
Learning to handle the evidence

Once the sources of evidence are identified, the next critical aspect is to learn how to handle the evidence. In the previous chapter, we saw that forensics involves investigative processes used in a manner that is acceptable to a court of law.

Therefore, we need to ensure that all processes followed by us do not compromise the evidentiary value of the collected information.

Rules for the collection of digital evidence

Digital evidence, by its very nature, is fragile. It is extremely easy to tamper with and equally easy to destroy it.

In fact, in the early days, one of the key features that made computers so popular was the fact that a document that was made in a word processor could be very easily modified and mass produced.

In an evidentiary world, this means that whenever we handle or transport digital evidence, we may cause it to change. In fact, we may cause the digital evidence to change even by viewing it. Digital evidence may also degrade over time, through the physical degradation of the media that the evidence is stored on. A single out-of-place bit can put a substantial dent in our watertight case, raising questions about its authenticity and, ultimately, its admissibility.

To ensure that this does not happen, as investigators, we need to adhere to a set of fundamental rules.

Rule 1: never mishandle the evidence

As discussed earlier, evidence has to be handled with extreme care. The objective is to minimize any disruptive contact with the evidence. When it is essential for the investigator to interact with the evidence, it must be done in a manner that is least intrusive and completely documented.

Rule 2: never work on the original evidence or system

Any interaction with the original evidence in digital form causes the evidence to be compromised. Metadata such as dates and time stamps on files change almost instantly. Unless the original evidence is handled in a write-blocked manner, the possibility of the evidence being compromised is a real threat to the successful completion of the case.

Likewise, the suspect system should never be used to carry out an investigation. Not only does that compromise the evidence, but it also adds to the risk of the evidence being manipulated, deleted, damaged or destroyed.

The recommended process is to create a forensic copy of the digital evidence, ensure its authenticity vis-à-vis the original, then carry out further investigations that are required in a write-protected manner.

Rule 3: document everything

In an investigation, any evidence is only as good as the process followed to obtain it. Unless proper processes with the correct precautions are followed, and clear-cut documentation attests to that fact, the acquisition and authentication of the evidence may be regarded as flawed.

Therefore, cradle-to-grave documentation for all the exhibits and for the authenticated images of the exhibits is a must. A comprehensive chain of custody, or CoC as it is known, has to be maintained, in which a detailed record is kept of every exhibit and of who had it in custody at any given time. Hash values should be recorded and rechecked every time the exhibit changes hands.

At this point, it is appropriate to lay increased emphasis on the CoC documentation process. The CoC is a critical part of the investigation process. It documents, in great detail, every step and stage that a piece of evidence goes through. It maintains a record of every custodian (person) who was in possession of the evidence item at any point in time since it was tagged as part of the case under investigation.

Any discrepancies or gaps in the CoC can be a cause for dismissal of the case. Therefore, a CoC is considered to be as important as the case evidence itself. This is something that every investigator needs to keep in mind while conducting a forensic examination.
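The hash-on-every-hand-off discipline described under Rule 2 and Rule 3 can be reduced to a small log that recomputes the image hash at each transfer and compares it with the acquisition hash. The following is an added example, not code from the book; the exhibit ID, custodian names and the stand-in "image" bytes are all constructed.

```python
# Added example (not from the book): a minimal chain-of-custody (CoC) log that
# records each custodian hand-off of a forensic image and re-verifies the
# image hash against the acquisition hash at every step.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    timestamp: str
    custodian: str
    action: str
    sha256: str
    verified: bool  # True if the hash still matches the acquisition hash


@dataclass
class ChainOfCustody:
    exhibit_id: str
    acquisition_sha256: str
    entries: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(exhibit_id: str, custodian: str, image: bytes) -> ChainOfCustody:
    """Open the CoC when the forensic copy is first taken and hashed."""
    digest = sha256_hex(image)
    coc = ChainOfCustody(exhibit_id, digest)
    coc.entries.append(CustodyEntry(_now(), custodian, "acquired", digest, True))
    return coc


def transfer(coc: ChainOfCustody, image: bytes, new_custodian: str) -> bool:
    """Record a hand-off; recompute the hash and compare it to the acquisition
    hash. Returns False (and records the discrepancy) if the image changed."""
    digest = sha256_hex(image)
    ok = digest == coc.acquisition_sha256
    coc.entries.append(CustodyEntry(_now(), new_custodian, "received", digest, ok))
    return ok


def has_gaps(coc: ChainOfCustody) -> bool:
    """Any entry whose hash did not verify is a gap in the chain."""
    return any(not e.verified for e in coc.entries)
```

Running `acquire` on a constructed image, then `transfer` once with the same bytes and once with a single bit flipped, yields True for the first hand-off and False for the second, and `has_gaps` then reports the discrepancy.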
