Home page / Computer Forensics / Digital Evidence
 

Acquisition of digital evidence begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for rules of evidence in that locality.

Although rules of digital evidence are still incomplete, the best and safest thing is to exceed the minimum requirements for evidence admissibility.

 Learn more about . . .
 
Evidence labeling
Evidence documenting
Examination process
Documenting analysis
Documenting the chain of custody
 

When forensic team takes all required steps to ensure evidence integrity, even above legal requirements for a minimum admissibility, such evidence will be not only admissible in court but will make a stronger impact.

Most forensic experts and organizations agree on some basic standards for handling digital evidence.

Such standards can be summarized as follows:

Original evidence should be preserved in its original form or a form as close to its original as possible at the time of seizure.
If possible, it is necessary to make a precise copy (image) of the original, so that a copy can be examined in order to preserve and protect integrity of the original
Copies of data made for the examination purpose should be created on a forensic sterile media. A media or disc is considered sterile if no data has been previously recorded thereon, as such media or disc should be completely clean, without viruses and defects.
All pieces of evidence must be properly marked and documented, while the chain of custody must be preserved
Each step of forensic analysis must be documented in details.