Policy Text
CATEGORY DATE ADOPTED LAST REVIEW
4 01/24/2011 07/30/24
TUSTIN POLICE DEPARTMENT GENERAL ORDERS
___________________________
814 - Computers and Digital Evidence 1 POLICY 814 COMPUTERS AND DIGITAL EVIDENCE
814.1 PURPOSE AND SCOPE
This policy establishes procedures for the seizure and storage of computers, personal
communications devices (PCDs) , digital cameras, digital recorders and other electronic devices
that are capable of storing digital information; and for the preservation and storage of digital
evidence. All evidence seized and/or processed pursuant to this policy shall be done so in
compliance with clearly established Fourth Amendment and search and se izure provisions.
814.1.1 ACCREDITATION STANDARDS
This policy pertains to the following CALEA Standards: 11.4.4 , 83.2.1, 83.2.5
This policy pertains to the following Standard Operating Procedures: SS102
814.2 SEIZING COMPUTER S AND RELATED EVIDENCE
Computer equipment requires specialized training and handling to preserve its value as evidence .
Officers should be aware of the possibility of destroying information through careless or improper
handling, and utilize the most knowledgeable available resou rces. When seizing a computer and
accessori es, the following steps should be taken:
a) Photograph each item, front and back, specifically including cable connections to other
items. Look for a phone line or cable to a modem, or a Wi -Fi router, for Internet access ;
b) Do not overlook the possibility of the presence of physical evidence on and around the
hardware relevant to the particular investigation , such as fingerprints, biological or trace
evidence, and/or documents ;
c) If the computer is off, do not turn it o n;
d) If the computer is on, do not shut it down normally and do not click on anything or
examine any files :
1. Using a department -issued camera, p hotograph the screen, if possible, and note
any programs or windows that appear to be open and running ;
2. Disconnect the power cable from the back of the computer box or if it is a portable
notebook style, disconnect any power cable from the case and remove the battery ;
e) Label each item with case number, evidence sheet number, and item number ;
f) Handle and transport the c omputer and storage media (e.g., tape, discs, memory cards,
flash memory, external drives) with care so that potential evidence is not lost;
g) Use anti -static plastic wrap while packaging computers, hard drives, and data storage
devices to guard against stat ic electricity which can result in data loss;
h) Book all computer items in Property and Evidence . Do not store computers where normal
room temperature and humidity are not maintained ;
i) At minimum, officers should document the following in related reports:
CATEGORY DATE ADOPTED LAST REVIEW
4 01/24/2011 07/30/24
TUSTIN POLICE DEPARTMENT GENERAL ORDERS
___________________________
814 - Computers and Digital Evidence 2 1. Where the computer was located and whether or not it was in operation;
2. Who was using it at the time;
3. Who claimed ownership;
4. If it can be determined, how it was being used.
j) In most cases when a computer is involved in criminal acts and is in the possession of the
suspect, the computer itself and all storage devices (hard drives, tape drives, and disk
drives) should be seized along with all media. Accessories (printers, monitors, mouse,
scanner, keyboard, software and manuals) should not be seized unless as a precursor to
forfeiture or as directed by a search warrant .
814.2.1 BUSINESS OR NETWORKED COMPUTERS
If the computer belongs to a business or is part of a network, it may not be feasible to seize the
entire computer. Cases involving network s require specialized handling. Officers should contact a
certified forensic computer examiner for instructions or a response to the scene. It may be
possible to perform an onsite inspection, or to image the hard drive only of the involved computer.
This should only be done by someone specifically trained in processing computers for evidence.
814.2.2 FORENSIC EXAMINATION OF COMPUTERS
If an examination of the contents of the computer’s hard drive, or USB drives , compact discs, or
any other storage media i s required, forward the following items to a computer forensic examiner:
a) Copy of report(s) involving the computer, including the Evidence/Property sheet ;
b) Copy of a consent to search form signed by the computer owner or the person in
possession of the comp uter, or a copy of a search warrant authorizing the search of the
computer hard drive for evidence relating to investigation ;
c) A listing of the items to search for (e.g., photographs, financial records, email,
documents) ;
d) An exact duplicate of the hard driv e or disk will be made using a forensic computer and a
forensic software program by someone trained in the examination of computer storage
devices for evidence .
814.3 SEIZING DIGITAL STORAGE MEDIA
Digital storage media including hard drives, USB drives , CD’s, DVD’s, tapes, memory cards, or
flash memory devices should be seized and stored in a manner that will protect them from
damage.
a) If the media has a write -protection tab or switch, it should be activated ;
b) Do not