Why is evidence preservation the most important step in IT forensics?

Evidence preservation forms the foundation of every IT forensic investigation. Without correctly performed preservation, all subsequent analyses are worthless, as courts only accept digital evidence whose integrity can be demonstrated beyond doubt.

The fundamental principle is: the original is never examined directly. Instead, forensic investigators create an exact bit-for-bit copy of the storage medium and work exclusively with this copy. There are several reasons for this approach:

  • Any interaction with a running system changes its state (e.g., timestamps, temporary files)
  • Accidental changes to the original render evidence unusable
  • Multiple independent analysts can work on identical copies in parallel
  • The reproducibility of results is ensured

In practice, forensic investigations fail more often due to inadequate evidence preservation than due to lacking technical analysis capabilities. A single error in the chain of evidence can result in incriminating data being inadmissible in court.

For a general overview of the field, our article What is IT Forensics? provides a comprehensive introduction to the subject.

How does forensic imaging work?

Forensic imaging refers to creating a bit-exact, sector-by-sector copy of a storage medium. Unlike a normal file copy, a forensic image captures every single sector of the storage medium, including free space, deleted files, and file system metadata.

Various imaging formats are used in practice:

Format          Description                        Advantages
dd (Raw)        Simple bit-exact copy              Universally compatible, straightforward
E01 (EnCase)    Proprietary format with metadata   Compression, integrated hash verification
AFF4            Advanced Forensic Format           Open source, flexible, efficient
SMART           ASR Data Format                    Metadata-supported, compressed

The imaging process proceeds in several steps:

  1. Connect write blocker: A hardware or software write blocker is placed between the original storage medium and the forensic workstation to prevent any write operation
  2. Calculate hash value of original: Before imaging, a cryptographic hash value (SHA-256) of the original is created
  3. Create bit-exact copy: Using specialized tools, every sector of the storage medium is sequentially read and copied
  4. Calculate hash value of copy: After imaging, the hash value of the copy is calculated and compared with the original
  5. Verification: If both hash values match, the integrity of the copy is proven

The duration of the imaging process depends on the capacity of the storage medium and the interface. A 1 TB hard drive via USB 3.0 typically requires 2-4 hours.

What is the chain of custody and why is it indispensable?

The chain of custody documents without gaps who had access to an evidence item at what time and which actions were performed. It is the legal backbone of every forensic investigation.

A complete chain of custody contains the following information:

  • Identification: Unique designation of the evidence (serial number, model, description)
  • Time of preservation: Date and time of seizure
  • Location of preservation: Exact location where the evidence was found
  • Responsible person: Name and role of the person securing the evidence
  • Handover protocol: Every transfer between persons is documented
  • Storage conditions: Where and how the evidence is stored
  • Access log: Every access to the evidence is recorded
  • Analysis documentation: Which investigations were conducted

In practice, the chain of custody is maintained both in paper form and digitally. Every person who comes into contact with the evidence must acknowledge receipt and return.

A break in the chain of custody occurs when a period is not documented during which the evidence could theoretically have been tampered with. Such gaps can, in the worst case, lead to entire evidence items being dismissed.
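The following Python sketch, added here as an illustration and not taken from the article, shows how such a log can be checked mechanically. Each entry names the acting person and links to the previous entry by SHA-256 hash, so an entry edited after the fact is detectable; replaying the entries then reveals any access by a person who never received the item in a documented handover, which is exactly the kind of gap described above. The entry schema, the action names and the people and times in the sample log are constructed for this example.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # link value of the first entry


def _digest(entry):
    """SHA-256 over a canonical JSON encoding of an entry (without its own digest)."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody log for one evidence item (hypothetical schema).

    Every entry links to the previous one by hash, so editing or deleting an
    entry afterwards is detectable, and every entry names the actor so that
    custody can be replayed to find undocumented transfers.
    """

    def __init__(self, evidence_id, description):
        self.evidence_id = evidence_id      # e.g. serial number plus model
        self.description = description
        self.entries = []

    def record(self, when, actor, action, location, to=None, note=""):
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": when,               # ISO 8601 string
            "actor": actor,
            "action": action,                # seized | handover | stored | retrieved | analysed
            "location": location,
            "to": to,                        # receiving person for a handover
            "note": note,
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry["digest"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify_links(self):
        """Recompute every hash link; return the index of the first bad entry, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(e) != e["digest"]:
                return i
            prev = e["digest"]
        return None

    def custody_breaks(self):
        """Replay custody: whoever acts on the item must be its documented custodian.

        Returns (index, actor, expected custodian) for every entry where that is
        not the case, i.e. where an undocumented transfer must have happened.
        """
        breaks = []
        custodian = None
        last_time = None
        for i, e in enumerate(self.entries):
            t = datetime.fromisoformat(e["timestamp"])
            if last_time is not None and t < last_time:
                breaks.append((i, e["actor"], "timestamp out of order"))
            last_time = t
            if e["action"] == "seized":
                custodian = e["actor"]
                continue
            if e["action"] == "retrieved":
                # Retrieval from sealed storage is documented by the storage location.
                if custodian != "storage:" + e["location"]:
                    breaks.append((i, e["actor"], custodian))
                custodian = e["actor"]
                continue
            if e["actor"] != custodian:
                breaks.append((i, e["actor"], custodian))
                custodian = e["actor"]   # continue the replay from the observed state
            if e["action"] == "handover":
                custodian = e["to"]
            elif e["action"] == "stored":
                custodian = "storage:" + e["location"]
        return breaks


def demo():
    """Constructed sample log with one undocumented transfer and one edited entry."""
    log = CustodyLog("SN-EXAMPLE-0001", "2.5in SATA SSD, 1 TB (constructed)")
    log.record("2024-05-02T09:15:00", "A. Adams", "seized", "Office 3.12", note="bag #17 sealed")
    log.record("2024-05-02T10:40:00", "A. Adams", "handover", "Evidence room", to="B. Brown")
    log.record("2024-05-02T10:45:00", "B. Brown", "stored", "Locker 4")
    log.record("2024-05-06T08:05:00", "C. Clark", "retrieved", "Locker 4")
    log.record("2024-05-06T09:00:00", "C. Clark", "analysed", "Lab 1", note="imaging, hashes in manifest")
    # No handover entry from C. Clark to D. Diaz exists: this is the break.
    log.record("2024-05-07T14:30:00", "D. Diaz", "analysed", "Lab 2")
    breaks = log.custody_breaks()
    links_before = log.verify_links()
    # Backdating the seizure time after the fact breaks the hash chain at entry 0.
    log.entries[0]["timestamp"] = "2024-05-02T08:00:00"
    links_after = log.verify_links()
    return {"breaks": breaks, "links_before": links_before, "links_after": links_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain only proves that the log itself was not altered after the fact; it is the replay of custodians that finds the undocumented period. In practice the same log is countersigned on paper, as described above, and each entry would additionally carry the signature or acknowledgement of the receiving person.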


Which hash methods are used for integrity verification?

Cryptographic hash functions are the technical heart of forensic integrity verification. They generate a unique fixed-length fingerprint from arbitrarily large amounts of data.

Hash Method   Output Length   Status                        Forensic Use
MD5           128 bit         Outdated, collisions known    Supplementary only
SHA-1         160 bit         Outdated, collisions proven   Not recommended
SHA-256       256 bit         Current standard              Primary method
SHA-512       512 bit         Current standard              For high security
BLAKE3        Variable        Modern, very fast             Increasingly common

In practice, two different hash methods are frequently applied in parallel (e.g., SHA-256 and MD5). This double verification increases the evidentiary strength and accounts for the fact that MD5 is still widely used in older systems and documentation.

Hash values are calculated at multiple points in the process:

  1. Before imaging (hash value of the original)
  2. After imaging (hash value of the copy)
  3. Before each analysis (verification of the working copy)
  4. After each analysis (proof that the copy remained unchanged)

Any deviation between hash values indicates a change to the data and renders the affected copy unusable as evidence.
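As an added example that is not part of the original article, the following Python script runs through the five imaging steps from the section on forensic imaging and the multi-point verification just described, on a constructed sample "disk" file: it hashes the original, copies it sector by sector into a raw (dd-style) image, re-reads and hashes the finished image, stores both values in a manifest, and re-verifies the working copy before and after a simulated analysis in which one byte is accidentally overwritten. SHA-256 and MD5 are computed in the same pass over the data, mirroring the dual verification mentioned above. The write blocker of step 1 is hardware and is not modelled; the source is merely opened read-only. The file names, the JSON manifest layout and the 512-byte sector size are assumptions of this example.

```python
import hashlib
import json
import os
import tempfile

SECTOR = 512              # assumed logical sector size for this example
CHUNK = 2048 * SECTOR     # 1 MiB read granularity, always a whole number of sectors


def hash_file(path, algorithms=("sha256", "md5")):
    """One pass over the file, feeding every block to all requested hashers.

    SHA-256 is the primary value and MD5 the supplementary one; computing both
    in the same pass means the medium is read only once.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image, manifest):
    """Steps 2 to 5 of the imaging procedure: hash the original, copy every
    sector, hash the copy, compare. Step 1 (the write blocker) is hardware;
    here the source is only ever opened read-only."""
    original = hash_file(source)                               # step 2
    with open(source, "rb") as src, open(image, "wb") as dst:  # step 3
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())        # the image is on disk before it is hashed
    copy = hash_file(image)                                    # step 4: re-read from disk
    record = {
        "source": source,
        "image": image,
        "bytes": os.path.getsize(source),
        "hash_original": original,
        "hash_copy": copy,
        "verified": original == copy,                          # step 5
    }
    with open(manifest, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_working_copy(image, manifest):
    """Re-hash the working copy against the recorded values; run this before
    and after every analysis. Returns a per-algorithm match result."""
    with open(manifest) as f:
        expected = json.load(f)["hash_copy"]
    current = hash_file(image)
    return {name: current[name] == expected[name] for name in expected}


def demo():
    """Constructed sample: a tiny 'disk' of 16 sectors is imaged and verified,
    then a single byte of the working copy is overwritten to show the deviation."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.bin")
        image = os.path.join(tmp, "evidence.dd")
        manifest = os.path.join(tmp, "evidence.json")
        # Constructed content: an active file, empty sectors, and leftover bytes
        # of a deleted file, all of which a sector-level copy must capture.
        disk = bytearray(16 * SECTOR)
        disk[0:32] = b"FILE1: quarterly report (active)"
        disk[SECTOR * 5:SECTOR * 5 + 27] = b"deleted-file residue here.."
        with open(source, "wb") as f:
            f.write(disk)

        acquisition = acquire_image(source, image, manifest)
        before_analysis = verify_working_copy(image, manifest)
        # Simulate an accidental write to the working copy during analysis.
        with open(image, "r+b") as f:
            f.seek(SECTOR * 5)
            f.write(b"X")
        after_analysis = verify_working_copy(image, manifest)
        return {
            "acquisition": acquisition,
            "before_analysis": before_analysis,
            "after_analysis": after_analysis,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The copy is deliberately hashed by reading it back from disk rather than from the buffer that was just written, because it is the stored image, not the data in memory, that will be used later. A hardware duplicator performs steps 2 and 3 in one pass; the separate passes here follow the numbered procedure literally.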

What hardware is required for forensic evidence preservation?

The hardware equipment of a forensic laboratory includes specialized devices not needed in normal IT operations:

Write blockers: The most important tool in forensic evidence preservation. They physically prevent any write operation to the connected storage medium and are available as hardware devices for various interfaces:

  • SATA/IDE write blockers for internal hard drives and SSDs
  • USB write blockers for external storage media
  • NVMe write blockers for modern M.2 SSDs
  • Network write blockers for remote acquisitions

Forensic duplicators: Standalone devices such as Tableau TX1 or Logicube Falcon enable imaging without a connected computer. They create forensic images directly to target media and calculate hash values during the copying process.

Faraday equipment: For securing mobile devices, Faraday bags and Faraday rooms are used. These block electromagnetic radiation and prevent a device from being remotely wiped or modified (e.g., via remote wipe commands).

Forensic workstations: High-performance computers with fast interfaces (Thunderbolt, USB 3.2), substantial RAM (at least 64 GB), and considerable storage capacity for forensic images.

How is volatile data in RAM preserved?

A particularly time-critical aspect of evidence preservation concerns volatile data stored in the working memory (RAM) of a running system. This data is irretrievably lost once the system is powered off.

Volatile data includes:

  • Currently running processes and their memory contents
  • Open network connections and socket information
  • Decrypted data in plaintext (even with full-disk encryption)
  • Passwords and authentication tokens
  • Clipboard contents
  • Active user sessions

RAM preservation (RAM dump or memory acquisition) is performed with specialized tools:

  • WinPmem / LinPmem for Windows and Linux systems respectively
  • DumpIt as a fast, portable tool for Windows
  • LiME (Linux Memory Extractor) for Linux systems
  • Magnet RAM Capture as a user-friendly GUI tool

The decision of whether to first secure a running system or immediately power it off is one of the most difficult in IT forensics. The general recommendation is: secure volatile data first, then shut down the system in a controlled manner, and subsequently image the hard drives/SSDs. This sequence is known as the "Order of Volatility."

What standards and norms govern forensic evidence preservation?

Forensic evidence preservation follows internationally recognized standards that ensure methodological consistency and court admissibility:

ISO/IEC 27037:2012: The most important international standard for identifying, collecting, preserving, and storing digital evidence. It defines roles (DEFR: Digital Evidence First Responder, DES: Digital Evidence Specialist), procedures, and documentation requirements.

ISO/IEC 27041:2015: Guidance for ensuring the suitability and adequacy of forensic investigation methods.

ISO/IEC 27042:2015: Guidelines for the analysis and interpretation of digital evidence.

NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response. Defines the forensic process in the context of incident response.

BSI IT Forensics Guide (Germany): The German Federal Office for Information Security has published a comprehensive guide specifically tailored to the German legal framework.

Standard          Focus                             Binding Nature
ISO 27037         Identification and preservation   Recommended, best practice
ISO 27042         Analysis and interpretation       Recommended, best practice
NIST SP 800-86    Incident response integration     Recommended
BSI IT Forensics  German legal framework            Recommended for DE
ACPO Guidelines   British legal framework           Recommended for UK

What are the most common mistakes in digital evidence preservation?

Even experienced investigators occasionally make errors that can compromise the entire investigation. The most common sources of error include:

1. Modifying original data: Booting a computer from the original storage medium changes hundreds of files and timestamps. This error is irreversible and renders the storage medium unusable as evidence.

2. No write blocker used: Without a write blocker, the forensic computer's operating system can automatically write to the connected storage medium (e.g., autorun, indexing, journaling).

3. Incomplete documentation: Missing entries in the chain of custody create attack surfaces for the opposing side in court proceedings. Every step, no matter how small, must be documented.

4. Missing hash verification: If hash values are not calculated before and after imaging, the integrity of the copy cannot be proven.

5. Mobile devices not isolated: A smartphone not stored in a Faraday bag can be remotely wiped or receive new data that changes its state.

6. Volatile data ignored: Immediately powering off a running system leads to the loss of valuable information in RAM.

7. Insufficient training: Non-forensic personnel who arrive first at the scene (first responders) can unknowingly destroy evidence through uninformed actions.

How does evidence preservation work for cloud data?

Forensic preservation of cloud data presents a particular challenge since the physical storage media are not directly accessible:

Challenges:

  • Data may be stored on servers in different countries
  • Cloud providers control the physical infrastructure
  • Legal jurisdiction is complex for international cloud services
  • Data is dynamically moved between servers
  • Shared infrastructure means third-party data may be affected

Preservation methods:

  • API-based extraction: Data and metadata are exported through the cloud provider's official interfaces
  • Account snapshot: Freezing a cloud account at a specific point in time
  • Legal hold: Cloud providers are legally compelled to preserve data
  • Remote imaging: Forensic preservation of virtual machines in the cloud

In the EU, the E-Evidence Regulation facilitates cross-border preservation of digital evidence. Investigation authorities can directly order the production or preservation of data from service providers in other EU member states.

For organizations looking to protect their IT infrastructure against attacks and maintain forensic capability in emergencies, we additionally recommend our article on ransomware protection.

What costs arise from professional forensic evidence preservation?

The cost of forensic evidence preservation depends on scope, complexity, and urgency:

Service                                  Typical Price Range   Time Required
Forensic imaging of one storage medium   $400 - $1,000         2 - 8 hours
RAM acquisition of a running system      $250 - $600           1 - 3 hours
Securing a mobile device                 $500 - $1,200         2 - 6 hours
Cloud data extraction                    $600 - $2,500         4 - 24 hours
Complete forensic report                 $2,500 - $12,000      1 - 4 weeks
Expert court testimony                   $200 - $400/hour      Variable

When commissioning services, look for transparent pricing structures and ensure the provider works according to the standards mentioned above. A reputable provider will explain the anticipated effort in detail before beginning work.

The reconstruction of deleted or tampered data as an extension of evidence preservation typically incurs additional costs that can vary considerably depending on complexity.
