Digital Evidence Handling Guidelines
It is the duty of the investigator in charge to follow forensically sound practices to handle digital evidence and protect its integrity so that it remains admissible in the court of law.
Laws and guidelines regarding the handling of digital evidence are evolving, and digital forensics investigators must stay up to date. As a rule, performing only the actions that are within your technical abilities and processing your investigation in cooperation with a digital forensics lab in your department not only improves efficiency and accuracy but also avoids the evidence being ruled inadmissible.
The following process to handle digital evidence in a forensically sound manner will help you keep its integrity and admissibility. (Please note that if there are any particular digital evidence handling guidelines by your department or the courts in your jurisdiction, you must follow them as well.)
Preparation: Planning to Collect
Since digital devices retain the digital footprints of their users, it is highly advisable for today’s investigators to be prepared to handle digital evidence at all times.
- Think about the possible availability of digital evidence
- Make preparations beforehand to handle the evidence
- Obtain the evidence in a lawful manner
In most cases, a court order is sufficient to obtain digital evidence, but make sure that the court order mentions all devices and data needed to aid the investigation; anything it fails to mention risks being ruled inadmissible. In cases where digital evidence is likely to play a key role, you might consider covert entry or property interference, and you need to obtain legal authorization for that as well.
Moreover, the investigation team should hold a preparatory meeting at which the members from different specialties discuss the case and their roles. This way you can obtain as much information about the case as possible, since understanding the background of the investigation helps you not only foresee the types of digital devices you are likely to find, but also make pre-search preparations to handle the evidence.
Following are some items to include in your digital forensic kit.
- Authorization to seize all relevant devices
- Faraday bag to store mobile digital devices and block their network access
- A laptop with required digital forensic tools installed
- Storage devices like portable hard disks
- Bootable media (USB drive or CD/DVD)
- Mobile phone signal jammers
- Digital cameras to take pictures of the digital devices and their set-up
- Notebook, pen, and color markers to note down the details and label the evidence
- Evidence boxes, envelopes, and labels
- Screwdriver set
Identification: Possible Sources
There is a myriad of digital devices, and growing technologies such as IoT (Internet of Things) promise to make almost all devices capable of storing digital evidence. Thus, it is important for an investigator to stay updated with the possible sources of digital evidence.
Following are some common devices that might contain relevant digital evidence.
- Tablet devices
- Computers (Desktop & Laptops) – Data & Database
- Digital cameras
- Gaming consoles
- Security and other cameras and their storage (CCTV – DVR / NVR)
- Wearables, televisions, and other IoT devices
- Network equipment including modems and adapters
- Network storage devices
- Non-digital evidence related to the digital evidence (notebooks, sticky notes, pieces of paper, printouts)
Some criminals use hidden cameras to record their illicit activities, and that can prove a deciding factor in front of a jury. Always make a thorough search for hidden cameras, mics, and other such devices.
Collection and Acquisition
Forensically sound evidence collection methods that apply to non-digital evidence apply to digital devices as well. Digital devices can contain fingerprints, bloodstains, or DNA. However, there are additional considerations to collect digital evidence. When collecting digital evidence, pay close attention to the following points.
- If the device is turned on, do not turn it off. Check it for the presence of local or remote data deletion and encryption programs.
- If the device is unlocked, disable the screen lock and any other locking mechanisms. If appropriate, obtain passwords of the devices and applications.
- In most cases, it is advisable to disconnect the device from the network. Depending on the nature of the evidence, however, you might need to preserve the network connections or take notes before disconnecting.
- If the device is turned off, do not turn it on. If appropriate, obtain passwords of the devices and applications.
- Document the original state of the devices and all actions taken during the collection process.
Storage and Preservation
In most aspects, the storage of digital devices is similar to other objects, but digital devices have some additional storage considerations.
The following is a list of major considerations associated with digital evidence storage.
- Label all digital evidence and make an inventory
- Use Faraday bags to block radio signals and disconnect mobile devices from the network without powering them off
- Use chargers for powered on devices to preserve their power state
- Do not expose digital devices to magnetic fields. Keep the devices away from any equipment that might affect them in any way
Handling and Analysis
Keeping integrity should be your prime objective while handling digital evidence. Whenever possible, data analysis should not be performed on the original device. Instead, a copy, also called an image, should be created and analyzed by using digital forensics analysis tools while keeping the original device as unchanged as possible.
The United Nations Office on Drugs and Crime (UNODC) has described four broad types of analyses that can be performed on digital devices.
- Time-frame analysis to create a timeline of actions and events
- Ownership analysis to determine the ownerships of devices as well as the data in the devices
- File and app analysis to determine the apps installed on the device and contents of files
- Data hiding analysis to find out if there is hidden data on the device
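As an added example (not code from the guidelines or from UNODC), the time-frame analysis listed above can be shown on constructed file-metadata records: the script flattens created/modified/accessed timestamps into one sorted timeline, restricts it to a window of interest, and flags files whose modified time precedes their created time. All paths and timestamps are invented for the example, and the flag is a lead to check rather than proof: on NTFS a copied or downloaded file keeps the source's modification time and gets a new creation time, so the pattern is often benign.

```python
"""Time-frame analysis over constructed file metadata (added example, not from the guidelines)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileRecord:
    """One file's timestamps as an examiner would pull them from an image."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 string as UTC; keep every timestamp in one zone."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample records: paths and times are invented for this example.
SAMPLE_RECORDS = [
    FileRecord("C:/Users/jdoe/Documents/plan.docx",
               utc("2023-03-01T09:12:00"), utc("2023-03-02T17:45:00"), utc("2023-03-05T08:00:00")),
    FileRecord("C:/Users/jdoe/Downloads/tool.exe",
               utc("2023-03-04T22:10:00"), utc("2020-01-01T00:00:00"), utc("2023-03-04T22:11:00")),
    FileRecord("C:/Temp/notes.txt",
               utc("2023-03-03T11:00:00"), utc("2023-03-03T11:30:00"), utc("2023-03-03T11:30:00")),
]


def build_timeline(records):
    """Flatten every timestamp into (time, event, path) and sort chronologically."""
    events = []
    for rec in records:
        events.append((rec.created, "created", rec.path))
        events.append((rec.modified, "modified", rec.path))
        events.append((rec.accessed, "accessed", rec.path))
    events.sort()
    return events


def events_in_window(records, start: datetime, end: datetime):
    """Restrict the timeline to the period the investigation is interested in."""
    return [ev for ev in build_timeline(records) if start <= ev[0] <= end]


def timestamp_anomalies(records):
    """Files whose modified time is earlier than their created time.

    On NTFS a copied or downloaded file keeps the source's modification time
    and gets a new creation time, so this is a lead to check, not proof of
    timestamp manipulation.
    """
    return [rec.path for rec in records if rec.modified < rec.created]


if __name__ == "__main__":
    for when, event, path in build_timeline(SAMPLE_RECORDS):
        print(when.isoformat(), event, path)
    print("anomalies:", timestamp_anomalies(SAMPLE_RECORDS))
```

In practice the records come from a parsed file-system table or a tool's body-file export, and the timeline is correlated with log events and the user's known activity; the window filter is where the investigator's question (what happened between these two points?) is expressed.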
Depending on your role in the investigation, you might need to defend what you write in your report. Thus, you must describe your interaction with the digital evidence.
- Document the chain of custody with details like custody, control, and transfer of digital evidence
- Detail every step taken to preserve the integrity of the digital evidence
- Describe the method and tools used to acquire the digital evidence
- Include notes, pictures, videos, and other material that prove that the digital evidence has been handled in a forensically sound manner
- Report the results and findings of your digital evidence analysis
- Do not take any action that changes digital evidence on the source device.
- Only trained persons should access the digital evidence from the source device, and they should be able to justify the relevance and implication of their actions
- An audit trail should be maintained with the record of all applied processes. An independent third party should be able to examine those processes and produce the same results
(ACPO's three principles of digital evidence)
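As an added example, not code from the guidelines or from ACPO, the following script applies the imaging rule from the Handling and Analysis section together with the audit-trail principle just listed: it hashes a constructed "device" file, copies it to an image, hashes the image, rejects an image whose hash differs from the source, and appends every step to a JSON-lines audit log that a third party can replay by re-hashing the image. Assumptions: shutil.copyfile stands in for a forensic imaging tool run behind a write blocker, the examiner name is a placeholder, and the file content is invented.

```python
"""Acquisition integrity check with an audit trail (added example, constructed data)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large image does not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AuditTrail:
    """Append-only JSON-lines log: one record per process applied to the evidence."""

    def __init__(self, log_path: Path, examiner: str):
        self.log_path = log_path
        self.examiner = examiner  # placeholder identity, not a real examiner

    def record(self, action: str, **details) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "examiner": self.examiner, "action": action, **details}
        with self.log_path.open("a", encoding="utf-8") as handle:
            handle.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        with self.log_path.open("r", encoding="utf-8") as handle:
            return [json.loads(line) for line in handle if line.strip()]


def acquire_image(source: Path, image: Path, trail: AuditTrail) -> str:
    """Copy the source to an image and prove the copy matches the original.

    shutil.copyfile stands in for a forensic imaging tool behind a write blocker;
    hash before, hash after, and log everything is the pattern that carries over.
    """
    source_hash = sha256_file(source)
    trail.record("hash_source", path=str(source), sha256=source_hash)
    shutil.copyfile(source, image)
    trail.record("acquire", source=str(source), image=str(image), tool="shutil.copyfile (stand-in)")
    image_hash = sha256_file(image)
    trail.record("hash_image", path=str(image), sha256=image_hash)
    if image_hash != source_hash:
        trail.record("verification_failed", expected=source_hash, actual=image_hash)
        raise RuntimeError("image hash does not match source hash; acquisition is not usable")
    trail.record("verification_ok", sha256=source_hash)
    return source_hash


def verify_image(image: Path, expected_sha256: str, trail: AuditTrail) -> bool:
    """Re-hash an image later (e.g. by an independent examiner) against the recorded value."""
    actual = sha256_file(image)
    matches = actual == expected_sha256
    trail.record("reverify", path=str(image), expected=expected_sha256, actual=actual, ok=matches)
    return matches


def demo(workdir=None) -> dict:
    """Run the full cycle on constructed data and return values a caller can check."""
    tmp = None
    if workdir is None:
        tmp = tempfile.TemporaryDirectory()
        workdir = Path(tmp.name)
    try:
        source = workdir / "device.bin"
        source.write_bytes(b"CONSTRUCTED SAMPLE DEVICE CONTENT\n" * 4096)  # invented, not evidence
        image = workdir / "device.img"
        trail = AuditTrail(workdir / "audit.jsonl", examiner="examiner-placeholder")

        recorded_hash = acquire_image(source, image, trail)
        verified = verify_image(image, recorded_hash, trail)

        # Simulate a mishandled image: flip one byte, then re-verification must fail.
        data = bytearray(image.read_bytes())
        data[0] ^= 0xFF
        image.write_bytes(bytes(data))
        verified_after_tamper = verify_image(image, recorded_hash, trail)

        return {
            "recorded_hash": recorded_hash,
            "source_unchanged": sha256_file(source) == recorded_hash,
            "verified": verified,
            "verified_after_tamper": verified_after_tamper,
            "actions": [entry["action"] for entry in trail.entries()],
        }
    finally:
        if tmp is not None:
            tmp.cleanup()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The recorded hash and the audit log are what the report cites: anyone who re-hashes the image and gets the same value has reproduced the integrity check, and any later divergence (as the flipped byte shows) is caught rather than argued about.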