Assignment: Sources, Acquisition, and Custody of Evidence

For this assignment, you will learn about digital forensic evidence in detail. In particular, you will understand where evidence can be found, what procedures need to be followed to preserve that evidence, and what can happen if the evidence is damaged during an investigation.

Background Material

Requirements

Prepare a video presentation that addresses the following:

  1. Explain where evidence can be found inside a computer. Be sure that you consider hardware devices, partitioning, and filesystems.
  2. Does deleting a file mean that the data cannot be recovered? Is deleting data from one type of device more likely to result in immediate or rapid erasure than deleting data from another type of device?
  3. Locate at least 5 different digital forensic hardware devices that are currently on the market. Give a brief overview of what each device does, include a photo, and give the URL of the manufacturer’s website. Forensic devices can be from any part of the digital forensics field, including equipment for analyzing cell phones and mobile devices, write blockers, special forensics workstations, etc.
  4. Explain how to collect and handle digital evidence at a crime scene, following the NIJ guidelines.
  5. Discuss imaging, why it is important for analysis, and how to do it properly.
  6. Describe ways to obtain data from solid state drives while reducing the risk of the drive deleting the data before it can be recovered.
  7. Explain spoliation, and state why it must be avoided.

If you elect to work with a partner, you should each present for approximately equal time.

Be sure to include the URLs to your portfolio (or both portfolios, if working with a partner) in the presentation.

Portfolio Items

Add the following components to your portfolio:

  1. A table summarizing the components of a computer that might contain evidence. This table should have 3 columns: a column for listing the components, a column for briefly summarizing the proper procedures for seizing that type of component from a scene, and a column with any special handling precautions for that type of component. Be sure to list mechanical hard drives and solid state drives separately.
  2. A brief summary statement explaining why we run analysis tools on bitstream images of evidentiary devices instead of on the devices themselves. Define spoliation and explain why it must be avoided.

Submission

Submit your presentation video to one of the weekly submission boxes for the course. If you’re working with a partner, only one person needs to submit the video.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.