In previous articles in the series we’ve explored what to look out for and ways to collect digital evidence without impacting its reliability and admissibility in legal proceedings. Of course, in digital forensics, collecting evidence is only the first step. Once the data is acquired, the challenge turns to how to preserve the digital forensic evidence whilst digging into its details.
Preservation and analysis are critical phases where digital forensics and eDiscovery expertise converge. (It’s this convergence that allows us to transform raw data into actionable insights.) A solid preservation process safeguards the authenticity of the evidence, while advanced analysis methods reveal patterns and connections that bring the investigation to life. This stage requires a blend of forensic rigour and eDiscovery innovation – essential for uncovering the full story hidden within the data.
In this article, we’ll explore how preservation lays the groundwork for effective analysis and in the final article of the series, we review how eDiscovery tools and techniques boost forensic analytics capabilities to deliver accurate, defensible results.
How to preserve digital forensic evidence to maintain authenticity and integrity?
Once collected, data under investigation must be preserved to maintain its authenticity and prevent any alteration or loss (spoliation). Best practice for preserving digital forensic evidence includes two critical steps:
- Creating master and working copies: A “master” copy of the collected data is created, bagged, sealed, and stored as a pristine, untouched version of the original evidence. A second “working” copy is used for analysis. This approach allows forensic experts to work on a duplicate without risking alterations to the original evidence – a critical measure in ensuring the credibility and admissibility of findings.
- Documenting the chain of custody: Preservation also includes meticulous Chain of Custody documentation. This chronological record tracks every individual who has accessed or handled the evidence, along with the date, duration, purpose, and context of each access. The Chain of Custody is the evidence’s secure “paper trail,” crucial for confirming the data has remained unaltered and has been managed responsibly.
What happens when forensic evidence is not correctly preserved?
When properly executed, these steps are fundamental to the integrity of an investigation. But if preservation is poorly managed, the risks are substantial. A lack of precision can lead to mistakes that delay investigations or, worse, alter or damage evidence in ways that make it inadmissible. For example:
- Missed data: Collecting too much irrelevant data or failing to capture key pieces of evidence slows the investigation, adds unnecessary costs, and can dilute the focus.
- Altered timestamps and metadata: Accidental changes to metadata can interfere with an analysis that relies on accurate timelines or user access histories.
- Data corruption: Without defensible preservation, critical evidence may become corrupted or inadvertently deleted, undermining the entire case.
Progressing from preservation of digital forensic evidence to analysis
Once the data has been preserved, analysis can begin. This phase is where digital forensics meets eDiscovery.
By combining digital forensics expertise with the latest in eDiscovery tools, our team can delve into both structured data (like databases) and unstructured data (like documents and emails) to draw out patterns and insights that drive the investigation forward at speed.
Preservation and beyond: the skills to transform your investigation
At Salient, we know that accurate preservation and precision analysis of digital evidence in forensic investigations can make all the difference. If you’re unsure how to preserve digital forensic evidence, or want assistance to gain actionable insights from the data, get in touch.
An Introduction to Digital Forensics:
from defensible collection to analysis and insights
Read more in our Digital Forensics series to explore the complexities of collections, processing and analysis in more detail, and gain practical insights into how we can help uncover the truth in even the most challenging cases.
Introduction to digital forensics services – we share our thoughts on the applications and challenges.
Digital evidence collection – we discuss the two main techniques: Imaging vs. RAM Capture.
What to collect and how – we explore the different data types and the importance of a defensible process.
Digital forensics meets eDiscovery – we show how to use eDiscovery tools to analyse digital evidence and uncover hidden patterns.