Acquisition and Custody of Evidence
One of the first steps in any digital forensic investigation is to identify and seize potential sources of evidence. Once the seizure has taken place, the next step is to acquire the evidence from the seized devices. Evidence acquisition is always done in a way that seeks to preserve the original evidence on its original device. Analysis techniques are conducted on low-level copies, or images, of the original evidentiary hardware.
Performing the analysis on an image of hardware instead of on the hardware itself serves two purposes. First, it eliminates the chances of changing the original evidence, which would spoliate it and render it useless in court. Second, it can help to establish that correct procedures were followed during the forensic analysis, since a fresh image of the original evidence can be made later. By demonstrating that the analyzed image and the fresh image do not differ and contain the same data, there is a safeguard against the opposing side claiming fabrication.
