
How to Preserve Media for Forensic Analysis

Direct answer

Correct media preservation is what turns a technical case into legally valid evidence. A SHA-256 hash, a documented chain of custody and a bit-by-bit copy made before any analysis are mandatory. The six steps below are what secure court acceptance.

Why preservation differs from regular copy

Forensics applies strict standards: the original media must NOT be altered after seizure; analysis is done on a bit-by-bit copy (the image); every physical and logical move is documented; and integrity is validated by a cryptographic hash. If any of these points fails, the evidence may be challenged and discarded in court. Documents such as ABNT NBR ISO/IEC 27037 and NIST SP 800-86 define the standard.

Mistakes that invalidate evidence

  1. Connecting the media directly to a regular computer. Windows auto-mounts the volume and may update access timestamps. Do all initial handling in a forensic environment, behind a write blocker.
  2. Skipping the initial hash. Without a hash of the original, any later alteration is indistinguishable from the seized state. Hashing is the first action after seizure.
  3. Analyzing the original media directly. This breaks the chain. Always work on a copy.
  4. Not documenting transfers between people or places. A gap in the chain means questionable evidence. Every move is a record.

6 valid preservation steps

  1. Seizure documentation

     In-situ photos of the media. Note model, serial number and capacity; who handed it over, when, and in what state. Apply the evidence seal. This document is the zero point of the chain of custody.

  2. Electromagnetically isolated transport

     Antistatic bag + rigid box + numbered seal. For media suspected of remote wipe: Faraday cage during transport.

  3. Bit-by-bit imaging with a hardware write blocker

     Tableau, WiebeTech or an equivalent blocker prevents any write to the original media. Image via FTK Imager, dc3dd or guymager. Preferred format: E01 (EnCase) or RAW.

  4. SHA-256 hash before and after

     Calculate the SHA-256 of the original media (through the write blocker, before anything else is done with it) and of the image after it is created. Both must be identical. In addition, record MD5 as a secondary hash. Document both.

  5. Separate working copy

     The original image stays in the safe. Analysis is done on a copy of the image. All manipulation is on the copy, never on the original. This principle ensures the case can be reanalyzed from scratch at any time.

  6. Documented chain of custody

     Every physical or logical move of the media is recorded: who handled it, when, for what purpose, with what tool. The document is signed by everyone involved. In a legal case, this is the most-requested document.
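As an added illustration of steps 3, 4 and 6 (example code written for this page, not the lab's own tooling): a chunked SHA-256/MD5 hasher, a before/after comparison of original versus image, and a chain-of-custody entry that embeds the result. The function names and the sample "device" bytes are constructed for the demonstration.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so multi-TB devices never load into memory


def _as_stream(data):
    """Accept either a file-like object (e.g. an open block device) or raw bytes (for tests)."""
    return io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data


def hash_stream(source):
    """Return SHA-256 (primary) and MD5 (secondary) hex digests, reading the source only once."""
    stream = _as_stream(source)
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        sha256.update(chunk)
        md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def verify_image(original, image):
    """Compare the hashes taken from the original media (before imaging) with those of the image.
    Both digests must match for the image to be accepted as a forensic copy."""
    before, after = hash_stream(original), hash_stream(image)
    match = before["sha256"] == after["sha256"] and before["md5"] == after["md5"]
    return {"before": before, "after": after, "match": match}


def custody_record(evidence_id, handler, purpose, tool, verification):
    """One chain-of-custody entry: who, when (UTC), for what purpose, with what tool, with what result."""
    return {"evidence_id": evidence_id, "handler": handler,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "purpose": purpose, "tool": tool, "verification": verification}


if __name__ == "__main__":
    # Constructed sample: a tiny "device", an intact image and an image with one byte changed,
    # the kind of drift that mounting the original on a regular workstation can introduce.
    device = b"\x55\xaa" * 4096
    images = {"intact": bytes(device), "altered": device[:-1] + b"\x00"}
    for label, img in images.items():
        result = verify_image(device, img)
        entry = custody_record("EVID-0001", "Analyst A", "imaging verification", "hash_stream", result)
        print(label, json.dumps(entry, indent=2))
```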

FAQ

When is formal chain of custody needed?

Any case with potential judicial use: an internal corporate investigation (misconduct, leak, fraud), an expert report for civil or criminal proceedings, or a regulated security incident response. For personal or family use it is usually not necessary.

Can I do it myself or do I need a professional?

The equipment (write blocker) costs US$600-3,000. Paid forensic software (EnCase, FTK) costs US$6,000-10,000/year. For an isolated case, hiring a lab (HD Doctor) is orders of magnitude cheaper and ensures acceptance.

How long does full preservation take?

Media up to 1TB: 4-8h. 4TB: 12-20h. Corporate RAID: 1-3 days for the imaging alone. Time scales linearly with volume and with media speed.

What if media is physically defective?

Image with specialized hardware (PC-3000) that skips bad blocks and retries them multiple times. Each unread sector is documented. A 'best effort' image is accepted as evidence when the unreadable sectors are documented.

How much does an expert report cost?

We do not publish list pricing. It varies by number of media, complexity, urgency and report languages. Typical cases: US$1,000-5,000 for 1-3 media. Free quote after the initial analysis.

Need to preserve media for judicial use?

Documented chain of custody. Court-valid report. We serve police, prosecutors and law firms.
