Evidence Collection Cases 1. In this case the first thing that first responders need to recognize is that the computer was on when the suspect was arrested and there may be evidence that they need to collect right away. If data of apparent evidentiary value is in plain view onscreen. The first responder should seek out personnel who have experience and training in capturing and preserving volatile data before proceeding. First responders should also be alert to the crime scene environment. They should look out for pieces of paper with handwritten notes, passwords, usernames, and software and hardware manuals. These forms of evidence also should be documented and preserved in compliance with departmental policies. In this case the computer should also be checked for DNA so investigators can match the suspects DNA to the arson crime scenes. Also TimeFrame Analysis can be used to link any files of interest to the timeframes of the investigation. All these things can help link the suspect to the crimes, and in doing so can help tell the insurance company whether the claims are valid. 2. Case 4-4 (bomb threat)
A list of what items should be included in an initial response field kit to ensure preservation if digital evidence.

The initial response field kit should be lightweight and easy to transport. With this kit, you can arrive at a scene, acquire the data you need, and return to the lab as quickly as possible. * Small computer toolkit * Large-capacity drive * IDE ribbon cable * SATA cables * Forensic boot media containing an acquisition utility * Laptop IDE 40 to 44-pin adapter, other adapter cables * Laptop or tablet computer * FireWire or USB dual write-protect external bay * Flashlight * Digital Camera with extra batteries * Evidence log forms * Notebook or digital dictation recorder * Computer evidence bags…...

