Collection of Electronic Evidence

Obtaining the original evidence without degrading it and analyzing the data without altering it is the basis of digital forensics. The sole aim is to ensure that the electronic evidence submitted to the courts is admissible, and to take the necessary measures at every stage.

Factors affecting the best way to obtain electronic evidence are:
• Staff,
• Originality of evidence,
• Methods,
• Hardware and software used,
• Chain of custody (protection and tracking of the evidence)

To prevent problems with the acceptance of electronic evidence by the courts, personnel with expert knowledge who are able to use digital forensics tools and techniques are required.

The reasons that require the use of electronic evidence collection tools are:

• The large volume of stored data,
• Variety of operating systems and file formats,
• The need to verify that the electronic evidence obtained is the same as the originals,
• Volatile and fragile electronic data,
• The existence of anti-forensic techniques and encryption mechanisms,
• Variety of electronic data storage devices

Electronic evidence should be copied or obtained with at least one appropriate tool or technique so that it is admissible, reliable, and free from weaknesses in the data.
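One way to check that an acquired copy is the same as the original, shown as an added example that is not part of the original page: the source is read once while it is copied, and SHA-256 digests of the whole stream and of each block are recorded so that a later re-read of the copy can be verified. The page names no specific method; SHA-256, the 4096-byte block size, and the names `acquire`, `verify` and `custody_entry` are assumptions made here.

```python
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 4096  # assumed block size for the per-block digests


def acquire(src, dst, chunk=CHUNK):
    """Copy src to dst in one pass, hashing every block as it is read."""
    whole, blocks = hashlib.sha256(), []
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        dst.write(buf)
        whole.update(buf)
        blocks.append(hashlib.sha256(buf).hexdigest())
    return {"sha256": whole.hexdigest(), "blocks": blocks, "chunk": chunk}


def verify(image, record):
    """Re-read a copy; return (matches, index of first differing block or None)."""
    whole, first_bad, i = hashlib.sha256(), None, 0
    while True:
        buf = image.read(record["chunk"])
        if not buf:
            break
        whole.update(buf)
        expected = record["blocks"][i] if i < len(record["blocks"]) else None
        if first_bad is None and hashlib.sha256(buf).hexdigest() != expected:
            first_bad = i  # altered block, or data beyond the original length
        i += 1
    if first_bad is None and i < len(record["blocks"]):
        first_bad = i  # copy is shorter than the original
    return whole.hexdigest() == record["sha256"], first_bad


def custody_entry(item, examiner, record):
    """One JSON line for the custody log (field names are hypothetical)."""
    return json.dumps({
        "item": item,
        "examiner": examiner,
        "sha256": record["sha256"],
        "blocks": len(record["blocks"]),
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    })
```

The per-block digests matter when a copy fails verification: they show which block of the image differs instead of only reporting that the whole-image digest no longer matches.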

Collecting Evidence from Desktops and Laptops
Computer systems encountered at the scene may be either powered on or powered off. Desktops and laptops should not be turned on if they are off, because powering on a system that is off will change the electronic evidence. For example, on a Microsoft Windows XP system, each startup changes almost 50 files and creates at least 5 new files. Systems that are powered on, on the other hand, must be checked in several ways. If the running computer has CD/DVD drives, the drives must be checked and any discs removed. The network cables of networked computer systems must be disconnected, because data on these devices could be damaged through a remote connection, but it should also be noted that volatile data such as open connections will be lost. If documents have already been sent to the printer from the computers, wait for the printer to finish outputting all of these documents.

Running systems are checked only through the connected monitor. Several situations may be encountered on such systems:
• Programs that damage evidence are actively running,
• There is active remote access to the system,
• The disk in the system is seen to be encrypted,
• An encrypted virtual disk is found to be connected,
• There is an open document and a document determined to be encrypted,
• It is understood that the data is secured

The random access memory (RAM) in a computer holds data only while the computer is on, and it is completely cleared when the computer is turned off.