6
Reading about computer related crimes and how law enforcement policies are lagging adjusting to the digital age, I came across this document which is a manual of sorts, recommendations for the first responders to a scene of a computer crime put together by the National Institute of Justice (American Department of Justice agency) in 2001. The document gives suggestions of procedures to follow regarding collecting digital/physical evidence and how to minimize contamination of the crime scene and package machines/drives etc. for transportation so that the defense/courts later don't object to how the evidence was collected, analyzed, and presented.
On page 44 of the PDF (page 31 numbered in the document), it says
"Regardless of the power state of the computer (on, off, or sleep mode), remove the power source cable from the computer-NOT from the wall outlet."
My question is, why does it matter where the power cable is disconnected from? If the first responder has made the decision to disconnect power, does it make a difference? It says not to use shut down sequence or press a button because data on the HD can be erased/changed. That makes sense. But if you decide to pull the plug, why does it matter where you pull it from? Are they concerned with booby traps? Or is it just safer for the person pulling the cable, you know like getting a shock or something? Or does the point of power disconnect effect the HD/RAM somehow?
Thanks!
Fixed Point
Posted 2013-03-06T00:00:18.680
Reputation: 193
6Perhaps they figure that if they do it that way, responders are less likely to unplug the wrong cord. (Most of us tend to have LOTS of cords running around behind our machines.) It could also be that they figure it's easier to carry a machine without tripping if there are no cords hanging from it. Otherwise, there's certainly no electrical difference which end is unplugged. – Nicole Hamilton – 2013-03-06T00:06:17.270
1Building in Nicole Hamilton's suggestion, it's also possible that removing the cord from the device results in less disturbance to the crime scene. Crawling under a desk, etc. could disturb other evidence. – Wayne Johnston – 2013-03-06T00:46:48.830
2A wall outlet may not be the way to ensure power is cut due to UPS or messy nest of power cords. When pulled from the laptop (or tower for that matter) you ensure that the divice is off primary power. Pulling the laptop battery must be in the process. – Carl B – 2013-03-06T01:20:54.513
@NicoleHamilton Well, eventually they would document and label all of the cables and ports and what was connected to what and perhaps confiscate everything as evidence. And before they walk off with the tower, the will disconnect all of the cables (after labeling the ports) anyway. – Fixed Point – 2013-03-06T08:41:48.347
@CarlB Your answer seems most plausible. All three are good and make sense but if you would be kind enough to post your comment as an answer, I'll accept it. And yes the manual says to remove the battery too in case of a laptop/mobile device. Thanks everyone. – Fixed Point – 2013-03-06T08:44:02.430
@FixedPoint - supplied as answer. – Carl B – 2013-03-06T16:02:38.290
@FixedPoint: I think it could be a combination of what you and Carl stated. If the accused has already initiated some sort of data wipe and a UPS is being used, yanking the power cord from the PC itself would ensure immediate termination of the process and consequently, less chance of losing valuable data/evidence. Otherwise by the time they realise that pulling the cord from the socket didn't necessarily turn the PC off completely, who knows what might be lost? – Karan – 2013-03-06T18:24:51.207