Safely preserving digital evidence

Best Practices for Securely Storing and Protecting Digital Evidence

As the internet, technology, and digital forensics expand, it is more important than ever for the concerned professionals to deploy the best practices to preserve digital evidence. Besides preservation techniques, it is also important to understand the various steps of digital evidence preservation and the issues that may present themselves during this process.

Critical Steps in Digital Evidence Preservation

  • Make sure to keep the current state of your device the same. If the device is turned on, keep it on; if it is off, it must be kept off. Before moving forth, contact a digital forensics expert.
  • Don’t charge a cell phone or a laptop if it is running low on battery. Charging the device at this crucial stage could result in data wiping or overwriting because of automatic booting.
  • Never leave the device in an unsecured place. Ensure the device carrying the digital evidence isn’t left out in the open. Always document details like where the device is, who has access to it, and when it is moved from its location.
  • Keep any external storage media away from the device, and do not plug it in unnecessary places. Common external storage media examples include USBs, thumb drives, and memory cards.
  • Never copy anything to and from the device carrying digital evidence. You might modify the memory’s slack space by copying anything to and from the device.
  • Take pictures of the device from all sides. Photograph a mobile phone or a laptop from every side to prevent tampering until the forensic experts arrive. The slightest tampering with the device could affect the evidence.
  • Don’t access any pictures, files, or applications on the device. Accessing files, apps, and images on the device may overwrite the memory or lose the data completely.
  • You must remember the PIN/password of the device. You will have to share the login/credentials with the forensic team for them to do their job flawlessly.
  • Don’t let anyone without forensic training near the device. Only a person with formal training in digital forensics should be allowed to access the device and its information. Exposing the device to an untrained person could result in information corruption and data deletion.
  • Don’t shut down the computer. Because data can be extracted from volatile memory and disk drives, it is better to put the device in hibernation mode. Until the system reboots, the device’s contents will be preserved through the hibernation mode.

How to Expedite the Process of Preserving Digital Evidence

There are two ways forensic experts acquire digital evidence. The device is seized, or a copy is made at the crime scene. Here are some points you must remember to expedite the preservation of digital evidence.

  • Share passwords, authentication codes, and screen patterns.
  • Share the cables, manuals, and chargers of the device.
  • Forensic experts can also analyze the interactions of your device with the internet to create a comprehensive picture of the overall activity.
  • You must have ownership of the device. If you don’t have the authority to share or submit the device non-voluntarily, the police will exercise their lawful power to seize it.
  • Instead of giving away your gadget to forensic experts each time, it is better to share the external storage. Therefore, make sure to have the external memory storage of your phone or laptop configured.
  • Make sure to back up the device regularlyand always have backup copies for future use. It will help you store important information on a different device if needed.

How to Preserve Digital Evidence

Here are three ways forensic experts preserve evidence before analyzing it.

Drive Imaging

Before analyzing a piece of evidence, forensic experts must create an image. Drive imaging is a forensic process in which the experts create an accurate bit-by-bit duplicate image of the evidence. When analyzing this image, forensic experts must remember the following things.

  • Some evidence-wiped drives may contain recoverable data for forensic experts to identify.
  • All the deleted files can be recovered using forensic techniques.
  • Never make the mistake of performing analysis on the original file. Always use the duplicated image when analyzing evidence.

Any hardware or software that facilitates a legal image’s legal defensibility is a write blocker, which forensic experts can use to create a duplicate image of the evidence for further analysis.

Chain of Custody

When forensic experts gather media from the client, they must document each step conducted during the transfer process on the chain of custody (CoC). Chain of custody paperwork is important for the following reasons.

  • CoC is evidence that the image has been in known custody since it was created.
  • The slightest lapse in the CoC will nullify the legal significance of the image and the analysis.
  • The gaps in procession records, like any instance where the evidence was left out in the open or an unsecured space,can create major problems.

Hash Values

When forensic experts create a copy of the evidence for analysis, cryptographic hash values like SHA1 and MD5 are generated. Hash values are important for the following reasons.

  • They help verify the integrity and the authenticity of the image and help ensure that it is a replica of the original file.
  • When using the replica in court, the hash values are critical. The slightest change to the evidence will create new hash values.
  • When you perform any alterations, like creating or editing a new file on your computer, a new hash value will appear for that file.
  • Hash values and other metadata cannot be viewed using regular file explorers. Instead, they need special software.

If the hash values on the original evidence and the image don’t match, it could raise concerns in the court. Moreover, it is a sign that the evidence has been tampered with.

Issues in Preserving Digital Evidence

Let’s look at some of the problems forensic experts encounter when preserving digital evidence.

  • Legal admissibility is the biggest problem faced while preserving digital evidence. If the evidence is available in any form of digital media, it must be quarantined and placed in the CoC. The investigators can create images later.
  • Evidence destruction is another major issue faced while preserving digital evidence. If the threat actors have installed an app on the server, the future analysis will depend on whether the application is still available or deleted from the system.
  • Sometimes,the media is in service. If this is the case, the likelihood of evidence destruction remains high with the time that has elapsed since the incident happened.

Best Forensic Data Recovery Software

Guidance Software

This flexible tool allows forensic excerpts to gather data from devices like smartphones, tablets, and GPS. It also helps its users to generate comprehensive reports while maintaining the integrity and credibility of the evidence.

Key Features

  • Integrated investigative workflows.
  • Customizable and powerful processing.
  • Flexible reporting options.
  • Automated external review.
  • Computer and mobile acquisition.

AccessData

If you work for a law agency or the government, this evidence recovery tool should be your first choice. It offers E-discovery, computer devices, and mobile forensics. AccessData helps recover deleted data much more efficiently than any other recovery tool on this list.

Key Features

  • Provides tailor-made services.
  • Unifies all products on a single database.
  • Quicker searching
  • Database driven
  • Matchless stability and speed.

Magnet Forensics

This tool allows you to recover evidence pieces from smartphones, IoT devices, cloud services, and computers.

Key Features

  • Advanced Mac support.
  • Visualization of connections between files, users, and devices.
  • Generation of automated proof points.
  • Review capabilities and intuitive interface.
  • Helps find key evidence quickly.

X-Ways

Besides retrieving and recovering deleted files, this tool also offers data cloning. It also allows users to communicate with other people using the same software, thus minimizing the likelihood of error, which is why experts in digital forensics recommend it.

Key Features

  • Can analyze remote devices.
  • Detects NTFS and ADS.
  • Supports bookmarks and automation.
  • Provides templates for reviewing and editing binary data.

Wondershare Recoverit

With over 1000 file formats and audio/video and document recovery features, this evidence recovery tool is the first choice of forensic experts. This tool can recover trash data from external storage media, recycle bins, laptops, and crashed computer systems. With a customer base of over five million people worldwide, you can rely on this tool for all your data recovery needs.

Key Features

  • Secure virus-free guarantee.
  • Over 1000 file formats.
  • Supported by Mac and Windows.
  • Recovers audio, video, photos, documents, and more.

Safely preserving digital evidence

Cellebrite

The digital intelligence solutions of Cellebrite are made keeping your data recovery needs in mind. The two major components of this recovery tool are Cellebrite Digital Collector and BlackLight, which enhance recovery capabilities on Windows and Mac.

Key Features

  • Provides access to various devices.
  • Improves data collection flow.
  • Helps you use unsurpassed recovery techniques.
  • Provides access to over 40 apps on Android.

Final Word

At Eclipse Forensics, we always search for the best tools and techniques to protect and preserve data and information. We offer services like audio forensic services FL, data redaction, and digital forensics. To benefit from our services, visit our website today or call (904) 797-1866.

 

Posted in Uncategorized.