written 7.0 years ago by | modified 6.8 years ago by |
Subject: Digital Forensics
Topic: Preserving and Recovering Digital Evidence
Difficulty: High
written 6.8 years ago by |
Evidence: We can define evidence as any information of probative value, meaning it proves something or helps prove something relevant to the case. It is safest to treat any information of probative value that you obtain during an investigation as evidence.
Evidence Handling Procedure:
When handling evidence during an investigation, you will generally adhere to the following procedures:
1. If examining the contents of a hard drive currently placed within a computer, record information about the computer system under examination.
2. Take digital photographs of the original system and/or media that is being duplicated.
3. Fill out an evidence tag for the original media or for the forensic duplication (whichever hard drive you will keep as best evidence and store in your evidence safe).
4. Label all media appropriately with an evidence label.
5. Store the best evidence copy of the evidence media in your evidence safe.
6. An evidence custodian enters a record of the best evidence into the evidence log. For each piece of best evidence, there will be a corresponding entry in the evidence log.
7. All examinations are performed on a forensic copy of the best evidence, called a working copy.
8. An evidence custodian ensures that backup copies of the best evidence are created. The evidence custodian will create tape backups once the principal investigator for the case states that the data will no longer be needed in an expeditious manner.
9. An evidence custodian ensures that all disposition dates are met. The dates of evidence disposition are assigned by the principal investigator.
10. An evidence custodian performs a monthly audit to ensure all of the best evidence is present, properly stored, and labeled.
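
An added example, not part of the original answer: a minimal evidence log covering steps 6, 7, 9 and 10 of the procedure above. Recording a SHA-256 digest at intake, the `LogEntry` fields and all function names are assumptions made for illustration; the procedure itself does not specify them.

```python
import hashlib
import shutil
from dataclasses import dataclass
from datetime import date
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class LogEntry:          # hypothetical evidence-log record (step 6)
    tag: str             # evidence tag / label identifier
    path: Path           # where the best evidence is stored
    sha256: str          # digest recorded at intake (assumption, not on the page)
    disposition: date    # assigned by the principal investigator (step 9)


def log_best_evidence(log, tag, path, disposition):
    log.append(LogEntry(tag, Path(path), sha256_file(path), disposition))
    return log[-1]


def make_working_copy(entry, dest_dir):
    # Step 7: examinations use a copy, accepted only if it matches the log.
    copy = Path(dest_dir) / (entry.tag + ".working")
    shutil.copyfile(entry.path, copy)
    if sha256_file(copy) != entry.sha256:
        copy.unlink()
        raise ValueError(entry.tag + ": copy differs from best evidence")
    return copy


def audit(log, today):
    # Step 10: report items that are missing, altered, or due for disposition.
    findings = []
    for e in log:
        if not e.path.exists():
            findings.append((e.tag, "missing"))
        elif sha256_file(e.path) != e.sha256:
            findings.append((e.tag, "digest mismatch"))
        if e.disposition <= today:
            findings.append((e.tag, "disposition due"))
    return findings
```

Call `log_best_evidence` once per item at intake, `make_working_copy` before any examination, and `audit(log, date.today())` on the monthly schedule; an empty list means every logged item is present, unaltered and not yet due for disposition.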