CSDF Unit 4

The document outlines the importance of evidence collection in computer forensics, emphasizing the need for reliable and admissible data to support legal actions. It details various collection strategies, obstacles faced during evidence collection, types of evidence, and the rules of evidence necessary for court admissibility. Additionally, it provides a comprehensive procedure for evidence collection, preservation, and authentication to ensure the integrity and reliability of digital evidence.

CSDF Unit 4 - Evidence Collection and Data Seizure

1. Why Collect Evidence?

The primary goal of evidence collection in computer forensics is to obtain reliable, authentic, and admissible data that can help reconstruct events and support legal or disciplinary action.

According to Brown, digital evidence is fragile and easily altered, so it must be captured in a way that preserves its original state.

Evidence is collected to:
• Identify the perpetrator of a cybercrime or policy violation.
• Reconstruct the sequence of events: who did what, when, and how.
• Support prosecution or defense in court by providing verifiable proof.
• Prevent further damage or data loss.

Vacca adds that evidence collection must always follow the principle of "do no harm": never change the original system during examination. Where some change is unavoidable (a live capture of volatile data necessarily runs a tool on the target), the change and the reason for it are documented.

2. Collection Options

There are three main collection strategies:

(a) Live Collection

Performed while the computer is powered on, capturing volatile data such as RAM contents, running processes, logged-in users, open ports, and network connections. It is also often the only practical way to obtain the plaintext of a full-disk-encrypted volume that is currently unlocked.
Used for:
• Intrusion detection,
• Rootkit analysis,
• Malware activity tracing.
Every tool run on a live system changes it slightly (a new process, new memory pages), so the tools used, their versions, and the time of each capture are recorded.

(b) Static (Offline) Collection

The system is powered off and forensic images of the storage media are created through a write-blocker, which prevents any write to the source drive.
This is the safest and most legally defensible method because it makes no changes to the stored data, but anything volatile (RAM, live network state, the keys of an unlocked encrypted volume) is lost at power-off, so it is usually preceded by a live capture when those matter.
Common tools: EnCase, FTK Imager, and dd.
(c) Remote / Network Collection

Used when the system is at a distant site. Forensic software agents capture data over an authenticated, encrypted channel.
This is used in corporate environments and cloud-based investigations.

3. Obstacles in Evidence Collection

Investigators often face practical and legal challenges:
• Encryption and passwords: strong encryption can make data unreadable without the key.
• Anti-forensic tools: suspects may use wiping utilities or falsify timestamps.
• Volume of data: terabytes of information require selective acquisition.
• Distributed storage: cloud or remote servers may fall under other jurisdictions.
• Legal restrictions: privacy laws, lack of search warrants, or multi-jurisdictional complications.
• Volatility: some evidence (RAM, cache, in-memory logs) disappears once the system is powered off.

Brown emphasizes that proper planning and legal authorization mitigate most obstacles.

4. Types of Evidence and the Rules of Evidence

(a) Real (Physical) Evidence – tangible devices such as computers, USB drives, mobile phones.
(b) Documentary Evidence – files, logs, emails, databases, and printed reports.
(c) Testimonial Evidence – statements from witnesses or experts interpreting data.
(d) Demonstrative Evidence – charts or diagrams created to illustrate forensic findings.

Rules of Evidence

For evidence to be admissible in court, it must satisfy these conditions:
1. Relevance – it must relate directly to the case.
2. Authenticity – proof that the evidence is genuine and unaltered.
3. Reliability – obtained using scientifically accepted methods.
4. Integrity – handled under a proper chain of custody.
5. Legality – collected under lawful authority.

Vacca stresses that even strong technical evidence becomes useless if procedural rules are violated.

5. Volatile Evidence

Volatile evidence refers to data that is lost when the computer is powered off, such as:
• RAM contents,
• Active network connections,
• Running processes and the current system time,
• Clipboard contents, temporary files, and cache.

Brown insists this data should be captured immediately, before the machine is powered down, using trusted tools. Memory is acquired with a capture tool such as DumpIt or FTK Imager Lite; the Volatility Framework is used afterwards to analyse the captured dump, not to acquire it.

Example order of volatility (from most to least volatile), following the ordering in RFC 3227:
1. CPU registers and cache,
2. RAM,
3. Network state (connection table, ARP cache, routing table),
4. Disk data,
5. Archival media.
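An added example, not from the original notes, of a live-capture script that follows this order: it runs one command per item from most to least volatile, hashes each output the moment it is written, records the tool and time of every capture, and notes a missing tool instead of silently skipping it. The Linux command names are assumptions; a memory dump with a dedicated tool (DumpIt, FTK Imager) would run before this script on a real system, since RAM sits above everything listed here.

```python
"""Ordered volatile-data capture with immediate hashing.

Added example; not from the source text.  The Linux tool names below are
assumptions: substitute the target platform's equivalents.  A RAM dump with a
dedicated capture tool is assumed to have been taken first.
"""
import hashlib
import json
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

# Most to least volatile: clock, uptime, process table, network state,
# ARP cache, routing table, logged-in users.
DEFAULT_COMMANDS = [
    ("system_time", ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("uptime", ["uptime"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_connections", ["ss", "-tunap"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routing_table", ["ip", "route"]),
    ("logged_in_users", ["who", "-a"]),
]


def utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def collect_volatile(commands=DEFAULT_COMMANDS, outdir=None):
    """Run each command in the given order, store its raw output, hash it
    immediately, and write a manifest.  A missing tool is recorded rather
    than skipped, because the gap has to be explained in the report."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="volatile_"))
    outdir.mkdir(parents=True, exist_ok=True)
    items = []
    for name, argv in commands:
        entry = {"item": name, "command": " ".join(argv), "collected_at": utc_now()}
        if shutil.which(argv[0]) is None:
            entry["status"] = "tool_missing"
            items.append(entry)
            continue
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        data = proc.stdout + proc.stderr          # keep stderr: it documents failures
        path = outdir / f"{name}.txt"
        path.write_bytes(data)
        entry.update(status="ok", returncode=proc.returncode, path=str(path),
                     bytes=len(data), sha256=hashlib.sha256(data).hexdigest())
        items.append(entry)
    (outdir / "manifest.json").write_text(json.dumps(items, indent=2))
    return {"outdir": str(outdir), "items": items}


def verify_capture(outdir):
    """Re-hash every stored file against the manifest; returns the names of
    items whose content no longer matches (an empty list means intact)."""
    outdir = Path(outdir)
    items = json.loads((outdir / "manifest.json").read_text())
    bad = []
    for entry in items:
        if entry["status"] != "ok":
            continue
        digest = hashlib.sha256(Path(entry["path"]).read_bytes()).hexdigest()
        if digest != entry["sha256"]:
            bad.append(entry["item"])
    return bad


if __name__ == "__main__":
    result = collect_volatile()
    print(json.dumps(result, indent=2))
    print("mismatches:", verify_capture(result["outdir"]))
```

The manifest (item, command, time, byte count, SHA-256) is what goes into the chain-of-custody record for the live capture; `verify_capture` is the periodic integrity recheck the later sections call for.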

6. General Procedure for Evidence Collection

1. Preparation – secure proper authorization, gather tools, and assign roles.
2. Securing the Scene – prevent unauthorized access and photograph the setup.
3. Documentation – label each item, record make/model, serial numbers, and location.
4. Collection – capture volatile data (if live) and create forensic images of storage.
5. Preservation – seal evidence in tamper-evident bags, store in secure lockers.
6. Chain of Custody – maintain a continuous record of every transfer and access.
7. Transportation and Storage – handle with care, avoiding electrostatic and magnetic damage.

7. Collection and Archiving
• Collection focuses on capturing active or relevant evidence.
• Archiving is about securely storing evidence for long-term preservation.

Brown emphasizes redundant archiving: keeping multiple copies in separate secure locations.
Evidence should be stored in climate-controlled environments and checked periodically for data integrity.

8. Methods of Collection

Method                   Description
Forensic Imaging         Bit-by-bit copy of a drive, made through a write-blocker so the source is not altered.
Network Capture          Capturing packets or flow records using tools like Wireshark.
Memory Dump              Capturing volatile memory for malware and process analysis.
Log Harvesting           Collecting event logs, access logs, and audit trails.
Mobile Device Imaging    Using Cellebrite or Oxygen tools.
Cloud Data Acquisition   Downloading snapshots, access logs, or API-based data under legal authority.

9. Artifacts

Artifacts are traces of user activity or system operation left behind on digital
media.
Examples include:
• Browser history and cookies,
• Recycle Bin records,
• Windows Registry keys,
• Email attachments,
• Metadata (timestamps, file paths),
• System logs.

Brown calls artifacts the “digital fingerprints” that reconstruct a user’s behavior.
Investigators extract them using forensic suites and correlate with time stamps
for event reconstruction.

10. Collection Steps (According to Brown and Vacca)
1. Identify potential evidence.
2. Isolate and protect the device.
3. Document physical connections and peripherals.
4. Capture volatile data (RAM, network).
5. Power down safely if needed.
6. Create a forensic image using a write-blocker.
7. Verify the image against the source by hash.
8. Package and label storage media.
9. Complete chain-of-custody forms.
10. Transport and store in a secured evidence locker.

11. Controlling Contamination — The Chain of Custody

Contamination occurs when evidence is altered, damaged, or mixed with other data.
To prevent it:
• Use write-blockers when imaging drives.
• Always work on forensic copies, not originals.
• Avoid booting seized computers: a normal boot writes to the disk (logs, caches, updated timestamps) before any examination starts.
• Record every handler's name, date, time, and purpose in the chain-of-custody log.

The chain of custody ensures that:
• The evidence is authentic,
• There are no unexplained gaps in possession,
• Each transfer is documented and signed.

Without this, evidence can be rejected in court.
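An added example, not from the original notes, of how the three conditions above can be checked mechanically over a chain-of-custody log: every receiving party must be the releasing party of the next entry (no gap in possession), timestamps must not run backwards, and the hash verified at each handover must equal the one recorded at seizure. The log format, the names, and the exhibit bytes are all constructed for illustration.

```python
"""Chain-of-custody continuity check.

Added example; not from the source text.  The log format and names are
assumptions; the entries are constructed for illustration.
"""
import hashlib
from datetime import datetime

# Constructed stand-in for the exhibit (a forensic image file in practice).
EXHIBIT_DATA = b"constructed forensic image bytes for exhibit EX-01"
EXHIBIT_SHA256 = hashlib.sha256(EXHIBIT_DATA).hexdigest()

# One row per handover: who released it, who received it, when, why, and the
# hash verified at that moment.  The first row is the seizure itself.
GOOD_LOG = [
    {"exhibit": "EX-01", "from": None, "to": "Officer A",
     "time": "2024-03-01T09:15:00Z", "purpose": "seized at scene", "sha256": EXHIBIT_SHA256},
    {"exhibit": "EX-01", "from": "Officer A", "to": "Evidence Clerk",
     "time": "2024-03-01T14:40:00Z", "purpose": "booked into locker", "sha256": EXHIBIT_SHA256},
    {"exhibit": "EX-01", "from": "Evidence Clerk", "to": "Analyst B",
     "time": "2024-03-04T08:05:00Z", "purpose": "checked out for imaging", "sha256": EXHIBIT_SHA256},
    {"exhibit": "EX-01", "from": "Analyst B", "to": "Evidence Clerk",
     "time": "2024-03-04T17:30:00Z", "purpose": "returned after imaging", "sha256": EXHIBIT_SHA256},
]


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_chain(log, current_sha256):
    """Return a list of problems; an empty list means the chain is continuous
    and the exhibit still hashes to the value recorded at seizure."""
    if not log:
        return ["empty log"]
    problems = []
    if log[0]["from"] is not None:
        problems.append("entry 0: first entry is not a seizure (has a releasing party)")
    seized_hash = log[0]["sha256"]
    for i in range(1, len(log)):
        prev, cur = log[i - 1], log[i]
        if cur["exhibit"] != prev["exhibit"]:
            problems.append(f"entry {i}: exhibit id changes")
        if cur["from"] != prev["to"]:
            problems.append(f"entry {i}: gap in possession ({prev['to']!r} -> {cur['from']!r})")
        if _parse_time(cur["time"]) < _parse_time(prev["time"]):
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        if cur["sha256"] != seized_hash:
            problems.append(f"entry {i}: hash differs from value recorded at seizure")
    if current_sha256 != seized_hash:
        problems.append("exhibit as presented does not match hash recorded at seizure")
    return problems


def tampered_log():
    """Constructed bad log: one handover was never signed, and the hash
    recorded on return differs from the one recorded at seizure."""
    bad = [dict(e) for e in GOOD_LOG]
    bad[2]["from"] = "Analyst C"        # nobody signed it out from the clerk
    bad[3]["sha256"] = "0" * 64          # exhibit no longer hashes to the seized value
    return bad


if __name__ == "__main__":
    print("good log:", check_chain(GOOD_LOG, EXHIBIT_SHA256))
    print("bad log:", check_chain(tampered_log(), EXHIBIT_SHA256))
```

The same check runs before the exhibit is sent to court, with `current_sha256` computed from the sealed copy at that moment; any non-empty result is exactly the "unexplained gap" that gets evidence rejected.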

12. Duplication and Preservation of Digital Evidence

Duplication creates forensic images: exact bit-level copies of storage devices.

Common Duplication Methods:
• Physical imaging: copies every sector of the device, including unallocated space, so deleted files and slack space are preserved.
• Logical imaging: copies only the active files and directories the file system exposes.
• Remote imaging: captures data over a secured connection.
Preservation means storing this duplicate safely with hash verification and proper labeling.
Vacca recommends maintaining two copies: one for analysis and one sealed for court use.

13. Preserving the Digital Crime Scene — Computer Evidence Processing Steps

Brown divides digital evidence processing into these stages:
1. Recognition – identify potential evidence sources (devices, logs, networks).
2. Preservation – protect against alteration, ensure a static state.
3. Collection – acquire forensic copies.
4. Examination – filter and extract relevant data.
5. Analysis – interpret data and reconstruct activities.
6. Presentation – prepare reports and testify if required.

Just like a physical crime scene, investigators must avoid cross-contamination or accidental modification of data.

14. Legal Aspects of Collecting and Preserving Evidence

Forensic evidence collection must comply with:
• Search and seizure laws, requiring proper authorization (warrant or consent).
• Privacy and data protection acts, especially in corporate settings.
• Evidence-handling standards such as ISO/IEC 27037, which gives guidelines for the identification, collection, acquisition and preservation of digital evidence.
• Jurisdictional regulations, particularly for cross-border data.

Brown warns that evidence obtained illegally, even if technically valid, can be declared inadmissible. Hence, forensic investigators must work with legal authorities throughout the process.

15. Computer Image Verification and Authentication

Verification ensures the forensic image is identical to the original: the image hashes to the same value as the source.
Authentication proves that the evidence presented later is the same as what was originally seized.
Steps:
1. Compute a cryptographic hash of the source before imaging, of the image once it is written, and of the source again afterwards. Use SHA-256 as the primary digest; MD5 and SHA-1 are still recorded by many tools for compatibility, but both have known collision attacks, so neither should be the only digest relied on.
2. Compare the hash values: all of them must match exactly.
3. Document the verification results, including the algorithm and the tool used, in the report.

If the hashes differ, the image cannot be relied on. A common innocent cause is a failing drive with unreadable sectors; in that case the bad sectors are logged and the image is re-acquired, or the discrepancy is documented and explained.

16. Special Needs of Evidential Authentication

Digital evidence can be easily modified, so courts demand strong proof of authenticity.
This involves:
• Maintaining unaltered originals in secure storage.
• Recording every person who accessed the data.
• Using trusted forensic tools verified by testing bodies (e.g., the NIST CFTT program).
• Logging tool versions, system configuration, and hash values.

Brown calls authentication the "heart of forensic credibility."

17. Practical Considerations in Evidence Authentication

• Always use validated imaging tools (FTK, EnCase, X-Ways).
• Compute hashes using at least two algorithms, with SHA-256 as the primary one; MD5 and SHA-1 may be recorded alongside it for compatibility with older case files, but they are collision-prone and should not be relied on alone.
• Maintain backup copies in separate locations.
• Seal evidence in tamper-evident bags.
• Retest hash values periodically if evidence is stored long-term.
• Provide tool validation documents in the case file.

18. Practical Implementation of Verification and Authentication

Example procedure:
1. Attach the drive via a write-blocker.
2. Generate the pre-imaging hash of the source.
3. Acquire the image using forensic software.
4. Generate the post-imaging hash of the source and the hash of the image.
5. Compare the results (they must all match).
6. Store the image in a secure repository together with its hash metadata.
7. Record the process, including tool name and version, in the chain-of-custody log.
This end-to-end validation provides confidence that the evidence has not been tampered with.
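The verification steps of sections 15 and 18 carried out in code, as an added example that is not from the original notes: the source is hashed before imaging, the bytes are hashed as they are copied, the source and the image are hashed again afterwards, all four results must agree, and a JSON record is written beside the image for the report and the chain-of-custody log. An ordinary file stands in for the seized drive (a real acquisition would read a device path behind a write-blocker, which is an assumption here, not a tool from the notes); a later re-verification is shown detecting a single flipped byte.

```python
"""Image a source, hash source and image, record the verification.

Added example; not from the source text.  A temporary file stands in for a
block device.  SHA-256 is the primary digest; MD5 is carried only because
older case files and tools still record it.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK_SIZE = 1024 * 1024
ALGORITHMS = ("sha256", "md5")


def hash_file(path):
    """Stream the file once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image, record_path):
    """Copy source to image block by block, hashing bytes as they pass, then
    re-hash source (was it left untouched?) and image (is it faithful?)."""
    pre = hash_file(source)                                  # step 2: pre-imaging hash
    in_flight = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            chunk = src.read(BLOCK_SIZE)
            if not chunk:
                break
            dst.write(chunk)
            for h in in_flight.values():
                h.update(chunk)
    written = {name: h.hexdigest() for name, h in in_flight.items()}
    post_source = hash_file(source)                          # step 4: source again
    image_hashes = hash_file(image)                          # step 4: the image
    record = {
        "source": source, "image": image,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_bytes": os.path.getsize(source), "image_bytes": os.path.getsize(image),
        "source_hash_pre": pre, "bytes_copied_hash": written,
        "source_hash_post": post_source, "image_hashes": image_hashes,
        "verified": pre == written == post_source == image_hashes,   # step 5
    }
    with open(record_path, "w") as f:                        # step 6: hash metadata
        json.dump(record, f, indent=2)
    return record


def verify_image(image, record_path):
    """Re-verification before analysis or court: the image must still hash
    to the values recorded at acquisition."""
    with open(record_path) as f:
        record = json.load(f)
    return hash_file(image) == record["image_hashes"]


def make_sample_device(size=2 * BLOCK_SIZE + 517):
    """Constructed stand-in for a seized drive: random bytes in a temp file,
    deliberately not a whole number of blocks."""
    fd, path = tempfile.mkstemp(prefix="source_")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


def tamper(path, offset=12345):
    """Flip one byte so the re-verification has something to catch."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0xFF]))


if __name__ == "__main__":
    src = make_sample_device()
    img, rec = src + ".img", src + ".json"
    print("verified at acquisition:", acquire_image(src, img, rec)["verified"])
    tamper(img)
    print("verified after one flipped byte:", verify_image(img, rec))
```

The four-way comparison is what distinguishes "the image matches what was read" from "the source was not changed by the act of imaging"; a mismatch only between the pre and post source hashes points at a drive that is failing or being written to, not at a bad copy.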
