Evidence Collection Principles

Successful evidence collection follows established principles ensuring forensic soundness:

Principle 1: Minimize Alteration No action should change data on the source device. When alteration is unavoidable, document all changes thoroughly.

Principle 2: Document Everything Record all actions, observations, and decisions. Documentation should enable another examiner to reproduce your findings.

Principle 3: Maintain Chain of Custody Track evidence from collection through analysis, documenting every transfer and access.

Principle 4: Use Validated Tools Employ tools and methods that have been tested and accepted by the forensic community.

Principle 5: Verify Integrity Use cryptographic hashes to verify evidence hasn't been altered during collection or analysis.