Evidence Preservation Tool
This simple but effective program is designed to limit access to computers
that have been seized as evidence. All too often, 'resident computer
experts' get curious and attempt to operate seized computers in hopes of
finding clues or evidence. These individuals are often not trained
in computer forensics and are therefore unfamiliar with proper computer
evidence processing procedures. They typically don't know that even the
mere running of a computer system can overwrite evidence stored in the
Windows swap file and/or in erased file space. This program was written
to help prevent these common problems, and its uses are described in:
- Computer Forensics, Incident Response Essentials by Warren G. Kruse II and Jay G. Heiser
- Cyber Crime Investigator's Field Guide by Bruce Middleton
- Cybersecurity Operations Handbook by Dr. John W. Rittinghouse and Dr. William M. Hancock
When the Seized program is operated, it locks the computer system and displays a
message on the screen advising the computer user that the computer contains
evidence and it should not be operated without authorization. The program
was designed to be installed on a DOS system diskette for placement in all
floppy diskette drives on the computer system. The program is called from an
AUTOEXEC.BAT file configured to call the program. Once the program has been
called it locks the computer and displays the warning message on the screen.
Please note that this methodology may not work effectively if the seized
computer is configured to boot from the computer hard disk drive. Therefore,
a knowledgeable computer forensic specialist should configure system diskettes
to boot with the automatic operation of the program. The computer specialist
should also examine the content of CMOS to ensure that the computer will boot
from a floppy diskette rather than a hard disk drive.
SEIZED Program - Primary Uses:
- Used to aid in the preservation of computer evidence.
- Provides the computer user with an audible and visual warning that the subject computer has been seized as evidence. It also warns them to cease operation and locks the computer keyboard.
- Provides the computer user with the name and phone number of the computer specialist who seized the computer. This information is embedded in the program by NTI.
SEIZED - Program Features and Benefits:
- DOS based for ease of use on a single floppy diskette.
- No Software Dongle! - We know that software dongles get in the way and they restrict your ability to process several computers at the same time. That is why NTI does not use software dongles and our licensing of this software allows you to process multiple computers at the same time. NTI's goal is to make your life easier and this software was designed with ease of use in mind.
- Compact program which easily fits on any system formatted floppy diskette.
- Provides visual and audible alerts warning that the subject computer contains evidence.
- Prevents the operation of the computer.
- Clearly displays the name and phone number of the computer specialist who seized the computer as evidence.
- Cannot be bypassed by pressing the (Control C) or (Control Break) keys.
- Provided free to law enforcement agencies to help with limited budgets.
Copyright © 2004 by New Technologies Armor, Inc. January 16, 2004