doc_1004740

Policy 807Santa Ana Police Department Santa Ana PD Policy Manual Copyright Lexipol, LLC 2021/05/28, All Rights Reserved. Published with permission by Santa Ana Police DepartmentComputers and Digital Evidence - 1Computers and Digital Evidence 807.1 PURPOSE AND SCOPE This policy establishes procedures for the seizure and storage of computers, personal communications devices (PCDs) digital cameras, digital recorders and other electronic devices that are capable of storing digital information; and for the preservation and storage of digital evidence. All evidence seized and/or processed pursuant to this policy shall be done so in compliance with clearly established Fourth Amendment and search and seizure provisions. 807.2 SEIZING COMPUTERS AND RELATED EVIDENCE Computer equipment requires specialized training and handling to preserve its value as evidence. Officers should be aware of the potential to destroy information through careless or improper handling, and utilize the most knowledgeable available resources. When seizing a computer and accessories the following steps should be taken: (a)Photograph each item, front and back, specifically including cable connections to other items, and visible make, model, and serial number. Look for a phone line or cable to a modem for Internet access. (b)Do not overlook the possibility of the presence of physical evidence on and around the hardware relevant to the particular investigation such as fingerprints, biological or trace evidence, and/or documents. (c)If the computer is off, do not turn it on. (d)If the computer is on, do not shut it down normally and do not click on anything or examine any files. 1.Photograph the screen, if possible, and note any programs or windows that appear to be open and running. 2.Disconnect the power cable from the back of the computer box or if a portable notebook style, disconnect any power cable from the case and remove the battery). (e)Label each item with case number, evidence sheet number, and item number. (f)Handle and transport the computer and storage media (e.g., tape, discs, memory cards, flash memory, external drives) with care so that potential evidence is not lost. (g)Book all computer items in the Evidence Section. Do not store computers where normal room temperature and humidity is not maintained. (h)At minimum, officers should document the following in related reports: 1.Where the computer was located and whether or not it was in operation. 2.Who was using it at the time. 3.Who claimed ownership. 4.If it can be determined, how it was being used. Santa Ana Police Department Santa Ana PD Policy Manual Computers and Digital Evidence Copyright Lexipol, LLC 2021/05/28, All Rights Reserved. Published with permission by Santa Ana Police DepartmentComputers and Digital Evidence - 25.Visible make, model, and serial number (i)In most cases when a computer is involved in criminal acts and is in the possession of the suspect, the computer itself and all storage devices (hard drives, tape drives, and disk drives) should be seized along with all media. Accessories (printers, monitors, mouse, scanner, keyboard, cables, software and manuals) should not be seized unless as a precursor to forfeiture. 807.2.1 BUSINESS OR NETWORKED COMPUTERS If the computer belongs to a business or is part of a network, it may not be feasible to seize the entire computer. Cases involving networks require specialized handling. Officers should contact a certified forensic computer examiner for instructions or a response to the scene. It may be possible to perform an on-site inspection, or to image the hard drive only of the involved computer. This should only be done by someone specifically trained in processing computers for evidence. 807.2.2 FORENSIC EXAMINATION OF COMPUTERS If an examination of the contents of the computer’s hard drive, or floppy disks, compact discs, or any other storage media is required, forward the following items to a computer forensic examiner: (a)Copy of report(s) involving the computer, including the Evidence/Property sheet. (b)Copy of a consent to search form signed by the computer owner or the person in possession of the computer, or a copy of a search warrant authorizing the search of the computer hard drive for evidence relating to investigation. (c)A listing of the items to search for, (e.g., photographs, financial records, e-mail, documents). (d)An exact duplicate of the hard drive or disk will be made using a forensic computer and a forensic software program by someone trained in the examination of computer storage devices for evidence. 807.3 SEIZING DIGITAL STORAGE MEDIA Digital storage media including hard drives, floppy discs, CD’s, DVD’s, tapes, memory cards, or flash memory devices should be seized and stored in a manner that will protect them from damage. (a)If the media has a write-protection tab or switch, it should be activated. (b)Do not review, access or open digital files prior to submission. If the information is needed for immediate investigation, book the package into evidence and immediately request the item is checked out to ensure the chain of custody is maintained. The member conducting the investigation is responsible for obtaining a copy of the contents and storing it on the an appropriate media storage device. (c)Many kinds of storage media can be erased or damaged by magnetic fields. Keep all media away from magnetic devices, electric motors, radio transmitters or other sources of magnetic fields. (d)Do not leave storage media where they would be subject to excessive heat such as in a parked vehicle on a hot day. Santa Ana Police Department Santa Ana PD Policy Manual Computers and Digital Evidence Copyright Lexipol