seawolfsanctuary


Bringing the Basics Together

September 19

In the previous few posts, I’ve touched on a number of resources that focus on the concepts of digital forensics. From the outside, digital forensics is often seen as a classy, high-tech operation that delivers reams of information at the quick touch of a few buttons. The reality, however, is slightly different. While an investigator can often find what they are looking for quickly, more data — that is, raw data — than ever before must be collected and processed. If you have something to hide within the gigabytes of data you undoubtedly possess, you are going to do anything you can to keep someone from seeing it when they look. Digital forensics remains the same careful and methodical process that traditional forensics always was and always will be.

The relationship to traditional forensics, that at the crime scene, is then a very close one:

  • both preserve artefacts found at a scene
  • both acquire any source of data, either using sealed evidence bags or careful digital techniques
  • both carefully examine the artefact: the physical one directly, or a copy of the digital one
  • both reconstruct events based upon the results

Pieces of evidence - or, in the list above, artefacts - are any data brought to court, whether written, photographed, or the digital equivalent thereof. The very definition of evidence means that it cannot be altered in any way; it must be 100% preserved throughout its lifetime, from acquisition to presentation. It is perhaps the acquisition process that is most crucial, as what is not gathered is left behind, perhaps forever.

Using one of the many formats available, an investigator can capture data sources for later examination. It is essential that adequate documentation accompanies both the capture and the data throughout its lifetime, so that authenticity can be ensured and, should anything go wrong, the source of the problem identified. The later examination will always be performed on a copy, or even a copy of the copy, so that mistakes are not fatal to the original.
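As an added illustration (not code from the original post), here is the acquisition-and-copy discipline described above in miniature: the captured image is hashed once at acquisition, the hash becomes part of the documentation record, and every working copy is verified against that record before anyone examines it. The image bytes, examiner names and record layout are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(source: bytes, examiner: str, description: str):
    """Bit-for-bit copy of the source plus the documentation record that
    travels with it: who acquired it, when, how big it is, and the reference hash."""
    image = bytes(source)
    record = {
        "description": description,
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(image),
        "sha256": sha256_hex(image),
        "custody": [],  # every later hand-over or copy is appended here
    }
    return image, record

def verify(data: bytes, record: dict) -> bool:
    """True only if the bytes still match the hash taken at acquisition."""
    return len(data) == record["size"] and sha256_hex(data) == record["sha256"]

def log_custody(record: dict, action: str, who: str, verified: bool) -> None:
    record["custody"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "who": who, "action": action, "verified": verified,
    })

def working_copy(image: bytes, record: dict, who: str) -> bytes:
    """The copy that is actually examined. It is checked against the record
    before use, so a corrupted copy is caught rather than analysed."""
    copy = bytes(image)
    ok = verify(copy, record)
    log_custody(record, "working copy made", who, ok)
    if not ok:
        raise ValueError("working copy does not match acquisition hash")
    return copy

# Constructed stand-in for a captured disk image (not real evidence).
SOURCE = b"\x00" * 512 + b"example evidence" + b"\xff" * 496

if __name__ == "__main__":
    image, record = acquire(SOURCE, "examiner A", "constructed 1 KiB image")
    copy = working_copy(image, record, "examiner B")
    print(verify(copy, record))                 # True: copy is intact
    print(verify(copy[:-1] + b"\x00", record))  # False: one altered byte is detected
```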


The first response to the incident is crucial to success. As with traditional forensics, those at the scene, as well as those involved later, should handle sources of evidence with extreme care. They should capture potential evidence using appropriate methods and ensure it remains in perfect condition throughout its lifetime.