The way of collecting digital forensic evidence is very important. The evidence in this area is volatile and delicate. It should be noted that due to improper handling, the investigation may be disrupted. In other words, acquisition, storage, transmission, and the preservation of evidence require precise procedures.
When securing digital evidence, the following characteristics need to be ensured:
- Correctness of the data – the recovered data must be exactly the same as the source data.
- Authenticity – actual data from the analyzed medium.
- Integrity – the analyzed data is not altered; the alteration can be detected.
- Confidentiality, availability.
Containing a threat or an event is the first step in the mind of cyber professionals, but gathering information and evidence to pursue legal action typically follows immediately afterward. Our Digital Forensics Services specialize in getting to the bottom of every case with deep science and industry experience.
Depending on the type of data and the digital device, the method of data acquisition is selected. There are several methods, for example logical disk-to-disk file, disk-to-disk copy, disk-to-image file and also sparse data copy of a file or folder.
The method of obtaining digital evidence also depends on whether the device is switched off or on.
- If it is switched on, it is live acquisition. The evidence is collected from a running system. Data changes because of both provisioning and normal system operation. So in conclusion, live acquisition enables the collection of volatile data, but also influences the data.
- In case of postmortem acquisition, the evidence is collected from storage media of a system that is shut down. Moreover, postmortem provides better integrity preservation and does not influence the data. However, volatile data can be lost in the process of shutting down a system.
A significant factor in the acquisition of digital evidence is its volatility. Based on their level of fragility, the most volatile are acquired first. These are, for example, registers, cache, routing table, arp cache, process table and memory. It continues with temporary file systems and securing the disk. Last is more static data, such as physical configuration, network topology, and archival media.
It is also necessary to think about the documentation of the seizure and acquisition of digital evidence. Chain of custody documents the entire process and the handling of data and equipment.
A few facts to keep in mind when acquiring data from workstations or servers:
- Deleted data is still not completely lost. Often it is possible to recover files and get information about when they were deleted.
- Lot of information about how the computer was used can be recovered from the system.
- Formatting a disk does not remove all data.
- Information about visited websites can be retrieved relatively easily.
- Data is unusable unless it is decrypted.
- Volatile data can remain on the system for a relatively long time, even after a system reboot.
- It is often possible to recover data even after physical destruction.
- Devices through which packets pass often store logs that are retained for a relatively long time. So do devices that provide services.
Common mistakes that occur when obtaining digital evidence:
- Digital evidence improperly seized is degraded for the purposes of criminal proceedings.
- Turning off a device that is switched on without acquiring volatile evidence.
- Inaccurate and chaotic marking of evidence.
- Failure to secure additional equipment (e.g., USB flash, CD/DVD)