Electronic Crime Scene Investigation: An On-the-Scene Reference for First Responders
By U.S. Department of Justice – Office of Justice Programs
Law Enforcement Support – Provided by the SCARS Institute
Article Abstract
The “Electronic Crime Scene Investigation: An On-the-Scene Reference for First Responders” by the U.S. Department of Justice is a guide updated in 2023 to assist first responders in properly identifying, collecting, preserving, and analyzing digital evidence at crime scenes. Published by the National Institute of Justice, it emphasizes the importance of maintaining the integrity of both the physical device and the data stored within.
The guide covers various types of electronic devices and outlines best practices for evidence handling, including documenting the scene, securing evidence, and recognizing potential sources of digital information. First responders are instructed to follow proper legal protocols to ensure that evidence remains admissible in court, with special attention given to the risks of improper shutdown or handling, which could alter or destroy critical information.
This guide is a vital tool for law enforcement and helps bridge the gap between traditional crime scene investigation and the digital landscape.
Electronic Crime Scene Investigation: An On-the-Scene Reference for First Responders
By U.S. Department of Justice – Office of Justice Programs – Published 2001-Updated November 2023
[edited for this format]
The flipbook was updated by the Electronic Crime Partnership Initiative (ECPI), a program established by the National Institute of Justice to build the capacity of state and local law enforcement to prevent, investigate and prosecute electronic crime and identify, collect, preserve and examine digital evidence.
This publication does not create, is not intended to create, and may not be relied upon to create any rights, substantive or procedural, enforceable as law by any party in any matter civil or criminal. Opinions or points of view expressed in this document represent a consensus of ECPI members and do not necessarily represent the official position or policies of the U.S. Department of Justice.
The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Assistance; the Bureau of Justice Statistics; the Community Capacity Development Office; the Office for Victims of Crime; the Office of Juvenile Justice and Delinquency Prevention; and the Office of Sex Offender Sentencing, Monitoring, Apprehending, Registering, and Tracking (SMART).
Introduction
This flipbook is intended as a quick reference for first responders who may be responsible for identifying, preserving, collecting and securing evidence at an electronic crime scene. It is a companion piece to Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, from which it is excerpted.
Use this flipbook only after you have reviewed and familiarized yourself with the contents of Electronic Crime Scene Investigation, which is available for free download at http://www.ojp.usdoj.gov/nij/pubs-sum/219941.htm [not available to the public]
Consider agency protocols; federal, state and local laws; and prevailing technology when applying the information in this flipbook.
Electronic Devices: Types, Description and Potential Evidence
Computer Systems
- Laptops
- Desktop systems
- Tower computers
- Rack-mounted systems
- Minicomputers
- Mainframe systems
A computer system’s hardware is likely to include:
- A case containing circuit boards, microprocessors, hard drive, memory and interface connections.
- A monitor or video display
- A keyboard and
- Peripheral devices such as external hard drives, modems, printers, scanners, routers and docking stations.
Storage Devices
- Hard drives (whether loose or connected to the system).
- External hard drives (generally require a power supply and a connection to the computer system).
- Removable media, e.g., cartridges or disk-based data storage devices.
- Thumb or flash drives: Small, lightweight, removable data storage devices with USB connections. Can be found as part of, or disguised as, any number of common or unique devices, e.g., wristwatch or Swiss Army Knife.
- Memory cards: Small data storage devices commonly used with digital cameras, computers, mobile phones, digital music players, personal digital assistants (PDAs) and video game consoles.
Handheld Devices
- PDAs
- Digital multimedia devices
- Pagers
- Digital cameras
- Global positioning satellite (GPS) receivers
- Mobile and smartphones
Peripheral Devices
Equipment that can be attached or connected to a computer.
- Modems
- Routers
- Printers
- Scanners
- Docking stations
Computer Networks
- Two or more computer systems linked by data cables or by wireless connections to enable them to share resources and data.
- Often include printers and data-routing devices such as hubs, switches and routers.
Sources of Potential Digital Evidence in Electronic Devices
- The device and its
- The function(s) it performs or
- Software, documents, photos, image files, e-mail and attachments, databases, financial information, Internet browsing history, chat logs, buddy lists and event logs.
- Information stored on the device regarding its use, e.g., incoming and outgoing phone and fax numbers and recently scanned, faxed or printed documents.
- Identifying information associated with the computer system, e.g., Internet protocol (IP) and local area network (LAN) addresses, broadcast settings, and media access card (MAC) or network interface card (NIC) addresses.
Electronic devices also may hold latent evidence such as fingerprints, DNA or other physical evidence that should be preserved.
See below for other potential sources of evidence.
