What are the mandatory steps for the proper collection of digital evidence?

Digital evidence in criminal investigations is fundamental to convicting the ones at fault and bringing them to justice. Fail to adhere to the protocol and you risk jeopardizing the entire case.

FACT: Evidence documentation and maintaining the chain of custody are two closely related concepts. (Source: NCBI)

Those who come in contact with it may play different roles, either in the process of digital forensics or in the legal system, and maintaining the chain of custody is of unquestionable importance:

To the examiner

A digital forensics examiner may conduct an analysis of digital evidence in various shapes and forms while working with data obtained from several devices such as:

• Flash drives
• IoT devices
• Hard drives
• Video
• Audio
• etc.

Let’s suppose the job requires obtaining metadata from an image file. But upon closely examining it, you seem to find nothing of use. However, this does not necessarily mean that you are stumbling in the dark – the digital forensic evidence you’re looking for can lie elsewhere and you may be able to discover it by following the chain of custody.

Remember that it holds crucial information pertaining to:

• Its origins
• Who handled it
• What equipment was used
• etc.

To get the kind of clues you’re looking for, perhaps you may discover that you might need to use different digital forensics tools than what you’re currently using. This is why the chain of custody is more than what meets the eye.

It also happens to be important:

To the court

Even though the court’s job is not to lead a forensic investigation, it does have a responsibility to ensure the digital evidence in criminal investigations is admissible and its integrity unquestionable. In case there is a missing link in the chain of custody, the court may decide to overturn the evidence.

The key chain of custody principles

To preserve the chain of custody, you must follow the proper protocol – any step that’s left out could make the digital evidence in question less authentic.

With that being said, here are some essential chain of custody principles to keep in mind:

• Preserve the original materials

When handling digital evidence, you should never make the mistake of working on the original materials. Make a copy instead – this is what you’ll be working on without constantly being worried about damaging the original. The reason being is that you always want to have the option of comparing the modified version to the original to rule out any discrepancies.

• Take photos and screenshots

This is one of the essential digital forensic process steps. By doing so, the digital evidence specialist who will be taking a look at it after you will have a better understanding of what you were doing and get a glimpse into your workflow.

• Document the time and date of receipt

This allows you to make sense of the phases in computer forensics and visualize a timeline of who inspected the digital evidence. Also, you’ll know where it was every step of the way before the law enforcement agency got a hold of it.

• Make a digital forensic image

The image will be a bit-for-bit clone of the original and it’s what you will be uploading into the computer to investigate. If you are looking for a professional industry-grade digital forensics tool that lets you do this, make sure to check out DRS by SalvationDATA.

• Authenticate the image through hash analysis

This is for the purpose of further authentication. Remember that a digital evidence specialist needs to make sure the data is not corrupt and that it represents a true copy of the original – this is where hash analysis comes into play.

The chain of custody process

To give you a glimpse into the process of digital forensics and how the chain of custody fits in, we’ll walk you through the different phases. By following the exact steps outlined below, it will be very hard for any court to rule the evidence inadmissible.

1. Data collection

This is the very first step in the chain of custody process. It involves:

• Identification
• Labeling
• Recording
• Acquisition

This is to preserve the integrity of the evidence.

2. Examination

The digital forensic process steps that have to do with the examination are all about documenting everything. In practice, this translates to capturing screenshots that give an insight into the digital forensics examiner’s workflow and what tasks have been completed.

3. Analysis

The analysis of digital evidence involves evaluating the data extracted from the device. Using sophisticated industry-grade digital forensics tools like VIP 2.0, it’s possible to reconstruct the events exactly as they happened.

4. Reporting

The reporting step involves writing a professional digital forensics report that is compliant with the legal standards. It should cover the following:

• The digital forensics tools used in the process
• The chain of custody statement
• A description of data sources
• Any issues and vulnerabilities identified
• Recommendations on additional measures to be taken

Writing a digital forensics report can be rather time-consuming and requires a substantial amount of man-hours. To take the strain out of your personnel, consider using a one-stop solution like Digital Forensic Lab that supports one-click report generation.

Filling out the CoC form is about providing answers to vital questions

To fill out the form properly, you’re going to need to answer certain questions pertaining to the chain of custody process.

• What is the evidence in question?
• Who has handled it?
• Who transported it?
• Who has access to it?
• How and when was it obtained?
• Where and how is it stored?
• Can it be tracked?

Every single time one of the staff members from your department does anything with it, every action surrounding the event needs to be documented in detail.

The dos and don'ts of working with digital evidence

Since failing to adhere to the best practices of working with digital evidence could potentially render it inadmissible in court, anyone involved in the digital forensics investigation process is advised to follow the best industry practices you’ll find below.

DO: Document everything

In the process of digital forensic investigation, you should document everything, including the physical condition of the device. Take a photo of what state it was in when you found it.

Were there any cracks, dents, or scratches on it? Was it drenched in water?

You should also take notes on whether you found any tools nearby that indicate someone might have tampered with them.

DON’T: Work with the original

To avoid corrupting the original data or making irrevocable changes to it, a digital evidence specialist should opt to make a digital forensic image instead. Another problem with trying to work with the original is that you risk deleting valuable metadata that is stored on it.

Since it contains logs about what files were accessed and when, whether someone copied them or not, and when the device was shut down, it can be absolutely vital to the resolution of a case.

DO: Use a dedicated machine or a virtual environment

When handling digital evidence in criminal investigations, the best practice is to keep it offline. You should also consider establishing a virtual environment to prevent malware from infecting the machine.

Keep in mind that someone might attempt to tamper with the evidence from far far away – an example of this would be its owner trying to erase computer logs through the internet.

DON’T: Attempt to do it without a digital forensics professional

Since anything you do could potentially jeopardize the integrity of the data and render the digital evidence inadmissible in court, you shouldn’t proceed with the investigation without a digital forensics expert present.

Although other IT and law enforcement personnel can get involved by helping you collect data and secure the evidence, you should not attempt to undertake the matter without the supervision and guidance of a digital evidence specialist or other qualified professional.

DO: Store the device properly

Since devices that contain digital evidence may be sensitive to environmental factors such as heat and humidity, you should ensure they’re being stored in a proper environment.

Moreover, never store it in an area with open access. This could expose you to the risk of unauthorized individuals trying to tamper with it or alter it in any way.

DON’T: Change the device’s power status

As long as the digital forensics investigation is in motion, you should not change the device’s power status. In other words, if it’s on, leave it on. If it’s off, don’t attempt to boot it.

The reason being is that during the device’s startup, certain processes get activated automatically, some of which could flush the cache, overwrite unused space, and alter or update metadata that resides on it.

Conclusion

Maintaining the chain of custody can feel like making your way through a minefield. One single mistake and the entire investigation can be jeopardized and the digital evidence ruined.

Therefore, it’s of crucial importance to follow the protocol and stick to the best practices that apply to the digital forensics investigation process.

What is the proper procedure for the collection of digital evidence?

What are the five 5 steps of Digital Forensics?

What is the correct sequence of steps that needs to be followed in Digital Forensics I preserve II identify III recover IV present V analysis?