Computer/Cellular Evidence Collection Notes
Location of Crime / Incident:
Legal Authority to Process Evidence:
Warrant Waiver None
Contact a member of the state or local Computer Forensics Unit to respond and collect the computer evidence. If one is not available
or cannot respond this form may be completed during the collection of the computer equipment to ensure it is properly documented
and collected. Improper collection of computer evidence may result in loss of valuable data.
Has This Evidence or
Computer(s) been
previously viewed or
accessed by anyone?:
If Yes, Please Attach
Supplemental Explaining
Who Accessed the Computer
and Why.
Are You Aware of Any
Privileged
Information (ex.
Medical, Legal, etc.):
If Yes, Please Attach
Supplemental Explaining
the Privileged Information
Initially preserve the state of the evidence, do not alter the condition of any electronic device. If it is on, leave it on. If it is off, leave
it off.
Identify telephone lines attached to devices ( Document phone lines; Disconnect phone lines and Label phone lines)
Application File Passwords:
Encryption Pass Phase Password:
Any Unique Security or Destructive devices:
Any Offsite Data Storage:
Documentation Explaining the Hardware or Software Installed on the System:
Mouse Position/Location:
Left Right Other:
Location of Other Components Relative to Each Other:
Power Status:
On Off Sleep mode
Power Status Light:
On Off None
Computer Temperature:
Warn Hot Cold
Identify and document related electronic components that will not be collected.
Photograph / Notes: Front of computer; Front of monitor and If active program is running, consider videotaping monitor
DO NOT MOVE ANY COMPONENTS UNTIL PROPERLY POWERED DOWN
Computers attached to a network (Business or Home) should only be recovered by specially trained personnel
Monitor On - Photograph and Record Visible Information:
Monitor - Sleep Mode, Slightly Move Mouse (DO NOT PUSH BUTTONS OR PUSH KEYS) - Photograph and Record Visible Information:
Turn on Monitor - Photograph and Record Visible Information (May Have to Slightly Move Mouse):
Remove power cord from computer. Laptops must have batteries (look for secondary battery) removed as well.
Cell phone batteries are also removed.
If there is no battery, power off the cell phone in the normal manner.
Check for other connections to Computer (phone, DSL, etc.) and determine phone number is possible.
Remove floppy disks and label and package separately
Leave CDs in CD drive (Do Not Touch CDs or CD drive)
Place tape over all drive slots and over the power cord connector.
Photograph, diagram and label all connections to the computer and corresponding cables.
Identify all peripheral devices, laptop docking stations
Determine if WIFI or hardwire network cable or routers are being used by the computer
DO NOT OPERATE electronic devices, unless an emergency exists
If emergency exists, document all actions performed on the device.
Package electronic evidence in a manner to minimize the loss of trace evidence and/or fingerprints.
Consider using antistatic packaging material or antistatic plastic bags
Avoid folding, bending or scratching computer media
Package and label multiple computer systems in a manner that can facilitate reassembly.
