This week we turn our attention to the techniques and tools used to collect, preserve, and analyze digital evidence. This class does not focus on the highly technical aspects of digital forensics (e.g., operating the tools and running the processes that collect, preserve, and analyze that evidence); it does stress, however, being prepared for the digital evidence process as it fits into the criminal justice system.
Of course, it is critical that computer forensic examiners understand processes such as capturing volatile data, recognizing and collecting digital evidence, and analyzing the evidence once it is collected. What I want you to focus on this week, however, is why and how the processes designed to identify, seize, collect, preserve, and analyze digital evidence relate to the criminal justice process.
You should understand the need to verify what a warrant will allow you to search for and seize in a criminal case. Remember that, if you exceed the scope of the warrant, you potentially compromise your case.
You should also be aware of what a company’s policy or an organization’s leadership will allow you to do in an investigation that is not a criminal case (e.g., an internal corporate investigation). In either case, you need to be able to testify about every step you took, from the moment you were first notified of the incident or called in to collect the digital evidence until the time you are called to testify about it. Digital evidence must not simply be collected (e.g., picked up and put in a bag); procedures must be in place to preserve it and to document who handled it, when, and what was done to it. This is especially necessary in a criminal case, so that the defense cannot raise reasonable doubt about the integrity or provenance of the evidence.
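As an added illustration (not part of the course text) of what "procedures to preserve the evidence" can look like in practice, the following Python script keeps a minimal chain-of-custody log for an acquired disk image. Each handling step is recorded with the actor, a timestamp, the action taken, and a SHA-256 hash of the image at that moment, so the record can later be read back step by step in testimony; a final verification shows that any alteration after acquisition is detected. The hash algorithm, the log fields, the exhibit and actor names, and the sample image contents are assumptions chosen for the example.

```python
"""Added example: a minimal chain-of-custody log with cryptographic hashing.

This is illustrative code, not a forensic tool. The log format, SHA-256 as the
integrity hash, and the sample data below are assumptions for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large images work."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of every action taken on one evidence item.

    Each entry carries who acted, when, what they did, and the item's hash at
    that moment, so the examiner can later testify to each step in order.
    """

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, actor, action, path, note=""):
        """Append one custody entry, hashing the item as part of the entry."""
        entry = {
            "item": self.item_id,
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "sha256": sha256_file(path),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, path):
        """Compare the item's current hash with the hash recorded at acquisition.

        Returns (ok, expected_hash, actual_hash).
        """
        expected = self.entries[0]["sha256"]
        actual = sha256_file(path)
        return actual == expected, expected, actual

    def to_json(self):
        """Serialize the log, e.g. to print or attach to a report."""
        return json.dumps(self.entries, indent=2)


def demo(tamper=False):
    """Acquire a constructed 'disk image', log custody events, then verify.

    With tamper=True one byte is altered after acquisition, showing that the
    recorded hash no longer matches. Returns (verification_ok, entry_count).
    """
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "laptop-001.dd")
        with open(image, "wb") as f:  # constructed sample image, not real data
            f.write(b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096)

        log = CustodyLog("EXH-001")  # hypothetical exhibit identifier
        log.record("Examiner A", "acquired", image, "imaged with write blocker")
        log.record("Examiner A", "sealed", image, "evidence bag #17")
        log.record("Evidence clerk", "stored", image, "locker 3")

        if tamper:
            with open(image, "r+b") as f:
                f.seek(4096)
                f.write(b"X")  # one byte changed after acquisition

        ok, _expected, _actual = log.verify(image)
        return ok, len(log.entries)


if __name__ == "__main__":
    print(demo())              # (True, 3)
    print(demo(tamper=True))   # (False, 3)
```

The point of the example is not the hashing itself but that every handling step is written down at the time it happens, with an integrity value that a third party can recompute; that is what lets the examiner answer "what did you do with it next?" without relying on memory.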
For this week’s discussion:
1. Describe at least 5 steps you would use in a process to collect digital evidence from the time you are asked to collect it to the time you testify about it in court. Explain why each of these steps is important.
2. Assume that you are testifying in court and counsel asks you the following questions:
- What was the first thing you did upon entering the room where the computer was located?
- After seizing the computer evidence, what did you do with it?
State your answers and explain them.