How is digital evidence collected?
Acquiring and Collecting Digital Evidence For Digital Forensic Investigation
Digital evidence can be collected from many sources. Obvious sources include computers, mobile phones, digital cameras, hard drives, CD-ROMs, USB memory sticks, cloud computers, servers and so on. Non-obvious sources include RFID tags and web pages, which must be preserved because they are subject to change. Extra care must be taken to avoid any contamination or modification of the data sources that are the subject of a digital forensic investigation.
We will take special care when handling computer evidence: most digital information is volatile and can be easily changed, and once modified it is usually difficult to detect the changes or to revert the data to its original state. For this reason, we calculate a cryptographic hash of the digital evidence and record that hash in a safe place so that any contamination of the evidence can be detected. This is essential because the computer forensic investigators will then be able to establish at a later stage whether or not the original digital evidence has been tampered with since the hash was calculated.
Imaging electronic media evidence
As an initial stage of our computer forensic investigation, we may have to create an exact duplicate of the original evidentiary media. We use a combination of standalone hard-drive duplicators and software imaging tools so that the entire hard drive is cloned. We do this at the sector level, making a bit-stream copy of every part of the user-accessible areas of the drive that can physically store data, rather than duplicating only the file system. We then transfer the original drive to secure storage to prevent any tampering. During the imaging process, we use a write-protection or write-blocking device or application to ensure that no information is introduced onto the evidentiary media during the investigation.
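The hashing described under handling computer evidence and the sector-level imaging described here, as an added Python example that is not the firm's own tooling: it copies a constructed sample "drive" one sector at a time, hashes the source as it is read (the source is only ever opened read-only, the software analogue of a write blocker), confirms the copy, writes a custody record, and re-verifies the image later. The file names and the record's field names are this example's own assumptions.

```python
import hashlib, json, os, tempfile, time

SECTOR = 512  # copy and hash one sector at a time, as a bit-stream copy does

def image_and_hash(src_path, img_path, sector=SECTOR):
    """Bit-stream copy src -> img, hashing the source as it is read; src is opened read-only."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        for chunk in iter(lambda: src.read(sector), b""):
            h.update(chunk)
            dst.write(chunk)
    os.chmod(img_path, 0o444)  # seal the image read-only once acquisition finishes
    return h.hexdigest()

def hash_file(path, sector=SECTOR):
    """Independent re-hash, used to confirm the copy and to re-verify it later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(sector), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(src_path, workdir, examiner):
    """Image the source, confirm the copy matches it, and write the custody record."""
    img_path, rec_path = os.path.join(workdir, "evidence.dd"), os.path.join(workdir, "evidence.json")
    digest = image_and_hash(src_path, img_path)
    if hash_file(img_path) != digest:
        raise RuntimeError("image does not match source; acquisition failed")
    record = {"source": os.path.basename(src_path), "sha256": digest, "examiner": examiner,
              "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}  # fields chosen for this example
    with open(rec_path, "w") as f:
        json.dump(record, f, indent=2)
    return img_path, rec_path

def verify(img_path, rec_path):
    """Later check: does the image still hash to the value recorded at acquisition?"""
    with open(rec_path) as f:
        return hash_file(img_path) == json.load(f)["sha256"]

def demo():
    """Constructed sample drive: acquire, verify, then show that a one-byte change is detected."""
    work = tempfile.mkdtemp()
    media = os.path.join(work, "suspect_media.bin")
    with open(media, "wb") as f:
        f.write(bytes(range(256)) * 11)  # 2816 bytes: not a whole number of sectors
    img, rec = acquire(media, work, "examiner-01")
    intact = verify(img, rec)
    os.chmod(img, 0o644)  # break the seal and flip one byte to simulate contamination
    with open(img, "r+b") as f:
        f.seek(3 * SECTOR); f.write(b"\xff")  # byte there is 0x00 in the sample
    return intact, verify(img, rec)
```

`demo()` returns `(True, False)`: the freshly acquired image verifies, and the same image fails verification after a single byte is altered.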
Why the preservation of the sources of investigation is important
Preservation of the sources from which we collect evidence is essential; otherwise the chain of custody will be lost and all the results of the digital forensic investigation will be invalidated. In addition, every step taken in collecting digital evidence must be recorded so that it can be verified if required.