Evidence Handling and Storage


Time
1 hour 49 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
Now that you've
00:02
identified the evidence to be collected and you've actually preserved the evidence,
00:06
the question that comes up is, what do you do? How do you handle the evidence? How do you store the evidence? So, Lesson 2.3: we're gonna talk about evidence handling and storage.
00:20
in this video
00:21
we'll cover, no surprise,
00:23
proper evidence handling and storage.
00:27
There are several stages in which you need to be concerned about evidence handling and storage.
00:34
The first is when you transport from the scene to the lab.
00:38
The next is when you handle the evidence while in the lab.
00:42
And the third is when you're storing the evidence after creating the image, either in the lab or on site.
00:50
When you're transporting evidence, original evidence, from the scene to the lab, you wanna absolutely conduct
00:57
chain of custody documentation.
01:00
You want to know exactly who you got the evidence from, what the state of the evidence was when you got it: was it turned on? Was it damaged?
01:08
What is it that you actually collected while on site,
01:12
the time of day, the day of the week, and the date on which you did it, and you want to get signatures of the individuals who have provided the evidence so that you can
01:23
document the fact that
01:26
on a given day, at a given time, at a given location, you were given a piece of evidence. And that piece of evidence is a
01:37
laptop that contains a hard drive with a 256 gigabyte
01:44
data storage size.
01:46
And you want to document that it was a Lenovo model
01:51
27
01:53
that had the hard drive in it.
02:00
When you transport evidence from the scene to the lab, you wanna make sure you make as few stops as possible. You don't want that evidence to ever be out of your possession.
02:09
You don't ever want that evidence to be
02:14
in a position where it could be lost, damaged, corrupted. So you don't wanna put it on the seat of the car and let the car hit a bunch of potholes.
02:23
You don't want to
02:24
put the evidence into your checked luggage if you're
02:29
flying back to your lab with the evidence,
02:32
you don't want anything to happen that could damage or degrade the integrity of that evidence. And there goes that word integrity again.
02:42
When you're in the lab, there's an idea, there's a concept known as the golden image or best evidence rule,
02:49
and it says that a
02:50
forensic image, an exact bit-for-bit copy of data
02:53
that's been validated by MD5 hash,
02:57
is as good as having the original item.
03:00
And MD5 is just
03:02
one of the standards. SHA-256 and SHA-1 are also permissible
03:08
and acceptable MD5, or, I'm sorry, hash value formats.
03:16
But again, you want to create a perfect golden image, and then you wanna either store or return
03:24
the original evidence, and that's going to depend on the nature of the case.
03:29
Once you have that golden image, that's your best evidence. That's your
03:34
golden standard, the gold star that you want to hold on to, to make sure nothing happens. It's the one you're going to show that all of your analysis was done
03:46
on an exact
03:47
cryptographically confirmed
03:51
copy of the original evidence.
03:54
Now, with that golden image, however, you're going to want to make copies
04:00
because after you complete the imaging, you want to store your golden image away and never
04:06
work on the original image.
04:09
That needs to be an image that does not get touched, that does not get used, that gets stored properly in a fireproof
04:17
location, in a place that's not gonna be too hot, that's not gonna cause damage to the device or to the image.
04:28
How many copies you should make is gonna vary depending on a number of factors, including how many machines you've got to conduct the analysis on,
04:35
how many examiners there are gonna be looking at the evidence,
04:40
and
04:41
basic administrative procedures that your specific lab or your specific team may have. In some cases, they may say you need to have one copy for each examiner.
04:53
In some cases, they'll say only make one copy of the evidence and everybody works off that one copy.
04:59
So it's up to your standard operating procedures and your policies to determine how many copies should be made.
05:05
You may also be asked to make copies for
05:09
other investigators
05:11
or for
05:13
the defense or prosecution or plaintiff
05:16
in a matter, depending on whether it's a civil or criminal matter.
05:20
So again,
05:23
you should make as many copies as are necessary. But you should not make more copies of the data than is necessary.
05:32
In this video, we covered proper evidence handling and storage of evidence.
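The two practices this lesson describes, validating a working copy against the golden image by hash and recording who handed over what, where, when, and in what state, can be shown together in code. The following Python is an added example and is not material from this course or its instructor: it hashes a constructed stand-in for a drive image with the three formats the lesson names (MD5, SHA-1, SHA-256), checks a working copy against the recorded golden hashes, and appends a chain-of-custody entry. `SAMPLE_IMAGE`, `CustodyLog`, `CustodyEntry` and the field names are my own assumptions, not any lab's standard form.

```python
"""Golden-image hash validation and chain-of-custody record (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hash formats the lesson names as acceptable for validating an image.
HASH_ALGOS = ("md5", "sha1", "sha256")

# Constructed stand-in for a drive image; a real one would be read from disk.
SAMPLE_IMAGE = bytes(range(256)) * 4096  # 1 MiB of deterministic bytes


def hash_image(data: bytes, chunk_size: int = 64 * 1024) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 over the image in a single pass,
    chunked so a multi-gigabyte image never has to sit in memory at once."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(golden: Dict[str, str], copy_data: bytes) -> Dict[str, bool]:
    """Compare a working copy against the golden image's recorded hashes.
    A single mismatch means the copy is not bit-for-bit identical."""
    actual = hash_image(copy_data)
    return {name: actual[name] == golden[name] for name in HASH_ALGOS}


def copy_is_valid(golden: Dict[str, str], copy_data: bytes) -> bool:
    """True only if every recorded hash matches the working copy."""
    return all(verify_copy(golden, copy_data).values())


@dataclass
class CustodyEntry:
    """One hand-off of the original item, with the details the lesson says to record."""
    item: str                   # e.g. "Lenovo laptop with 256 GB hard drive"
    received_from: str          # who provided the evidence (they sign the paper form)
    received_by: str            # examiner taking possession
    location: str               # where the hand-off happened
    timestamp_utc: str          # date and time of the hand-off
    state_on_receipt: str       # powered on? damaged? seals intact?
    image_hashes: Dict[str, str]  # hashes of the golden image made from this item


class CustodyLog:
    """Append-only list of transfers; nothing here is ever edited in place."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record_transfer(self, item: str, received_from: str, received_by: str,
                        location: str, state: str, image_hashes: Dict[str, str],
                        when: Optional[datetime] = None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc)
        entry = CustodyEntry(
            item=item, received_from=received_from, received_by=received_by,
            location=location, timestamp_utc=when.isoformat(timespec="seconds"),
            state_on_receipt=state, image_hashes=dict(image_hashes),
        )
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        """Serialise the log for filing alongside the paper form."""
        return json.dumps([asdict(e) for e in self.entries], indent=2)


if __name__ == "__main__":
    golden = hash_image(SAMPLE_IMAGE)           # hashes recorded at imaging time
    log = CustodyLog()
    log.record_transfer(
        item="Lenovo laptop with 256 GB hard drive (constructed sample)",
        received_from="site contact (constructed)", received_by="examiner (constructed)",
        location="client office, constructed address", state="powered off, undamaged",
        image_hashes=golden,
    )
    # A working copy that is bit-for-bit identical validates on every algorithm.
    print("identical copy valid:", copy_is_valid(golden, bytes(SAMPLE_IMAGE)))
    # Flip one bit in a copy; every hash now disagrees with the golden record.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[12345] ^= 0x01
    print("one-bit-changed copy:", verify_copy(golden, bytes(tampered)))
    print(log.to_json())
```

The hashes are computed in one pass and stored with the custody entry at imaging time; each later working copy is checked against that record rather than against another copy, so the golden image itself is never the thing being handled.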
This course discusses the role of the expert witness, the process an expert should follow from collection of digital data to reporting, the act of testifying in court, the rules that govern experts and the do’s and don’ts of good testimony.