Computer Forensics: Seizing the Evidence

Computer forensic experts have to conform to many rules and regulations if the evidence they uncover is to be acceptable to the courts.

The first step in obtaining computer forensic evidence is obtaining a search warrant to seize the suspect system. This warrant must include wording allowing the investigators to seize not only the computer, but also any peripherals thought to be connected with the crime. A suspected counterfeiter, for instance, may have used his computer, a scanner, and a printer to produce his counterfeit documents, in which case all three items would need to be seized to provide evidence.

If it is thought that evidence is contained in emails, this should also be specifically mentioned in the search warrant. Email is a sensitive area as it can be considered personal, so solid justification is needed before a suspect's email is allowed to be searched.

A warrant also needs to be clear about the searching of network and file servers, whether backup media is included, and if hardware, software, and peripherals can be removed to another location to conduct the search.

In all circumstances, data not connected to the crime must not be touched. Doctors, lawyers, and clergy store documents on their PCs and much of this information is confidential. While the computer forensic expert needs to uncover evidence, care must be exercised to protect the personal information of any innocent third parties.

Seizing Equipment for Computer Forensics

Investigators can only seize equipment connected with the case; knowing the role of the computer will indicate what should be taken. For instance, if it is thought that the computer was used to store evidence then all storage media should also be seized for the computer forensic inspection. If the computer was running programs to collect and analyze information, any relevant books found at the scene should be seized to help computer forensic experts understand the programs.

If the suspect is present, he must be prevented from touching the computer. A computer that is running at the time of seizure should not be allowed to shut down; pulling the plug out of the wall will prevent any programs from wiping incriminating information during the shutdown sequence. The computer forensic expert can test the shutdown sequence later, to see if it includes any destructive programs.

Dismantling Equipment for Computer Forensics

When a computer and its peripherals are removed from a crime scene, a great deal of care has to be taken while dismantling the equipment to prevent any malicious programs from being activated should the computer power system be booby-trapped.

The entire setup should be photographed or a video taken before starting disassembly, notes taken at every step, and every cord labeled stating where it was attached. There are several ways to set up a computer and peripherals, and when the suspect system arrives in the computer forensics lab it will need to be set up exactly as it was at the crime scene.

