The preservation of digital evidence begins at the crime scene. It is imperative for all parties involved, including forensic investigators, to take active measures in the preservation and collection of digital evidence. Not only are computer data and digital evidence fragile, but forensic investigators must also consider the law when seizing and accessing electronic devices and the evidence stored on them.
Federal laws such as the Electronic Communications Privacy Act of 1986 and the Privacy Protection Act of 1980 should be considered before action is taken. These laws protect individuals from unauthorized interception of electronic communications and prohibit law enforcement officials from searching for or seizing information from people who disseminate information to the public, such as reporters. Awareness of these laws and proper training in digital evidence collection allow forensic investigators to obtain information admissible in a court of law.
How to Preserve and Collect Digital Evidence at the Scene
When collecting digital evidence, investigators should maintain a proper and well-documented chain of custody to ensure any evidence collected does not lose its integrity. Each device should be handled in a manner that depends on how data is stored on it.
If mobile devices must be submitted to a lab, they should be turned off in order to preserve the cell tower location. This step not only prevents the phone from being used but also prevents remote destruction commands. The device should be put in a Faraday bag to prevent network interaction from potentially altering data on the device.
Devices that cannot be turned off can instead be placed in airplane mode or have any Wi-Fi or Bluetooth capabilities disabled [1]. If it is necessary to keep the device powered on, connect it to an external power source such as a portable battery pack. Devices that are found turned off should be left off, and their model number, carrier, and unique identifiers should be documented.
Forensic investigators who encounter computers at a scene should prevent any alteration of evidence during collection. They should first document any activity on the computer, components, or devices by screenshotting and recording any information on the screen [1]. If any destructive software is running on the computer, the power must be immediately disconnected to preserve the evidence.
Investigators who have been appropriately trained can also collect digital evidence at the scene by using tools that help them identify which electronic devices contain evidence related to their case. The ability to preview digital evidence at the scene can save investigators time and resources. Investigators must make duplicate copies of the content contained on devices to maintain the integrity of the primary source of evidence [2]. The data obtained should not be altered or modified.
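One way to show that a duplicate matches its source and to record who handled it is sketched below in Python. This is an added example, not ADF's software or code from the original article. The use of SHA-256, the hash-chained custody log, and all file names, examiner names and timestamps are assumptions constructed for illustration.

```python
import hashlib, json, os, tempfile
CHUNK = 1 << 20  # 1 MiB blocks, so a large image never has to fit in memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def duplicate(src, dst):
    """Copy src to dst, hashing the bytes as read. The source is opened read-only."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "xb") as fout:  # "x" refuses to overwrite
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()

def _seal(rec):
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

def add_entry(log, who, action, item, digest, when):
    prev = log[-1]["entry_hash"] if log else "0" * 64  # chain to the previous record
    rec = {"who": who, "action": action, "item": item, "sha256": digest, "when": when, "prev": prev}
    log.append({**rec, "entry_hash": _seal(rec)})

def log_intact(log):
    """Recompute every link; an edited or removed record breaks the chain."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if rec["prev"] != prev or rec["entry_hash"] != _seal(body):
            return False
        prev = rec["entry_hash"]
    return True

def demo():
    d = tempfile.mkdtemp()  # constructed sample: a small file stands in for seized media
    src, img = os.path.join(d, "source.bin"), os.path.join(d, "copy.img")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    log, acquired = [], duplicate(src, img)
    add_entry(log, "Examiner A", "acquired", "copy.img", acquired, "2024-01-01T10:00:00Z")
    matches = sha256_file(img) == acquired == sha256_file(src)
    add_entry(log, "Examiner A", "verified", "copy.img", acquired, "2024-01-01T10:05:00Z")
    with open(img, "ab") as f:  # simulate a later alteration of the working copy
        f.write(b"x")
    return matches, sha256_file(img) == acquired, log
```

The chained log only makes edits detectable. Whoever holds the file can still rebuild the whole chain, so the latest entry hash should also be recorded somewhere the handler cannot change.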
ADF’s digital forensic software aids investigators in preserving digital evidence during data collection. With ADF’s newly released features in Mobile Device Investigator and ADF's PRO suite of tools, investigators can document the evidence that is in front of them, here and now, that has the potential to walk and never be seen again. Screen recording, mirroring, screenshots, and screenshots of apps with security policies allow frontline personnel and investigators the opportunity to easily collect data, on scene, now.