Part one of a three-part series on CBI recommendations for on-scene procedures and booking in of computer evidence.

Criminals are turning to computers more and more to commit their crimes. Whether it is luring children over the Internet, producing counterfeit currency and checks on a computer, or hiding financial or other illegal records on a hard drive, we must know how to deal with all of it. In Colorado we have the Colorado Bureau of Investigation at our disposal. The CBI has one expert analyst who does nothing but computer evidence analysis and computer crime investigation. Chuck Davis analyzes any and all computer evidence that comes to the lab, and he also assists agencies with search warrants and with the actual collection of evidence in the field. He offers several points and tips to make your handling of computer evidence more effective.


First, know your limits! If your ability to handle and seize computer evidence is limited, don't just wing it: call an expert. Incorrect seizure and handling can leave you with no usable evidence. Don't call your MIS department or the office "computer wiz." While these people may have some expertise, chances are they have no experience in criminal investigations, and they probably cannot testify in court as a computer expert.

Second, be careful what you touch! Criminals may have rigged a destruct key or other "booby traps" on the computer. Before touching anything, photograph the screen from the front and from the side, and write down which applications are running and the names of any open files. Document what you see on the screen in more than one format (video, Polaroid, 35mm, and a handwritten copy). If the system is off, leave it off. If the system is on, shut it down properly; in Windows 95/98 that means using the Start button. This one step is something your MIS department can help with. Next, turn the machine off at the power supply. Do not browse the files. Don't run a directory listing, don't open File Manager or Explorer, and DON'T execute any programs at all! Doing so may destroy crucial evidence.

With the power off, label each cable and the location where it is plugged in. Disconnect everything, and look for suspicious wires or connections. Document the backs of the computers the same way you documented the fronts.

When writing the warrant or obtaining consent to search, make sure it covers all equipment, including monitors, hard drives (installed or not), keyboards, digital cameras, printers, floppy disks, and other related items. Remember that these items may be needed for prosecution, but you should definitely be thinking forfeiture as well. Seize any peripheral that requires a unique power cord together with that cord; laptop computers always have a special power cord that sometimes cannot be found elsewhere.

Place evidence tape over the openings of the disk drives, and tape the case so that it will show whether the system has been opened or taken apart. Initial the tape so that your initials cross from the tape onto the item. One piece of tape down the front of the system across every drive is fine.

Be prepared to take all floppy disks (new or old), CDs, keyboards, mice, monitors, printers, tape drives with their tapes, Zip drives, Jaz drives, and any other computer media. However, DO NOT submit monitors, cables, mice, keyboards, power strips, or printers to the lab for analysis. If you bring them to the lab, you will only have to take them back to your office.
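As an added example (not part of the newsletter and not a CBI tool), the following Python script records a seizure inventory in the spirit of the steps above: each item carries its evidence tag, its seal identifier, and the cable-label-to-port notes, and a helper separates what goes to the lab from what the article says to seize but not submit. The hash-chained log is an addition here, a digital counterpart to initialling the evidence tape, so that a later edit, deletion or reordering of the inventory record is detectable. The category names, the SEIZE_BUT_DO_NOT_SUBMIT set, the scene identifier and the sample items are constructed for illustration and are not from the article.

```python
# Added example (not from the newsletter or the CBI): a seizure inventory
# with a lab-submission check and a hash-chained log. Category names, the
# SEIZE_BUT_DO_NOT_SUBMIT set and the sample items below are assumptions.
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Items the article says to seize, but NOT to submit to the lab for analysis.
SEIZE_BUT_DO_NOT_SUBMIT = {"monitor", "cable", "mouse", "keyboard",
                           "power strip", "printer"}


@dataclass
class Item:
    tag: str                 # evidence tag number written on the tape/label
    category: str            # e.g. "system unit", "floppy", "monitor"
    description: str
    seal: str = ""           # evidence-tape seal id; initials cross tape and item
    connections: dict = field(default_factory=dict)  # cable label -> port it was in


def lab_submission(items):
    """Split an inventory into (submit to lab, keep at office) per the article's rule."""
    submit, keep = [], []
    for item in items:
        (keep if item.category in SEIZE_BUT_DO_NOT_SUBMIT else submit).append(item)
    return submit, keep


def chain_log(items, scene_id):
    """Serialise the inventory as a hash chain: each entry commits to the previous
    one, so deleting, reordering or editing an entry later breaks verification."""
    prev = hashlib.sha256(scene_id.encode()).hexdigest()   # chain anchor
    entries = []
    for item in items:
        record = asdict(item)
        record["prev"] = prev
        digest = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()).hexdigest()
        record["hash"] = digest
        entries.append(record)
        prev = digest
    return entries


def verify_chain(entries, scene_id):
    """Recompute every link; return True only if the whole chain is intact."""
    prev = hashlib.sha256(scene_id.encode()).hexdigest()
    for entry in entries:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if expected != entry.get("hash"):
            return False
        prev = entry["hash"]
    return True


# Constructed sample inventory (fictitious scene and tags).
SCENE_ID = "case-0000 / scene 1"
SAMPLE_ITEMS = [
    Item("E-001", "system unit", "Beige desktop tower, power cord seized with it",
         seal="S-17", connections={"C1": "rear, PS/2 keyboard port",
                                   "C2": "rear, COM1 (external modem)"}),
    Item("E-002", "floppy", "Box of twelve 3.5 in. diskettes, mixed labels"),
    Item("E-003", "monitor", "15 in. CRT monitor", connections={"C3": "VGA port"}),
    Item("E-004", "keyboard", "PS/2 keyboard"),
]

if __name__ == "__main__":
    submit, keep = lab_submission(SAMPLE_ITEMS)
    print("Submit to lab:", [i.tag for i in submit])
    print("Seize but keep at office:", [i.tag for i in keep])
    log = chain_log(SAMPLE_ITEMS, SCENE_ID)
    print("Chain intact:", verify_chain(log, SCENE_ID))
```

The chain is anchored on the scene identifier, so a log copied from one scene will not verify against another, and removing or altering any single entry fails verification of everything after it. It does not replace the paper record, photographs or the initialled tape the article calls for; it only makes later tampering with the electronic copy of the inventory detectable.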

In the next newsletter we will cover the packaging, transportation and storage of the computer and other related items.