Minutiæ Issue #49

Computers at Crime Scene
During the recent classes in Mastering Expert Testimony, several of the students were computer experts who testify to computer records in fraud and pornography cases. One of their pet peeves is the misconception among some officers that a computer should immediately be unplugged when a search warrant is being executed. Special thanks go to Steven Tackett, Computer Forensic Analyst with the U.S. Postal Service, for explaining the following to us.

Two reasons commonly given by misinformed officers for immediately unplugging a computer at a crime scene are: first, it prevents the operator from deleting evidence by a preprogrammed keystroke; and second, it prevents a remote operator from erasing records and documents via modem. Both of these reasons are flawed.

In the first place, it is highly unlikely anyone would program into their computer a magic keystroke to erase data. This is almost never done due to the danger of the user accidentally hitting the key and losing all of the records. For an officer to routinely jerk the plug on a computer to prevent the suspect from using a keystroke jeopardizes information in the vast majority of cases and virtually never serves a useful purpose. Besides, after you have removed the suspects from access to the computer, they could not erase files anyway.

In the second case, the correct way to prevent a remote operator from erasing memory is to unplug the modem, not the power source. Unplugging the computer's power virtually guarantees you will lose all of the documents that are open. Unplugging the phone line from the modem removes access from remote operators without risking the loss of open documents.

Correct computer shutdown: The recommended steps to shut down any computer in a search situation are as follows. First, immediately remove suspects from their workstations and unplug the phone lines to the computer. Second, save open documents and files to a separate computer diskette so the original data can be kept in its last saved form. Third, after the data has been saved on diskette, the computer may be safely shut down.

If you do not feel competent to manage the above steps, locate a resource person before the search warrant is served. Several options are available. First, some other person in your department may be able to do a controlled shutdown. Second, state or federal law enforcement agencies may have personnel available who could talk you through the correct steps over the phone once you have secured the scene, removed the computer operator, and unplugged the phone line from the modem. Or third, a friendly computer store person who is knowledgeable and trustworthy may help as an advisor.

The bottom line is this: Simply pulling the plug as soon as you enter a scene will probably destroy valuable information and files. Instead, you should immediately remove people from access to the computer and unplug phone lines. Then, by saving open documents and shutting the computer down correctly, you will guarantee that all information has been saved.

- Pat Wertheim, Director of Training