A Stitch In Time: Prevent Data Loss Before It Ruins You
Click Here > https://urlin.us/2t7tD6
Unless live acquisition is performed, evidence is extracted from the seized digital devices at the forensic laboratory (i.e., static acquisition). At the forensics laboratory, digital evidence should be acquired in a manner that preserves the integrity of the evidence (i.e., ensuring that the data is unaltered); that is, in a forensically sound manner (see Cybercrime Module 4 on Introduction to Digital Forensics). To achieve this, the tools and techniques used to acquire digital evidence must prevent alterations to the data or when this is not possible, at the very least minimize them ( SWGDE Best Practices for Computer Forensic Acquisitions , 2018). The tools and techniques used should be valid and reliable (NIST, n.d.; SWGDE Recommended Guidelines for Validation Testing , 2014; US National Institute of Justice, 2007b). The limitations of these tools and techniques should be identified and considered before their use (SWGDE Best Practices for Computer Forensic Acquisitions, 2018). The US National Institute of Standards and Technology has a searchable digital forensics tools database with tools with various functionalities (e.g., cloud forensics tools, among others) (for more information on digital forensics tools, see Cybercrime Module 4 on Introduction to Digital Forensics).
The seized digital devices are considered as the primary source of evidence. The digital forensics analyst does not acquire data from the primary source. Instead, a duplicate is made of the contents of that device and the analyst works on the copy. This duplicate copy of the content of the digital device ( imaging) is created before a static acquisition is conducted to maintain the integrity of digital evidence (see Cybercrime Module 4 on Introduction to Digital Forensics). To verify whether the duplicate is an exact copy of the original, a cryptographic hash value is calculated for the original and duplicate using mathematical computations; if they match, the copy's contents are a mirror image (i.e., duplicate) of the original content (Cybercrime Module 4 on Introduction to Digital Forensics). A write blocker, which is designed to prevent the alteration of data during the copying process (Cybercrime Module 4 on Introduction to Digital Forensics), should be used before extraction whenever possible in order to prevent the modification of data during the copying process ( SWGDE Best Practices for Computer Forensic Acquisitions , 2018). It is important to note that the acquisition process described above applies mainly to computers. When acquiring data from mobile phones and similar devices, where the memory storage cannot be physically separated from the device to make an image, a different procedure is followed (see, for example, SWGDE Best Practices for Mobile Device Evidence Preservation and Acquisition, 2018; SWGDE Best Practices for Mobile Phone Forensics, 2013). 2b1af7f3a8