I. Background of Digital Forensic
Digital forensic involves the collection and analysis of digital evidence. Any information stored on a digital media can be a piece of digital evidence to be analysed during a digital forensic process.
The purpose of digital forensic is to discover the digital evidence and ensure that they are admissible in court. Therefore, maintaining chain of custody is the most critical requirement and must be established throughout the whole process.
Chain of custody refers to the chronological documentation or paper trail, showing seizure, custody, control, transfer and disposition of evidence. As the objective of the evidence is to prove facts or to convict personnel of crimes in court, it must be handled with extreme care to avoid being altered or destroyed unauthorisedly. The ultimate purpose is to demonstrate that the alleged evidence is in fact relevant to the alleged crimes, instead of being fraudulently planted. If the chain of custody is broken, the underlying fact of the evidence will be questioned and the evidence can be no longer usable in court.
For digital evidence, the chain of custody also includes additional steps to create a binary forensic duplication of the original data and generate a digital fingerprint (i.e. hash) which can verify the data authenticity.
The forensic investigation process involves the following stages:
This is the preservation or ownership transfer of digital media before it is examined by forensic examiner.