
Computer forensics: Collecting physical evidence


In the previous installment of this series, we secured the scene and captured its general state with photographs. That brought us to the point at which we are ready to collect evidence.

The actual collection of evidence is a critical step in the investigative process. Each piece of evidence collected must be handled in a way that preserves its integrity and any trace evidence, and that provides a detailed record of its whereabouts from the time of collection to the time it arrives in a courtroom. Failure to pay proper attention to any one of these areas can easily result in one or more pieces of evidence having no value in court or in administrative proceedings.

Once an object is identified as evidence, it must be tagged. Evidence tagging helps identify the collected item. The tag can consist of as little as a sticker with the date, time, control number, and name or initials of the investigator. Using a control number is an easy way to identify a piece of evidence in documentation such as a chain of custody. A tag can also be an actual document that contains general information about the item and the incident under investigation. Photo A is an example of an evidence tag form.

The types of evidence that should be tagged include:

  • Removable media
  • Cables
  • Publications
  • All computer equipment, including peripherals
  • Items taken from the trash
  • Miscellaneous items (e.g., notes or reports)

Once the evidence is tagged, the investigator should photograph it in a way that also displays the tag information. This becomes another way to document what was collected and how it was processed. When taking pictures of computing devices, the investigator should include all interfaces. If a cable is attached to an interface, it should remain connected during the picture taking process. It's a good practice to clearly label each attached cable with the associated peripheral device before taking interface photos.

After photographs are taken, the evidence is bagged. Bagging evidence helps protect and organize items through the assessment, documentation, and presentation steps. Consider antistatic bags for hard drives, circuit boards, and other bare electronics, which they protect from electrostatic discharge during handling, and Faraday bags for handheld communication devices. A Faraday bag blocks RF, so a seized phone or tablet cannot receive a remote wipe or lock command, sync, or send and receive messages while it is in storage. Keep in mind that a device searching for a signal inside the bag drains its battery quickly, so power it down or plan to keep it charged if it must stay on. Ordinary RF exposure does not alter magnetic media; strong magnetic fields do, so keep drives and tapes away from magnets, speakers, and similar sources.

Photo B is an example of a standard sealable evidence bag. Formal evidence bags with tamper-evident seals are preferable, but a supply of ordinary resealable storage bags works if you seal each one with evidence tape and write the date and your initials across the seal, so that any opening is visible.


When an item is bagged, a chain of custody document must be initiated. It is this document that records who handled the evidence, when and why possession changed, and how each person safeguarded it while it was in their hands. A PDF version of the chain of custody document I use is located here. Failure to record any change in possession of a piece of evidence is an open door to having it excluded in legal or administrative proceedings. The chain of custody form should be affixed securely to the evidence. For example, staple the form to the margin of the evidence bag, outside the sealed compartment, so the seal is not punctured.
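The tag and chain of custody described above reduce to a small, append-only record per item, and the one check worth automating is continuity: every release must come from whoever was last recorded as holding the item. The following is an added example, not code from the article or from the author's own form. The control-number format (case ID plus a three-digit sequence), the field names, and the sample data are assumptions; the hash applies only to digital copies and uses SHA-256, since MD5 collisions are practical today.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass
class CustodyEntry:
    """One change of possession, as written on a chain-of-custody form."""
    when: datetime
    released_by: str
    received_by: str
    reason: str       # why possession changed, e.g. "transport to evidence vault"
    safeguard: str    # how the receiver secured it, e.g. "locked cabinet B"


@dataclass
class EvidenceItem:
    """The evidence tag plus the custody log that travels with the bagged item."""
    control_number: str
    description: str
    collected_by: str
    collected_at: datetime
    sha256: Optional[str] = None   # digital copies only; physical items carry no hash
    custody: List[CustodyEntry] = field(default_factory=list)


def make_control_number(case_id: str, seq: int) -> str:
    """Control-number format is an assumption: <case id>-<three-digit sequence>."""
    return f"{case_id}-{seq:03d}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceRegister:
    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.items: List[EvidenceItem] = []

    def tag(self, description: str, collected_by: str, collected_at: str,
            data: Optional[bytes] = None) -> EvidenceItem:
        """Assign the control number at collection; hash digital content on intake."""
        item = EvidenceItem(
            control_number=make_control_number(self.case_id, len(self.items) + 1),
            description=description,
            collected_by=collected_by,
            collected_at=datetime.fromisoformat(collected_at),
            sha256=sha256_hex(data) if data is not None else None,
        )
        self.items.append(item)
        return item

    def transfer(self, item: EvidenceItem, when: str, released_by: str,
                 received_by: str, reason: str, safeguard: str) -> None:
        """Append a custody entry. Entries are only ever appended, never edited."""
        item.custody.append(CustodyEntry(datetime.fromisoformat(when),
                                         released_by, received_by, reason, safeguard))

    def custody_gaps(self, item: EvidenceItem) -> List[str]:
        """Describe every break in the chain; an empty list means the chain is intact."""
        problems: List[str] = []
        holder, last_time = item.collected_by, item.collected_at  # collector holds first
        for i, e in enumerate(item.custody, start=1):
            if e.released_by != holder:
                problems.append(f"entry {i}: released by {e.released_by!r}, "
                                f"but the last recorded holder is {holder!r}")
            if e.when < last_time:
                problems.append(f"entry {i}: timestamp precedes the previous entry")
            if not e.safeguard.strip():
                problems.append(f"entry {i}: no safeguarding recorded by {e.received_by!r}")
            holder, last_time = e.received_by, e.when
        return problems


def verify_digital(item: EvidenceItem, data: bytes) -> bool:
    """Re-hash a digital copy before and after each handling step; False means altered."""
    return item.sha256 is not None and item.sha256 == sha256_hex(data)


def render_form(item: EvidenceItem) -> str:
    """Plain-text chain-of-custody form to print and affix to the evidence bag."""
    lines = [f"Control number: {item.control_number}",
             f"Description:    {item.description}",
             f"Collected by:   {item.collected_by} at {item.collected_at.isoformat(sep=' ')}"]
    if item.sha256:
        lines.append(f"SHA-256:        {item.sha256}")
    for i, e in enumerate(item.custody, start=1):
        lines.append(f"{i}. {e.when.isoformat(sep=' ')}  {e.released_by} -> {e.received_by}"
                     f"  reason: {e.reason}  safeguard: {e.safeguard}")
    return "\n".join(lines)
```

Tag each item at the scene with `tag()`, call `transfer()` at every hand-off (scene to vehicle, vehicle to custodian, custodian to bench and back), and run `custody_gaps()` before the item leaves the vault for court. The register never rewrites an entry: a mistake on the form is corrected by a new entry, which is the same rule applied to the paper form.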

Prior to transport to the evidence vault, it's a good idea to place the individual bagged items into one large container. This helps protect the integrity of the evidence and reduces the chance that one or more items might be lost in transit. Here are some things to remember when transporting evidence to the evidence vault:

  • Prevent damage caused by evidence moving around in a trunk or by travel over rough roads.
  • Do not leave the evidence unattended in the transport vehicle. In addition to damage by environmental conditions, the evidence chain of custody might be broken before the evidence reaches the investigator's office.
  • Avoid damaging environmental conditions, such as temperature extremes, humidity, etc.

Once the evidence arrives at the investigator's office, it must be secured in a locked room, safe, cabinet, or vault that has restricted access. The ideal situation, and one that ensures a clean chain of custody, is the presence of a single individual who is responsible for receiving, securing, and signing out evidence. Sometimes known as an evidence custodian, this person has full responsibility for ensuring continuous secure storage for all evidence collected.

In the next installment in this series, we'll start looking at how to acquire evidence from desktop or laptop computers.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

1 comment

dave_severson

My preferred process for a hard drive would be to collect the drive at the site and bag it in a tamper-proof bag. Then at the bench I would do an MD5 hash collection and forensic copy of the drive. I then like to bag the drive again and securely store it and not touch it unless absolutely necessary. How do people handle the ID and bagging process when you go from collect to hash & copy to store? Do you use two bags, or what? How is it recorded on a CoC form for the bag IDs, etc.?
