Policy and procedure development
Because digital information can be easily deleted or manipulated, digital evidence is extremely delicate and volatile. Experts in the field understand that the information can be easily compromised and ensure that the data is well preserved and protected. To salvage such useful data, there are guidelines that must be followed as part of the protocol. These include specific instructions on how to retrieve data, where to store the required evidence, and how to document it so that the assembled data can be shown to be bona fide for further enquiry into the matter.
Because a large amount of evidence is put together purely through digital forensics, our law agencies are increasingly dependent on IT professionals like SANS and Elijah. Over the years, they have set up teams of individuals who are well trained and have all the necessary tools to carry out systematic and scrupulous data research. They are also required to follow the rules and regulations strictly and diligently. This is important in safeguarding the data network of both the IT company involved and the law enforcement agency.
Another fundamental aspect of investigation is that a manual is provided, containing a clear set of actions that set out what exactly constitutes evidence, where to look for such evidence and how to preserve it once it has been restored. Just as there are search warrants for property, there are also legal permits and permission from higher authorities that need to be obtained before jumping in on the case. These are all part of the SOP (standard operating procedure) in any case study. There are specific guidelines that must be followed, like getting a final go-ahead from those in command before pursuing a line of action.
Visual inspection: This is solely conducted to examine the nature of evidence and its validity. This is the preliminary step that is usually done during the acquisition of evidence. For instance, if a computer is going to be held in police custody, it has to be made certain that the computer is up and running or in good condition.
Duplication: Before examining the data, a duplicate is made to work on. This is what is known as the forensic copy.
Examination and return: This comprises the testing of the data and the return of the same to a secure facility.