- Digital Forensics and Incident Response
- Gerard Johansen
- 257 words
- 2021-07-02 18:49:46
Proper evidence handling
The proper handling and securing of evidence is critical. Mistakes in how evidence is acquired can lead to that evidence being tainted and subsequently not forensically sound. In addition, if an incident involves potential legal issues, critical evidence can be excluded from being admitted in a criminal or civil proceeding. There are several key tenets of evidence handling that need to be followed:
- Altering the original evidence: Actions taken by digital forensic examiners should not alter the original evidence. For example, a forensic analyst should not access a running system if they do not have to. It should be noted that some of the tasks that will be explored have the potential to alter some of the evidence. By incorporating proper documentation and having a justifiable reason, digital forensic examiners can reduce the chance that evidence will be deemed tainted.
- Document: One central theme you will often hear in law enforcement is the phrase "if you didn't write it down, it didn't happen." This is especially true when discussing digital forensics. Every action that is taken should be documented in one way or another. This includes detailed notes and diagrams. Another way to document is photographs. Proper documentation allows examiners to reconstruct the chain of events if the integrity of evidence is ever called into question.
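The two tenets above can be supported in tooling. The following is an added example, not code from the book: it records each examiner action with a justification and the evidence file's hash, chaining entries so that later edits to the notes are detectable. SHA-256, the log format, and all names here are assumptions of this example.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file opened read-only, so the check itself never writes to it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Digest over every field except the entry's own digest."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_action(log, examiner, action, justification, evidence_path):
    """Append one documented action, chained to the previous entry."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "justification": justification,
        "evidence_sha256": sha256_file(evidence_path),
        "prev": log[-1]["digest"] if log else "0" * 64,
    }
    entry["digest"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log, evidence_path=None):
    """Return a list of problems; an empty list means notes and evidence agree."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        if e["prev"] != prev or e["digest"] != entry_digest(e):
            problems.append(f"entry {i}: note altered or out of sequence")
        if e["evidence_sha256"] != log[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = e["digest"]
    if evidence_path and log and sha256_file(evidence_path) != log[0]["evidence_sha256"]:
        problems.append("evidence file no longer matches acquisition hash")
    return problems

if __name__ == "__main__":
    fd, img = tempfile.mkstemp()  # constructed stand-in for an acquired image
    os.write(fd, b"constructed disk image bytes"); os.close(fd)
    log = []
    record_action(log, "examiner1", "acquired image", "initial acquisition", img)
    print(verify_log(log, img)); os.remove(img)
```

A hash chain only shows that earlier entries were not edited after later ones were written; the most recent entry's digest still has to be recorded somewhere outside the log, for example in the case file.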
There are a number of resources available from various law enforcement agencies on proper evidence handling in the field. You should become familiar with these procedures. The following guides are utilized by law enforcement agencies:
http://www.crime-scene-investigator.net/SeizingElectronicEvidence.pdf
https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
http://www.iacpcybercenter.org/wp-content/uploads/2015/04/digitalevidence-booklet-051215.pdf