The storage and management of forensic evidence is an important part of the criminal justice system. Evidence management has also become a concern for private companies.
An increasing number of corporate HR and IT departments find they need to manage evidence for internal investigations of data theft and acceptable use violations. Other companies are interested in collecting evidence to audit the effectiveness of their security programs. All of these companies will benefit from more systematic evidence management, but many have not yet learned the most effective processes used by law enforcement.
What are the most effective ways to preserve digital evidence? What do you need to know about collecting it in the first place? Are any tools available to help manage evidence?
Our 10-step guide will answer these questions for you.
Digital Evidence Is Increasingly Important
The demand for digital forensics is growing, with the market for such management services expected to reach $9.68 billion by 2022. This is due in part to the problems mobile and Internet of Things (IoT) technology introduced into evidence management.
Mobile technology has blurred the line between what counts as physical and digital evidence. Smartphones, for example, may hold pertinent photos locally, connect to files in the cloud, and carry fingerprint or other trace evidence on the device itself.
Many law enforcement agencies and private companies already have methods for managing physical evidence and digital evidence separately. Now, they need robust tools to manage them together.
The Digital Evidence Handling Process
Private companies can look to law enforcement for guidance on the best ways to preserve digital evidence. Firstly, you need to follow a process that does more than just preserve it. Good evidence management follows a five-step process of identification, collection, acquisition, then preservation, and finally, analysis.
Information needs to be gathered before the digital device is even touched. It won’t often be clear what contextual information is relevant to an investigation until much later. So to be safe, document everything about how the device was found, including:
- Who was involved in the incident
- What happened
- When the incident occurred
- Where the incident occurred
- How the incident occurred
Once all of that information is recorded, you can move on to actually collecting the physical media where digital evidence is stored or was accessed. Alter the device’s condition as little as possible while collecting.
Next, you need to extract data from the collected device. The exact acquisition method depends on the device in question. For example, the process for getting data off a laptop is very different from getting data off a smartphone.
When possible, this step should be left to professionals. Depending on the condition of the device and data, it may be best to take what is called a “forensic image” so you don’t have to manipulate the original copy at all. That requires specialized tools and knowledge.
Once data is acquired, the data and device need to be securely stored until they’re needed for further investigation. Preservation is usually done in either physical or digital storage systems—or preferably in a smart management system that can integrate with evidence management systems.
Finally, staff examines and evaluates data collected from the device to generate evidence for legal or corporate proceedings. The data collected from the device is used to help reconstruct the incident under investigation. That analysis and reconstruction are what transforms data into evidence.
10 Best Practices for Managing Digital Evidence
Digital evidence management has become so critical to legal and corporate affairs that government agencies now routinely provide guidance on the best ways to preserve digital evidence. Since most companies do not have the resources to retain in-house evidence collection specialists, we’ve pulled together these 10 best practices for handling digital evidence. They will help non-experts handle evidence in the safest and most secure way possible.
1. Document Device Condition
This is often overlooked during the identification phase. Make sure to take pictures of the device holding the digital media you will be collecting. Document its physical condition and where it was located.
Are there any dents or scratches? Is it wet? Are there tools nearby that could have been used to tamper with it? Track this information in the same evidence management system as the physical device.
2. Get Forensic Experts Involved
It is important to know when to stop working with evidence and let the experts take over. Following the best practices detailed here will allow even regular security officers, IT technicians, and office workers to help with the collection process. But the process of preserving and analyzing data still usually requires forensic expertise.
3. Have a Clear Chain of Custody
Document the transfer of media and digital evidence between every person and agency that comes in contact with it. Gaps in these records can prevent evidence from being admitted in court should legal action need to be taken. While a chain of custody can be recorded on paper, an authoritative digital record is often more reliable.
4. Don’t Change the Power Status
Leave the device in its current power state as long as possible during evidence identification and collection. If the device is on, leave it on. If it is off, leave it off.
Leave battery-powered devices in their current state as long as possible. Obviously, for wired devices, such as desktop PCs, you will eventually need to turn them off for transport. For highly sensitive investigations, it is best to bring in forensic experts before you do whenever possible.
5. Secure the Device
Ensure proper chain of custody for both hardware and data with strong physical security. Don’t store the device in an open access area. Try not to leave it unattended when it is being worked on. Poor chain of custody can reduce the value of evidence during proceedings.
6. Never Work on the Original Data
Sometimes data collection involves just copying readable files from media storage. But often other metadata can be collected from devices by forensic experts. Metadata is data about the condition of files on the device or about the device itself. Useful metadata can include how files were accessed, whether a shutdown or delete command was issued, or whether the user tried to copy files to another device.
Working directly on the original media will often delete valuable metadata. Professional data retrieval and forensic services always perform their analyses and reporting on virtual copies of media whenever possible.
7. Keep the Device Digitally Isolated
Another way to preserve metadata is to keep the device isolated from other storage systems. Keep it off Wi-Fi and wired network connections.
Sometimes well-intentioned staff can accidentally overwrite valuable metadata if they plug in a thumb drive attempting to copy files via conventional means for analysis. Leave the data copying to professional forensic experts.
8. Prepare for Long-Term Storage
Consider whether off-site storage is needed for long-term evidence management, or whether an on-site modular evidence management system can accommodate your needs. Modular systems will be able to scale if evidence retention needs or available space change.
9. Monitor Evidence Transactions
Staff will need to periodically sign out evidence for reporting or attorney consultations. Recording all of these transactions is essential for maintaining a proper chain of custody.
This can be difficult for most organizations that aren’t staffed with a full-time evidence manager. Even those law enforcement agencies that do have evidence managers can’t have them on duty around the clock. Consider whether automated evidence lockers can simplify transaction monitoring.
10. Periodically Audit Your Evidence Management Program
New electronic devices are constantly hitting the market. In particular, the advent of Internet of Things (IoT) technology means many more types of devices now hold data. You should regularly review your digital evidence management practices to ensure they accommodate all new types of devices and forms of digital storage that might come into your possession.
Good Digital Evidence Management Is a Team Effort
Good evidence management requires more than just a single person, even if they’re a forensic expert. You need on-the-ground staff who know how to identify and collect evidence when they’re first on the scene. You need supervisors who can start a proper chain of custody. You need IT technicians who can preserve and analyze data without damaging it. And you need leadership that knows when to bring in forensic expertise.
In short, you need an entire team that knows the best ways to preserve digital evidence. You also need the right supporting technology. Smart lockers can be the platform that enables your team to more effectively manage physical and digital evidence.
About the Author
Shannon Arnold is the VP of Marketing and Strategic Partnerships at Real Time Networks.