Welcome back to the computer forensics path, course six, module four: the collection of digital evidence.

When we're talking about collecting or seizing evidence, we need to document who collected the evidence. Where was the evidence found? When, I mean date and time, was the evidence found? What is the evidence? So model, serial number. And why is this evidence being seized? When you intake the evidence when you're on scene, the evidence officer, like I said, you always want one person assigned as the evidence person. When they take this evidence in, they need to write on a piece of paper or type into the computer the answers to all these questions: who, where, when, what and why. Because trust me, when this case goes to court or you have your company hearing, you're not going to remember the answer to all these questions. And if you're in a court of law, this is called authenticating the evidence. And we talked about that: if you can't authenticate the evidence, it's not going to be allowed into court.

When we seize a computer or any other piece of digital evidence for that matter, the items that are attached to it are called sub-items, and these could be attached external storage devices, they could be manuals, papers, adapters or other hardware. These are all sub-items. And we're going to talk about how you tag these, so that we don't get confused later throughout this path.

Photos first, photos first. I can't say that enough. I can't tell you how many times I've been on a search warrant and people just run in and start moving stuff around. You need to have everybody have their assignments ahead of time. Make sure you put the brakes on if you're the case person, and take these photos. We need to take the photos of evidence prior to it being collected. We've got to show that evidence as it was found in its location. We're going to note the location. We're going to note the state of the evidence, on or off.
We're going to note prior damage to the evidence. And at least one person, possibly more depending on the size of the area being searched and how many people are searching, but at least one person should be assigned to take photos and keep a photo log. This is going to become very important when this case goes to court or when this hearing happens.

This is an example of photos taken. You want to take an overall photo. If you look at the photo on the right, that would be called an overall photo. Now, if you look at the photo on the left, that's a close-up photo. You need to be able to see how these devices are all connected together. We need to show how this computer connects to these external drives, connects to this other computer, connects to this KVM switch, connects to these monitors. There's USB ports, USB drives. So you have a lot going on in this picture on the right. And you want to be able to reassemble that system if you had to. So you want to take those overall photos showing the pieces in relation to each other, and you want to take the close-up photos showing the connectors, which port all these connections are going into, and where they're going. So take many photos. You can never take too many photos.

Logging evidence. I can't stress this enough. You're going to have one person assigned to document evidence collection: who found the evidence; what they found, by that I mean make, model and serial number; where they found it; when they found it, date and time; and any sub-items that are attached to the device. You want to make sure you label the evidence. When you label the evidence, you should include the case or the incident number, of course the date and time, a short description of the item, you know, make, model, serial number, and the name of the person who collected the evidence, for authentication purposes at a hearing or in a court of law.

When you package the evidence, make sure you tape over all the disk drives.
If we're talking about a computer or something that does have disk drives, make sure you tape over all the disk drives, the USB ports or openings for SD cards. The reason being is you don't want anybody to be able to insert anything in these drives and alter your evidence.

You want to use paper or antistatic bags over exposed contacts. If you have exposed contacts, say, like a USB connection, you want to make sure that you put some type of antistatic bags or paper over those exposed contact points. If you use plastic, consider moisture and exposed contacts. So when you use plastic, you don't want to use plastic on anything wet, and you don't want to use plastic on exposed contacts. You want to use paper.

Take your evidence seals and, when you do this, initial the tape, date and time, write the case or the incident number. Very important.

In our next module, we are going to talk about how we transport and store digital evidence.
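
The logging and photos-first rules from this module, as an added example that is not part of the original course material: a short Python audit that cross-checks an evidence log against the photo log before the items leave the scene. The field names, the `parent` link used for sub-items, the choice to require make, model and serial only on top-level devices, and all sample records are assumptions made for the illustration.

```python
from datetime import datetime

# Who, where, when, what and why. Field names are assumptions for this example.
REQUIRED = ("case_no", "collected_by", "location", "collected_at", "description", "reason")
DEVICE_ONLY = ("make", "model", "serial")  # assumed not to apply to papers, manuals, etc.

def audit(evidence_log, photo_log):
    """Return {item_id: [problems]} for entries that would be hard to authenticate."""
    first_photo = {}
    for shot in photo_log:
        taken = datetime.fromisoformat(shot["taken_at"])
        for item_id in shot["items"]:
            first_photo[item_id] = min(taken, first_photo.get(item_id, taken))
    logged = {e["item_id"] for e in evidence_log}
    findings = {}
    for e in evidence_log:
        parent = e.get("parent")  # set only on sub-items
        fields = REQUIRED if parent else REQUIRED + DEVICE_ONLY
        problems = [f"missing {f}" for f in fields if not e.get(f)]
        if parent and parent not in logged:
            problems.append(f"parent {parent} not in evidence log")
        taken = first_photo.get(e["item_id"])
        if taken is None:
            problems.append("no photo log entry")
        elif e.get("collected_at") and taken >= datetime.fromisoformat(e["collected_at"]):
            problems.append("first photo not taken before collection")
        if problems:
            findings[e["item_id"]] = problems
    return findings

# Constructed sample data, not from a real case.
BASE = {"case_no": "CASE-0000", "collected_by": "A. Example", "location": "office desk",
        "reason": "listed in warrant"}
EVIDENCE_LOG = [
    {**BASE, "item_id": "1", "collected_at": "2024-01-10T10:15:00", "description": "desktop tower",
     "make": "ExampleCo", "model": "T100", "serial": "SN-PLACEHOLDER-1"},
    {**BASE, "item_id": "1a", "parent": "1", "collected_at": "2024-01-10T10:20:00",
     "description": "USB drive attached to item 1", "reason": ""},
    {**BASE, "item_id": "2", "collected_at": "2024-01-10T10:05:00", "description": "laptop",
     "make": "ExampleCo", "model": "L200", "serial": ""},
    {**BASE, "item_id": "3a", "parent": "3", "collected_at": "2024-01-10T10:40:00",
     "description": "power adapter"},
]
PHOTO_LOG = [
    {"photo": "0001", "kind": "overall", "taken_at": "2024-01-10T10:00:00", "items": ["1", "1a"]},
    {"photo": "0002", "kind": "close-up", "taken_at": "2024-01-10T10:30:00", "items": ["2"]},
]

if __name__ == "__main__":
    for item_id, problems in audit(EVIDENCE_LOG, PHOTO_LOG).items():
        print(item_id, "->", "; ".join(problems))
```

Run on scene before packaging, any item it lists is one whose who, where, when, what or why would have to be answered from memory later.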