Around The Globe ATG.WORLD

Visit our sister website :

http://www.atg.world/

This is a social network for enthusiasts just like us. No Junk! Only meaningful conversations with the people who share the same enthusiasm as us.


Monday, August 31, 2009

Presentation of Digital Evidence

Documenting the Investigation.

Documentation is not a final step; it is done throughout the investigation, at every stage of handling and processing digital evidence. Documentation that shows the evidence in its original state is regularly used to demonstrate that it is authentic and unaltered.

Documentation includes:
  • Software used and version numbers.
  • Collection tools.
  • Methods used.
  • Explanation of why this analysis was chosen.

Court Presentation
  • The Discovery process
  • Checklists, notes, comments, email, etc.
  • Chain of Custody
  • Business Attire.
  • Ask for questions to be repeated.
  • Give your attorney a chance to object.
  • Review your notes before court
  • Always use your notes to answer questions.

Analysis of Digital Evidence

Examination
  • Start a script (log) with the time, your name and the date.
  • Examine the partitions and directories on the hard drive.
  • Use a hex editor to view suspect areas.
  • Search for terms related to the case.
  • Retrieve deleted files.
  • Check unallocated and slack space.
  • If evidence is found, record its location (cylinder, head and sector).

Authenticate your recovered evidence.
  • Create an electronic hash of all electronic evidence.
  • Use MD5SUM, SHA or Tripwire.

Analyze the data without modifying it.
  • Make two backups of the original data.
  • Perform a bit-by-bit (bit-stream) backup.
  • Create a hash of each backup prior to analysis.
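The examination and authentication steps above, together with the items listed under "Documenting the Investigation", as one added example that is not part of the original post: a POSIX shell script that opens a timestamped examination log with the examiner's name and the tool versions, makes two bit-stream backups with dd, hashes the original and each backup with SHA-256 and MD5, and verifies every copy before any analysis would begin. The "drive" is a constructed 1 MiB file, the examiner name is a placeholder, and GNU coreutils (dd, sha256sum, md5sum, date) are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not the post's own code): a documented acquire-hash-verify
# workflow. Assumptions: GNU coreutils on PATH; the "suspect drive" is a
# constructed file, not a real device; EXAMINER is a placeholder name.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LOG="$WORK/examination.log"
EXAMINER="${EXAMINER:-Jane Examiner (placeholder)}"

# Append one UTC-timestamped line to the examination log.
note() {
    printf '%s  %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG"
}

# "Start a script with time, name and date": record who, when, which tools
# and versions, and the method, so the notes can answer questions later.
start_script() {
    : > "$LOG"
    note "examination started by: $EXAMINER"
    v=$(dd --version 2>/dev/null | head -n 1)
    note "dd:        ${v:-version unavailable}"
    v=$(sha256sum --version 2>/dev/null | head -n 1)
    note "sha256sum: ${v:-version unavailable}"
    note "method:    bit-stream copy with dd; SHA-256 and MD5 of original and each backup"
}

# Constructed stand-in for the original drive: 1 MiB of random bytes.
make_sample_drive() {
    dd if=/dev/urandom of="$WORK/original.img" bs=512 count=2048 2>/dev/null
    printf '%s\n' "$WORK/original.img"
}

# Hash with both algorithms the post names; prints "sha256 md5".
hash_file() {
    printf '%s %s\n' "$(sha256sum "$1" | cut -d' ' -f1)" "$(md5sum "$1" | cut -d' ' -f1)"
}

# Bit-by-bit (bit-stream) copy. noerror keeps reading past bad sectors and
# sync pads them with zeros, so the image stays sector-aligned with the source.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    note "imaged $1 -> $2"
}

# Compare a backup against the original; prints MATCH or MISMATCH and logs it.
verify_copy() {
    orig_h=$(hash_file "$1")
    copy_h=$(hash_file "$2")
    note "hash $1: $orig_h"
    note "hash $2: $copy_h"
    if [ "$orig_h" = "$copy_h" ]; then
        note "verified: $2 matches original"
        echo MATCH
    else
        note "ALERT: $2 does NOT match original"
        echo MISMATCH
    fi
}

# Full workflow: two backups, each hashed and verified before any analysis.
run_workflow() {
    start_script
    src=$(make_sample_drive)
    note "original hash (pre-imaging): $(hash_file "$src")"
    image_drive "$src" "$WORK/backup1.img"
    image_drive "$src" "$WORK/backup2.img"
    r1=$(verify_copy "$src" "$WORK/backup1.img")
    r2=$(verify_copy "$src" "$WORK/backup2.img")
    if [ "$r1" = MATCH ] && [ "$r2" = MATCH ]; then echo MATCH; else echo MISMATCH; fi
}

run_workflow
```

Running the script prints MATCH and leaves the full record in `$WORK/examination.log`. One caveat worth writing into the notes on a real acquisition: `conv=noerror,sync` zero-fills sectors the drive cannot read, so on a damaged disk the image hash can legitimately differ from a hash of the source medium; the log entry for that image should say so, and the two backups should still match each other.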

Identification of Digital Evidence

Identification of digital evidence requires digital investigators to recognize the hardware (computers, floppy drives, hard disks, network cables, etc.) that contains the digital information, and then to search for the relevant information: the digital data that can establish that a crime has been committed, or that can provide a link between a crime and its perpetrator.

Some forensic toolkits to work with
  • Access Data's Forensic Toolkit
  • The Coroner's Toolkit (TCT)
  • ForensiX
  • New Technologies Inc (NTI)
  • Guidance Software's EnCase application