Forensic Preservation
Evidence Preservation
- host devices and media taken from the crime scene should be labeled, bagged, and sealed, using tamper-evident bags
  - ensure that the bags have antistatic shielding to reduce the possibility that data will be damaged or corrupted by electrostatic discharge (ESD)
- Each piece of evidence should be documented by a chain of custody form
- evidence should be stored in a secure facility with physical access and environmental controls
  - environmental controls ensure that condensation, ESD, fire, and other hazards do not damage the electronic evidence
  - physical controls include locks, guards, surveillance cameras, visitor logs, and other access controls
- transport methods must also be secure
- Hashing is used to validate data integrity
  - generate the hash value of a disk drive before performing any analysis
  - allows a forensic analyst to make copies of evidence and prove the copies are exact
- important to create metadata that accurately defines characteristics about digital evidence
  - e.g., type, date it was collected and hashed, purpose
- use a consistent naming scheme
  - date and time, case number, and evidence type
Provenance
Provenance, in digital forensics, is being able to trace the source of evidence to a crime scene and show that it has not been tampered with.
- a valid timeline is vital to the evidence collected at the crime scene
- Video recording the whole process of evidence acquisition establishes the provenance of the evidence as deriving directly from the crime scene
- To obtain a forensically sound image from nonvolatile storage
  - the capture tool must not alter data or metadata (properties)
Write Blocker
A write blocker is a forensic tool that prevents the capture or analysis device or workstation from changing data on a target disk or media.
- prevents any data on the disk or volume from being changed by filtering write commands at the driver and OS level
- used during data acquisition, before the target disk is imaged
Evidence Integrity and Non-Repudiation
- Once the target disk has been safely attached to the forensics workstation, data acquisition proceeds as follows:
  - A cryptographic hash of the disk media is made
    - using either the MD5 or SHA hashing function
  - A bit-by-bit copy of the media is made using an imaging utility
  - A second hash is then made of the image
    - should match the original hash of the media
  - A copy is made of the reference image, validated again by the checksum
  - Analysis is performed on the copy