State of Maryland

Maryland State Police

Criminal Enforcement Command

Computer Crimes Unit

Computer Forensics Laboratory

7155-C Columbia Gateway Drive

Columbia, Maryland 21046

410-290-1620

 

 

General Guidelines for Seizing Computers and Digital Evidence

 

 

The Search Warrant

 

The search warrant should articulate the specific computer-related items you want to seize and describe the probable cause that you possess to warrant the seizure. In general, the Maryland State Police Computer Forensics Laboratory will not accept evidence for analysis unless it is accompanied by a search and seizure warrant. Sample search warrant language follows.

 

 

Search Warrant Wording for Electronic Media (Computer) Analysis

 

This is an example of wording commonly used in computer crimes search warrants. You will need to adapt it to your specific needs. The wording should appear in both the application and affidavit.

 

Seize and examine, by persons qualified to do so, and in a laboratory setting, any and all electronic data processing and computer storage devices, including: central processing units, internal and peripheral storage devices such as fixed disks, external hard disks, floppy disk drives and diskettes, tape drives and tapes, optical storage devices, optical readers and scanning devices, CD-ROM drives and compact disks and related hardware, digital cameras and digital storage media, operating logs, software and operating instructions or operating manuals, computer materials, software and programs used to communicate with other terminals via telephone or other means, and any computer modems, monitors, printers, etc., that may have been used while engaging in [specify the illegal conduct], as defined in the Annotated Code of Maryland, amended and revised.

 

 

 

 

Seizing a Stand-Alone Home Computer in a Residence

*   Officer safety is first and foremost. Do not make assumptions as to the passiveness of the suspect.

*   If the computer is “powered off”, DO NOT turn it on.

*   If the computer is “powered on”, do not allow the suspect or any associate to touch it. Offers to shut the computer down may be a ruse to start a destructive program that may destroy the evidence. This can be done with one keystroke.

*   Before touching the computer, place an unformatted or blank floppy disk into the floppy disk drive(s), document, videotape and/or photograph the computer system, and write detailed notes about what is on the computer’s screen.

*   If you have a computer specialist on the scene, he will have been trained to recognize the operating system and will know the proper way to shut down the computer system without altering files or losing any evidence. Computer specialists are available from the Maryland State Police Computer Forensics Laboratory 24 hours a day, seven days a week to provide necessary assistance.

*   If you do not have a computer specialist on the scene, the safest way to turn off a Windows 98/95/3.1/DOS computer is to pull the plug from the back of the computer. Pulling the plug could severely damage the system, disrupt legitimate business, and create officer and department liability. It is especially important to have a specialist available when dealing with business computers, networked computers and computers based on Macintosh, Windows NT, and Unix/Linux operating systems.

*   After shutting the computer down and powering the computer off:

    *   Disconnect all power sources; unplug the power cords from the wall and the back of the computer. Notebook computers may need to have their battery removed.

    *   Place evidence tape over each drive slot, the power supply connector, and any other opening into the computer. This should include sealing the case itself.

    *   Photograph and label the back of any computer components with existing connections to the computer.

    *   Photograph the back of the computer and everything that is connected to it. Diagram the back of the computer showing each connection and any peripherals connected to it. Label each end of every cable and the point that it plugs into the computer or devices. Place corresponding numbers on both the cable and the computer connector to which the cable is attached. Then, disconnect the cables.

    *   Label the computer and each component.

    *   Package the components and transport/store as fragile cargo.

    *   Keep away from magnets, radio transmitters, moisture, and other hostile environments.

 

Seizing Networked Computers or Computers at a Business

*   DO NOT pull the plug on a computer at a business. Prior to the execution of the search and seizure warrant, attempt to identify the types of computer systems involved. When executing the warrant, bring a computer specialist who is familiar with those systems. Computer specialists are available from the Maryland State Police Computer Forensics Laboratory 24 hours a day, seven days a week to provide necessary assistance.

 

Removable Media

*   Each piece of removable media seized should be write-protected (when possible) and individually marked. The location of each piece of removable media should be documented.

 

Computer Related Items to Seize

*   Computer

*   Monitor

*   Keyboard

*   Mouse

*   Printer

*   Scanner

*   Modem

*   External Storage Devices (CD Drives, Zip drives, Tape Drives, External hard drives, etc.)

*   Removable Media (Floppy disks, compact disks, zip disks, etc.)

*   Computer Manuals

*   Software

*   Digital Cameras (Including flash memory cards and card readers – Smart Media, Compact Flash, and Memory Sticks)

*   Digital Camera Accessories (docking stations, cables, chargers)

*   Notebook Computers

*   Notebook Computer Accessories (docking stations, power cords, chargers)

*   Handwritten notes and notebooks containing names and/or e-mail addresses, website addresses, passwords, etc. (These notes are commonly found in drawers, attached to the monitor, underneath the keyboard, attached to the computer, attached to desks, walls, etc.)

*   Personal Data Assistant (PDA) Computers: small palm computers such as Handspring, Palm, and many others. Power the PDA off. Do not remove the batteries. Submit for analysis as soon as possible; on some models, all data is lost when the batteries run down. Seize power supplies, cradles, and access software if available.

 

Submission of Computers and Digital Evidence for Analysis

Only specially trained and qualified Computer Forensic Investigators working in a laboratory setting should analyze computers and other forms of digital evidence. The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless. The Maryland State Police Computer Forensics Laboratory will not routinely accept digital evidence for analysis if that evidence has been tainted through handling by unqualified personnel. The Maryland State Police Computer Forensics Laboratory is available to provide this service to all Maryland Law Enforcement Agencies.