The information that leads to your arrest is not dreamed up by some bored copper. Rather, it will most likely come from one of two distinct avenues. It can be allegations made by Intelligence-led investigation is the other avenue; an example is where people who used their credit cards to purchase illegal porn are revealed. Sometimes the evidence even comes out of rape or murder cases. When such cases occur, computers are taken because they can contain a whole treasure trove of information. Seized items are bagged with tamper-proof IDs and tags, clicking shut like the same cable ties we use to keep our own systems in order. The tag holds details such as a description of the item and photographs of the evidence as it was seized, along with the time and place of seizure, the case reference and an exhibit ID. Inside the clear bags would be all the IT gear belonging to the suspect. Evidence is not just computers and disks; it can also be passwords on Post-It notes or scraps of paper, printouts or even financial statements. The potential mountain of IT paraphernalia is then put in the back of a police van and driven away.
In situations where a business computer is involved the collection method can be very different. In cases such as these you can't take all the computers or the business would just fold.
The framework within which the e-crime investigator works is based around four major principles.
No action taken by the police should lead to a change in the source media. This is the main reason write blockers are used: accessing the disk before it has been cloned could lead to allegations that evidence was planted.
Any action that is performed on the source media must be documented, along with any potential issues that this may raise, for example where the original media is destroyed and needs to be rebuilt in a specialised clean room.
An audit trail should exist and contain documentation of any and all procedures that the evidence undergoes, so that the process is repeatable and produces the same outcome whenever it is repeated.
Any actions taken must fully comply with the letter of the law. For obvious reasons, if the law is not adhered to it could open up claims that lead to the case being thrown out.
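As an added illustration of the first and third principles (the original article contains no code), the following Python script hashes the source media before imaging, hashes the image, re-hashes the source afterwards to show it was not altered, and writes every step to an audit trail that a second examiner can replay. The write blocker is simulated by a plain byte-for-byte copy, and the exhibit ID, operator name and sample disk contents are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint used for the media before and after every step."""
    return hashlib.sha256(data).hexdigest()


def audit_entry(exhibit_id: str, operator: str, action: str, digest: str) -> dict:
    """One line of the audit trail: who did what, to which exhibit, with which hash."""
    return {
        "exhibit_id": exhibit_id,
        "operator": operator,
        "action": action,
        "sha256": digest,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def acquire(exhibit_id: str, operator: str, source: bytes):
    """Image the source read-only, recording hashes of source (before), image, and source (after)."""
    trail = []
    before = sha256_hex(source)
    trail.append(audit_entry(exhibit_id, operator, "hash source before imaging", before))
    image = bytes(source)  # simulated write-blocked, byte-for-byte clone
    image_hash = sha256_hex(image)
    trail.append(audit_entry(exhibit_id, operator, "hash forensic image", image_hash))
    after = sha256_hex(source)
    trail.append(audit_entry(exhibit_id, operator, "hash source after imaging", after))
    intact = before == image_hash == after  # source unchanged AND clone exact
    trail.append(audit_entry(exhibit_id, operator,
                             "verification " + ("PASSED" if intact else "FAILED"), image_hash))
    return image, trail, intact


def reverify(image: bytes, trail: list) -> bool:
    """Repeatability check: re-hashing the image must reproduce the hash in the trail."""
    recorded = [e["sha256"] for e in trail if e["action"] == "hash forensic image"]
    return bool(recorded) and all(sha256_hex(image) == h for h in recorded)


if __name__ == "__main__":
    SAMPLE_DISK = b"MBR\x00" * 128 + b"notes.txt: meeting 3pm\n"  # constructed sample media
    img, trail, ok = acquire("EXH/0001", "DC Example", SAMPLE_DISK)  # placeholder IDs
    print(json.dumps(trail, indent=2))
    print("verified:", ok, "reverify:", reverify(img, trail))
```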