Question: Reading about computer-related crimes and how law enforcement policies are lagging in adjusting to the digital age, I came across this document which is a manual of sorts, recommendations for the first responders to a scene of a computer crime put together by the National Institute of Justice (American Department of Justice agency) in 2001. The document gives suggestions of procedures to follow regarding collecting digital/physical evidence and how to minimize contamination of the crime scene and package machines/drives etc. for transportation so that the defense/courts later don’t object to how the evidence was collected, analyzed, and presented.
On page 44 of the PDF (page 31 numbered in the document), it says:
“Regardless of the power state of the computer (on, off, or sleep mode), remove the power source cable from the computer-NOT from the wall outlet.”
My question is, why does it matter where the power cable is disconnected from? If the first responder has made the decision to disconnect power, does it make a difference? It says not to use the shutdown sequence or press a button because data on the HD can be erased/changed. That makes sense. But if you decide to pull the plug, why does it matter where you pull it from? Are they concerned with booby traps? Or is it just safer for the person pulling the cable, you know, like getting a shock or something? Or does the point of power disconnect affect the HD/RAM somehow?
Thanks!
Answer: A wall outlet may not be the way to ensure power is cut due to a UPS or a messy nest of power cords. When pulled from the laptop (or tower for that matter) you ensure that the device is off primary power. Pulling the laptop battery must be in the process.