The Digital Evidence discipline became part of the American Society of Crime Laboratory Directors/Laboratory Accreditation Board’s (ASCLD/LAB) accreditation program in April 2003. A laboratory conducting forensic analysis in any its four sub-disciplines (Audio Analysis, Computer Forensics, Digital Imaging Analysis, Video Analysis) must include Digital Evidence when it applies for accreditation or re-accreditation. The ASCLD/LAB Accreditation Manual includes all the appropriate standards and criteria that must be met to attain that accreditation.

Part 1 of this article series began with a background discussion of the Digital Evidence discipline and both of ASCLD/LAB’s accreditation programs as well as what should be considered evidence in this growing discipline, including rules and their practical application as they apply to Digital Evidence.

We now continue with suggested practices to attain compliance with select essential standards and criteria. Emphasis is placed upon the Computer Forensics sub-discipline. All criteria cited are derived from the 2003 ASCLD/LAB Legacy Manual.
(Note: Part 1 of this article can be viewed on Forensic Magazine’s website: www.forensicmag.com.)

Marking, Sealing, and Protection of Computers and Digital and Analog Media
Criterion 1.4.1.2 requires that, whenever practical, each individual item of evidence must be marked with a unique identifier for identification purposes. This is to ensure that evidence is not mistaken with other similar appearing evidence. In some instances, this may require the unique identifier to also include an item designator.

Criterion 1.4.1.3 requires that all evidence be stored under a proper seal. A container is considered properly sealed (via tape seal, heat seal, or other type of seal) when obvious damage or alteration occurs to the seal or its container when entering the container. The actual seal must be sufficient to prevent items from being removed or inadvertently lost from the container. In the Digital Evidence discipline, what or how to seal items of evidence is open to discussion. “Is it acceptable to tape seal all the ports, floppy drive, CD drive, etc. on a computer and not have to package it in another container?” “Can I tape seal multiple optical discs in a container without having to individually tape seal them in protective sleeves?” “Is it necessary to place a tape seal across the front of a videotape to prevent it from being accessed?”

Criterion 1.4.1.4 requires that evidence be protected from deleterious change. Questions arise concerning how to protect evidence: “Can several floppy disks or optical discs be packaged together without them having to be individually protected?” “How should hard drives be packaged to prevent potential damage?” “Can multiple forensic images from separate cases be stored and examined on a single forensic analytical computer’s hard drive?” “Can an internal file server connected to a local area network be used to storemultiple forensic images from multiple cases generated from multiple examiners?”

Examples illustrating marking, sealing, and packaging of computers, optical media, floppy diskettes, videotapes, and audiotapes are presented. They should be used as a guide for attaining compliance with criteria 1.4.1.2, 1.4.1.3, and 1.4.1.4. Other alternative methods may also be appropriate.