Discussion Forum: Data & Evidences

how you can preserve data contained in a RAM and documentation tools used for preserving electronic evidences

by Ibrahim Uthman - Sunday, 8 November 2020, 8:12 AM

The most effective methods to ensure legal admissibility while preparing to engage a forensic analyst include the following:

· Drive Imaging
· Hash Values
· Chain of Custody

1. Drive Imaging

Before investigators can begin analyzing evidence from a source, they need to image it first. Imaging a drive is a forensic process in which an analyst creates a bit-for-bit duplicate of a drive. This forensic image of all digital media helps retain evidence for the investigation. When analyzing the image, investigators should keep in mind that even wiped drives can retain important recoverable data to identify and catalogue. In the best cases, they can recover all deleted files using forensic techniques.

As a rule, investigators should exclusively operate on the duplicate image and never perform forensic analysis on the original media. In fact, once a system has been compromised, it is important to do as little as possible – and ideally nothing – to the system itself other than isolating it to prevent connections into or out of the system and capturing the contents of live memory (RAM), if needed. Limiting actions on the original computer is important, especially if evidence needs to be taken to court, because forensic investigators must be able to demonstrate that they have not altered the evidence whatsoever by presenting cryptographic hash values, digital time stamps, legal procedures followed, etc. A piece of hardware that helps facilitate the legal defensibility of a forensic image is a “write blocker”, which investigators should use to create the image for analysis whenever one is available.

2. Hash Values

When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5, SHA-1). The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media.

Hash values are critical, especially when admitting evidence into court, because altering even the smallest bit of data will generate a completely new hash value. When you create a new file or edit an existing file on your computer, it generates a new hash value for that file. This hash value and other file metadata are not visible in a normal file explorer window, but analysts can access them using special software. If the hash values do not match the expected values, it may raise concerns in court that the evidence has been tampered with.

3. Chain of Custody

As investigators collect media from their client and transfer it when needed, they should document all transfers of media and evidence on Chain of Custody (CoC) forms and capture signatures and dates upon media handoff.

It is essential to remember chain-of-custody paperwork. This artifact demonstrates that the image has been under known possession since the time the image was created. Any lapse in chain of custody nullifies the legal value of the image, and thus the analysis.


Any gaps in the possession record, including any time the evidence may have been in an unsecured location, are problematic. Investigators may still analyze the information, but the results are not likely to hold up in court against a reasonably tech-savvy attorney. Forms that investigators use to clearly and easily document all records of change of possession are easy to find on the Internet; we use the NIST Sample CoC to maintain the chain of custody audit trail.

Source: https://ci.security/resources/news/article/3-methods-to-preserve-digital-evidence-for-computer-forensics

Digital Forensics Tools

Forensics is the application of scientific tests or techniques used in criminal investigations. Digital forensics is the process of recovering and preserving materials found on digital devices. Digital forensics is needed because data are often locked, deleted, or hidden. There are five primary branches of digital forensics and they are categorized by where data is stored or how data is transmitted. Digital forensics tools are hardware and software tools that can be used to aid in the recovery and preservation of digital evidence. Law enforcement can use digital forensics tools to collect and preserve digital evidence and support or refute hypotheses before courts.

Digital Evidence

Digital evidence is any information stored in digital devices that can be used in courts. Conventional examples are files stored in a computer or mobile device, such as e-mails, images, and internet browser histories.

Documentation Tools for Preserving Electronic Evidences

Integrity Protection by FTK Imager

FTK Imager is a disk imaging tool. It can be used for imaging of logical drives as well as physical drives. It supports four different formats to store the extracted image. These formats are AD1, E01, RAW and SMART. Digital evidence integrity is ensured by calculating MD5 and SHA1 hashes of the extracted content and storing them in a report along with other details related to the drive. It also offers an encryption feature to ensure the confidentiality of the digital evidence. The digital evidence can be encrypted by using a password or a digital certificate. The documentation of FTK Imager recommends using “Write Blocking Hardware” so that digital evidence contents are not changed during the data extraction phase.

Integrity Protection by EnCase

EnCase is a forensics tool and it is used to extract an image of the whole drive. The extracted image is stored in E01 format. Integrity of the extracted contents is ensured by generating CRC and digital hashes (MD5 and SHA1). It also provides an optional feature of encryption to ensure the confidentiality of the extracted contents. Just like FTK Imager, EnCase recommends using “Write Blocking Hardware.”
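
As an added example (not part of the original post or its source article), the hash check described under "Hash Values" can be scripted as follows: the image is streamed once, the MD5 and SHA-1 digests the post names are computed together, and they are compared with the values recorded at acquisition. The file name and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-GB image never sits in memory


def hash_image(path, algorithms=("md5", "sha1")):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition.

    Returns (ok, mismatches); mismatches maps algorithm -> (recorded, current).
    """
    current = hash_image(path, tuple(recorded))
    mismatches = {
        name: (value, current[name])
        for name, value in recorded.items()
        if value.strip().lower() != current[name]
    }
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: a stand-in 'image' is verified, then altered by one bit."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.raw")  # hypothetical file name
        with open(path, "wb") as image:
            image.write(bytes(range(256)) * 10000)    # about 2.4 MiB of sample data
        recorded = hash_image(path)                   # values noted at acquisition
        ok_before, _ = verify_image(path, recorded)
        with open(path, "r+b") as image:              # simulate an alteration
            image.seek(1_500_000)
            byte = image.read(1)
            image.seek(1_500_000)
            image.write(bytes([byte[0] ^ 0x01]))      # flip a single bit
        ok_after, mismatches = verify_image(path, recorded)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())
```

In practice `verify_image` would be run on the working copy before and after analysis, with the result noted alongside the chain-of-custody record.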