The following is from the 2000 edition of The Ohio Bureau of Criminal Identification and Investigation's Physical Evidence Training Manual.
This manual is provided to Ohio law enforcement agencies that utilize BCI's crime scene and lab services, and assists them in proper submission of evidence.


Cyber Crime Evidence (Computers)

The Cyber Crime Unit investigates and forensically examines seized computer equipment. The computer will be maintained in its original, unaltered state. The data storage devices will be copied (mirror imaged) for examination. Evidence including pornographic images, files, hidden files, some erased data and some password protected files can be recovered. The Cyber Crime Unit then prepares reports for courtroom presentation. For more information call BCI's Cyber Crime Unit at (740) 845-2411.

Procedure for Seizing Macintosh, DOS, Windows 3.x, and Windows 95 and Windows 98 Based Computers
(For Windows NT and other networked computers, please call the Cyber Crime Unit for guidance prior to removing or disconnecting the computer.)

1. Have a warrant with proper language addressing the seizure of a computer. (Language that can be used as a guideline is available from the Cyber Crime Unit.)
2. Remove everyone from the area around the computer and data storage.
3. If the computer is not on, DO NOT turn it on. Turning the computer on may activate traps that cause data destruction.
4. If the computer is on, photograph the screen.
5. Disable the power at its source, i.e. wall outlet or UPS.
6. Disable or disconnect the modem.
7. Disconnect the power to the printer at its source.
8. Place a diskette into each drive and cover with evidence tape.
9. Photograph connections of all equipment.
10. Label all connections of all equipment for later reference.
11. Photograph all labeled connectionsw and diagram them.
12. Photograph the area after the computer is removed.
13. Search area for passwords or other related information.
14. Seize all books, notes, manuals, software, disks, storage devices and items related to the system. Place all disks and storage devices into non-static conducting material (paper). Inventory items.
15. Interview all suspects that may have knowledge of the computer system for passwords, operational information and all related topics.
16. Transport the evidence. Do not place items next to any electromagnetic sources such as police radios.
17. If BCI is requested to do the forensic examination of the computer system, a copy of the search warrant or consent form is required.
18. Keep in mind, computers are evidence. Evidence must be maintained in its original state. When information is viewed on a computer, file dates may change. This may cause concern during judicial procedures. Traditional system backups and copies will not capture all information within a computer system, evidence can be lost. Please call the Cyber Crime Unit with any question or for assistance.