Investigators must ensure the integrity of all evidence collected, analyzed, processed and presented to a courtroom and jury. This is important because the improper collection and analysis of evidence can lead to compromised data and potential damage to a prosecution. The seizure and analysis of digital evidence can be particularly challenging but is just as critical to a case as physical evidence. Specific procedures must be followed to ensure the successful collection and analysis of digital media, along with guidelines or best practices for the collection of all evidence, both physical and digital. Following the proper steps for collecting and processing evidence, and meeting chain of custody requirements, can ensure a successful outcome in solving a case and a successful prosecution.
The first and most important step in the entire process for collecting evidence is to document the scene. It is critical that an investigator capture as accurate a depiction of a crime scene as possible (Solomon, Rudolph, Tittel, Broom, & Barrett, 2011). This can be accomplished in a number of ways. These include photographing the scene to preserve its original image for a judge and jury. Investigators can also take images of a computer system. It is necessary to take hash images of volatile data first, as volatile data relies on a constant flow of electricity to remain in system memory. Things that are considered volatile are registers, the system cache, routing tables, kernel statistics, memory, temporary file systems, disks and archived media (Solomon, Rudolph, Tittel, Broom, & Barrett, 2011). The first thing an investigator should do aside from photographing the scene is to take a system hash image of seized digital items. If a system is in the process of deleting what could be valuable evidence, it should be immediately unplugged to try to preserve data. Before removing digital evidence from a business or a home, a forensic investigator should also take note of network connections in use, open ports, applications and the date and time of the system. When digital items are removed and transported, they should never be transported in plastic. The battery in cell phones should be removed and the items should be placed in paper anti-static bags. Any interference from cell towers and other electronic devices could damage evidence. Investigators always want to maintain the last known state of digital items. Any changes to the date and time of a system or new data being transmitted to a system could overwrite existing data and that could jeopardize an investigation (National Forensic Science Technology Center, n.d.).
Preserving evidence collected and conducting proper analysis of systems for extraction of evidence is a very meticulous process. There are many ways in which forensic examiners can extract information from computer systems. All...