Digital Evidence Collection | What does HDD Duplicator do in storing digital evidence


forensic evidence storage

What is Digital forensics?

With sustainable development of the advanced technology, the rate of high-tech crime is also increasing, such as fishing website, fraud and Trojans etc.
Under the investigation, the investigator needs to collect every computers or storage media, such as USB, hard drive etc and bring them back to backup these criminal records and analyze evidences.
The department of forensic science will use these evidences and documents to rebuild the crime scene.

The digital evidence must be authentic, complete, original and convincing to the jury (court).

It's crucial to keep the evidence remains the same as original.

Otherwise, it would not be reliable enough to use as court evidence.
To keep the original safe, forensic investigator usually create a copy, then, investigate and analyze the copy without any modification

The Difficulties of storing digital evidence: “Hard to restore” & “Get Tampered easily

No matter storing digital evidence or copying the backups, it all faced 2 Major difficulties in copying and storing the evidence

1. Hard to store. The storage media is easily get physically destroyed.

The evidence usually store in storage media such as hard drive, USB, and other hardware.
The environment plays an important part while storing these storage media, such as humidity, magnetic force, even the physical destruction.

Therefore, the digital evidence is usually stored in the box which is shockproof, shatterproof and water repellent when it brings back from the crime scene. Then, storing in the place with consistent humidity and temperature.

Be tampered and deleted easily

It's possible that the evidence would be changed while reading a document every time.
For example, anyone can erase or copy the file easily if the device wasn't encrypted.

Furthermore, sometimes even during copying the original as carbon copy, the system would add some strange file in the hard drive without notice.

Even the tiny modification would lower the reliance and become invalid evidence.

‧ ‧ ‧

Solutions

Calculate the hash value to verify the integrity of the evidence

To verify the integrity of the evidence, the usual way is recording hash code in the form. If there is a confusion to the evidence, they only need to calculate the hash value to know whether it's been changed or not.
Also, to prevent the original one from changing or damaging, it needs to make at least two copies and need to copy bit by bit to make sure the space which is omitted and the deleted files are copied as well.

Encrypted the original evidence by MD5

Another way is restoring the encrypted data.
To avoid the evidence from altering, is to use digital signature.
MD5 and other encryption techniques is a common way to archive the evidence. Then, choose the forensic tool which pass the certification.
In America, as long as using the digital forensics passing the certification from the court, the evidence would usually valid to the court.
However, there is no such certificate mechanism in Taiwan, and it seems that there are no identical standards for the device while making the carbon copy.

‧ ‧ ‧
Holmes 221B Hard Drive Duplicator solves all the problems

EZ Dupe has built a perfect solutions specially for digital evidence – Forensic Holmes 221B Hard Drive Duplicator.
It solves two major difficulties mentioned above – “Write protection” and equipped with ‘MD5 & SHA-1 Hash Value”.
Furthermore, it can record all the log files, letting you master all the record.