Chapter

Collecting Evidence: Theory, Methods, and Real-Life Applications


Abstract

Digital forensics is all about examining digital evidence, which means the evidence must be collected before it can be examined. Every action carried out on a computer leaves traces, and that conflicts with the requirement that evidence be handled in a way that ensures it is not altered. This chapter discusses the key points of securing digital evidence in a forensically sound manner, so that the examination can be conducted without contaminating the evidence. The concept of using a write blocker to create a forensic copy of the evidence is also introduced. The remainder of the chapter provides an in-depth discussion of live investigations, that is, examining computers that are running. A model for planning forensically sound live investigations is presented, together with the constraints that must be taken into consideration when working with live evidence.

