Search, Seize, Preserve!: Digital Evidence

As the world increasingly moves online, so too does the realm of criminal activity. Just as traditional investigators would search a physical location for clues and evidence, digital investigators must now know how to search, seize, and preserve digital evidence. But where do you even start? This blog will provide tips and tricks for digital investigators on how to search, seize, and preserve digital evidence.

Introduction

As a criminalist, which of the following actions would you take to preserve computer-based evidence?

- Ask the suspect to close the computer system down

- Try to avoid altering any of the evidence

- Ensure the investigative work is handled by qualified personnel

It is of utmost importance that the evidence on a computer is not changed in any way, shape or form, so the correct answer is to avoid altering any of the evidence.

Electronic Evidence Seizure Procedure Steps

Prepare for the search and seizure

When on the scene of a crime, the last thing any individual wants is to fall short on their tasks, which is why a pre-defined set of phases has been developed for guidance. In the first stage, preparation is done for the search and seizure.

Secure the scene

In securing the scene, only the required personnel must be let onto the scene of the crime. Be aware of network connections, as those can place data at risk. Once those two steps are followed, ensure that volatile data will not be lost and disconnect any network cables that are seen. Isolate seized devices, such as memory cards, cellular phones and external hard drives, from the network.

Document the Scene

Documenting the scene is essential to the investigation. A record must be kept of every investigative process applied to identify, extract and analyze the data captured. First responders should document the activity observed on the devices, take photographs, and record the information present at the scene.

Collect the evidence

Depending on the nature of the evidence, isolation of the devices is almost always deemed crucial. Wireless devices such as cellular phones should be placed in a Faraday bag for that purpose so the evidence remains untouched. Write-blocking software (or a hardware write blocker) is then put in place so that the data can only be viewed and not changed.

The Computer Forensics Paradigm

The computer forensics paradigm also notes similar procedures when dealing with evidence. These include:

  • Identification: Identifying the specific objects that store data important to the investigative process and to the case analysis.

  • Collection: Establishing a chain of custody and documenting all the steps, which furthermore proves that the data collected remains unchanged.

  • Examination, Analysis and Evaluation: Determining the type of information that is stored on the digital evidence and conducting extensive analysis of the media in question.

  • Reporting: Preparing and delivering an official report and processing the notes for expert testimony.

Recovery and investigation of computer-based evidence

There are four basic principles related to the recovery and investigation of computer-based evidence. Following these procedures guarantees the integrity of the evidence, allows for the accurate replication of the results, and minimizes doubt.

Minimize Evidence Contamination

No action taken by the individuals on the scene should change data held on a computer or other media. Why is this so, you may ask? Simply put, if an individual turns on the computer and browses through the data, it results in changes in memory and on the data storage devices. Then, you may ask, so what if the data is changed? The change may lead to losing evidence, as it may be overwritten by new data; it also brings into question the trustworthiness of the data that can be used in the investigation; and in some jurisdictions, this can even be viewed as tampering with the evidence! With this being said, the data must not be changed, as it is crucial to the investigative process.

Know what you’re doing

If a case arises where the personnel on the scene find it necessary to access the original data held on a target computer, that individual must be competent to do so and must bring forth evidence explaining the reasoning, relevance and implications of their actions. Due to this, thinking before you act, knowing the effects of your actions on the data, and being willing to prove it if the data is altered are taken very seriously in this sphere. In other words, be prepared to prove your competence!

Documentation of everything

An audit trail of all the processes applied to the computer-based evidence should be created and preserved, such that an independent third party is able to repeat the same processes and achieve the same result. The analysis should follow a logical procedure whilst being verifiable. Everything done is documented so that it can be repeated without ambiguity if questioned, and the notes that are taken should be clear and precise.
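The reproducibility principle above (an independent third party repeats the same process and reaches the same result) is what cryptographic hashes in the audit trail provide in practice: the examiner hashes the acquired image, records the digests alongside a timestamp and the examiner's name, and anyone can later recompute the digests to confirm the evidence is unchanged. The following Python script is an added example, not code from the original post; the file names (`evidence.dd`, `custody.jsonl`), the examiner name and the sample bytes are all constructed for the demonstration.

```python
"""Chain-of-custody hashing and verification (added example, constructed data)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Two digests are recorded so a collision in one algorithm cannot mask a change.
HASH_ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=HASH_ALGORITHMS, chunk_size=1024 * 1024):
    """Return {algorithm: hexdigest} for the file at path, read in chunks
    so that large disk images do not need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(evidence_path, log_path, examiner, note):
    """Append one audit-trail entry (JSON Lines) with hashes, UTC timestamp,
    examiner and a free-text note describing how the data was acquired."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": str(evidence_path),
        "examiner": examiner,
        "action": "acquire",
        "note": note,
        "hashes": hash_file(evidence_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_log(evidence_path, log_path):
    """Recompute the hashes and compare them with the most recent log entry
    for this file. Returns (ok, mismatches), where mismatches lists the
    algorithms whose digest no longer matches the recorded one."""
    last = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["evidence"] == str(evidence_path):
                last = entry
    if last is None:
        raise ValueError(f"no chain-of-custody entry for {evidence_path}")
    current = hash_file(evidence_path)
    mismatches = [a for a in last["hashes"] if current.get(a) != last["hashes"][a]]
    return (not mismatches, mismatches)


def demo():
    """Constructed walk-through: acquire a stand-in image, verify it, alter a
    single byte (as an improper mount might), and verify again."""
    workdir = Path(tempfile.mkdtemp())
    image = workdir / "evidence.dd"        # constructed stand-in for a disk image
    log = workdir / "custody.jsonl"        # constructed audit-trail file
    image.write_bytes(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE DATA" + b"\xff" * 512)

    entry = record_acquisition(image, log, examiner="Examiner A",
                               note="imaged through a write blocker")
    before = verify_against_log(image, log)

    # Simulate contamination: flip one bit in the image.
    data = bytearray(image.read_bytes())
    data[4096] ^= 0x01
    image.write_bytes(bytes(data))
    after = verify_against_log(image, log)
    return {"entry": entry, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("recorded:", result["entry"]["hashes"])
    print("verify before change:", result["before"])
    print("verify after change:", result["after"])
```

Every verification is itself an action on the evidence, so in real use each run of `verify_against_log` would be appended to the same log as a `"verify"` entry; the function is kept read-only here so the demonstration stays short. The design choice to record more than one digest reflects the point made above about minimizing doubt: a third party can confirm the result with whichever tool they have, and a change that somehow preserved one digest would still be caught by the other.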

Responsibility

The lead on the scene of the crime is responsible for ensuring that the previously stated principles are adhered to. This applies to the possession of, and access to, data contained on a computer. This must be done to a satisfactory standard, as it is the responsibility of the team to prove that everything on the scene was done correctly!
