principle: Those first on the scene should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence.
policy: All activities should be in compliance with your organisational policy and the law.
procedure: After securing the scene and all persons on the scene, you should visually identify potential evidence, both conventional (physical) and electronic, and determine if fragile evidence exists. You should evaluate the scene and formulate a search plan.
Secure and evaluate the scene
* Follow your policy for securing the incident scene. This would include ensuring that all persons are removed from the immediate area from which evidence is to be collected. At this point in the investigation, do not alter the condition of any electronic devices: if it is off, leave it off; if it is on, leave it on.
* Protect volatile data physically and electronically. Volatile data may be found on pagers, PDAs, mobile phones, and other similar devices. You should always bear in mind that any device containing volatile data should be immediately secured, documented, and/or photographed.
* Identify telephone lines attached to devices, such as modems. Document, label, and disconnect each telephone line from the wall rather than the device, when possible. There may also be other communications lines present for LAN / Ethernet connections. Consult your forensic expert in these cases.
Keyboards, the mouse, diskettes, CDs, or other components may have fingerprints or other physical evidence that may require preservation. Chemicals used in processing prints can damage equipment and data; therefore, prints should be collected after electronic evidence recovery is complete.