Evidence Acquisition
Collection
Proper evidence acquisition is critical for maintaining forensic integrity. This includes creating forensic images, documenting chain of custody, and following legal requirements for evidence handling.
Forensic Imaging Tools
```bash
# FTK Imager (Windows) - industry standard, free
# Creates E01 (EnCase) or raw (dd) images
# Verify with MD5/SHA1 hashes

# Linux disk imaging with dc3dd (enhanced dd): hashes the stream while imaging,
# so the source and image hashes are recorded in the log without a second read
dc3dd if=/dev/sda of=/evidence/disk.dd hash=md5 hash=sha256 log=/evidence/disk.log

# Standard dd imaging
# noerror: keep going past unreadable sectors; sync: pad them with zeros so offsets stay aligned
# Caveat: sync also pads a short final read to bs, so if the device size is not a multiple of 64K
# the image is slightly larger than the device and its hash will not match a hash of the device;
# use a bs that divides the device size (e.g. 512) if the hashes must match exactly
dd if=/dev/sda of=/evidence/disk.raw bs=64K conv=noerror,sync status=progress

# Create E01 image with ewfacquire (libewf): EnCase 6 format, best compression
ewfacquire /dev/sda -t /evidence/disk -f encase6 -c best

# Verify image integrity: compare against the hashes recorded at acquisition time
md5sum /evidence/disk.raw
sha256sum /evidence/disk.raw

# Mount forensic image read-only
# (a whole-disk image also needs offset=<partition start in bytes> to mount one partition)
mount -o ro,loop,noexec /evidence/disk.raw /mnt/evidence

# Using Guymager (GUI tool on Linux)
# Supports E01, AFF, raw formats with hash verification
```

Write Blocker Required
ALWAYS use a hardware or software write blocker when acquiring evidence from original media.
Any modification to the original drive can compromise evidence admissibility.
Chain of Custody
Required Documentation
- Evidence ID: Unique identifier for each item
- Description: Make, model, serial number
- Collection Date/Time: When evidence was seized
- Collector Name: Who collected the evidence
- Location: Where evidence was found
- Hash Values: MD5, SHA1, SHA256 of forensic images
- Transfer Log: Every person who handled the evidence
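The following is an added example, not code from the original page: a minimal POSIX sh workflow that ties the imaging section and the chain-of-custody list together. It images a source with the same dd options shown above, hashes both the source and the image, appends one custody record (evidence ID, UTC timestamp, collector, source, image, both hashes, result), and fails if the hashes differ. The function names (sha256_of, acquire_and_verify, make_samples, size_of, run_demo) and the record layout are assumptions. It runs offline against constructed sample files, and the second sample is deliberately 100 bytes longer than one 64K block so the padding effect of conv=sync is visible.

```bash
#!/bin/sh
# Added example, not from the original page: acquire, hash, verify, log.
# Hypothetical helper names; requires dd, sha256sum, head, yes, mktemp, date, awk, wc.
# Images constructed sample files rather than real media, so it runs offline.

# Print only the SHA-256 hex digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Image SRC into DEST with the page's dd options, hash both sides, append one
# chain-of-custody record to LOG, and return 0 only if the hashes match.
# Record fields: evidence id | UTC timestamp | collector | source | image | source hash | image hash | result
acquire_and_verify() {
    src="$1"; dest="$2"; log="$3"; evidence_id="$4"; collector="$5"
    src_hash=$(sha256_of "$src")
    # noerror keeps reading past bad blocks; sync pads short reads to bs with zeros
    dd if="$src" of="$dest" bs=64K conv=noerror,sync 2>/dev/null || return 2
    img_hash=$(sha256_of "$dest")
    if [ "$src_hash" = "$img_hash" ]; then
        result=VERIFIED
    else
        result=MISMATCH
    fi
    printf '%s|%s|%s|%s|%s|%s|%s|%s\n' "$evidence_id" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$collector" "$src" "$dest" "$src_hash" "$img_hash" "$result" >> "$log"
    [ "$result" = VERIFIED ]
}

# Constructed sample "media" in a fresh temp dir: exact.bin is exactly one 64 KiB
# block; partial.bin is 100 bytes longer, so dd's sync padding grows its image to
# 128 KiB and the hashes cannot match. Prints the directory path.
make_samples() {
    dir=$(mktemp -d)
    yes "constructed sector data" | head -c 65536 > "$dir/exact.bin"
    yes "constructed sector data" | head -c 65636 > "$dir/partial.bin"
    printf '%s\n' "$dir"
}

# Byte size of a file, used to show the padding effect.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Run both acquisitions and print the resulting custody log.
run_demo() {
    dir=$(make_samples)
    acquire_and_verify "$dir/exact.bin" "$dir/exact.raw" "$dir/custody.log" EV-0001 "J. Doe" \
        && echo "exact.bin: verified ($(size_of "$dir/exact.raw") bytes)"
    acquire_and_verify "$dir/partial.bin" "$dir/partial.raw" "$dir/custody.log" EV-0002 "J. Doe" \
        || echo "partial.bin: MISMATCH, image padded to $(size_of "$dir/partial.raw") bytes"
    cat "$dir/custody.log"
}

# Usage: sh acquire_demo.sh demo
case "${1:-}" in demo) run_demo ;; esac
```

Run it with `sh acquire_demo.sh demo`. Hashing the source separately, as this script does, means reading the media twice; dc3dd and ewfacquire avoid that by hashing the stream as it is written, which is why their logged hashes are the ones to record in the custody file. The MISMATCH result on the second sample is the same effect the dd caveat in the imaging section describes: a padded image is still usable, but its hash is not the hash of the original device.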