As an investigator, you surely know that the preservation of digital evidence for courtroom use is one of the key phases of digital forensics. Before video and image authentication, this phase requires you to store the digital evidence securely until the need to use it arises.
But what are the most effective ways to go about preserving digital evidence? You’ll find out as you read this blog further.
1. Digital evidence – imaging
As earlier mentioned, video analysis and image authentication are essential processes you need to perform after acquiring your digital evidence. But before you go into these processes, you need to make sure the original evidence is secured.
By storing the digital evidence securely, how then will you be able to analyze and perform image authentication? Here’s where the need to first image the evidence comes into play.
If the digital evidence is stored in a drive, you need to image the drive by creating a bit-for-bit duplicate of the drive. Image enhancement, video enhancement, image authentication, and other analysis that you have can follow thereafter. With a bit-for-bit duplicate of the drive, you will be able to keep the original evidence safe and secure, as you work on analyzing the image version.
Bottom line: the standard rule forbids investigators to perform analysis on the original digital evidence. This explains why you need to image the original evidence and use its duplicate version for any form of analysis you’re looking to perform.
2. Generation of hash values
By definition, hash values are specific number strings that are usually generated through an algorithm. These number strings are often associated with duplicate files.
Let’s assume you’ve just generated the bit-for-bit duplicate of the drive containing the original digital evidence for analysis and image authentication. So what next?
Well, the drive imaging process will help you generate some cryptographic hash values. With these hash values, you’ll be able to perform video & image authentication and verify the integrity of the digital evidence while working with the duplicate file.
Today, the best image authentication and video enhancement software are what you need to achieve the right hash values. Cognitech Video Investigator 64 features a hash tool, which will allow you to better verify the authenticity and integrity of your digital evidence. The hash values should match the expected values for the video evidence to be accepted for courtroom use.
3. Chain of custody
By definition, “Chain of Custody or (CoC)” in computer forensics is a process that allows you to keep track of the movement of digital evidence. It often starts from when the evidence was acquired from the client and moves to how the digital evidence was securely stored. The last part that CoC covers is the analysis and image authentication process.
Chain of Custody should be designed to document everybody that handled the digital evidence. This should also include the date and time of transfer of the evidence from one person to another. That’s not all; CoC should also include the purpose of the transfer of the evidence.
