Previous article in series – Digital Forensics: Identification, Collection, and Preservation of Digital Evidence
Maintaining evidence from collection to trial is a critical part of digital forensics. You should have policies and procedures in place for the collection and management of evidence. In some cases, you may need to collect digital evidence on short notice. Care should be taken not to collect data outside the scope of the requesting legal document.
Certain court orders and legal discovery documents specify that neither you nor the cloud service provider may disclose the activities undertaken in support of the order. In some cases, the cloud service provider is itself prohibited from disclosing the court order, or the existence of an investigation, to you.
Disclosure here refers to information about the data-gathering activities themselves. Depending on the SLA(s) the customer has in place, the data gathering performed in support of a forensic examination of one tenant's data may not have to be disclosed to that tenant, or to any other tenant in a multitenant hosting solution.
Collection of electronically stored information (ESI)
- When possible, from original physical media
- Make bit-level (forensic) copies, record the hash of the original and of each copy, and confirm that the hash values match before relying on the copy
- Complicated by distributed, virtualized, cloud-based systems
Preservation of electronically stored information (ESI)
- Legal hold activities require the involvement of general counsel
- Protection against threats such as loss/theft, accidental damage, deliberate interference/manipulation
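The collection and preservation points above both come down to the same check: hash the original as it is read, write a bit-level copy, hash the copy, and re-hash the copy at every later step so that loss, damage or deliberate manipulation is detected rather than assumed away. The following is an added example, not code from the original article or any forensic tool it refers to; the file names, case identifier and examiner name are constructed, and the "media" is a patterned sample file stood in for a real device so the script runs offline.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

# Algorithms recorded at acquisition. SHA-256 is the one to rely on; MD5 and
# SHA-1 are kept only because older tools and report templates still cite them.
ALGORITHMS = ("md5", "sha1", "sha256")


def _digest(stream, algorithms, chunk_size):
    """Hash a readable stream in fixed-size chunks so a multi-gigabyte image
    is never loaded into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash a small in-memory artifact (an exported file, a captured message)."""
    return _digest(io.BytesIO(data), algorithms, 1 << 20)


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file on disk."""
    with open(path, "rb") as fh:
        return _digest(fh, algorithms, chunk_size)


def bit_level_copy(src, dst, chunk_size=1 << 20):
    """Copy src to dst byte for byte (a raw, dd-style image of a file-backed
    source) and hash the bytes as they stream past, so the acquisition hash
    describes exactly the data that was read from the original."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
            fout.write(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_and_verify(src, dst, case_id, examiner):
    """Image src to dst and return a verification record holding the hash of
    the source as read, the hash of the written image, and whether they match."""
    acquisition = bit_level_copy(src, dst)
    verification = hash_file(dst)  # independent re-read of the written image
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": os.path.abspath(src),
        "image": os.path.abspath(dst),
        "size_bytes": os.path.getsize(dst),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "acquisition_hashes": acquisition,
        "verification_hashes": verification,
        "verified": acquisition == verification,
    }


def reverify(record):
    """Re-hash the image (before analysis, at each handoff, before trial) and
    compare with the hashes recorded at acquisition. A mismatch means the image
    has been altered, damaged or substituted and can no longer be relied on."""
    return hash_file(record["image"]) == record["acquisition_hashes"]


def demo():
    """Run the workflow on constructed sample media in a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "usb_stick.raw")      # stands in for the device
        image = os.path.join(workdir, "CASE-0001_item01.dd")   # constructed image name
        # Constructed sample "media": 3 MiB of patterned bytes, not real evidence.
        with open(original, "wb") as fh:
            fh.write(bytes(range(256)) * (3 * 1024 * 1024 // 256))

        record = acquire_and_verify(original, image, "CASE-0001", "examiner-01")
        clean = reverify(record)

        # Simulate deliberate interference: invert one byte in the middle of the image.
        with open(image, "r+b") as fh:
            fh.seek(1_500_000)
            byte = fh.read(1)
            fh.seek(-1, os.SEEK_CUR)
            fh.write(bytes([byte[0] ^ 0xFF]))
        tampered = reverify(record)

        return {
            "verified_at_acquisition": record["verified"],
            "reverify_clean": clean,
            "reverify_after_tamper": tampered,
        }


if __name__ == "__main__":
    print(demo())
```

The acquisition hash is computed from the bytes as they are read from the source, not from a later re-read, so a copy error shows up as a mismatch between the acquisition and verification hashes rather than being hidden by hashing the copy twice. The record returned by `acquire_and_verify` is the kind of entry that belongs in the acquisition log; `reverify` is the check to repeat at every later step.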
The Five Rules of Evidence
More generally, evidence should have demonstrative value, be relevant to the case at hand, and meet the following criteria:
- Be authentic: The evidence must be tied back to the scene or system it came from before it can be used.
- Be accurate: Throughout the collection process, the evidence must retain its authenticity and veracity.
- Be complete: All evidence should be collected, including evidence that supports the case and evidence that could undermine the reliability of other incriminating evidence.
- Be convincing: The evidence should be clear, easy to understand, and believable to a jury.
- Be admissible: The evidence must be usable in a court of law. Demonstrative value means that the evidence is sufficiently useful to prove something important at trial.
Next article in series – Digital Forensics: Chain of Custody & Nonrepudiation