Digital Forensic Process - Preservation / Collections

Digital Forensic Process – Preservation / Collections

Handling Digital Evidence

Handling of evidence is the most significant aspect in digital forensics. It is important that not a single thing be done that may modify digital proof. This is called Preservation: It is the process of segregation and defense of digital indication precisely as found without modification so that it can later be worked upon.


Collection is the process of getting-together the devices and replication of electronically stored information (ESI) for the task of saving digital evidence (exact replica of the initial copy) that stays without being touched while digital forensics is done.

Dead box forensic collection (imaging a device prior to its power being off so as to bring together digital signal) still stays as an integral part of the digital forensic method. It is rapidly growing more imperative with today’s technology to carry forward live box forensic collection or merely a live collection (the gathering of data from a dynamic device before turning it off). For instance, if the device is encoded, devoid of the passcode or encryption key, you may under no circumstances have another chance to obtain treasured evidence if that device turns off or locks due to dormancy.

Pertinent data will be perpetually lost because of the continuous utilisation of the device, such as when an employee goes from a company and their computer stays in use. When a new employee arrives six months later, it might be too late to apprehend that you should have saved their old computer. Conserving a former employee’s electronic devices, mainly C-level, may not be forensic best practices, but can definitely be measured business best practice

Critical Business Operations
Business servers used in a production environment will be providing critical employee functions or placing forth a service to its customers. Taking back one of these may lead to an expenditure to the millions in lost revenue and productivity to the corporation. In this scenario, the device cannot be powered down, and collection of relevant data must occur while the system is active. Nowadays, a majority of companies are shifting critical functions to the cloud or to a hybrid, a mixture of both (servers and the cloud).

A court instruction may command its defendants/plaintiffs to give data from a specific employee or employees and no others, not to indicate any fortunate communication or personal information that will have to be redacted.

Encrypted Data
Data at rest cannot be accessed on an encrypted device or within an encrypted partitions once it powers off or locks if the following is unknown:

  1. User names
  2. Passwords and passcodes
  3. Encryption keys

This becomes a problem for both personal devices like laptops and smartphones and also in small companies without a devoted IT team that achieves a master encryption key for company-owned devices. It is significant to note, that a majority of smartphones and laptops are encoded. Almost all smartphones have a privacy lock, and progressively complex passcodes and encoding schemes make it very tough to breech such schemes.

Inaccessible Devices
In case a device is inaccessible or physically impaired to an extent that it is not probable to get hold onto the ESI, you will then have to go in for some kind of professional assistance. It is advised that you must have the passcodes/passwords readily available as at times the window of opportunity to get allowance in a relentlessly damaged device is a short one-time opportunity.

Locations of Electronic Evidence
You might have to collect certain devices as digital evidences. Those may include Smartphones, tablets, desktops, hard drives etc. for digital evidence. Do not undermine the prominence of an electronic device. We have even examined voice recorders and automatic electronic defibrillators, Internet of things and automobiles are also a basis of ESI.

It may so happen at times that due to business requirements, it may not be possible to send devices to a forensic lab or it may be monetarily excessive to shut down a corporate system. In such a scenario of malware or network interruptions, important data might be lost if an electronic device is shut down. For the scenario to be dealt in a proper manner, you need a professional organization that specializes in retrieving lost or inaccessible data from failed storage devices such as hard drives, RAID, SSD, flash drives, micro drives, zip and jazz drives, various memory cards, DVD-RW, CD-R, and more.