273764

Copyright Lexipol, LLC 2017/11/28, All Rights Reserved. Published with permission by Santa Monica Police Department Computers and Digital Evidence - 1 Santa Monica Police Department Santa Monica Police Department Policy Manual Computers and Digital Evidence 808.1 PURPOSE AND SCOPE This policy establishes procedures for the seizure and storage of computers, personal communications devices (PCDs) digital cameras, digital recorders and other electronic devices that are capable of storing digital information; and for the preservation and storage of digital evidence. All evid ence seized and/or processed pursuant to this policy shall be done so in compliance with clearly established Fourth Amendment and search and seizure provisions. 808.2 SEIZING COMPUTERS AND RELATED EVIDENCE Computer equipment requires specialized training and handling to preserve its value as evidence. Officers should be aware of the potential to destroy information through careless or improper handling, and utilize the most knowledgeable available resources. When seizing a computer and accessories the following steps should be taken: (a) Photograph each item, front and back, specifically including cable connections to other items. Look for a phone line or cable to a modem for Internet access. (b) Do not overlook the possibility of the presence of physical evidence on and around the hardware relevant to the particular investigation such as fingerprints, biological or trace evidence, and/or documents. (c) If the computer is off, do not turn it on. (d) If the computer is on, do not shut it down normally and do not click on anything or examine any files. 1. Photograph the screen, if possible, and note any programs or windows that appear to be open and running. 2. Disconnect the power cable from the back of the computer box or if a portable notebook style, disconnect any power cable from the case and remove the battery). (e) Label each item with case number, evidence sheet number, and item number. (f) Handle and transport the computer and storage media (e.g., tape, discs, memory cards, flash memory, external drives) with care so that potential eviden ce is not lost. (g) Lodge all computer items in the Property Room. Do not store computers where normal room temperature and humidity is not maintained. (h) At minimum, officers should document the following in related reports: 1. Where the computer was located and wh ether or not it was in operation. 2. Who was using it at the time. 3. Who claimed ownership. Policy 808 Copyright Lexipol, LLC 2017/11/28, All Rights Reserved. Published with permission by Santa Monica Police Department Computers and Digital Evidence - 2 Santa Monica Police Department Santa Monica Police Department Policy Manual Computers and Digital Evidence 4. If it can be determined, how it was being used. (i) In most cases when a computer is involved in criminal acts and is in the possession of the suspect, the computer itself and all storage devices (hard drives, tape drives, and disk drives) should be seized along with all media. Accessories (printers, monitors, mouse, scanner, keyboard, cables, software and manuals) should not be seized unless as a precursor to forfeiture. 808.2.1 BUSINESS OR NETWORKED COMPUTERS If the computer belongs to a business or is part of a network, it may not be feasible to seize the entire computer. Cases involving networks require specialized handling. Officers should contact a certified forensic computer examiner in the C riminal Investigations Section. If there is no certified computer examiner available, officers should contact the Criminal Investigations Section Supervisor or his/her designee to refer to a certified forensic computer examiner for further instructions or a response to the scene. It may be possible to perform an on -site inspection, or to image the hard drive only of the involved computer. This should only be done by someone specifically trained in processing computers for evidence. 808.2.2 FORENSIC EXAMINATIO N OF COMPUTERS If an examination of the contents of the computer's hard drive, or floppy disks, compact discs, or any other storage media is required, forward the following items to a computer forensic examiner: (a) Copy of report(s) involving the computer, in cluding the Evidence/Property sheet. (b) Copy of a consent to search form signed by the computer owner or the person in possession of the computer, or a copy of a search warrant authorizing the search of the computer hard drive for evidence relating to investi gation. (c) A listing of the items to search for (e.g., photographs, financial records, e -mail, documents). (d) An exact duplicate of the hard drive or disk will be made using a forensic computer and a forensic software program by someone trained in the examination of computer storage devices for evidence. 808.3 SEIZING DIGITAL STORAGE MEDIA Digital storage media including hard drives, floppy discs, CD's, DVD's, tapes, memory cards, or flash memory devices should be seized and stored in a manner that will protect them from damage. (a) If the media has a write -protection tab or switch, it should be activated. (b) Do not review, access or open digital files prior to submission. If the information is needed for immediate investigation request the Property Unit to copy the contents to an appropriate form of storage media. Copyright