Discussion Forum: Data & Evidences

How you can preserve data contained in a RAM and list two documentation tools used for preserving electronic evidences.

Picture of Abraham Selby
How you can preserve data contained in a RAM and list two documentation tools used for preserving electronic evidences.
by Abraham Selby - Tuesday, 15 December 2020, 7:16 AM

1. Drive Imaging

Before investigators can begin analyzing evidence from a source, they need to image it first. Imaging a drive is a forensic process in which an analyst creates a bit-for-bit duplicate of a drive. This forensic image of all digital media helps retain evidence for the investigation. When analyzing the image, investigators should keep in mind that even wiped drives can retain important recoverable data to identify and catalogue. In the best cases, they can recover all deleted files using forensic techniques.

As a rule, investigators should exclusively operate on the duplicate image and never perform forensic analysis on the original media. In fact, once a system has been compromised, it is important to do as little as possible – and ideally nothing – to the system itself other than isolating it to prevent connections into or out of the system and capturing the contents of live memory (RAM), if needed.  Limiting actions on the original computer is important, especially if evidence needs to be taken to court, because forensic investigators must be able to demonstrate that they have not altered the evidence whatsoever by presenting cryptographic hash values, digital time stamps, legal procedures followed, etc. A piece of hardware that helps facilitate the legal defensibility of a forensic image is a “write blocker”, which investigators should use to create the image for analysis whenever one is available.

2. Hash Values

When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5, SHA-1). The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media.

Hash values are critical, especially when admitting evidence into court, because altering even the smallest bit of data will generate a completely new hash value. When you create a new file or edit an existing file on your computer, it generates a new hash value for that file. This hash value and other file metadata are not visible in a normal file explorer window but analysts can access it using special software. If the hash values do not match the expected values, it may raise concerns in court that the evidence has been tampered with.

I will address how metadata is used in analysis in a later article.

3. Chain of Custody

As investigators collect media from their client and transfer it when needed, they should document all transfers of media and evidence on Chain of Custody (CoC) forms and capture signatures and dates upon media handoff.

It is essential to remember chain-of-custody paperwork. This artifact demonstrates that the image has been under known possession since the time the image was created. Any lapse in chain of custody nullifies the legal value of the image, and thus the analysis.