Securing and Evaluating the Scene
Document, photograph, and secure digital evidence at the scene as soon as possible.
When securing and evaluating the scene:
- Do not alter the state of an electronic device. If a computer or an electronic device is off, leave it off.
- Remove all unauthorized persons from the area where evidence is to be collected.
- Identify, seize and secure all electronic devices, including personal or portable devices.
- Recognize potential digital evidence in telephones, digital video recorders, other household appliances and motor vehicles.
If the computer is on or the power state cannot be determined:
- Look and listen for indications that the computer is on — e.g., fans running, drives spinning and lit light-emitting diodes (LEDs).
- If you cannot determine the power state of the computer, observe the monitor to determine if it is on, off or in sleep mode.
- Check display screen for signs of data
- Look out for words such as “delete,” “format,” “remove,” “copy,” “move,” “cut” or “wipe.”
- Look for indications that the computer is being accessed remotely and/or signs of ongoing communications with other computers or users — e.g., Instant Messaging (IM) windows or chat rooms.
- Take note of all cameras and determine whether they are active.
Preliminary Interviews
Separate and identify all adults of interest and record the location they occupied when you entered the scene. Obtain the following information from interviewee(s):
- Purpose of computers and
- All users of the computers and
- Type of Internet access and Internet service
- Computer and Internet user information — e.g., login names, user account names and passwords, and Instant Message screen names.
- E-mail and Web mail (Web-based e-mail) accounts and personal Web
- Account information for online social networking Web sites — e.g., MySpace, Facebook.
- All security provisions, data access restrictions, destructive devices or software in use.
- Any automated applications in
- Any other relevant
Documenting the Scene
Your documentation should include:
- The type, location, position, condition and power status of the device.
- A record of all activity and processes visible on the display screen(s).
- A record of all physical connections to and from the computers and other devices.
- A record of any network and wireless components capable of linking devices to each other and the Internet.
- The type, condition and power status of the device’s Internet and network access.
- Video, photos, notes and sketches to assist in recreating/conveying the details of the scene.
Some computer systems and electronic devices — and the information they contain — may be protected under applicable laws, agency policies or other factors that may prohibit collection of these devices or components. However, do include the location, condition and power state of these devices in your documentation.
Movement of a running computer or electronic device may cause changes or damage to the computer or device or the digital evidence it contains. Computers and electronic devices should not be moved until it is determined that they are powered off.
Evidence Collection
Handling digital evidence correctly is essential to preserving the integrity of the physical device as well as the information or data it contains. Turning off the power to a computer or other electronic device may cause the information or data stored on it to be damaged or lost.
If you are not trained in handling digital evidence —
- Do not attempt to explore the contents of a computer or other electronic device or to recover information from it.
- Do not alter the state of a computer or other electronic device.
- Do not press any keys or click the
- If the computer or device is off, leave it
- Do not move a computer or other electronic device that is powered on.
- Do not accept offers of help or technical assistance from unauthorized
- DO request technical assistance from personnel with advanced equipment and training in digital evidence collection. See http://www.ecpi-us.org/Technicalresources.html for a list of available resources.
Assess the Situation
Before seizing digital evidence, make sure you have the legal authority to do so. Improper access to information or data stored on electronic devices may violate provisions of federal laws.
After securing the scene and identifying the computer’s power status, follow the steps listed below for the situation most like your own.
Situation 1: Monitor is on. Program, application, work product, picture, e-mail or Internet site is displayed.
- Photograph screen and record information
- Proceed to “If the Computer Is ON”.
Situation 2: Monitor is on. Screen saver or picture is visible.
- Move mouse slightly without depressing buttons or rotating wheel if present.
- Note any onscreen activity that causes a change in the display.
- Photograph screen and record information.
- Proceed to “If the Computer Is ON”.
Situation 3: Monitor is on. Display is blank.
- Move mouse slightly without depressing buttons or rotating wheel if present.
- Display changes to login screen, work product, or other visible display.
- Note change in display.
- Photograph screen and record information
- Proceed to “If the Computer Is ON”.
Situation 4a: Monitor is off. Display is blank.
- If monitor’s power switch is in off position, turn monitor on.
- Display changes to a login screen, work product or other visible display.
- Note change in the display.
- Photograph screen and record information
- Proceed to “If the Computer Is ON”.
Situation 4b: Monitor is off. Display is blank.
- If monitor’s power switch is in off position, turn monitor on.
- Display does not change. Screen remains blank.
- Note that the display does not change.
- Photograph blank screen.
- Proceed to “If the Computer Is OFF”.
Situation 5: Monitor is on. Display is blank.
