Magnet 8TipsforPresentingDigitalEvidence.pdf




Tip 2: Record the chain of custody for any device in your possession
When handling evidence following the seizure of the device, make sure to record proof of continuity. It’s important to
understand who had access to the device at any point in time to establish credibility for the evidence it contains. Many
investigators will keep a log to demonstrate that there are no gaps in the chain of custody for the physical evidence.
Depending on your jurisdiction, this can be a useful resource when pulling together a report for court.

Acquisition
Tip 3: Maintain data integrity
When acquiring raw data from a hard drive or mobile phone, always access the device through a write-blocker or a
tool that protects the device from being altered. Write-blockers enable read-only access for the viewer and prevent
data from being added to or changed on a hard drive. This helps back up the integrity of your data, adding credibility
to your acquisition process.
Calculating a hash value for the hard drive is another important way to demonstrate that the data has not been
modified since seizure. Hashing algorithms provide a unique value for a particular sample of data, similar to a
fingerprint or DNA sample. If anything is changed on the hard drive, this value will change.
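
The hash check described above, as an added example that is not part of the original document: it hashes an acquired image in one read-only pass, then re-verifies it against the values recorded at acquisition. The algorithm choice (SHA-256 and SHA-512), the file name and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never need to fit in RAM


def hash_image(path, algorithms=("sha256", "sha512")):
    """Return {algorithm: hex digest} for the file at path, computed in one read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:  # opened read-only; the image is never written
        for chunk in iter(lambda: image.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image and return the algorithms whose digest no longer matches."""
    current = hash_image(path, tuple(recorded))
    return [name for name, digest in recorded.items()
            if not hmac.compare_digest(current[name], digest.lower())]


def demo():
    """Constructed sample: a 3 MiB stand-in image, verified before and after a one-byte change."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.dd")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"\x00" * (3 * CHUNK))
        recorded = hash_image(path)       # values noted at acquisition time
        before = verify_image(path, recorded)
        with open(path, "r+b") as f:      # simulate a single altered byte
            f.seek(CHUNK + 17)
            f.write(b"\x01")
        after = verify_image(path, recorded)
    return recorded, before, after


if __name__ == "__main__":
    recorded, before, after = demo()
    print("recorded at acquisition:", recorded)
    print("mismatches before change:", before)
    print("mismatches after change:", after)
```
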

Magnet Forensics - 8 Tips for Presenting Digital Evidence in Court - 3