Preserving the evidence

As evidence is collected, it must be preserved in a state that is acceptable in court. Working directly on the original copies of evidence might alter it. So, as soon as you recover a raw disk image or files, create a read-only master copy and duplicate it. In order for evidence to be admissible, there must be a method to verify that the evidence presented is exactly the same as the original collected. This can be accomplished by creating a forensic hash value of the image. A forensic hash is used to ensure the integrity of an acquisition by calculating a cryptographically strong and non-reversible value of the image/data. After duplicating the raw disk image or files, compute and verify the hash values for the original and the copy to ensure that the integrity of the evidence is maintained. Any changes in hash values should be documented and explainable. All further processing or examination should be performed on copies of the evidence. Any use of the device might alter the information stored on the handset. So, only perform the tasks that are absolutely necessary.