Alternate Data Storage Forensics

The term "data objects" is used in this chapter to refer to discrete arrangements of digital information logically organized into something meaningful.
Digital evidence can be viewed as either the physical hardware or media that contains the relevant data objects or the data object itself.
How the evidence is viewed (the physical container versus the information itself) impacts the method of seizure.
The current seizure methodology employed by many law enforcement agencies focuses on the seizure of physical hardware.
A revised methodology should provide high-level guidance on approaching non-standard crime scenes, covering digital media identification, minimizing the crime scene by prioritizing the physical media, and the seizure of storage devices and media.
Whether to pull the plug or shut down properly is a difficult problem facing this community. The answer lies in the technical ability of the responder versus the complexity of the situation.
Several factors may limit our future ability to seize all the physical hardware. These factors include the size of media, disk encryption, privacy concerns, and delay related to laboratory analysis.
Based on factors that may limit future hardware seizure, we must educate our responders now about the other seizure options available.
These seizure options include preview of information on-scene, obtaining information from a running computer, imaging information on-scene, and the imaging of finite data objects...