Digital forensics is the use of scientific knowledge to collect, analyze, and present digital evidence in court.
Digital forensic examiners draw on an array of techniques for discovering data on a computer, often to recover deleted, encrypted, or damaged files (graphics, documents, images and so forth).
All of this information is crucial, especially during discovery, prior to depositions, or in preparation for criminal or civil litigation. Much of the information to be recovered is not found in deleted files alone. It may be hidden in other data files such as HTML, e-mail entries, and information recovered from hard disk areas such as virtual memory, slack space, or the recycle bin.
Evidence Collection: Some Considerations
The manner in which digital evidence is collected and preserved is crucial to any investigation or legal matter. The following are general guidelines companies should adhere to when collecting electronic evidence. Whenever possible, a digital forensic examiner should be consulted.
- First and foremost, the business, with the help of their attorney, must determine if they have a legal right to collect the data stored on the electronic device(s) of interest.
- Files on computer hard drives and most other forms of digital media are time-stamped every time they are accessed or modified. To preserve the evidence as it was last used, it is imperative to have the device turned off, the power cable removed and, if possible, the device stored in a secure location. IT personnel, while very knowledgeable, can unintentionally alter what may be critical data in an investigation simply by using the device or reassigning it to another employee.
- All suspects and witnesses should be removed from the general area where the electronic device is being stored. If this is not possible, the electronic evidence should be collected or preserved after regular business hours, when any suspects and witnesses are not present. Also, whenever possible, the suspects and witnesses should not be notified that evidence is being collected from an electronic device assigned to them.
- If it is not practical to move an electronic device to a forensic laboratory, a forensic examiner should image or replicate the device onsite, using generally accepted digital forensic methods. Keep in mind that the length of this process depends on the size of the hard drive(s) and the volume of data being imaged.
- Next, all information pertinent to the investigation should be gathered before any work is performed on the data contained on the electronic device. This includes passwords, the type of operating system(s) in use, screen names, e-mail addresses, software programs of interest, etc.
- The area immediately surrounding the location of the electronic device in question should be searched thoroughly for any evidence. Digital forensic examiners routinely photograph the entire work space and look for alternate data storage devices or signs of their use. External hard drives, floppy disks, USB flash drives, SD cards and readers, voice recorders, digital cameras, and even iPods can all be used to store data that may be relevant to an investigation.
- The collection of any electronic device should be documented using a Chain of Custody form. The form should record the date, the name of the person collecting the electronic device, the name of the authorized person releasing the device, a detailed description of the electronic device in question and any identifying information, such as a serial number. Time-stamped photos of the electronic device should also be taken. If collecting data from an electronic device (such as a laptop) is not practical to perform onsite, the client can ship the electronic device to the digital forensic examiner. Photos of the device should be taken prior to shipping, and a cover letter describing the electronic device being shipped should be included with the shipment. The shipment should be traceable and the item should be packaged with a great deal of care.
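The two steps above that an examiner actually performs on data, imaging the device and recording the chain of custody, are shown together in the following added example (not code from the original article). A small constructed file stands in for the device; the image is hashed as it is made and the digest goes into the custody record, so anyone handling the image later can prove it is unchanged. Field names and the sample collector, releaser and serial number are assumptions.

```python
import hashlib
import hmac
import tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # copy and hash in 1 MiB pieces

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(src_path, image_path):
    """Bit-for-bit copy of the source; the source is hashed as it is read and the
    written image re-hashed independently. Both digests must match before use."""
    src_hash = hashlib.sha256()
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    return src_hash.hexdigest(), hash_file(image_path)

def custody_record(collector, released_by, description, serial, image_sha256):
    """Chain-of-custody entry: fields from the text plus the image digest (names assumed)."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "released_by": released_by,
        "device_description": description,
        "serial_number": serial,
        "image_sha256": image_sha256,
    }

def verify_image(image_path, record):
    """Re-hash the image and compare with the recorded digest (constant-time compare)."""
    return hmac.compare_digest(hash_file(image_path), record["image_sha256"])

def demo():
    # Constructed sample: a small patterned file stands in for the device being imaged.
    with tempfile.TemporaryDirectory() as d:
        dev, img = f"{d}/device.bin", f"{d}/device.dd"
        with open(dev, "wb") as f:
            f.write(bytes(range(256)) * 8193 + b"tail")  # ~2 MiB, not real evidence
        src_digest, img_digest = image_device(dev, img)
        rec = custody_record("J. Examiner", "IT manager", "laptop HDD", "SN-PLACEHOLDER", img_digest)
        intact = verify_image(img, rec)
        with open(img, "r+b") as f:  # simulate a later one-byte change to the image
            f.seek(100); f.write(b"\xff")  # byte 100 of the pattern is 0x64, so this alters it
        return src_digest == img_digest, intact, verify_image(img, rec)
```

`demo()` returns whether source and image digests agreed, whether the fresh image verified against the record, and whether the altered image still verifies.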