seized by a computer crimes specialist trained in computer network evidence seizures.
• Officers can assist the computer crimes specialist with packaging and transportation under direct supervision.
• Officers or investigators must not examine computer systems or evidence without specialized training in computer forensics examination.

Procedures for Searching and Seizing Computer Hardware

• Patrol officers and investigators who find a computer or its components during an investigation must cordon off and protect it as a crime scene if probable cause exists that it was used in a crime, constitutes fruits of a crime, or is evidence of a crime.
• Officer safety is the highest priority when seizing a computer.
• Remove all individuals from the area near the computer to prevent remote data destruction.
• Data should not be damaged by premature searches like clicking on desktop icons, viewing files or photos can render the evidence useless in court.
• Unauthorized examination of computers will show up during the computer forensics examination.
• If you feel that a computer will destroy evidence, unplug the power supply cord from the back.
• With laptop computers, pulling the power cord will not work because of the battery, instead turn it off by ejecting the battery so call someone to help.

Preliminary Computer Crime Scene Management

• If discovered during a regular investigation, officers must notify their supervisor, who will then notify computer crimes investigative personnel.
• Personnel must not seize or move the computer system without specialized training.
• If it is necessary to shut the computer system off, the officer can pull the power plug at the back of the system.

Actual Computer Search

• Only individuals with training conducting Computer Forensics Examinations can examine computer evidence seized by the department.
• Officers and investigators must obtain a search warrant before the search and seizure of any computer evidence.
• Consent searches are permitted if a signed consent to search form is obtained from an individual with authority to give consent.
• Consent can be withdrawn at any time, requiring a warrant before continuing the search.

Seizing the Computer: With a Warrant

• Officers must protect equipment from damage during seizure and transport to avoid data loss and system malfunction.
• The is a need for a detailed plan for documenting and preserving electronic evidence and brief participating search officers.
• Traditional forms of evidence i.e., fingerprints from the keyboard, computer case, notes, and printed materials, should be in kept in mind.
• The computer must be sealed at the scene to protect the chain of custody.
• The computer forensics examiner can refuse to analyze an improperly handled system.
• The investigating officer will take special precautions when disassembling and packing equipment.
• Before disconnecting cables, take a video or photograph of the site and all wiring connections, backed up by diagrams or drawings of the wiring scheme.
• All external disk drives should be sealed with evidence tape.

Seizing the Computer: Exigent Circumstances Guidelines

• A computer can be seized without a warrant only under extreme exigent circumstances to prevent damage or destruction of data or to protect human life.
• A detailed report must be written documenting if it is seized or moved.
• When seizing a computer under exigent circumstances, guidelines will minimize possible damage to the computer.
• Document any image on the computer screen with a quick photograph of the display.
• Primary responsibility is to preserve computer evidence and transport the computer to a safe location.
• The decision to unplug the computer from its power source at the back of the computer depends on circumstances.
• A stand-alone personal computer can generally be shut down, a computer in a business or network environment should not be shutdown with out precaution.
• Before unplugging, shutting down, or moving the computer and its components, a photograph must first be taken of all connective cables and their relationship to the computer and its components.
• Tape should mark each cable end and its location, so that it can be reconfigured as it was when seized.
• Chain of custody is relevant for computers, and each item should be recorded and marked by different personnel.

Transporting the Computer

• The trunks of patrol cars that contain radio transmitter equipment should not be use when transporting computers.
• Magnetic fields generated by the radio equipment can destroy computer evidence.
• Moisture, heat, cold, and magnetic fields can destroy a computer system and its data.
• Smaller computers should be transported in a box with proper packaging.
• The computer should be placed in an area of the evidence/property room where it will not be contaminated or damaged,