Policy Text
Policy
808San Luis Obispo Police Department
San Luis Obispo PD CA Policy Manual
Copyright Lexipol, LLC 2024/10/31, All Rights Reserved.
Published with permission by San Luis Obispo Police
DepartmentComputers and Digital Evidence - 1Computers and Digital Evidence
808.1 PURPOSE AND SCOPE
This policy establishes procedures for the seizure and storage of computers, personal
communications devices (PCDs) digital cameras, digital recorders and other electronic devices
that are capable of storing digital information; and for the preservation and storage of digital
evidence. All evidence seized and/or processed pursuant to this policy shall be done so in
compliance with clearly established Fourth Amendment and search and seizure provisions.
808.2 SEIZING COMPUTERS AND RELATED EVIDENCE
Computer equipment requires specialized training and handling to preserve its value as evidence.
Officers should be aware of the potential to destroy information through careless or improper
handling, and utilize the most knowledgeable available resources. When seizing a computer and
accessories the following steps should be taken:
(a)Photograph each item, front and back, specifically including cable connections to other
items. Look for a phone line or cable to a modem for Internet access.
(b)Do not overlook the possibility of the presence of physical evidence on and around
the hardware relevant to the particular investigation such as fingerprints, biological or
trace evidence, and/or documents.
(c)If the computer is off, do not turn it on.
(d)The circumstances of the case should dictate the appropriate action to take with a
powered computer. Generally, a normal shutdown should be performed to preserve
log files, histories, open files, etc. If anti-forensics techniques are suspected, do not
shut down the computer normally and do not click on anything or examine any files.
1.Photograph the screen, if possible, and note any programs or windows that
appear to be open and running.
2.Disconnect the power cable from the back of the computer box or if a portable
notebook style, disconnect any power cable from the case and remove the
battery).
(e)Label each item with case number and item number.
(f)Handle and transport the computer and storage media (e.g., tape, discs, memory
cards, flash memory, external drives) with care so that potential evidence is not lost.
(g)Lodge all computer items in the Property Room. Do not store computers where normal
room temperature and humidity is not maintained.
(h)At minimum, officers should document the following in related reports:
1.Where the computer was located and whether or not it was in operation.
San Luis Obispo Police Department
San Luis Obispo PD CA Policy Manual
Computers and Digital Evidence
Copyright Lexipol, LLC 2024/10/31, All Rights Reserved.
Published with permission by San Luis Obispo Police
DepartmentComputers and Digital Evidence - 22.Who was using it at the time.
3.Who claimed ownership.
4.If it can be determined, how it was being used.
(i)In most cases when a computer is involved in criminal acts and is in the possession of
the suspect, the computer itself and all storage devices (hard drives, tape drives, and
disk drives) should be seized along with all media. Accessories (printers, monitors,
mouse, scanner, keyboard, cables, software and manuals) should not be seized
unless as a precursor to forfeiture.
808.2.1 BUSINESS OR NETWORKED COMPUTERS
If the computer belongs to a business or is part of a network, it may not be feasible to seize the
entire computer. Cases involving networks require specialized handling. Officers should contact a
certified forensic computer examiner for instructions or a response to the scene. It may be possible
to perform an on-site inspection, or to image the hard drive only of the involved computer. This
should only be done by someone specifically trained in processing computers for evidence.
808.2.2 FORENSIC EXAMINATION OF COMPUTERS
If an examination of the contents of the computer's hard drive, or floppy disks, compact discs, or
any other storage media is required, forward the following items to a computer forensic examiner:
(a)Copy of report(s) involving the computer, including the Evidence/Property sheet.
(b)Copy of a consent to search form signed by the computer owner or the person in
possession of the computer, or a copy of a search warrant authorizing the search of
the computer hard drive for evidence relating to investigation.
(c)A listing of the items to search for (e.g., photographs, financial records, e-mail,
documents).
(d)A forensic image, or authenticated duplicate of the hard drive or disk will be made
using a forensic computer and/or a forensic software program by someone trained in
the examination of computer storage devices for evidence. The needs of the case will
dictate whether or not a forensic preview is appropriate before or in place of forensic
imaging.
808.3 SEIZING DIGITAL STORAGE MEDIA
Digital storage media including hard drives, floppy discs, CD's, DVD's, tapes, memory cards, or
flash memory devices should be seized and stored in a manner that will protect them from damage.
(a)If the media has a write-protection tab or switch, it should be activated.
(b)Do not review, access or open digital files prior to submission. If the information is
needed for immediate investigation a copy of the data should be used.
San Luis Obispo Police Department
San Luis Obispo PD CA Policy Manual
Computers and Digital Evidence
Copyright Lexipol, LLC 2024/10/31, All Rights Reserved.
Published with permission by San Luis Obispo Police
DepartmentComputers and Digital