M3 - Digital Evidence
Class: CYBR-405
Notes:
Digital Evidence
Starting a Digital Forensic Examination
Evidence gathering cannot begin until the system has been secured. The next section addresses what "securing the system" requires and the other preparations to make before acquisition. The evidence must then be secured for transport to the lab, and an accurate chain of custody must document every step of its collection and handling.
At the beginning of any digital forensic examination, the proper legal authority needs to be established to authorize the collection or seizure of any digital device or media to be examined. This will require securing a search warrant, consent of the user, implied consent in the case of company owned systems, etc. Additionally, the scope or limits of the examination must be identified.
Evidence Preservation
Evidence preservation is the process of seizing suspect property without altering or changing the contents of data that reside on devices and removable media.
Preservation involves searching, recognizing, documenting, and collecting electronic-based evidence. In order to use evidence successfully, whether in a court of law or a less formal proceeding, it must be preserved. Failure to preserve evidence in its original state could jeopardize an entire investigation, potentially losing valuable case-related information.
Securing a Running System for Transport
A full memory (RAM) capture should be acquired first, while the system is still running; the contents of memory are lost the moment power is removed.
Disconnect any network cabling (and disable wireless interfaces) to prevent further communication over the network, such as a remote wipe or an intruder cleaning up.
Powering down a suspect's computer loses the contents of memory, can leave an encrypted volume inaccessible, and a normal shutdown writes to the disk and may damage operating-system state. After the memory capture, prefer a controlled shutdown; pull the power cord immediately only when there is reason to suspect that:
- A suspect is destroying evidence.
- Someone is manipulating data from an outside source (through a network or a wireless connection).
- A rogue process will be started upon normal system shutdown.
Acquiring Forensic Images of the Evidence
Acquiring evidence in digital forensics is the act of creating a bit-for-bit copy, or image, of the data stored on the device or media. The source should be hashed before imaging and the resulting image hashed afterwards (with at least one current algorithm such as SHA-256 alongside any MD5/SHA-1 value); matching values show that the imaging process did not change the data and give a reference point for any future examination of the copy.
Full Disk Image
This provides the most complete copy of the storage device and is sufficient to fully reconstruct the disk. The challenge is size: the image needs as much space as the source disk, which can make it hard to store, manipulate, and transfer, and the imaging process can take hours depending on disk size. A full disk image automatically captures the partition table (MBR or GPT), unallocated space, file slack, partition slack, and disk slack. Imaging tools can usually split the image file into segments of a manageable size; the hash recorded is still that of the whole disk, not of each segment. The image should be accompanied by a hash calculation of the disk being imaged to establish the integrity of the evidence.
Logical File System Image
A partial image may include a single disk partition or just a set of files or folders on the device. Logical imaging does not collect the MBR, partition slack, or disk slack. Therefore, file carving for deleted data will not be possible from a logical acquisition. The advantage of acquiring a logical image is it can save a tremendous amount of time compared to full disk imaging. The logical image file will also be considerably smaller in size compared to a full disk image. The logical image should involve a hash calculation of the set of files or data being imaged to ensure the integrity of the evidence.
Write-Blocking and Digital Evidence Acquisition
Gathering evidence from storage devices, in most instances, must be done without disturbing, making changes to, or contaminating the evidence.
For instance, conducting a hard drive defragmentation can wipe out the file slack or unused data that could be valuable to the case. Simply turning on a computer can even modify system files that would be helpful to an investigation. As a result, forensic examiners should carry "write-blockers" to prevent updates to the evidence during the evidence-gathering phase.
The most common forensic write-blockers are hardware devices placed between the evidence drive and the workstation: they pass read commands through and physically block write commands from reaching the storage device. Software write-blockers, implemented as an application or a registry setting (on Windows, the StorageDevicePolicies WriteProtect value marks USB mass-storage devices read-only), rely on the operating system honoring the block, so they should be tested and validated like any other forensic tool before use.
Live Acquisition of Digital Evidence
In certain cases, the forensic acquisition of evidence from a digital storage device may only be done with the evidence device powered on and booted. This is referred to as a live acquisition. In such cases, the examiner should take detailed notes and photographs documenting each step of any interaction with the file system of the evidence. This way, expected changes to the evidence can be documented.
Examples of when a live acquisition is necessary include a memory image capture from a running computer system, computers with encrypted file systems that are found in a running and decrypted state where the credentials to decrypt the drive are not available, and collecting evidence images from running network servers that cannot be readily powered off. Collecting extractions of a mobile device will always require interaction with the device's operating system by the forensic tool.
Collecting Evidence
Selecting Digital Forensic Software Tools
Selecting the appropriate software tool is an important aspect of acquiring digital evidence. All software and hardware used to support digital forensics examinations need to be tested, verified and validated. Verification and validation are the process of checking that a software system meets specifications and that it fulfills its intended purpose.
In order to ensure forensic tools have been verified and validated, the following procedures should be employed:
- Review the list of tested tools published by the Computer Forensics Tool Testing (CFTT) project, created by the National Institute of Standards and Technology (NIST) to manage research on computer forensics tools. The site includes a search tool that allows you to search by functionality, host OS, and supported software.
- Establish an internal tool testing process in order to certify that all software used in a given lab meets design requirements - including major new releases of a given forensic tool.
- Determine if the tool has been accepted by the digital forensics community.
COTS VS Open-Source
There are two categories of software tools: commercial off-the-shelf tools and open-source tools. Both are equally acceptable for use in a digital forensic examination as long as any tool being used has been tested, verified, and validated. Most organizations use a hybrid approach and have both COTS and open-source tools that are used based on the task. Some practitioners develop their own tools as well.
Commercial Off-the-Shelf (COTS)
COTS tools generally have a proven track record, are accepted by the courts, are typically backed by a robust technical support staff, and most publishers offer certification programs that allow the practitioner to demonstrate competence with a particular tool.
The downsides of COTS software are the high cost of licensing fees and the unavailability of the source code for independent peer review.
Open Source
Open-source software authors make the source code for the programs available for independent testing and review.
The software is typically free of charge, making it an ideal solution for many budget-conscious organizations. Open-source tools are easier to validate for forensic purposes: if you can read the source code, you can assess what the tool is doing more accurately than by relying entirely on testing the tool's output.
A disadvantage is that the tool may come with limited or no customer support. Also, having the source code published can lead to vulnerabilities being identified by cybercriminals.
Automated Forensics Software
Many forensic investigators and testers constantly use, test, and review these software technologies. Government agencies such as the National Institute of Standards and Technology (NIST) and the U.S. Department of Homeland Security (DHS) also test and certify these technologies.
Solid-State Media
Compared to the forensic acquisition from hard disk drives featuring spinning magnetic platters, the acquisition of evidence from SSDs poses unique challenges that forensic examiners need to be aware of.
Solid-state storage media stores data in blocks made up of pages. Pages can only be written to a block that has been erased, and erasure happens at block granularity, so overwriting a page requires the whole block to be erased first. Each block tolerates only a limited number of program/erase (P/E) cycles before it can no longer be used.
Wear Leveling
Wear leveling is designed to extend the longevity of solid-state (flash) storage devices. Older SLC and MLC flash was typically rated between 10,000 and 100,000 program/erase cycles; denser TLC and QLC parts are rated for far fewer. Wear leveling is managed by the onboard controller rather than the operating system. The controller applies an algorithm to choose which physical block receives new data so that program/erase cycles are evenly distributed across all blocks on the chips, preventing premature drive failure. A consequence for the examiner is that the logical block addresses the operating system sees do not map to fixed physical locations.
TRIM
TRIM is a technology implemented by modern operating systems that allows for the OS to communicate to the SSD controller which blocks are no longer needed due to data having been deleted that is stored in that block. This allows for the garbage collection process to skip the old data instead of retaining it. TRIM allows for much more efficient data management for the SSD device. TRIM is typically not implemented by the operating system in RAID (Redundant Array of Independent Disks) arrays that use SSDs.
Garbage Collection
Garbage collection frees up old pages of data within the blocks and also preserves updated pages. Pages that are to be kept are first written to another available block, and the old pages that are no longer needed (or garbage) are discarded. This results in the newly written blocks storing only current pages of data and the previously used block being erased and ready for new data. Garbage collection is implemented with wear leveling.
Self-Corrosion
TRIM and garbage collection can cause two forensic acquisitions of the same SSD to produce different hash values even though the user's data has not changed, because the controller keeps rearranging and erasing blocks on its own. Recovering deleted data from SSDs is also problematic: once the SSD is connected to the examiner's workstation (even through a write-blocker), garbage collection continues inside the drive and the data may be lost for good. Forensic examiners must retain evidence for many years, and flash is not an ideal medium for that either. Flash stores data as electrical charge trapped in each cell, and that charge leaks away naturally over a period of years, eventually leaving effectively blank media and lost evidence.
Reliable Data Storage: RAID
Redundant Array of Independent Disks (RAID) is a storage virtualization technology that combines multiple physical drives into a single logical volume. RAID is implemented for one or more benefits: capacity, read speed, write speed, and redundancy (reliability).
Within a RAID setup, data is written to the drives in one of several methods depending on the RAID level employed.
Go to Data Redundancy to see the RAID levels.
Network Storage Clusters
This form of storage cluster is physically separated from the computer using the disk media and can be implemented on one or more computers. These computers are frequently highly specialized storage devices with proprietary innovations implemented to boost performance, reliability, or capacity.
The focus of network storage clusters is generally on communication protocols required to get data to and from the cluster members.
Connect over Standard Networks
This method is cheaper and is used where cost is a barrier to more advanced solutions. This type of connection performs at much slower speeds than are frequently found with dedicated, specialized networks. Because cost is generally the barrier, the actual storage devices are generally low-cost, off-the-shelf products which can vary greatly in make, model, and size.
Connect Over Dedicated, Specialized Networks
This method can be very costly, but is ideal to achieve the best speed, capacity, and high availability. The physical storage device is often highly specialized equipment that requires specialized expertise to access and configure.
Network Storage Cluster Examples
Network storage differs from locally attached media in that multiple servers can independently access the same storage. This creates several challenges for the forensic examiner. Network storage clusters are generally very large, so imaging the whole cluster is usually not an option. Even if enough storage space were available, preventing contamination from other computers writing to the storage during acquisition would be difficult. It is often more practical to target the data of value for acquisition rather than the entire cluster.
Network Attached Storage (NAS)
A NAS device may serve multiple servers and users over a LAN or WAN connection. Using a file-based protocol (such as SMB or NFS), clients request from the NAS a portion of an abstract file rather than a disk block.
Storage Area Network (SAN)
A SAN is an "inner network" of remotely connected, block-level storage devices (disk arrays, tape libraries, optical jukeboxes) that makes those devices appear as locally attached disks to a server's operating system.
Mobile Device Forensics and Write-Blockers
Any forensic acquisition of evidence from a mobile device will require interaction between the forensic tool and the mobile device's operating system. This will, by definition, cause some system files to change and timestamps to be set during the process.
Thorough documentation by the forensic examiner should include all interactions with the device during the acquisition process.
There is no use for a write-blocker when extracting data from a mobile device. Only the imaging of external media connected to a mobile device, such as SD cards, will benefit from a write-blocker to avoid altering the data on such removable media.
Acquisition tools (e.g., Cellebrite) are designed to minimize the changes made to an item of evidence during acquisition, and their vendors can be asked to document the nature of the changes that are made. Such tools should be used in preference to pulling data from a mobile device over standard consumer connections and software.
Steps for Collecting Evidence from Mobile Devices
Regardless of what process will be used to extract data from a given mobile device, the forensic examiner must follow several important steps in the collection process.
- If the device is off when recovered, keep it off.
- If the device is on when recovered, keep it on. If the device is on, maintain the battery life (connect an external battery supply).
- If the device is unlocked, disable the PIN/screen lock (or extend the auto-lock timeout) so that it does not lock while in custody.
- If the device is on and unlocked, place it in Airplane Mode and disable Wi-Fi and Bluetooth. A user can issue a remote-wipe command by logging into a remote-management service (for example Find My or Find My Device). Once the device makes a network connection, it will be directed to discard its encryption keys, making all stored content immediately and permanently inaccessible.
- Place in a shielded container (Faraday bag). Faraday bags are specialized enclosures designed to block signals, both incoming and outgoing.
- If the device is powered off or locked, ask the user for the passcode for the device. Keep in mind that repeated attempts to brute-force the passcode on a device could result in the device resetting itself, meaning all data will be permanently lost.
Mobile Device Forensic Collection Types
The collection of data from a mobile device can be categorized as one of three types
Physical Acquisition
A bit-for-bit copy of some portion of the mobile device. Often, a physical acquisition may not be possible on a particular device due to file system encryption. In such cases, it may be possible to obtain a logical or a file system acquisition.
Logical Acquisition
A copy of certain user data as presented by the device's operating system that does not include any unallocated or slack space. An example would be all SMS text messages from a device or the contents of the Camera Roll containing the pictures.
File System Acquisition
A copy of the file structure from the device, including directories and files. No unallocated space or slack space will be included.
Challenges Involving iOS Evidence Acquisition
The iOS mobile operating system is a proprietary platform developed by Apple for use in Apple devices. Applications are installed only from Apple's App Store, and iOS updates are delivered over the air or through iTunes/Finder. Major iOS updates are released at least every year, and the changes in new releases often break current forensic tool capabilities, requiring developers to constantly update their tools to keep up.
Default encryption prevents access to a device running a current version of iOS unless the device is unlocked or the passcode is known. Since iOS 11, the passcode must be entered to establish a trust relationship with an attached computer, so even with an unlocked device the passcode is needed to create an iTunes-style backup extraction. In earlier versions, establishing a trusted relationship only required confirming the "Trust this computer?" prompt on the device screen.
Because file-system encryption has been implemented since early versions of iOS, a physical acquisition is generally not possible. In most cases, data must be acquired through an Apple iCloud backup or a local (iTunes/Finder) backup.
To accomplish an iCloud backup, the user's iCloud credentials will be needed (assuming that the necessary 4th Amendment legal challenges have been met). Further investigative techniques such as subpoenas and search warrants on the cloud provider may be necessary to gather this information.
Establishing a trust relationship between an iOS device and a computer is necessary so that a logical acquisition of the device can be made. Without pairing the device to the computer, the forensic examiner will be unable to make a local backup of the device.
One option formerly used by a forensic examiner to access data on an iOS device was through the use of pairing records retrieved from trusted computers that the iOS device may have been paired with. The pairing records allowed accessing the data in the device without unlocking it with a passcode, fingerprint, or trusted face. These pairing records had no expiration time limitations. However, with iOS 11.3, Apple introduced expiration times for the pairing records. As a result, the pairing records cannot be used past a week.
As a result, it is imperative that the acquisition of any iOS device be accomplished immediately upon seizure.
Jailbroken iPhones
iPhone owners can install an altered version of the iOS operating system, a process known as jailbreaking. With a jailbroken iOS device, the operating system software is modified to remove the restrictions and limitations set by Apple.
Jailbreaking gives the user root access to the device so that applications not offered through the App Store can be installed. For the examiner, a jailbroken device makes it possible to access the phone's internal storage and browse the entire filesystem, but the modifications may also affect efforts to acquire data from the device.
If you encounter a jailbroken iPhone there is a likelihood that the device has been modified to run non-Apple provided applications.
Mobile device forensic tools, such as Magnet ACQUIRE or Cellebrite UFED Physical Analyzer, can recover a full logical file system dump from jailbroken iPhones. This extraction will include all the files, folders, user data, and native data.
A forensic solution to acquire data from an iPhone may only be to jailbreak the device. This should only be attempted by a forensic examiner with adequate training and experience in such tasks as the device could easily be rendered useless by the process.
Acquiring Evidence from Android Devices
Applications are made available through the open-market Google Play or 3rd party app stores and can be created by anyone. As a result, Android applications are more likely to contain adware, malware, or other malicious code.
Each of these applications can store user data and settings in one of four locations: on the local device, on an attached SD card, in one or more cloud storage locations (e.g., Google Drive backups), or with a third-party online service.
Unique to Google is the very frequent dependence an Android user will have on Google products and services. Most Android versions will require the use of a Google account in order for the free applications to function properly. Consequently, most of the information to be found on an Android device will become a matter of deciphering which Google Application was being used and what Google account credentials are needed.
An Android application is distributed as a single Android Package (APK) file, which is a ZIP archive. Renaming the exported APK with a .zip extension (or opening it directly) lets 7-Zip or WinZip extract its contents for review: AndroidManifest.xml (in binary XML form), compiled code in classes.dex, compiled resources in resources.arsc, an assets folder, and the META-INF signature files. The application's user data is not inside the APK; it lives in the app's private data directory on the device, typically as SQLite databases, XML shared-preference files, and JSON.
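As an added example (not from the course notes or from any vendor tool), the following Python opens an APK as the ZIP archive it is, inventories its entries, and recomputes the per-file digests recorded in META-INF/MANIFEST.MF, which is the first step of v1 (JAR) signature verification and a quick way to spot an entry modified after signing. The sample APK is constructed in memory and is unsigned, so no CERT.SF/CERT.RSA files are present; a full check would also verify the .SF file's signature and, on modern APKs, the v2/v3 APK Signing Block, neither of which this covers.

```python
"""Inventory an APK (a ZIP archive) and check its v1 (JAR) manifest digests."""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Parse META-INF/MANIFEST.MF into {entry name: {attribute: value}}.

    Sections are separated by blank lines; lines longer than 72 bytes are continued
    on the next line with a single leading space, which is joined back here.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    # The first section (Manifest-Version, Created-By) has no Name and is dropped
    return {s["Name"]: s for s in sections if "Name" in s}


def verify_manifest_digests(apk_bytes: bytes) -> Dict[str, bool]:
    """For every entry listed in MANIFEST.MF, recompute its digest and compare."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        results = {}
        for name, attrs in manifest.items():
            algo = "sha256" if "SHA-256-Digest" in attrs else "sha1"
            expected = attrs.get("SHA-256-Digest") or attrs.get("SHA1-Digest")
            actual = base64.b64encode(hashlib.new(algo, z.read(name)).digest()).decode()
            results[name] = actual == expected
        return results


def inventory(apk_bytes: bytes) -> Dict[str, object]:
    """List the archive entries and note whether code and signature files are present."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
    return {
        "entries": names,
        "signature_files": [n for n in names
                            if n.startswith("META-INF/") and n.endswith(SIGNATURE_SUFFIXES)],
        "has_dex": any(n.endswith(".dex") for n in names),
    }


def build_sample_apk(tamper: bool = False) -> bytes:
    """Construct a minimal APK-shaped ZIP with a correct MANIFEST.MF (constructed; unsigned)."""
    files = {
        "AndroidManifest.xml": b"\x03\x00\x08\x00" + b"\x00" * 12,  # binary-XML-like header
        "classes.dex": b"dex\n035\x00" + b"\x00" * 24,
        "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 8,
    }
    manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
    for name, content in files.items():
        digest = base64.b64encode(hashlib.sha256(content).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    if tamper:  # simulate code modified after the manifest was written
        files["classes.dex"] = files["classes.dex"] + b"\x90"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()
```

A digest mismatch for a single entry is exactly what a repackaged (trojanized) APK looks like when the attacker forgot, or was unable, to re-sign it; a clean result only means the manifest agrees with the contents, not that the signer is who the package claims.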
Partitions
There are multiple partitions on an Android device that can be of interest to forensic investigators. Each is mounted at a mount point under the root directory, which is displayed as "/":
- /cache (backup, lost+found and recovery folders)
- /data (user and application data)
- /dbdata (user and application data)
- /emmc (camera picture/video storage)
- /sdcard (external SD card, camera picture/video storage)
- /userdata (user created data and application information)
Android Debug Bridge (ADB)
To perform a logical acquisition of data from an Android device, the forensic examiner will typically use the ADB backup command (e.g., adb backup -apk -shared -all -f backup.ab). This generates a logical backup of the data on the device; the device must be unlocked and the user must confirm the backup on screen, applications that set allowBackup="false" are excluded, and adb backup is deprecated in recent Android versions, so coverage varies by device and app. The resulting .ab file wraps a tar archive, and a number of commercial and open-source forensic tools, such as Android Backup Extractor, can be used to unpack and parse it.
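The following Python, added here as an illustration rather than taken from the notes or from Android Backup Extractor, shows what that tool does with an unencrypted .ab file: it reads the four-line header (magic, version, compressed flag, encryption mode), inflates the zlib-wrapped payload and lists the tar archive it contains. The sample backup is constructed in memory with the apps/<package>/... and shared/0/... layout that adb backup produces; the package name and file contents are invented.

```python
"""Parse an Android `adb backup` (.ab) file into the tar archive it wraps."""
import io
import tarfile
import zlib
from typing import Dict, List, Tuple

MAGIC = b"ANDROID BACKUP"


def parse_ab(data: bytes) -> Dict[str, object]:
    """Split an .ab file into its header fields and the tar payload.

    Header layout: magic, format version, compressed flag ("1"/"0") and encryption
    ("none" or "AES-256"), each newline-terminated; the payload follows immediately.
    A compressed payload is a zlib stream (Java's Deflater default) wrapping a tar.
    """
    parts = data.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    _, version, compressed, encryption, payload = parts
    encryption = encryption.decode("ascii")
    if encryption != "none":
        # Encrypted backups carry extra header lines (salts, PBKDF2 round count, IV and
        # the wrapped master key) and need the user's password; out of scope here.
        raise NotImplementedError(f"encrypted backup ({encryption}); password required")
    is_compressed = compressed == b"1"
    tar_bytes = zlib.decompress(payload) if is_compressed else payload
    return {"version": int(version), "compressed": is_compressed,
            "encryption": encryption, "tar": tar_bytes}


def list_entries(tar_bytes: bytes) -> List[Tuple[str, int]]:
    """Return (path, size) for every regular file in the inner tar, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [(m.name, m.size) for m in tar.getmembers() if m.isfile()]


def read_entry(tar_bytes: bytes, name: str) -> bytes:
    """Extract one member (e.g. an app's SQLite database) from the inner tar."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.extractfile(name).read()


def build_sample_ab(compressed: bool = True, encryption: str = "none") -> bytes:
    """Construct a small .ab file in the layout adb backup uses (constructed sample data)."""
    files = {
        "apps/com.example.notes/_manifest": b"com.example.notes\n7\n",
        "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00" + b"\x00" * 32,
        "apps/com.example.notes/sp/settings.xml":
            b'<map><string name="user">alice</string></map>',
        "shared/0/DCIM/Camera/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    header = b"\n".join([MAGIC, b"5", b"1" if compressed else b"0", encryption.encode()]) + b"\n"
    return header + payload
```

Once the tar is out, the db/ and sp/ directories under each package are the SQLite databases and shared-preference XML files that the rest of the examination parses; hash the .ab file and the extracted tar before opening anything, as with any other image.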
Validating Evidence
Validating Evidence
Validating evidence, i.e., determining whether it was collected correctly and has not changed since, is done with hash functions such as MD5, SHA-1, or SHA-256. A hash function produces a fixed-length string from a mathematical calculation over the binary data; changing a single bit of the input produces a different result, so two identical hash values indicate that the contents are identical. MD5 and SHA-1 are still found in older acquisition logs, but collisions for both are practical today, so a SHA-256 value should be recorded as well and treated as the authoritative one.
[Figure: excerpt from an FTK Imager acquisition log; image not preserved in these notes]
- The excerpt from the acquisition log created by FTK Imager shows that the computed hashes of the image and of the source evidence match, i.e., the image and the source are identical. FTK Imager can verify the same image file in the future to confirm the data has not changed.
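Added example, not part of the notes or of FTK Imager: the Python below hashes a raw image with MD5, SHA-1 and SHA-256 in a single pass, treats a split image (evidence.001, evidence.002, ...) as one stream so the result matches the hash of the whole source disk, and compares the result with the values recorded at acquisition. The sample segments are constructed in a temporary directory; the file names and the tampering step are invented for the demonstration.

```python
"""Hash-verify a raw forensic image, including images split into numbered segments."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")   # MD5/SHA-1 to match older logs; SHA-256 is the one to trust
CHUNK_SIZE = 1024 * 1024                   # 1 MiB reads so a multi-terabyte image never sits in RAM


def iter_segments(first_segment: Path) -> Iterator[Path]:
    """Yield the segments of a split raw image (evidence.001, evidence.002, ...) in order.

    A single-file image (evidence.dd) is yielded as-is.
    """
    suffix = first_segment.suffix.lstrip(".")
    if not suffix.isdigit():
        yield first_segment
        return
    width, number = len(suffix), int(suffix)
    while True:
        segment = first_segment.with_suffix(f".{number:0{width}d}")
        if not segment.exists():
            return
        yield segment
        number += 1


def hash_image(first_segment, algorithms=ALGORITHMS) -> Tuple[int, Dict[str, str]]:
    """Hash the concatenated segments as one stream; returns (byte count, {algo: hexdigest}).

    The value in an acquisition log is the hash of the whole disk, so the segments
    must be fed into the same hasher back to back, not hashed individually.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    for segment in iter_segments(Path(first_segment)):
        with open(segment, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
                for h in hashers.values():
                    h.update(chunk)
                total += len(chunk)
    return total, {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(first_segment, expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare the image's hashes with the values recorded at acquisition (case-insensitive)."""
    _, actual = hash_image(first_segment, tuple(expected))
    return {name: actual[name].lower() == digest.lower() for name, digest in expected.items()}


def demo() -> Dict[str, object]:
    """Constructed scenario: a 3 MiB 'disk' acquired into three 1 MiB segments, then tampered."""
    disk = bytes(range(256)) * (3 * 1024 * 4)          # 3 MiB of sample data (constructed)
    workdir = Path(tempfile.mkdtemp(prefix="evidence_"))
    for i in range(3):
        (workdir / f"evidence.{i + 1:03d}").write_bytes(disk[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE])
    first = workdir / "evidence.001"
    # Hashes of the source device, as the acquisition log would have recorded them
    log_hashes = {name: hashlib.new(name, disk).hexdigest() for name in ALGORITHMS}
    size, image_hashes = hash_image(first)
    before = verify_image(first, log_hashes)
    # Flip one bit in the middle segment: verification with every algorithm must now fail
    second = workdir / "evidence.002"
    data = bytearray(second.read_bytes())
    data[12345] ^= 0x01
    second.write_bytes(bytes(data))
    after = verify_image(first, log_hashes)
    return {"size": size, "segments": len(list(iter_segments(first))),
            "image_hashes": image_hashes, "log_hashes": log_hashes,
            "verified_before_tamper": before, "verified_after_tamper": after}
```

Re-running verify_image against the hashes in the acquisition log is the check to repeat before each examination of a stored image, and again when it comes back from another examiner.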
Forensic Wiping of Hard Drives
A forensic wipe differs from formatting a hard drive. When you do a quick format under Windows, it only deletes the bookkeeping portion of the file system, the root directory and the file allocation table. The quick format doesn't remove the actual files and these files will remain until they are overwritten by the operating system. This can create an evidence admissibility problem for investigators, so a forensic wipe is always performed on the destination storage media prior to storing evidence on it. Forensic wipe options are usually available options in major forensic software.
Storing Forensic Images of Evidence
Forensic images of evidence are contained files that can be verified through hashing, and extraneous data remaining in unallocated space on the same drive as the forensic images cannot contaminate the integrity of the forensic image files.
Prior to storing evidence on any digital media storage device (old or new), a sterilization process of the media needs to be performed.
Indexing Evidence
Computers are capable of storing huge volumes of information making it difficult for a forensic investigator to find the files they need. Indexing is a method that helps investigators locate and retrieve pieces of information among vast amounts of information.
Once files are indexed and the investigator has narrowed down how large a scope the retrieval of evidence will be, they will have a better idea of what is needed in terms of software or techniques necessary in order to obtain the proper data.
Understanding the search process enables the investigator to successfully recover the evidence needed. Part of this technical understanding is how the tools they use will index the document content, and how documents that can't be indexed will be handled. The indexing process is used to narrow down the search to specific keywords while not altering documents that may be needed for evidence.
Syntax for Searching an Index
The chart below includes syntax for searching an index using the dtSearch tool.
[Chart: dtSearch index search syntax; image not preserved in these notes]
Memory Forensics
Memory Forensics Overview
Memory forensics involves capturing and analyzing volatile memory such as RAM. Data is volatile if it is lost when the machine is rebooted or overwritten during normal operation. Because the contents of memory are always changing, they are harder to predict and to turn into meaningful findings. Retrieving artifacts from volatile memory is a comparatively recent focus for investigators and is considerably more complex than disk analysis, but some artifacts can only be recovered from memory. It is therefore critical that today's forensic investigators keep their knowledge, tools, and techniques for acquiring and analyzing volatile memory up to date.
Software Used to Capture RAM
Virtualization offers one way for examiners to capture RAM for forensic analysis. If the system under examination runs as a VMware virtual machine (or a forensic image has been booted in a virtual environment), suspending or snapshotting the VM writes the guest's memory to a .vmem file, a raw copy of the guest's RAM that memory-analysis tools can read directly, much like a crash dump. Once the .vmem file exists, an investigator can mine it for data. This is particularly helpful in malware or malicious-logon investigations.
Examples of software used to capture RAM from a running system include:
- WinPmem (originally from the Rekall project), FTK Imager's Capture Memory function, Magnet RAM Capture, and DumpIt for Windows
- LiME (Linux Memory Extractor) for Linux
- The hypervisor itself for virtual machines, e.g., VMware ESXi or Workstation snapshots and suspend files (.vmem)
Volatility and Rekall are analysis frameworks for memory images rather than capture tools; they are used on the dump after it has been acquired.
Volatility
Memory analysis is then performed on the captured image to determine which programs were running, details about the operating system, and the overall state of the computer under investigation. Volatility is a tool that has been found to process memory dumps from Windows and Linux systems successfully. It is updated frequently and supports analysis of memory dumps acquired from Windows, macOS, and Linux platforms. Volatility is free and is supported by The Volatility Foundation, an independent 501(c)(3) nonprofit organization.
Obtaining A list of Active Network Connections and Open Sockets From a Memory Dump
Network connection information is one of the most critical pieces of information that can be taken from a computer being investigated. If this information comes from a static analysis of a memory dump, it is even more valuable. Information about network connections, ports being listened to, currently established connections, and local and remote information associated with these connections can all be recovered from memory. When information is pulled directly from a memory dump, using data structures themselves, it's much harder for an intruder to hide a backdoor or connections to their home server.
The information available from network connection data corresponds to what netstat reports on a live system, which Volatility's network plugins (e.g., windows.netscan and windows.netstat in Volatility 3) reconstruct from the kernel structures in the dump:
- Active TCP connections and the TCP and UDP ports on which the computer is listening
- Statistics such as the number of bytes and packets sent and received
- The process ID (PID) and owning process for each connection
- Statistics by protocol
- The contents of the IP routing table
- Live netstat can also redisplay the selected information at a fixed interval; a memory dump, by contrast, is a single point in time, so repeated captures are needed to see change
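As an added example that is neither the notes' nor Volatility's code, the Python below parses output in the tab-separated column layout of Volatility 3's windows.netscan plugin and applies three triage rules: established connections whose owning process is gone (PID 0, no owner), outbound connections to addresses outside the assumed internal ranges on ports other than 80/443, and listeners that are not on a hypothetical baseline of expected ports and processes. The sample rows, addresses and process names are constructed; the internal ranges and the listener baseline are assumptions to tune for the environment being examined.

```python
"""Triage Volatility 3 `windows.netscan` output: flag sockets worth a second look."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the tab-separated column layout of windows.netscan (not a real dump).
SAMPLE_NETSCAN = """Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xe0000a1b2c30\tTCPv4\t10.0.0.5\t49712\t203.0.113.10\t4444\tESTABLISHED\t1337\tsvchost.exe\t2026-01-31 14:36:46.000000
0xe0000a1b2d40\tTCPv4\t0.0.0.0\t445\t0.0.0.0\t0\tLISTENING\t4\tSystem\t2026-01-31 09:00:01.000000
0xe0000a1b2e50\tTCPv4\t10.0.0.5\t50021\t10.0.0.20\t445\tESTABLISHED\t4\tSystem\t2026-01-31 14:20:10.000000
0xe0000a1b2f60\tTCPv4\t0.0.0.0\t31337\t0.0.0.0\t0\tLISTENING\t2288\tupdater.exe\t2026-01-31 14:30:00.000000
0xe0000a1b3070\tUDPv4\t0.0.0.0\t137\t*\t0\t\t1080\tsvchost.exe\t2026-01-31 09:00:02.000000
0xe0000a1b3180\tTCPv4\t10.0.0.5\t49800\t198.51.100.7\t443\tESTABLISHED\t0\t\t2026-01-31 14:35:00.000000
"""

# Ranges treated as "inside the network" (assumption). Listed explicitly because
# ipaddress.is_private also counts the documentation ranges (203.0.113.0/24 etc.) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
# Hypothetical baseline: which process is expected behind each well-known listener.
EXPECTED_LISTENERS = {445: {"System"}, 139: {"System"}, 135: {"svchost.exe"}, 137: {"svchost.exe"}}
COMMON_EGRESS_PORTS = {80, 443}


@dataclass
class Socket:
    offset: str
    proto: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    state: str
    pid: int
    owner: str


def parse_netscan(text: str) -> List[Socket]:
    """Parse the plugin's tab-separated rows (header line skipped) into Socket records."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        f = line.split("\t")
        rows.append(Socket(f[0], f[1], f[2], int(f[3]), f[4], int(f[5]), f[6], int(f[7]), f[8]))
    return rows


def is_internal(addr: str) -> bool:
    """True for addresses inside INTERNAL_NETS; '*' (unconnected UDP) counts as internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def triage(sockets: List[Socket]) -> List[Tuple[str, str]]:
    """Return (offset, reason) for every socket matching one of the three rules."""
    findings = []
    for s in sockets:
        if s.state == "ESTABLISHED" and s.pid == 0 and not s.owner:
            findings.append((s.offset, "orphan socket: owning process exited or is hidden"))
        if (s.state == "ESTABLISHED" and not is_internal(s.foreign_addr)
                and s.foreign_port not in COMMON_EGRESS_PORTS):
            findings.append((s.offset, f"outbound to {s.foreign_addr}:{s.foreign_port} "
                                       f"by {s.owner} (pid {s.pid})"))
        if s.state == "LISTENING":
            expected = EXPECTED_LISTENERS.get(s.local_port)
            unknown_high_port = expected is None and s.local_port >= 1024
            wrong_owner = expected is not None and s.owner not in expected
            if unknown_high_port or wrong_owner:
                findings.append((s.offset, f"unexpected listener on {s.local_port} "
                                           f"by {s.owner} (pid {s.pid})"))
    return findings
```

On real output the flagged offsets are the ones to follow up with the process plugins (pslist/psscan, dlllist, malfind) for the owning PID; the rules are deliberately simple, and a connection from a Windows process name such as svchost.exe to an unusual port is worth a look even when the address is internal.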
Volatile Memory
Volatile memory is the memory hardware that fetches and stores data at high speed. It is also referred to as temporary memory. Data in volatile memory is retained only while the system is powered; once the system is turned off, the contents are lost. RAM (Random Access Memory) and cache memory are common examples of volatile memory. Source: geeksforgeeks
Processes, information about open files and registry handles, network information, passwords and cryptographic keys, content that is encrypted (and thus unavailable) on disk, hidden data, and worms and rootkits written to run solely in memory are all potentially stored in volatile memory.
Attackers have learned they can leverage volatile memory to store data and execute code. It is now more popular than ever for attackers to run exploits from memory rather than storing their malicious code on the hard disk to avoid detection. Most anti-virus software and malware detection tools aren't very good at analyzing volatile memory. Therefore, storing malware in the memory benefits the attackers by making it harder for analysts to recover and reverse-engineer their code.
Analyzing Volatile Memory
This has created the need for investigators to develop their own methodologies for recovering evidence from volatile memory. Since memory can be allocated and deallocated to different areas, depending upon what memory is already being used, it is impossible to predict what you will find in volatile memory or where it will be stored. Virtually every action a user performs on a computer modifies the memory on the machine, which leads to a certain amount of unpredictability in the resulting captures.
Finding User Passwords or Password Hashes in a Memory Dump
Volatile memory analysis can be particularly valuable to an investigator because passwords and cryptographic keys are loaded into and held in memory, and analyzing memory can allow the investigator to recover them. While recovering passwords and keys, an investigator may also come across content that is encrypted on disk; in that case the decrypted content can often be recovered from memory without ever having the key.
When a user accesses an encrypted file, its content is decrypted and loaded into memory, where it may remain even after the suspect has closed the file, as long as nothing else overwrites it. An investigator going through volatile memory may find fragments of files, or entire files, that would otherwise be unrecoverable without the password or key to decrypt the data. Tools for recovering passwords include Passware, Password Recovery Toolkit (PRTK), and ElcomSoft Distributed Password Recovery.
Transporting Evidence
Before Transporting Electronic Evidence
The best evidence is obtained when forensics investigators can access and analyze the device in as close to its original state as possible. The primary challenge with transporting evidence is potential damage to the evidence that occurs when a device changes state from power-on to power-off.
The old rule that computers must be shut down by pulling the power cord is no longer applicable. Should the device have encryption enabled, shutting down the system prematurely may render all data inaccessible.
Before transport, a photograph of all evidence should be taken, and all data ports to the computer device should be taped shut and initialed by the investigator. Each component, cable, and peripheral being collected should be documented by model and serial number, as well as how the devices were connected. If a local wireless access point (AP) was being used, it should be collected as well if the search authorization permits.
Packaging, Transporting, and Storing Computers and Mobile Devices as Evidence
- If at all possible, take no actions to add, modify, or destroy data stored on a computer or other media.
- Avoid high temperatures and humidity, physical shock, static electricity, and magnetic sources.
- Maintain chain of custody of electronic evidence, documenting its packaging, transportation, and storage.
Packing Properties
- Properly document, label, and inventory evidence before packaging.
- Pack magnetic media in anti-static packaging (paper or anti-static plastic bags).
- Avoid folding, bending, or scratching computer media such as diskettes, CD-ROMs, removable media, etc.
- Properly label evidence containers.
Transportation Procedures
- Avoid magnetic sources (e.g., radio transmitters, speaker magnets).
- Avoid conditions of excessive heat, cold, or humidity while in transit.
- Avoid shock and excessive vibrations.
Storage Procedures
- Ensure evidence is inventoried in accordance with authoritative policies.
- Store in a secure area away from temperature and humidity extremes.
- Protect from magnetic sources, moisture, dust, and other harmful particles or contaminants.
Transporting Electronic Evidence
For mobile devices, the power source may be a charger, battery, or peripheral connector such as a USB cable. In these cases, it may be possible to temporarily disconnect power from a local power source and reconnect to power at a later time. Some portable power sources allow such devices to be transported as-is.
Important: As discussed earlier in the module, mobile devices such as laptops, tablets, smart phones, cell phones, etc., must be in a Faraday bag during seizure. They should be transported in a Faraday bag as well to prevent outside transmissions. Many smartphones can have their data destroyed by an external signal. While this feature was created to protect owners' sensitive information on stolen or lost devices, it can work against law enforcement. The owner can initiate a remote wipe of the device by logging into iCloud or Android.com. If the device ever establishes a cellular connection, the command to wipe will be passed to the device. All data will then be lost.
Chain of Custody
As physical evidence is collected, it should be inventoried. The chain of custody will note a description of the evidence, where it was found, and who collected it. All persons who receive the evidence will sign and date the chain of custody. Any break in the chain of custody may place the evidence at risk for challenge in subsequent legal proceedings.
Maintaining the Chain of Custody: Accessing Evidence
Every subsequent access of the evidence will require documentation on the chain of custody that specifies:
- Who accessed the evidence and when
- Why the evidence was accessed (examination, transport, etc.)
- If the evidence changed, document the reason why in a memorandum to file and attach a copy to the chain of custody
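The inventory fields called for before transport (description, where the item was found, who collected it, model and serial number) and the custody rules above (every recipient signs, every access is recorded with who, when and why, and a changed item needs a memorandum) can be kept as one ledger. The following is an added example, not a form from the course or from any agency; every name, serial number and timestamp in it is constructed. It ties each item to a SHA-256 hash of its forensic image taken at collection, re-hashes the image at every hand-over, rejects a transfer that is not released by the current holder (a break in the chain), and rejects a changed hash unless a memo explaining the change is supplied.

```python
"""Chain-of-custody ledger for seized devices.

Added example with constructed data (every name, serial and date is made up);
not a form from any agency or from the course. The hash of the forensic image
is fixed at collection, so any later examiner can show the evidence is unchanged.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional


class ChainBreak(Exception):
    """Raised when a transfer is not released by the person who currently holds the item."""


@dataclass
class CustodyEntry:
    when: str                    # ISO-8601 timestamp, UTC
    released_by: str             # person handing the item over ("collection" for the seizure)
    received_by: str             # person who signs for it
    reason: str                  # examination, transport, storage, ...
    sha256_observed: str         # hash of the image as verified at this hand-over
    memo: Optional[str] = None   # required whenever sha256_observed differs from the original


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    location_found: str
    make_model: str
    serial: str
    sha256_original: str
    custody: List[CustodyEntry] = field(default_factory=list)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(when: Optional[datetime]) -> str:
    return (when or datetime.now(timezone.utc)).isoformat()


def collect(item_id: str, description: str, location_found: str, make_model: str,
            serial: str, collected_by: str, image: bytes,
            when: Optional[datetime] = None) -> EvidenceItem:
    """Create the item and its first custody entry at the point of seizure."""
    digest = sha256_of(image)
    item = EvidenceItem(item_id, description, location_found, make_model, serial, digest)
    item.custody.append(CustodyEntry(_stamp(when), "collection", collected_by,
                                     "seized at scene", digest))
    return item


def current_holder(item: EvidenceItem) -> str:
    return item.custody[-1].received_by


def transfer(item: EvidenceItem, released_by: str, received_by: str, reason: str,
             image: bytes, when: Optional[datetime] = None,
             memo: Optional[str] = None) -> CustodyEntry:
    """Record a hand-over. The releasing party must be the current holder, and the
    image is re-hashed; a changed hash is accepted only with a memorandum to file."""
    if released_by != current_holder(item):
        raise ChainBreak(f"{released_by} does not hold {item.item_id}; "
                         f"current holder is {current_holder(item)}")
    observed = sha256_of(image)
    if observed != item.sha256_original and not memo:
        raise ValueError("evidence hash changed; a memorandum to file is required")
    entry = CustodyEntry(_stamp(when), released_by, received_by, reason, observed, memo)
    item.custody.append(entry)
    return entry


def is_unbroken(item: EvidenceItem) -> bool:
    """True if every hand-over was released by the person who had just received it.
    transfer() enforces this; the check matters for a ledger loaded from storage."""
    return all(nxt.released_by == prev.received_by
               for prev, nxt in zip(item.custody, item.custody[1:]))


def to_json(item: EvidenceItem) -> str:
    return json.dumps(asdict(item), indent=2)


if __name__ == "__main__":
    image = b"constructed forensic image bytes"   # stands in for the acquired image file
    laptop = collect("E-001", "Laptop, lid closed, powered on at seizure", "Desk, Room 204",
                     "ExampleCo Model-X", "SN-PLACEHOLDER", "Det. Rivera", image,
                     datetime(2024, 1, 5, 9, 30, tzinfo=timezone.utc))
    transfer(laptop, "Det. Rivera", "Evidence Tech Okafor", "transport to lab", image,
             datetime(2024, 1, 5, 13, 0, tzinfo=timezone.utc))
    print(to_json(laptop))
```

The hash is of the forensic image rather than of the device, since the device itself is never written to; a write-blocked re-read that produces a different hash is exactly the "evidence changed" case the notes say must be explained in a memorandum, and the ledger refuses to record it silently.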