Best Practices for Forensic Evidence Seizure

Robert BuheckerBest Practices

Digital Evidence Seizure Best Practices During Forensic Collection Process


The employee has left, I suspect that they were involved with transferring trade secrets to a competitor. What do I need to do to protect the integrity of the evidence on the computer used?

This is a common occurrence that happens everyday, and it is of tantamount importance that the evidence seizure and collection process follows some simple best practices.

Evidence seizure can be stressful and potentially dangerous. With this in mind, your personal safety comes first. Make sure that you are in a safe environment and that there are no safety concerns or threats present prior to beginning any of following recommendations.

The first step to protect the evidence is to make sure the employee and any other unauthorized users cannot access the device. Access to the machine can be gained physically or remotely, therefore ensuring the computer or mobile device is in a secure location and has no network connectivity. WiFi and Ethernet connectivity are the obvious choices for connectivity however the really clever person could use Bluetooth to access the machine remotely if they can get within range so be sure to turn all network connectivity options off.

Now that the device has been isolated the preservation process continues by protecting the contents of the hard drive. If the hard drive is an SSD the drive is constantly being overwritten through the garbage collection and TRIM processes. These processes create their own set of challenges and the longer the machine is left up and running, the more data will be deleted. To protect the data, shut the computer down as soon as possible. Shutting the computer off safely is best accomplished by doing a hard shutdown. A hard shutdown is completed by holding in the power button until the computer shuts down. A hard shutdown is the preferred method because if the user has installed a malicious program, the hard shutdown will not allow the program to run. If the hard drive is encrypted please be sure to include the key to prevent delays in the processing of the hard drive.

If you are securing a mobile device, power it down safely. Unlike a computer, the mobile device will be shut down through the Operating System. If the device is password protected be sure to include the password with the submission to prevent possible delay in the processing of the item.

Preserving the evidence is the most important part of Computer Forensics. Maintaining the integrity of the evidence is paramount. To preserve the evidence it must be isolated and secured. Removing the device from all networks will prevent access and malicious data destruction. Shutting the computer down will ensure that the device is not overwriting data.

This is intended for best practices for safe preservation of evidence for submission, not all cases or scenarios can be preplanned. If you are in a situation where you are unsure in the best method to preserve the evidence for analysis, do not hesitate to contact us at (800) 288-1407 and we will attempt to assist.