School of Information Systems

Process in collection and preservation in digital forensic investigation

The collection and preservation of digital evidence in a forensic investigation is a critical process that requires careful handling to maintain the integrity and admissibility of the evidence in court. Here is a step-by-step process for collecting and preserving digital evidence:

1. Identification of Digital Evidence:

Identify the digital devices and media that may contain relevant evidence. This could include computers, smartphones, tablets, servers, external drives, or cloud storage.

2. Securing the Scene:

If the digital evidence is found at a physical location (e.g., a crime scene or workplace), secure the area to prevent unauthorized access or tampering with the evidence.

3. Documentation:

Document the location and condition of each digital device or media storage, noting any visible damage, connections, or labels.

4. Chain of Custody:

Establish and maintain a clear chain of custody for each piece of digital evidence. This includes documenting who handled the evidence, when, and for what purpose.

5. Legal Authorization:

Ensure that the collection of digital evidence complies with legal requirements and obtain any necessary warrants or permissions.

6. Digital Forensic Toolkit:

Prepare a digital forensic toolkit with the necessary hardware and software for evidence acquisition and analysis. Common tools include write-blockers, forensic imaging software, and analysis software.

7. Forensic Imaging:

Create a forensic image or copy of the digital storage media. This is a bit-for-bit copy that preserves the original data without modification.

Use write-blocking devices to prevent any changes to the original data during imaging.

8. Hashing:

Calculate cryptographic hash values (e.g., MD5, SHA-1, SHA-256) for the forensic image files. Hash values are used to verify the integrity of the evidence throughout the investigation.

9. Documentation of Procedures:

Document the procedures used to acquire the forensic images, including the date, time, and specific tools and settings used.

10. Evidence Packaging:

Store the original digital media in anti-static bags or containers designed for evidence preservation. Label each container with a unique identifier and maintain the chain of custody.

11. Transportation:

Safely transport the evidence to a secure and controlled environment, such as a digital forensic laboratory, for analysis.

12. Evidence Handling:

Minimize physical handling of the original evidence, as it can be fragile and susceptible to damage. Use gloves when necessary.

13. Secure Storage:

Store the original evidence and forensic images in a secure and controlled environment with restricted access to maintain the chain of custody and prevent tampering.

14. Documentation of Storage:

Document the storage conditions, including temperature, humidity, and access control, to ensure the preservation of evidence integrity.

15. Data Verification:

Periodically verify the integrity of the forensic images by re-calculating hash values and comparing them to the original values.

16. Backup Copies:

Create backup copies of forensic images to prevent data loss in case of unforeseen circumstances.

17. Legal Documentation:

Prepare legal documentation detailing the collection and preservation process, including the chain of custody, procedures followed, and the individuals involved.

18. Courtroom Preparation:

If the investigation leads to legal proceedings, prepare digital forensic experts to present their findings and the integrity of the evidence in court.

Throughout the entire process, maintaining the integrity and confidentiality of the digital evidence is paramount. Adhering to proper procedures, documenting all actions, and ensuring that evidence is collected and stored securely are essential for a successful digital forensic investigation.

Joni Suhartono