Documenting the Electronic Crime Scene

Documenting the Electronic Crime Scene is necessary to maintain a record of all the forensic investigation processes applied to identify, extract, analyze, and preserve the evidence. The details should include location of the crime, status of the system, connected network devices, storage media, smart phones, mobile phones, PDAs, Internet and network access,

The document will help trace the serial numbers or other identifiers of the procured devices. Documenting also includes taking photographs, video, notes, and sketches of the scene, in order to recreate it later. The investigator needs to document the processes and activities running on the display screens.

The points to consider while documenting the electronic crime scene are:
  • Documentation of the electronic crime scene is a continuous process during the investigation that makes a permanent record of the scene.
  • It is essential to properly note down the site and state of computers, digital storage media, and other electronic devices.
  • Document the physical crime scene, noting the position of the mouse and the location of the elements found near the system.
  • Document details of any related, difficult-to-find electronic components.
  • Record the state of the computer system, digital storage media, electronic devices, and predictable evidence, including power status of the computer.
  • Take a photograph of the computer monitor’s screen and write notes on what you have seen on the screen.

The crime scene documentation should contain comprehensive details at the time of investigation.


Photographing the Scene

Crime scenes are the main source of physical evidence, and photographing them provides the investigators with a visual reference for future use. The images will also help the investigators recreate the scene when required.

Sketching the Scene

A sketch conveys the measurement relationship between the crime scene and the evidence found. The sketch explains the data in the documented photos and videos. Sketches can also portray the positions of the camera as well as the photographer.

The points to remember while sketching the scene are:
  • After securing the scene, the computer forensic professional (CFP) has to prepare a sketch of the crime scene.
  • This sketch should include all details about the objects present and their locations within the office area.
  • As with photographs, forensic professionals prepare many sketches of the complete scene, all the way down to the smallest piece of evidence.
  • After creating an accurate scene sketch, the CFP should sketch the top of the computer desk, specifying pieces of evidence.

Note Taking Checklist

Computer crime scene investigation requires significant effort. The investigation effort varies according to the situation, and without a checklist, it is impossible to remember all the findings of the computer crime investigation. The investigator uses the checklist to note down the findings of the digital evidence search, collection, and preservation processes at the crime scene.
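One way to keep the notes described above as a permanent, tamper-evident record, as an added example that is not part of the original article: every note must carry each checklist field and is hash-chained to the previous note. The field names, function names and sample values are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Checklist fields drawn from the documentation points above (names are assumptions).
REQUIRED = ("location", "device", "serial", "power_status", "screen_notes", "photo_sha256")
GENESIS = "0" * 64  # placeholder "previous hash" for the first note


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log: list, investigator: str, when: datetime, **fields) -> dict:
    """Append one scene note; refuse notes that skip a checklist field."""
    missing = [name for name in REQUIRED if not fields.get(name)]
    if missing:
        raise ValueError(f"checklist fields missing: {missing}")
    entry = {
        "seq": len(log) + 1,
        "utc": when.astimezone(timezone.utc).isoformat(),
        "investigator": investigator,
        **{name: fields[name] for name in REQUIRED},
        # Chain to the previous note so later edits or deletions are detectable.
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Return 0 if the chain is intact, else the 1-based position of the first bad note."""
    prev = GENESIS
    for position, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != position or entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return position
        prev = entry["entry_hash"]
    return 0


def sample_log() -> list:
    """Constructed sample: two notes for a fictional office; photo bytes are stand-ins."""
    log, t = [], datetime(2024, 1, 1, 9, 30, tzinfo=timezone.utc)
    add_entry(log, "Investigator A", t, location="Office 2, desk by window", device="desktop PC", serial="SAMPLE-0001", power_status="on", screen_notes="file manager open; mouse right of keyboard", photo_sha256=hashlib.sha256(b"constructed photo 1").hexdigest())
    add_entry(log, "Investigator A", t, location="Office 2, desk drawer", device="USB drive", serial="SAMPLE-0002", power_status="unpowered", screen_notes="no display", photo_sha256=hashlib.sha256(b"constructed photo 2").hexdigest())
    return log
```

Storing each photograph's SHA-256 in the note ties the written record to the exact image file it describes.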


Computer Forensics Investigation Methodology

The investigators should have keen knowledge of all the devices that could have played part in transmitting the attack data to the victim device. They should be able to search for all the involved devices and seize them in a formal manner in order to analyze them for evidential data.


Consent, in computer forensics investigation, refers to the process of obtaining formal permission from the owner of the victim organization or an individual owning the target system to perform a thorough investigation. A written consent from the authority is enough to start the investigation and search process.

At the time of consent, the investigators should use properly written banners with suitable use policies and get them signed by the owner of the evidence scene or devices. If you have a properly worded banner and a suitable use policy informing users of monitoring activities and how to use the information collected from monitoring activities, the consent burden will suffice in a majority of cases.

There are instances when the user is present and has to provide consent as the hardware user. It should never be a general permission for system administrators to conduct unplanned and random monitoring activities.

Use appropriate forms for the jurisdiction and carry these documents in the grab bag to protect from any harm or damage. Monitoring activities related to the consent should be part of a well-documented procedure in the obtained consent.

Witness Signatures

A witness is a person who is present while signing a document or agreement and testifies that the parties mentioned in the agreement have voluntarily signed for it. Depending on the legislation in the jurisdiction, the agreement or contract needs the signatures of one or two witnesses.

Typically, one witness signature suffices if the forensic analyst or law enforcement officer is performing the seizure. When the case requires two witness signatures, seek guidance to determine the second signatory.

The witness signature verifies that the information in the consent form and other written documents is correct, that it has been explained to and understood by the other party, and that they have given the consent voluntarily.

Whoever signs as witness should have a clear understanding of their role and may have to provide a witness statement or attend court.

Conducting Preliminary Interviews

When preparing a case, Computer Forensic Professionals (CFPs) follow a standard system analysis to solve a problem. They start their investigation by collecting evidence and conducting preliminary interviews. As a part of their preliminary investigation, they enquire about all those who were present on the site at the time of the offense. After identifying the persons present at the time of the crime, they conduct individual interviews and recognize all personnel (witnesses and others) available at the crime scene and note down their position at the time of entry and their reason for being there.

As part of their investigation process, CFPs first determine whether the suspect has committed a crime or has violated any departmental policies. Usually, departments establish certain policies regarding the usage of computers.

Consistent with departmental policies and applicable laws, the CFP gathers evidence and collects information from individuals, such as:

  • Actual holders or users of any electronic devices present at the crime scene.
  • Usernames and Internet service provider.
  • Passwords required to access the system, software, or data.
  • Purpose of using the system.
  • Automatic applications in use.
  • Any offsite data storage.
  • Unique security schemes or destructive devices.
  • Documents detailing installation of a hardware or software on the system.
  • Web mail and social networking website account information.

If the evidence gathered by the CFP suggests that the suspect has committed a crime, he or she will produce that evidence in court. If the evidence suggests that the suspect has breached company policy, the CFP will hand over the evidence at the corporate enquiry.

Questions related to this topic

  1. What are the four steps in collecting digital evidence?
  2. How should an investigator avoid contaminating evidence?
  3. What are some of the problems traditionally associated with finding digital evidence?
  4. What are the seven steps of a crime scene investigation?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
