Digital evidence is fragile and volatile; even the smallest mistake during its handling can alter the content and make it inadmissible during legal proceedings. Evidence handling involves four major steps: identification, collection, acquisition and preservation. You have to follow certain protocols to ensure data isn’t modified during these steps.
We are a leading digital forensic consultant agency, and our experts explain the common digital evidence handling mistakes below so you don’t make any.
Not Isolating the Seized Device from Networks
If the seized device can connect to wireless or cellular networks, the evidence it carries is automatically at risk. Mobile devices and laptops are constantly syncing with cloud-based servers to store digital data such as contacts, emails, photos, documents, etc. These background processes can destroy, modify or corrupt crucial evidence.
Therefore, you should immediately put the device in airplane mode and turn off wireless and Bluetooth capability. If you can’t access the device to isolate it from networks, you can simply shut it down or remove the battery.
Powering Up the Computer
If you find a seized computer that is turned off, it can be tempting to turn it on and explore the evidence on it. However, a lot of background processes can occur when a device is powered on, and you can’t stop them at once. For example, when you turn on a laptop, it connects to a network, runs a virus check, performs automatic software updates, synchronizes data on a cloud server, etc. Even if these processes don’t impact the evidence, you’re putting it at risk of being modified or deleted.
Improper Labeling
Another common digital evidence handling mistake is the failure to isolate and label all evidence and derivative media.
In digital forensics, every component of the seized device is considered digital evidence and requires separate labeling and chain of custody documentation. For example, if you find a desktop computer, you can’t treat the whole device as a single piece of evidence. Every component of this computer that can store data is treated as separate digital evidence. This includes each internal hard drive and each flash drive connected via a USB port. So you have to identify, label, and secure every component and its derivative media to prevent mishandling.
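The labeling rule above can be checked mechanically before an inventory is signed off. The following is an added example, not part of the original article: the item kinds, label format and inventory are constructed for illustration. It flags data-bearing components that share a label, have no label or custody entries, or are derivative media with no labeled source.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Kinds treated as able to store data (assumed taxonomy for this example).
DATA_BEARING = {"internal_drive", "usb_flash", "forensic_image"}

@dataclass
class Item:
    name: str
    kind: str
    label: Optional[str] = None   # evidence label on the bag or tag
    source: Optional[str] = None  # label of the item this one was derived from
    custody: List[Tuple[str, str, str]] = field(default_factory=list)  # (time, handler, action)

def audit(items: List[Item]) -> List[str]:
    """Return labeling and chain-of-custody gaps in a seizure inventory."""
    findings, owner = [], {}
    labels = {i.label for i in items if i.label}
    for it in items:
        if it.label:
            if it.label in owner:  # two items under one label: the "whole device" mistake
                findings.append(f"{it.name}: shares label {it.label} with {owner[it.label]}")
            else:
                owner[it.label] = it.name
        if it.kind not in DATA_BEARING:
            continue
        if not it.label:
            findings.append(f"{it.name}: no label of its own")
        if not it.custody:
            findings.append(f"{it.name}: no chain-of-custody entries")
        if it.kind == "forensic_image" and it.source not in labels:
            findings.append(f"{it.name}: derivative media not linked to a labeled source")
    return findings

# Constructed inventory for one seized desktop (all values are sample data).
SEIZED = [("2024-01-01T10:00", "handler-1", "seized")]
SAMPLE = [
    Item("desktop chassis", "chassis", "EX-001", custody=SEIZED),
    Item("internal drive 1", "internal_drive", "EX-001", custody=SEIZED),
    Item("internal drive 2", "internal_drive", "EX-001-B", custody=SEIZED),
    Item("USB flash drive", "usb_flash"),
    Item("image of drive 2", "forensic_image", "EX-001-B-IMG1", source="EX-001-B"),
    Item("image of flash drive", "forensic_image", "EX-001-C-IMG1", source="EX-001-C", custody=SEIZED),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```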
At Eclipse Forensics, we provide all kinds of digital forensics services. We have leading digital forensics engineers onboard who can perform video analysis, authenticate audio forensics, perform cellphone search and image redaction, and more.
Reach out to us for more details.