- Move mouse slightly without depressing any buttons or rotating the wheel if present.
- If display does not change, confirm that power is supplied to the monitor.
- If display remains blank, check computer case for active lights and listen for fans spinning or other indications computer is on.
- If computer case gives no indication that it is powered on, proceed to “If the Computer Is OFF”
If the Computer Is OFF
For desktop, tower and minicomputers follow these steps:
- Document, photograph, and sketch all wires, cables, and devices connected to the computer.
- Uniquely label and photograph the power supply cord and all cables, wires or USB drives attached to the computer and the connection each of these occupies on the computer.
- Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip or battery backup device.
- Disconnect and secure all cables, wires and USB drives from the computer and document the device or equipment connected at the opposite end.
- Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
- Place tape over the power switch.
- Record the make, model, serial numbers and any user-applied markings or identifiers.
- Record or log computer and all cords, cables, wires, devices and components according to agency procedures.
- Carefully package all evidence collected to prevent damage or alteration during transportation and
For laptop computers follow these steps:
- Document, photograph and sketch all wires, cables and devices connected to the laptop.
- Uniquely label and photograph all wires, cables and devices connected to the laptop and the connection each occupies.
- Remove and secure the power supply and all batteries from the laptop computer.
- Disconnect and secure all cables, wires, and USB drives from the laptop and document the equipment or device connected at the opposite end.
- Place tape over the floppy disk slot if present. Ensure that the CD or DVD drive trays are retracted into place and tape across the drive tray to prevent it from opening.
- Place tape over the power switch.
- Record the make, model, serial numbers and any user-applied markings or identifiers.
- Record or log the laptop computer and all cords, cables, wires, devices and components according to agency procedures.
- Carefully package all evidence collected to prevent damage or alteration during transportation and
If the Computer Is ON
Removing the power supply is generally the safest option. If evidence of a crime is visible on the computer display, however, request assistance from personnel with experience in volatile data capture and preservation (see http://www.ecpi-us.org/Technicalresources.html [not available to the public]).
Immediate disconnection of power is recommended when —
- Information or activity on screen indicates that information or data is being deleted or overwritten.
- A destructive process appears to be in progress on the computer’s data storage device(s).
- The system is powered on in a typical Microsoft Windows® Pulling the power supply cord from the back of the computer will preserve information about the last user account logged in, login time, most recently used documents, most recently used commands, and other valuable information.
Immediate disconnection of power is NOT recommended when —
- Information or data of apparent evidentiary value is in plain view onscreen. Seek assistance from personnel with advanced training in digital evidence collection.
- Indications exist that any of the following are active or in use: Chat room(s), text documents, remote data storage, Instant Messaging (IM), child pornography, contraband, financial documents, data encryption and obvious illegal activities.
- The device is a mobile or smart phone. Leave mobile and smart phones in the power state in which they were found.
Improper shutdown of mainframe computers, servers or a group of networked computers may result in the loss of data, loss of evidence and potential civil liability. Secure the scene and request assistance from personnel with advanced training in digital evidence collection of large or complex computer systems (see http://www.ecpi-us.org/Technicalresources.html [not available to the public]).
Packaging and Transporting Digital Evidence
Packaging Procedures
- Ensure that all digital evidence collected is properly documented, labeled, marked, photographed, video recorded or sketched and inventoried. Properly label connections and connected devices to facilitate reassembly of the system later.
- Protect any latent, trace or biological evidence contained on the digital evidence. Photograph digital evidence before conducting latent, trace or biological evidence processes on the evidence.
- Pack all digital evidence in antistatic packaging. Plastic bags and containers can produce static electricity and allow the development of humidity and condensation that can damage or destroy digital evidence.
- Package digital evidence in a manner that will prevent it from being bent, scratched or otherwise deformed. Label all containers
- Leave phones in the power state in which they were found. Package phones in radio frequency-shielding material to prevent them from accessing communication signals.
- Collect all power supplies and adapters for all electronic devices
Transportation Procedures
- Keep digital evidence away from magnetic fields, e.g., those produced by radio transmitters, car stereo speaker magnets, and magnetic mount emergency lights. Other transportation hazards include heated seats and any device or material that can produce static electricity, such as carpets.
- Do not keep digital evidence in a vehicle for extended periods. Heat, cold and humidity can damage or destroy digital evidence.
- Ensure that computers and electronic devices are packaged and secured during transportation to prevent damage from shock and vibration.
- Document the transportation of the digital evidence and maintain the chain of custody.
Electronic Crime and Digital Evidence Considerations by Crime Category
Below are potential sources of digital evidence for different crimes. These lists are not exhaustive.
