Why do I need Digital Evidence?

The preservation of digital evidence is crucial in order to use it in court. The best way to do this is to take photographs if applicable and then document everything carefully. Establish a chain of custody by documenting who, when and where digital evidence was touched. Record hash values of files if possible to help show integrity (Stuart, 2006).

One issue is that the consent to search by the owner may include devices that are shared and therefore may not be legally binding. If a person gives consent or a search warrant is issued on a personal computer does that give consent for a shared NAS device owner by another person? This issue has been decided in court that yes, the peripherals are included in the search (Lonardo, White, Martland & Rea, 2011). However, as with all court rulings this may change due to other circumstances and be reversed in another ruling.

As part of the documentation to prove that the exact piece of evidence was not altered it is recommended that the forensics chain of custody logs include the hash values. This is accomplished with the use of a mathematical sum, such as MD5 or SHA-1, to create a unique 16-character hexadecimal hash value calculated against the contents or the file(s). This hash of the original can be compared to the hash of the file(s) presented in court to prove they have not been altered (Stuart, 2006).

References:

Lonardo, T., White, D., Martland, T. P., & Rea, A. (2011). Legal issues regarding digital forensic examiners third party consent to search. Journal of Digital Forensics, Security & Law, 6(4), 19-34. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=i3h&AN=73895917&site=eds-live&scope=site

Stuart, R. E. (2006). Digital evidence. In H. Bidgoli (Ed.), Handbook of information security (Vol. 2). New York, NY: John Wiley & Sons.