School of Information Systems

Digital Evidence for Forensic Investigation

There exist multiple methods for gathering digital forensic evidence, but not all of them are effective. It’s important to note that the way we collect this evidence is crucial as the evidence itself is volatile and sensitive. Mishandling it could potentially disrupt the entire investigation process. Therefore, precise procedures must be followed during the acquisition, storage, transmission, and preservation of the evidence to avoid errors.

Some characteristics of the data that we have to ensure:

  1. The data retrieved must be an exact match of the original source data.
  2. Authenticity is also of utmost importance; the data being analyzed must be the very data taken from the examined medium.
  3. Maintaining integrity is crucial, meaning that the analyzed data should remain unaltered.
  4. Confidentiality and availability are also important factors to consider.

The selection of the data acquisition method depends on the specific data or digital device being analyzed. Numerous methods are available, such as disk-to-disk file, disk-to-disk copy, disk-to-image file, and even a sparse data copy of a file or folder.

  • If a device is powered on, the acquisition of digital evidence is referred to as live acquisition. This method involves obtaining evidence from a running system while it is still active, which allows for the collection of volatile data.
  • On the other hand, if a device is powered off, the acquisition of digital evidence is referred to as postmortem acquisition. This method involves obtaining evidence from the storage media of a powered-down system, which provides better data integrity.

Volatility is a crucial factor to consider during the acquisition of digital evidence. Depending on the level of volatility, certain data is prioritized for acquisition first. Examples of such data include registers, cache, the routing table, the ARP cache, the process table, and memory. This is followed by temporary file systems and securing the disk. The acquisition of static data, such as physical configuration, network topology, and archival media, is typically conducted last. It is also important to document the seizure and acquisition of digital evidence from the device.
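As an added example (not from the original article), the shell workflow below images a source, hashes both source and image to check the exact-match and integrity requirements listed above, and records every step with a timestamp in an acquisition log, as the documentation point above calls for. The file paths, the log format and the EXAMINER variable are assumptions; in a real case the source would be the evidence device behind a write-blocker.

```shell
#!/bin/sh
# Added example, not the article's own procedure. Images a source into a file,
# verifies the copy by hash, and appends each step to an acquisition log.
# Paths are placeholders: in practice SRC is the evidence block device
# (accessed through a hardware write-blocker) and IMG lives on examiner media.
set -u

# Print only the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Append one UTC-timestamped line to the acquisition log ($LOG).
log_entry() {
    printf '%s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$LOG"
}

# acquire_image SRC IMG: bit-for-bit copy of SRC into IMG.
# conv=noerror,sync keeps going past unreadable sectors (zero-filling them)
# instead of aborting with a truncated image. Caveat: sync pads the final
# block to bs, so SRC must be a multiple of bs (true for block devices),
# otherwise the hash check below fails even though the copy was fine.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SRC IMG: returns 0 only if the image hashes identically to
# the source; both digests are logged so the check can be repeated later.
verify_image() {
    src_hash=$(sha256_of "$1")
    img_hash=$(sha256_of "$2")
    log_entry "source=$1 sha256=$src_hash"
    log_entry "image=$2 sha256=$img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        log_entry "VERIFIED image matches source"
        return 0
    fi
    log_entry "MISMATCH image does not match source"
    return 1
}

# acquire_and_verify SRC IMG LOG: full workflow, returns verify_image's status.
acquire_and_verify() {
    LOG="$3"
    log_entry "BEGIN acquisition of $1 by ${EXAMINER:-examiner}"
    acquire_image "$1" "$2" || { log_entry "dd failed"; return 1; }
    verify_image "$1" "$2"
}
```

Re-running verify_image on the stored image later (for example before analysis) shows whether it is still the data that was acquired, which is the integrity requirement in practice.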

It is important to keep in mind certain considerations when acquiring data from workstations or servers.

  1. Deleted data is not necessarily permanently lost, as it may still be possible to recover the files.
  2. Valuable information about how a computer was used can often be recovered.
  3. Formatting a disk does not necessarily remove all data from it.
  4. Information about websites that were visited may be easily retrievable.

Here are some common mistakes that can occur during the process of obtaining digital evidence:

  1. Improperly seized digital evidence can result in degradation of the evidence, and may impact its usefulness in criminal proceedings.
  2. Turning off a device that is powered on without first acquiring volatile evidence can result in the loss of valuable information.
  3. Incorrect and disorganized labeling and marking of digital evidence can make it difficult to track and manage the evidence properly.
  4. Failure to secure additional equipment, such as USB flash drives, CDs or DVDs, can result in the loss or contamination of digital evidence.

Joni Suhartono