Department of Corrections and Rehabilitation - Operations Manual

Cancel

Chapter 4 – Information Technology

Article 45 – Information Security

Revised May 20, 2013

View All Sections >

49020.12.2 Collection of Evidence

  • When misconduct is discovered which constitutes an information security incident in conjunction with a possible violation of departmental policy or criminal violation, precaution must be taken to avoid contamination of the possible electronic evidence. Prior to taking action, the discoverer should contact the Hiring Authority and/or the Office of Internal Affairs (OIAOffice of Internal Affairs) for direction, if the misconduct could lead to an administrative investigation. If the misconduct rises to the level of criminal misconduct, the OIAOffice of Internal Affairs must be notified immediately prior to any action being taken.

  • When there is any incident that involves the preservation of any evidence and after the first responder has consulted with the Hiring Authority/OIAOffice of Internal Affairs, the first responder is responsible to preserve the electronic crime scene and recognize, collect, and safeguard the digital evidence and/or non-digital evidence. First responders and managers who supervise personnel who process such events should be familiar with the information in this section and perform their duties.

  • Digital evidence includes all information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. All other evidence is non-digital evidence.

  • When dealing with digital evidence, general forensic and procedural principles should be applied:

    • The process of collecting, securing, and transporting digital evidence should never change the evidence and integrity of the chain of evidence must be maintained.

    • Digital evidence should only be examined and/or acquired by those trained specifically for that purpose. First responders without proper training, equipment, or skills should not attempt to explore the contents of or to recover information from any electronic device.

    • Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, and preserved. Documentation should include the specific location of the evidence found, how it was collected, labeled, and preserved.

    • Package and transport digital evidence in a secure manner consistent with chain of evidence procedures.

    • Any Forensic work shall be performed on copies of the digital evidence. The original device(s) shall be secured and protected for the entire process until a matter has been determined closed. The original drive shall not be imaged or cloned without consulting first with the OIAOffice of Internal Affairs.

  • When dealing with all other forms of non-digital evidence:

    • The original evidence shall be kept securely with a record of the individual who located it.

    • The individual who located the original evidence shall prepare a record of the location of the evidence, when the evidence was found, who witnessed the discovery of the evidence.

    • Package and transport of non-digital evidence in a secure manner consistent with chain of evidence procedures.