
Why is it important to process digital evidence properly while conducting an investigation?
The field of computer forensics investigation is growing, especially as law
enforcement and legal entities realize just how valuable information technology (IT)
professionals are when it comes to investigative procedures. With the advent of
cybercrime, tracking malicious online activity has become crucial for protecting
private citizens, as well as preserving online operations in public safety, national
security, government and law enforcement. Tracking digital activity allows
investigators to connect cyber communications and digitally stored information to
physical evidence of criminal activity; computer forensics also allows investigators to
uncover premeditated criminal intent and may aid in the prevention of future
cybercrimes.

Whether related to malicious cyber activity, criminal conspiracy or the intent to
commit a crime, digital evidence can be delicate and highly sensitive. Cybersecurity
professionals understand the value of this information and respect the fact that it can
be easily compromised if not properly handled and protected. For this reason, it is
critical to establish and follow strict guidelines and procedures for every activity related to
a computer forensic investigation.

In addition to establishing strict procedures for forensic processes, cybersecurity
divisions must also set forth rules of governance for all other digital activities within
an organization. This is essential to protecting the data infrastructure of law
enforcement agencies as well as other organizations.

Digital evidence is volatile and fragile, and improper handling can alter it.
Because of this volatility and fragility, protocols must be followed to ensure
that data is not modified at any point in its handling (i.e., during access, collection,
packaging, transfer, and storage).

Evidence handling has four primary areas in any incident response activity. These
areas are:

1. Collection: searching for, recognizing and collecting the items of evidence, and
documenting each one. Always ensure the collection includes all of the available data and
resources, such as the whole disk drive (including unallocated space), not just the used portions. Always
document the place, time, and circumstances of each data item collected for
evidence. The cybercrime crime scene also includes the digital devices that
potentially hold digital evidence, and spans multiple digital devices, systems,
and servers. The crime scene is secured as soon as a cybercrime is observed,
reported, and/or suspected.
2. Hardware evidence examination: establishing the origins, significance,
and visibility of evidence; this step often reveals hidden or obscured information and
documentation about the evidence. Dimensions, styles, sizes, capacities, serial numbers and
manufacturers of hard drives, other devices, or network items are all important
evidence items and should be recorded.
3. Software and network evidence analysis: the logs, records and software evidence
are actually examined in the context of the incident, which provides
the criteria for inclusion and establishes the probative value of the evidence.
Always conduct this software and network analysis and interpretation
separately from the hardware evidence examination, and always work on a verified copy rather than the original media.
4. Evidence reporting: the processes and procedures followed must be outlined
and explained in detail in written reports. Pertinent facts and the
data recovered are the primary content of the reports. Understand that the
documentation and reports will always be reviewed, critiqued, and may
even be cross-examined.

Processing digital evidence properly means following these handling protocols:

a. Handling of Digital Evidence: Digital evidence is volatile and fragile, and
improper handling can alter it. Handling protocols delineate the
steps to be followed when working with digital evidence. There are four phases
involved in the initial handling of digital evidence: identification, collection,
acquisition, and preservation.
b. Identification: In the identification phase, preliminary information is obtained
about the cybercrime case prior to collecting digital evidence. This preliminary
information is similar to that which is sought during a traditional criminal
investigation. In the identification phase, cybercrime investigators use many
traditional investigative techniques, especially with respect to information and
evidence gathering. For example, victims, witnesses, and suspects of a
cybercrime are interviewed to gather information and evidence of the
cybercrime under investigation.
c. Collection: With respect to cybercrime, the crime scene is not limited to the
physical location of the digital devices used in the commission of the cybercrime
and/or that were the target of the cybercrime. It extends to every device, system
and server that may hold digital evidence, and all of these should be secured as
soon as the cybercrime is observed, reported, and/or suspected.
d. Acquisition: Different approaches to performing acquisition exist. The
approach taken depends on the type of digital device. For example, the
procedure for acquiring evidence from a computer hard drive is different from
the procedure required to obtain digital evidence from mobile devices, such as
smartphones. At the forensics laboratory, digital evidence should be acquired
in a manner that preserves the integrity of the evidence (i.e., ensuring that the
data is unaltered); that is, in a forensically sound manner, typically by imaging
the source through a write blocker and recording a cryptographic hash of the resulting image.
e. Preservation: Evidence preservation seeks to protect digital evidence from
modification. The integrity of digital evidence should be maintained in each
phase of its handling. First responders, investigators,
crime scene technicians, and/or digital forensics experts must demonstrate,
wherever possible, that digital evidence was not modified during the
identification, collection, and acquisition phases, usually by re-computing the
hash recorded at acquisition and keeping a documented chain of custody; the ability to do so, of course,
depends on the digital device (e.g., computer or mobile phone) and the
circumstances encountered (e.g., the need to quickly preserve data).
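The acquisition and preservation phases above both rest on one concrete check: hash the image at acquisition, record who had it and when, and re-hash it before every later step so any alteration is detected. The following script is an added example, not code from the original page or from any forensic tool. It works on a constructed sample image written to a temporary directory; the record field names (`evidence_item`, `acquired_by`, `custody`) and the examiner names are hypothetical.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def make_sample_image(path, size=1024 * 1024, seed=b"sample-evidence"):
    """Write a constructed 1 MiB pseudo-random image standing in for a full
    device acquisition. Hypothetical data, not from any real case."""
    block = hashlib.sha256(seed).digest()
    with open(path, "wb") as f:
        written = 0
        while written < size:
            block = hashlib.sha256(block).digest()
            f.write(block)
            written += len(block)


def hash_image(path, chunk_size=1024 * 1024):
    """Stream the image through MD5 and SHA-256 so images larger than memory
    can be hashed. Two algorithms are recorded because acquisition tools
    commonly report both and a mismatch on either is enough to flag the item."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(image_path, examiner, source_desc):
    """Custody record written at acquisition time: what, who, when, size and
    hashes. Field names are illustrative."""
    return {
        "evidence_item": os.path.basename(image_path),
        "source": source_desc,
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_image(image_path),
        "custody": [],
    }


def verify_integrity(image_path, record):
    """Re-hash the image and compare each value against the record."""
    current = hash_image(image_path)
    return {
        "size_ok": os.path.getsize(image_path) == record["size_bytes"],
        "md5_ok": current["md5"] == record["hashes"]["md5"],
        "sha256_ok": current["sha256"] == record["hashes"]["sha256"],
    }


def intact(result):
    return all(result.values())


def log_transfer(record, from_person, to_person, image_path):
    """Append a hand-off entry; the receiver re-verifies before accepting.
    Returns True only if the image still matches the acquisition hashes."""
    ok = intact(verify_integrity(image_path, record))
    record["custody"].append({
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
        "verified": ok,
    })
    return ok


def demo():
    """Acquire, verify, hand off, then simulate careless handling (one byte
    changed, size unchanged) and show the next verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "item-001.dd")
        make_sample_image(img)
        rec = record_acquisition(img, "examiner-1", "constructed sample, no real device")
        before = verify_integrity(img, rec)
        handoff_ok = log_transfer(rec, "examiner-1", "analyst-2", img)
        with open(img, "r+b") as f:          # image opened read-write: the mistake
            f.seek(1234)
            b = f.read(1)
            f.seek(1234)
            f.write(bytes([b[0] ^ 0x01]))
        after = verify_integrity(img, rec)
        handoff_after = log_transfer(rec, "analyst-2", "examiner-1", img)
        return rec, before, handoff_ok, after, handoff_after


if __name__ == "__main__":
    rec, before, ok1, after, ok2 = demo()
    print("before:", before, ok1)
    print("after: ", after, ok2)
```

The size check is deliberately kept alongside the hashes: a single flipped byte leaves the size unchanged, so only the hash comparison reveals it, which is why a custody log that records sizes alone proves nothing about integrity.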
