The first responder must have proper authority—such as plain view observation, consent, or a court order—to search for and collect evidence at an electronic crime scene. The first responder must be able to identify the authority under which he or she may seize evidence and should follow agency guidelines, consult a superior, or contact a prosecutor if a question of appropriate authority arises.

To prevent the alteration of digital evidence during collection, first responders should first:

• Document any activity on the computer, components, or devices.
• Confirm the power state of the computer. Check for flashing lights, running fans, and other sounds that indicate the computer or electronic device is powered on. If the power state cannot be determined from these indicators, observe the monitor to determine if it is on, off, or in sleep mode.

Assess the Situation
After identifying the computer’s power status, follow the steps listed below for the situation most like your own:

• Situation 1: The monitor is on. It displays a program, application, work product, picture, e-mail, or Internet site on the screen.
  
  1. Photograph the screen and record the information displayed.
  2. Proceed to "If the Computer Is ON."
• Situation 2: The monitor is on and a screen saver or picture is visible.
  
  1. Move the mouse slightly without depressing any buttons or rotating the wheel. Note any onscreen activity that causes the display to change to a login screen, work product, or other visible display.
  2. Photograph the screen and record the information displayed.
  3. Proceed to “If the Computer Is ON.”
• Situation 3: The monitor is on, however, the display is blank as if the monitor is off.
  
  1. Move the mouse slightly without depressing any buttons or rotating the wheel. The display will change from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
  2. Photograph the screen and record the information displayed.
  3. Proceed to “If the Computer Is ON.”
• Situation 4a: The monitor is powered off. The display is blank.
  1. If the monitor’s power switch is in the off position, turn the monitor on. The display changes from a blank screen to a login screen, work product, or other visible display. Note the change in the display.
  2. Photograph the screen and the information displayed.
  3. Proceed to “If the Computer Is ON.”
• Situation 4b: The monitor is powered off. The display is blank.
  1. If the monitor’s power switch is in the off position, turn the monitor on. The display does not change; it remains blank. Note that no change in the display occurs.
  2. Photograph the blank screen.
  3. Proceed to “If the Computer Is OFF.”
• Situation 5: The monitor is on. The display is blank.
  1. Move the mouse slightly without depressing any buttons or rotating the wheel; wait for a response.
  2. If the display does not change and the screen remains blank, confirm that power is being supplied to the monitor. If the display remains blank, check the computer case for active lights, listen for fans spinning or other indications that the computer is on.
  3. If the screen remains blank and the computer case gives no indication that the system is powered on, proceed to “If the Computer Is OFF.”

If the Computer is On
For practical purposes, removing the power supply when you seize a computer is generally the safest option. If evidence of a crime is visible on the computer display, however, you may need to request assistance from personnel who have experience in volatile data capture and preservation.

In the following situations, immediate disconnection of power is recommended:

• Information or activity onscreen indicates that data is being deleted or overwritten.
• There is indication that a destructive process is being performed on the computer’s data storage devices.
• The system is powered on in a typical Microsoft® Windows® environment. Pulling the power from the back of the computer will preserve information about the last user to login and at what time the login occurred, most recently used documents, most recently used commands, and other valuable information.

In the following situations, immediate disconnection of power is NOT recommended:

• Data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding.
• Indications exist that any of the following are active or in use:
  • Chat rooms.
  • Open text documents.
  • Remote data storage.
  • Instant message windows.
  • Child pornography.
  • Contraband.
  • Financial documents.
  • Data encryption.
  • Obvious illegal activities.

For mainframe computers, servers, or a group of networked computers, the first responder should secure the scene and request assistance from personnel who have training in collecting digital evidence from large or complex computer systems.

If the Computer is OFF
For desktop, tower, and minicomputers follow these steps:

1. Document, photograph, and sketch all wires, cables, and other devices connected to the computer.
2. Uniquely label the power supply cord and all cables, wires, or USB drives attached to the computer as well as the corresponding connection each cord, cable, wire, or USB drive occupies on the computer.
3. Photograph the uniquely labeled cords, cables, wires, and USB drives and the corresponding labeled connections.
4. Remove and secure the power supply cord from the back of the computer and from the wall outlet, power strip, or battery backup device.
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the device or equipment connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.

For laptop computers follow these steps:

1. Document, photograph, and sketch all wires, cables, and devices connected to the laptop computer.
2. Uniquely label all wires, cables, and devices connected to the laptop computer as well as the connection they occupied.
3. Photograph the uniquely labeled cords, cables, wires, and devices connected to the laptop computer and the corresponding labeled connections they occupied.
4. Remove and secure the power supply and all batteries from the laptop computer.
5. Disconnect and secure all cables, wires, and USB drives from the computer and document the equipment or device connected at the opposite end.
6. Place tape over the floppy disk slot, if present.
7. Make sure that the CD or DVD drive trays are retracted into place; note whether these drive trays are empty, contain disks, or are unchecked; and tape the drive slot closed to prevent it from opening.
8. Place tape over the power switch.
9. Record the make, model, serial numbers, and any user-applied markings or identifiers.
10. Record or log the computer and all its cords, cables, wires, devices, and components according to agency procedures.
11. Package all evidence collected following agency procedures to prevent damage or alteration during transportation and storage.
     

From: Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition