How is Digital Evidence Gathered?

In 2021, digital devices are quite common, with the most common ones being mobile phones, tablets, and computers. However, the emergence of IoT has made a plethora of electronic devices a source of digital evidence. For example, a digital camera can be used to view or store illegal images. The first responders in this case are digital forensic experts, who should identify and seize every electronic device to acquire evidence.

But how is this digital evidence gathered? Hear what our digital forensic engineer has to say!

Collection of digital evidence

Numerous sources can be used to collect digital evidence. Some of these sources are servers, cloud computers, USB memory sticks, CD-ROMs, hard drives, digital cameras, mobile phones, computers, and the like. Less obvious sources include RFID tags and web pages, which should be preserved because they can change. It’s important to take extra care of data sources so that nothing can modify or contaminate them, as they’ll be used for digital forensic investigations.

Since the majority of digital information is volatile, it’s subject to change. Once it’s modified, identifying the changes or rolling the data back to its original state becomes a lot more difficult. Therefore, a cryptographic hash of the digital evidence can be calculated. This hash must be recorded in a safe place so that contamination of the digital evidence can be ruled out. This is crucial because it allows computer forensic experts to establish whether someone tampered with the original evidence or not.

Imaging evidence within the electronic media

During the initial phases of the investigation, it’s good practice to duplicate the original evidentiary media. A combination of software imaging tools and standalone hard-drive duplicators can be used to fully clone the entire hard drive. This can be done at the sector level, where a bit-stream copy of all parts of the hard drive’s user-accessible areas is made. This means there won’t be any need to duplicate the file system. To prevent tampering, the original drive can be transferred to secure storage. While the imaging process is underway, a write-blocking or write-protection application or device can be used to make sure no information is written to the evidentiary media during the computer forensic investigation.
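The hashing and imaging steps described above, as an added example that is not part of the original post or any imaging tool: it hashes a source and its copy, records the hash in a log, and later detects a single altered byte. The file names, the JSON-lines log format and the examiner label are assumptions, and a small constructed file stands in for a drive.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_evidence(path, chunk_size=1024 * 1024):
    """SHA-256 of a file, read in chunks so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_acquisition(path, examiner, log_path):
    """Append the hash and who recorded it to a JSON-lines log (assumed format)."""
    entry = {
        "file": Path(path).name, "examiner": examiner,
        "sha256": hash_evidence(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(path, log_path):
    """True only if the file still matches the latest hash recorded for it."""
    with open(log_path) as log:
        recorded = [e for e in map(json.loads, log) if e["file"] == Path(path).name]
    return bool(recorded) and recorded[-1]["sha256"] == hash_evidence(path)

def demo():
    """Constructed sample data: returns (copy matches, before edit, after edit)."""
    with tempfile.TemporaryDirectory() as d:
        source, image, log = Path(d, "original.dd"), Path(d, "image.dd"), Path(d, "log.jsonl")
        source.write_bytes(b"constructed sample sectors " * 4096)
        shutil.copyfile(source, image)  # stands in for the imaging tool
        copy_ok = hash_evidence(source) == hash_evidence(image)
        record_acquisition(image, "examiner-placeholder", log)
        before = verify_evidence(image, log)
        with image.open("r+b") as f:  # simulate one modified byte in the copy
            f.seek(100)
            f.write(b"X")
        after = verify_evidence(image, log)
        return copy_ok, before, after

if __name__ == "__main__":
    print(demo())
```

In practice the log would be kept on separate, access-controlled storage, since a hash stored beside the evidence can be rewritten along with it.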

Why is preserving the sources of investigation important?

It’s important to preserve the sources from which evidence is gathered so that the chain of custody remains intact. Otherwise, it won’t be possible to validate the results of the digital forensic investigation.

Turn to Eclipse Forensics – your certified digital forensic consultant

Since 2005, we’ve worked on hundreds of cases for a variety of individuals, private attorneys, and law enforcement jurisdictions. We’re ready and poised to help in the analysis and development of mobile device forensics, authenticate audio and video forensics, court-certified forensics in FL. Contact us now for more information!
