School of Information Systems

CREATING DIGITAL FORENSIC EVIDENCE

06 Oct 2023

Creating digital forensic evidence typically involves following a systematic and careful process to ensure the integrity and admissibility of the evidence. Here are the general steps involved in creating digital forensic evidence:

1. Preserve the original evidence: It is crucial to preserve the original digital evidence in its original state to maintain its integrity. Make sure not to modify or alter the original evidence in any way. Use write-blocking devices or software to prevent any unintentional changes to the evidence.

2. Document the chain of custody: Establish and maintain a detailed chain of custody for the evidence. Document all the individuals who have had access to the evidence, including dates, times, and any actions performed on the evidence. This helps ensure the evidence’s integrity and demonstrates its authenticity in court.

3. Create forensic copies: Make forensic copies (also known as forensic images) of the original evidence. Use specialized forensic tools that create a bit-for-bit copy of the original data without modifying it. These copies will be used for analysis and investigation, while the original evidence remains preserved and untouched.

4. Analyze the forensic copies: Examine the forensic copies using appropriate forensic tools and techniques. This may involve searching for specific files, analyzing file metadata, recovering deleted data, examining system logs, analyzing network traffic, and more. The goal is to uncover relevant information and potential evidence related to the investigation.

5. Document findings and actions: Throughout the analysis process, meticulously document all findings, actions taken, and the tools used. This documentation should be thorough and detailed, ensuring that all steps are clearly recorded. Proper documentation supports the credibility and reliability of the forensic evidence.

6. Maintain the integrity of the evidence: Throughout the investigation, it is vital to maintain the integrity of the forensic copies. Avoid altering or modifying the copies in any way, as any changes made could compromise the integrity of the evidence and render it inadmissible in court.

7. Generate reports: Create comprehensive reports summarizing the findings, analysis methods, and any relevant evidence discovered. These reports should be clear, concise, and well-organized, allowing others to understand the investigative process and conclusions.

8. Secure and store the evidence: After completing the analysis and generating reports, securely store the original evidence, forensic copies, and all related documentation. Follow best practices for evidence storage to prevent unauthorized access or tampering.

It’s important to note that digital forensics is a highly specialized field that requires expertise and proper training. If you need to create digital forensic evidence for legal or investigative purposes, it is recommended to consult with a professional digital forensic examiner or forensic laboratory.

Joni Suhartono