The new reality
Basic recommendations for incident response
Computer Forensics, the new tool
When can we find Electronics Evidences
Request for Electronic Evidence manual

Electronic Evidence is so volatile that just the fact of starting the operating system or examining the content of a hard disk can cause the alteration or, ever much worse, the elimination of data likely to be classed as Electronic Evidence.

Technical recommendations:
Document, adequately, the circumstance and take photographs of the specific device making certain that both sides of the device are photographed specially the cable connections.

Initiate the chain of custody* of this media as soon as possible.

Do not handle the electronic device that is involved (PC, phone, agenda…). Avoid turning on/off the device without the necessary tools & training so as to preserve any possible proof. If the device is switched on, leave it switched on; if it is switched off, leave it switched off.

If it is absolutely necessary to switch off the specific device for any reason, do not use the operating system tools. Disconnect directly (unplug) the power supply of the device. As a mesure of caution, take exact details of the date and the time so that this action is completely documented for later analysis.

For devices running with batteries, make sure that they have enough energy supply to ensure the conservation of the data.

Legal recommendations:
In order to guarantee and preserve the admissibility of Electronic Evidence during a court procedure, it is neccesary for this evidence to fulfil the following conditions:

1.Legitimacy
Electronic Evidence must be valid to be used and accepted by the judge during a judicial proceeding. As a result, it is important to use the necessary technology and procedures for the correct capture and presentation of evidence. Failure to fulfil this obligation could result in both economic and legal problems.

2. Authenticity
It is necessary to establish a direct link between the evidence itself and the incident. Otherwise, this Electronic Evidence will not be valid to be presented in court.

3. Integrity
The great volatility of Electronic Evidence makes it necessary to preserve the integrity of the original storage, not altering a single bit of the original technological media while it is being captured and analyzed. It is also essential to make use of security measures to certify this integrity.

4. Transparency
Due to its non-tangible and technological nature, Electronic Evidence requires a very comprehensible form of presentation, so that everyone involved in the process will understand without the necessity of prior technical knowledge.