
Digital Forensics: Protection of Evidence is Priority One

The number one priority of any forensic computer examiner must be to preserve the integrity of the evidence. An examiner must enter into any engagement with a clear, process-driven methodology for data acquisition and examination that protects the evidence. The process itself must be thoroughly documented, presenting a clear, repeatable record of every step taken, so that another examiner could reproduce the result. The following describes some of the methods that can be used to preserve the integrity of the evidence.

Tool testing plays an important role in the preservation of digital evidence and artifacts. Testing of both hardware and software should be performed regularly and should be a standard part of the process. For example, before a target (destination) hard drive is sanitized, it can be connected to a write-blocking device and attempts made to write to it, wipe it, or copy data onto it. Every one of those attempts must fail, and a hash of the drive taken before and after the attempts should match; only then has the write blocker been shown to be functioning properly. Once it has, the write protection can be removed and the target cleaned of any preexisting data. After the disk is wiped, it should be tested to ensure that no data remains. Much wiping software simply writes a zero to every byte of the drive; in that case the wipe can be verified by reading the entire disk, at the raw device level rather than through a filesystem, and searching for any value other than zero.
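The post-wipe check described above, as an added example rather than the article's or any vendor's tool. It assumes the wiper wrote 0x00 to every byte, so any non-zero byte is a failed wipe, and it assumes the examiner points it at the raw device node (for instance /dev/sdb on Linux, opened read-only, which needs root) rather than at a mounted filesystem. The demo at the bottom uses constructed temporary files, with three hypothetical residue bytes planted in one of them, in place of a real drive.

```python
"""Post-wipe check for a target (destination) drive: read every byte back
and report the first non-zero byte, if any. Added example, not the article's
tooling. Assumes a zero-fill wipe; run against the raw device, read-only."""
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time; large enough to keep a disk streaming


def scan_for_nonzero(path, chunk_size=CHUNK_SIZE):
    """Read the whole target once and return
    (bytes_scanned, first_nonzero_offset, nonzero_count).

    first_nonzero_offset is None when every byte read back as zero.
    """
    scanned = 0
    first_nonzero = None
    nonzero_total = 0
    with open(path, "rb") as fh:  # read-only: the check itself must never write
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            nonzero_here = len(chunk) - chunk.count(0)  # one pass over the buffer
            if nonzero_here:
                nonzero_total += nonzero_here
                if first_nonzero is None:
                    # Walk the bytes only for the first offending chunk, to get the offset.
                    first_nonzero = scanned + next(i for i, b in enumerate(chunk) if b)
            scanned += len(chunk)
    return scanned, first_nonzero, nonzero_total


def wipe_verified(path):
    """True only if something was read and all of it was zero."""
    scanned, first_nonzero, _ = scan_for_nonzero(path)
    return scanned > 0 and first_nonzero is None


def demo():
    """Constructed demo: one fully zeroed 3 MiB file, and one with three stray
    bytes planted just past the 2 MiB mark, the kind of residue a wipe that
    stopped short or skipped a bad sector would leave behind."""
    cases = {
        "clean": None,
        "dirty": (2 * 1024 * 1024 + 17, b"\xeb\x3c\x90"),  # hypothetical residue
    }
    results = {}
    for name, residue in cases.items():
        fd, path = tempfile.mkstemp()
        os.close(fd)
        try:
            with open(path, "wb") as fh:
                fh.write(bytes(3 * 1024 * 1024))
                if residue is not None:
                    fh.seek(residue[0])
                    fh.write(residue[1])
            results[name] = scan_for_nonzero(path)
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for name, (scanned, first, count) in demo().items():
        status = "CLEAN" if first is None else f"FAIL: {count} non-zero byte(s), first at offset {first}"
        print(f"{name}: {scanned} bytes scanned, {status}")
```

If the wiper writes a pattern other than zeros, compare each chunk against that pattern instead of counting zero bytes. Reading the raw device matters: a filesystem-level read would never touch slack space, unallocated areas, or the space after the last partition, which is exactly where leftover data from a previous case would sit.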

Before evidence is taken into custody, the immediate area containing the evidence should be photographed, and the cable connections to any computer being acquired should be photographed before anything is disconnected. All evidence taken into custody should be indelibly labeled with the relevant information: examiner name, acquisition date and time, case number, and so on. From this point onward, evidence and artifacts are protected by a clear chain-of-custody policy and procedure.

When an evidence drive is removed from a computer for imaging, steps must be taken to protect the data from damage. An anti-static wrist strap should always be worn when removing or installing devices in a computer, to protect data and hardware from damage caused by static electricity. After removal, the drive should be clearly labeled as the original evidence and placed in an anti-static bag while the imaging process is prepared. The image can also be made with the drive still installed in the original computer, if special precautions are taken to protect the media. Forensic boot disks and thumb drives can be used for this, but only if the examiner is certain that the computer will not boot from the internal hard drive. The boot media must be tested beforehand, and the examiner should be familiar with the type of machine and know how to get into the BIOS and set the boot order, so that there is no danger of the hard drive being accessed. Simply starting the computer and letting it boot from the hard drive will alter the data on it: the operating system writes to logs, caches and file timestamps as it starts.

Robert Leigh, CCE - February 2012

Before a drive is connected to a computer or other device for imaging, the write protection should be tested once more. This can be done by connecting a test drive to the system and attempting to write, wipe, or copy as described earlier. The original evidence can now be connected to the write blocker. After recording any pertinent drive information, such as the cylinder, head and sector (CHS) numbers as reported to the forensic software by the examination system's BIOS, a checksum of the drive can be produced. The checksum is a cryptographic hash value (MD5 and SHA-1 were the usual choices when this was written; SHA-256 is now preferred) that serves as a digital fingerprint of the media: a bit-for-bit copy produces the same value, and any difference in the copy produces a different one. The original media can now be imaged and the image saved on the target media. A checksum is then computed over the image on the target media and compared with the value produced from the original; the two must match, and both values, with the algorithm used, go into the case notes. The examiner also has the opportunity to create a clone of the original media. In the event that the image is compromised, a replacement image can be created from the clone and the original media can remain in protective storage. The chain-of-custody policy should ensure that the original drive, and any other evidence, is secured in a safe, dry, locked area with limited access, requiring the signature and time of anyone entering the area.
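The acquire-and-verify step described above, as an added example that is not the article's or any forensic suite's code. It assumes the source sits behind a write blocker that has already been tested and opens it read-only; the choice of SHA-256 is an assumption, and the algorithm name is recorded next to each digest because a digest means nothing without it. The copy is a plain raw (dd-style) image; CHS recording and the clone are not shown. The demo at the bottom images a constructed 1 MiB file, confirms the hashes match, then corrupts one byte of the stored image to show that a later re-hash no longer matches the recorded acquisition hash, which is the case where the clone is needed.

```python
"""Image a source and verify the copy by hash. Added example, not the
article's tooling. Assumes the source is behind a tested write blocker."""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB reads


def hash_file(path, algo="sha256", chunk_size=CHUNK_SIZE):
    """Hash a file or raw device in chunks without loading it into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source, image, algo="sha256", chunk_size=CHUNK_SIZE):
    """Copy source to image while hashing the bytes as they are read from the
    original, then hash the finished image in a second, independent pass and
    compare. Returns a record suitable for the case notes."""
    acq = hashlib.new(algo)
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            acq.update(chunk)  # acquisition hash: exactly what the original gave us
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # force the image onto the target media before re-reading it
    acquisition_hash = acq.hexdigest()
    verification_hash = hash_file(image, algo, chunk_size)  # re-read from the target media
    return {
        "algorithm": algo,
        "bytes": copied,
        "acquisition_hash": acquisition_hash,
        "verification_hash": verification_hash,
        "verified": acquisition_hash == verification_hash,
    }


def demo():
    """Constructed demo: image a 1 MiB 'evidence' file, then damage one byte of
    the stored image and show the stored copy no longer matches the record."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.raw")  # stands in for the original media
    img = os.path.join(tmp, "evidence.dd")   # stands in for the image on the target
    try:
        with open(src, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)  # constructed content, 1 MiB
        record = image_and_verify(src, img)
        with open(img, "r+b") as fh:  # simulate damage to the image in storage
            fh.seek(4096)
            fh.write(b"\xff")  # the original byte at this offset is 0x00
        still_matches = hash_file(img) == record["acquisition_hash"]
        return record["verified"], still_matches, record["bytes"]
    finally:
        for p in (src, img):
            if os.path.exists(p):
                os.unlink(p)
        os.rmdir(tmp)


if __name__ == "__main__":
    verified, still_matches, size = demo()
    print(f"imaged {size} bytes, verified={verified}, matches after damage={still_matches}")
```

The acquisition hash here is computed from the read stream during the copy, which is how most imaging tools work; hashing the original drive separately, as the text describes, costs a second full read of the source but lets the examiner show that the source itself read the same way before and after imaging. Either way, the value that goes into the case notes is the one that every later re-hash of the image is checked against.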

