Module 4

CYBER FORENSICS

1
Contents

2
Handling the
Digital Crime Scene

3
4
5
6
7
8
9
10
11
Handling digital crime scene
The primary objective is to ensure that the digital evidence in question is legitimate, hasn’t been tempered
with, and that it can stand in court. The protocol requires documenting everything in relation with the
digital evidence in question and outlines the details surrounding its:

 Collection

 Transfer

 Sequence of control

 Analysis

 Who was in its custody

 Date and time of events

 Purpose
12
Handling the digital crime scene
If any particular detail regarding the handling of digital evidence is omitted, its quality may come under
question, and the court may rule it out as inadmissible.

In law enforcement, you will often encounter situations that require at least a basic understanding of what
the chain of custody is and how to maintain it as to not compromise the evidence that can be vital to the
resolution of the case.

To make this complex issue easier to understand, here are the steps

1. The importance of maintaining the chain of custody

2. The key chain of custody principles

13
Handling digital crime scene
1. The chain of custody process

2. Filling out the CoC form is about providing answers to vital questions

3. The dos and don'ts of working with digital evidence

4. Conclusion

14
Handling digital crime scene
1.The importance of maintaining the chain of custody

Digital evidence in criminal investigations is fundamental to convicting the ones at fault and bringing them
to justice. Fail to adhere to the protocol and you risk jeopardizing the entire case.

2.The key chain of custody principles

To preserve the chain of custody, you must follow the proper protocol – any step that’s left out could make
the digital evidence in question less authentic.

With that being said, here are some essential chain of custody principles to keep in mind:

15
Handling digital crime scene
 Preserve the original materials
o When handling digital evidence, you should never make the mistake of working on the original
materials.
Take photos and screenshots
o This is one of the essential digital forensic process steps. By doing so, the digital evidence specialist
who will be taking a look at it after you will have a better understanding of what you were doing and
get a glimpse into your workflow.

 Document the time and date of receipt

o This allows you to make sense of the phases in computer forensics and visualize a timeline of who
inspected the digital evidence. Also, you’ll know where it was every step of the way before the law
enforcement agency got a hold of it.

16
Handling digital crime scene
 Make a digital forensic image
o The image will be a bit-for-bit clone of the original and it’s what you will be uploading into the
computer to investigate. If you are looking for a professional industry-grade digital forensics tool
that lets you do this, make sure to check out DRS by Salvation DATA.

 Authenticate the image through hash analysis

o This is for the purpose of further authentication. Remember that a digital evidence specialist needs to
make sure the data is not corrupt and that it represents a true copy of the original – this is where
hash analysis comes into play.

17
Handling digital crime scene
3. The chain of custody process

To give you a glimpse into the process of digital forensics and how the chain of custody fits in, we’ll walk
you through the different phases. By following the exact steps outlined below, it will be very hard for any
court to rule the evidence inadmissible.

Data collection

Examination

Analysis

Reporting

18
Handling digital crime scene
4. Filling out the CoC form is about providing answers to vital questions

To fill out the form properly, you’re going to need to answer certain questions pertaining to the chain of
custody process.

 What is the evidence in question?

 Who has handled it?

 Who transported it?

5. The dos and don'ts of working with digital evidence

19
Handling digital crime scene
DO: Document everything

DON’T: Work with the original

DO: Use a dedicated machine or a virtual environment

DON’T: Attempt to do it without digital forensics professional

DO: Store the device properly

DON’T: Change the device’s power status

6.Conclusion

Maintaining the chain of custody can feel like making your way through a minefield. One single mistake and the entire
investigation can be jeopardized and the digital evidence ruined.

Therefore, it’s of crucial importance to follow the protocol and stick to the best practices that apply to the digital forensics’
investigation process.
20
Digital Evidence Examination Guidelines
While the data processing steps outlined focus on preparing electronic records for civil litigation, the process of
filtering out irrelevant, confidential, or privileged data is applicable to many digital forensic computer analysis
situations, including:

o Eliminating valid system files and other known entities that have no relevance to the investigation.

o Focusing an investigation on the most probable user-created data.

o Managing redundant files, which is particularly useful when dealing with backup tapes.

o Identifying discrepancies between forensic computer analysis tools, such as missed files and MD5 hash errors.

Additionally, the output of this process provides a solid foundation for subsequent analysis, including
classification, individuation, evaluation of source, and temporal reconstruction.

Three approaches to implementing the evidence processing methodology. The first approach uses command line
utilities. The other two approaches use the GUI tools: EnCase and FTK. The same methodology can be translated
to UNIX-based tools.
21