CO2517 Digital Evidence 2023 Part 1

Digital evidence refers to any information or data that is stored or transmitted electronically and can be used in a court of law to support or refute a legal case.

Physical evidence - Evidence that can be seen, touched, or analyzed in a laboratory, such as DNA, fingerprints, or blood samples.

ACPO Principle 1 • No action taken should change data held on a computer or storage media which may subsequently be relied upon in court

ACPO Principle 2 • In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and implications of their actions

ACPO Principle 3 • An audit trail or other record of all processes applied to a computer-based electronic evidence should be created and preserved.

ACPO Principle 4 • The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

Credibility - The credibility or believability of evidence is also a matter for the trier of fact to decide and is not considered a test of evidence admissibility.

Chain of Custody It is a document that records the transfer of evidence It should provide the chronology of the movement and handling of the potential digital evidence up to its current state

Although largely used, these algorithms are known to be subject to collision attacks since 2005/2006 − i.e., two different files can be manipulated to generate matching hashes

• To address this issue, in Forensics, two (or more) hash algorithms are often used − Some tools automatically generate MD5 and SHA-1 hash values and others allow the selection of algorithms.

Generally, volatile data is more likely to change or be lost than non-volatile data, so volatile data should be collected first. The order of volatility typically starts with data that is most volatile, such as data that resides only in memory, followed by data that is less volatile, such as data stored on hard drives or other persistent storage media.