Any information or data of probative value in an investigation that is stored in, received by, or transferred via an electronic device is considered digital evidence (U.S. Department of Justice, 2001). Such evidence is obtained when data and/or electronic devices are seized and made available for scrutiny. Unlike conventional types of evidence, digital evidence is latent, easily crosses jurisdictional lines, can be easily tampered with, and is frequently time sensitive. Because of this nature, digital evidence must be handled and stored with care. This document outlines recommended practices for handling and storing digital evidence.
When dealing with digital evidence, it is best to first document its condition. To do that, one can photograph, among other areas, the screen and the front and back of the computer, including the area where it is seized. Next, one should find out whether the computer is in stand-by mode; if so, one should follow the steps for a computer that is on. After that, one should document any external or peripheral component connections. Handling systems that are powered on and those that are off calls for different actions on the part of the examiner.
According to the Scientific Working Group on Digital Evidence (2014), if the system is powered on, the examiner ought to check whether any processes are running. Should any running process be destructive, the examiner should stop it and document this action. Next, one needs to capture the random access memory (RAM) and any other data that may be volatile. After that, find out whether the running programs are linked to off-site storage. If they are, the examiner must confirm that the legal authority obtained covers off-site acquisition.
If there are any running machines, the examiner needs to document them before hibernating them. If the computer has any encryption programs installed, the appropriate forensic methods should be used to record the data before turning off the computer. Trusted media should be used to save the open files. Should there be a need to power the computer off, the examiner should establish the consequences of pulling the power plug versus shutting down the machine; this depends on both the file system and the operating system. Then the computer should be isolated from any network connection, and finally a triage tool should be used to preview the data.
According to the Scientific Working Group on Digital Evidence (2014), where the computer is off, one should not turn it on; only people trained in previewing computers may turn the computer on and check the data. Then, one should disconnect any physical network connection, keeping in mind the likelihood of Wake on LAN or a BIOS-scheduled boot. Next, one should check whether the computer system is compatible with the triage software and tools. After that, the examiner should ascertain and document the evidence where applicable before exporting the evidence to a reliable device.
Any potential digital evidence must be preserved to guarantee its usefulness and to safeguard its integrity. Ideally, no spoliation should occur to the data or to any data linked to it, and examiners must be able to show that the evidence has not been altered from the time of identification or collection (Hamidovic & Salkic, 2016). Sometimes the data must be treated as confidential and stored in a way that guarantees confidentiality.
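One way an examiner can show that evidence has not been altered since collection is to hash it at the moment of acquisition and re-hash it at every later handover. The following is an added example, not code from the page or from the cited sources; it assumes SHA-256 as the digest (a common choice the page itself does not name) and uses a constructed byte string in place of a real acquired image.

```python
"""Integrity check for acquired evidence: hash at collection, re-verify later."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: stands in for the bytes of an acquired image or file.
SAMPLE_EVIDENCE = b"constructed sample acquisition data\n" * 4


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the evidence bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def record_collection(item_id: str, data: bytes, examiner: str) -> dict:
    """Create the custody entry at the moment of collection.

    The digest stored here is the reference every later verification
    is compared against, so it must be taken before any other handling.
    """
    return {
        "item": item_id,
        "examiner": examiner,
        "action": "collected",
        "sha256": sha256_hex(data),
        "time": datetime.now(timezone.utc).isoformat(),
    }


def verify(entry: dict, data: bytes) -> bool:
    """True if the evidence still matches the digest taken at collection."""
    return sha256_hex(data) == entry["sha256"]


def append_verification(log: list, entry: dict, data: bytes, examiner: str) -> bool:
    """Re-hash the evidence at a handover, log the outcome, and return the result."""
    ok = verify(entry, data)
    log.append({
        "item": entry["item"],
        "examiner": examiner,
        "action": "verified" if ok else "MISMATCH",
        "sha256": sha256_hex(data),
        "time": datetime.now(timezone.utc).isoformat(),
    })
    return ok


if __name__ == "__main__":
    log = []
    entry = record_collection("ITEM-001", SAMPLE_EVIDENCE, "examiner A")
    log.append(entry)
    append_verification(log, entry, SAMPLE_EVIDENCE, "examiner B")       # matches
    append_verification(log, entry, SAMPLE_EVIDENCE[:-1] + b"X", "examiner B")  # mismatch
    print(json.dumps(log, indent=2))
```

A single flipped byte changes the digest, so the custody log records a MISMATCH entry rather than silently continuing.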
References
Hamidovic, H., & Salkic, H. (2016). The Basic Steps of Digital Evidence Handling Process. Scientific Journal of Theory and Practice in Business Informatics and Information Communication Technologies.
SWGDE. (2014, September 5). SWGDE Best Practices for Computer Forensics. Retrieved from Scientific Working Group on Digital Evidence: https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Computer%20Forensics
U.S. Department of Justice. (2001, April 8). Electronic Crime Scene Investigation: A Guide for First Responders. Retrieved from National Institute of Justice: https://www.ncjrs.gov/pdffiles1/nij/219941.pdf