Chicago Police DepartmentSpecial Order S07-01-05
Recovered/Seized Computer Equipment
Issue Date:29 April 2014Effective Date:01 May 2014
Rescinds:9 March 2001 Version of G07-01-01
Index Category:Processing Property
I.Purpose
This directive:
  • A.sets forth Department policy regarding the recovery and processing of computers and electronic evidence for forensic analysis.
  • B.provides definitions of computer related evidence.
  • C.identifies procedures for recovery of computer related evidence.
  • D.outlines responsibilities of investigating officers and supervisors.
  • E.identifies the Bureau of Detectives Crime Analysis Technical Group as the unit responsible for the analysis of computer related evidence.
II.Policy
It is the policy of the Department to collect and analyze all evidence of a crime which may aid in identifying and/or prosecuting an offender. As computer technology becomes easier to use and more accessible to the general public, criminals use technology to their advantage. As a result, Department members are likely to encounter crimes committed with the aid of a computer. It is imperative that certain measures are taken to ensure that the evidence that may be contained in the computer is preserved and processed. The Bureau of Detectives Crime Analysis Technical Group is responsible for advising officers as to how to recover computer related evidence and determine what evidence will be analyzed. This is critical because accessing computer evidence improperly may destroy it.
III.General Information
  • A.If during the course of an investigation an officer determines that a computer or electronic device may have evidentiary value, it will be processed as evidence.
  • B.A computer or electronic device may be considered evidence if:
    • 1.the computer and/or its software is stolen property.
    • 2.it was actively used to commit an offense. For example, false ID's or other counterfeit documents prepared with a computer, scanner, or printer.
    • 3.it was used incidental to a criminal offense. For example, a narcotics dealer may use a computer to maintain trafficking records or financial documents.
    • 4.it was used as both the instrument to commit the crime and as a storage device for proceeds. For example, an offender may use a computer to access other computers and unlawfully retrieve credit card numbers. The stolen numbers may then be stored on the computer.
    • 5.information found on the victim's computer indicates a crime has or will be committed. For example, a homicide victim may have threatening electronic mail messages on a computer that may help to identify or implicate a suspect.
  • C.Officers identifying computers or computer equipment as evidence to be seized in the execution of a search or arrest warrant will contact the Bureau of Detectives Crime Analysis Technical Group as soon as possible after learning the computer or computer equipment is to be included in a warrant.
IV.Procedures
  • A.The investigating/recovering officer will:
    • 1.secure the scene and restrict access to the computer.
      • a.Under no circumstances will any officer attempt to access any data on the computer after it is determined that the computer may have evidentiary value. A search warrant may be needed to access data.
      • b.Officers will not make any attempt to shut down or disconnect the computer or any of its accessories. Doing so may cause severe damage or interruption of legitimate business in certain network systems.
    • 2.notify the Bureau of Detectives Crime Analysis Technical Group for instructions on how to proceed with the seizure of the computer, inclusive of a determination whether a warrant is needed.
      NOTE:
      If a recovery is made during off hours, CPIC will be contacted. The Crime Analysis Technical Group will be contacted for instructions by CPIC.
    • 3.inventory the computer as instructed by a member of the Crime Analysis Technical Group.
      NOTE:
      Instructions will not contradict procedures for processing of seized property as outlined in the Department directive entitled "Processing Property Under Department Control."
    • 4.take precaution due to the delicate nature of the equipment. In transporting equipment, officers will take special care to ensure that the equipment is not dropped, jarred, or left unsecured during transport. Doing so may cause irreparable damage to sensitive components. Officers will also ensure that the equipment is not transported or stored near any other components that may contain magnetic material. Magnets may erase valuable evidence that is stored on the equipment.
    • 5.restrict phone access of suspects/offenders until communication lines are disconnected from the computer. Failure to do so may allow access to the computer from a remote location, which may provide for the opportunity to destroy data.
  • B.The Bureau of Detectives Crime Analysis Technical Group will:
    • 1.accept and respond to inquiries from field personnel regarding the processing of computers as evidence.
    • 2.advise field personnel of proper procedures for processing computers and related items, such as printers, scanners, cables, etc., including chain of custody preservation.
    • 3.respond on scene when necessary and take custody of computers and equipment seized.
    • 4.respond with officers in the execution of search warrants which may involve the seizure of computers or related equipment, as dictated by circumstances.
    • 5.preserve the chain of custody for equipment that is under their control.
    • 6.prepare all necessary reports and functions regarding their findings in the analysis of the seized equipment.
Garry F. McCarthy
Superintendent of Police
12-149 JAB