Techno Security's Guide to Managing Risks for IT Managers, Auditors, and Investigators

Other Options for Seizing Digital Evidence

The wholesale seizure of the physical storage device/media is arguably the most common form of seizure practiced by law enforcement responders today. The question remains, are there other options besides the seizure of physical devices that are available to responders? If yes, are these methods of seizure within the reach of anyone but the most technical of responders?

For a long time, up to and including today, many in the forensics community have placed little faith in the ability of on-scene responders to deal appropriately with the computers they may encounter. The direction was simply "Don't touch the keyboard. Pull the plug and send everything to the lab." In many cases, the forensics side of the house is correct to protect against the possible corruption or destruction of data by taking this hard-line approach, particularly based on the technology of yesterday, but at what cost? Although the computer forensics community might have intended to do the most good by promulgating the pull-the-plug mantra, we need to examine how disempowering the on-scene responders may affect the overall forensic process, from seizure through analysis to investigation and ultimately prosecution.

The latest Search and Seizure of Computers and Obtaining Digital Evidence (Manual), published by the Department of Justice, supports the proposition that the seizure of digital evidence should be an incremental process, based both on the situation and the training level of the responder. The Manual describes an incremental approach as a search strategy (pg. 221) for the seizure...
