A critical part of any computer forensic investigation is ensuring proper evidence collection and proper maintenance of the chain of custody of the evidence collected. You need to be sure that you can identify the who, what, when, where, how, and why of each piece of evidence or material that you collect during the investigation:
- Who. Who handled the evidence?
- What. What procedures were performed on the evidence?
- When. When was the evidence collected and/or transferred to another party?
- Where. Where was the evidence collected and stored?
- How. How was the evidence collected and stored?
- Why. For what purpose was the evidence collected?
If evidence must change hands multiple times, you may have a very long list of information to keep track of here.
Collecting and handling evidence
As mentioned above, the first step in any forensic investigation is the collection of evidence. Sometimes we have to gather large amounts of data before we can determine what is relevant enough to be deemed evidence, and all of it must be obtained within the confines of the law. We should plan the process we’ll use to collect evidence. On a live, running machine we would have to perform a live analysis, which would typically be conducted from another machine over the network. Data analysis, though, should only ever be performed on copies of the data – never on the original. We also need to think about volatile evidence, such as the contents of memory, because once the machine is shut down that evidence is lost. The details of the scene need to be recorded because investigations can be lengthy, so everything must be documented and date- and time-stamped; we might need to report findings months, or even many years, later. Sometimes a court decision is overturned in the future, so we’ll often need to archive the evidence that was collected.
Evidence collection is the first step of a forensic investigation and is a two-pronged process. The first aspect is determining what evidence needs to be collected and confirming whether that evidence can be collected legally. The second aspect is deciding how to collect it, which includes planning the collection process, conducting live analyses, and bearing volatile evidence such as the contents of memory in mind.
When collecting evidence, it is important to record details of the potential crime scene because investigations are sometimes lengthy. This means you may need to report findings months or years later.
Evidence also includes items such as handwritten notes, photographs, and audio/visual recordings. Sometimes a good way to capture evidence on a machine that’s already running is to photograph what is on the screen. The chain of custody, often referred to as COC, preserves the integrity of collected evidence. It records who obtained the evidence, what the evidence was – whether an entire computer system, external storage media, and so on – when and where the evidence was obtained, who secured it, and who had control or possession of it. All of this pertains to the chain of custody. It needs to be a documented process, because any break in the chain of custody casts doubt on the integrity of that evidence, and the court could therefore deem the evidence inadmissible. Data integrity can be proven using hashing.
In evidence collection, it is important to also consider things like handwritten notes, photographs, and audio/visual recordings.
Chain of Custody
Part of the purpose of having a chain of custody in place is to preserve the integrity of evidence. The chain of custody records who obtained the evidence, what the evidence was (e.g., a computer, an external hard drive, or an SD card), when and where the evidence was obtained, who secured it, and who had control or possession of it.
The chain of custody needs to be well-documented. Any break in the chain of custody can cast doubt on the investigation as well as on the integrity of the evidence. That doubt could render the evidence inadmissible in court.
Hashing can be used to prove data integrity. Algorithms such as MD5, SHA-1, and SHA-256 can be used to compute the hashes.
Algorithms including MD5 and SHA-256 might be used to do that in practice. File hashing should be performed multiple times, using multiple tools, so that we can prove the data has not been tampered with. Bear in mind that digital forensics is about following very specific steps so as to consistently reproduce exactly the same results: it’s all about integrity and consistency. We should also consider how to approach interviewing the people involved, such as suspects, colleagues, or witnesses – including expert witnesses. These people can often provide additional helpful information for an investigation. That information might relate to the incident itself, or to the evidence being seized: who owns it, who uses it, and how they use it. In this video, we discussed evidence collection and handling.
In collecting evidence, it is important to consider interviewing people involved like suspects, colleagues, and witnesses. These people often provide additional information on the actual incident, who owns the evidence, and who uses it.
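As an added example (not part of the original material), the Python script below ties the who/what/when/where/how/why record to the hashing step: it computes MD5, SHA-1 and SHA-256 digests of a constructed sample image in chunks, stores them in a chain-of-custody entry, and later re-hashes the evidence to report which digests no longer match. The sample bytes, handler names and entry fields are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence; in a real case this would be a disk image read
# from a write-blocked device or a forensic copy, never the original medium.
EVIDENCE_BYTES = b"constructed sample evidence image\n" * 64

# Several algorithms are recorded so that a weakness in one (MD5 and SHA-1
# have known collision attacks) does not undermine the integrity record.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_evidence(data: bytes, chunk_size: int = 4096) -> dict:
    """Hash the same bytes with every algorithm, reading in fixed-size chunks
    as a tool must for images far larger than memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def record_custody_event(log: list, data: bytes, who: str, what: str,
                         where: str, how: str, why: str) -> dict:
    """Append one chain-of-custody entry, answering the six questions and
    carrying the digests computed at the time of the hand-over."""
    entry = {
        "who": who, "what": what,
        "when": datetime.now(timezone.utc).isoformat(),  # UTC timestamp
        "where": where, "how": how, "why": why,
        "hashes": hash_evidence(data),
    }
    log.append(entry)
    return entry


def verify_custody(log: list, data: bytes) -> list:
    """Re-hash the evidence and return the algorithms whose digest differs
    from the first recorded entry. An empty list means integrity holds."""
    if not log:
        raise ValueError("no chain-of-custody record to verify against")
    baseline = log[0]["hashes"]
    current = hash_evidence(data)
    return [name for name in ALGORITHMS if current[name] != baseline[name]]


if __name__ == "__main__":
    custody_log = []
    record_custody_event(custody_log, EVIDENCE_BYTES, who="examiner A",
                         what="disk image", where="evidence locker 3",
                         how="imaged via write blocker", why="case intake")
    print("mismatched digests:", verify_custody(custody_log, EVIDENCE_BYTES))
```

Each later transfer of the evidence adds another entry through record_custody_event, and the receiving party runs verify_custody against the original entry before accepting it.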