Chapter 6. Acquiring and Authenticating E-Evidence
In This Chapter
Acquiring evidence the right way
Types of common media
Finding the right tool
Bitstream copying
Authentication and integrity
The foundation of a computer forensic investigation isn't the damaging e-mail you find that implicates a company CEO of embezzlement. Your investigation depends on how you forensically transfer the evidence from one location to another without contaminating it and then prove that you found the evidence the way you present it to the judge and jury. Without this foundation to work from, all subsequent work on a case can be called into question and potentially thrown out of court as possibly being tainted. This chapter explains how to prevent this situation. Although the concepts we describe are fairly simple, applying them often stymies even the best investigators.
The bottom line is that you're extracting and fingerprinting potential evidence in a way that is incontestable and easy for the average person to understand.
Acquiring E-Evidence Properly
Because the acquisition of data in a forensically sound manner is the cornerstone of a good computer forensic investigation, you should acquire evidence in the most professional manner possible. The primary obstacle to creating a sound forensic copy of potential evidence is the possibility of changing the data while you're attempting to duplicate it. Due to the large number of devices in circulation that hold data, the equipment you use to duplicate data varies ...
Get Computer Forensics For Dummies® now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
