Digital Evidence Preservation – Digital Forensics
As the realm of the Internet, technology, and digital forensics constantly expands, there is a need for you to become familiar with the ways they contribute to preserving digital evidence. The fundamental importance of digital evidence preservation is quite clear. Through this article, we want to highlight the necessity of following a series of steps in order to preserve digital evidence, as even a small inattentive move could lead to a loss of evidence and the collapse of a case.
In this article, we will be covering the following topics:
- Top 11 Critical Steps in Preserving Digital Evidence.
- Details You Should Plan To Share.
- Three Methods to Preserve Digital Evidence.
- Problems in Preserving Digital Evidence.
Let’s start discussing each section in detail.
Top 11 Critical Steps in Preserving Digital Evidence
In this section, we will be discussing the critical steps that need to be followed to prevent loss of data before the device is brought to forensic experts. Time is highly important in preserving digital evidence.
- Do not change the current state of the device: If the device is OFF, it must be kept OFF and if the device is ON, it must be kept ON. Call a forensics expert before doing anything.
- Power down the device: In the case of mobile phones, if the phone is not charged, do not charge it. If the mobile phone is ON, power it down to prevent any data wiping or data overwriting due to automatic booting.
- Do not leave the device in an open area or unsecured place: Ensure that the device is not left unattended in an open or unsecured area. You need to document things like where the device is, who has access to the device, and when it is moved.
- Do not plug any external storage media in the device: Memory cards, USB thumb drives, or any other storage media that you might have, should not be plugged into the device.
- Do not copy anything to or from the device: Copying anything to or from the device will cause changes in the slack space of the memory.
- Take a picture of the piece of evidence: Ensure that you take pictures of the evidence from all sides. If it is a mobile phone, capture pictures from all sides, to show that the device has not been tampered with until the forensic experts arrive.
- Make sure you know the PIN/password pattern of the device: It is very important for you to know the login credentials of the device and share them with the forensic experts, so they can carry out their job seamlessly.
- Do not open anything like pictures, applications, or files on the device: Opening any application, file, or picture on the device may cause data loss or memory to be overwritten.
- Do not trust anyone without forensics training: Only a certified forensics expert should be allowed to investigate or view the files on the original device. Untrained persons may cause the deletion of data or the corruption of important information.
- Make sure you do not shut down the computer; if required, hibernate it: Digital evidence can be extracted from both the disk drives and the volatile memory. Hibernation mode will preserve the contents of the volatile memory until the next system boot.
Details You Should Plan To Share
For the evidence to be professionally acquired by forensics investigators, the device is either seized or a forensic copy is created at the site of the "crime" scene. Key points to remember to speed up the process of preserving digital evidence and ease the process for the authorities:
- Prepare yourself to share your authentication codes like screen patterns and passwords.
- You may also need to share the device manuals, chargers, and cables.
- Device interactions with the Internet can also be analyzed to build a complete and most appropriate picture of overall activity.
- Have ownership of the device that you plan to submit to the police. If you do not have the authority or you are not voluntarily submitting the device, the police may need to seize the device under their lawful powers.
- It is easier to share external memory storage with the police than your device itself, so it is recommended that you have external memory configured for your phone instead of giving your phone away every time.
- Regularly back up your phone data and retain copies of these backups for future use. These will help you restore another handset or your phone if needed at a later date, and can also help to log a trail of incidents.
Three Methods To Preserve Digital Evidence
In this section, we will discuss three methods that can be used by forensics experts to preserve any evidence before starting the analysis phase.
- Drive Imaging: Before forensic investigators begin analyzing evidence from a source, they need to create an image of the evidence. Imaging a drive is a forensic process in which an analyst creates a bit-by-bit duplicate of the drive. When analyzing an image, forensic experts need to keep in mind the following points:
- Even wiped drives can retain important and recoverable data that can be identified.
- Forensic experts can recover all deleted files using forensic techniques.
- Never perform forensic analysis on the original media. Always operate on the duplicate image.
A piece of hardware or software that helps facilitate the legal defensibility of a forensic image is a “write blocker”, which forensic investigators should use to create the image for analysis.
- Hash Values: When a forensic investigator creates an image of the evidence for analysis, the process generates cryptographic hash values like MD5, SHA1, etc. Hash Values are critical as:
- They are used to verify the Authenticity and Integrity of the image as an exact replica of the original media.
- When admitting evidence in the court, hash values are critical as altering even the smallest bit of data will generate a completely new hash value.
- When you perform any modifications like creating a new file or editing an existing file on your computer, a new hash value is generated for that file.
- Hash value and other file metadata are not visible in a normal file explorer window but analysts can access this information using special software.
If the hash values of the image and the original evidence do not match, it may raise concerns in court that the evidence has been tampered with.
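The imaging and hash-verification steps described above, as an added example that is not part of the original article: the script copies a "drive" bit for bit in fixed-size chunks, records MD5 and SHA-256 while the source is read (the acquisition hash), re-hashes the written image (the verification hash), and then shows that altering a single byte of the image breaks the match. File names and contents are constructed for the demonstration; in practice the source would be a block device read through a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large media never has to fit in memory


def stream_hashes(path):
    """Return (md5, sha256) hex digests of a file read sequentially.
    Two algorithms are recorded, as examiners commonly do, so that a weakness
    in one does not undermine the integrity record."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def create_image(source, dest):
    """Bit-for-bit copy of `source` into `dest`.
    Hashes the bytes as they are read (acquisition hash), then re-hashes the
    finished image (verification hash) and reports whether the two agree."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
    acquired = (md5.hexdigest(), sha256.hexdigest())
    verified = stream_hashes(dest)
    return {
        "source_md5": acquired[0], "source_sha256": acquired[1],
        "image_md5": verified[0], "image_sha256": verified[1],
        "match": acquired == verified,
    }


def verify_image(image_path, expected_sha256):
    """Recompute the image hash (before analysis, or again for court) and
    compare it with the value recorded at acquisition."""
    return stream_hashes(image_path)[1] == expected_sha256


def demo():
    """Constructed demonstration: image a fake drive file, confirm the hashes
    agree, then flip one byte of the image and show verification fails.
    Returns (acquisition matched, verified before edit, verified after edit)."""
    tmp = tempfile.mkdtemp()
    drive = os.path.join(tmp, "drive.bin")   # constructed stand-in for the media
    image = os.path.join(tmp, "drive.dd")    # constructed raw image name
    with open(drive, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 123))  # constructed sample content
    record = create_image(drive, image)
    ok_before = verify_image(image, record["source_sha256"])
    # Simulate tampering: change a single bit at byte offset 1000 of the image.
    with open(image, "r+b") as fh:
        fh.seek(1000)
        original = fh.read(1)
        fh.seek(1000)
        fh.write(bytes([original[0] ^ 0x01]))
    ok_after = verify_image(image, record["source_sha256"])
    return record["match"], ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # → (True, True, False)
```

Recording both the acquisition and the verification hash, and noting them on the chain-of-custody form, is what lets an examiner later prove that the image analyzed is the same bytes that were read from the original media.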
- Chain of Custody: As forensic investigators collect media from the client and transfer it, they should document all the steps conducted during the transfer of the media and the evidence on Chain of Custody (CoC) forms and capture signatures, date, and time at each media handoff. It is essential to complete CoC paperwork for the following reasons:
- CoC demonstrates that the image has been under known possession since the time the image was created.
- Any lapse in the CoC nullifies the legal value of the image, and thus the analysis.
- Any gaps in the possession record, such as any time the evidence was left unattended in an open space or an unsecured location, are problematic.
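The continuity checks a CoC reviewer performs, as an added example that is not part of the original article: each handoff record names who released the image, who received it, when, and the hash recorded at that point. The checker flags the three problems the text describes: an interval during which nobody had signed for the evidence, a release by someone who never signed for it, and a hash that differs from the previous handoff. All names, times and digests below are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed chain-of-custody log with no defects: every handoff is immediate,
# each releaser is the previous receiver, and the hash never changes.
CLEAN_LOG = [
    {"released_by": "J. Smith (first responder)", "received_by": "A. Lee (examiner)",
     "released_at": "2024-05-01T09:00", "received_at": "2024-05-01T09:00",
     "sha256": "0000...feed"},
    {"released_by": "A. Lee (examiner)", "received_by": "Evidence locker #3",
     "released_at": "2024-05-01T17:30", "received_at": "2024-05-01T17:30",
     "sha256": "0000...feed"},
]

# Constructed log with deliberate defects for the checker to find.
FLAWED_LOG = [
    CLEAN_LOG[0],
    # 45 minutes pass between release and receipt: evidence unaccounted for.
    {"released_by": "A. Lee (examiner)", "received_by": "B. Kaur (examiner)",
     "released_at": "2024-05-02T10:00", "received_at": "2024-05-02T10:45",
     "sha256": "0000...feed"},
    # Released by someone who never signed for it, and the hash has changed.
    {"released_by": "C. Doe (contractor)", "received_by": "Evidence locker #3",
     "released_at": "2024-05-02T18:00", "received_at": "2024-05-02T18:00",
     "sha256": "1111...dead"},
]


def check_chain(entries, max_handoff=timedelta(0)):
    """Return a list of (entry index, problem) tuples for a CoC log.
    `max_handoff` is the longest release-to-receipt interval tolerated; the
    default of zero requires the receiver to sign at the moment of release."""
    problems = []
    for i, entry in enumerate(entries):
        released = datetime.fromisoformat(entry["released_at"])
        received = datetime.fromisoformat(entry["received_at"])
        if received < released:
            problems.append((i, "receipt recorded before release"))
        elif received - released > max_handoff:
            problems.append((i, f"unaccounted interval of {received - released}"))
        if i > 0:
            prev = entries[i - 1]
            if entry["released_by"] != prev["received_by"]:
                problems.append((i, "released by someone who never signed for it"))
            if entry["sha256"] != prev["sha256"]:
                problems.append((i, "recorded hash differs from previous handoff"))
    return problems


if __name__ == "__main__":
    print(check_chain(CLEAN_LOG))   # → []
    for index, problem in check_chain(FLAWED_LOG):
        print(f"entry {index}: {problem}")
```

Any non-empty result is exactly the kind of lapse the text warns about: the image's legal value depends on every interval and every custodian being accounted for, and on the same hash being recorded at each signature.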
Problems in Preserving Digital Evidence
In this section, we will discuss a few problems that are encountered while preserving evidence.
- Legal Admissibility: The highest risk is legal admissibility. If the evidence of a crime is a piece of digital media, it should be immediately quarantined and put under the CoC; an investigator can create an image later.
- Evidence Destruction: If threat actors have installed an application on a server, future forensic analysis will rely on that application still being present and not deleted from the system.
- Media Still in Service: If the media is still in service, the risk of vital evidence being destroyed grows with the amount of time that has elapsed since the incident took place.