Policy Text
CATEGORY DATE ADOPTED LAST REVIEW
3 01/24/2011 08/01/201 8
TUSTIN POLICE DEPARTMENT
STANDARD OPERATING PROCEDURES
SS116 - Digital Evidence Collection 1 SS116 DIGITAL EVIDENCE COLLECTION
SS116.1 PURPOSE AND SCOPE
The purpose of this procedure is to describe the process for the proper and safe collection of
digital evidence. Digital evidence comes in many forms: computer equipment, data devices, disks,
tape cassettes, flash drives, cell phones, hard drives, and digital cameras.
SS116.1.2 ACCREDITATION STANDARDS
This procedure pertains to the following CALEA Standards: 83.2.5
This procedure relates to the following General Orders: §814
SS116.2 COMPUTER AND OTHER DEVICE SEIZURE
When the need arises to collect and store computer equipment as evidence, officers working at
the direction o f trained personnel must properl y collect the computer equipment and related
apparatus utilizing actions which do not modify or destroy an y possible evidence.
SS116.2.1 COLLECTION AND STORAGE OF ELECTRONIC EVIDENCE
a) All collected electronic evidence will be prope rly documented. If the computer is on, leave
it on. If the computer is off, leave it off. Photograph the entire scene including the front of
the computer screen and record displayed information if applicable. Identify telephone
lines attached to devices such as modems and Caller ID boxes. Photograph and l abel
each telephone line from the walls if possible ;
b) Label, photograph, and inventory all electronic evidence incl uding cables prior to
disconnecting to allow for later assembly. Consider and properly package for possible
forensic analysis. If the computer is on, do not shut it down with normal procedures,
instead, remove the power source cable from the computer, not from the wall outlet ;
c) Remove any CD R oms from the system, package, and lab el properly ;
d) Pack magnetic media in antistatic packaging ( pink computer antistatic paper );
e) Keep electronic evidence away from magnetic sources, radio transmitters, and speaker
magnets. These sources are examples of items that can damage electronic evide nce.
SS116.2.2 TRANSPORTATION
Maintain chain of custody on all evidence transported. Transport away from any other electronic
devices. Be mindful of patrol car mobile computers, cellular phones, modems, etc.
CATEGORY DATE ADOPTED LAST REVIEW
3 01/24/2011 08/01/201 8
TUSTIN POLICE DEPARTMENT
STANDARD OPERATING PROCEDURES
SS116 - Digital Evidence Collection 2 SS116.2.3 OTHER CONSIDERATIONS
Potent ial evidence such as dates, times, and system configurations can be lost as a result of
prolonged storage, therefore evidence personnel should be informed that a device powered by
batteries is in need of immediate attention.
Only personnel who have been trained in Computer Forensics should examine and extract data
on the seized computer or electronic device.
Important steps to remember when seizing digital evidence:
a) When approaching computer equipment at a crime scene, clear everyone away from the
equipment and do not allow anyone to touch any part of it;
b) With stand -alone computers, pull the power cord to turn them off. Do not touch the
keyboard or any of the switches;
c) If the system involves a network, do not unplug them, contact a forensic expert;
d) Take photographs of the front and back of all computers to include the serial number ;
e) Label all cables, connectors, and computer connections and photograph well before
disconnecting them;
f) Separate all seized diskettes, tape cartridges, etc. , in labeled evidence envelopes. Do not
write on the diskettes and keep magnetic storage media away from magnetic fields ;
g) Do not store in heated areas such as trunks;
h) Document exactly where everything was found, including passwords written on notes and
hidden under k eyboards or other hiding places.
SS116.3 CELLULAR TELEPHONES
When the need arises to collect and store cell phone equipment as evidence, officers working at
the direction of trained personnel must properly collect the cell phone equipment and related
apparatus utilizing actions which do not modify or destroy any possible evidence.
SS116.3.1 COLLECTION
a) All collected cell phone evidence will be properly documented. The cell phone should be
photographed on both sides and under the battery com partment to include the serial
number;
b) If possible, collect the cell phone charger after photographing its original location;
c) If the cell phone and/or charger is part of the crime involved, further processing may be
necessary;
d) Package the cell phone proper ly and maintain the chain of custody for transport.
CATEGORY DATE ADOPTED LAST REVIEW
3 01/24/2011 08/01/201 8
TUSTIN POLICE DEPARTMENT
STANDARD OPERATING PROCEDURES
SS116 - Digital Evidence Collection 3 SS116.3.2 OTHER CONSIDERATIONS
Potential evidence such as dates, times, and system configurations can be lost as a result of
prolonged storage. Therefore, evidence personnel should be informed that a device powered by
batteries is in need of immediate attention.
The CSI unit can process the cell phone for evidence in the following manner:
a) Photograph the exterior of the cell phone to include the front