Chapter 6. Acquiring and Authenticating E-Evidence

In This Chapter

  • Acquiring evidence the right way

  • Types of common media

  • Finding the right tool

  • Bitstream copying

  • Authentication and integrity

The foundation of a computer forensic investigation isn't the damaging e-mail you find that implicates a company CEO of embezzlement. Your investigation depends on how you forensically transfer the evidence from one location to another without contaminating it and then prove that you found the evidence the way you present it to the judge and jury. Without this foundation to work from, all subsequent work on a case can be called into question and potentially thrown out of court as possibly being tainted. This chapter explains how to prevent this situation. Although the concepts we describe are fairly simple, applying them often stymies even the best investigators.

The bottom line is that you're extracting and fingerprinting potential evidence in a way that is incontestable and easy for the average person to understand.

Acquiring E-Evidence Properly

Because the acquisition of data in a forensically sound manner is the cornerstone of a good computer forensic investigation, you should acquire evidence in the most professional manner possible. The primary obstacle to creating a sound forensic copy of potential evidence is the possibility of changing the data while you're attempting to duplicate it. Due to the large number of devices in circulation that hold data, the equipment you use to duplicate data varies ...

Get Computer Forensics For Dummies® now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.