First Steps for Preserving Digital Evidence | HiSEC Information Security Laboratory
The reliability and analyzability of digital evidence can change significantly depending on the first response. Before powering off a device or opening applications, responders should document the current state and prioritize procedures that reduce alteration of the original evidence.
Core Principles
Document the current state of devices and accounts with photographs, time, location, and user statements.
Avoid unnecessary app execution, file browsing, account login, or synchronization.
Preserve original media and mobile devices where possible, and perform analysis on copies or forensic images.
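The third principle, working on a copy instead of the original, can be checked mechanically. The sketch below is an added example, not HiSEC's own tooling: it copies one file, confirms with SHA-256 that the copy is identical and that the original did not change during copying, marks the copy read-only, and writes a small intake record with time, location and responder. The function names, the record fields and the use of SHA-256 are assumptions of this example.

```python
import hashlib, json, os, shutil, stat
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_working_copy(original, workdir, responder, location, note=""):
    """Copy `original` into `workdir`, verify it, and return an intake record.

    Hypothetical helper for this example. It only reads the original, but
    reading can still update access times on some filesystems; physical
    media should be attached through a write blocker first.
    """
    before = sha256_file(original)
    copy_path = os.path.join(workdir, os.path.basename(original) + ".working")
    shutil.copyfile(original, copy_path)
    copy_hash = sha256_file(copy_path)
    after = sha256_file(original)
    # All three digests must agree: the copy is faithful and the source
    # was not modified while it was being copied.
    if not (before == copy_hash == after):
        os.remove(copy_path)
        raise ValueError("hash mismatch: do not analyse this copy")
    os.chmod(copy_path, stat.S_IRUSR)  # read-only, to catch accidental edits
    record = {
        "original": os.path.abspath(original),
        "working_copy": os.path.abspath(copy_path),
        "sha256": before,
        "verified": True,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "responder": responder,
        "location": location,
        "note": note,
    }
    with open(copy_path + ".intake.json", "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record
```

Re-running sha256_file on the working copy after analysis and comparing it with the recorded value shows whether the copy was altered along the way.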
When to Ask for Help
Basic technical consultation may help when incident facts are unclear or when the meaning of logs and file traces is difficult to assess.
Lab support is limited to basic technical assistance for education, research, and public-interest purposes and does not replace official forensic examination or legal expert opinion.
Category: Technology Brief
Topics: Evidence Preservation, Digital Forensics, First Response