Digital & Computer Forensics
Computer, Mobile & Digital Forensics News


Ditigal Forensics, Arizona State Law, and You

Phoenix lawyers rely on forensics firms that offer litigation support services that know what they are doing. Here are some of the most basic rules of digital forensic investigations:
- The original evidence must not be altered in any way. This often means making a bitstream image of the evidence in question -- in other words, a bit-by-bit copy of the original medium that recreates the exact data on a different medium. That copy is then used for examination and searching, leaving the original in exactly the same state it was in when it was collected.
- Only a forensic analyst should have access to, or attempt to access, the data on any given digital medium. Not only does this preserve legal issues such as chain of custody, but it prevents 99% of potential data-nuking (e.g. altering metadata) screw ups that could cause the evidence to not be admitted in court.
- The analyst must have the proper legal authority before accessing the media. Along with all of the other legal obligations any investigator has, this is a crucial element of making sure that the information on the media will be allowed into evidence in court.
- Do not power off any device that is on. Particularly with personal computers, but some other devices as well, some information can be retrieved when a device is on that vanishes forever once it's turned off, including data on the RAM and in some parts of a computer's registry.
- Do not power on any device that is off. The electronic information can be altered and overwritten when this occurs.