Forensic/data recovery good practice
Background Information
While there are lots of courses and sources that can teach you the technical information (reading or watching them is highly recommended), they often do not cover the skills needed to problem-solve and build the confidence to take on an unknown project with little or no experience.
The ultimate goal of this course is to give people the confidence to try skills and not be afraid of failure, because failure is a natural part of learning.
That is how you create truly capable, truly independent individuals in whatever aspect of life you find yourself. The foundation of that is building good practices.
Maintaining the Validity of Data Within Handled Devices
Contemporaneous Notes
Contemporaneous notes are documents that detail precisely what actions were taken (e.g., device imaged) and how they were taken (e.g., device was imaged through the Magnet Axiom process). They are purely factual.
If you are making physical notes, it is critically important that they are written with a pen that cannot be erased, that each page is signed and dated, and that a single line is drawn through the middle of any blank space.
This allows you to prove that your notes were not changed at a later date. If you do make a mistake, simply strike through the mistake once. Do not attempt to scribble it out, as it may look like you're hiding something.
By following these points, you ensure that any notes you have written cannot be discredited due to later edits.
Contemporaneous notes should consist of the following things:
- Case reference number - To identify which case these notes belong to.
- Exhibit reference number - To identify which exhibit within the case the notes are referring to.
- Type of examination - What was conducted? Was the device imaged? Was it repaired? Was it examined?
- Full name of the examiner - Full names help eliminate confusion.
- Start date and time - When was the examination started? (format: 13:01:07 11/OCT/2025)
- Examination processes and results - Include any notes, but detail the exact actions you took, when you took them, and how you did them (record the time the action was taken, or as soon afterwards as reasonably possible). It's better to be unsure than to make something up or guess.
- End date and time - When was the examination ended? (format: 13:01:07 11/OCT/2025)
- Signature of the examiner - By signing the notes, you provide proof that it was you (be aware that these notes could become public records).
Photographs count as part of contemporaneous notes, but make sure the contents of the image are described in detail.
For example:
Photograph of a blue iPhone 5 SE with a black Apple logo located in the centre of the phone's case. A scratch runs diagonally across the back of the phone from top to bottom. The phone is resting on the bedside cabinet where it was found upon its discovery. There are no other noticeable markings on the phone besides the standard serial number 1238414114 and the IMEI number 41747134.
Chain of Custody (COC)
Consider the chain of custody like parcel tracking information. It allows a person to know when, where, and with whom an exhibit (piece of evidence) has been, all the way from seizure at the crime scene until the exhibit is destroyed.
COC is used to ensure that an exhibit is not tampered with, alongside other methods such as storing the exhibit in an ISO 27025-compliant storage room. If an exhibit is tampered with, or a claim is made stating that it was tampered with, it is possible to trace back until the responsible party is located or a mistake is identified.
A COC form should consist of at least the following:
- Name and signature of person(s) gaining access to the exhibit.
- Location - Where the exhibit was kept.
- Access log - Which people could physically access the exhibit.
- Activities - What happened either with or to the exhibit.
- Date and time of access - What time and date was the exhibit accessed? (01/Oct/25)
- Reason for access - Why did you need to physically access the exhibit? (e.g., imaging the device)
- Case reference number - The reference number of the case the exhibit is part of.
- Bag seal number - The unique number of the evidence bag in which the exhibit is stored.
ACPO Principles
- Principle 1: No action taken by law enforcement agencies, persons employed within those agencies, or their agents should change data that may subsequently be relied upon in court. Explanation: Nobody who works for or on behalf of law enforcement agencies (police, government, or people contracted to perform a role by the agencies) should change any data either from or still on a device that may be used as part of a case in court.
- Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. Explanation: While Principle 1 states you should never change data that will be used in court, it is okay to do so (e.g., accessing logs from images on a device, not planting evidence) if there is no other way to access data on a device. However, the person doing so needs to know what they are doing and be able to explain what they did, what effects their actions had on the device (what data changed), and why it was absolutely necessary to do it this way (e.g., there was no other viable option to retrieve the data).
- Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. Explanation: Make notes of everything: how it was done, what was done, what it was done on (software, version numbers, and hardware), and when it was done. The goal is for another person to be able to recreate the exact results using only your notes (not including step-by-step instructions); it is assumed and hoped that the person is competent. The standard date format for the UK is 11/OCT/2025. This clearly shows the work was done on the 11th of October (11/10/25) and not the 10th of November (10/11/25). This practice helps avoid mistakes, as different parts of the world use different date formats.
- Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to. Explanation: It is the responsibility of the person in charge (manager, lead investigator) to make sure everyone involved in the investigation follows these principles and the laws regarding investigations and evidence handling.
- Reference 1: Forensics for Dummies, pages 49-50 (Chain of Custody)
- Reference 2: ACPO Principles (Section 2.1)
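The paper practices above (required fields on every note and COC entry, the unambiguous 11/OCT/2025 date format, striking through a mistake once rather than scribbling it out, and an audit trail a third party can check under Principle 3) map directly onto an append-only electronic exhibit log. The following is an added example written for this page, not a tool or script from the original text: it refuses entries with missing fields, stamps them in the page's date format, chains each entry to its predecessor with a SHA-256 hash so any later edit is detectable, and records corrections as new entries that point back at the erroneous one. All case, exhibit and seal numbers in it are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime

# Fields the page lists for a contemporaneous note and a chain-of-custody entry.
REQUIRED_FIELDS = (
    "case_ref",          # case reference number
    "exhibit_ref",       # exhibit reference number
    "examiner",          # full name of the examiner
    "examination_type",  # imaged / repaired / examined
    "location",          # where the exhibit was kept
    "activity",          # what happened with or to the exhibit
    "reason",            # why physical access was needed
    "bag_seal",          # evidence bag seal number
)
MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")
GENESIS_HASH = "0" * 64  # previous_hash of the first entry in an empty log


def uk_timestamp(dt: datetime) -> str:
    """Render a datetime in the page's format, e.g. 13:01:07 11/OCT/2025.
    The month is spelled out, so 11/10 and 10/11 cannot be confused."""
    return f"{dt:%H:%M:%S} {dt.day:02d}/{MONTHS[dt.month - 1]}/{dt.year}"


def _digest(body: dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: list, fields: dict, when: datetime) -> dict:
    """Append one entry. Missing fields are rejected rather than left blank."""
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        raise ValueError(f"entry is missing required fields: {missing}")
    prev = log[-1]["entry_hash"] if log else GENESIS_HASH
    body = {**fields, "recorded_at": uk_timestamp(when), "previous_hash": prev}
    entry = {**body, "entry_hash": _digest(body)}
    log.append(entry)
    return entry


def correct_entry(log: list, bad_index: int, fields: dict, when: datetime) -> dict:
    """Electronic equivalent of 'strike through once, never scribble out': the wrong
    entry stays in the log and a new entry records the correction and links back to it."""
    corrected = {**fields, "corrects": log[bad_index]["entry_hash"]}
    return append_entry(log, corrected, when)


def verify_chain(log: list) -> bool:
    """True only if every entry's hash matches its content and links to its predecessor,
    i.e. nothing was edited, removed or reordered after the fact."""
    prev = GENESIS_HASH
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["previous_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def build_sample_log() -> list:
    """Constructed sample log; every identifier below is a placeholder, not real case data."""
    base = {
        "case_ref": "CASE-0001", "exhibit_ref": "EX-01",
        "examiner": "A. N. Examiner", "location": "Evidence store, shelf 3",
        "bag_seal": "SEAL-123456",
    }
    log = []
    append_entry(log, {**base, "examination_type": "imaging",
                       "activity": "Device removed from bag and imaged",
                       "reason": "Create a forensic image of the handset"},
                 datetime(2025, 10, 11, 13, 1, 7))
    append_entry(log, {**base, "examination_type": "examination",
                       "activity": "Image hashed and loaded for review",
                       "reason": "Verify the image before examination"},
                 datetime(2025, 10, 11, 14, 30, 0))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(json.dumps(sample, indent=2))
    print("chain intact:", verify_chain(sample))
```

A real deployment would sign each entry (or periodically anchor the latest hash somewhere the examiner cannot alter) so that the log's integrity does not rest on the examiner's own machine; the hash chain shown here only makes silent edits detectable, which is the same guarantee the signed-and-dated paper page with its struck-through blank space provides.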
Related Topics
Topics such as desoldering to chip-off or firmware dumping for disk PCB repairs.
Further Reading
External references in wiki references can just be cited through the keyword link.