Process the Scene for Physical Evidence

The processing of the scene for physical evidence is best left to those individuals who have been specifically trained to process it. The processing of the physical evidence should always take place prior to any processing of digital evidence unless there is reason to believe a delay in processing the digital evidence will result in its destruction or loss.

In addition to the digital evidence they may hold, electronic devices are frequent repositories of physical evidence. Anyone who has ever turned over a keyboard and examined the detritus that can be shaken out is aware of potential biological evidence. Likewise, anyone who has touched a computer screen has left his own mark for later examination. Indeed, computer screens and mice are excellent locations for fingerprints, frequently better than those on the textured keys of a keyboard.

The computer investigator can suggest items of interest in the digital investigation, which may be processed as part of the physical investigation. These include:

  • Post-it notes or scraps of paper on, around, or under desks and computer equipment. Check under the keyboard. Post-its are an office favorite for writing down passwords.

  • Papers with passwords, user names, or URLs. Any papers with information about the individual's computer system or potential usage should be collected.

  • Keys to laptops or locked drives. They can be taped under desks or hidden in plants.

  • Media. Any floppy disks, CD-Rs, CDs, or other removable media should be collected for analysis. Additionally, application CDs might be necessary to load an individual application in the lab environment for analysis.

  • Computer manuals, reference guides, and other electronic equipment documentation. These guides may be useful in taking apart a system, figuring out what command accesses CMOS setup, and understanding an application.

EVIDENCE COLLECTION KIT

The collection of physical evidence at a crime scene requires the appropriate equipment for handling and processing. A fingerprint analyst without a dusting kit, a DNA collection expert without swabs, and a forensic entomologist without sample cases would be severely limited in their abilities to process a scene. Similarly, without the basic kit, the computer forensic analyst is like a carpenter without a saw.

Not all digital evidence processing kits are alike. Some analysts prefer to have a complete mobile lab available to them for on-site analysis. Companies such as DigitalForensics provide special purpose equipment for these scenarios. Other analysts work on a first responder model whereby evidence is collected by remote first responders and then shipped to a central location for analysis. The sophistication of the evidence collection toolkit depends on the response model used, but at a minimum the following items should be included in any forensic response toolkit:

  • Latex gloves. Not only do they prevent one from leaving fingerprints everywhere, but thicker latex gloves are also good protection against jagged edges when pulling apart computers.

  • Security tape. The computer forensic analyst in a corporate setting may be acting alone and may need to cordon off an area as part of a physical crime scene. Basic yellow "Do Not Cross" tape can be purchased at local hardware stores. It is sufficient for non-law enforcement use.

  • Evidence tags and labels. Tags specifically designed for evidence collection can be purchased cheaply from any major supplier of law enforcement goods. They should be tamper-resistant and may have two parts: one that stays with the evidence and a second that remains in the custody of the analyst.

  • Cable ties. Securing a label to a piece of evidence via adhesion may not always be possible. A few inexpensive plastic cable ties do the trick nicely.

  • Bolt cutters. Many laptop locks can be bypassed with a pair of scissors and a paper clip. Key locks require a little practice, and number locks require a lot of time. If time is of the essence, a set of bolt cutters or cable cutters will make quick work of inexpensive cable locks.

  • Sharpies. When writing on a CD-R, evidence tag, or any other surface, a Sharpie is unbeatable. Make sure that the pen has a felt tip, preferably a fine point or better for those tight spaces.

  • Anti-static bags and evidence bags. Anti-static bags are generally silver in color and protect computer equipment from static electricity, both that present in the environment and that generated by the analyst. Evidence bags are tamper-resistant and have a detachable evidence label. Buy several different sizes of each, ranging from floppy-disk size to laptop size.

  • Digital camera. Any digital camera with a time and date stamp will suffice. Look for a built-in macro lens for close-ups of network connections, components, and cables. Anything above three megapixels is sufficient. Do not attempt to compete with Ansel Adams.

  • Forensic notebook. Any book with numbered pages that cannot be removed is good for this one. Lab notebooks and general bound logbooks tend to be cheaper and just as good as those sold specifically for the purpose.

  • PC toolkit. This is one place not to skimp. Buy the larger-size PC toolkit (one hundred pieces or better) to get everything needed to take a machine apart on-site. Ensure that TORX bits are included.

  • Forensic laptop, hard disk, and adapters. It is always nice to be able to do some analysis on-site. A basic laptop with external USB 2.0 or FireWire hard disk along with a hardware write-blocker helps here.

Tip

Before destroying a laptop lock, try looking around the office for a hidden key, either taped under the desk or in an office plant. Some locks can even be picked with a Bic pen (see http://www.wired.com/news/culture/0,1284,64987,00.html for details).

Basic combinations on a number lock are worth a try also; the phone extension of the particular desk is a favorite one. Combinations can be brute-forced in a fairly short period. Four-digit locks have 10,000 combinations that can be tested in roughly an hour and a half.

Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel