What Are the Steps to Preserving Digital Data and Evidence?
The storage and management of digital data and forensic evidence plays a pivotal role in the criminal justice system and the private sector. A growing number of HR and IT departments need to manage evidence for internal investigations of data theft and acceptable use violations.
Before we take a closer look at evidence handling procedures in digital forensics, let’s review the fundamentals:
What Is Digital Evidence Preservation?
Preservation is a comprehensive endeavor that ensures the continued accessibility of valued digital information. In other words, it aims to isolate and protect digital evidence exactly as it was found, without alteration, so that it can later be analyzed. This includes finding ways to re-present what was initially represented to users by implementing sophisticated software and hardware tools.
Mobile phones and other devices have blurred the line between physical and digital evidence. Smartphones could store pertinent photos locally, connect to files in a cloud storage service, and carry trace evidence on the device itself. Many law enforcement agencies and private entities have methods for managing physical and digital evidence separately. Now, they’ll need tools to manage them together.
Digital Evidence Preservation Best Practices
Here are steps you can take to prevent the loss of digital evidence before partnering with forensic experts:
Document the Condition of the Device
Take pictures from all sides of the physical device which holds the digital media to be collected and document its physical condition and location. Make note of any dents, scratches, or other physical blemishes. Avoid plugging any external storage media into the device(s); even a memory card or thumb drive can cause data to be lost.
Do Not Alter the Power Status
While it may be tempting to turn the device on if it’s powered off — or even power it down to save battery life and boot it up again down the line — it’s not advisable to do so. In short, if the device is on, leave it on. If it’s off, leave it off. Leave battery-powered devices in their current state for as long as you can, and consult your forensic expert team for wired devices, such as desktop computers.
Keep the Device Secure and Establish an Internal Chain of Custody
Ensure proper chain of custody for the hardware and data with physical security in a climate-controlled environment; don’t store the device in an open access area where employees and unauthorized personnel can easily get a hold of it. Log important information such as where the device is, who has access, and when it is moved.
Get Forensic Experts Involved
While there are steps you can take (and common missteps to avoid), it pays to know when to pass everything off to trained specialists. From recovering deleted files to providing trial support, the process of preserving and analyzing data requires the expertise of a forensic investigation specialist.
Do Not Permit IT to Reallocate the Device
Typically, when an employee leaves, IT departments will consider reallocating assets to new users. While this may seem like a good idea, it can destroy valuable evidence on the device. Whenever a key employee, sales team member, or anyone with access to confidential intellectual property leaves an organization, steps should be taken to preserve the computer of the former employee. This information can be useful in trade secret cases or to defend a wrongful termination lawsuit. Preserving the data can be accomplished by forensic experts quickly, allowing reallocation of the device, while maintaining the forensic image for possible investigation down the line.
A Look Into the Forensic Experts’ Process
Here are methods used by forensic experts to preserve evidence before starting analysis:
Drive imaging: Before beginning to analyze evidence from a source, forensic investigators must create a forensic image of the evidence. Imaging a drive is a process in which an analyst creates a bit-by-bit duplicate of a device’s hard drive. It’s important to note that even reformatted or deleted drives can retain recoverable or deleted data which experts can identify and recover using forensic techniques.
Forensic analysis is never performed on the original media; it’s important that analysts always operate on the duplicate image. A write blocker — a piece of hardware or software that facilitates the legal defensibility of a forensic image — is often used to create the image for analysis.
Hash values: The imaging process generates cryptographic hash values, which are crucial because:
- Hash values are used to verify the authenticity and integrity of the image as an exact replica of the original media.
- When admitting evidence in court, hash values are paramount, as altering any bit of data (such as creating a new file) generates a new hash value.
- If hash values of the image and original evidence do not match, it could raise concerns in court that the evidence has been tampered with.
Chain of custody: Forensic investigators document all steps conducted during the transfer of media and the evidence. Chain of custody paperwork (including signatures, dates, and time upon media handoff) is essential because:
- It demonstrates the image has been under known possession since the time the image was created
- Any gap or lapse in the chain of custody nullifies the image’s legal value — and by extension, the analysis.
Cornerstone Discovery: Preserving the Integrity of Your Digital Data and Evidence
The importance of proper preservation and collection of digital evidence collection in cyber security cannot be understated. After all, they’re the first steps in telling a complete story, uncovering the truth, and fortifying your protocol. Our computer forensics specialists are here to help with proper evidence handling and preservation of data, ensuring the veracity and defensibility of evidence.
For more information about our digital forensics and e-Discovery processes, reach out to us today.