Preservation of Evidence
Electronically stored data can easily be destroyed or lost if the electronic device in question is not preserved properly.
Prior to examining the data on an electronic device, the device should be forensically imaged. Imaging is the process of duplicating the exact data, bit by bit, from the original source onto a forensically clean target hard drive, creating an image or snapshot of the source drive.
As soon as the imaging is completed, verification of the data is performed and documented to ensure the image is absolutely accurate and identical to the original. Computer forensic examiners will then utilize the data on the image, ensuring that the original data is not altered or corrupted in any way.
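One way to perform and document the verification step described above, as an added example that is not part of the original page. It assumes verification is done by comparing SHA-256 digests of the source and the image (the page does not name a method); the function names, record fields and examiner name are hypothetical, and the sample data is constructed.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory

def digest(path, algorithm="sha256"):
    """Return (hex digest, byte count) for a file or raw device node."""
    h = hashlib.new(algorithm)
    size = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            h.update(block)
            size += len(block)
    return h.hexdigest(), size

def verify_image(source, image, examiner, algorithm="sha256"):
    """Compare source and image; return a record suitable for the case file."""
    src_hash, src_size = digest(source, algorithm)
    img_hash, img_size = digest(image, algorithm)
    return {
        "verified_at_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "algorithm": algorithm,
        "source": {"path": source, "bytes": src_size, "digest": src_hash},
        "image": {"path": image, "bytes": img_size, "digest": img_hash},
        "match": src_size == img_size and src_hash == img_hash,
    }

def demo():
    """Constructed sample: a stand-in source, an exact copy, and a copy with one changed bit."""
    with tempfile.TemporaryDirectory() as d:
        src, good, bad = (os.path.join(d, n) for n in ("source.dd", "image.dd", "bad.dd"))
        data = os.urandom(3 * CHUNK + 17)   # deliberately not a multiple of CHUNK
        altered = bytearray(data)
        altered[CHUNK] ^= 0x01              # flip a single bit in the copy
        for path, content in ((src, data), (good, data), (bad, bytes(altered))):
            with open(path, "wb") as f:
                f.write(content)
        # "J. Doe" is a placeholder examiner name
        return verify_image(src, good, "J. Doe"), verify_image(src, bad, "J. Doe")

if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The second record shows that a single changed bit in an image of identical size still produces a mismatch, which is why the comparison is recorded rather than assumed.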
Every time an electronic device is turned on or used, data is destroyed or modified; therefore, whenever possible, the original electronic device, whether it is a computer, cell phone, or digital recorder, should not be used until the investigation and/or legal proceeding is over. Sometimes this is not practical; for example, when the electronic device in question is a company’s e-mail server, removing the device and placing it into storage would have a major impact on business operations.
Electronic evidence and any other available evidence associated with the investigation should be secured in a safe and cool location. A log documenting when the evidence has been removed from and returned to the secure location should also be maintained.
All forensic images should be archived and every additional image created should be documented.