During a criminal investigation, the prosecutor submitted the original hard drive from the suspect's computer as evidence.
The defense objected during the trial proceedings, and the evidence was rejected.
Which of the following practices should the prosecutor's forensics team have used to ensure the suspect's data would be admissible as evidence? (Select TWO.)
Correct answers: A, B.
During a criminal investigation, it is important to follow certain procedures to ensure that digital evidence obtained from a suspect's computer is admissible in court. Failure to follow these procedures may lead to the evidence being rejected in court, which can be detrimental to the prosecution's case. The following are the two practices that the prosecutor's forensics team should have used to ensure that the suspect's data would be admissible as evidence:
A. Follow chain of custody best practices: Chain of custody refers to the documentation of the custody, control, transfer, analysis, and disposition of physical or digital evidence. It is important to establish and maintain a chain of custody for digital evidence to ensure its authenticity and admissibility in court. The prosecutor's forensics team should have followed chain of custody best practices, which include documenting the date, time, and location of evidence collection, the names of individuals who handled the evidence, and any changes made to the evidence. This ensures that the evidence is not tampered with or altered in any way.
B. Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive: Creating an identical image of the original hard drive is important to preserve the integrity of the original evidence. An image is a bit-by-bit copy of the original hard drive, which is created using specialized software. The image is a forensically sound copy of the original hard drive and can be used for analysis without affecting the original evidence. Once the image is created, the original hard drive should be securely stored to maintain its integrity. Forensic analysis should be performed only on the imaged drive, and any findings should be documented in a forensics report.
C, D, and E are incorrect:
C. Using forensics software on the original hard drive and presenting generated reports as evidence is not recommended because doing so may alter the original data, and the evidence may therefore not be admissible.
D. Creating a tape backup of the original hard drive and presenting the backup as evidence is not recommended because the backup may not accurately represent the original data, and it may be difficult to establish a chain of custody for the backup.
E. Creating an exact image of the original hard drive for forensics purposes, and then placing the original back in service is not recommended because doing so may alter the original data, and the evidence may therefore not be admissible.
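The two correct practices (A and B) can be checked mechanically. The following is an added example, not part of the original page: it confirms that an image is bit-for-bit identical to the original and keeps a custody log in which each entry is chained to the previous one. The use of SHA-256, the function names, and the sample handler and location values are assumptions made for illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file or raw device in chunks so a whole drive never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, handler, action, location, evidence_sha256):
    """Append who/what/where/when, chained to the previous entry's digest."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "location": location,
             "evidence_sha256": evidence_sha256,
             "prev": log[-1]["digest"] if log else "0" * 64}
    entry["digest"] = _digest(entry)
    log.append(entry)

def custody_log_intact(log):
    """Recompute each digest and link; an edited entry or a broken link fails."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "digest"}
        if e["prev"] != prev or e["digest"] != _digest(body):
            return False
        prev = e["digest"]
    return True

def demo():
    """Constructed sample: a 4 KiB file stands in for the seized drive."""
    d = tempfile.mkdtemp()
    orig, img = os.path.join(d, "original.bin"), os.path.join(d, "image.bin")
    data = os.urandom(4096)
    for p in (orig, img):
        with open(p, "wb") as f:
            f.write(data)
    log, h = [], sha256_file(orig)
    add_custody_entry(log, "Examiner A", "seized drive, hashed", "Scene", h)
    add_custody_entry(log, "Examiner A", "imaged, original sealed", "Lab", h)
    return sha256_file(img) == h, custody_log_intact(log), log, img

if __name__ == "__main__":
    matches, intact, log, _ = demo()
    print("image matches original:", matches, "| log intact:", intact)
```

Recording the original's hash in every custody entry lets a later examiner show that the image analyzed is the same data that was seized.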