Acquisition of digital evidence begins when information and/or physical items are collected or stored for examination purposes.
The term “digital evidence” implies that the collector of the evidence is recognized by the courts and that the process of collecting it is lawful and appropriate under the rules of evidence of that jurisdiction. Since the rules for digital evidence are still incomplete, the best and safest course is to exceed the minimum requirements for admissibility.
When a forensic team takes every step needed to ensure the integrity of the evidence, beyond the legal minimum for admissibility, that evidence will not only be admissible in court but will also carry more weight. Most forensic experts and organizations agree on a set of basic standards for handling digital evidence.
Such standards can be summarized as follows:
The original evidence should be preserved in its original form, or in a form as close as possible to its state at the time of seizure.
Whenever possible, make an exact copy (image) of the original and perform the examination on the copy, so that the integrity of the original is preserved and protected. Cryptographic hashes of the original and of the image, computed at acquisition, are what confirm that the copy is exact.
Copies made for examination should be created on forensically sterile media: media on which no data has previously been recorded, which is completely clean and free of malware and defects.
Every piece of evidence must be properly marked and documented, and the chain of custody must be preserved.
Each step of the forensic analysis must be documented in detail.
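As an added illustration of the imaging and sterile-media standards above (example code written for this page, not part of the original article), the following Python routine images a constructed in-memory "device", refuses a target that is not sterile, hashes the original before and after the copy to show the acquisition did not alter it, and records the image hash so the copy can be re-verified later. The case number, examiner name and device contents are constructed placeholders.

```python
"""Added example (not from the original article): acquire a forensic image of a
source device and verify it by hashing. The 'device' here is an in-memory byte
buffer constructed for the demo; on a real system the source would be a block
device opened read-only behind a hardware write blocker."""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096


def sha256_of(stream):
    """Hash a binary stream block by block so arbitrarily large media fit in memory."""
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(BLOCK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def is_sterile(stream):
    """Forensically sterile: nothing previously recorded, i.e. every byte reads as zero."""
    stream.seek(0)
    for chunk in iter(lambda: stream.read(BLOCK_SIZE), b""):
        if any(chunk):  # any non-zero byte means leftover data from earlier use
            return False
    return True


def acquire_image(source, target, case_id, examiner):
    """Copy source to target and return an acquisition record holding all three hashes.

    The record is 'verified' only if the original hashed the same before and after
    the copy (the acquisition did not alter it) and the image hashes identically.
    """
    if not is_sterile(target):
        raise ValueError("target media is not forensically sterile; wipe and re-check it first")
    source_before = sha256_of(source)
    source.seek(0)
    target.seek(0)
    for chunk in iter(lambda: source.read(BLOCK_SIZE), b""):
        target.write(chunk)
    target.truncate()  # image length must equal the source length
    source_after = sha256_of(source)
    image_hash = sha256_of(target)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256_before": source_before,
        "source_sha256_after": source_after,
        "image_sha256": image_hash,
        "verified": source_before == source_after == image_hash,
    }


def verify_image(image, record):
    """Re-hash an image later (before analysis, or in court) against the recorded hash."""
    return sha256_of(image) == record["image_sha256"]


def run_demo():
    """Constructed scenario: clean acquisition, a tampered copy, and a non-sterile target."""
    source = io.BytesIO(b"constructed sample disk contents " * 1000)  # fake ~33 KB device
    target = io.BytesIO()  # empty buffer stands in for a freshly wiped disk
    record = acquire_image(source, target, case_id="CASE-0001", examiner="A. Examiner")

    tampered = io.BytesIO(target.getvalue())
    tampered.seek(100)
    tampered.write(b"X")  # a single changed byte is enough to break the hash

    used_media = io.BytesIO(b"\x00" * 512 + b"old data")  # leftover data from earlier use
    try:
        acquire_image(source, used_media, "CASE-0001", "A. Examiner")
        sterile_check_raised = False
    except ValueError:
        sterile_check_raised = True

    return {
        "record": record,
        "image_verifies": verify_image(target, record),
        "tamper_detected": not verify_image(tampered, record),
        "sterile_check_raised": sterile_check_raised,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Running the file prints the acquisition record. In practice the record (both source hashes, the image hash, examiner, case number and UTC time) is attached to the evidence log, and the image is re-hashed against it every time it changes hands or is loaded for analysis.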
The evidence is labeled by the person who first comes into contact with it. That person writes his or her initials or full name on the item, together with the date, the time and the case identification number.
There are two ways to mark evidence: marking the object itself, or marking a label attached to the object. Direct marking is preferable and is used whenever possible. Objects that cannot be marked directly are placed in bags that are sealed and then labeled, usually with a marker.
The evidence log is the most important document produced while collecting evidence. It lists every item of evidence discovered and collected at the scene, with a detailed description of each item and the date and time of its collection.
The description must be detailed enough to distinguish the item from similar objects, so it includes serial numbers and any other available identifiers. The log also records every change of possession of the evidence from one person to another.
Recording and tracking these changes of possession is the key to preserving the chain of custody.
The investigative process is the essence of computer forensics. Its structure, and the methodology that defines it, must above all ensure a rigorous and thorough investigation; beyond that, proper evidence-handling procedures must be in place and the chances of error kept to a minimum. The same process applies to criminal, military and corporate investigations of computer security compromises such as hacker attacks, viruses and misuse.
At the end of every case, technicians and investigators hand the resulting data to prosecutors and authorities, who decide how significant the evidence is. If the case goes to court, the investigators present their findings and testify to the validity of the data. Every forensic investigative process aims at the following:
- acceptability – the procedures and methods are accepted by other professionals;
- reliability – the methods used can substantiate the findings;
- verifiability – the process can be repeated by anyone, regardless of time and place;
- integrity – the state of the evidence is unchanged;
- logical connections between the suspect, the events and the findings (cause and effect);
- documentation – recording the key facts for the forensic technician's testimony.
All of this has one purpose: to enable the most convincing arguments, based on facts, and to make them acceptable in the eyes of the law.
The investigator and the forensic examiner are responsible for complete and precise documentation of the analysis itself as well as of the conclusions, which are presented in a report at the end of the investigation.
Documentation of the analysis is carried out in parallel with the analysis itself, and it must be precise and detailed at every step.
In order to follow the procedure correctly, the investigator should:
- make notes during consultations with the prosecutor and/or detective;
- have a copy of the warrant;
- have a copy of the chain-of-custody record;
- make notes detailed enough that the actions can be repeated;
- record the date, time and place with every result;
- document any irregularities encountered;
- attach any additional original information about the system under investigation (user list, network topology, hardware);
- document all changes made to the system or device;
- document the OS type and application versions;
- document all additional information collected on site or from remote backup locations.
When the analysis is finished, a report must be prepared and delivered in the correct form to the authorities. Using a standard report format makes the report easier to read.
The report should contain:
- the institution that performed the analysis,
- the case number,
- the ID of the person in charge of the investigation,
- the ID of the person who delivered the evidence,
- the date of receipt,
- the date of the report,
- a list of the items submitted for analysis, with serial numbers, manufacturers and models,
- the ID and signature of the investigator,
- a short description of the actions performed,
- the result or conclusion of the investigation.
It is also useful to add a detailed report of the findings:
- names of the specific files connected with the investigation,
- names of files deleted and then recovered in the course of the investigation,
- keywords used for searching,
- evidence related to network traffic (logs, e-mails, etc.),
- image analysis,
- techniques used to hide data (hidden partitions, steganography, encryption, filename anomalies).
In addition to this report, a digital copy of the evidence material, the chain-of-custody record and printouts of the specific evidence are always provided.
Documenting the chain of custody
The term chain of custody refers to the continuity of evidence: it establishes which person had the legal right to possess, handle or transport the evidence at any given moment. In legal proceedings it must be possible to trace everything that happened to the evidence from its collection to its presentation in court.
Every inconsistency in the evidence log opens the possibility that the evidence was misused, tampered with or altered in some way. The proof that the material is identical to what was originally collected is the testimony of the person who collected it: that it was not manipulated or changed, that it is the same item now presented in the courtroom, and that it was transported in accordance with the law. For digital evidence, the hash values recorded at acquisition corroborate that testimony, since any alteration of the data changes the hash.
The integrity of the evidence clearly depends on the number of people who had the opportunity to handle it. In practice the best solution is for a single person to accompany the evidence throughout. With digital evidence, however, the data must be processed and analysed, and that person cannot be constantly present. In those cases the solution is for the laboratory that does the processing to issue a receipt at the moment it takes the evidence in and again when it delivers the results. In this way the integrity of the evidence is secured.
This way of processing digital evidence means that the forensic examiner or technician who worked on the case must testify in court about how the evidence was stored and protected while it was in the laboratory.
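The evidence log described earlier (which records every change of possession) and the chain-of-custody section above come down to the same check: every hand-off must be accounted for, with no gaps, and the item must be demonstrably unchanged. The following Python class is an added example written for this page, not the article's own material. It keeps a hash-chained custody log for one evidence item and verifies continuity of holders, time ordering, and the item hash recorded at acquisition. The case number, item, people and timestamps are constructed.

```python
"""Added example (not from the original article): a tamper-evident chain-of-custody
log for one evidence item. Each entry is hash-chained to the previous one, and
verify() applies the continuity rules from the text: every hand-off starts with the
person who last held the item, time never runs backwards, and the item's own hash
(recorded at acquisition) never changes. All names, IDs and timestamps are constructed."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def chain_hash(prev_hash, body):
    """Hash of this entry's fields together with the previous entry's hash."""
    payload = json.dumps([prev_hash, body], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    def __init__(self, case_id, item_id, description):
        self.case_id = case_id
        self.item_id = item_id
        self.description = description  # make, model, serial: enough to tell similar items apart
        self.entries = []

    def record(self, timestamp_utc, action, holder_from, holder_to, location, item_sha256, note=""):
        """Append one custody event. timestamp_utc is ISO 8601 in UTC so string order == time order."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries) + 1, "timestamp": timestamp_utc, "action": action,
                "from": holder_from, "to": holder_to, "location": location,
                "item_sha256": item_sha256, "note": note}
        entry = dict(body, entry_hash=chain_hash(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of discrepancies; an empty list means the log is internally consistent."""
        problems = []
        prev_hash, prev = GENESIS_HASH, None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if chain_hash(prev_hash, body) != e["entry_hash"]:
                problems.append(f"seq {e['seq']}: entry hash mismatch (log edited after the fact)")
            if prev is not None:
                if e["from"] != prev["to"]:
                    problems.append(f"seq {e['seq']}: custody gap, {e['from']!r} was not the "
                                    f"last recorded holder ({prev['to']!r})")
                if e["timestamp"] < prev["timestamp"]:
                    problems.append(f"seq {e['seq']}: timestamp earlier than the previous entry")
                if e["item_sha256"] != prev["item_sha256"]:
                    problems.append(f"seq {e['seq']}: item hash changed, evidence integrity in doubt")
            prev_hash, prev = e["entry_hash"], e
        return problems


ITEM_HASH = hashlib.sha256(b"constructed image contents").hexdigest()


def good_log():
    """Constructed, fully consistent custody history for one drive."""
    log = CustodyLog("CASE-0001", "ITEM-03", "2.5in SATA SSD, 256 GB, S/N CONSTRUCTED-123")
    log.record("2024-03-01T09:15:00Z", "collected", "scene", "Officer A", "suspect office", ITEM_HASH)
    log.record("2024-03-01T12:40:00Z", "transferred", "Officer A", "Lab receiving", "forensic lab", ITEM_HASH)
    log.record("2024-03-02T08:00:00Z", "analysed", "Lab receiving", "Examiner B", "forensic lab", ITEM_HASH)
    log.record("2024-03-05T16:30:00Z", "returned", "Examiner B", "Officer A", "evidence store", ITEM_HASH)
    return log


def gap_log():
    """Someone hands over an item the log never shows them holding."""
    log = good_log()
    log.record("2024-03-06T10:00:00Z", "transferred", "Officer C", "Prosecutor", "court", ITEM_HASH)
    return log


def edited_log():
    """A field is changed in place after the fact; the hash chain exposes it."""
    log = good_log()
    log.entries[1]["location"] = "unknown"
    return log


def altered_item_log():
    """The item re-hashes differently at a later step: the evidence itself changed."""
    log = good_log()
    log.record("2024-03-06T10:00:00Z", "re-examined", "Officer A", "Examiner B", "forensic lab",
               hashlib.sha256(b"modified image contents").hexdigest())
    return log


if __name__ == "__main__":
    for name, log in [("good", good_log()), ("gap", gap_log()),
                      ("edited", edited_log()), ("altered item", altered_item_log())]:
        print(name, "->", log.verify() or "consistent")
```

The hash chain only makes silent editing of the log detectable; it does not replace signatures and receipts from each holder, which are what let the people in the chain testify to their part of it. The item hash carried in every entry is the same value recorded at acquisition, so re-hashing the evidence at any hand-off immediately shows whether it still matches.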