How does it Work?

Well, seizing the computer in question comes first, of course. But making sure that you have the right to seize the computer is essential. The US Federal Guidelines for Searching & Seizing Computers is a guideline that can help determine that right. Seizing the wrong hardware and computers can harm businesses and waste crucial time. So let's say that there is an established reason for seizing the computer in question. Note: contraband, evidence containing information, or hardware used as an instrumentality of the offense are established reasons.

Collecting the Evidence

There are many differing opinions on whether investigators should quickly turn the computer off or leave it on. Vital data can be lost forever, the computer may not come back on, and the suspect could have left traps, so it may be best to collect files and leave the computer running as it is. If a computer is turned off, it is important to unplug it entirely from the sockets; do not turn it off using the computer's shutdown commands or by pressing the power button. Investigators are only supposed to collect hardware, software and peripherals (such as printers, digital cameras, etc.) that they can articulate a reason to seize. This is referred to as the independent component doctrine.

Retrieving the Data

Now comes the fun part: finding whatever you are looking for. How much time you are allotted (based on the case and circumstances) determines how much information you are going to copy from the computer. A bitstream copy, which also captures slack and unallocated space, should be made, and 2 copies should be made. Being able to recover and retrieve data depends on the type of computer that was used, the kind of digital evidence, the operating system, and the hardware/software. With the exception of Unix operating systems, which are harder to retrieve from, it is possible to obtain even deleted files.
  • Shadow Data: overwritten data that retains some of the deleted information; it can be examined using scanning probe microscopes, magnetic force microscopes, etc.
  • Binary files, which contain a lot of information that is stored while it is not being used, can be read with utilities but not with word processors. Encryption is a growing tool used by criminals that scrambles data, making it difficult to read.
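Added here as an illustration, not code from the original page: a Python sketch of the bitstream-copy step described above, reading a source device byte for byte into 2 copies at once and then re-hashing each copy from disk to confirm it matches what was read. It assumes the evidence source can be opened read-only as a file path; a constructed temporary file stands in for the drive, and the file and directory names are made up for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream 1 MiB at a time so a whole drive never has to fit in memory

def bitstream_copy(src_path, dst_paths, chunk=CHUNK):
    """Copy every byte of src_path into each dst_path in one pass. Reading the raw device
    (not the filesystem) is what carries slack and unallocated space into the image."""
    digest = hashlib.sha256()
    outs = [open(p, "wb") for p in dst_paths]
    try:
        with open(src_path, "rb") as src:
            for block in iter(lambda: src.read(chunk), b""):
                digest.update(block)
                for out in outs:
                    out.write(block)
    finally:
        for out in outs:
            out.flush()
            os.fsync(out.fileno())  # force the copy onto disk before it is re-read and hashed
            out.close()
    return digest.hexdigest()  # hash of exactly the bytes that were read from the source

def sha256_file(path, chunk=CHUNK):
    """Re-read a file from disk and hash it, so each copy is verified independently."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def image_and_verify(src_path, dst_paths):
    """Image the source into every destination; returns (source hash, all copies match)."""
    expected = bitstream_copy(src_path, dst_paths)
    return expected, all(sha256_file(p) == expected for p in dst_paths)

def demo():
    """Constructed stand-in for a seized drive (assumption: a plain file path behaves
    like a read-only device path). 2 MiB of 'A' plays the allocated file; the tail after
    it plays a deleted note left in unallocated space that a file-level copy would miss."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "suspect_drive.raw")
    with open(src, "wb") as f:
        f.write(b"A" * (2 * CHUNK) + b"\x00" * 4096 + b"deleted-note")
    copies = [os.path.join(work, "image_evidence.dd"), os.path.join(work, "image_working.dd")]
    digest, ok = image_and_verify(src, copies)
    return {"source": src, "copies": copies, "hash": digest, "verified": ok}
```

In practice the source would sit behind a write blocker and the recorded hash would be kept with the chain-of-custody notes, so that any later copy can be shown to be identical to what was seized.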

Putting the Pieces Together

By collecting the evidence and hopefully obtaining everything you could from it, you also have to answer the who, what, where and why surrounding the case. Remembering that there will always be gaps in the information, and not fully relying on the digital evidence, is key. Important guidelines that must be adhered to:

  • Warrants and the right to seize and search property should be known and observed, including the Privacy Protection Act (PPA) and the Electronic Communications Privacy Act (ECPA).
  • How the search is to be done should be decided beforehand. It is important to foresee all that can happen or develop in the course of an investigation, but planning ensures that silly mistakes that could hurt the case won't be made.
