

First Response Guidelines

The weakest link in the process of your case can be the first person who touches the suspect computer. If you have received the computer or hard drive from the police or some other source, you cannot do anything about it except document the condition in which you received everything. However, if you are the "first responder" to the computer, we would like to offer some pointers on how best to preserve the data on the computer:

  1. If the computer is off, leave it off. Never turn a suspect computer on, since the boot-up process will overwrite and destroy some data. By preserving the integrity of the data on the hard drive, you will greatly increase the chances of a successful forensic examination.

  2. If the computer is on, leave it on until you have followed the next two steps. If you are uncertain about anything, call us immediately at (360) 651-2391 and we will talk you through the best procedure.

  3. If the suspect computer is a desktop model that runs any type of Microsoft® Windows operating system, and it is on, do not shut it off using the usual shutdown procedure. Many technically smart criminals use routines to wipe certain data from the hard drive during the normal shutdown process. The best option is to unplug the power cord from the wall. Since some data will, or probably will, be lost no matter what you do, this is the method with the least potential for data loss.

  4. If a laptop computer is on, call Precise Cyber Forensics at (360) 651-2391 for further instructions.

  5. Identify to whom the computer belongs and document how you know this.

  6. Take pictures of the computer if possible. If the computer is on, take pictures of the screen. If possible, take pictures of the clock in the lower right corner of the screen and document the time by your watch when the picture was taken. Take pictures of the back of the computer so all of the items attached to the computer are documented.

  7. Start an accurate, documented chain of custody form. Document the time and date any part of the suspect computer came into your possession. Document the time and date you handed any part of the suspect computer to someone else and why.

  8. Call Steve at Precise Cyber Forensics at (360) 651-2391 if you have any questions about conforming to these basic guidelines.

  9. If you need to ship the computer, or any part of it, to Precise Cyber Forensics' lab, please follow the instructions here, or call Steve at (360) 651-2391.
