Incident Response and Data Acquisition

It's sometimes difficult to ascertain exactly what qualifies as evidence, especially at the very start of an investigation, when all the facts about what occurred may not yet have been collected or stated. As in any investigation, we should be aware of and follow the guidelines, practices, and procedures for acquiring evidence in such a way that it is not tampered with or, in a worst-case scenario, lost.

At the scene of a crime, let's say a shooting, there are specific items that may immediately qualify as evidence. The physical evidence is easily collected, put into evidence bags, labeled, and then shipped off to the labs and secure storage areas for safekeeping. This evidence may include spent bullet casings, perhaps a gun, fingerprints, and blood samples. Let's not forget witness statements and CCTV (Closed Circuit Television) footage as well. It's also of interest to consider the individuals from law enforcement agencies who would be at the scene, and the order in which they may have arrived. Seems simple enough.

When a breach or crime involving a computer or smart device is reported, however, collecting the evidence is sometimes not as simple, as there are many factors to consider before labeling any items as evidence.

If a desktop was involved in the act, for example, do we take the tower alone, or do we also seize the monitor, keyboard, mouse, and speakers? What about other peripherals such as printers and scanners? Is there any additional fixed or removable storage media at the scene, and do we seize it as well?

This chapter answers all these questions and provides guidelines and best practices for incident response, evidence acquisition, and other topics, including:

  • Digital evidence acquisition procedures
  • Preserving evidence integrity
  • Write blocking and hashing
  • Powered-on versus powered-off device acquisition
  • Live acquisition best practices
  • Data imaging and hashing
  • Chain of custody