Child Abuse and/or Exploitation
- Calendars and journals
- Computer games
- Digital photo software
- Printed photographs
- Printers and copiers
- Scanners
- Still cameras and media
- Video cameras and tapes
- Video games and consoles
- Voice over Internet Protocol (VoIP) phones
Computer Intrusion
- Antennas
- Books and references on hacking
- List of computers accessed
- List of IP addresses
- Network devices and components
- Printed computer code
- Wireless network equipment
Counterfeiting
- Checks and money orders
- Credit card information
- Database printouts
- Financial records
- High-quality printers
- Magnetic strip readers
- Online banking software
- Printed computer code
- Reproductions of signatures
- Scanners, copiers, laminators
Death Investigations
- Credit card information
- Financial records
- Medical records
- Online banking software
- Personal writings and/or diaries
- Recently printed material
- Reproductions of signatures
- Telephone records and/or telephone bills
- Will-making software
Domestic Violence, Threats and Extortion
- Caller ID records
- Financial records
- Legal documents
- Personal writings and/or diaries
- Protection orders
- Telephone records/telephone bills
E-mail Threats, Harassment and/or Stalking
- Caller ID records
- Financial records
- Legal documents
- Maps, directions, GPS equipment
- Personal Web sites
- Personal writings and/or diaries
- Telephone records
Gambling
- Accounting software
- Cash
- Client lists
- Database printouts
- Electronic money transfers
- Financial records
- Forged documents
- Lists of online gambling sites
- References to odds and/or lines
- Sports betting statistics
Identity Theft
- Accounting software
- Cash
- Checks and money orders
- Credit card information
- Database printouts
- Electronic money transfers
- Financial records
- Forged documents
- High-quality printers
- Mail in the victim’s name
- Online banking software
- Reproductions of signatures
- Scanners, copiers, laminators
- Web site transaction records
Narcotics
- Cash
- Countersurveillance equipment
- Credit card information
- Database printouts
- Electronic money transfers
- Fictitious identification
- Financial records
- Forged documents
- GPS devices and maps
- Online banking software
- Photographs of drugs and accomplices
- Police scanners
- Unfilled prescriptions
Online Fraud and/or Economic Fraud
- Accounting software
- Cash
- Checks and money orders
- Credit card information
- Database printouts
- Electronic money transfers
- Financial records
- Forged documents
- Online banking software
- Reproductions of signatures
Prostitution
- Appointment logs
- Calendars and/or journals
- Cash
- Client lists
- Credit card information
- Database printouts
- Electronic money transfers
- Financial records
- Forged documents
- Lists of online escort sites
- Medical records
- Online banking software
- Printed photos
Software Piracy
- Cash
- CD and DVD burners and labelers
- Credit card information
- Electronic money transfers
- Financial records
- Forged documents
- Software activation codes
- Software duplication equipment
Telecommunication Fraud
- Boot loader devices
- Cash
- Credit card information
- Database printouts
- Electronic money transfers
- EPROM burner
- Financial records
- Forged documents
- Online banking software
- Phone cables
- SIM card reader
- Stolen phones
Terrorism (Homeland Security)
- Cash
- Credit card information
- Database printouts
- Electronic money transfers
- Fictitious identification
- Financial records
- GPS equipment and/or maps
- Phone cables
- Stolen phones
- VoIP phones
Other Potential Sources of Evidence
- Answering machines
- Audio recorders
- Blank pads of paper with impressions from prior writings
- Calendars
- CDs and CD burners
- Cell phones/smartphones
- Computer processors (chips)
- Computer-printed material
- Contact lists
- Copy machines
- Cordless landline telephones
- Digital cameras
- DVDs and DVD burners
- DVD/CD players
- External data-storage devices
- Fax machines
- GPS equipment and accessories
- Handwritten notes
- Hard drive duplicators
- Hardware and software manuals
- Information on steganography
- Internet activity records
- Laptop power supplies and accessories
- Microphones
- MP-3 players, e.g., iPods
- Multifunction machines (e.g., printer, scanner, copier, fax combos)
- Pagers
- Pieces of paper with possible passwords
- Printed e-mails and notes
- Printers
- Records of chat sessions
- Removable media
- Scanners
- Screen names and buddy lists
- Smart cards
- Software duplication equipment
- Telephone caller ID units
- User names and passwords
- Video cassette recorders (VCRs) and VCR tapes
- Web cameras
- Wireless access points
Information to Document to Assist the Forensic Examination
- Authorization to examine evidence
- Case Summary
- Investigation point of contact
- Keyword lists
- Passwords
- Preliminary reports and documents
- Suspect information and nicknames
- Suspected criminal activity