Evidence handling is one of the most important aspects of Digital Forensics because it singlehandedly determines whether evidence will meet the standards necessary to be admissible in a court of law. Evidence needs to be authentic, reliable, and complete in order to be considered legally valid. Here are some key elements that need to be kept in mind in relation to evidence handling:
Policies and procedures
It is critical to establish policies and procedures that provide detailed guidance on how potential digital evidence will be recovered, how systems will be prepared before evidence retrieval, where retrieved evidence will be stored, and how these activities will be documented. This ensures that a formal and unambiguous methodology is followed for collecting evidence and ensuring the authenticity of data.
Preparation
Computer forensic examiners must properly analyze the case at hand to determine where evidence will be collected. Protocols and applicable regulatory requirements should be followed for acquiring evidence. The method that will be used to make a copy of the source evidence should also be determined and agreed upon.
Collection
After identifying what sources of evidence need to be included in scope, the collection process begins where the computer forensic investigator creates a copy of the electronic evidence in order to preserve it. Computer forensic examiners typically make a bit stream backup of all evidence before reviewing or processing it. Bit stream backups are also known as “mirror image” backups and involve backing up all areas of the device/media such that the backup exactly replicates the device/media.
Hashing
Hashing is a method to ensure the integrity of data acquired by an investigator. A one-way algorithm is created and applied when the investigator images evidence. If the hash value of the data before starting the imaging process matches the hash value of the copy, this demonstrates that the evidence has not been tampered with during the process to ensure its integrity and admissibility in court.
Chain of custody
A chain of custody is a paper trial or sequential documentation of the entire evidence-handling process. It details all the steps performed for data collection, sequence of control, transfer, and analysis of evidence to ensure that it can serve as a supporting form of evidence in a court of law. It is very important to maintain the chain of custody to preserve the integrity of the evidence.
Handling and transportation
Each piece of electronic evidence should be stored in its own electronic evidence bag/box for transportation. Smaller devices could be stored together provided they are first labeled and logged. When transporting evidence, extra caution should be taken so that there is no damage or adverse effect from extreme weather conditions.
Encryption
All collected electronic data should be encrypted and secured at all times of collection, in transit, and at its destination.