The dos and don'ts of working with digital evidence
Since failing to adhere to best practices for working with digital evidence could render it inadmissible in court, anyone involved in a digital forensics investigation is advised to follow the industry best practices below.
DO: Document everything
In the process of digital forensic investigation, you should document everything, including the physical condition of the device. Take a photo of what state it was in when you found it.
Were there any cracks, dents, or scratches on it? Was it drenched in water?
You should also take notes on whether you found any tools nearby that indicate someone might have tampered with the device.
DON’T: Work with the original
To avoid corrupting the original data or making irrevocable changes to it, a digital evidence specialist should opt to make a digital forensic image instead. Another problem with trying to work with the original is that you risk deleting valuable metadata that is stored on it.
Since this metadata records which files were accessed and when, whether they were copied, and when the device was shut down, it can be absolutely vital to the resolution of a case.
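As an added illustration (not code from the original article), the following Python script shows the working-copy discipline described above: it images a source byte-for-byte while hashing it, re-hashes the written copy, checks that the source's modification time was not disturbed, and appends a timestamped acquisition record that also serves the "document everything" rule. The sample file, the JSON-lines log format and the examiner name are constructed for the demo.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks so images need not fit in memory

def sha256_of(path):
    """Hash a file block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image_path, log_path, examiner):
    """Copy `source` byte-for-byte to `image_path`, hashing it as it is read, re-hash
    the written image, and append an acquisition record to `log_path`. The source is
    opened read-only; on a real device a hardware write blocker is still assumed."""
    before = os.stat(source)  # metadata as found, before acquisition
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    source_sha256 = h.hexdigest()
    image_sha256 = sha256_of(image_path)  # independent re-read of the copy
    after = os.stat(source)
    record = {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
        "image_verified": source_sha256 == image_sha256,
        "source_mtime_unchanged": before.st_mtime_ns == after.st_mtime_ns,
    }
    with open(log_path, "a") as log:  # one JSON line per acquisition
        log.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed sample file standing in for a seized drive; returns the record."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "seized.bin")
    with open(evidence, "wb") as f:
        f.write(b"sample evidence data\n" * 1000)
    return acquire_image(evidence, os.path.join(work, "seized.dd"),
                         os.path.join(work, "acquisition.log"), "examiner-01")
```

Before each later examination, recomputing `sha256_of` on the working copy and comparing it with the logged `image_sha256` confirms that the copy, not the original, is what was analysed and that it has not changed since acquisition.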
DO: Use a dedicated machine or a virtual environment
When handling digital evidence in criminal investigations, the best practice is to keep it offline. You should also consider establishing a virtual environment to prevent malware from infecting the machine.
Keep in mind that someone might attempt to tamper with the evidence remotely – for example, its owner might try to erase the computer's logs over the internet.
DON’T: Attempt to do it without a digital forensics professional
Since anything you do could potentially jeopardize the integrity of the data and render the digital evidence inadmissible in court, you shouldn’t proceed with the investigation without a digital forensics expert present.
Although other IT and law enforcement personnel can get involved by helping you collect data and secure the evidence, you should not attempt to undertake the matter without the supervision and guidance of a digital evidence specialist or other qualified professional.
DO: Store the device properly
Since devices that contain digital evidence may be sensitive to environmental factors such as heat and humidity, you should ensure they’re being stored in a proper environment.
Moreover, never store devices in an area with open access, as this would expose them to the risk of unauthorized individuals tampering with or altering them.
DON’T: Change the device’s power status
As long as the digital forensics investigation is in motion, you should not change the device’s power status. In other words, if it’s on, leave it on. If it’s off, don’t attempt to boot it.
The reason is that during the device’s startup, certain processes are activated automatically, some of which could flush the cache, overwrite unused space, and alter or update the metadata stored on the device.