When collecting evidence items must be seized and handled appropriately. It is important to note that just because 'digital devices are there they should not be seized. There must be reasonable grounds to remove property and there must be a justifiable reason for doing so.' APCO Good Practice Guide for Digital Evidence.
Digital evidence by its very nature is fragile and can be easily altered, damaged or destroyed by improper handling or examination. For these reasons, special precautions must be taken to preserve this type of evidence. Failure to do so may render the evidence unusable or lead to an inaccurate conclusion.
When capturing data the following steps must be taken:
- Obtaining the proper authorisation to remove the property of the person or company under investigation i.e. get a search warrant.
- Identify storage devices that need to be acquired, these can be internal (e.g. hard disk) or external (e.g. USB Flash drive, CD)
- Document internal storage devices and hardware configuration
- Drive condition e.g. make, model, geometry, size, location, drive interface
- Internal components e.g. sound card, video card, network interface card (NIC), media access control (MAC) address, PC cards
- It is important to document the serial numbers of storage devices as this can be used to ascertain if the device has been used in a specific computer
In certain circumstances, it might be important to gather data form a computer whilst it is running or in a “live” state. This is becoming more common practice, even though some changes to the original evidence will be made. This is because it allows access to data stored in RAM. Due to RAMs “volatile” nature, any data stored in RAM is lost when the power to the computer/device is switched off.
There are lots of similarities between securing a physical scene and securing a digital scene, but securing a digital crime scene has its own challenges. Firstly, investigators must assess whether the data is volatile or persistent (non-volatile). Volatile data is compromised when a system is powered off. If a device is still turned on at the time of seizure, it should be left on until a qualified person has had the chance to examine it. Turning the device off could alter or delete digital evidence on the device.
Operating systems and other programs frequently alter, add and delete the contents of electronic storage. This might happen automatically without the user necessarily being aware that the data has changed. An investigator must be careful not to disrupt meta-data by opening, saving or printing files. Likewise, measures should be taken to make sure caches are not changed and temporary files are not altered.
All of the systems data must be captured and retained on a separate storage device. This preserves the state of the system at the time of the incident, so if changes are made after the investigation begins; the exact image of the system is preserved for analysis. Whenever practicable, proportionate and relevant, a forensically sound image should be made of the device. This will ensure that the original data is preserved and enable a 3rd party to re-examine it and achieve that same result.
This image may be a physical/logical block image of the entire device or a logical file image containing partial or selective data. Investigators should use their professional judgement to make sure that all relevant evidence is collected if only a partial image is created.
Not all data will be stored locally; some data may be stored remotely or in a location where it is not possible to obtain an image. In this case, it may be necessary to access the original data directly. This should only be done by someone who has the correct skills and training.
Digital evidence and the devices used to store it are fragile and sensitive to extreme temperatures, humidity, physical shock, static electricity and magnetic fields. This makes transporting the evidence difficult.
Before digital evidence is collected it must be properly documented, labelled, marked, photographed, video recorded or sketched. All connections and connected devices should be labelled for easy reconfiguration of the system later.
Digital evidence should be packed in anti-static packaging, such as paper bags/envelopes, cardboard boxes or anti-static containers. Plastic materials should not be used because plastic can produce or convey static electricity and allow condensation or humidity to build up which could damage or destroy the evidence.
Mobile devices, such as smart-phones, should be left in the power state (on or off) in which they were found. These should be packaged in signal-blocking material, such as a Faraday isolation bag, to prevent data messages from being sent or received. Power cables and adaptors for these devices should also be collected.