TheFraud Examiners Manuallists required steps before seizing evidence:
Obtain legal authority.
Review privacy issues.
Ensure software/hardware are validated.
Document surroundings, inspect for traps, image drives, etc.
There isno requirementto assemble a team exclusively of outside experts.
Before seizing evidence in adigital forensic investigation, the2014 International Fraud Examiners Manualoutlines several critical steps:
“Before obtaining evidence, ensure that there is legal authority to seize evidence and review the data associated with the evidence. This might require obtaining a warrant in a criminal matter or ensuring that internal policies authorise seizure for an internal investigation.”
“Before the fraud examiner can seize evidence, he must take certain steps to help ensure that the evidence will be admissible: He must determine whether there are any privacy interests in the item(s) to be searched… In every case where it becomes necessary to seize a computer or other device capable of storing digital evidence, the investigator should consult with legal counsel.”
“It is important to allow a trained examiner to conduct a proper seizure and examination of digital evidence to help ensure that the information can be used in a legal proceeding.”
✅These are allvalid required steps.
In contrast, the idea that the team must be composedonly of outside digital forensic expertsisNOT a required step. The Manual stresses flexibility in team composition:
“Some organisations have their own in-house personnel… while others might prefer the use of an outside examiner. Sometimes retrieving digital data is as easy as searching the target computer’s hard drive, but other times retrieval requires a thorough knowledge of computers.”
Thus, requiringonly outside expertsis not a standard step, since investigations may useinternal, external, or a mixof specialists depending on the situation.
