In order for your digital evidence to be used in a court of law, you should take care in how you collect it from digital devices. Best practices for collection are designed to help you maintain the integrity of evidence. Individual agencies may have their own policies and procedures in place, but overall the general practices are likely to be similar.
The crime scene is your first stop in evidence collection, and arriving prepared can save you time. Proper forensic techniques not only speed up your investigations but also ensure you get the most out of your digital forensic software. Of course, being familiar with federal law also helps you understand what you can collect and how. The five tips below will give you the knowledge you need to collect digital evidence properly.
1. Maintain a well-documented chain of custody. The smallest errors in your chain of custody can invalidate the evidence. If your chain-of-custody documentation leaves room for the evidence to have been mishandled, you may not be allowed to use it in court, which can cause major damage to a case. The chain of custody verifies that evidence is authentic and was seized at the crime scene.
Every movement and location of the evidence must be recorded, from the moment of discovery and recovery through to analysis. Each investigator, or the person responsible for collecting evidence, must complete the labels on the sample containers/bags and the chain-of-custody forms so that the sample can be tracked.
2. Understand how to preserve evidence from different devices. Procedures for evidence collection vary between types of digital device. The steps you take to preserve data on a mobile device will differ from those for a computer or other data storage device. It's important to be aware of these differences to avoid losing any data. Some measures to take include turning mobile devices off or, if you are unable to turn them off, placing them in airplane mode with Wi-Fi disabled so they are isolated from the network. You should not turn on any device that you find powered off.
You can document activity on a computer by taking screenshots or recording the screen. These are just a few examples of steps you can take to preserve evidence; remember to also familiarize yourself with your agency's standard operating procedures.
3. Do not alter the original data collected. Working from copies of the original data ensures that you preserve any valuable metadata. Metadata includes information such as the author, file size, creation date, and keywords. Other valuable metadata may include how files were accessed, shutdowns or commands that were run, and whether copies were created. Applying a write block to the working copy allows you to view the data while ensuring that nothing can be altered or added.
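Tips 1 and 3 together call for one practical check: prove that a working copy is bit-identical to the original and record every handling step with a hash. The following is an added example, not ADF's code or part of the original post; it hashes an acquired file, writes chain-of-custody entries to a JSON-lines log, and later re-verifies the copy. The handler name and the sample evidence bytes are constructed placeholders.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_custody(log: Path, handler: str, action: str, item: Path, digest: str) -> None:
    """Append one chain-of-custody entry: who, what, which item, when, and its hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "item": item.name, "sha256": digest}
    with log.open("a") as f:
        f.write(json.dumps(entry) + "\n")

def make_working_copy(original: Path, copy: Path, log: Path, handler: str) -> str:
    """Hash the original, copy it, and refuse the copy unless its hash matches."""
    original_hash = sha256_of(original)
    log_custody(log, handler, "hash-original", original, original_hash)
    shutil.copyfile(original, copy)
    copy_hash = sha256_of(copy)
    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match original")
    log_custody(log, handler, "create-working-copy", copy, copy_hash)
    return original_hash

def verify_against_log(item: Path, log: Path) -> bool:
    """Recompute the item's hash and compare it with its latest logged value."""
    entries = [json.loads(line) for line in log.read_text().splitlines()]
    mine = [e for e in entries if e["item"] == item.name]
    return bool(mine) and sha256_of(item) == mine[-1]["sha256"]

def demo() -> tuple:
    """Constructed sample: a small file stands in for an acquired image."""
    work = Path(tempfile.mkdtemp())
    original, copy, log = work / "evidence.bin", work / "copy.bin", work / "custody.jsonl"
    original.write_bytes(b"constructed sample evidence\x00\x01\x02" * 100)
    make_working_copy(original, copy, log, handler="Investigator A (placeholder)")
    intact = verify_against_log(copy, log)
    copy.write_bytes(copy.read_bytes() + b"!")  # simulate an accidental alteration
    altered = verify_against_log(copy, log)
    return intact, altered  # (True, False)
```

A real deployment would keep the custody log on separate, access-controlled storage, since a log that travels with the working copy can be altered along with it.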
4. Select an extraction method. Your choice of extraction method may depend on the amount of time you have to retrieve the data or on what data you are trying to retrieve. Mobile devices support two extraction methods.
Logical extraction involves the extraction tool communicating with the device through the device's own software. Live data such as messages, call logs, contacts, social media passwords, photos and videos, and app data can be acquired. Although logical extraction is the quickest way to collect data, you cannot recover deleted files with it or use it on locked or password-protected devices.
Physical extraction involves making a bit-by-bit copy of the data contained on a device, including any files that were hidden or deleted. This method may take longer but yields both live data and deleted data.
5. Be equipped with the right digital forensic software tools. Time is of the essence in many cases, especially those involving victims of human trafficking or CSAM. Having software that speeds up data collection and minimizes the time spent sifting through massive amounts of data makes all the difference in an active case. Your choice of software can reduce the amount of time and resources needed.
Capabilities such as previewing and screenshotting give you a better idea of which devices to focus on or to submit to a lab for further analysis. Know the strengths and limitations of your software to get the most out of it when you arrive on the scene.
ADF's suite of digital forensics software tools helps you properly collect and analyze digital forensic evidence by logical extraction. With the need for speedy investigations in mind, ADF provides evidence-collection tools with search profiles that you can customize or use out of the box. A Search Profile is a combination of selected Artifact Captures and File Captures appropriate for the Search Profile's objective.
ADF makes collecting mobile and computer evidence easy with all-in-one forensic software tools. Our PRO Series allows frontline field investigators to quickly preview, capture, and collect evidence from iOS, Android, Mac, Linux, and Windows using your forensic machine or an ADF rugged field forensic tablet.
Learn more about ADF’s suite of digital forensic tools.