MONROE COUNTY SHERIFF’S OFFICE


General Order


CHAPTER:

034-C

TITLE:

Computer Search and Seizure

EFFECTIVE DATE:

August 19, 2009

NO. PAGES:

3

REVIEWED/REVISED:

November 29, 2022


Sheriff of Monroe County

RESCINDS:



  1. PURPOSE: The purpose of this General Order is to establish a procedure to ensure the proper search and seizure of computer evidence.


  2. SCOPE: Includes the search and seizure of computer equipment both in operating and non-operating models and all disks, drives, and peripheral equipment.


  3. DEFINITIONS:


    1. Computer system: computer monitor, central processing unit (CPU), hard drive, I/O (in/out) device, modem, CD-ROM or floppy drive configured to work together as a unit or cabled together externally.


    2. MCSO forensic computer examiner: Office personnel who have received specific training on the proper techniques to examine and recover evidence from computers and storage devices.


    3. Peripherals: Auxiliary devices, such as a printer, modem or storage system, that work in conjunction with a computer.


    4. Recording device: CD-ROM, digital video disc, floppy disc, tape, zip, jazz, magneto-optical, or hard drive used to store data that is not currently connected to an operating system.


    5. Recording media: Any disk, tape, cartridge or other type of media used to store data electronically (i.e. floppy disk, jazz cartridge, zip disk, jump drive, or magneto-optical disk).


  4. PROCEDURE: Searches and seizures of computer hardware and software shall be done in accordance with State and Federal Guidelines for searching and seizing computers.


    1. Secure the scene


      1. Deputy safety is of utmost importance


      2. The area and equipment should be treated as a crime scene and preserved for potential fingerprints and/or DNA evidence


      3. Immediately restrict access to the computer by any person


      4. Isolate from phone lines (data on the computer(s) can be accessed remotely)


      5. Remove wireless (Wi-Fi or Bluetooth) capabilities

      6. Secure the computer as evidence and record serial numbers of each item


    2. Computer operation status: Deputies shall not attempt to log on to the computer, operate the computer in any manner in an effort to use any software or explore files that may be contained on the media storage devices, retrieve e-mails, instant messages, etc.


      1. If the computer is “ON” follow these steps for stand-alone computer (non-networked) systems.


        1. Consult with MCSO forensic computer examiner as needed to secure the computer system


        2. If you determine that the computer is running encryption software or Vista Operating System, contact MCSO forensic computer examiner before proceeding


        3. Do not turn off


        4. Do not enter any input from the keyboard or mouse


        5. Photograph the video screen display, computer system, surroundings and connections


        6. Label all cable connections and associated ports


        7. Disconnect the power source from the computer, not the wall outlet


        8. Disassemble the computer system and seize all cables and peripherals


        9. Package all seized property


        10. Do not place the computer equipment or related devices in a vehicle trunk during transport


        11. Do not use radios that produce strong magnetic fields around computers or while transporting them


      2. If the computer is “OFF” follow these steps for stand-alone computer (non-networked) systems:


        1. Disconnect any telephone or modem connection


        2. Photograph the computer system, its surroundings and connections


        3. Label all cable connections and associated ports


        4. Disconnect the power source from the computer, not from the wall outlet


        5. Disassemble the computer systems and seize all cables and peripherals


        6. Package all seized property


        7. Do not place the computer equipment or related devices in a vehicle trunk during transport


        8. Do not use radios that produce strong magnetic fields around computers or while transporting them


    3. Networks, business operations or online providers: Do not attempt to disconnect or recover any networked computer system or related device prior to consulting with the MCSO forensic computer examiner. Seize all investigation relevant related computer systems, recording devices,

      recording media, tapes, papers, documents, manuals and notes in and around your crime scene (as indicated in search warrant or consent search).


    4. Evidence Handling Procedures: All seized computer equipment evidence shall be reported, handled, and stored in accordance with Office procedures (General Orders, Chapter 54). Due to the nature of computer and electronic devices forensic analysis, the MCSO forensic computer examiners are authorized to maintain a temporary storage area for such equipment. The temporary storage area is only authorized for evidence submitted for computer/electronic examination and/or analysis and shall be secured to the level of all evidentiary property. A Deputy transferring computer equipment as evidence for review, examination or analysis will:


      1. Complete a property receipt


      2. Provide a copy of the search warrant, acknowledgment of consent or other documentation which authorizes the evaluation of the evidence to the MCSO forensic examiner


      3. Upon completion of the computer/electronic device forensic analysis, the evidence shall be returned to the property division for evidentiary storage