Evidence Handling and Storage
Now that you've identified the evidence to be collected and you've actually preserved the evidence, the question that comes up is: what do you do? How do you handle the evidence? How do you store the evidence? So, Lesson 2.3. We're gonna talk about evidence handling and storage.

In this video we'll cover, no surprise, proper evidence handling and storage.
There are several stages in which you need to be concerned about evidence handling and storage.
The first is when you transport from the scene to the lab.
The next is when you handle the evidence while in the lab.
And the third is when you're storing the evidence after creating the image, either in the lab or on site.

When you're transporting evidence, original evidence, from the scene to the lab, you absolutely want to conduct chain of custody documentation. You want to know exactly who you got the evidence from and what the state of the evidence was when you got it: was it turned on? Was it damaged? What is it that you actually collected while on site, the time of day, the day of the week and the date on which you did it. And you want to get signatures of the individuals who provided the evidence so that you can document the fact that on a given day, at a given time, at a given location, you were given a piece of evidence. And that piece of evidence is a laptop that contains a hard drive with 256 gigabytes of data storage. And you want to document that it was a Lenovo model and that it had that hard drive in it.
When you transport evidence from the scene to the lab, you wanna make sure you make as few stops as possible. You don't want that evidence to ever be out of your possession. You don't ever want that evidence to be in a position where it could be lost, damaged or corrupted. So you don't wanna put it on the seat of the car and let the car hit a bunch of potholes. You don't want to put the evidence into your checked luggage if you're flying back to your lab with the evidence. You don't want anything to happen that could damage or degrade the integrity of that evidence. And there goes that word integrity again.
When you're in the lab, there's an idea, a concept known as the Golden Image or Best Evidence Rule, and it says that a forensic image, an exact bit-for-bit copy of the data that's been validated by an MD5 hash, is as good as having the original item. And MD5 is just one of the standards; SHA-256 and SHA-1 are also permissible and acceptable hash value formats. But again, you want to create a perfect golden image and then you wanna either store or return the original evidence, and that's going to depend on the nature of the case.

Once you have that golden image, that's your best evidence. That's your gold standard, the gold star that you want to hold on to, to make sure nothing happens to it. It's the one that you're going to show that all of your analysis was done on an exact, cryptographically confirmed copy of the original evidence.
Now, with that golden image, however, you're going to want to make copies, because after you complete the imaging, you want to store your golden image away and never work on the original image. That needs to be an image that does not get touched, that does not get used, that gets stored properly in a fireproof location, in a place that's not gonna be too hot, that's not gonna cause damage to the device or to the image.

How many copies you should make is gonna vary depending on a number of factors, including how many machines you've got to conduct the analysis on, how many examiners are gonna be looking at the evidence, and the basic administrative procedures that your specific lab or your specific team may have. In some cases, they may say you need to have one copy for each examiner. In some cases, they'll say only make one copy of the evidence and everybody works off that one copy. So it's up to your standard operating procedures and your policies to determine how many copies should be made. You may also be asked to make copies for the defense or prosecution or plaintiff in a matter, depending on whether it's a civil or criminal matter. You should make as many copies as are necessary, but you should not make more copies of the data than is necessary.
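As an added example, not part of this lecture, here is a small Python script that does what the golden image discussion and the chain of custody discussion above describe: it hashes an image with MD5, SHA-1 and SHA-256 in one pass, checks that a working copy matches the golden image digest for digest, and builds a custody entry with the fields the lecture lists (who, what, condition, where, when, signatures). The image bytes, device description and custodian names are constructed stand-ins.

```python
import hashlib
from datetime import datetime, timezone

# Digests the lecture names as acceptable for validating a golden image.
ALGORITHMS = ("md5", "sha1", "sha256")


def image_hashes(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Hash the whole image once, feeding every digest from the same chunk stream."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        chunk = view[start:start + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(golden_hashes: dict, copy_data: bytes) -> bool:
    """A working copy counts as best evidence only if every digest matches the golden image."""
    return image_hashes(copy_data) == golden_hashes


def custody_record(item, received_from, state, location, golden_hashes, received_at=None):
    """Chain-of-custody entry: who, what, condition, where, when, plus the validating hashes."""
    when = received_at or datetime.now(timezone.utc)
    return {
        "item": item,
        "received_from": received_from,
        "state_on_receipt": state,
        "location": location,
        "received_at": when.isoformat(),
        "hashes": dict(golden_hashes),
        "signatures": [],  # examiner and the person handing over the item sign here
    }


# Constructed stand-ins: a 1 KiB "image" and a copy with a single bit flipped.
GOLDEN_IMAGE = bytes(range(256)) * 4
GOLDEN_HASHES = image_hashes(GOLDEN_IMAGE)
_tampered = bytearray(GOLDEN_IMAGE)
_tampered[100] ^= 0x01
TAMPERED_COPY = bytes(_tampered)

if __name__ == "__main__":
    record = custody_record("Lenovo laptop, 256 GB hard drive (constructed)",
                            "site custodian (constructed)", "powered off, undamaged",
                            "client site, room 101 (constructed)", GOLDEN_HASHES)
    print("faithful copy verifies:", verify_copy(GOLDEN_HASHES, bytes(GOLDEN_IMAGE)))
    print("one-bit change verifies:", verify_copy(GOLDEN_HASHES, TAMPERED_COPY))
    print("custody record:", record)
```

Computing all three digests in one read lets a lab whose procedures still call for MD5 record SHA-256 alongside it at no extra I/O cost, and SHA-256 is the one to rely on, since collisions for MD5 and SHA-1 are practical today.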
In this video, we covered proper evidence handling and storage.