Page 33 - Forensic News Journal Jan Feb 2018
P. 33
Digital Evidence and Legal Proceedings
versed on many occasions the defendant’s version consists of an exact byte-
and it also confirmed the of events could not have by-byte copy of all data
origins of the check. After been supported. and space, both live files
months of investigation, and deleted information,
after the identification of During the examination which is present on the de-
this evidence, the case was process of digital vice. This forensic image
dropped on the morning of evidence, it is standard then forms the basis of the
the trial. procedure for the evidence investigation and analy-
Photo Courtesy of securedatarecovery
to be connected to a suit- sis and the original ex-
Had the computer evi- able system using write hibit can then be securely
dence not been sufficiently protecting hardware so stored.
protected and secured that no alteration or access
following seizure and the to the original device is At the start of the foren-
data present altered in possible. sic copying process, the
any way, whether it be by device is assigned an ac-
use of the hard drive or Due to the volatility of quisition hash value (most
improper handling of the digital evidence it is best commonly an MD5 hash
drive, the relatively small practice to take a forensic value). Once the evidence
piece of crucial evidence ‘image’ of the hard drive has been forensically ac-
may have been lost and or storage device that quired (imaged, similar to
33
