Alternate Data Storage Forensics

Summary

There is no doubt that the investigators of tomorrow will be faced with more digital information present in greater numbers and types of devices. Seizing the relevant evidentiary information is, and will continue to be, a critical step in the overall computer forensics process. The current view that the physical hardware is the evidence has now been joined by a different view that the information can be regarded as evidence. Whether the hardware or information is viewed as evidence has a dramatic effect on how we seize or collect evidence, both at the scene and in the forensics laboratory.

A number of factors may limit the continued wholesale seizure of the physical hardware. The storage size of the suspect's computer hard drive or storage network may exceed an investigator's ability to take everything back to the forensics laboratory. Full disk encryption, now released as part of the Windows Vista operating system, may foil an investigator's ability to recover any data without the proper encryption key. Further, concerns over commingled and third-party data, covered by the Privacy Protection Act, may impact the ability of an investigator to seize more data than specified in the warrant. Lastly, the increasing amount of seized digital evidence is having an effect on the ability of many of the computer forensics laboratories to complete forensic analyses in a timely manner. Both investigations and prosecutions may be suffering because of delays in the processing of digital evidence.

While the existing seizure methodology is focused on the seizure...
