Friday, January 4, 2008

The bag and tag

It's been a while since I put up some pictures (you know I like 'em). So I decided to put together the bag 'n' tag sequence I use.

Here you see from left to right the suspect or evidence drive, the drive protector case, the evidence bag and the anti-static bag.




Here's the drive closeup. Note the damage to the drive... hmm, looks like someone hit it with something... perhaps a flathead screwdriver? Toolmarks, anyone?





The next step is to label the drive so it's easily identified while it's out of the evidence containers. I use Quill page markers. Red is for originals, Blue for Copies.



Next I place the drive in the hard plastic shell and then slip it into the anti-static bag. A word about the clamshell: it's from Seagate. You can buy your own from various companies or buy a lot of Seagate drives like I do.





Finally, the evidence container is placed into the evidence bag after it's been labeled. *THE INFORMATION IS FAKE, AND THE TIME IS WRONG* This is on purpose since I'll be using these photos in February for a class. I detach the receipt and staple it into the case notebook. The victim (or client, as it were) gets a paper copy with a list of all seized items and relevant information.




The evidence bag is then sealed.



To anyone that bothers to read this blog...what are you using?

Equipment was purchased from:
Armor Forensics
Uline
Staples
Seagate

EDIT 1/4/2008: oops forgot to pull the home dept reference..

3 comments:

Anonymous said...

In general I use the same kind of procedure but working with original prosecution evidence from different forces means that at times, there's been two continuity procedures running together, the force's (client's) and my own (as not having my own 'one size fits all' is just asking for steps to be missed).

For example, it is still quite common to find paper continuity tags inside a sealed bag so the only way to sign it to say you've received it is to break out the evidence. Although as I've also had plain clothes detectives handing over loose computers from the back of their car, with nothing for me to sign, I'd guess the continuity checks are often presumed to be correct by both sides!

I wouldn't want to be the one to lose a case because of it though.

Tony Rodrigues said...

Hi, HogFly.

Are those procedures just for LE, or can they be applied to private company investigations, too? How do you apply this, and the chain of custody, if the client doesn't want to turn off the server, much less take out the HDs?

Thanks!

hogfly said...

Tony,
It can be used by any that choose to or by no one. Police have a different method to be sure as dictated by their policies and department procedures.

Supposing someone doesn't want the system down or the drive removed...

Record the relevant information from the system, make a copy of the disk (logical or otherwise), and the disk containing the image should be treated as the "original", never to be used, only to be copied once you return to a location where it can be copied effectively. Chain of custody begins once you have the copy of the disk.