digital evidence

digital evidence

Collection of Digital evidences (Switched off/on Systems and Cell phone systems)

Switched off systems-

  • Secure the scene of crime and disable all the modems, network connections etc. Unplug the power and all other devices from sockets. Never switch on the computer, in any circumstances. Allow printers to finish printing, pending if any.
  • Confirm that the computer is switched off. As sometimes the screen may mislead, that should be done from the hard drive and monitor activity lights. Some laptops switch on, only by opening the lid. So, remove the battery if required.
  • Label and photograph (or video) all the components in-situ. Label the in & out port cables so as if required, the computer could be reconstructed in future.
  • Open the side casing of CPU/Laptop carefully and detach the hard disk from the mother board by disconnecting the data transfer cable and power cable.
  • Take out the Hard disk carefully and record the identifiers(like- make, model, serial number etc.). Take signature of the accused & witnesses with date & time on the Hard disk, by a permanent marker. All other items/documents should also be signed and pasted with exhibit labels.
  • Ask the user for the passwords, operating system, application package running on the suspected system, details of the other users and the off –site data storage, if any.
  • After the Hard disk is removed, switch on the system and go to BIOS. Note down the date and time shown in BIOS. Prepare detail notes of “when, where, what, why & who” and overall actions taken in connection with the computer system.
  • The suspected hard drive should be connected to the investigator computer only through a ‘write-block device’ for forensic preview/copy.

Switched on systems-

  • Secure the scene of crime and disconnect the modem and all other connection cables, if attached. Label and photograph (or video) all the components in-situ.
  • Carefully remove all the equipment attached and record their unique identifiers separately. All the items should have signed exhibit labels attached.
  • Ask the user for the passwords, operating system, application package running on the suspected system, details of the other users and the off-site data storage, if any.
  • Photograph the ‘live screen’ and also prepare a written note of the content. Do not touch the keyboard or click the mouse.
  • In case a screen saver is active or the screen is blank, given to the circumstances of the case, the E.O. shall decide whether he wants to restore and inspect the screen. If required, the screen could be restored with a gentle movement of the mouse. Then follow the procedure(c) above. Record every mouse activity with time.
  • If available, use live forensics tools to extract the information present in the RAM. Otherwise, remove the power cable (end attached to the computer) without closing down any program. Then follow (A) above.

Cellphone systems-

  • If the device is switched off, do not turn that ‘on’. If the device is live or switched on, let that remain so. Photograph the device and screen display. Label and collect all the cables and additional storage media available; and transport them with the device.
  • Keep the device charged; if not possible, then the forensic analysis must be completed before the battery gets discharged or the data may be lost. Record every activity with photograph (if possible) and time.
  • Faraday bags- The mobile handsets often get ‘PIN locked’ and keep communicating with the network which may tamper with the evidences. The Faraday Bags are envelops made of flexible metallic fabric or conductive mess, which block external electromagnetic fields. Whenever an external field or radio frequency interference comes into contact with the mess, it produces equal and opposite electrical charges distributed over the surface, which neutralizes the effect of the field inside the envelope. Thus, they are used for electromagnetic shielding.

             The mobile handsets and other sensitive radio equipment should be secured in Faraday bags. It potentially avoids the PIN locking and prevents the networks from communicating with the device (covert acquisition). At the same time, an examiner can also view the equipment in ‘Faraday’ condition, through the window in the bag.

Forensic Duplication of Digital Evidence? Read More: