Intro to Digital Forensics [Part 3 - The course of the Evidence]

From the actual incident / crime to the probative presentation, digital evidence is subject to various phases, as defined in the context of digital forensics.

To summarize:

Course 1: the digital evidence is directly identified (by the system it’s stored in, for example)

Course 2: the evidence is not directly accessible (a major situation, which we’ll cover later) and as such requires authorization to be handled. After said authorization, we proceed to the triage of the evidence and subsequent identification.

Course 3: the location of the evidence is unknown and there’s no authorization to handle the evidence. In this case, we proceed directly to its preservation.

These first 3 courses occur in the first response phase to the incident (the first people on-site to review the crime scene and collect the evidence). After any of these courses, we proceed to the acquisition and validation phases. Contrary to the first 3 courses, stage 4 doesn’t occur on-site. Instead, it is done in a laboratory, where the data recovery and analysis process begins.

Below you can see a flowchart that I recreated from a book I’ve been reading. It generically identifies the various courses evidence can take:

As you can see, there are a few steps that a first response team must follow. As we previously covered, the first response team must take extreme care when dealing with this evidence, to ensure its preservation and integrity. There are many manuals and books that cover good practices and procedures, namely the international standards ISO/IEC 27032 and 27037, which deal directly with cybersecurity and digital evidence.

Some courts are quite skeptical of digital evidence due to uncertainties about chain of custody, validity and integrity of the information obtained from devices. Overcoming these challenges requires rigorous documentation of data such as when the evidence was collected, where it was collected from, who owned the device, who had access to it and how the evidence was collected. Finally, chain of custody involves documenting how the evidence was stored, who has handled the evidence, and who had access.

As such, one of the most (if not the most) important steps is the documentation of the whole process. I can’t stress this enough. Every single aspect of the investigation must be properly identified and justified. From the arrival at the crime scene, to the identification, acquisition, recovery, transport, etc… You get the idea. Again, these steps must not only be identified and registered but also justified. An expert must explain and justify why he did what he did. Doing this allows other experts or entities to verify and achieve the same results, thus adding credibility and integrity to the case.

Now, we’ll cover with more detail the processes of Identification, Preservation, Acquisition and Transport/Packaging/Storage.

// Identification and Origin of Digital Evidence

It’s extremely important to note that, before collecting evidence at a crime scene (and before the actual process of seizure and identification begins), first responders should ensure that [1]:

  • Legal authority exists to seize evidence.

  • The scene has been secured and documented.

  • Appropriate personal protective equipment is used.

First responders without the proper training and skills should not attempt to explore the contents of or to recover information from a computer or other electronic device other than to record what is visible on the display screen. They shouldn’t press any keys or click the mouse.

The identification consists of locating both the physical and logical sources of the data that may be the evidence. There are many, many devices and systems where data may be stored:

  • Local or Remote devices, accessible through the local network or through the Internet;

  • Dedicated storage systems, such as those in data centers;

  • Computer Systems;

There are 3 main types of data available in these devices:

  • Simple and human-readable (e.g. photos, documents, videos);

  • Complex or structured (e.g. OS files);

  • Raw data;

The following images represent various types of digital storage media, where we might find some evidence (images obtained from [1]):

  • (External) Hard Drives, Removable Media, Thumb Drives and Memory Cards


Potential Evidence: may contain information such as e-mail messages, Internet browsing history, Internet chat logs and contacts, photographs, image files, databases, financial records, and event logs that can be valuable evidence in an investigation or prosecution.

  • Handheld Devices

Potential Evidence: handheld devices such as mobile phones, smart phones, PDAs, digital multimedia (audio and video) devices, pagers, digital cameras, and global positioning system (GPS) receivers may contain software applications, data, and information such as documents, e-mail messages, Internet browsing history, Internet chat logs and buddy lists, photographs, image files, databases, and financial records that are valuable evidence in an investigation or prosecution.

  • Peripheral Devices


Potential Evidence: the devices themselves and the functions they perform or facilitate are all potential evidence. Information stored on the device regarding its use also is evidence, such as incoming and outgoing phone and fax numbers; recently scanned, faxed, or printed documents; and information about the purpose for or use of the device. In addition, these devices can be sources of fingerprints, DNA, and other identifiers.

  • Network Devices


Potential Evidence: may include software, documents, photos, image files, e-mail messages and attachments, databases, financial information, Internet browsing history, log files, event and chat logs, buddy lists, and data stored on external devices. The device functions, capabilities, and any identifying information associated with the computer system; components and connections, including Internet protocol (IP) and local area network (LAN) addresses associated with the computers and devices; broadcast settings; and media access control (MAC) or network interface card (NIC) addresses may all be useful as evidence.

  • Other Potential Sources of Digital Evidence


Potential Evidence: The device or item itself, its intended or actual use, its functions or capabilities, and any settings or other information it may contain is potential evidence.

// Preservation of the Digital Evidence

When a first responder arrives on scene, he must perform a series of actions to preserve the original state of the evidence, allowing a complete and verifiable collection of the evidence.

After securing the scene and all persons at the scene, the first responder should visually identify all potential evidence and ensure that the integrity of both the digital and traditional evidence is preserved. First responders should document, photograph, and secure digital evidence as soon as possible at the scene. When securing and evaluating the scene, the first responder should [1]:

  • Follow departmental / jurisdictional policy for securing crime scenes.

  • Immediately secure all electronic devices, including personal or portable devices.

  • Ensure that no unauthorized person has access to any electronic devices at the crime scene.

  • Refuse offers of help or technical assistance from any unauthorized persons.

  • Remove all persons from the crime scene or the immediate area from which evidence is to be collected.

  • Ensure that the condition of any electronic device is not altered.

  • Leave a computer or electronic device off if it is already turned off

If the jurisdiction of the first responders allows, they should perform some preliminary interviews and obtain the most information possible from all suspects on scene, if any. Some critical information a first responder should look for while interviewing:

  • Names of all users of the computers and devices and respective user accounts/login information;

  • All computer and Internet user information.

  • Purpose and uses of each computer and device on scene.

  • All passwords.

  • Type of Internet access.

  • Any offsite storage.

  • Internet service provider.

  • All (web) e-mail/social networks/ accounts.

  • Security provisions in use.

  • Data access restrictions in place.

  • All instant message screen names.

The information with probative value may be in four different states:

  • Stored: persistently stored in a digital storage media, such as a hard drive;

  • In transmission: it’s being sent over a communications network to a receiving device;

  • In reception: it’s being received by a device, but it’s not yet available to a user;

  • In creation: it’s being locally produced and is only partially available to a user.

So the actions taken should be planned and organized in advance, taking into account these possible states and other factors (just like hacking, proper “recon and footprinting” is important before a digital forensic op).

// Acquisition and Validation of data

The first responder must have proper authority to search for and collect evidence at any electronic crime scene. The first responder must be able to identify and verify the authority under which he or she may seize evidence and should follow his organization’s guidelines, consult a superior, or contact a prosecutor if a question of appropriate authority arises. [1]

The acquisition of data can be done on-site or it can be postponed and performed in a lab environment. The choice to do either depends on several factors:

  • Personnel on-site: sometimes, the personnel on site may not be equipped or have sufficient knowledge to correctly perform the acquisition;

  • Time: some Ops may be time sensitive or on a tight schedule, so it’s beneficial to perform the acquisition on-site, to speed up the process;

  • Type of data: some information may be more sensitive and therefore should be handled with more care or in a more controlled environment;

  • State of data: as previously mentioned, data can be found in 4 main states: stored, in transmission, in reception and in creation. When an expert encounters data in one of the last two states, it’s wise to postpone the acquisition, allowing experts to obtain the full data instead of partial information.

When performing the acquisition, an expert must take into account all the types of devices listed in the Identification phase. It is also of the utmost importance for an expert to have a dedicated “forensic station”, that is, one or more dedicated computers specifically designed (both in hardware and software) to handle all the nuances of a forensic op.

Below is a list of some hardware, software and other equipment an expert is expected to use:

  • Write Blockers - devices that allow acquisition of information on a drive (read commands) while intercepting and blocking write commands, thus blocking any modification to the disk [5]. They can be either hardware based (see below) or software based (software write blockers are installed on a forensic computer workstation). There are two types of hardware write blockers, Native and Tailgate. A Native device uses the same interface for both in and out, for example an IDE to IDE write block. A Tailgate device uses one interface for one side and a different one for the other, for example a SCSI to IDE write block. [4]

Portable Hardware Write Blocker (HWB)

  • Various imaging software - applications that perform a low level copy of the contents of a target drive to an external storage device (e.g. EnCase, FTK Imager, Tableau Imager). Most of these applications emit/produce a certification or digital summary of the whole process (typically the hash values of the source and of the resulting image).

  • A bootable disk/USB drive - should contain a bootable image of an autonomous, certified OS that blocks write commands (some Open Source forensic OSes include: CAINE, Helix, SANS SIFT, Sumuri Paladin)

  • A USB drive - should contain various forensic portable apps, that allow selective data recovery that avoid leaving traces in the target machine.

  • Portable forensic station - usually a high-end, high-performance laptop. Oftentimes these laptops are custom built or purchased from companies that specialize in building and configuring such machines (see Digital Intelligence for examples).

  • External RAID system - allows high storage capacity and should support various connection interfaces (USB, IDE, eSATA, Firewire, etc)

If you want to see detailed instructions on how to proceed with the acquisition and collection of data, as well as a methodical flowchart, see Electronic Crime Scene Investigation: A Guide for First Responders, pages 33 to 41.
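As an added example (not code from the article or from [1]), the following Python sketch ties the acquisition-and-validation step to the chain-of-custody documentation stressed earlier: the image is hashed while it is copied, re-verified independently, and every handling event is recorded in a hash-chained log so that a later alteration or deletion of an entry is detectable. The sample device contents, case id and handler names are constructed.

```python
# Added example, not code from the article or its sources: image a constructed "device"
# while hashing, verify the image independently, and keep a tamper-evident custody log.
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for a drive being read through a write blocker (hypothetical data).
SAMPLE_DEVICE = b"\x00" * 4096 + b"Invoice_2017.pdf" + b"\xff" * 4096

def acquire_image(source, chunk_size=1024):
    """Copy source (bytes or file-like) to an image, hashing as it is read once."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    digest, image = hashlib.sha256(), io.BytesIO()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        digest.update(chunk)
        image.write(chunk)
    return image.getvalue(), digest.hexdigest()  # (image bytes, sha256 hex)

def verify_image(image_bytes, expected_sha256):
    """Re-hash the finished image; a mismatch means the copy must be reacquired."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only chain of custody: each entry carries the previous entry's hash."""
    def __init__(self, case_id):
        self.case_id, self.entries = case_id, []
    def record(self, handler, action, location, details=None):
        # Who did what, where and when; sealed with a hash linking to the prior entry.
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"case_id": self.case_id, "prev_hash": prev, "handler": handler,
                 "action": action, "location": location, "details": details or {},
                 "timestamp": datetime.now(timezone.utc).isoformat()}
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry
    def verify(self):
        # Recompute every hash along the chain; False if any entry was altered or removed.
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

A real acquisition would hash the physical device and the image file on disk with the same routine, and the examiner would record both values in the custody log entry for the imaging step.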

// Transport, Packaging and Storage

Like all the previous phases, this one must also respect a few rules and good practices. Like any electronic device, digital evidence (and the digital media it is stored in) is quite fragile and sensitive to high temperatures, humidity, physical shock, static electricity and magnetic fields. [1]

Packaging Procedures

First of all, all devices that constitute the digital evidence must be properly documented, labeled and inventoried before being packaged. An important observation is that these devices may contain more traditional types of evidence, such as fingerprints, for example. Forensic imaging should be done before any kind of procedure is done on these types of evidence [1].

When packaging the devices, one must only use antistatic packaging. This means only cardboard boxes, paper bags and antistatic containers should be used. All plastic containers should be avoided since plastic materials have a tendency to produce static electricity and allow condensation to take place, potentially damaging the device [1].

If an expert is dealing with mobile devices, these should be packaged in a signal-blocking material, such as Faraday isolation bags or a radio frequency shielding/blocking material (even wrapping them in aluminum foil), to prevent the phones from receiving a call, text message, or other communications signal that may alter the evidence. [1]

Transporting Procedures

Regarding transportation, the devices should not be stacked, strapped or packaged in any manner that may cause deformation.

During transport, the devices should be kept clear of any (electro)magnetic sources, such as radio transmitters, subwoofers and speakers, for example. In fact, a team of researchers recently published a study on an acoustic attack on hard drives, which proved to be an effective DoS attack:

Adversaries without special purpose equipment can cause errors in the hard disk drive using either audible or ultrasonic acoustic waves. Audible waves vibrate the read/write head and platters; ultrasonic waves alter the output of the HDD’s shock sensor, intentionally causing the head to park. [6]

When being transported by a vehicle, the evidence should also be clear of any sources of heat and humidity, like a heating system, and avoid being directly exposed to sunlight.

Storage Procedures

The devices should be properly stored and inventoried according to the organization’s policies and standards. The storage environment must be climate-controlled (regarding temperature, humidity, dust, magnetic fields, etc). Another important aspect is that this storage area must be properly secured. There should be strict Access Control Policies in place and the area should have safety measures regarding catastrophes and other hazards, such as a fire or a flood.

This brings us to the end of this article. I know this was quite a bit longer than the previous two; however, it is much more in depth and, I believe, more interesting. So kudos if you made it to the end.

Next up, we’ll cover “Data Recovery and Analysis”, which might just be longer than the current article. As always, any suggestions or feedback are welcome.


[1] Electronic Crime Scene Investigation: A Guide for First Responders, 2nd Edition (April 2008, NCJ 219941)
[3] Antunes, Mário, and Baltazar Rodrigues. Introdução à Cibersegurança. FCA, 2018.
[5] Hardware Write Blocker Device (HWB) Specification, Version 2.0 (May 19 2004, NIST)
[6] Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems

(Cdimit) #2

Excellent work!

I am waiting for the next one.