Module 4 CF
CYBER FORENSICS
Contents
Handling the Digital Crime Scene
Handling digital crime scene
The primary objective is to ensure that the digital evidence in question is legitimate, has not been tampered
with, and can stand up in court. The protocol requires documenting everything relating to the digital
evidence in question and outlines the details surrounding its:
Collection
Transfer
Sequence of control
Analysis
Purpose
If any particular detail regarding the handling of digital evidence is omitted, its quality may come under
question, and the court may rule it out as inadmissible.
In law enforcement, you will often encounter situations that require at least a basic understanding of what
the chain of custody is and how to maintain it so as not to compromise evidence that can be vital to the
resolution of the case.
To make this complex issue easier to understand, here are the steps:
1. The chain of custody process
2. Filling out the CoC form is about providing answers to vital questions
4. Conclusion
1. The importance of maintaining the chain of custody
Digital evidence in criminal investigations is fundamental to convicting the ones at fault and bringing them
to justice. Fail to adhere to the protocol and you risk jeopardizing the entire case.
To preserve the chain of custody, you must follow the proper protocol – any step that’s left out could make
the digital evidence in question less authentic.
With that being said, here are some essential chain of custody principles to keep in mind:
Preserve the original materials
o When handling digital evidence, you should never make the mistake of working on the original
materials.
Take photos and screenshots
o This is one of the essential digital forensic process steps. By doing so, the digital evidence specialist
who will be taking a look at it after you will have a better understanding of what you were doing and
get a glimpse into your workflow.
Make a digital forensic image
o The image is a bit-for-bit clone of the original, and it is the copy you load onto the examination
computer to investigate, so the original is never touched. If you are looking for a professional
industry-grade digital forensics tool that lets you do this, make sure to check out DRS by Salvation DATA.
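The acquisition step above, together with the collection, transfer and sequence-of-control records that the chain-of-custody protocol asks for, as an added example in Python (this is not code from the lecture slides or from any vendor tool). It copies a source bit for bit while hashing the stream, re-reads the image independently to confirm the hashes match, and records each acquisition and hand-over in an append-only log where every entry commits to the hash of the previous one, so an edited or removed entry is detectable. The file names, the 1 MiB chunk size and the use of a regular file in place of an evidence drive are assumptions made so the example runs offline; in a real acquisition `source` would be a device node behind a write blocker.

```python
"""Added example, not code from the lecture slides: bit-for-bit acquisition
with hash verification plus a hash-chained custody log.  A regular file stands
in for the evidence drive so this runs offline (assumption); the source is only
ever opened read-only."""
import hashlib
import json
import os
import time

CHUNK = 1 << 20  # 1 MiB per read (assumed; any size works)


def _hash_stream(fh, chunk=CHUNK):
    """Return (md5, sha256) hex digests of an open binary file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        md5.update(block)
        sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


class CustodyLog:
    """JSON-lines log; entry[i]["prev"] == sha256 of the serialised entry[i-1]."""

    def __init__(self, path):
        self.path = path

    def _entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path) as fh:
            return [json.loads(line) for line in fh if line.strip()]

    @staticmethod
    def _digest(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        entries = self._entries()
        entry = {"seq": len(entries),
                 "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                 "prev": self._digest(entries[-1]) if entries else "0" * 64,
                 **fields}
        with open(self.path, "a") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self):
        """True iff every entry's prev matches the digest of the entry before it."""
        prev = "0" * 64
        for seq, entry in enumerate(self._entries()):
            if entry.get("seq") != seq or entry.get("prev") != prev:
                return False
            prev = self._digest(entry)
        return True


def acquire_image(source, image, examiner, log):
    """Copy source -> image bit for bit, hashing the stream on the way, then
    re-read the written image independently and confirm the hashes match."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "xb") as dst:  # "xb": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            md5.update(block)
            sha.update(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    with open(image, "rb") as fh:
        img_md5, img_sha = _hash_stream(fh)
    verified = (img_md5, img_sha) == (md5.hexdigest(), sha.hexdigest())
    return log.append(event="acquired", examiner=examiner,
                      source=os.path.abspath(source), image=os.path.abspath(image),
                      size_bytes=size, md5=md5.hexdigest(), sha256=sha.hexdigest(),
                      verified=verified)


def transfer(image, from_person, to_person, log):
    """Record a hand-over; the image is re-hashed so the receiver can confirm it."""
    with open(image, "rb") as fh:
        _, sha = _hash_stream(fh)
    return log.append(event="transfer", image=os.path.abspath(image),
                      released_by=from_person, received_by=to_person, sha256=sha)


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    src = os.path.join(work, "drive.bin")          # constructed stand-in for a drive
    with open(src, "wb") as fh:
        fh.write(os.urandom(2 * CHUNK + 4321))
    log = CustodyLog(os.path.join(work, "custody.jsonl"))
    print(acquire_image(src, os.path.join(work, "drive.dd"), "examiner A", log))
    print(transfer(os.path.join(work, "drive.dd"), "examiner A", "examiner B", log))
    print("log intact:", log.verify())
```

Run `verify()` before each analysis session and after each hand-over: a `False` tells you the log itself was altered, while a transfer entry whose `sha256` differs from the acquisition entry tells you the image was.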
3. The chain of custody process
To give you a glimpse into the process of digital forensics and how the chain of custody fits in, we’ll walk
you through the different phases. If you follow the exact steps outlined below, it will be very hard for any
court to rule the evidence inadmissible.
Data collection
Examination
Analysis
Reporting
4. Filling out the CoC form is about providing answers to vital questions
To fill out the form properly, you’re going to need to answer certain questions pertaining to the chain of
custody process.
DO: Document everything
6. Conclusion
Maintaining the chain of custody can feel like making your way through a minefield. One single mistake and the entire
investigation can be jeopardized and the digital evidence ruined.
Therefore, it is of crucial importance to follow the protocol and stick to the best practices that apply to the
digital forensics investigation process.
Digital Evidence Examination Guidelines
While the data processing steps outlined focus on preparing electronic records for civil litigation, the process of
filtering out irrelevant, confidential, or privileged data is applicable to many digital forensic computer analysis
situations, including:
o Eliminating valid system files and other known entities that have no relevance to the investigation.
o Managing redundant files, which is particularly useful when dealing with backup tapes.
o Identifying discrepancies between forensic computer analysis tools, such as missed files and MD5 hash errors.
Additionally, the output of this process provides a solid foundation for subsequent analysis, including
classification, individuation, evaluation of source, and temporal reconstruction.
There are three approaches to implementing the evidence processing methodology. The first uses command-line
utilities; the other two use the GUI tools EnCase and FTK. The same methodology can be translated to
UNIX-based tools.
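The three filtering tasks listed above (dropping known system files, managing redundant copies, and reconciling the hash listings of two tools), as an added Python example that is not code from the guidelines or from EnCase or FTK. It hashes every file under a directory, removes files whose hash is in a known-file set, groups what remains by hash so each redundant copy is examined once, and compares two tools' `{path: hash}` outputs to surface missed files and hash mismatches. The directory layout and the known-hash set in the demo are constructed; in practice the known set would come from a reference hash database.

```python
"""Added example, not from the lecture slides: known-file filtering,
de-duplication and cross-tool hash reconciliation over a directory tree."""
import hashlib
import os
from collections import defaultdict


def sha256_of(path, chunk=1 << 20):
    """SHA-256 hex digest of a file, read in 1 MiB chunks (size is an assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root (symlinks skipped)."""
    listing = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                listing[os.path.relpath(full, root)] = sha256_of(full)
    return dict(sorted(listing.items()))


def filter_known(listing, known_hashes):
    """Drop files whose hash appears in the known-file set (e.g. stock OS binaries)."""
    return {p: h for p, h in listing.items() if h not in known_hashes}


def group_duplicates(listing):
    """Map hash -> sorted [paths]; a list longer than one is a set of redundant copies."""
    groups = defaultdict(list)
    for path, digest in listing.items():
        groups[digest].append(path)
    return {d: sorted(ps) for d, ps in groups.items()}


def reconcile(tool_a, tool_b):
    """Compare two tools' {path: hash} outputs: files one tool missed, and files
    both saw but hashed differently (the 'MD5 hash errors' the guidelines mention)."""
    shared = set(tool_a) & set(tool_b)
    return {"missed_by_b": sorted(set(tool_a) - set(tool_b)),
            "missed_by_a": sorted(set(tool_b) - set(tool_a)),
            "hash_mismatch": sorted(p for p in shared if tool_a[p] != tool_b[p])}


def triage(root, known_hashes):
    """Full pass: hash, drop known files, keep one representative per unique hash."""
    listing = hash_tree(root)
    relevant = filter_known(listing, known_hashes)
    groups = group_duplicates(relevant)
    return {"total": len(listing),
            "known": len(listing) - len(relevant),
            "unique": {d: ps[0] for d, ps in groups.items()},
            "redundant": {d: ps[1:] for d, ps in groups.items() if len(ps) > 1}}


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()                      # constructed sample tree
    for rel, content in {"bin/ls": b"stock binary", "docs/a.txt": b"draft",
                         "docs/copy.txt": b"draft", "docs/b.txt": b"other"}.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    known = {hashlib.sha256(b"stock binary").hexdigest()}   # constructed known-file set
    print(triage(root, known))
    print(reconcile({"x": "1", "y": "2", "z": "3"}, {"x": "1", "y": "9"}))
```

The output of `triage` is the reduced working set the guidelines describe: only files that are neither known nor duplicates remain for classification and temporal reconstruction, and the `redundant` map keeps the provenance of every copy that was set aside.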